Appendix A. Configuration Options

_module.args

Additional arguments passed to each module in addition to ones like lib, config, and pkgs, modulesPath.

This option is also available to all submodules. Submodules do not inherit args from their parent module, nor do they provide args to their parent module or sibling submodules. The sole exception to this is the argument name which is provided by parent modules to a submodule and contains the attribute name the submodule is bound to, or a unique generated name if it is not bound to an attribute.

Some arguments are already passed by default, of which the following cannot be changed with this option:

  • lib: The nixpkgs library.

  • config: The results of all options after merging the values from all modules together.

  • options: The options declared in all modules.

  • specialArgs: The specialArgs argument passed to evalModules.

  • All attributes of specialArgs

    Whereas option values can generally depend on other option values thanks to laziness, this does not apply to imports, which must be computed statically before anything else.

    For this reason, callers of the module system can provide specialArgs which are available during import resolution.

    For NixOS, specialArgs includes modulesPath, which allows you to import extra modules from the nixpkgs package tree without having to somehow make the module aware of the location of the nixpkgs or NixOS directories.

    { modulesPath, ... }: {
      imports = [
        (modulesPath + "/profiles/minimal.nix")
      ];
    }
    

For NixOS, the default value for this option includes at least this argument:

  • pkgs: The nixpkgs package set according to the nixpkgs.pkgs option.

Type: lazy attribute set of raw value

Declared by:

<nixpkgs/lib/modules.nix>
appstream.enable

Whether to install files to support the AppStream metadata specification.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/appstream.nix>
boot.enableContainers

Whether to enable support for NixOS containers. Defaults to true (at no cost if containers are not actually used).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
boot.bcache.enable

Whether to enable bcache mount support.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/tasks/bcache.nix>
boot.binfmt.addEmulatedSystemsToNixSandbox

Whether to add the boot.binfmt.emulatedSystems to nix.settings.extra-platforms. Disable this to use remote builders for those platforms, while allowing testing binaries locally.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.binfmt.emulatedSystems

List of systems to emulate. Will also configure Nix to support your new systems. Warning: the builder can execute all emulated systems within the same build, which introduces impurities in the case of cross compilation.

Type: list of (one of “aarch64-linux”, “aarch64_be-linux”, “alpha-linux”, “armv6l-linux”, “armv7l-linux”, “i386-linux”, “i486-linux”, “i586-linux”, “i686-linux”, “i686-windows”, “loongarch64-linux”, “mips-linux”, “mips64-linux”, “mips64-linuxabin32”, “mips64el-linux”, “mips64el-linuxabin32”, “mipsel-linux”, “powerpc-linux”, “powerpc64-linux”, “powerpc64le-linux”, “riscv32-linux”, “riscv64-linux”, “s390x-linux”, “sparc-linux”, “sparc64-linux”, “wasm32-wasi”, “wasm64-wasi”, “x86_64-linux”, “x86_64-windows”)

Default: [ ]

Example:

[
  "wasm32-wasi"
  "x86_64-windows"
  "aarch64-linux"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.binfmt.preferStaticEmulators

Whether to use static emulators when available.

This enables the kernel to preload the emulator binaries when the binfmt registrations are added, obviating the need to make the emulator binaries available inside chroots and chroot-like sandboxes.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.binfmt.registrations

Extra binary formats to register with the kernel. See https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html for more details.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.binfmt.registrations.<name>.fixBinary

Whether to open the interpreter file as soon as the registration is loaded, rather than waiting for a relevant file to be invoked.

See the description of the ‘F’ flag in the kernel docs for more details.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.binfmt.registrations.<name>.interpreter

The interpreter to invoke to run the program.

Note that the actual registration will point to /run/binfmt/${name}, so the kernel interpreter length limit doesn’t apply.

Type: path

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.binfmt.registrations.<name>.magicOrExtension

The magic number or extension to match on.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.binfmt.registrations.<name>.mask

A mask to be ANDed with the byte sequence of the file before matching

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.binfmt.registrations.<name>.matchCredentials

Whether to launch with the credentials and security token of the binary, not the interpreter (e.g. setuid bit).

See the description of the ‘C’ flag in the kernel docs for more details.

Implies/requires openBinary = true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.binfmt.registrations.<name>.offset

The byte offset of the magic number used for recognition.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.binfmt.registrations.<name>.openBinary

Whether to pass the binary to the interpreter as an open file descriptor, instead of a path.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.binfmt.registrations.<name>.preserveArgvZero

Whether to pass the original argv[0] to the interpreter.

See the description of the ‘P’ flag in the kernel docs for more details;

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.binfmt.registrations.<name>.recognitionType

Whether to recognize executables by magic number or extension.

Type: one of “magic”, “extension”

Default: "magic"

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.binfmt.registrations.<name>.wrapInterpreterInShell

Whether to wrap the interpreter in a shell script.

This allows a shell command to be set as the interpreter.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/binfmt.nix>
boot.blacklistedKernelModules

List of names of kernel modules that should not be loaded automatically by the hardware probing code.

Type: list of string

Default: [ ]

Example:

[
  "cirrusfb"
  "i2c_piix4"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/modprobe.nix>
boot.bootspec.enableValidation

Whether to enable the validation of bootspec documents for each build. This will introduce Go in the build-time closure as we are relying on Cuelang for schema validation. Enable this option if you want to ascertain that your documents are correct .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/activation/bootspec.nix>
boot.bootspec.extensions

User-defined data that extends the bootspec document.

To reduce incompatibility and prevent names from clashing between applications, it is highly recommended to use a unique namespace for your extensions.

Type: attribute set of anything

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/activation/bootspec.nix>
boot.consoleLogLevel

The kernel console loglevel. All Kernel Messages with a log level smaller than this setting will be printed to the console.

Type: signed integer

Default: 4

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.crashDump.enable

If enabled, NixOS will set up a kernel that will boot on crash, and leave the user in systemd rescue to be able to save the crashed kernel dump at /proc/vmcore. It also activates the NMI watchdog.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/misc/crashdump.nix>
boot.crashDump.kernelParams

Parameters that will be passed to the kernel kexec-ed on crash.

Type: list of string

Default:

[
  "1"
  "boot.shell_on_fail"
]

Declared by:

<nixpkgs/nixos/modules/misc/crashdump.nix>
boot.crashDump.reservedMemory

The amount of memory reserved for the crashdump kernel. If you choose a too high value, dmesg will mention “crashkernel reservation failed”.

Type: string

Default: "128M"

Declared by:

<nixpkgs/nixos/modules/misc/crashdump.nix>
boot.devShmSize

Size limit for the /dev/shm tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.

Type: string

Default: "50%"

Example: "256m"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.devSize

Size limit for the /dev tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.

Type: string

Default: "5%"

Example: "32m"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.extraModprobeConfig

Any additional configuration to be appended to the generated modprobe.conf. This is typically used to specify module options. See modprobe.d(5) for details.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  options parport_pc io=0x378 irq=7 dma=1
''

Declared by:

<nixpkgs/nixos/modules/system/boot/modprobe.nix>
boot.extraModulePackages

A list of additional packages supplying kernel modules.

Type: list of package

Default: [ ]

Example: [ config.boot.kernelPackages.nvidia_x11 ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.extraSystemdUnitPaths

Additional paths that get appended to the SYSTEMD_UNIT_PATH environment variable that can contain mutable unit files.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-2.nix>
boot.growPartition

Whether to enable growing the root partition on boot.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/grow-partition.nix>
boot.hardwareScan

Whether to try to load kernel modules for all detected hardware. Usually this does a good job of providing you with the modules you need, but sometimes it can crash the system or cause other nasty effects.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
boot.initrd.enable

Whether to enable the NixOS initial RAM disk (initrd). This may be needed to perform some initialisation tasks (like mounting network/encrypted file systems) before continuing the boot process.

Type: boolean

Default: !config.boot.isContainer

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.availableKernelModules

The set of kernel modules in the initial ramdisk used during the boot process. This set must include all modules necessary for mounting the root device. That is, it should include modules for the physical device (e.g., SCSI drivers) and for the file system (e.g., ext3). The set specified here is automatically closed under the module dependency relation, i.e., all dependencies of the modules list here are included automatically. The modules listed here are available in the initrd, but are only loaded on demand (e.g., the ext3 module is loaded automatically when an ext3 filesystem is mounted, and modules for PCI devices are loaded when they match the PCI ID of a device in your system). To force a module to be loaded, include it in boot.initrd.kernelModules.

Type: list of string

Default: [ ]

Example:

[
  "sata_nv"
  "ext3"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.initrd.checkJournalingFS

Whether to run fsck on journaling filesystems such as ext3.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.clevis.enable

Whether to enable Clevis in initrd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/clevis.nix>
boot.initrd.clevis.package

Clevis package

Type: package

Default: "pkgs.clevis"

Declared by:

<nixpkgs/nixos/modules/system/boot/clevis.nix>
boot.initrd.clevis.devices

Encrypted devices that need to be unlocked at boot using Clevis

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/clevis.nix>
boot.initrd.clevis.devices.<name>.secretFile

Clevis JWE file used to decrypt the device at boot, in concert with the chosen pin (one of TPM2, Tang server, or SSS).

Type: path

Declared by:

<nixpkgs/nixos/modules/system/boot/clevis.nix>
boot.initrd.clevis.useTang

Whether the Clevis JWE file used to decrypt the devices uses a Tang server as a pin.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/clevis.nix>
boot.initrd.compressor

The compressor to use on the initrd image. May be any of:

  • The name of one of the predefined compressors, see pkgs/build-support/kernel/initrd-compressor-meta.nix for the definitions.

  • A function which, given the nixpkgs package set, returns the path to a compressor tool, e.g. pkgs: "${pkgs.pigz}/bin/pigz"

  • (not recommended, because it does not work when cross-compiling) the full path to a compressor tool, e.g. "${pkgs.pigz}/bin/pigz"

The given program should read data from stdin and write it to stdout compressed.

Type: string or function that evaluates to a(n) string

Default: zstd if the kernel supports it (5.9+), gzip if not

Example: "xz"

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.compressorArgs

Arguments to pass to the compressor for the initrd image, or null to use the compressor’s defaults.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.extraFiles

Extra files to link and copy in to the initrd.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.extraFiles.<name>.source

The object to make available inside the initrd.

Type: package

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.includeDefaultModules

This option, if set, adds a collection of default kernel modules to boot.initrd.availableKernelModules and boot.initrd.kernelModules.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.initrd.kernelModules

List of modules that are always loaded by the initrd.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.initrd.luks.cryptoModules

A list of cryptographic kernel modules needed to decrypt the root device(s). The default includes all common modules.

Type: list of string

Default:

[
  "aes"
  "aes_generic"
  "blowfish"
  "twofish"
  "serpent"
  "cbc"
  "xts"
  "lrw"
  "sha1"
  "sha256"
  "sha512"
  "af_alg"
  "algif_skcipher"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices

The encrypted disk that should be opened before the root filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM setups are supported. The unencrypted devices can be accessed as /dev/mapper/«name».

Type: attribute set of (submodule)

Default: { }

Example:

{
  luksroot = {
    device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08";
  };
}

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.allowDiscards

Whether to allow TRIM requests to the underlying device. This option has security implications; please read the LUKS documentation before activating it. This option is incompatible with authenticated encryption (dm-crypt stacked over dm-integrity).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.bypassWorkqueues

Whether to bypass dm-crypt’s internal read and write workqueues. Enabling this should improve performance on SSDs; see here for more information. Needs Linux 5.9 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.device

Path of the underlying encrypted block device.

Type: string

Example: "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.fallbackToPassword

Whether to fallback to interactive passphrase prompt if the keyfile cannot be found. This will prevent unattended boot should the keyfile go missing.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.fido2.credential

The FIDO2 credential ID.

Type: null or string

Default: null

Example: "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.fido2.credentials

List of FIDO2 credential IDs.

Use this if you have multiple FIDO2 keys you want to use for the same luks device.

Type: list of string

Default: [ ]

Example:

[
  "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.fido2.gracePeriod

Time in seconds to wait for the FIDO2 key.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.fido2.passwordLess

Defines whatever to use an empty string as a default salt.

Enable only when your device is PIN protected, such as Trezor.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.gpgCard

The option to use this LUKS device with a GPG encrypted luks password by the GPG Smartcard. If null (the default), GPG-Smartcard will be disabled for this device.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.gpgCard.encryptedPass

Path to the GPG encrypted passphrase.

Type: path

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.gpgCard.gracePeriod

Time in seconds to wait for the GPG Smartcard.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.gpgCard.publicKey

Path to the Public Key.

Type: path

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.header

The name of the file or block device that should be used as header for the encrypted device.

Type: null or string

Default: null

Example: "/root/header.img"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.keyFile

The name of the file (can be a raw device or a partition) that should be used as the decryption key for the encrypted device. If not specified, you will be prompted for a passphrase instead.

Type: null or string

Default: null

Example: "/dev/sdb1"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.keyFileOffset

The offset of the key file. Use this in combination with keyFileSize to use part of a file as key file (often the case if a raw device or partition is used as a key file). If not specified, the key begins at the first byte of keyFile.

Type: null or signed integer

Default: null

Example: 4096

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.keyFileSize

The size of the key file. Use this if only the beginning of the key file should be used as a key (often the case if a raw device or partition is used as key file). If not specified, the whole keyFile will be used decryption, instead of just the first keyFileSize bytes.

Type: null or signed integer

Default: null

Example: 4096

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.keyFileTimeout

The amount of time in seconds for a keyFile to appear before timing out and trying passwords.

Type: null or signed integer

Default: null

Example: 5

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.postOpenCommands

Commands that should be run right after we have mounted our LUKS device.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  umount /tmp/persistent
''

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.preLVM

Whether the luksOpen will be attempted before LVM scan or after it.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.preOpenCommands

Commands that should be run right before we try to mount our LUKS device. This can be useful, if the keys needed to open the drive is on another partition.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  mkdir -p /tmp/persistent
  mount -t zfs rpool/safe/persistent /tmp/persistent
''

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.tryEmptyPassphrase

If keyFile fails then try an empty passphrase first before prompting for password.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey

The options to use for this LUKS device in YubiKey-PBA. If null (the default), YubiKey-PBA will be disabled for this device.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.gracePeriod

Time in seconds to wait for the YubiKey.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.iterationStep

How much the iteration count for PBKDF2 is increased at each successful authentication.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.keyLength

Length of the LUKS slot key derived with PBKDF2 in byte.

Type: signed integer

Default: 64

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.saltLength

Length of the new salt in byte (64 is the effective maximum).

Type: signed integer

Default: 16

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.slot

Which slot on the YubiKey to challenge.

Type: signed integer

Default: 2

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.storage.device

An unencrypted device that will temporarily be mounted in stage-1. Must contain the current salt to create the challenge for this LUKS device.

Type: path

Default: "/dev/sda1"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.storage.fsType

The filesystem of the unencrypted device.

Type: string

Default: "vfat"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.storage.path

Absolute path of the salt on the unencrypted device with that device’s root directory as “/”.

Type: string

Default: "/crypt-storage/default"

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.devices.<name>.yubikey.twoFactor

Whether to use a passphrase and a YubiKey (true), or only a YubiKey (false).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.fido2Support

Enables support for authenticating with FIDO2 devices.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.gpgSupport

Enables support for authenticating with a GPG encrypted password.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.mitigateDMAAttacks

Unless enabled, encryption keys can be easily recovered by an attacker with physical access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port. More information is available at https://en.wikipedia.org/wiki/DMA_attack.

This option blacklists FireWire drivers, but doesn’t remove them. You can manually load the drivers if you need to use a FireWire device, but don’t forget to unload them!

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.reusePassphrases

When opening a new LUKS device try reusing last successful passphrase.

Useful for mounting a number of devices that use the same passphrase without retyping it several times.

Such setup can be useful if you use cryptsetup luksSuspend. Different LUKS devices will still have different master keys even when using the same passphrase.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.luks.yubikeySupport

Enables support for authenticating with a YubiKey on LUKS devices. See the NixOS wiki for information on how to properly setup a LUKS device and a YubiKey to work with this feature.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/luksroot.nix>
boot.initrd.network.enable

Add network connectivity support to initrd. The network may be configured using the ip kernel parameter, as described in the kernel documentation. Otherwise, if networking.useDHCP is enabled, an IP address is acquired using DHCP.

You should add the module(s) required for your network card to boot.initrd.availableKernelModules. lspci -v | grep -iA8 'network\|ethernet' will tell you which.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
boot.initrd.network.flushBeforeStage2

Whether to clear the configuration of the interfaces that were set up in the initrd right before stage 2 takes over. Stage 2 will do the regular network configuration based on the NixOS networking options.

The default is false when systemd is enabled in initrd, because the systemd-networkd documentation suggests it.

Type: boolean

Default: "!config.boot.initrd.systemd.enable"

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
boot.initrd.network.openvpn.enable

Starts an OpenVPN client during initrd boot. It can be used to e.g. remotely accessing the SSH service controlled by boot.initrd.network.ssh or other network services included. Service is killed when stage-1 boot is finished.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-openvpn.nix>
boot.initrd.network.openvpn.configuration

The configuration file for OpenVPN.

Warning

Unless your bootloader supports initrd secrets, this configuration is stored insecurely in the global Nix store.

Type: path

Example: ./configuration.ovpn

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-openvpn.nix>
boot.initrd.network.postCommands

Shell commands to be executed after stage 1 of the boot has initialised the network.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
boot.initrd.network.ssh.enable

Start SSH service during initrd boot. It can be used to debug failing boot on a remote server, enter pasphrase for an encrypted partition etc. Service is killed when stage-1 boot is finished.

The sshd configuration is largely inherited from services.openssh.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
boot.initrd.network.ssh.authorizedKeyFiles

Authorized keys taken from files for the root user on initrd. You can combine the authorizedKeyFiles and authorizedKeys options.

Type: list of path

Default: config.users.users.root.openssh.authorizedKeys.keyFiles

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
boot.initrd.network.ssh.authorizedKeys

Authorized keys for the root user on initrd. You can combine the authorizedKeys and authorizedKeyFiles options.

Type: list of string

Default: config.users.users.root.openssh.authorizedKeys.keys

Example:

[
  "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"
  "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
boot.initrd.network.ssh.extraConfig

Verbatim contents of sshd_config.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
boot.initrd.network.ssh.hostKeys

Specify SSH host keys to import into the initrd.

To generate keys, use ssh-keygen(1) as root:

ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key

Warning

Unless your bootloader supports initrd secrets, these keys are stored insecurely in the global Nix store. Do NOT use your regular SSH host private keys for this purpose or you’ll expose them to regular users!

Additionally, even if your initrd supports secrets, if you’re using initrd SSH to unlock an encrypted disk then using your regular host keys exposes the private keys on your unencrypted boot partition.

Type: list of (string or path)

Default: [ ]

Example:

[
  "/etc/secrets/initrd/ssh_host_rsa_key"
  "/etc/secrets/initrd/ssh_host_ed25519_key"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
boot.initrd.network.ssh.ignoreEmptyHostKeys

Allow leaving config.boot.initrd.network.ssh.hostKeys empty, to deploy ssh host keys out of band.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
boot.initrd.network.ssh.port

Port on which SSH initrd service should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 22

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
boot.initrd.network.ssh.shell

Login shell of the remote user. Can be used to limit actions user can do.

Type: null or string

Default: "\"/bin/ash\""

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-ssh.nix>
boot.initrd.network.udhcpc.enable

Enables the udhcpc service during stage 1 of the boot process. This defaults to networking.useDHCP. Therefore, this useful if useDHCP is off but the initramfs should do dhcp.

Type: boolean

Default: "networking.useDHCP"

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
boot.initrd.network.udhcpc.extraArgs

Additional command-line arguments passed verbatim to udhcpc if boot.initrd.network.enable and boot.initrd.network.udhcpc.enable are enabled.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/initrd-network.nix>
boot.initrd.postDeviceCommands

Shell commands to be executed immediately after stage 1 of the boot has loaded kernel modules and created device nodes in /dev.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.postMountCommands

Shell commands to be executed immediately after the stage 1 filesystems have been mounted.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.postResumeCommands

Shell commands to be executed immediately after attempting to resume.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.preDeviceCommands

Shell commands to be executed before udev is started to create device nodes.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.preFailCommands

Shell commands to be executed before the failure prompt is shown.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.preLVMCommands

Shell commands to be executed immediately before LVM discovery.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.prepend

Other initrd files to prepend to the final initrd we are building.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.secrets

Secrets to append to the initrd. The attribute name is the path the secret should have inside the initrd, the value is the path it should be copied from (or null for the same path inside and out).

Note that nixos-rebuild switch will generate the initrd also for past generations, so if secrets are moved or deleted you will also have to garbage collect the generations that use those secrets.

Type: attribute set of (null or path)

Default: { }

Example:

{ "/etc/dropbear/dropbear_rsa_host_key" =
    ./secret-dropbear-key;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.services.bcache.enable

This will only be used when systemd is used in stage 1.

Whether to enable bcache support in the initrd.

Type: boolean

Default: config.boot.initrd.systemd.enable && config.boot.bcache.enable

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/bcache.nix>
boot.initrd.services.lvm.enable

This will only be used when systemd is used in stage 1.

Whether to enable booting from LVM2 in the initrd.

Type: boolean

Default: config.boot.initrd.systemd.enable && config.services.lvm.enable

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/lvm.nix>
boot.initrd.services.resolved.enable

Whether to enable resolved for stage 1 networking. Uses the toplevel ‘services.resolved’ options for ‘resolved.conf’

Type: unspecified value

Default: "config.boot.initrd.systemd.network.enable"

Declared by:

<nixpkgs/nixos/modules/system/boot/resolved.nix>
boot.initrd.services.udev.packages

This will only be used when systemd is used in stage 1.

List of packages containing udev rules that will be copied to stage 1. All files found in «pkg»/etc/udev/rules.d and «pkg»/lib/udev/rules.d will be included.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
boot.initrd.services.udev.binPackages

This will only be used when systemd is used in stage 1.

Packages to search for binaries that are referenced by the udev rules in stage 1. This list always contains /bin of the initrd.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
boot.initrd.services.udev.rules

udev rules to include in the initrd only. They’ll be written into file 99-local.rules. Thus they are read and applied after the essential initrd rules.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1D:60:B9:6D:4F", KERNEL=="eth*", NAME="my_fast_network_card"
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
boot.initrd.supportedFilesystems

Names of supported filesystem types, or an attribute set of file system types and their state. The set form may be used together with lib.mkForce to explicitly disable support for specific filesystems, e.g. to disable ZFS with an unsupported kernel.

Type: (attribute set of boolean) or (list of string) convertible to it

Default: { }

Example:

{
  btrfs = true;
  zfs = lib.mkForce false;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.initrd.systemd.enable

Whether to enable systemd in initrd. The unit options such as boot.initrd.systemd.services are the same as their stage 2 counterparts such as systemd.services, except that restartTriggers and reloadTriggers are not supported.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.package

The systemd package to use.

Type: package

Default: config.systemd.package

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.packages

Packages providing systemd units and hooks.

Type: list of package

Default: [ ]

Example: [ pkgs.systemd-cryptsetup-generator ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.additionalUpstreamUnits

Additional units shipped with systemd that shall be enabled.

Type: list of string

Default: [ ]

Example:

[
  "debug-shell.service"
  "systemd-quotacheck.service"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.automounts

Definition of systemd automount units. This is a list instead of an attrSet, because systemd mandates the names to be derived from the ‘where’ attribute.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.contents

Set of files that have to be linked into the initrd

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/etc/machine-id".source = /etc/machine-id;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.contents.<name>.enable

Whether to enable copying of this file and symlinking it.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.contents.<name>.dlopen.features

Features to enable via dlopen ELF notes. These will be in addition to anything included via ‘usePriority’, regardless of their priority.

Type: list of (optionally newline-terminated) single-line string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.contents.<name>.dlopen.usePriority

Priority of dlopen ELF notes to include. “required” is minimal, “recommended” includes “required”, and “suggested” includes “recommended”.

See: https://systemd.io/ELF_DLOPEN_METADATA/

Type: one of “required”, “recommended”, “suggested”

Default: "recommended"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.contents.<name>.source

Path of the source file.

Type: path

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.contents.<name>.target

Path of the symlink.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.contents.<name>.text

Text of the file.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.dbus.enable

Whether to enable dbus in stage 1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/system/dbus.nix>
boot.initrd.systemd.dmVerity.enable

Mount verity-protected block devices in the initrd.

Enabling this option allows to use systemd-veritysetup and systemd-veritysetup-generator in the initrd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/dm-verity.nix>
boot.initrd.systemd.emergencyAccess

Set to true for unauthenticated emergency access, and false or null for no emergency access.

Can also be set to a hashed super user password to allow authenticated access to the emergency mode.

Type: boolean or null or (string, not containing newlines or colons)

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.extraBin

Tools to add to /bin

Type: attribute set of path

Default: { }

Example:

{
  umount = ${pkgs.util-linux}/bin/umount;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.extraConfig

Extra config options for systemd. See systemd-system.conf(5) man page for available options.

Type: strings concatenated with “\n”

Default: ""

Example: "DefaultLimitCORE=infinity"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.groups

Groups to include in initrd.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
boot.initrd.systemd.groups.<name>.gid

ID of the group in initrd.

Type: signed integer

Default: config.users.groups.${name}.gid

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
boot.initrd.systemd.initrdBin

Packages to include in /bin for the stage 1 emergency shell.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.managerEnvironment

Environment variables of PID 1. These variables are not passed to started units.

Type: attribute set of (null or string or path or package)

Default: { }

Example:

{
  SYSTEMD_LOG_LEVEL = "debug";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.mounts

Definition of systemd mount units. This is a list instead of an attrSet, because systemd mandates the names to be derived from the ‘where’ attribute.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.network.enable

Whether to enable networkd or not.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
boot.initrd.systemd.network.config

Definition of global systemd network config.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
boot.initrd.systemd.network.links

Definition of systemd network links.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
boot.initrd.systemd.network.netdevs

Definition of systemd network devices.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
boot.initrd.systemd.network.networks

Definition of systemd networks.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
<nixpkgs/nixos/modules/system/boot/networkd.nix>
boot.initrd.systemd.network.wait-online.enable

Whether to enable the systemd-networkd-wait-online service.

systemd-networkd-wait-online can timeout and fail if there are no network interfaces available for it to manage. When systemd-networkd is enabled but a different service is responsible for managing the system’s internet connection (for example, NetworkManager or connman are used to manage WiFi connections), this service is unnecessary and can be disabled.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
boot.initrd.systemd.network.wait-online.anyInterface

Whether to consider the network online when any interface is online, as opposed to all of them. This is useful on portable machines with a wired and a wireless interface, for example.

This is on by default if networking.useDHCP is enabled.

Type: boolean

Default: "config.networking.useDHCP"

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
boot.initrd.systemd.network.wait-online.extraArgs

Extra command-line arguments to pass to systemd-networkd-wait-online. These also affect per-interface systemd-network-wait-online@ services.

See systemd-networkd-wait-online.service(8) for all available options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
boot.initrd.systemd.network.wait-online.ignoredInterfaces

Network interfaces to be ignored when deciding if the system is online.

Type: list of string

Default: [ ]

Example:

[
  "wg0"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
boot.initrd.systemd.network.wait-online.timeout

Time to wait for the network to come online, in seconds. Set to 0 to disable.

Type: unsigned integer, meaning >=0

Default: 120

Example: 0

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
boot.initrd.systemd.paths

Definition of systemd path units.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.repart.enable

Grow and add partitions to a partition table at boot time in the initrd. systemd-repart only works with GPT partition tables.

To run systemd-repart after the initrd, see options.systemd.repart.enable.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/repart.nix>
boot.initrd.systemd.repart.device

The device to operate on.

If device == null, systemd-repart will operate on the device backing the root partition. So in order to dynamically create the root partition in the initrd you need to set a device.

Type: null or string

Default: null

Example: "/dev/vda"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/repart.nix>
boot.initrd.systemd.root

Controls how systemd will interpret the root FS in initrd. See kernel-command-line(7). NixOS currently does not allow specifying the root file system itself this way. Instead, the fstab value is used in order to interpret the root file system specified with the fileSystems option.

Type: one of “fstab”, “gpt-auto”

Default: "fstab"

Example: "gpt-auto"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.services

Definition of systemd service units.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.slices

Definition of slice configurations.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.sockets

Definition of systemd socket units.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.storePaths

Store paths to copy into the initrd as well.

Type: list of ((submodule) or ((optionally newline-terminated) single-line string or package) convertible to it)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.storePaths.*.enable

Whether to enable copying of this file and symlinking it.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.storePaths.*.dlopen.features

Features to enable via dlopen ELF notes. These will be in addition to anything included via ‘usePriority’, regardless of their priority.

Type: list of (optionally newline-terminated) single-line string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.storePaths.*.dlopen.usePriority

Priority of dlopen ELF notes to include. “required” is minimal, “recommended” includes “required”, and “suggested” includes “recommended”.

See: https://systemd.io/ELF_DLOPEN_METADATA/

Type: one of “required”, “recommended”, “suggested”

Default: "recommended"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.storePaths.*.source

Path of the source file.

Type: path

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.storePaths.*.target

Path of the symlink.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.strip

Whether to completely strip executables and libraries copied to the initramfs.

Setting this to false may save on the order of 30MiB on the machine building the system (by avoiding a binutils reference), at the cost of ~1MiB of initramfs size. This puts this option firmly in the territory of micro-optimisation.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.suppressedStorePaths

Store paths specified in the storePaths option that should not be copied.

Type: list of (optionally newline-terminated) single-line string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.suppressedUnits

A list of units to skip when generating system systemd configuration directory. This has priority over upstream units, boot.initrd.systemd.units, and boot.initrd.systemd.additionalUpstreamUnits. The main purpose of this is to prevent a upstream systemd unit from being added to the initrd with any modifications made to it by other NixOS modules.

Type: list of string

Default: [ ]

Example:

[
  "systemd-backlight@.service"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.targets

Definition of systemd target units.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.timers

Definition of systemd timer units.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.tmpfiles.settings

Similar to systemd.tmpfiles.settings but the rules are only applied by systemd-tmpfiles before initrd-switch-root.target.

See bootup(7).

Type: attribute set of attribute set of attribute set of (submodule)

Default: { }

Example:

{
  "10-mypackage" = {
    "/var/lib/my-service/statefolder" = {
      d = {
        group = "root";
        mode = "0755";
        user = "root";
      };
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
boot.initrd.systemd.tmpfiles.settings.<config-name>.<tmpfiles-type>.<path>.age

Delete a file when it reaches a certain age.

If a file or directory is older than the current time minus the age field, it is deleted.

If set to "-" no automatic clean-up is done.

Type: string

Default: "-"

Example: "10d"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
boot.initrd.systemd.tmpfiles.settings.<config-name>.<tmpfiles-type>.<path>.argument

An argument whose meaning depends on the type of operation.

Please see the upstream documentation for the meaning of this parameter in different situations: https://www.freedesktop.org/software/systemd/man/tmpfiles.d

Type: string

Default: ""

Example: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
boot.initrd.systemd.tmpfiles.settings.<config-name>.<tmpfiles-type>.<path>.group

The group of the file.

This may either be a numeric ID or a user/group name.

If omitted or when set to "-", the user and group of the user who invokes systemd-tmpfiles is used.

Type: string

Default: "-"

Example: "root"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
boot.initrd.systemd.tmpfiles.settings.<config-name>.<tmpfiles-type>.<path>.mode

The file access mode to use when creating this file or directory.

Type: string

Default: "-"

Example: "0755"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
boot.initrd.systemd.tmpfiles.settings.<config-name>.<tmpfiles-type>.<path>.type

The type of operation to perform on the file.

The type consists of a single letter and optionally one or more modifier characters.

Please see the upstream documentation for the available types and more details: https://www.freedesktop.org/software/systemd/man/tmpfiles.d

Type: string

Default: "‹name›"

Example: "d"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
boot.initrd.systemd.tmpfiles.settings.<config-name>.<tmpfiles-type>.<path>.user

The user of the file.

This may either be a numeric ID or a user/group name.

If omitted or when set to "-", the user and group of the user who invokes systemd-tmpfiles is used.

Type: string

Default: "-"

Example: "root"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
boot.initrd.systemd.tpm2.enable

Whether to enable systemd initrd TPM2 support.

Type: boolean

Default: "boot.initrd.systemd.package.withTpm2Tss"

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tpm2.nix>
boot.initrd.systemd.units

Definition of systemd units.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/initrd.nix>
boot.initrd.systemd.users

Users to include in initrd.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
boot.initrd.systemd.users.<name>.group

Group the user belongs to in initrd.

Type: (optionally newline-terminated) single-line string

Default: config.users.users.${name}.group

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
boot.initrd.systemd.users.<name>.shell

The path to the user’s shell in initrd.

Type: path, not containing newlines or colons

Default: ${pkgs.shadow}/bin/nologin

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
boot.initrd.systemd.users.<name>.uid

ID of the user in initrd.

Type: signed integer

Default: config.users.users.${name}.uid

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
boot.initrd.unl0kr.enable

Whether to enable the unl0kr on-screen keyboard in initrd to unlock LUKS.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/unl0kr.nix>
boot.initrd.unl0kr.package

The unl0kr package to use.

Type: package

Default: pkgs.unl0kr

Declared by:

<nixpkgs/nixos/modules/system/boot/unl0kr.nix>
boot.initrd.unl0kr.allowVendorDrivers

Whether to load additional drivers for certain vendors (I.E: Wacom, Intel, etc.)

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/unl0kr.nix>
boot.initrd.unl0kr.settings

Configuration for unl0kr.

See unl0kr.conf(5) for supported values.

Alternatively, visit https://gitlab.com/postmarketOS/buffybox/-/blob/unl0kr-2.0.0/unl0kr.conf

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  general.animations = true;
  theme = {
    default = "pmos-dark";
    alternate = "pmos-light";
  };
}

Declared by:

<nixpkgs/nixos/modules/system/boot/unl0kr.nix>
boot.initrd.verbose

Verbosity of the initrd. Please note that disabling verbosity removes only the mandatory messages generated by the NixOS scripts. For a completely silent boot, you might also want to set the two following configuration options:

  • boot.consoleLogLevel = 0;

  • boot.kernelParams = [ "quiet" "udev.log_level=3" ];

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.isContainer

Whether this NixOS machine is a lightweight container running in another NixOS system.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
boot.iscsi-initiator.discoverPortal

iSCSI portal to boot from.

Type: null or string

Default: null

Example: "192.168.1.1:3260"

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
boot.iscsi-initiator.extraConfig

Extra lines to append to /etc/iscsid.conf

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
boot.iscsi-initiator.extraConfigFile

Append an additional file’s contents to /etc/iscsid.conf. Use a non-store path and store passwords in this file. Note: the file specified here must be available in the initrd, see: boot.initrd.secrets.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
boot.iscsi-initiator.extraIscsiCommands

Extra iscsi commands to run in the initrd.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
boot.iscsi-initiator.logLevel

Higher numbers elicits more logs.

Type: signed integer

Default: 1

Example: 8

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
boot.iscsi-initiator.loginAll

Do not log into a specific target on the portal, but to all that we discover. This overrides setting target.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
boot.iscsi-initiator.name

Name of the iSCSI initiator to boot from. Note, booting from iscsi requires networkd based networking.

Type: null or string

Default: null

Example: "iqn.2020-08.org.linux-iscsi.initiatorhost:example"

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
boot.iscsi-initiator.target

Name of the iSCSI target to boot from.

Type: null or string

Default: null

Example: "iqn.2020-08.org.linux-iscsi.targethost:example"

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/root-initiator.nix>
boot.kernel.enable

Whether to enable the Linux kernel. This is useful for systemd-like containers which do not require a kernel.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.kernel.randstructSeed

Provides a custom seed for the RANDSTRUCT security option of the Linux kernel. Note that RANDSTRUCT is only enabled in NixOS hardened kernels. Using a custom seed requires building the kernel and dependent packages locally, since this customization happens at build time.

Type: string

Default: ""

Example: "my secret seed"

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.kernel.sysctl

Runtime parameters of the Linux kernel, as set by sysctl(8). Note that sysctl parameters names must be enclosed in quotes (e.g. "vm.swappiness" instead of vm.swappiness). The value of each parameter may be a string, integer, boolean, or null (signifying the option will not appear at all).

Type: attribute set of (sysctl option value)

Default: { }

Example:

{ "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }

Declared by:

<nixpkgs/nixos/modules/config/sysctl.nix>
boot.kernel.sysctl."net.core.rmem_max"

The maximum receive socket buffer size in bytes. In case of conflicting values, the highest will be used.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/config/sysctl.nix>
boot.kernel.sysctl."net.core.wmem_max"

The maximum send socket buffer size in bytes. In case of conflicting values, the highest will be used.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/config/sysctl.nix>
boot.kernelModules

The set of kernel modules to be loaded in the second stage of the boot process. Note that modules that are needed to mount the root file system should be added to boot.initrd.availableKernelModules or boot.initrd.kernelModules.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.kernelPackages

This option allows you to override the Linux kernel used by NixOS. Since things like external kernel module packages are tied to the kernel you’re using, it also overrides those. This option is a function that takes Nixpkgs as an argument (as a convenience), and returns an attribute set containing at the very least an attribute kernel. Additional attributes may be needed depending on your configuration. For instance, if you use the NVIDIA X driver, then it also needs to contain an attribute nvidia_x11.

Please note that we strictly support kernel versions that are maintained by the Linux developers only. More information on the availability of kernel versions is documented in the Linux section of the manual.

Type: raw value

Default: pkgs.linuxPackages

Example: pkgs.linuxKernel.packages.linux_5_10

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.kernelParams

Parameters added to the kernel command line.

Type: list of string, with spaces inside double quotes

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.kernelPatches

A list of additional patches to apply to the kernel.

Every item should be an attribute set with the following attributes:

{
  name = "foo";                 # descriptive name, required

  patch = ./foo.patch;          # path or derivation that contains the patch source
                                # (required, but can be null if only config changes
                                # are needed)

  extraStructuredConfig = {     # attrset of extra configuration parameters without the CONFIG_ prefix
    FOO = lib.kernel.yes;       # (optional)
  };                            # values should generally be lib.kernel.yes,
                                # lib.kernel.no or lib.kernel.module

  features = {                  # attrset of extra "features" the kernel is considered to have
    foo = true;                 # (may be checked by other NixOS modules, optional)
  };

  extraConfig = "FOO y";        # extra configuration options in string form without the CONFIG_ prefix
                                # (optional, multiple lines allowed to specify multiple options)
                                # (deprecated, use extraStructuredConfig instead)
}

There’s a small set of existing kernel patches in Nixpkgs, available as pkgs.kernelPatches, that follow this format and can be used directly.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    name = "foo";
    patch = ./foo.patch;
    extraStructuredConfig.FOO = lib.kernel.yes;
    features.foo = true;
  }
  {
    name = "foo-ml-mbox";
    patch = (fetchurl {
      url = "https://lore.kernel.org/lkml/19700205182810.58382-1-email@domain/t.mbox.gz";
      hash = "sha256-...";
    });
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.loader.efi.canTouchEfiVariables

Whether the installation process is allowed to modify EFI boot variables.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/efi.nix>
boot.loader.efi.efiSysMountPoint

Where the EFI System Partition is mounted.

Type: string

Default: "/boot"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/efi.nix>
boot.loader.external.enable

Whether to enable using an external tool to install your bootloader.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/external/external.nix>
boot.loader.external.installHook

The full path to a program of your choosing which performs the bootloader installation process.

The program will be called with an argument pointing to the output of the system’s toplevel.

Type: path

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/external/external.nix>
boot.loader.generationsDir.enable

Whether to create symlinks to the system generations under /boot. When enabled, /boot/default/kernel, /boot/default/initrd, etc., are updated to point to the current generation’s kernel image, initial RAM disk, and other bootstrap files.

This optional is not necessary with boot loaders such as GNU GRUB for which the menu is updated to point to the latest bootstrap files. However, it is needed for U-Boot on platforms where the boot command line is stored in flash memory rather than in a menu file.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix>
boot.loader.generationsDir.copyKernels

Whether to copy the necessary boot files into /boot, so /nix/store is not needed by the boot loader.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/generations-dir/generations-dir.nix>
boot.loader.generic-extlinux-compatible.enable

Whether to generate an extlinux-compatible configuration file under /boot/extlinux.conf. For instance, U-Boot’s generic distro boot support uses this file format.

See U-boot’s documentation for more information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/generic-extlinux-compatible>
boot.loader.generic-extlinux-compatible.configurationLimit

Maximum number of configurations in the boot menu.

Type: signed integer

Default: 20

Example: 10

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/generic-extlinux-compatible>
boot.loader.generic-extlinux-compatible.mirroredBoots

Mirror the boot configuration to multiple paths.

Type: list of (submodule)

Default:

[
  {
    path = "/boot";
  }
]

Example:

[
  {
    path = "/boot1";
  }
  {
    path = "/boot2";
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/generic-extlinux-compatible>
boot.loader.generic-extlinux-compatible.mirroredBoots.*.path

The path to the boot directory where the extlinux-compatible configuration files will be written.

Type: string

Example: "/boot1"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/generic-extlinux-compatible>
boot.loader.generic-extlinux-compatible.populateCmd

Contains the builder command used to populate an image, honoring all options except the -c <path-to-default-configuration> argument. Useful to have for sdImage.populateRootCommands

Type: string (read only)

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/generic-extlinux-compatible>
boot.loader.generic-extlinux-compatible.useGenerationDeviceTree

Whether to generate Device Tree-related directives in the extlinux configuration.

When enabled, the bootloader will attempt to load the device tree binaries from the generation’s kernel.

Note that this affects all generations, regardless of the setting value used in their configurations.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/generic-extlinux-compatible>
boot.loader.grub.enable

Whether to enable the GNU GRUB boot loader.

Type: boolean

Default: !config.boot.isContainer

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.enableCryptodisk

Enable support for encrypted partitions. GRUB should automatically unlock the correct encrypted partition and look for filesystems.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.backgroundColor

Background color to be used for GRUB to fill the areas the image isn’t filling.

Type: null or string

Default: null

Example: "#7EBAE4"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.configurationLimit

Maximum of configurations in boot menu. GRUB has problems when there are too many entries.

Type: signed integer

Default: 100

Example: 120

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.configurationName

GRUB entry name instead of default.

Type: string

Default: ""

Example: "Stable 2.6.21"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.copyKernels

Whether the GRUB menu builder should copy kernels and initial ramdisks to /boot. This is done automatically if /boot is on a different partition than /.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.default

Index of the default menu item to be booted. Can also be set to “saved”, which will make GRUB select the menu item that was used at the last boot.

Type: signed integer or string

Default: "0"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.device

The device on which the GRUB boot loader will be installed. The special value nodev means that a GRUB boot menu will be generated, but GRUB itself will not actually be installed. To install GRUB on multiple devices, use boot.loader.grub.devices.

Type: string

Default: ""

Example: "/dev/disk/by-id/wwn-0x500001234567890a"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.devices

The devices on which the boot loader, GRUB, will be installed. Can be used instead of device to install GRUB onto multiple devices.

Type: list of string

Default: [ ]

Example:

[
  "/dev/disk/by-id/wwn-0x500001234567890a"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.efiInstallAsRemovable

Whether to invoke grub-install with --removable.

Unless you turn this on, GRUB will install itself somewhere in boot.loader.efi.efiSysMountPoint (exactly where depends on other config variables). If you’ve set boot.loader.efi.canTouchEfiVariables AND you are currently booted in UEFI mode, then GRUB will use efibootmgr to modify the boot order in the EFI variables of your firmware to include this location. If you are not booted in UEFI mode at the time GRUB is being installed, the NVRAM will not be modified, and your system will not find GRUB at boot time. However, GRUB will still return success so you may miss the warning that gets printed (“efibootmgr: EFI variables are not supported on this system.”).

If you turn this feature on, GRUB will install itself in a special location within efiSysMountPoint (namely EFI/boot/boot$arch.efi) which the firmwares are hardcoded to try first, regardless of NVRAM EFI variables.

To summarize, turn this on if:

  • You are installing NixOS and want it to boot in UEFI mode, but you are currently booted in legacy mode

  • You want to make a drive that will boot regardless of the NVRAM state of the computer (like a USB “removable” drive)

  • You simply dislike the idea of depending on NVRAM state to make your drive bootable

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.efiSupport

Whether GRUB should be built with EFI support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.entryOptions

Options applied to the primary NixOS menu entry.

Type: null or string

Default: "--class nixos --unrestricted"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraConfig

Additional GRUB commands inserted in the configuration file just before the menu entries.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
  terminal_input --append serial
  terminal_output --append serial
''

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraEntries

Any additional entries you want added to the GRUB boot menu.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  # GRUB 2 example
  menuentry "Windows 7" {
    chainloader (hd0,4)+1
  }
  
  # GRUB 2 with UEFI example, chainloading another distro
  menuentry "Fedora" {
    set root=(hd1,1)
    chainloader /efi/fedora/grubx64.efi
  }
''

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraEntriesBeforeNixOS

Whether extraEntries are included before the default option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraFiles

A set of files to be copied to /boot. Each attribute name denotes the destination file name in /boot, while the corresponding attribute value specifies the source file.

Type: attribute set of path

Default: { }

Example:

{ "memtest.bin" = "${pkgs.memtest86plus}/memtest.bin"; }

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraGrubInstallArgs

Additional arguments passed to grub-install.

A use case for this is to build specific GRUB2 modules directly into the GRUB2 kernel image, so that they are available and activated even in the grub rescue shell.

They are also necessary when the BIOS/UEFI is bugged and cannot correctly read large disks (e.g. above 2 TB), so GRUB2’s own nativedisk and related modules can be used to use its own disk drivers. The example shows one such case. This is also useful for booting from USB. See the GRUB source code for which disk modules are available.

The list elements are passed directly as argv arguments to the grub-install program, in order.

Type: list of string

Default: [ ]

Example:

[
  "--modules=nativedisk ahci pata part_gpt part_msdos diskfilter mdraid1x lvm ext2"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraInstallCommands

Additional shell commands inserted in the bootloader installer script after generating menu entries.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  # the example below generates detached signatures that GRUB can verify
  # https://www.gnu.org/software/grub/manual/grub/grub.html#Using-digital-signatures
  ''${pkgs.findutils}/bin/find /boot -not -path "/boot/efi/*" -type f -name '*.sig' -delete
  old_gpg_home=$GNUPGHOME
  export GNUPGHOME="$(mktemp -d)"
  ''${pkgs.gnupg}/bin/gpg --import ''${priv_key} > /dev/null 2>&1
  ''${pkgs.findutils}/bin/find /boot -not -path "/boot/efi/*" -type f -exec ''${pkgs.gnupg}/bin/gpg --detach-sign "{}" \; > /dev/null 2>&1
  rm -rf $GNUPGHOME
  export GNUPGHOME=$old_gpg_home
''

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraPerEntryConfig

Additional GRUB commands inserted in the configuration file at the start of each NixOS menu entry.

Type: strings concatenated with “\n”

Default: ""

Example: "root (hd0)"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.extraPrepareConfig

Additional bash commands to be run at the script that prepares the GRUB menu entries.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.font

Path to a TrueType, OpenType, or pf2 font to be used by Grub.

Type: null or path

Default: "${pkgs.grub2}/share/grub/unicode.pf2"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.fontSize

Font size for the grub menu. Ignored unless font is set to a ttf or otf font.

Type: null or signed integer

Default: null

Example: 16

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.forceInstall

Whether to try and forcibly install GRUB even if problems are detected. It is not recommended to enable this unless you know what you are doing.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.forcei686

Whether to force the use of a ia32 boot loader on x64 systems. Required to install and run NixOS on 64bit x86 systems with 32bit (U)EFI.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.fsIdentifier

Determines how GRUB will identify devices when generating the configuration file. A value of uuid / label signifies that grub will always resolve the uuid or label of the device before using it in the configuration. A value of provided means that GRUB will use the device name as show in df or mount. Note, zfs zpools / datasets are ignored and will always be mounted using their labels.

Type: one of “uuid”, “label”, “provided”

Default: "uuid"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.gfxmodeBios

The gfxmode to pass to GRUB when loading a graphical boot interface under BIOS.

Type: string

Default: "1024x768"

Example: "auto"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.gfxmodeEfi

The gfxmode to pass to GRUB when loading a graphical boot interface under EFI.

Type: string

Default: "auto"

Example: "1024x768"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.gfxpayloadBios

The gfxpayload to pass to GRUB when loading a graphical boot interface under BIOS.

Type: string

Default: "text"

Example: "keep"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.gfxpayloadEfi

The gfxpayload to pass to GRUB when loading a graphical boot interface under EFI.

Type: string

Default: "keep"

Example: "text"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.ipxe

Set of iPXE scripts available for booting from the GRUB boot menu.

Type: attribute set of (path or string)

Default: { }

Example:

{ demo = ''
    #!ipxe
    dhcp
    chain http://boot.ipxe.org/demo/boot.php
  '';
}

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/ipxe.nix>
boot.loader.grub.memtest86.enable

Make Memtest86+, a memory testing program, available from the GRUB boot menu.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/memtest.nix>
boot.loader.grub.memtest86.params

Parameters added to the Memtest86+ command line. As of memtest86+ 5.01 the following list of (apparently undocumented) parameters are accepted:

  • console=..., set up a serial console. Examples: console=ttyS0, console=ttyS0,9600 or console=ttyS0,115200n8.

  • btrace, enable boot trace.

  • maxcpus=N, limit number of CPUs.

  • onepass, run one pass and exit if there are no errors.

  • tstlist=..., list of tests to run. Example: 0,1,2.

  • cpumask=..., set a CPU mask, to select CPUs to use for testing.

This list of command line options was obtained by reading the Memtest86+ source code.

Type: list of string

Default: [ ]

Example:

[
  "console=ttyS0,115200"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/memtest.nix>
boot.loader.grub.mirroredBoots

Mirror the boot configuration to multiple partitions and install grub to the respective devices corresponding to those partitions.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    devices = [
      "/dev/disk/by-id/wwn-0x500001234567890a"
    ];
    path = "/boot1";
  }
  {
    devices = [
      "/dev/disk/by-id/wwn-0x500009876543210a"
    ];
    path = "/boot2";
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.mirroredBoots.*.devices

The path to the devices which will have the GRUB MBR written. Note these are typically device paths and not paths to partitions.

Type: list of string

Default: [ ]

Example:

[
  "/dev/disk/by-id/wwn-0x500001234567890a"
  "/dev/disk/by-id/wwn-0x500009876543210a"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.mirroredBoots.*.efiBootloaderId

The id of the bootloader to store in efi nvram. The default is to name it NixOS and append the path or efiSysMountPoint. This is only used if boot.loader.efi.canTouchEfiVariables is true.

Type: null or string

Default: null

Example: "NixOS-fsid"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.mirroredBoots.*.efiSysMountPoint

The path to the efi system mount point. Usually this is the same partition as the above path and can be left as null.

Type: null or string

Default: null

Example: "/boot1/efi"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.mirroredBoots.*.path

The path to the boot directory where GRUB will be written. Generally this boot path should double as an EFI path.

Type: string

Example: "/boot1"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.splashImage

Background image used for GRUB. Set to null to run GRUB in text mode.

Note

File must be one of .png, .tga, .jpg, or .jpeg. JPEG images must not be progressive. The image will be scaled if necessary to fit the screen.

Type: null or path

Example: ./my-background.png

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.splashMode

Whether to stretch the image or show the image in the top-left corner unstretched.

Type: one of “normal”, “stretch”

Default: "stretch"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.storePath

Path to the Nix store when looking for kernels at boot. Only makes sense when copyKernels is false.

Type: string

Default: "/nix/store"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.subEntryOptions

Options applied to the secondary NixOS submenu entry.

Type: null or string

Default: "--class nixos"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.theme

Path to the grub theme to be used.

Type: null or path

Default: null

Example: "${pkgs.libsForQt5.breeze-grub}/grub/themes/breeze"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.timeoutStyle
  • menu shows the menu.

  • countdown uses a text-mode countdown.

  • hidden hides GRUB entirely.

When using a theme, the default value (menu) is appropriate for the graphical countdown.

When attempting to do flicker-free boot, hidden should be used.

See the GRUB documentation section about timeout_style.

Note

If this option is set to ‘countdown’ or ‘hidden’ […] and ESC or F4 are pressed, or SHIFT is held down during that time, it will display the menu and wait for input.

From: Simple configuration handling page, under GRUB_TIMEOUT_STYLE.

Type: one of “menu”, “countdown”, “hidden”

Default: "menu"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.useOSProber

If set to true, append entries for other OSs detected by os-prober.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.users

User accounts for GRUB. When specified, the GRUB command line and all boot options except the default are password-protected. All passwords and hashes provided will be stored in /boot/grub/grub.cfg, and will be visible to any local user who can read this file. Additionally, any passwords and hashes provided directly in a Nix configuration (as opposed to external files) will be copied into the Nix store, and will be visible to all local users.

Type: attribute set of (submodule)

Default: { }

Example:

{
  root = {
    hashedPasswordFile = "/path/to/file";
  };
}

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.users.<name>.hashedPassword

Specifies the password hash for the account, generated with grub-mkpasswd-pbkdf2. This hash will be copied to the Nix store, and will be visible to all local users.

Type: null or string

Default: null

Example: "grub.pbkdf2.sha512.10000.674DFFDEF76E13EA...2CC972B102CF4355"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.users.<name>.hashedPasswordFile

Specifies the path to a file containing the password hash for the account, generated with grub-mkpasswd-pbkdf2. This hash will be stored in /boot/grub/grub.cfg, and will be visible to any local user who can read this file.

Type: null or string

Default: null

Example: "/path/to/file"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.users.<name>.password

Specifies the clear text password for the account. This password will be copied to the Nix store, and will be visible to all local users.

Type: null or string

Default: null

Example: "Pa$$w0rd!"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.users.<name>.passwordFile

Specifies the path to a file containing the clear text password for the account. This password will be stored in /boot/grub/grub.cfg, and will be visible to any local user who can read this file.

Type: null or string

Default: null

Example: "/path/to/file"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.grub.zfsSupport

Whether GRUB should be built against libzfs.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/grub/grub.nix>
boot.loader.initScript.enable

Some systems require a /sbin/init script which is started. Or having it makes starting NixOS easier. This applies to some kind of hosting services and user mode linux.

Additionally this script will create /boot/init-other-configurations-contents.txt containing contents of remaining configurations. You can copy paste them into /sbin/init manually running a rescue system or such.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/init-script/init-script.nix>
boot.loader.systemd-boot.enable

Whether to enable the systemd-boot (formerly gummiboot) EFI boot manager. For more information about systemd-boot: https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.configurationLimit

Maximum number of latest generations in the boot menu. Useful to prevent boot partition running out of disk space.

null means no limit i.e. all generations that have not been garbage collected yet.

Type: null or signed integer

Default: null

Example: 120

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.consoleMode

The resolution of the console. The following values are valid:

  • "0": Standard UEFI 80x25 mode

  • "1": 80x50 mode, not supported by all devices

  • "2": The first non-standard mode provided by the device firmware, if any

  • "5": Applicable for SteamDeck where this mode represent horizontal mode

  • "auto": Pick a suitable mode automatically using heuristics

  • "max": Pick the highest-numbered available mode

  • "keep": Keep the mode selected by firmware (the default)

Type: one of “0”, “1”, “2”, “5”, “auto”, “max”, “keep”

Default: "keep"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.editor

Whether to allow editing the kernel command-line before boot. It is recommended to set this to false, as it allows gaining root access by passing init=/bin/sh as a kernel parameter. However, it is enabled by default for backwards compatibility.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.edk2-uefi-shell.enable

Make the EDK2 UEFI Shell available from the systemd-boot menu. It can be used to manually boot other operating systems or for debugging.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.edk2-uefi-shell.sortKey

systemd-boot orders the menu entries by their sort keys, so if you want something to appear after all the NixOS entries, it should start with o or onwards.

See also boot.loader.systemd-boot.sortKey

Type: string

Default: "o_edk2-uefi-shell"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.extraEntries

Any additional entries you want added to the systemd-boot menu. These entries will be copied to $BOOT/loader/entries. Each attribute name denotes the destination file name, and the corresponding attribute value is the contents of the entry.

To control the ordering of the entry in the boot menu, use the sort-key field, see https://uapi-group.org/specifications/specs/boot_loader_specification/#sorting and boot.loader.systemd-boot.sortKey.

Type: attribute set of strings concatenated with “\n”

Default: { }

Example:

{ "memtest86.conf" = ''
  title Memtest86+
  efi /efi/memtest86/memtest.efi
  sort-key z_memtest
''; }

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.extraFiles

A set of files to be copied to $BOOT. Each attribute name denotes the destination file name in $BOOT, while the corresponding attribute value specifies the source file.

Type: attribute set of path

Default: { }

Example:

{ "efi/memtest86/memtest.efi" = "${pkgs.memtest86plus}/memtest.efi"; }

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.extraInstallCommands

Additional shell commands inserted in the bootloader installer script after generating menu entries. It can be used to expand on extra boot entries that cannot incorporate certain pieces of information (such as the resulting init= kernel parameter).

Type: strings concatenated with “\n”

Default: ""

Example:

''
  default_cfg=$(cat /boot/loader/loader.conf | grep default | awk '{print $2}')
  init_value=$(cat /boot/loader/entries/$default_cfg | grep init= | awk '{print $2}')
  sed -i "s|@INIT@|$init_value|g" /boot/custom/config_with_placeholder.conf
''

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.graceful

Invoke bootctl install with the --graceful option, which ignores errors when EFI variables cannot be written or when the EFI System Partition cannot be found. Currently only applies to random seed operations.

Only enable this option if systemd-boot otherwise fails to install, as the scope or implication of the --graceful option may change in the future.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.installDeviceTree

Install the devicetree blob specified by config.hardware.deviceTree.name to the ESP and instruct systemd-boot to pass this DTB to linux.

Type: unspecified value

Default: "with config.hardware.deviceTree; enable && name != null"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.memtest86.enable

Make Memtest86+ available from the systemd-boot menu. Memtest86+ is a program for testing memory.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.memtest86.sortKey

systemd-boot orders the menu entries by their sort keys, so if you want something to appear after all the NixOS entries, it should start with o or onwards.

See also boot.loader.systemd-boot.sortKey.

Type: string

Default: "o_memtest86"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.netbootxyz.enable

Make netboot.xyz available from the systemd-boot menu. netboot.xyz is a menu system that allows you to boot OS installers and utilities over the network.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.netbootxyz.sortKey

systemd-boot orders the menu entries by their sort keys, so if you want something to appear after all the NixOS entries, it should start with o or onwards.

See also boot.loader.systemd-boot.sortKey.

Type: string

Default: "o_netbootxyz"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.rebootForBitlocker

Enable EXPERIMENTAL BitLocker support.

Try to detect BitLocker encrypted drives along with an active TPM. If both are found and Windows Boot Manager is selected in the boot menu, set the “BootNext” EFI variable and restart the system. The firmware will then start Windows Boot Manager directly, leaving the TPM PCRs in expected states so that Windows can unseal the encryption key.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.sortKey

The sort key used for the NixOS bootloader entries. This key determines sorting relative to non-NixOS entries. See also https://uapi-group.org/specifications/specs/boot_loader_specification/#sorting

This option can also be used to control the sorting of NixOS specialisations.

By default, specialisations inherit the sort key of their parent generation and will have the same value for both the sort-key and the version (i.e. the generation number), systemd-boot will therefore sort them based on their file name, meaning that in your boot menu you will have each main generation directly followed by its specialisations sorted alphabetically by their names.

If you want a different ordering for a specialisation, you can override its sort-key which will cause the specialisation to be uncoupled from its parent generation. It will then be sorted by its new sort-key just like any other boot entry.

The sort-key is stored in the generation’s bootspec, which means that generations keep their sort-keys even if the original definition of the generation was removed from the NixOS configuration. It also means that updating the sort-key will only affect new generations, while old ones will keep the sort-key that they were originally built with.

Type: string

Default: "nixos"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.windows

Make Windows bootable from systemd-boot. This option is not necessary when Windows and NixOS use the same EFI System Partition (ESP). In that case, Windows will automatically be detected by systemd-boot.

However, if Windows is installed on a separate drive or ESP, you can use this option to add a menu entry for each installation manually.

The attribute name is used for the title of the menu entry and internal file names.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "10".efiDeviceHandle = "HD0c3";
  "11-ame" = {
    title = "Windows 11 Ameliorated Edition";
    efiDeviceHandle = "HD0b1";
  };
  "11-home" = {
    title = "Windows 11 Home";
    efiDeviceHandle = "FS1";
    sortKey = "z_windows";
  };
}

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.windows.<name>.efiDeviceHandle

The device handle of the EFI System Partition (ESP) where the Windows bootloader is located. This is the device handle that the EDK2 UEFI Shell uses to load the bootloader.

To find this handle, follow these steps:

  1. Set boot.loader.systemd-boot.edk2-uefi-shell.enable to true

  2. Run nixos-rebuild boot

  3. Reboot and select “EDK2 UEFI Shell” from the systemd-boot menu

  4. Run map -c to list all consistent device handles

  5. For each device handle (for example, HD0c1), run ls HD0c1:\EFI

  6. If the output contains the directory Microsoft, you might have found the correct device handle

  7. Run HD0c1:\EFI\Microsoft\Boot\Bootmgfw.efi to check if Windows boots correctly

  8. If it does, this device handle is the one you need (in this example, HD0c1)

This option is required, there is no useful default.

Type: string

Example: "HD1b3"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.windows.<name>.sortKey

systemd-boot orders the menu entries by their sort keys, so if you want something to appear after all the NixOS entries, it should start with o or onwards.

See also boot.loader.systemd-boot.sortKey

Type: string

Default: "attribute name of this entry, prefixed with \"o_windows_\""

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.windows.<name>.title

The title of the boot menu entry.

Type: string

Default: "attribute name of this entry, prefixed with \"Windows \""

Example: "Michaelsoft Binbows"

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.systemd-boot.xbootldrMountPoint

Where the XBOOTLDR partition is mounted.

If set, this partition will be used as $BOOT to store boot loader entries and extra files instead of the EFI partition. As per the bootloader specification, it is recommended that the EFI and XBOOTLDR partitions be mounted at /efi and /boot, respectively.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix>
boot.loader.timeout

Timeout (in seconds) until loader boots the default menu item. Use null if the loader menu should be displayed indefinitely.

Type: null or signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/system/boot/loader/loader.nix>
boot.modprobeConfig.enable

Whether to enable modprobe config. This is useful for systems like containers which do not require a kernel.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/modprobe.nix>
boot.modprobeConfig.useUbuntuModuleBlacklist

Whether to enable Ubuntu distro’s module blacklist.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/modprobe.nix>
boot.plymouth.enable

Whether to enable Plymouth boot splash screen.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/plymouth.nix>
boot.plymouth.extraConfig

Literal string to append to configFile and the config file generated by the plymouth module.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/plymouth.nix>
boot.plymouth.font

Font file made available for displaying text on the splash screen.

Type: path

Default: "${pkgs.dejavu_fonts.minimal}/share/fonts/truetype/DejaVuSans.ttf"

Declared by:

<nixpkgs/nixos/modules/system/boot/plymouth.nix>
boot.plymouth.logo

Logo which is displayed on the splash screen. Currently supports PNG file format only.

Type: path

Default: "${pkgs.nixos-icons}/share/icons/hicolor/48x48/apps/nix-snowflake-white.png"

Example:

pkgs.fetchurl {
  url = "https://nixos.org/logo/nixos-hires.png";
  sha256 = "1ivzgd7iz0i06y36p8m5w48fd8pjqwxhdaavc0pxs7w1g7mcy5si";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/plymouth.nix>
boot.plymouth.theme

Splash screen theme.

Type: string

Default: "bgrt"

Declared by:

<nixpkgs/nixos/modules/system/boot/plymouth.nix>
boot.plymouth.themePackages

Extra theme packages for plymouth.

Type: list of package

Default: A NixOS branded variant of the breeze theme when config.boot.plymouth.theme == "breeze", otherwise [ ].

Declared by:

<nixpkgs/nixos/modules/system/boot/plymouth.nix>
boot.postBootCommands

Shell commands to be executed just before systemd is started.

Type: strings concatenated with “\n”

Default: ""

Example: "rm -f /var/log/messages"

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-2.nix>
boot.readOnlyNixStore

If set, NixOS will enforce the immutability of the Nix store by making /nix/store a read-only bind mount. Nix will automatically make the store writable when needed.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-2.nix>
boot.resumeDevice

Device for manual resume attempt during boot. This should be used primarily if you want to resume from file. If left empty, the swap partitions are used. Specify here the device where the file resides. You should also use boot.kernelParams to specify «resume_offset».

Type: string

Default: ""

Example: "/dev/sda3"

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
boot.runSize

Size limit for the /run tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.

Type: string

Default: "25%"

Example: "256m"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.specialFileSystems.<name>.depends

List of paths that should be mounted before this one. This filesystem’s device and mountPoint are always checked and do not need to be included explicitly. If a path is added to this list, any other filesystem whose mount point is a parent of the path will be mounted before this filesystem. The paths do not need to actually be the mountPoint of some other filesystem.

Type: list of string (with check: non-empty without trailing slash)

Default: [ ]

Example:

[
  "/persist"
]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.specialFileSystems.<name>.device

Location of the device.

Type: null or string (with check: non-empty)

Default: null

Example: "/dev/sda"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.specialFileSystems.<name>.fsType

Type of the file system.

Type: string (with check: non-empty)

Default: "auto"

Example: "ext3"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.specialFileSystems.<name>.mountPoint

Location of the mounted file system.

Type: string (with check: non-empty without trailing slash)

Example: "/mnt/usb"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.specialFileSystems.<name>.options

Options used to mount the file system.

Type: non-empty (list of string (with check: non-empty))

Default:

[
  "defaults"
]

Example:

[
  "data=journal"
]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.specialFileSystems.<name>.stratis.poolUuid

UUID of the stratis pool that the fs is located in

Type: null or string

Default: null

Example: "04c68063-90a5-4235-b9dd-6180098a20d9"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.supportedFilesystems

Names of supported filesystem types, or an attribute set of file system types and their state. The set form may be used together with lib.mkForce to explicitly disable support for specific filesystems, e.g. to disable ZFS with an unsupported kernel.

Type: (attribute set of boolean) or (list of string) convertible to it

Default: { }

Example:

{
  btrfs = true;
  zfs = lib.mkForce false;
}

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
boot.swraid.enable

Whether to enable support for Linux MD RAID arrays.

When this is enabled, mdadm will be added to the system path, and MD RAID arrays will be detected and activated automatically, both in stage-1 (initramfs) and in stage-2 (the final NixOS system).

This should be enabled if you want to be able to access and/or boot from MD RAID arrays. nixos-generate-config should detect it correctly in the standard installation procedure.

Type: boolean

Default: "`true` if stateVersion is older than 23.11"

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/swraid.nix>
boot.swraid.mdadmConf

Contents of /etc/mdadm.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/tasks/swraid.nix>
boot.systemdExecutable

The program to execute to start systemd.

Type: string

Default: "/run/current-system/systemd/lib/systemd/systemd"

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-2.nix>
boot.tmp.cleanOnBoot

Whether to delete all files in /tmp during boot.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/tmp.nix>
boot.tmp.tmpfsSize

Size of tmpfs in percentage. Percentage is defined by systemd.

Type: string or (positive integer, meaning >0)

Default: "50%"

Declared by:

<nixpkgs/nixos/modules/system/boot/tmp.nix>
boot.tmp.useTmpfs

Whether to mount a tmpfs on /tmp during boot.

Note

Large Nix builds can fail if the mounted tmpfs is not large enough. In such a case either increase the tmpfsSize or disable this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/tmp.nix>
boot.uki.configFile

The configuration file passed to ukify(1) to create the UKI.

By default this configuration file is created from boot.uki.settings.

Type: path

Declared by:

<nixpkgs/nixos/modules/system/boot/uki.nix>
boot.uki.name

Name of the UKI

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/uki.nix>
boot.uki.settings

The configuration settings for ukify. These control what the UKI contains and how it is built.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Declared by:

<nixpkgs/nixos/modules/system/boot/uki.nix>
boot.uki.tries

Number of boot attempts before this UKI is considered bad.

If no tries are specified (the default) automatic boot assessment remains inactive.

See documentation on Automatic Boot Assessment and boot counting for more information.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/uki.nix>
boot.uki.version

Version of the image or generation the UKI belongs to

Type: null or string

Default: config.system.image.version

Declared by:

<nixpkgs/nixos/modules/system/boot/uki.nix>
boot.uvesafb.enable

Whether to enable uvesafb.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/uvesafb.nix>
boot.uvesafb.gfx-mode

Screen resolution in modedb format. See uvesafb and modedb documentation for more details. The default value is a sensible default but may be not ideal for all setups.

Type: string

Default: "1024x768-32"

Declared by:

<nixpkgs/nixos/modules/system/boot/uvesafb.nix>
boot.uvesafb.v86d.package

Which v86d package to use with uvesafb

Type: package

Default:

''
  config.boot.kernelPackages.v86d.overrideAttrs (old: {
            hardeningDisable = [ "all" ];
          })''

Declared by:

<nixpkgs/nixos/modules/system/boot/uvesafb.nix>
boot.vesa

(Deprecated) This option, if set, activates the VESA 800x600 video mode on boot and disables kernel modesetting. It is equivalent to specifying [ "vga=0x317" "nomodeset" ] in the boot.kernelParams option. This option is deprecated as of 2020: Xorg now works better with modesetting, and you might want a different VESA vga setting, anyway.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/kernel.nix>
boot.zfs.enabled

True if ZFS filesystem support is enabled

Type: boolean (read only)

Default: true if ZFS filesystem support is enabled

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
boot.zfs.package

Configured ZFS userland tools package.

Type: package

Default: pkgs.zfs

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
boot.zfs.allowHibernation

Allow hibernation support, this may be a unsafe option depending on your setup. Make sure to NOT use Swap on ZFS.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
boot.zfs.devNodes

Name of directory from which to import ZFS device, this is passed to zpool import as the value of the -d option.

For guidance on choosing this value, see the ZFS documentation.

Type: path

Default: "/dev/disk/by-id"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
boot.zfs.extraPools

Name or GUID of extra ZFS pools that you wish to import during boot.

Usually this is not necessary. Instead, you should set the mountpoint property of ZFS filesystems to legacy and add the ZFS filesystems to NixOS’s fileSystems option, which makes NixOS automatically import the associated pool.

However, in some cases (e.g. if you have many filesystems) it may be preferable to exclusively use ZFS commands to manage filesystems. If so, since NixOS/systemd will not be managing those filesystems, you will need to specify the ZFS pool here so that NixOS automatically imports it on every boot.

Type: list of string

Default: [ ]

Example:

[
  "tank"
  "data"
]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
boot.zfs.forceImportAll

Forcibly import all ZFS pool(s).

If you set this option to false and NixOS subsequently fails to import your non-root ZFS pool(s), you should manually import each pool with “zpool import -f <pool-name>”, and then reboot. You should only need to do this once.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
boot.zfs.forceImportRoot

Forcibly import the ZFS root pool(s) during early boot.

This is enabled by default for backwards compatibility purposes, but it is highly recommended to disable this option, as it bypasses some of the safeguards ZFS uses to protect your ZFS pools.

If you set this option to false and NixOS subsequently fails to boot because it cannot import the root pool, you should boot with the zfs_force=1 option as a kernel parameter (e.g. by manually editing the kernel params in grub during boot). You should only need to do this once.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
boot.zfs.passwordTimeout

Timeout in seconds to wait for password entry for decrypt at boot.

Defaults to 0, which waits forever.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
boot.zfs.pools

Configuration for individual pools to override global defaults.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
boot.zfs.pools.<name>.devNodes

Name of directory from which to import ZFS device, this is passed to zpool import as the value of the -d option.

For guidance on choosing this value, see the ZFS documentation.

Type: path

Default: "config.boot.zfs.devNodes"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
boot.zfs.removeLinuxDRM

Patch the kernel to change symbols needed by ZFS from EXPORT_SYMBOL_GPL to EXPORT_SYMBOL.

Currently has no effect, but may again in future if a kernel update breaks ZFS due to symbols being newly changed to GPL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
boot.zfs.requestEncryptionCredentials

If true on import encryption keys or passwords for all encrypted datasets are requested. To only decrypt selected datasets supply a list of dataset names instead. For root pools the encryption key can be supplied via both an interactive prompt (keylocation=prompt) and from a file (keylocation=file://).

Type: boolean or list of string

Default: true

Example:

[
  "tank"
  "data"
]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
console.enable

Whether to enable virtual console.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/config/console.nix>
console.packages

List of additional packages that provide console fonts, keymaps and other resources for virtual consoles use.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/console.nix>
console.colors

The 16 colors palette used by the virtual consoles. Leave empty to use the default colors. Colors must be in hexadecimal format and listed in order from color 0 to color 15.

Type: list of string matching the pattern [[:xdigit:]]{6}

Default: [ ]

Example:

[
  "002b36"
  "dc322f"
  "859900"
  "b58900"
  "268bd2"
  "d33682"
  "2aa198"
  "eee8d5"
  "002b36"
  "cb4b16"
  "586e75"
  "657b83"
  "839496"
  "6c71c4"
  "93a1a1"
  "fdf6e3"
]

Declared by:

<nixpkgs/nixos/modules/config/console.nix>
console.earlySetup

Enable setting virtual console options as early as possible (in initrd).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/console.nix>
console.font

The font used for the virtual consoles. Can be null, a font name, or a path to a PSF font file.

Use null to let the kernel choose a built-in font. The default is 8x16, and, as of Linux 5.3, Terminus 32 bold for display resolutions of 2560x1080 and higher. These fonts cover the IBM437 character set.

Type: null or string or path

Default: null

Example: "LatArCyrHeb-16"

Declared by:

<nixpkgs/nixos/modules/config/console.nix>
console.keyMap

The keyboard mapping table for the virtual consoles.

Type: string or path

Default: "us"

Example: "fr"

Declared by:

<nixpkgs/nixos/modules/config/console.nix>
console.useXkbConfig

If set, configure the virtual console keymap from the xserver keyboard settings.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/console.nix>
containers

A set of NixOS system configurations to be run as lightweight containers. Each container appears as a service container-«name» on the host system, allowing it to be started and stopped via systemctl.

Type: attribute set of (submodule)

Default: { }

Example:

{ webserver =
    { path = "/nix/var/nix/profiles/webserver";
    };
  database =
    { config =
        { config, pkgs, ... }:
        { services.postgresql.enable = true;
          services.postgresql.package = pkgs.postgresql_14;

          system.stateVersion = "25.05";
        };
    };
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.enableTun

Allows the container to create and setup tunnel interfaces by granting the NET_ADMIN capability and enabling access to /dev/net/tun.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.additionalCapabilities

Grant additional capabilities to the container. See the capabilities(7) and systemd-nspawn(1) man pages for more information.

Type: list of string

Default: [ ]

Example:

[
  "CAP_NET_ADMIN"
  "CAP_MKNOD"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.allowedDevices

A list of device nodes to which the containers has access to.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    modifier = "rwm";
    node = "/dev/net/tun";
  }
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.allowedDevices.*.modifier

Device node access modifier. Takes a combination r (read), w (write), and m (mknod). See the systemd.resource-control(5) man page for more information.

Type: string

Example: "rw"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.allowedDevices.*.node

Path to device node

Type: string

Example: "/dev/net/tun"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.autoStart

Whether the container is automatically started at boot-time.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.bindMounts

An extra list of directories that is bound to the container.

Type: attribute set of (submodule)

Default: { }

Example:

{ "/home" = { hostPath = "/home/alice";
              isReadOnly = false; };
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.bindMounts.<name>.hostPath

Location of the host path to be mounted.

Type: null or string

Default: null

Example: "/home/alice"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.bindMounts.<name>.isReadOnly

Determine whether the mounted path will be accessed in read-only mode.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.bindMounts.<name>.mountPoint

Mount point on the container file system.

Type: string

Example: "/mnt/usb"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.config

A specification of the desired configuration of this container, as a NixOS module.

Type: Toplevel NixOS config

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.ephemeral

Runs container in ephemeral mode with the empty root filesystem at boot. This way container will be bootstrapped from scratch on each boot and will be cleaned up on shutdown leaving no traces behind. Useful for completely stateless, reproducible containers.

Note that this option might require to do some adjustments to the container configuration, e.g. you might want to set systemd.network.networks.$interface.dhcpV4Config.ClientIdentifier to “mac” if you use macvlans option. This way dhcp client identifier will be stable between the container restarts.

Note that the container journal will not be linked to the host if this option is enabled.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.extraFlags

Extra flags passed to the systemd-nspawn command. See systemd-nspawn(1) for details.

Type: list of string

Default: [ ]

Example:

[
  "--drop-capability=CAP_SYS_CHROOT"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.extraVeths

Extra veth-pairs to be created for the container.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.extraVeths.<name>.forwardPorts

List of forwarded ports from host to container. Each forwarded port is specified by protocol, hostPort and containerPort. By default, protocol is tcp and hostPort and containerPort are assumed to be the same if containerPort is not explicitly given.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    containerPort = 80;
    hostPort = 8080;
    protocol = "tcp";
  }
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.extraVeths.<name>.forwardPorts.*.containerPort

Target port of container

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.extraVeths.<name>.forwardPorts.*.hostPort

Source port of the external interface on host

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.extraVeths.<name>.forwardPorts.*.protocol

The protocol specifier for port forwarding between host and container

Type: string

Default: "tcp"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.extraVeths.<name>.hostAddress

The IPv4 address assigned to the host interface. (Not used when hostBridge is set.)

Type: null or string

Default: null

Example: "10.231.136.1"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.extraVeths.<name>.hostAddress6

The IPv6 address assigned to the host interface. (Not used when hostBridge is set.)

Type: null or string

Default: null

Example: "fc00::1"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.extraVeths.<name>.hostBridge

Put the host-side of the veth-pair into the named bridge. Only one of hostAddress* or hostBridge can be given.

Type: null or string

Default: null

Example: "br0"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.extraVeths.<name>.localAddress

The IPv4 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /32 and routing is set up from localAddress to hostAddress and back.

Type: null or string

Default: null

Example: "10.231.136.2"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.extraVeths.<name>.localAddress6

The IPv6 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /128 and routing is set up from localAddress6 to hostAddress6 and back.

Type: null or string

Default: null

Example: "fc00::2"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.forwardPorts

List of forwarded ports from host to container. Each forwarded port is specified by protocol, hostPort and containerPort. By default, protocol is tcp and hostPort and containerPort are assumed to be the same if containerPort is not explicitly given.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    containerPort = 80;
    hostPort = 8080;
    protocol = "tcp";
  }
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.forwardPorts.*.containerPort

Target port of container

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.forwardPorts.*.hostPort

Source port of the external interface on host

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.forwardPorts.*.protocol

The protocol specifier for port forwarding between host and container

Type: string

Default: "tcp"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.hostAddress

The IPv4 address assigned to the host interface. (Not used when hostBridge is set.)

Type: null or string

Default: null

Example: "10.231.136.1"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.hostAddress6

The IPv6 address assigned to the host interface. (Not used when hostBridge is set.)

Type: null or string

Default: null

Example: "fc00::1"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.hostBridge

Put the host-side of the veth-pair into the named bridge. Only one of hostAddress* or hostBridge can be given.

Type: null or string

Default: null

Example: "br0"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.interfaces

The list of interfaces to be moved into the container.

Type: list of string

Default: [ ]

Example:

[
  "eth1"
  "eth2"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.localAddress

The IPv4 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /32 and routing is set up from localAddress to hostAddress and back.

Type: null or string

Default: null

Example: "10.231.136.2"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.localAddress6

The IPv6 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /128 and routing is set up from localAddress6 to hostAddress6 and back.

Type: null or string

Default: null

Example: "fc00::2"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.macvlans

The list of host interfaces from which macvlans will be created. For each interface specified, a macvlan interface will be created and moved to the container.

Type: list of string

Default: [ ]

Example:

[
  "eth1"
  "eth2"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.nixpkgs

A path to the nixpkgs that provide the modules, pkgs and lib for evaluating the container.

To only change the pkgs argument used inside the container modules, set the nixpkgs.* options in the container config. Setting config.nixpkgs.pkgs = pkgs speeds up the container evaluation by reusing the system pkgs, but the nixpkgs.config option in the container config is ignored in this case.

Type: path

Default: pkgs.path

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.path

As an alternative to specifying config, you can specify the path to the evaluated NixOS system configuration, typically a symlink to a system profile.

Type: path

Example: "/nix/var/nix/profiles/per-container/webserver"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.privateNetwork

Whether to give the container its own private virtual Ethernet interface. The interface is called eth0, and is hooked up to the interface ve-«container-name» on the host. If this option is not set, then the container shares the network interfaces of the host, and can bind to any port on any interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.restartIfChanged

Whether the container should be restarted during a NixOS configuration switch if its definition has changed.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.specialArgs

A set of special arguments to be passed to NixOS modules. This will be merged into the specialArgs used to evaluate the NixOS configurations.

Type: attribute set of unspecified value

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.timeoutStartSec

Time for the container to start. In case of a timeout, the container processes get killed. See systemd.time(7) for more information about the format.

Type: string

Default: "1min"

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
containers.<name>.tmpfs

Mounts a set of tmpfs file systems into the container. Multiple paths can be specified. Valid items must conform to the --tmpfs argument of systemd-nspawn. See systemd-nspawn(1) for details.

Type: list of string

Default: [ ]

Example:

[
  "/var"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/nixos-containers.nix>
documentation.enable

Whether to install documentation of packages from environment.systemPackages into the generated system path.

See “Multiple-output packages” chapter in the nixpkgs manual for more info.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/misc/documentation.nix>
documentation.dev.enable

Whether to install documentation targeted at developers.

  • This includes man pages targeted at developers if documentation.man.enable is set (this also includes “devman” outputs).

  • This includes info pages targeted at developers if documentation.info.enable is set (this also includes “devinfo” outputs).

  • This includes other pages targeted at developers if documentation.doc.enable is set (this also includes “devdoc” outputs).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/misc/documentation.nix>
documentation.doc.enable

Whether to install documentation distributed in packages’ /share/doc. Usually plain text and/or HTML. This also includes “doc” outputs.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/misc/documentation.nix>
documentation.info.enable

Whether to install info pages and the info command. This also includes “info” outputs.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/misc/documentation.nix>
documentation.man.enable

Whether to install manual pages. This also includes man outputs.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/misc/documentation.nix>
documentation.man.generateCaches

Whether to generate the manual page index caches. This allows searching for a page or keyword using utilities like apropos(1) and the -k option of man(1).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/misc/documentation.nix>
documentation.man.man-db.enable

Whether to enable man-db as the default man page viewer.

Type: boolean

Default: config.documentation.man.enable

Example: false

Declared by:

<nixpkgs/nixos/modules/misc/man-db.nix>
documentation.man.man-db.package

The man-db derivation to use. Useful to override configuration options used for the package.

Type: package

Default: pkgs.man-db

Declared by:

<nixpkgs/nixos/modules/misc/man-db.nix>
documentation.man.man-db.manualPages

The manual pages to generate caches for if documentation.man.generateCaches is enabled. Must be a path to a directory with man pages under /share/man; see the source for an example. Advanced users can make this a content-addressed derivation to save a few rebuilds.

Type: path

Default: all man pages in config.environment.systemPackages

Declared by:

<nixpkgs/nixos/modules/misc/man-db.nix>
documentation.man.mandoc.enable

Whether to enable mandoc as the default man page viewer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.package

The mandoc derivation to use. Useful to override configuration options used for the package.

Type: package

Default: pkgs.mandoc

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.cachePath

Change the paths where mandoc makewhatis(8)generates the manual page index caches. documentation.man.generateCaches should be enabled to allow cache generation. This list should only include the paths to manpages installed in the system configuration, i. e. /run/current-system/sw/share/man. makewhatis(8) creates a database in each directory using the files mansection/[arch/]title.section and catsection/[arch/]title.0 in it. If a directory contains no manual pages, no database is created in that directory. This option only needs to be set manually if extra paths should be indexed or documentation.man.manPath contains paths that can’t be indexed.

Type: list of string

Default: config.documentation.man.mandoc.manPath

Example: [ "share/man" "share/man/fr" ]

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.extraConfig

Extra configuration to write to man.conf(5).

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.manPath

Change the paths included in the MANPATH environment variable, i. e. the directories where man(1) looks for section-specific directories of man pages. You only need to change this setting if you want extra man pages (e. g. in non-english languages). All values must be strings that are a valid path from the target prefix (without including it). The first value given takes priority. Note that this will not add manpath directives to man.conf(5).

Type: list of string

Default:

[
  "share/man"
]

Example: [ "share/man" "share/man/fr" ]

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.settings

Configuration for man.conf(5)

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.settings.manpath

Override the default search path for man(1), apropos(1), and makewhatis(8). It can be used multiple times to specify multiple paths, with the order determining the manual page search order. This is not recommended in favor of documentation.man.mandoc.manPath, but if it’s needed to specify the manpath in this way, set documentation.man.mandoc.manPath to an empty list ([]).

Type: list of string

Default: [ ]

Example: [ "/run/current-system/sw/share/man" ]

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.settings.output.fragment

Whether to omit the <!DOCTYPE> declaration and the <html>, <head>, and <body> elements and only emit the subtree below the <body> element in HTML output of mandoc(1). The style argument will be ignored. This is useful when embedding manual content within existing documents.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.settings.output.includes

A string of relative path used as a template for the output path of linked header files (usually via the In macro) in HTML output. Instances of %I are replaced with the include filename. The default is not to present a hyperlink.

Type: null or string

Default: null

Example: ../src/%I.html

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.settings.output.indent

Number of blank characters at the left margin for normal text, default of 5 for mdoc(7) and 7 for man(7). Increasing this is not recommended; it may result in degraded formatting, for example overfull lines or ugly line breaks. When output is to a pager on a terminal that is less than 66 columns wide, the default is reduced to three columns.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.settings.output.man

A template for linked manuals (usually via the Xr macro) in HTML output. Instances of ‘%N’ and ‘%S’ are replaced with the linked manual’s name and section, respectively. If no section is included, section 1 is assumed. The default is not to present a hyperlink. If two formats are given and a file %N.%S exists in the current directory, the first format is used; otherwise, the second format is used.

Type: null or string

Default: null

Example: ../html%S/%N.%S.html

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.settings.output.paper

This option is for generating PostScript and PDF output. The paper size name may be one of a3, a4, a5, legal, or letter. You may also manually specify dimensions as NNxNN, width by height in millimetres. If an unknown value is encountered, letter is used. Output pages default to letter sized and are rendered in the Times font family, 11-point. Margins are calculated as 1/9 the page length and width. Line-height is 1.4m.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.settings.output.style

Path to the file used for an external style-sheet. This must be a valid absolute or relative URI.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.settings.output.toc

Whether to enable printing a table of contents near the beginning of the HTML output of mandoc(1) if an input file contains at least two non-standard sections .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.man.mandoc.settings.output.width

The ASCII and UTF-8 output width, default is 78. When output is a pager on a terminal that is less than 79 columns wide, the default is reduced to one less than the terminal width. In any case, lines that are output in literal mode are never wrapped and may exceed the output width.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/misc/mandoc.nix>
documentation.nixos.enable

Whether to install NixOS’s own documentation.

  • This includes man pages like configuration.nix(5) if documentation.man.enable is set.

  • This includes the HTML manual and the nixos-help command if documentation.doc.enable is set.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/misc/documentation.nix>
documentation.nixos.extraModuleSources

Which extra NixOS module paths the generated NixOS’s documentation should strip from options.

Type: list of (path or string)

Default: [ ]

Example:

# e.g. with options from modules in ${pkgs.customModules}/nix:
[ pkgs.customModules ]

Declared by:

<nixpkgs/nixos/modules/misc/documentation.nix>
documentation.nixos.extraModules

Modules for which to show options even when not imported.

Type: list of raw value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/misc/documentation.nix>
documentation.nixos.includeAllModules

Whether the generated NixOS’s documentation should include documentation for all the options from all the NixOS modules included in the current configuration.nix. Disabling this will make the manual generator to ignore options defined outside of baseModules.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/misc/documentation.nix>
documentation.nixos.options.splitBuild

Whether to split the option docs build into a cacheable and an uncacheable part. Splitting the build can substantially decrease the amount of time needed to build the manual, but some user modules may be incompatible with this splitting.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/misc/documentation.nix>
documentation.nixos.options.warningsAreErrors

Treat warning emitted during the option documentation build (eg for missing option descriptions) as errors.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/misc/documentation.nix>
ec2.zfs.datasets

Datasets to create under the tank and boot zpools.

NOTE: This option is used only at image creation time, and does not attempt to declaratively create or manage datasets on an existing system.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/amazon-options.nix>
ec2.zfs.datasets.<name>.mount

Where to mount this dataset.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/virtualisation/amazon-options.nix>
ec2.zfs.datasets.<name>.properties

Properties to set on this dataset.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/amazon-options.nix>
environment.enableAllTerminfo

Whether to install all terminfo outputs

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/terminfo.nix>
environment.enableDebugInfo

Some NixOS packages provide debug symbols. However, these are not included in the system closure by default to save disk space. Enabling this option causes the debug symbols to appear in /run/current-system/sw/lib/debug/.build-id, where tools such as gdb can find them. If you need debug symbols for a package that doesn’t provide them by default, you can enable them as follows:

nixpkgs.config.packageOverrides = pkgs: {
  hello = pkgs.hello.overrideAttrs (oldAttrs: {
    separateDebugInfo = true;
  });
};

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/debug-info.nix>
environment.budgie.excludePackages

Which packages Budgie should exclude from the default environment.

Type: list of package

Default: [ ]

Example: [ pkgs.mate-terminal ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/budgie.nix>
environment.checkConfigurationOptions

Alias of _module.check.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/rename.nix>
environment.cinnamon.excludePackages

Which packages cinnamon should exclude from the default environment

Type: list of package

Default: [ ]

Example: [ pkgs.blueman ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix>
environment.deepin.excludePackages

List of default packages to exclude from the configuration

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/deepin.nix>
environment.defaultPackages

Set of default packages that aren’t strictly necessary for a running system, entries can be removed for a more minimal NixOS installation.

Like with systemPackages, packages are installed to /run/current-system/sw. They are automatically available to all users, and are automatically updated every time you rebuild the system configuration.

Type: list of package

Default: these packages, with their meta.priority numerically increased (thus lowering their installation priority):

[ pkgs.perl pkgs.rsync pkgs.strace ]

Example: [ ]

Declared by:

<nixpkgs/nixos/modules/config/system-path.nix>
environment.etc

Set of files that have to be linked in /etc.

Type: attribute set of (submodule)

Default: { }

Example:

{ example-configuration-file =
    { source = "/nix/store/.../etc/dir/file.conf.example";
      mode = "0440";
    };
  "default/useradd".text = "GROUP=100 ...";
}

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.enable

Whether this /etc file should be generated. This option allows specific /etc files to be disabled.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.gid

GID of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’).

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.group

Group name of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’). Changing this option takes precedence over gid.

Type: string

Default: "+0"

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.mode

If set to something else than symlink, the file is copied instead of symlinked, with the given file mode.

Type: string

Default: "symlink"

Example: "0600"

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.source

Path of the source file.

Type: path

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.target

Name of symlink (relative to /etc). Defaults to the attribute name.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.text

Text of the file.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.uid

UID of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’).

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.etc.<name>.user

User name of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’). Changing this option takes precedence over uid.

Type: string

Default: "+0"

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
environment.extraInit

Shell script code called during global environment initialisation after all variables and profileVariables have been set. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.extraOutputsToInstall

Entries listed here will be appended to the meta.outputsToInstall attribute for each package in environment.systemPackages, and the files from the corresponding derivation outputs symlinked into /run/current-system/sw.

For example, this can be used to install the dev and info outputs for all packages in the system environment, if they are available.

To use specific outputs instead of configuring them globally, select the corresponding attribute on the package derivation, e.g. libxml2.dev or coreutils.info.

Type: list of string

Default: [ ]

Example:

[
  "dev"
  "info"
]

Declared by:

<nixpkgs/nixos/modules/config/system-path.nix>
environment.extraSetup

Shell fragments to be run after the system environment has been created. This should only be used for things that need to modify the internals of the environment, e.g. generating MIME caches. The environment being built can be accessed at $out.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/system-path.nix>
environment.freetds

Configure freetds database entries. Each attribute denotes a section within freetds.conf, and the value (a string) is the config content for that section. When at least one entry is configured the global environment variables FREETDSCONF, FREETDS and SYBASE will be configured to allow the programs that use freetds to find the library and config.

Type: attribute set of string

Default: { }

Example:

{ MYDATABASE = ''
    host = 10.0.2.100
    port = 1433
    tds version = 7.2
  '';
}

Declared by:

<nixpkgs/nixos/modules/programs/freetds.nix>
environment.gnome.excludePackages

Which packages gnome should exclude from the default environment

Type: list of package

Default: [ ]

Example: [ pkgs.totem ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
environment.homeBinInPath

Include ~/bin/ in $PATH.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.interactiveShellInit

Shell script code called during interactive shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.ldso

The executable to link into the normal FHS location of the ELF loader.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/config/ldso.nix>
environment.ldso32

The executable to link into the normal FHS location of the 32-bit ELF loader.

This currently only works on x86_64 architectures.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/config/ldso.nix>
environment.localBinInPath

Add ~/.local/bin/ to $PATH

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.loginShellInit

Shell script code called during login shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.lxqt.excludePackages

Which LXQt packages to exclude from the default environment

Type: list of package

Default: [ ]

Example: [ pkgs.lxqt.qterminal ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/lxqt.nix>
environment.mate.excludePackages

Which MATE packages to exclude from the default environment

Type: list of package

Default: [ ]

Example: [ pkgs.mate.mate-terminal pkgs.mate.pluma ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix>
environment.memoryAllocator.provider

The system-wide memory allocator.

Briefly, the system-wide memory allocator providers are:

  • libc: the standard allocator provided by libc

  • graphene-hardened: Hardened memory allocator coming from GrapheneOS project. The default configuration template has all normal optional security features enabled and is quite aggressive in terms of sacrificing performance and memory usage for security.

  • graphene-hardened-light: Hardened memory allocator coming from GrapheneOS project. The light configuration template disables the slab quarantines, write after free check, slot randomization and raises the guard slab interval from 1 to 8 but leaves zero-on-free and slab canaries enabled. The light configuration has solid performance and memory usage while still being far more secure than mainstream allocators with much better security properties.

  • jemalloc: A general purpose allocator that emphasizes fragmentation avoidance and scalable concurrency support.

  • mimalloc: A compact and fast general purpose allocator, which may optionally be built with mitigations against various heap vulnerabilities.

  • scudo: A user-mode allocator based on LLVM Sanitizer’s CombinedAllocator, which aims at providing additional mitigations against heap based vulnerabilities, while maintaining good performance.

Warning

Selecting an alternative allocator (i.e., anything other than libc) may result in instability, data loss, and/or service failure.

Type: one of “libc”, “graphene-hardened”, “graphene-hardened-light”, “jemalloc”, “mimalloc”, “scudo”

Default: "libc"

Declared by:

<nixpkgs/nixos/modules/config/malloc.nix>
environment.pantheon.excludePackages

Which packages pantheon should exclude from the default environment

Type: list of package

Default: [ ]

Example: [ pkgs.pantheon.elementary-camera ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix>
environment.pathsToLink

List of directories to be symlinked in /run/current-system/sw.

Type: list of string

Default: [ ]

Example:

[
  "/"
]

Declared by:

<nixpkgs/nixos/modules/config/system-path.nix>
environment.plasma5.excludePackages

List of default packages to exclude from the configuration

Type: list of package

Default: [ ]

Example: [ pkgs.plasma5Packages.oxygen ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix>
environment.plasma6.excludePackages

List of default packages to exclude from the configuration

Type: list of package

Default: [ ]

Example: [ pkgs.kdePackages.elisa ]

Declared by:

<nixpkgs/nixos/modules/services/desktop-managers/plasma6.nix>
environment.profileRelativeEnvVars

Attribute set of environment variable. Each attribute maps to a list of relative paths. Each relative path is appended to the each profile of environment.profiles to form the content of the corresponding environment variable.

Type: attribute set of list of string

Example:

{
  MANPATH = [
    "/man"
    "/share/man"
  ];
  PATH = [
    "/bin"
  ];
}

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.profileRelativeSessionVariables

Attribute set of environment variable used in the global environment. These variables will be set by PAM early in the login process.

Variable substitution is available as described in pam_env.conf(5).

Each attribute maps to a list of relative paths. Each relative path is appended to the each profile of environment.profiles to form the content of the corresponding environment variable.

Also, these variables are merged into environment.profileRelativeEnvVars and it is therefore not possible to use PAM style variables such as @{HOME}.

Type: attribute set of list of string

Example:

{
  MANPATH = [
    "/man"
    "/share/man"
  ];
  PATH = [
    "/bin"
  ];
}

Declared by:

<nixpkgs/nixos/modules/config/system-environment.nix>
environment.profiles

A list of profiles used to setup the global environment.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.sessionVariables

A set of environment variables used in the global environment. These variables will be set by PAM early in the login process.

The value of each session variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.

Note, due to limitations in the PAM format values may not contain the " character.

Also, these variables are merged into environment.variables and it is therefore not possible to use PAM style variables such as @{HOME}.

Type: attribute set of ((list of (signed integer or string or path)) or signed integer or string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/config/system-environment.nix>
environment.shellAliases

An attribute set that maps aliases (the top level attribute names in this option) to command strings or directly to build outputs. The aliases are added to all users’ shells. Aliases mapped to null are ignored.

Type: attribute set of (null or string or path)

Example:

{
  l = null;
  ll = "ls -l";
}

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.shellInit

Shell script code called during shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.shells

A list of permissible login shells for user accounts. No need to mention /bin/sh here, it is placed into this list implicitly.

Type: list of (package or path)

Default: [ ]

Example: [ pkgs.bashInteractive pkgs.zsh ]

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.stub-ld.enable

Install a stub ELF loader to print an informative error message in the event that a user attempts to run an ELF binary not compiled for NixOS.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/config/stub-ld.nix>
environment.systemPackages

The set of packages that appear in /run/current-system/sw. These packages are automatically available to all users, and are automatically updated every time you rebuild the system configuration. (The latter is the main difference with installing them in the default profile, /nix/var/nix/profiles/default.

Type: list of package

Default: [ ]

Example: [ pkgs.firefox pkgs.thunderbird ]

Declared by:

<nixpkgs/nixos/modules/config/system-path.nix>
environment.unixODBCDrivers

Specifies Unix ODBC drivers to be registered in /etc/odbcinst.ini. You may also want to add pkgs.unixODBC to the system path to get a command line client to connect to ODBC databases.

Type: list of package

Default: [ ]

Example: with pkgs.unixODBCDrivers; [ sqlite psql ]

Declared by:

<nixpkgs/nixos/modules/config/unix-odbc-drivers.nix>
environment.variables

A set of environment variables used in the global environment. These variables will be set on shell initialisation (e.g. in /etc/profile). The value of each variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.

Type: attribute set of ((list of (signed integer or string or path)) or signed integer or string or path)

Default: { }

Example:

{
  EDITOR = "nvim";
  VISUAL = "nvim";
}

Declared by:

<nixpkgs/nixos/modules/config/shells-environment.nix>
environment.wordlist.enable

Whether to enable environment variables for lists of words.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/misc/wordlist.nix>
environment.wordlist.lists

A set with the key names being the environment variable you’d like to set and the values being a list of paths to text documents containing lists of words. The various files will be merged, sorted, duplicates removed, and extraneous spacing removed.

If you have a handful of words that you want to add to an already existing wordlist, you may find builtins.toFile useful for this task.

Type: attribute set of non-empty (list of path)

Default:

{
  WORDLIST = [ "${pkgs.scowl}/share/dict/words.txt" ];
}

Example:

{
  WORDLIST = [ "${pkgs.scowl}/share/dict/words.txt" ];
  AUGMENTED_WORDLIST = [
    "${pkgs.scowl}/share/dict/words.txt"
    "${pkgs.scowl}/share/dict/words.variants.txt"
    (builtins.toFile "extra-words" ''
      desynchonization
      oobleck'')
  ];
}

Declared by:

<nixpkgs/nixos/modules/misc/wordlist.nix>
environment.wvdial.dialerDefaults

Contents of the “Dialer Defaults” section of <filename>/etc/wvdial.conf</filename>.

Type: string

Default: ""

Example: "Init1 = AT+CGDCONT=1,\"IP\",\"internet.t-mobile\""

Declared by:

<nixpkgs/nixos/modules/services/networking/wvdial.nix>
environment.wvdial.pppDefaults

Default ppp settings for wvdial.

Type: string

Default:

''
  noipdefault
  usepeerdns
  defaultroute
  persist
  noauth
''

Declared by:

<nixpkgs/nixos/modules/services/networking/wvdial.nix>
environment.xfce.excludePackages

Which packages XFCE should exclude from the default environment

Type: list of package

Default: [ ]

Example: [ pkgs.xfce.xfce4-volumed-pulse ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix>
fileSystems

The file systems to be mounted. It must include an entry for the root directory (mountPoint = "/"). Each entry in the list is an attribute set with the following fields: mountPoint, device, fsType (a file system type recognised by mount; defaults to "auto"), and options (the mount options passed to mount using the -o flag; defaults to [ "defaults" ]).

Instead of specifying device, you can also specify a volume label (label) for file systems that support it, such as ext2/ext3 (see mke2fs -L).

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/".device = "/dev/hda1";
  "/data" = {
    device = "/dev/hda2";
    fsType = "ext3";
    options = [ "data=journal" ];
  };
  "/bigdisk".label = "bigdisk";
}

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/overlayfs.nix>
<nixpkgs/nixos/modules/tasks/filesystems.nix>
<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
<nixpkgs/nixos/modules/system/boot/stage-1.nix>
fileSystems.<name>.autoFormat

If the device does not currently contain a filesystem (as determined by blkid), then automatically format it with the filesystem type specified in fsType. Use with caution.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.autoResize

If set, the filesystem is grown to its maximum size before being mounted. (This is typically the size of the containing partition.) This is currently only supported for ext2/3/4 filesystems that are mounted during early boot.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.depends

List of paths that should be mounted before this one. This filesystem’s device and mountPoint are always checked and do not need to be included explicitly. If a path is added to this list, any other filesystem whose mount point is a parent of the path will be mounted before this filesystem. The paths do not need to actually be the mountPoint of some other filesystem.

Type: list of string (with check: non-empty without trailing slash)

Default: [ ]

Example:

[
  "/persist"
]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.device

Location of the device.

Type: null or string (with check: non-empty)

Default: null

Example: "/dev/sda"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.encrypted.enable

The block device is backed by an encrypted one, adds this device as a initrd luks entry.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
fileSystems.<name>.encrypted.blkDev

Location of the backing encrypted device.

Type: null or string

Default: null

Example: "/dev/sda1"

Declared by:

<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
fileSystems.<name>.encrypted.keyFile

Path to a keyfile used to unlock the backing encrypted device. When systemd stage 1 is not enabled, at the time this keyfile is accessed, the neededForBoot filesystems (see utils.fsNeededForBoot) will have been mounted under /mnt-root, so the keyfile path should usually start with “/mnt-root/”. When systemd stage 1 is enabled, fsNeededForBoot file systems will be mounted as needed under /sysroot, and the keyfile will not be accessed until its requisite mounts are done.

Type: null or string

Default: null

Example: "/mnt-root/root/.swapkey"

Declared by:

<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
fileSystems.<name>.encrypted.label

Label of the unlocked encrypted device. Set fileSystems.<name?>.device to /dev/mapper/<label> to mount the unlocked device.

Type: null or string

Default: null

Example: "rootfs"

Declared by:

<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
fileSystems.<name>.fsType

Type of the file system.

Type: string (with check: non-empty)

Default: "auto"

Example: "ext3"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.label

Label of the device (if any).

Type: null or string (with check: non-empty)

Default: null

Example: "root-partition"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.mountPoint

Location of the mounted file system.

Type: string (with check: non-empty without trailing slash)

Example: "/mnt/usb"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.neededForBoot

If set, this file system will be mounted in the initial ramdisk. Note that the file system will always be mounted in the initial ramdisk if its mount point is one of the following: /, /nix, /nix/store, /var, /var/log, /var/lib, /var/lib/nixos, /etc, /usr.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
fileSystems.<name>.noCheck

Disable running fsck on this filesystem.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.options

Options used to mount the file system.

Type: non-empty (list of string (with check: non-empty))

Default:

[
  "defaults"
]

Example:

[
  "data=journal"
]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fileSystems.<name>.overlay.lowerdir

The list of path(s) to the lowerdir(s).

To create a writable overlay, you MUST provide an upperdir and a workdir.

You can create a read-only overlay when you provide multiple (at least 2!) lowerdirs and neither an upperdir nor a workdir.

Type: null or (non-empty (list of (string or path in the Nix store)))

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/overlayfs.nix>
fileSystems.<name>.overlay.upperdir

The path to the upperdir.

If this is null, a read-only overlay is created using the lowerdir.

If you set this to some value you MUST also set workdir.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/overlayfs.nix>
fileSystems.<name>.overlay.workdir

The path to the workdir.

This MUST be set if you set upperdir.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/overlayfs.nix>
fileSystems.<name>.stratis.poolUuid

UUID of the stratis pool that the fs is located in

Type: null or string

Default: null

Example: "04c68063-90a5-4235-b9dd-6180098a20d9"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
fonts.enableDefaultPackages

Enable a basic set of fonts providing several styles and families and reasonable coverage of Unicode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/fonts/packages.nix>
fonts.enableGhostscriptFonts

Whether to add the fonts provided by Ghostscript (such as various URW fonts and the “Base-14” Postscript fonts) to the list of system fonts, making them available to X11 applications.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/fonts/ghostscript.nix>
fonts.packages

List of primary font packages.

Type: list of path

Default: [ ]

Example: [ pkgs.dejavu_fonts ]

Declared by:

<nixpkgs/nixos/modules/config/fonts/packages.nix>
fonts.fontDir.enable

Whether to create a directory with links to all fonts in /run/current-system/sw/share/X11/fonts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontdir.nix>
fonts.fontDir.decompressFonts

Whether to decompress fonts in /run/current-system/sw/share/X11/fonts.

Type: boolean

Default: config.programs.xwayland.enable

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontdir.nix>
fonts.fontconfig.enable

If enabled, a Fontconfig configuration file will be built pointing to a set of default fonts. If you don’t care about running X11 applications or any other program that uses Fontconfig, you can turn this option off and prevent a dependency on all those fonts.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.allowBitmaps

Allow bitmap fonts. Set to false to ban all bitmap fonts.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.allowType1

Allow Type-1 fonts. Default is false because of poor rendering.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.antialias

Enable font antialiasing. At high resolution (> 200 DPI), antialiasing has no visible effect; users of such displays may want to disable this option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.cache32Bit

Generate system fonts cache for 32-bit applications.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.defaultFonts.emoji

System-wide default emoji font(s). Multiple fonts may be listed in case a font does not support all emoji.

Note that fontconfig matches color emoji fonts preferentially, so if you want to use a black and white font while having a color font installed (eg. Noto Color Emoji installed alongside Noto Emoji), fontconfig will still choose the color font even when it is later in the list.

Type: list of string

Default:

[
  "Noto Color Emoji"
]

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.defaultFonts.monospace

System-wide default monospace font(s). Multiple fonts may be listed in case multiple languages must be supported.

Type: list of string

Default:

[
  "DejaVu Sans Mono"
]

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.defaultFonts.sansSerif

System-wide default sans serif font(s). Multiple fonts may be listed in case multiple languages must be supported.

Type: list of string

Default:

[
  "DejaVu Sans"
]

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.defaultFonts.serif

System-wide default serif font(s). Multiple fonts may be listed in case multiple languages must be supported.

Type: list of string

Default:

[
  "DejaVu Serif"
]

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.hinting.enable

Enable font hinting. Hinting aligns glyphs to pixel boundaries to improve rendering sharpness at low resolution. At high resolution (> 200 dpi) hinting will do nothing (at best); users of such displays may want to disable this option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.hinting.autohint

Enable the autohinter in place of the default interpreter. The results are usually lower quality than correctly-hinted fonts, but better than unhinted fonts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.hinting.style

Hintstyle is the amount of font reshaping done to line up to the grid.

slight will make the font more fuzzy to line up to the grid but will be better in retaining font shape, while full will be a crisp font that aligns well to the pixel grid but will lose a greater amount of font shape.

Type: one of “none”, “slight”, “medium”, “full”

Default: "slight"

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.includeUserConf

Include the user configuration from ~/.config/fontconfig/fonts.conf or ~/.config/fontconfig/conf.d.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.localConf

System-wide customization file contents, has higher priority than defaultFonts settings.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.subpixel.lcdfilter

FreeType LCD filter. At high resolution (> 200 DPI), LCD filtering has no visible effect; users of such displays may want to select none.

Type: one of “none”, “default”, “light”, “legacy”

Default: "default"

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.subpixel.rgba

Subpixel order. The overwhelming majority of displays are rgb in their normal orientation. Select vrgb for mounting such a display 90 degrees clockwise from its normal orientation or vbgr for mounting 90 degrees counter-clockwise. Select bgr in the unlikely event of mounting 180 degrees from the normal orientation. Reverse these directions in the improbable event that the display’s native subpixel order is bgr.

Type: one of “rgb”, “bgr”, “vrgb”, “vbgr”, “none”

Default: "none"

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
fonts.fontconfig.useEmbeddedBitmaps

Use embedded bitmaps in fonts like Calibri.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/fonts/fontconfig.nix>
gtk.iconCache.enable

Whether to build icon theme caches for GTK applications.

Type: boolean

Default: config.services.xserver.enable

Declared by:

<nixpkgs/nixos/modules/config/gtk/gtk-icon-cache.nix>
hardware.enableAllFirmware

Whether to enable all firmware regardless of license.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/all-firmware.nix>
hardware.enableAllHardware

Whether to enable Enable support for most hardware.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/all-hardware.nix>
hardware.enableRedistributableFirmware

Whether to enable firmware with a license allowing redistribution.

Type: boolean

Default: config.hardware.enableAllFirmware

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/all-firmware.nix>
hardware.acpilight.enable

Enable acpilight. This will allow brightness control via xbacklight from users in the video group

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/acpilight.nix>
hardware.alsa.enablePersistence

Whether to enable ALSA sound card state saving on shutdown. This is generally not necessary if you’re using an external sound server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/alsa.nix>
hardware.amdgpu.amdvlk.enable

Whether to enable AMDVLK Vulkan driver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/amdvlk.nix>
hardware.amdgpu.amdvlk.package

The amdvlk package to use.

Type: package

Default: pkgs.amdvlk

Declared by:

<nixpkgs/nixos/modules/services/hardware/amdvlk.nix>
hardware.amdgpu.amdvlk.settings

Runtime settings for AMDVLK to be configured /etc/amd/amdVulkanSettings.cfg. See AMDVLK GitHub page.

Type: attribute set of (string or signed integer)

Default: { }

Example:

{
  AllowVkPipelineCachingToDisk = 1;
  EnableVmAlwaysValid = 1;
  IFH = 0;
  IdleAfterSubmitGpuMask = 1;
  ShaderCacheMode = 1;
}

Declared by:

<nixpkgs/nixos/modules/services/hardware/amdvlk.nix>
hardware.amdgpu.amdvlk.support32Bit.enable

Whether to enable 32-bit driver support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/amdvlk.nix>
hardware.amdgpu.amdvlk.support32Bit.package

The amdvlk package to use.

Type: package

Default: pkgs.driversi686Linux.amdvlk

Declared by:

<nixpkgs/nixos/modules/services/hardware/amdvlk.nix>
hardware.amdgpu.amdvlk.supportExperimental.enable

Whether to enable Experimental features support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/amdvlk.nix>
hardware.amdgpu.initrd.enable

Whether to enable loading amdgpu kernelModule in stage 1. Can fix lower resolution in boot screen during initramfs phase .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/amdgpu.nix>
hardware.amdgpu.legacySupport.enable

Whether to enable using amdgpu kernel driver instead of radeon for Southern Islands (Radeon HD 7000) series and Sea Islands (Radeon HD 8000) series cards. Note: this removes support for analog video outputs, which is only available in the radeon driver .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/amdgpu.nix>
hardware.amdgpu.opencl.enable

Whether to enable OpenCL support using ROCM runtime library.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/amdgpu.nix>
hardware.apple.touchBar.enable

Whether to enable support for the Touch Bar on some Apple laptops using tiny-dfr.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/apple-touchbar.nix>
hardware.apple.touchBar.package

The tiny-dfr package to use.

Type: package

Default: pkgs.tiny-dfr

Declared by:

<nixpkgs/nixos/modules/hardware/apple-touchbar.nix>
hardware.apple.touchBar.settings

Configuration for tiny-dfr. See example configuration for available options.

Type: TOML value

Default: { }

Example:

{
  MediaLayerDefault = true;
  ShowButtonOutlines = false;
  EnablePixelShift = true;
}

Declared by:

<nixpkgs/nixos/modules/hardware/apple-touchbar.nix>
hardware.bladeRF.enable

Enables udev rules for BladeRF devices. By default grants access to users in the “bladerf” group. You may want to install the libbladeRF package.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/bladeRF.nix>
hardware.bluetooth.enable

Whether to enable support for Bluetooth.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
hardware.bluetooth.package

The bluez package to use.

Type: package

Default: pkgs.bluez

Declared by:

<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
hardware.bluetooth.disabledPlugins

Built-in plugins to disable

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
hardware.bluetooth.hsphfpd.enable

Whether to enable support for hsphfpd[-prototype] implementation.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
hardware.bluetooth.input

Set configuration for the input service (/etc/bluetooth/input.conf). See https://github.com/bluez/bluez/blob/master/profiles/input/input.conf for full list of options.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  General = {
    ClassicBondedOnly = true;
    IdleTimeout = 30;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
hardware.bluetooth.network

Set configuration for the network service (/etc/bluetooth/network.conf). See https://github.com/bluez/bluez/blob/master/profiles/network/network.conf for full list of options.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  General = {
    DisableSecurity = true;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
hardware.bluetooth.powerOnBoot

Whether to power up the default Bluetooth controller on boot.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
hardware.bluetooth.settings

Set configuration for system-wide bluetooth (/etc/bluetooth/main.conf). See https://github.com/bluez/bluez/blob/master/src/main.conf for full list of options.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  General = {
    ControllerMode = "bredr";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/hardware/bluetooth.nix>
hardware.brillo.enable

Whether to enable brillo in userspace. This will allow brightness control from users in the video group .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/brillo.nix>
hardware.bumblebee.enable

Enable the bumblebee daemon to manage Optimus hybrid video cards. This should power off secondary GPU until its use is requested by running an application with optirun.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/video/bumblebee.nix>
hardware.bumblebee.connectDisplay

Set to true if you intend to connect your discrete card to a monitor. This option will set up your Nvidia card for EDID discovery and to turn on the monitor signal.

Only nvidia driver is supported so far.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/video/bumblebee.nix>
hardware.bumblebee.driver

Set driver used by bumblebeed. Supported are nouveau and nvidia.

Type: one of “nvidia”, “nouveau”

Default: "nvidia"

Declared by:

<nixpkgs/nixos/modules/hardware/video/bumblebee.nix>
hardware.bumblebee.group

Group for bumblebee socket

Type: string

Default: "wheel"

Example: "video"

Declared by:

<nixpkgs/nixos/modules/hardware/video/bumblebee.nix>
hardware.bumblebee.pmMethod

Set preferred power management method for unused card.

Type: one of “auto”, “bbswitch”, “switcheroo”, “none”

Default: "auto"

Declared by:

<nixpkgs/nixos/modules/hardware/video/bumblebee.nix>
hardware.ckb-next.enable

Whether to enable the Corsair keyboard/mouse driver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/ckb-next.nix>
hardware.ckb-next.package

The ckb-next package to use.

Type: package

Default: pkgs.ckb-next

Declared by:

<nixpkgs/nixos/modules/hardware/ckb-next.nix>
hardware.ckb-next.gid

Limit access to the ckb daemon to a particular group.

Type: null or signed integer

Default: null

Example: 100

Declared by:

<nixpkgs/nixos/modules/hardware/ckb-next.nix>
hardware.coral.pcie.enable

Whether to enable Coral PCIe support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/coral.nix>
hardware.coral.usb.enable

Whether to enable Coral USB support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/coral.nix>
hardware.cpu.amd.ryzen-smu.enable

Whether to enable ryzen_smu, a linux kernel driver that exposes access to the SMU (System Management Unit) for certain AMD Ryzen Processors.

WARNING: Damage cause by use of your AMD processor outside of official AMD specifications or outside of factory settings are not covered under any AMD product warranty and may not be covered by your board or system manufacturer’s warranty .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/amd-ryzen-smu.nix>
hardware.cpu.amd.sev.enable

Whether to enable access to the AMD SEV device.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/amd-sev.nix>
hardware.cpu.amd.sev.group

Group to assign to the SEV device.

Type: string

Default: "sev"

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/amd-sev.nix>
hardware.cpu.amd.sev.mode

Mode to set for the SEV device.

Type: string

Default: "0660"

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/amd-sev.nix>
hardware.cpu.amd.sev.user

Owner to assign to the SEV device.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/amd-sev.nix>
hardware.cpu.amd.sevGuest.enable

Whether to enable access to the AMD SEV guest device.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/amd-sev.nix>
hardware.cpu.amd.sevGuest.group

Group to assign to the SEV guest device.

Type: string

Default: "sev-guest"

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/amd-sev.nix>
hardware.cpu.amd.sevGuest.mode

Mode to set for the SEV guest device.

Type: string

Default: "0660"

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/amd-sev.nix>
hardware.cpu.amd.sevGuest.user

Owner to assign to the SEV guest device.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/amd-sev.nix>
hardware.cpu.amd.updateMicrocode

Update the CPU microcode for AMD processors.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/amd-microcode.nix>
hardware.cpu.intel.sgx.enableDcapCompat

Whether to enable backward compatibility for SGX software build for the out-of-tree Intel SGX DCAP driver.

Creates symbolic links for the SGX devices /dev/sgx_enclave and /dev/sgx_provision to make them available as /dev/sgx/enclave and /dev/sgx/provision, respectively.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/intel-sgx.nix>
hardware.cpu.intel.sgx.provision.enable

Whether to enable access to the Intel SGX provisioning device.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/intel-sgx.nix>
hardware.cpu.intel.sgx.provision.group

Group to assign to the SGX provisioning device.

Type: string

Default: "sgx_prv"

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/intel-sgx.nix>
hardware.cpu.intel.sgx.provision.mode

Mode to set for the SGX provisioning device.

Type: string

Default: "0660"

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/intel-sgx.nix>
hardware.cpu.intel.sgx.provision.user

Owner to assign to the SGX provisioning device.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/intel-sgx.nix>
hardware.cpu.intel.updateMicrocode

Update the CPU microcode for Intel processors.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/intel-microcode.nix>
hardware.cpu.x86.msr.enable

Whether to enable the msr (Model-Specific Registers) kernel module and configure udev rules for its devices (usually /dev/cpu/*/msr).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/x86-msr.nix>
hardware.cpu.x86.msr.group

Group to set for devices of the msr kernel subsystem.

Type: string

Default: "msr"

Example: "nobody"

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/x86-msr.nix>
hardware.cpu.x86.msr.mode

Mode to set for devices of the msr kernel subsystem.

Type: string

Default: "0640"

Example: "0660"

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/x86-msr.nix>
hardware.cpu.x86.msr.owner

Owner to set for devices of the msr kernel subsystem.

Type: string

Default: "root"

Example: "nobody"

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/x86-msr.nix>
hardware.cpu.x86.msr.settings

Parameters for the msr kernel module.

Type: attribute set of (boolean or signed integer or string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/x86-msr.nix>
hardware.cpu.x86.msr.settings.allow-writes

Whether to allow writes to MSRs ("on") or not ("off").

Type: null or one of “on”, “off”

Default: null

Declared by:

<nixpkgs/nixos/modules/hardware/cpu/x86-msr.nix>
hardware.decklink.enable

Whether to enable hardware support for the Blackmagic Design Decklink audio/video interfaces.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/decklink.nix>
hardware.deviceTree.enable

Build device tree files. These are used to describe the non-discoverable hardware of a system.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/device-tree.nix>
hardware.deviceTree.dtbSource

Path to dtb directory that overlays and other processing will be applied to. Uses device trees bundled with the Linux kernel by default.

Type: path

Default: ${cfg.kernelPackage}/dtbs

Declared by:

<nixpkgs/nixos/modules/hardware/device-tree.nix>
hardware.deviceTree.dtboBuildExtraIncludePaths

Additional include paths that will be passed to the preprocessor when creating the final .dts to compile into .dtbo

Type: list of path

Default: [ ]

Example:

[
  ./my_custom_include_dir_1
  ./custom_include_dir_2
]

Declared by:

<nixpkgs/nixos/modules/hardware/device-tree.nix>
hardware.deviceTree.dtboBuildExtraPreprocessorFlags

Additional flags to pass to the preprocessor during dtbo compilations

Type: list of string

Default: [ ]

Example: [ "-DMY_DTB_DEFINE" ]

Declared by:

<nixpkgs/nixos/modules/hardware/device-tree.nix>
hardware.deviceTree.filter

Only include .dtb files matching glob expression.

Type: null or string

Default: null

Example: "*rpi*.dtb"

Declared by:

<nixpkgs/nixos/modules/hardware/device-tree.nix>
hardware.deviceTree.kernelPackage

Kernel package where device tree include directory is from. Also used as default source of dtb package to apply overlays to

Type: path

Default: config.boot.kernelPackages.kernel

Example: pkgs.linux_latest

Declared by:

<nixpkgs/nixos/modules/hardware/device-tree.nix>
hardware.deviceTree.name

The name of an explicit dtb to be loaded, relative to the dtb base. Useful in extlinux scenarios if the bootloader doesn’t pick the right .dtb file from FDTDIR.

Type: null or string

Default: null

Example: "some-dtb.dtb"

Declared by:

<nixpkgs/nixos/modules/hardware/device-tree.nix>
hardware.deviceTree.overlays

List of overlays to apply to base device-tree (.dtb) files.

Type: list of ((submodule) or path convertible to it)

Default: [ ]

Example:

[
  { name = "pps"; dtsFile = ./dts/pps.dts; }
  { name = "spi";
    dtsText = "...";
  }
  { name = "precompiled"; dtboFile = ./dtbos/example.dtbo; }
]

Declared by:

<nixpkgs/nixos/modules/hardware/device-tree.nix>
hardware.deviceTree.overlays.*.dtboFile

Path to .dtbo compiled overlay file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/hardware/device-tree.nix>
hardware.deviceTree.overlays.*.dtsFile

Path to .dts overlay file, overlay is applied to each .dtb file matching “compatible” of the overlay.

Type: null or path

Default: null

Example: ./dts/overlays.dts

Declared by:

<nixpkgs/nixos/modules/hardware/device-tree.nix>
hardware.deviceTree.overlays.*.dtsText

Literal DTS contents, overlay is applied to each .dtb file matching “compatible” of the overlay.

Type: null or string

Default: null

Example:

''
  /dts-v1/;
  /plugin/;
  / {
          compatible = "raspberrypi";
  };
  &{/soc} {
          pps {
                  compatible = "pps-gpio";
                  status = "okay";
          };
  };
''

Declared by:

<nixpkgs/nixos/modules/hardware/device-tree.nix>
hardware.deviceTree.overlays.*.filter

Only apply to .dtb files matching glob expression.

Type: null or string

Default: null

Example: "*rpi*.dtb"

Declared by:

<nixpkgs/nixos/modules/hardware/device-tree.nix>
hardware.deviceTree.overlays.*.name

Name of this overlay

Type: string

Declared by:

<nixpkgs/nixos/modules/hardware/device-tree.nix>
hardware.digitalbitbox.enable

Enables udev rules for Digital Bitbox devices.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/digitalbitbox.nix>
hardware.digitalbitbox.package

The digitalbitbox package to use. This can be used to install a package with udev rules that differ from the defaults.

Type: package

Default: pkgs.digitalbitbox

Declared by:

<nixpkgs/nixos/modules/hardware/digitalbitbox.nix>
hardware.display.edid.enable

Enables handling of EDID files

Type: boolean

Default: config.hardware.display.edid.packages != null

Declared by:

<nixpkgs/nixos/modules/services/hardware/display.nix>
hardware.display.edid.packages

List of packages containing EDID binary files at $out/lib/firmware/edid. Such files will be available for use in drm.edid_firmware kernel parameter as edid/<filename>.

You can craft one directly here or use sibling options linuxhw and modelines.

Type: list of package

Default: [ ]

Example:

[
  (pkgs.runCommand "edid-custom" {} ''
    mkdir -p "$out/lib/firmware/edid"
    base64 -d > "$out/lib/firmware/edid/custom1.bin" <<'EOF'
    <insert your base64 encoded EDID file here `base64 < /sys/class/drm/card0-.../edid`>
    EOF
  '')
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/display.nix>
hardware.display.edid.linuxhw

Exposes EDID files from users-sourced database at https://github.com/linuxhw/EDID

Attribute names will be mapped to EDID filenames <NAME>.bin.

Attribute values are lists of awk regexp patterns that (together) must match exactly one line in either of:

There is no universal way of locating your device config, but here are some practical tips:

  1. locate your device:

  • find your model number (second column)

  • locate manufacturer (first column) and go through the list manually

  1. narrow down results using other columns until there is only one left:

  • Name column

  • production date (Made column)

  • resolution Res

  • screen diagonal (Inch column)

  • as a last resort use ID from the last column

Type: attribute set of list of string

Default: { }

Example:

{
  PG278Q_2014 = [ "PG278Q" "2014" ];
}

Declared by:

<nixpkgs/nixos/modules/services/hardware/display.nix>
hardware.display.edid.modelines

Attribute set of XFree86 Modelines automatically converted and exposed as edid/<name>.bin files in initrd. See for more information:

  • https://en.wikipedia.org/wiki/XFree86_Modeline

Type: attribute set of string

Default: { }

Example:

{
  "PG278Q_60" = "    241.50   2560 2608 2640 2720   1440 1443 1448 1481   -hsync +vsync";
  "PG278Q_120" = "   497.75   2560 2608 2640 2720   1440 1443 1448 1525   +hsync -vsync";
  "U2711_60" = "     241.50   2560 2600 2632 2720   1440 1443 1448 1481   -hsync +vsync";
}

Declared by:

<nixpkgs/nixos/modules/services/hardware/display.nix>
hardware.display.outputs

Hardware/kernel-level configuration of specific outputs.

Type: attribute set of (submodule)

Default: { }

Example:

{
  edid.modelines."PG278Q_60" = "241.50   2560 2608 2640 2720   1440 1443 1448 1481   -hsync +vsync";
  outputs."DP-1".edid = "PG278Q_60.bin";
  outputs."DP-1".mode = "e";
}

Declared by:

<nixpkgs/nixos/modules/services/hardware/display.nix>
hardware.display.outputs.<name>.edid

An EDID filename to be used for configured display, as in edid/<filename>. See for more information:

  • hardware.display.edid.packages

  • https://wiki.archlinux.org/title/Kernel_mode_setting#Forcing_modes_and_EDID

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/display.nix>
hardware.display.outputs.<name>.mode

A video kernel parameter (framebuffer mode) configuration for the specific output:

<xres>x<yres>[M][R][-<bpp>][@<refresh>][i][m][eDd]

See for more information:

  • https://docs.kernel.org/fb/modedb.html

  • https://wiki.archlinux.org/title/Kernel_mode_setting#Forcing_modes

Type: null or string

Default: null

Example:

"e"

Declared by:

<nixpkgs/nixos/modules/services/hardware/display.nix>
hardware.facetimehd.enable

Whether to enable the facetimehd kernel module.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/webcam/facetimehd.nix>
hardware.facetimehd.withCalibration

Whether to include sensor calibration files for facetimehd. This makes colors look much better but is experimental, see https://github.com/patjak/facetimehd/wiki/Extracting-the-sensor-calibration-files for details.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/webcam/facetimehd.nix>
hardware.fancontrol.enable

Whether to enable software fan control (requires fancontrol.config).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/fancontrol.nix>
hardware.fancontrol.config

Required fancontrol configuration file content. See pwmconfig(8) from the lm_sensors package.

Type: strings concatenated with “\n”

Example:

''
  # Configuration file generated by pwmconfig
  INTERVAL=10
  DEVPATH=hwmon3=devices/virtual/thermal/thermal_zone2 hwmon4=devices/platform/f71882fg.656
  DEVNAME=hwmon3=soc_dts1 hwmon4=f71869a
  FCTEMPS=hwmon4/device/pwm1=hwmon3/temp1_input
  FCFANS=hwmon4/device/pwm1=hwmon4/device/fan1_input
  MINTEMP=hwmon4/device/pwm1=35
  MAXTEMP=hwmon4/device/pwm1=65
  MINSTART=hwmon4/device/pwm1=150
  MINSTOP=hwmon4/device/pwm1=0
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/fancontrol.nix>
hardware.firmware

List of packages containing firmware files. Such files will be loaded automatically if the kernel asks for them (i.e., when it has detected specific hardware that requires firmware to function). If multiple packages contain firmware files with the same name, the first package in the list takes precedence. Note that you must rebuild your system if you add files to any of these directories.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
hardware.firmwareCompression

Whether to compress firmware files. Defaults depend on the kernel version. For kernels older than 5.3, firmware files are not compressed. For kernels 5.3 and newer, firmware files are compressed with xz. For kernels 5.19 and newer, firmware files are compressed with zstd.

Type: one of “xz”, “zstd”, “none”

Default: "auto"

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
hardware.flipperzero.enable

Whether to enable udev rules and software for Flipper Zero devices.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/flipperzero.nix>
hardware.flirc.enable

Whether to enable software to configure a Flirc USB device.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/flirc.nix>
hardware.glasgow.enable

Enables Glasgow udev rules and ensures ‘plugdev’ group exists. This is a prerequisite to using Glasgow without being root.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/glasgow.nix>
hardware.gpgSmartcards.enable

Whether to enable udev rules for gnupg smart cards.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/gpgsmartcards.nix>
hardware.graphics.enable

Whether to enable hardware accelerated graphics drivers.

This is required to allow most graphical applications and environments to use hardware rendering, video encode/decode acceleration, etc.

This option should be enabled by default by the corresponding modules, so you do not usually have to set it yourself.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/graphics.nix>
hardware.graphics.enable32Bit

On 64-bit systems, whether to also install 32-bit drivers for 32-bit applications (such as Wine).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/graphics.nix>
hardware.graphics.extraPackages

Additional packages to add to the default graphics driver lookup path. This can be used to add OpenCL drivers, VA-API/VDPAU drivers, etc.

Note

intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver.

Type: list of package

Default: [ ]

Example: with pkgs; [ intel-media-driver intel-ocl intel-vaapi-driver ]

Declared by:

<nixpkgs/nixos/modules/hardware/graphics.nix>
hardware.graphics.extraPackages32

Additional packages to add to 32-bit graphics driver lookup path on 64-bit systems. Used when enable32Bit is set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers, etc.

Note

intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver.

Type: list of package

Default: [ ]

Example: with pkgs.pkgsi686Linux; [ intel-media-driver intel-vaapi-driver ]

Declared by:

<nixpkgs/nixos/modules/hardware/graphics.nix>
hardware.hackrf.enable

Enables hackrf udev rules and ensures ‘plugdev’ group exists. This is a prerequisite to using HackRF devices without being root, since HackRF USB descriptors will be owned by plugdev through udev. Ensure your user is a member of the ‘plugdev’ group after enabling.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/hackrf.nix>
hardware.i2c.enable

Whether to enable i2c devices support. By default access is granted to users in the “i2c” group (will be created if non-existent) and any user with a seat, meaning logged on the computer locally .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/i2c.nix>
hardware.i2c.group

Grant access to i2c devices (/dev/i2c-*) to users in this group.

Type: string

Default: "i2c"

Declared by:

<nixpkgs/nixos/modules/hardware/i2c.nix>
hardware.infiniband.enable

Whether to enable Infiniband support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/infiniband.nix>
hardware.infiniband.guids

A list of infiniband port guids on the system. This is discoverable using ibstat -p

Type: list of string

Default: [ ]

Example:

[
  "0xe8ebd30000eee2e1"
]

Declared by:

<nixpkgs/nixos/modules/hardware/infiniband.nix>
hardware.inputmodule.enable

Whether to enable Support for Framework input modules.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/inputmodule.nix>
hardware.intel-gpu-tools.enable

Whether to enable a setcap wrapper for intel-gpu-tools.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/intel-gpu-tools.nix>
hardware.ipu6.enable

Whether to enable support for Intel IPU6/MIPI cameras.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/webcam/ipu6.nix>
hardware.ipu6.platform

Choose the version for your hardware platform.

Use ipu6 for Tiger Lake, ipu6ep for Alder Lake or Raptor Lake, and ipu6epmtl for Meteor Lake.

Type: one of “ipu6”, “ipu6ep”, “ipu6epmtl”

Declared by:

<nixpkgs/nixos/modules/hardware/video/webcam/ipu6.nix>
hardware.keyboard.qmk.enable

Whether to enable non-root access to the firmware of QMK keyboards.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/keyboard/qmk.nix>
hardware.keyboard.teck.enable

Whether to enable non-root access to the firmware of TECK keyboards.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/keyboard/teck.nix>
hardware.keyboard.uhk.enable

Whether to enable non-root access to the firmware of UHK keyboards. You need it when you want to flash a new firmware on the keyboard. Access to the keyboard is granted to users in the “input” group. You may want to install the uhk-agent package .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/keyboard/uhk.nix>
hardware.keyboard.zsa.enable

Whether to enable udev rules for keyboards from ZSA like the ErgoDox EZ, Planck EZ and Moonlander Mark I. You need it when you want to flash a new configuration on the keyboard or use their live training in the browser. You may want to install the wally-cli package .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/keyboard/zsa.nix>
hardware.ksm.enable

Whether to enable Linux kernel Same-Page Merging.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/ksm.nix>
hardware.ksm.sleep

How many milliseconds ksmd should sleep between scans. Setting it to null uses the kernel’s default time.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/hardware/ksm.nix>
hardware.ledger.enable

Whether to enable udev rules for Ledger devices.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/ledger.nix>
hardware.logitech.lcd.enable

Whether to enable support for Logitech LCD Devices.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/logitech.nix>
hardware.logitech.lcd.devices

List of USB device ids supported by g15daemon.

You most likely do not need to change this.

Type: list of string

Default:

[
  "0a07"
  "c222"
  "c225"
  "c227"
  "c251"
]

Declared by:

<nixpkgs/nixos/modules/hardware/logitech.nix>
hardware.logitech.lcd.startWhenNeeded

Only run the service when an actual supported device is plugged.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/hardware/logitech.nix>
hardware.logitech.wireless.enable

Whether to enable support for Logitech Wireless Devices.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/logitech.nix>
hardware.logitech.wireless.enableGraphical

Enable graphical support applications.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/logitech.nix>
hardware.mcelog.enable

Enable the Machine Check Exception logger.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/mcelog.nix>
hardware.mwProCapture.enable

Whether to enable the Magewell Pro Capture family kernel module.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/capture/mwprocapture.nix>
hardware.new-lg4ff.enable

Enables improved Linux module drivers for Logitech driving wheels. This will replace the existing in-kernel hid-logitech modules. Works most notably on the Logitech G25, G27, G29 and Driving Force (GT).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/new-lg4ff.nix>
hardware.nitrokey.enable

Enables udev rules for Nitrokey devices.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/nitrokey.nix>
hardware.nvidia.package

The NVIDIA driver package to use.

Type: unspecified value

Default:

config.boot.kernelPackages.nvidiaPackages."\$\{if cfg.datacenter.enable then "dc" else "stable"}"

Example: "config.boot.kernelPackages.nvidiaPackages.legacy_470"

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.datacenter.enable

Whether to enable Data Center drivers for NVIDIA cards on a NVLink topology .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.datacenter.settings

Additional configuration options for fabricmanager.

Type: attribute set of (atom (null, bool, int, float or string))

Default:

{
  LOG_LEVEL=4;
  LOG_FILE_NAME="/var/log/fabricmanager.log";
  LOG_APPEND_TO_LOG=1;
  LOG_FILE_MAX_SIZE=1024;
  LOG_USE_SYSLOG=0;
  DAEMONIZE=1;
  BIND_INTERFACE_IP="127.0.0.1";
  STARTING_TCP_PORT=16000;
  FABRIC_MODE=0;
  FABRIC_MODE_RESTART=0;
  STATE_FILE_NAME="/var/tmp/fabricmanager.state";
  FM_CMD_BIND_INTERFACE="127.0.0.1";
  FM_CMD_PORT_NUMBER=6666;
  FM_STAY_RESIDENT_ON_FAILURES=0;
  ACCESS_LINK_FAILURE_MODE=0;
  TRUNK_LINK_FAILURE_MODE=0;
  NVSWITCH_FAILURE_MODE=0;
  ABORT_CUDA_JOBS_ON_FM_EXIT=1;
}

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.dynamicBoost.enable

Whether to enable dynamic Boost balances power between the CPU and the GPU for improved performance on supported laptops using the nvidia-powerd daemon. For more information, see the NVIDIA docs, on Chapter 23. Dynamic Boost on Linux .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.forceFullCompositionPipeline

Whether to enable forcefully the full composition pipeline. This sometimes fixes screen tearing issues. This has been reported to reduce the performance of some OpenGL applications and may produce issues in WebGL. It also drastically increases the time the driver needs to clock down after load .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.gsp.enable

Whether to enable the GPU System Processor (GSP) on the video card .

Type: boolean

Default:

config.hardware.nvidia.open == true || lib.versionAtLeast config.hardware.nvidia.package.version "555"

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.modesetting.enable

Whether to enable kernel modesetting when using the NVIDIA proprietary driver.

Enabling this fixes screen tearing when using Optimus via PRIME (see hardware.nvidia.prime.sync.enable. This is not enabled by default because it is not officially supported by NVIDIA and would not work with SLI.

Enabling this and using version 545 or newer of the proprietary NVIDIA driver causes it to provide its own framebuffer device, which can cause Wayland compositors to work when they otherwise wouldn’t. .

Type: boolean

Default: lib.versionAtLeast cfg.package.version "535"

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.nvidiaPersistenced

Whether to enable nvidia-persistenced a update for NVIDIA GPU headless mode, i.e. It ensures all GPUs stay awake even during headless mode .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.nvidiaSettings

Whether to enable nvidia-settings, NVIDIA’s GUI configuration tool .

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.open

Whether to enable the open source NVIDIA kernel module.

Type: null or boolean

Default:

if lib.versionOlder config.hardware.nvidia.package.version "560" then false else null

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.powerManagement.enable

Whether to enable experimental power management through systemd. For more information, see the NVIDIA docs, on Chapter 21. Configuring Power Management Support .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.powerManagement.finegrained

Whether to enable experimental power management of PRIME offload. For more information, see the NVIDIA docs, on Chapter 22. PCI-Express Runtime D3 (RTD3) Power Management .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.prime.allowExternalGpu

Whether to enable configuring X to allow external NVIDIA GPUs when using Prime [Reverse] sync optimus .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.prime.amdgpuBusId

Bus ID of the AMD APU. You can find it using lspci; for example if lspci shows the AMD APU at “04:00.0”, set this option to “PCI:4:0:0”.

Type: string matching the pattern ([[:print:]]+[:@][0-9]{1,3}:[0-9]{1,2}:[0-9])?

Default: ""

Example: "PCI:4:0:0"

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.prime.intelBusId

Bus ID of the Intel GPU. You can find it using lspci; for example if lspci shows the Intel GPU at “00:02.0”, set this option to “PCI:0:2:0”.

Type: string matching the pattern ([[:print:]]+[:@][0-9]{1,3}:[0-9]{1,2}:[0-9])?

Default: ""

Example: "PCI:0:2:0"

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.prime.nvidiaBusId

Bus ID of the NVIDIA GPU. You can find it using lspci; for example if lspci shows the NVIDIA GPU at “01:00.0”, set this option to “PCI:1:0:0”.

Type: string matching the pattern ([[:print:]]+[:@][0-9]{1,3}:[0-9]{1,2}:[0-9])?

Default: ""

Example: "PCI:1:0:0"

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.prime.offload.enable

Whether to enable render offload support using the NVIDIA proprietary driver via PRIME.

If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to be specified (hardware.nvidia.prime.nvidiaBusId and hardware.nvidia.prime.intelBusId or hardware.nvidia.prime.amdgpuBusId) .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.prime.offload.enableOffloadCmd

Whether to enable adding a nvidia-offload convenience script to environment.systemPackages for offloading programs to an nvidia device. To work, should have also enabled hardware.nvidia.prime.offload.enable or hardware.nvidia.prime.reverseSync.enable.

Example usage nvidia-offload sauerbraten_client .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.prime.reverseSync.enable

Whether to enable NVIDIA Optimus support using the NVIDIA proprietary driver via reverse PRIME. If enabled, the Intel/AMD GPU will be used for all rendering, while enabling output to displays attached only to the NVIDIA GPU without a multiplexer.

Warning: This feature is relatively new, depending on your system this might work poorly. AMD support, especially so. See: https://forums.developer.nvidia.com/t/the-all-new-outputsink-feature-aka-reverse-prime/129828

Note that this option only has any effect if the “nvidia” driver is specified in services.xserver.videoDrivers, and it should preferably be the only driver there.

If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to be specified (hardware.nvidia.prime.nvidiaBusId and hardware.nvidia.prime.intelBusId or hardware.nvidia.prime.amdgpuBusId).

If you enable this, you may want to also enable kernel modesetting for the NVIDIA driver (hardware.nvidia.modesetting.enable) in order to prevent tearing.

Note that this configuration will only be successful when a display manager for which the services.xserver.displayManager.setupCommands option is supported is used .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.prime.reverseSync.setupCommands.enable

Whether to enable configure the display manager to be able to use the outputs attached to the NVIDIA GPU. Disable in order to configure the NVIDIA GPU outputs manually using xrandr. Note that this configuration will only be successful when a display manager for which the services.xserver.displayManager.setupCommands option is supported is used .

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.prime.sync.enable

Whether to enable NVIDIA Optimus support using the NVIDIA proprietary driver via PRIME. If enabled, the NVIDIA GPU will be always on and used for all rendering, while enabling output to displays attached only to the integrated Intel/AMD GPU without a multiplexer.

Note that this option only has any effect if the “nvidia” driver is specified in services.xserver.videoDrivers, and it should preferably be the only driver there.

If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to be specified (hardware.nvidia.prime.nvidiaBusId and hardware.nvidia.prime.intelBusId or hardware.nvidia.prime.amdgpuBusId).

If you enable this, you may want to also enable kernel modesetting for the NVIDIA driver (hardware.nvidia.modesetting.enable) in order to prevent tearing.

Note that this configuration will only be successful when a display manager for which the services.xserver.displayManager.setupCommands option is supported is used .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia.videoAcceleration

Whether to enable Whether video acceleration (VA-API) should be enabled. .

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/nvidia.nix>
hardware.nvidia-container-toolkit.enable

Enable dynamic CDI configuration for Nvidia devices by running nvidia-container-toolkit on boot.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/nvidia-container-toolkit>
hardware.nvidia-container-toolkit.package

The nvidia-container-toolkit package to use.

Type: package

Default: pkgs.nvidia-container-toolkit

Declared by:

<nixpkgs/nixos/modules/services/hardware/nvidia-container-toolkit>
hardware.nvidia-container-toolkit.device-name-strategy

Specify the strategy for generating device names, passed to nvidia-ctk cdi generate. This will affect how you reference the device using nvidia.com/gpu= in the container runtime.

Type: one of “index”, “uuid”, “type-index”

Default: "index"

Declared by:

<nixpkgs/nixos/modules/services/hardware/nvidia-container-toolkit>
hardware.nvidia-container-toolkit.mount-nvidia-docker-1-directories

Mount nvidia-docker-1 directories on containers: /usr/local/nvidia/lib and /usr/local/nvidia/lib64.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/nvidia-container-toolkit>
hardware.nvidia-container-toolkit.mount-nvidia-executables

Mount executables nvidia-smi, nvidia-cuda-mps-control, nvidia-cuda-mps-server, nvidia-debugdump, nvidia-powerd and nvidia-ctk on containers.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/nvidia-container-toolkit>
hardware.nvidia-container-toolkit.mounts

Mounts to be added to every container under the Nvidia CDI profile.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/nvidia-container-toolkit>
hardware.nvidia-container-toolkit.mounts.*.containerPath

Container path.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/hardware/nvidia-container-toolkit>
hardware.nvidia-container-toolkit.mounts.*.hostPath

Host path.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/hardware/nvidia-container-toolkit>
hardware.nvidia-container-toolkit.mounts.*.mountOptions

Mount options.

Type: list of string

Default:

[
  "ro"
  "nosuid"
  "nodev"
  "bind"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/nvidia-container-toolkit>
hardware.nvidiaOptimus.disable

Completely disable the NVIDIA graphics card and use the integrated graphics processor instead.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/nvidia-optimus.nix>
hardware.onlykey.enable

Enable OnlyKey device (https://crp.to/p/) support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/onlykey/default.nix>
hardware.openrazer.enable

Whether to enable OpenRazer drivers and userspace daemon .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/openrazer.nix>
hardware.openrazer.batteryNotifier

Settings for device battery notifications.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/hardware/openrazer.nix>
hardware.openrazer.batteryNotifier.enable

Mouse battery notifier.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/hardware/openrazer.nix>
hardware.openrazer.batteryNotifier.frequency

How often battery notifications should be shown (in seconds). A value of 0 disables notifications.

Type: signed integer

Default: 600

Declared by:

<nixpkgs/nixos/modules/hardware/openrazer.nix>
hardware.openrazer.batteryNotifier.percentage

At what battery percentage the device should reach before sending notifications.

Type: signed integer

Default: 33

Declared by:

<nixpkgs/nixos/modules/hardware/openrazer.nix>
hardware.openrazer.devicesOffOnScreensaver

Turn off the devices when the systems screensaver kicks in.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/hardware/openrazer.nix>
hardware.openrazer.keyStatistics

Collects number of keypresses per hour per key used to generate a heatmap.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/openrazer.nix>
hardware.openrazer.syncEffectsEnabled

Set the sync effects flag to true so any assignment of effects will work across devices.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/hardware/openrazer.nix>
hardware.openrazer.users

Usernames to be added to the “openrazer” group, so that they can start and interact with the OpenRazer userspace daemon.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/hardware/openrazer.nix>
hardware.openrazer.verboseLogging

Whether to enable verbose logging. Logs debug messages.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/openrazer.nix>
hardware.opentabletdriver.enable

Enable OpenTabletDriver udev rules, user service and blacklist kernel modules known to conflict with OpenTabletDriver.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/opentabletdriver.nix>
hardware.opentabletdriver.package

The opentabletdriver package to use.

Type: package

Default: pkgs.opentabletdriver

Declared by:

<nixpkgs/nixos/modules/hardware/opentabletdriver.nix>
hardware.opentabletdriver.blacklistedKernelModules

Blacklist of kernel modules known to conflict with OpenTabletDriver.

Type: list of string

Default:

[
  "hid-uclogic"
  "wacom"
]

Declared by:

<nixpkgs/nixos/modules/hardware/opentabletdriver.nix>
hardware.opentabletdriver.daemon.enable

Whether to start OpenTabletDriver daemon as a systemd user service.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/hardware/opentabletdriver.nix>
hardware.parallels.enable

This enables Parallels Tools for Linux guests, along with provided video, mouse and other hardware drivers.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/parallels-guest.nix>
hardware.parallels.package

Defines which package to use for prl-tools. Override to change the version.

Type: null or package

Default: "config.boot.kernelPackages.prl-tools"

Example: config.boot.kernelPackages.prl-tools

Declared by:

<nixpkgs/nixos/modules/virtualisation/parallels-guest.nix>
hardware.pcmcia.enable

Enable this option to support PCMCIA card.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/pcmcia.nix>
hardware.pcmcia.config

Path to the configuration file which maps the memory, IRQs and ports used by the PCMCIA hardware.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/hardware/pcmcia.nix>
hardware.pcmcia.firmware

List of firmware used to handle specific PCMCIA card.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/hardware/pcmcia.nix>
hardware.printers.ensureDefaultPrinter

Ensures the named printer is the default CUPS printer / printer queue.

Type: null or printable string without spaces, # and /

Default: null

Declared by:

<nixpkgs/nixos/modules/hardware/printers.nix>
hardware.printers.ensurePrinters

Will regularly ensure that the given CUPS printers are configured as declared here. If a printer’s options are manually changed afterwards, they will be overwritten eventually. This option will never delete any printer, even if removed from this list. You can check existing printers with lpstat -s and remove printers with lpadmin -x <printer-name>. Printers not listed here can still be manually configured.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/hardware/printers.nix>
hardware.printers.ensurePrinters.*.description

Optional human-readable description.

Type: null or string

Default: null

Example: "Brother HL-5140"

Declared by:

<nixpkgs/nixos/modules/hardware/printers.nix>
hardware.printers.ensurePrinters.*.deviceUri

How to reach the printer. lpinfo -v shows a list of supported device URIs and schemes.

Type: string

Example:

"ipp://printserver.local/printers/BrotherHL_Workroom"
"usb://HP/DESKJET%20940C?serial=CN16E6C364BH"

Declared by:

<nixpkgs/nixos/modules/hardware/printers.nix>
hardware.printers.ensurePrinters.*.location

Optional human-readable location.

Type: null or string

Default: null

Example: "Workroom"

Declared by:

<nixpkgs/nixos/modules/hardware/printers.nix>
hardware.printers.ensurePrinters.*.model

Location of the ppd driver file for the printer. lpinfo -m shows a list of supported models.

Type: string

Example:

"gutenprint.${lib.versions.majorMinor (lib.getVersion pkgs.gutenprint)}://brother-hl-5140/expert"

Declared by:

<nixpkgs/nixos/modules/hardware/printers.nix>
hardware.printers.ensurePrinters.*.name

Name of the printer / printer queue. May contain any printable characters except “/”, “#”, and space.

Type: printable string without spaces, # and /

Example: "BrotherHL_Workroom"

Declared by:

<nixpkgs/nixos/modules/hardware/printers.nix>
hardware.printers.ensurePrinters.*.ppdOptions

Sets PPD options for the printer. lpoptions [-p printername] -l shows supported PPD options for the given printer.

Type: attribute set of string

Default: { }

Example:

{
  Duplex = "DuplexNoTumble";
  PageSize = "A4";
}

Declared by:

<nixpkgs/nixos/modules/hardware/printers.nix>
hardware.pulseaudio.enable

Whether to enable the PulseAudio sound server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.package

The PulseAudio derivation to use. This can be used to enable features (such as JACK support, Bluetooth) via the pulseaudioFull package.

Type: package

Default: pkgs.pulseaudio

Example: pkgs.pulseaudioFull

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.configFile

The path to the default configuration options the PulseAudio server should use. By default, the “default.pa” configuration from the PulseAudio distribution is used.

Type: null or path

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.daemon.config

Config of the pulse daemon. See man pulse-daemon.conf.

Type: attribute set of unspecified value

Default: { }

Example: { realtime-scheduling = "yes"; }

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.daemon.logLevel

The log level that the system-wide pulseaudio daemon should use, if activated.

Type: string

Default: "notice"

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.extraClientConf

Extra configuration appended to pulse/client.conf file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.extraConfig

Literal string to append to configFile and the config file generated by the pulseaudio module.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.extraModules

Extra pulseaudio modules to use. This is intended for out-of-tree pulseaudio modules like extra bluetooth codecs.

Extra modules take precedence over built-in pulseaudio modules.

Type: list of package

Default: [ ]

Example: [ pkgs.pulseaudio-modules-bt ]

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.support32Bit

Whether to include the 32-bit pulseaudio libraries in the system or not. This is only useful on 64-bit systems and currently limited to x86_64-linux.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.systemWide

If false, a PulseAudio server is launched automatically for each user that tries to use the sound system. The server runs with user privileges. If true, one system-wide PulseAudio server is launched on boot, running as the user “pulse”, and only users in the “pulse-access” group will have access to the server. Please read the PulseAudio documentation for more details.

Don’t enable this option unless you know what you are doing.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.tcp.enable

Whether to enable tcp streaming support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.tcp.anonymousClients.allowAll

Whether to enable all anonymous clients to stream to the server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.tcp.anonymousClients.allowedIpRanges

A list of IP subnets that are allowed to stream to the server.

Type: list of string

Default: [ ]

Example: [ "127.0.0.1" "192.168.1.0/24" ]

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.zeroconf.discovery.enable

Whether to enable discovery of pulseaudio sinks in the local network.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.pulseaudio.zeroconf.publish.enable

Whether to enable publishing the pulseaudio sink in the local network.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/pulseaudio.nix>
hardware.raid.HPSmartArray.enable

Whether to enable HP Smart Array kernel modules and CLI utility.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/raid/hpsa.nix>
hardware.rasdaemon.enable

Whether to enable RAS logging daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
hardware.rasdaemon.config

rasdaemon configuration, currently only used for CE PFA for details, read rasdaemon.outPath/etc/sysconfig/rasdaemon’s comments

Type: strings concatenated with “\n”

Default: ""

Example:

''
  # defaults from included config
  PAGE_CE_REFRESH_CYCLE="24h"
  PAGE_CE_THRESHOLD="50"
  PAGE_CE_ACTION="soft"
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
hardware.rasdaemon.extraModules

extra kernel modules to load

Type: list of string

Default: [ ]

Example:

[
  "i7core_edac"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
hardware.rasdaemon.labels

Additional memory module label descriptions to be placed in /etc/ras/dimm_labels.d/labels

Type: strings concatenated with “\n”

Default: ""

Example:

''
  # vendor and model may be shown by 'ras-mc-ctl --mainboard'
  vendor: ASRock
    product: To Be Filled By O.E.M.
    model: B450M Pro4
      # these labels are names for the motherboard slots
      # the numbers may be shown by `ras-mc-ctl --error-count`
      # they are mc:csrow:channel
      DDR4_A1: 0.2.0;  DDR4_B1: 0.2.1;
      DDR4_A2: 0.3.0;  DDR4_B2: 0.3.1;
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
hardware.rasdaemon.mainboard

Custom mainboard description, see ras-mc-ctl(8) for more details.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  vendor = ASRock
  model = B450M Pro4
  
  # it should default to such values from
  # /sys/class/dmi/id/board_[vendor|name]
  # alternatively one can supply a script
  # that returns the same format as above
  
  script = <path to script>
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
hardware.rasdaemon.record

record events via sqlite3, required for ras-mc-ctl

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
hardware.rasdaemon.testing

Whether to enable error injection infrastructure.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/rasdaemon.nix>
hardware.rtl-sdr.enable

Enables rtl-sdr udev rules, ensures ‘plugdev’ group exists, and blacklists DVB kernel modules. This is a prerequisite to using devices supported by rtl-sdr without being root, since rtl-sdr USB descriptors will be owned by plugdev through udev.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/rtl-sdr.nix>
hardware.saleae-logic.enable

Whether to enable udev rules for Saleae Logic devices.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/saleae-logic.nix>
hardware.saleae-logic.package

Saleae Logic package to use.

Type: package

Default: pkgs.saleae-logic-2

Declared by:

<nixpkgs/nixos/modules/hardware/saleae-logic.nix>
hardware.sane.enable

Enable support for SANE scanners.

Note

Users in the “scanner” group will gain access to the scanner, or the “lp” group if it’s also a printer.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane.nix>
hardware.sane.backends-package

Backends driver package to use.

Type: package

Default: pkgs.sane-backends

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane.nix>
hardware.sane.brscan4.enable

When enabled, will automatically register the “brscan4” sane backend and bring configuration files to their expected location.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
hardware.sane.brscan4.netDevices

The list of network devices that will be registered against the brscan4 sane backend.

Type: attribute set of (submodule)

Default: { }

Example:

{
  office1 = {
    ip = "192.168.1.2";
    model = "MFC-7860DW";
  };
  office2 = {
    model = "MFC-7860DW";
    nodename = "BRW0080927AFBCE";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
hardware.sane.brscan4.netDevices.<name>.ip

The ip address of the device. If undefined, you will have to provide a nodename.

Type: null or string

Default: null

Example: "192.168.1.2"

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
hardware.sane.brscan4.netDevices.<name>.model

The model of the network device.

Type: string

Example: "MFC-7860DW"

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
hardware.sane.brscan4.netDevices.<name>.name

The friendly name you give to the network device. If undefined, the name of attribute will be used.

Type: string

Example: "office1"

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
hardware.sane.brscan4.netDevices.<name>.nodename

The node name of the device. If undefined, you will have to provide an ip.

Type: null or string

Default: null

Example: "BRW0080927AFBCE"

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
hardware.sane.brscan5.enable

Whether to enable the Brother brscan5 sane backend.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix>
hardware.sane.brscan5.netDevices

The list of network devices that will be registered against the brscan5 sane backend.

Type: attribute set of (submodule)

Default: { }

Example:

{
  office1 = {
    ip = "192.168.1.2";
    model = "MFC-7860DW";
  };
  office2 = {
    model = "MFC-7860DW";
    nodename = "BRW0080927AFBCE";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix>
hardware.sane.brscan5.netDevices.<name>.ip

The ip address of the device. If undefined, you will have to provide a nodename.

Type: null or string

Default: null

Example: "192.168.1.2"

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix>
hardware.sane.brscan5.netDevices.<name>.model

The model of the network device.

Type: string

Example: "ADS-1200"

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix>
hardware.sane.brscan5.netDevices.<name>.name

The friendly name you give to the network device. If undefined, the name of attribute will be used.

Type: string

Example: "office1"

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix>
hardware.sane.brscan5.netDevices.<name>.nodename

The node name of the device. If undefined, you will have to provide an ip.

Type: null or string

Default: null

Example: "BRW0080927AFBCE"

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan5.nix>
hardware.sane.disabledDefaultBackends

Names of backends which are enabled by default but should be disabled. See $SANE_CONFIG_DIR/dll.conf for the list of possible names.

Type: list of string

Default: [ ]

Example:

[
  "v4l"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane.nix>
hardware.sane.drivers.scanSnap.enable

Whether to enable drivers for the Fujitsu ScanSnap scanners.

The driver files are unfree and extracted from the Windows driver image.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane.nix>
hardware.sane.drivers.scanSnap.package

The epjitsu package to use. Useful if you want to extract the driver files yourself.

The process is described in the /etc/sane.d/epjitsu.conf file in the sane-backends package.

Type: package

Default: pkgs.sane-drivers.epjitsu

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane.nix>
hardware.sane.dsseries.enable

When enabled, will automatically register the “dsseries” SANE backend.

This supports the Brother DSmobile scanner series, including the DS-620, DS-720D, DS-820W, and DS-920DW scanners.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/dsseries.nix>
hardware.sane.extraBackends

Packages providing extra SANE backends to enable.

Note

The example contains the package for HP scanners, and the package for Apple AirScan and Microsoft WSD support (supports many vendors/devices).

Type: list of path

Default: [ ]

Example: [ pkgs.hplipWithPlugin pkgs.sane-airscan ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane.nix>
hardware.sane.netConf

Network hosts that should be probed for remote scanners.

Type: strings concatenated with “\n”

Default: ""

Example: "192.168.0.16"

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane.nix>
hardware.sane.openFirewall

Open ports needed for discovery of scanners on the local network, e.g. needed for Canon scanners (BJNP protocol).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane.nix>
hardware.sane.snapshot

Use a development snapshot of SANE scanner drivers.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane.nix>
hardware.sata.timeout.enable

Whether to enable SATA drive timeouts.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/sata.nix>
hardware.sata.timeout.deciSeconds

Set SCT Error Recovery Control timeout in deciseconds for use in RAID configurations.

Values are as follows: 0 = disable SCT ERT 70 = default in consumer drives (7 seconds)

Maximum is disk dependant but probably 60 seconds.

Type: signed integer

Example: 70

Declared by:

<nixpkgs/nixos/modules/hardware/sata.nix>
hardware.sata.timeout.drives

List of drives for which to configure the timeout.

Type: list of (submodule)

Declared by:

<nixpkgs/nixos/modules/hardware/sata.nix>
hardware.sata.timeout.drives.*.idBy

The method to identify the drive.

Type: one of “path”, “wwn”

Default: "path"

Declared by:

<nixpkgs/nixos/modules/hardware/sata.nix>
hardware.sata.timeout.drives.*.name

Drive name without the full path.

Type: string

Declared by:

<nixpkgs/nixos/modules/hardware/sata.nix>
hardware.sensor.hddtemp.enable

Enable this option to support HDD/SSD temperature sensors.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/sensor/hddtemp.nix>
hardware.sensor.hddtemp.dbEntries

Additional DB entries

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/hardware/sensor/hddtemp.nix>
hardware.sensor.hddtemp.drives

List of drives to monitor. If you pass /dev/disk/by-path/* entries the symlinks will be resolved as hddtemp doesn’t like names with colons.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/hardware/sensor/hddtemp.nix>
hardware.sensor.hddtemp.extraArgs

Additional arguments passed to the daemon.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/hardware/sensor/hddtemp.nix>
hardware.sensor.hddtemp.unit

Celsius or Fahrenheit

Type: one of “C”, “F”

Default: "C"

Declared by:

<nixpkgs/nixos/modules/hardware/sensor/hddtemp.nix>
hardware.sensor.iio.enable

Enable this option to support IIO sensors with iio-sensor-proxy.

IIO sensors are used for orientation and ambient light sensors on some mobile devices.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/sensor/iio.nix>
hardware.spacenavd.enable

Whether to enable spacenavd to support 3DConnexion devices.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/spacenavd.nix>
hardware.steam-hardware.enable

Enable udev rules for Steam hardware such as the Steam Controller, other supported controllers and the HTC Vive

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/steam-hardware.nix>
hardware.system76.enableAll

Whether to enable all recommended configuration for system76 systems.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/system-76.nix>
hardware.system76.firmware-daemon.enable

Whether to enable the system76 firmware daemon

Type: boolean

Default: config.hardware.system76.enableAll

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/system-76.nix>
hardware.system76.kernel-modules.enable

Whether to make the system76 out-of-tree kernel modules available

Type: boolean

Default: config.hardware.system76.enableAll

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/system-76.nix>
hardware.system76.power-daemon.enable

Whether to enable the system76 power daemon

Type: boolean

Default: config.hardware.system76.enableAll

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/system-76.nix>
hardware.trackpoint.enable

Enable sensitivity and speed configuration for trackpoints.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/trackpoint.nix>
hardware.trackpoint.device

The device name of the trackpoint. You can check with xinput. Some newer devices (example x1c6) use “TPPS/2 Elan TrackPoint”.

Type: string

Default: "TPPS/2 IBM TrackPoint"

Declared by:

<nixpkgs/nixos/modules/tasks/trackpoint.nix>
hardware.trackpoint.emulateWheel

Enable scrolling while holding the middle mouse button.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/trackpoint.nix>
hardware.trackpoint.fakeButtons

Switch to “bare” PS/2 mouse support in case Trackpoint buttons are not recognized properly. This can happen for example on models like the L430, T450, T450s, on which the Trackpoint buttons are actually a part of the Synaptics touchpad.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/trackpoint.nix>
hardware.trackpoint.sensitivity

Configure the trackpoint sensitivity. By default, the kernel configures 128.

Type: signed integer

Default: 128

Example: 255

Declared by:

<nixpkgs/nixos/modules/tasks/trackpoint.nix>
hardware.trackpoint.speed

Configure the trackpoint speed. By default, the kernel configures 97.

Type: signed integer

Default: 97

Example: 255

Declared by:

<nixpkgs/nixos/modules/tasks/trackpoint.nix>
hardware.tuxedo-drivers.enable

Whether to enable The tuxedo-drivers driver enables access to the following on TUXEDO notebooks:

  • Driver for Fn-keys

  • SysFS control of brightness/color/mode for most TUXEDO keyboards

  • Hardware I/O driver for TUXEDO Control Center

For more inforation it is best to check at the source code description: https://gitlab.com/tuxedocomputers/development/packages/tuxedo-drivers .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/tuxedo-drivers.nix>
hardware.tuxedo-rs.enable

Whether to enable Rust utilities for interacting with hardware from TUXEDO Computers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/tuxedo-rs.nix>
hardware.tuxedo-rs.tailor-gui.enable

Whether to enable tailor-gui, an alternative to TUXEDO Control Center, written in Rust.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/tuxedo-rs.nix>
hardware.ubertooth.enable

Whether to enable Ubertooth software and its udev rules.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/ubertooth.nix>
hardware.ubertooth.group

Group for Ubertooth’s udev rules.

Type: string

Default: "ubertooth"

Example: "wheel"

Declared by:

<nixpkgs/nixos/modules/hardware/ubertooth.nix>
hardware.uinput.enable

Whether to enable uinput support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/uinput.nix>
hardware.uni-sync.enable

Whether to enable udev rules and software for Lian Li Uni Controllers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/uni-sync.nix>
hardware.uni-sync.package

The uni-sync package to use.

Type: package

Default: pkgs.uni-sync

Declared by:

<nixpkgs/nixos/modules/hardware/uni-sync.nix>
hardware.uni-sync.devices

List of controllers with their configurations.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    device_id = "VID:1111/PID:11111/SN:1111111111";
    sync_rgb = true;
    channels = [
      {
        mode = "PWM";
      }
      {
        mode = "Manual";
        speed = 100;
      }
      {
        mode = "Manual";
        speed = 54;
      }
      {
        mode = "Manual";
        speed = 0;
      }
    ];
  }
  {
    device_id = "VID:1010/PID:10101/SN:1010101010";
    sync_rgb = false;
    channels = [
      {
        mode = "Manual";
        speed = 0;
      }
    ];
  }
]

Declared by:

<nixpkgs/nixos/modules/hardware/uni-sync.nix>
hardware.uni-sync.devices.*.channels

List of channels connected to the controller.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    mode = "PWM";
  }
  {
    mode = "Manual";
    speed = 100;
  }
  {
    mode = "Manual";
    speed = 54;
  }
  {
    mode = "Manual";
    speed = 0;
  }
]

Declared by:

<nixpkgs/nixos/modules/hardware/uni-sync.nix>
hardware.uni-sync.devices.*.channels.*.mode

“PWM” to enable PWM sync. “Manual” to set speed.

Type: one of “Manual”, “PWM”

Default: "Manual"

Example: "PWM"

Declared by:

<nixpkgs/nixos/modules/hardware/uni-sync.nix>
hardware.uni-sync.devices.*.channels.*.speed

Fan speed as percentage (clamped between 0 and 100).

Type: signed integer

Default: "50"

Example: "100"

Declared by:

<nixpkgs/nixos/modules/hardware/uni-sync.nix>
hardware.uni-sync.devices.*.device_id

Unique device ID displayed at each startup.

Type: string

Example: "VID:1111/PID:11111/SN:1111111111"

Declared by:

<nixpkgs/nixos/modules/hardware/uni-sync.nix>
hardware.uni-sync.devices.*.sync_rgb

Enable ARGB header sync.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/uni-sync.nix>
hardware.usb-modeswitch.enable

Enable this option to support certain USB WLAN and WWAN adapters.

These network adapters initial present themselves as Flash Drives containing their drivers. This option enables automatic switching to the networking mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/usb-modeswitch.nix>
hardware.usbStorage.manageShutdown

Enable this option to gracefully spin-down external storage during shutdown. If you suspect improper head parking after poweroff, install smartmontools and check for the Power-Off_Retract_Count field for an increment.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/usb-storage.nix>
hardware.wirelessRegulatoryDatabase

Whether to enable loading the wireless regulatory database at boot.

Type: boolean

Default: Enabled if proprietary firmware is allowed via enableRedistributableFirmware or enableAllFirmware.

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/all-firmware.nix>
hardware.wooting.enable

Whether to enable support for Wooting keyboards. Note that users must be in the “input” group for udev rules to apply.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/wooting.nix>
hardware.xone.enable

Whether to enable the xone driver for Xbox One and Xbox Series X|S accessories.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/xone.nix>
hardware.xpadneo.enable

Whether to enable the xpadneo driver for Xbox One wireless controllers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/xpadneo.nix>
i18n.defaultLocale

The default locale. It determines the language for program messages, the format for dates and times, sort order, and so on. It also determines the character set, such as UTF-8.

Type: string

Default: "en_US.UTF-8"

Example: "nl_NL.UTF-8"

Declared by:

<nixpkgs/nixos/modules/config/i18n.nix>
i18n.extraLocaleSettings

A set of additional system-wide locale settings other than LANG which can be configured with i18n.defaultLocale.

Type: attribute set of string

Default: { }

Example:

{
  LC_MESSAGES = "en_US.UTF-8";
  LC_TIME = "de_DE.UTF-8";
}

Declared by:

<nixpkgs/nixos/modules/config/i18n.nix>
i18n.glibcLocales

Customized pkg.glibcLocales package.

Changing this option can disable handling of i18n.defaultLocale and supportedLocale.

Type: path

Default:

pkgs.glibcLocales.override {
  allLocales = lib.any (x: x == "all") config.i18n.supportedLocales;
  locales = config.i18n.supportedLocales;
}

Example: pkgs.glibcLocales

Declared by:

<nixpkgs/nixos/modules/config/i18n.nix>
i18n.inputMethod.enable

Whether to enable an additional input method type.

Type: boolean

Default: true if the deprecated option enabled is set, false otherwise

Example: true

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/default.nix>
i18n.inputMethod.enabled

Deprecated - use type and enable = true instead

Type: null or one of “ibus”, “fcitx5”, “nabi”, “uim”, “hime”, “kime”

Default: null

Example: "fcitx5"

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/default.nix>
i18n.inputMethod.fcitx5.addons

Enabled Fcitx5 addons.

Type: list of package

Default: [ ]

Example: with pkgs; [ fcitx5-rime ]

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/fcitx5.nix>
i18n.inputMethod.fcitx5.ignoreUserConfig

Ignore the user configures. Warning: When this is enabled, the user config files are totally ignored and the user dict can’t be saved and loaded.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/fcitx5.nix>
i18n.inputMethod.fcitx5.plasma6Support

Use qt6 versions of fcitx5 packages. Required for configuring fcitx5 in KDE System Settings.

Type: boolean

Default: config.services.desktopManager.plasma6.enable

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/fcitx5.nix>
i18n.inputMethod.fcitx5.quickPhrase

Quick phrases.

Type: attribute set of string

Default: { }

Example:

{
  smile = "(・∀・)";
  angry = "( ̄ー ̄)";
}

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/fcitx5.nix>
i18n.inputMethod.fcitx5.quickPhraseFiles

Quick phrase files.

Type: attribute set of path

Default: { }

Example:

{
  words = ./words.mb;
  numbers = ./numbers.mb;
}

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/fcitx5.nix>
i18n.inputMethod.fcitx5.settings.addons

The addon configures in conf folder in ini format with global sections. Each item is written to the corresponding file.

Type: attribute set of anything

Default: { }

Example: { pinyin.globalSection.EmojiEnabled = "True"; }

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/fcitx5.nix>
i18n.inputMethod.fcitx5.settings.globalOptions

The global options in config file in ini format.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/fcitx5.nix>
i18n.inputMethod.fcitx5.settings.inputMethod

The input method configure in profile file in ini format.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/fcitx5.nix>
i18n.inputMethod.fcitx5.waylandFrontend

Use the Wayland input method frontend. See Using Fcitx 5 on Wayland.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/fcitx5.nix>
i18n.inputMethod.ibus.engines

Enabled IBus engines. Available engines are: anthy, bamboo, cangjie, hangul, kkc, libpinyin, libthai, m17n, mozc, mozc-ut, openbangla-keyboard, pinyin, rime, table, table-chinese, table-others, typing-booster, typing-booster-unwrapped, uniemoji.

Type: list of ibus-engine

Default: [ ]

Example: with pkgs.ibus-engines; [ mozc hangul ]

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/ibus.nix>
i18n.inputMethod.ibus.panel

Replace the IBus panel with another panel.

Type: null or path

Default: null

Example: "${pkgs.plasma5Packages.plasma-desktop}/libexec/kimpanel-ibus-panel"

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/ibus.nix>
i18n.inputMethod.kime.daemonModules

List of enabled daemon modules

Type: list of (one of “Xim”, “Wayland”, “Indicator”)

Default:

[
  "Xim"
  "Wayland"
  "Indicator"
]

Example:

[
  "Xim"
  "Indicator"
]

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/kime.nix>
i18n.inputMethod.kime.extraConfig

extra kime configuration. Refer to https://github.com/Riey/kime/blob/v3.1.1/docs/CONFIGURATION.md for details on supported values.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/kime.nix>
i18n.inputMethod.kime.iconColor

Color of the indicator icon

Type: one of “Black”, “White”

Default: "Black"

Example: "White"

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/kime.nix>
i18n.inputMethod.type

Select the enabled input method. Input methods is a software to input symbols that are not available on standard input devices.

Input methods are specially used to input Chinese, Japanese and Korean characters.

Currently the following input methods are available in NixOS:

  • ibus: The intelligent input bus, extra input engines can be added using i18n.inputMethod.ibus.engines.

  • fcitx5: The next generation of fcitx, addons (including engines, dictionaries, skins) can be added using i18n.inputMethod.fcitx5.addons.

  • nabi: A Korean input method based on XIM. Nabi doesn’t support Qt 5.

  • uim: The universal input method, is a library with a XIM bridge. uim mainly support Chinese, Japanese and Korean.

  • hime: An extremely easy-to-use input method framework.

  • kime: Koream IME.

Type: null or one of “ibus”, “fcitx5”, “nabi”, “uim”, “hime”, “kime”

Default: The value of the deprecated option enabled, defaulting to null

Example: "fcitx5"

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/default.nix>
i18n.inputMethod.uim.toolbar

selected UIM toolbar.

Type: one of “gtk”, “gtk3”, “gtk-systray”, “gtk3-systray”, “qt5”

Default: "gtk"

Example: "gtk-systray"

Declared by:

<nixpkgs/nixos/modules/i18n/input-method/uim.nix>
i18n.supportedLocales

List of locales that the system should support. The value "all" means that all locales supported by Glibc will be installed. A full list of supported locales can be found at https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED.

Type: list of string

Default:

lib.unique
  (builtins.map (l: (lib.replaceStrings [ "utf8" "utf-8" "UTF8" ] [ "UTF-8" "UTF-8" "UTF-8" ] l) + "/UTF-8") (
    [
      "C.UTF-8"
      "en_US.UTF-8"
      config.i18n.defaultLocale
    ] ++ (lib.attrValues (lib.filterAttrs (n: v: n != "LANGUAGE") config.i18n.extraLocaleSettings))
  ))

Example:

[
  "en_US.UTF-8/UTF-8"
  "nl_NL.UTF-8/UTF-8"
  "nl_NL/ISO-8859-1"
]

Declared by:

<nixpkgs/nixos/modules/config/i18n.nix>
image.modules

image-specific NixOS Modules used for system.build.images.

Type: attribute set of list of module

Declared by:

<nixpkgs/nixos/modules/image/images.nix>
image.repart.package

The systemd-repart package to use.

Type: package

Default: pkgs.buildPackages.systemd

Example: pkgs.buildPackages.systemdMinimal.override { withCryptsetup = true; }

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.compression.enable

Whether to enable Image compression.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.compression.algorithm

Compression algorithm

Type: one of “zstd”, “xz”

Default: "zstd"

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.compression.level

Compression level. The available range depends on the used algorithm.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.imageFile

Filename of the image including all extensions (e.g image_1.raw or image_1.raw.zst).

Type: string (read only)

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.imageFileBasename

Basename of the image filename without any extension (e.g. image_1).

Type: string (read only)

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.mkfsOptions

Specify extra options for created file systems. The specified options are converted to individual environment variables of the format SYSTEMD_REPART_MKFS_OPTIONS_<FSTYPE>.

See upstream systemd documentation for information about the usage of these environment variables.

The example would produce the following environment variable:

SYSTEMD_REPART_MKFS_OPTIONS_VFAT="-S 512 -c"

Type: attribute set of list of string

Default: { }

Example:

{
  vfat = [ "-S 512" "-c" ];
}

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.name

Name of the image.

If this option is unset but config.system.image.id is set, config.system.image.id is used as the default value.

Type: string

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.partitions

Specify partitions as a set of the names of the partitions with their configuration as the key.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "10-esp" = {
    contents = {
      "/EFI/BOOT/BOOTX64.EFI".source =
        "${pkgs.systemd}/lib/systemd/boot/efi/systemd-bootx64.efi";
    }
    repartConfig = {
      Type = "esp";
      Format = "fat";
    };
  };
  "20-root" = {
    storePaths = [ config.system.build.toplevel ];
    repartConfig = {
      Type = "root";
      Format = "ext4";
      Minimize = "guess";
    };
  };
};

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.partitions.<name>.contents

The contents to end up in the filesystem image.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/EFI/BOOT/BOOTX64.EFI".source =
    "${pkgs.systemd}/lib/systemd/boot/efi/systemd-bootx64.efi";

  "/loader/entries/nixos.conf".source = systemdBootEntry;
}

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.partitions.<name>.contents.<name>.source

Path of the source file.

Type: path

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.partitions.<name>.repartConfig

Specify the repart options for a partiton as a structural setting. See https://www.freedesktop.org/software/systemd/man/repart.d.html for all available options.

Type: attribute set of (string or signed integer or boolean)

Example:

{
  SizeMaxBytes = "2G";
  SizeMinBytes = "512M";
  Type = "home";
}

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.partitions.<name>.storePaths

The store paths to include in the partition.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.partitions.<name>.stripNixStorePrefix

Whether to strip /nix/store/ from the store paths. This is useful when you want to build a partition that only contains store paths and is mounted under /nix/store.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.sectorSize

The sector size of the disk image produced by systemd-repart. This value must be a power of 2 between 512 and 4096.

Type: null or signed integer

Default: 512

Example: 4096

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.seed

A UUID to use as a seed. You can set this to null to explicitly randomize the partition UUIDs.

Type: null or string

Default: "0867da16-f251-457d-a9e8-c31f9a3c220b"

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.split

Enables generation of split artifacts from partitions. If enabled, for each partition with SplitName= set, a separate output file containing just the contents of that partition is generated.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
image.repart.verityStore.enable

Whether to enable building images with a dm-verity protected nix store.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/image/repart-verity-store.nix>
image.repart.verityStore.partitionIds.esp

Specify the attribute name of the ESP.

Type: string

Default: "00-esp"

Declared by:

<nixpkgs/nixos/modules/image/repart-verity-store.nix>
image.repart.verityStore.partitionIds.store

Specify the attribute name of the store partition.

Type: string

Default: "20-store"

Declared by:

<nixpkgs/nixos/modules/image/repart-verity-store.nix>
image.repart.verityStore.partitionIds.store-verity

Specify the attribute name of the store’s dm-verity hash partition.

Type: string

Default: "10-store-verity"

Declared by:

<nixpkgs/nixos/modules/image/repart-verity-store.nix>
image.repart.verityStore.ukiPath

Specify the location on the ESP where the UKI is placed.

Type: string

Default: "/EFI/Linux/\${config.system.boot.loader.ukiFile}"

Declared by:

<nixpkgs/nixos/modules/image/repart-verity-store.nix>
image.repart.version

Version of the image

Type: null or string

Default: config.system.image.version

Declared by:

<nixpkgs/nixos/modules/image/repart.nix>
lib

This option allows modules to define helper functions, constants, etc.

Type: attribute set of (attribute set)

Default: { }

Declared by:

<nixpkgs/nixos/modules/misc/lib.nix>
location.latitude

Your current latitude, between -90.0 and 90.0. Must be provided along with longitude.

Type: floating point number

Declared by:

<nixpkgs/nixos/modules/config/locale.nix>
location.longitude

Your current longitude, between between -180.0 and 180.0. Must be provided along with latitude.

Type: floating point number

Declared by:

<nixpkgs/nixos/modules/config/locale.nix>
location.provider

The location provider to use for determining your location. If set to manual you must also provide latitude/longitude.

Type: one of “manual”, “geoclue2”

Default: "manual"

Declared by:

<nixpkgs/nixos/modules/config/locale.nix>
networking.enableB43Firmware

Turn on this option if you want firmware for the NICs supported by the b43 module.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/network/b43.nix>
networking.enableIPv6

Whether to enable support for IPv6.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.enableIntel2200BGFirmware

Turn on this option if you want firmware for the Intel PRO/Wireless 2200BG to be loaded automatically. This is required if you want to use this device.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/network/intel-2200bg.nix>
networking.bonds

This option allows you to define bond devices that aggregate multiple, underlying networking interfaces together. The value of this option is an attribute set. Each attribute specifies a bond, with the attribute name specifying the name of the bond’s network interface

Type: attribute set of (submodule)

Default: { }

Example:

{
  bond0 = {
    interfaces = [ "eth0" "wlan0" ];
    driverOptions = {
  miimon = "100";
  mode = "active-backup";
}
;
  };
  anotherBond.interfaces = [ "enp4s0f0" "enp4s0f1" "enp5s0f0" "enp5s0f1" ];
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.bonds.<name>.driverOptions

Options for the bonding driver. Documentation can be found in https://www.kernel.org/doc/Documentation/networking/bonding.txt

Type: attribute set of string

Default: { }

Example:

{
  miimon = "100";
  mode = "active-backup";
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.bonds.<name>.interfaces

The interfaces to bond together

Type: list of string

Example:

[
  "enp4s0f0"
  "enp4s0f1"
  "wlan0"
]

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.bonds.<name>.lacp_rate

DEPRECATED, use driverOptions. Option specifying the rate in which we’ll ask our link partner to transmit LACPDU packets in 802.3ad mode.

Type: null or string

Default: null

Example: "fast"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.bonds.<name>.miimon

DEPRECATED, use driverOptions. Miimon is the number of millisecond in between each round of polling by the device driver for failed links. By default polling is not enabled and the driver is trusted to properly detect and handle failure scenarios.

Type: null or signed integer

Default: null

Example: 100

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.bonds.<name>.mode

DEPRECATED, use driverOptions. The mode which the bond will be running. The default mode for the bonding driver is balance-rr, optimizing for throughput. More information about valid modes can be found at https://www.kernel.org/doc/Documentation/networking/bonding.txt

Type: null or string

Default: null

Example: "active-backup"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.bonds.<name>.xmit_hash_policy

DEPRECATED, use driverOptions. Selects the transmit hash policy to use for slave selection in balance-xor, 802.3ad, and tlb modes.

Type: null or string

Default: null

Example: "layer2+3"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.bridges

This option allows you to define Ethernet bridge devices that connect physical networks together. The value of this option is an attribute set. Each attribute specifies a bridge, with the attribute name specifying the name of the bridge’s network interface.

Type: attribute set of (submodule)

Default: { }

Example:

{
  br0 = {
    interfaces = [
      "eth0"
      "eth1"
    ];
  };
  br1 = {
    interfaces = [
      "eth2"
      "wlan0"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.bridges.<name>.interfaces

The physical network interfaces connected by the bridge.

Type: list of string

Example:

[
  "eth0"
  "eth1"
]

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.bridges.<name>.rstp

Whether the bridge interface should enable rstp.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.defaultGateway

The default gateway. It can be left empty if it is auto-detected through DHCP. It can be specified as a string or an option set along with a network interface.

Type: null or ((submodule) or string convertible to it)

Default: null

Example:

{
  address = "131.211.84.1";
  interface = "enp3s0";
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.defaultGateway.address

The default gateway address.

Type: string

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.defaultGateway.interface

The default gateway interface.

Type: null or string

Default: null

Example: "enp0s3"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.defaultGateway.metric

The default gateway metric/preference.

Type: null or signed integer

Default: null

Example: 42

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.defaultGateway6

The default ipv6 gateway. It can be left empty if it is auto-detected through DHCP. It can be specified as a string or an option set along with a network interface.

Type: null or ((submodule) or string convertible to it)

Default: null

Example:

{
  address = "2001:4d0:1e04:895::1";
  interface = "enp3s0";
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.defaultGateway6.address

The default gateway address.

Type: string

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.defaultGateway6.interface

The default gateway interface.

Type: null or string

Default: null

Example: "enp0s3"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.defaultGateway6.metric

The default gateway metric/preference.

Type: null or signed integer

Default: null

Example: 42

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.defaultGatewayWindowSize

The window size of the default gateway. It limits maximal data bursts that TCP peers are allowed to send to us.

Type: null or signed integer

Default: null

Example: 524288

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.dhcpcd.enable

Whether to enable dhcpcd for device configuration. This is mainly to explicitly disable dhcpcd (for example when using networkd).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
networking.dhcpcd.IPv6rs

Force enable or disable solicitation and receipt of IPv6 Router Advertisements. This is required, for example, when using a static unique local IPv6 address (ULA) and global IPv6 address auto-configuration with SLAAC.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
networking.dhcpcd.allowInterfaces

Enable the DHCP client for any interface whose name matches any of the shell glob patterns in this list. Any interface not explicitly matched by this pattern will be denied. This pattern only applies when non-null.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
networking.dhcpcd.denyInterfaces

Disable the DHCP client for any interface whose name matches any of the shell glob patterns in this list. The purpose of this option is to blacklist virtual interfaces such as those created by Xen, libvirt, LXC, etc.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
networking.dhcpcd.extraConfig

Literal string to append to the config file generated for dhcpcd.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
networking.dhcpcd.persistent

Whenever to leave interfaces configured on dhcpcd daemon shutdown. Set to true if you have your root or store mounted over the network or this machine accepts SSH connections through DHCP interfaces and clients should be notified when it shuts down.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
networking.dhcpcd.runHook

Shell code that will be run after all other hooks. See man dhcpcd-run-hooks for details on what is possible.

Note

To use sudo or similar tools in your script you may have to set:

systemd.services.dhcpcd.serviceConfig.NoNewPrivileges = false;

In addition, as most of the filesystem is inaccessible to dhcpcd by default, you may want to define some exceptions, e.g.

systemd.services.dhcpcd.serviceConfig.ReadOnlyPaths = [
  "/run/user/1000/bus"  # to send desktop notifications
];

Type: strings concatenated with “\n”

Default: ""

Example: "if [[ $reason =~ BOUND ]]; then echo $interface: Routers are $new_routers - were $old_routers; fi"

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
networking.dhcpcd.wait

This option specifies when the dhcpcd service will fork to background. If set to “background”, dhcpcd will fork to background immediately. If set to “ipv4” or “ipv6”, dhcpcd will wait for the corresponding IP address to be assigned. If set to “any”, dhcpcd will wait for any type (IPv4 or IPv6) to be assigned. If set to “both”, dhcpcd will wait for both an IPv4 and an IPv6 address before forking. The option “if-carrier-up” is equivalent to “any” if either ethernet is plugged nor WiFi is powered, and to “background” otherwise.

Type: one of “background”, “any”, “ipv4”, “ipv6”, “both”, “if-carrier-up”

Default: "any"

Declared by:

<nixpkgs/nixos/modules/services/networking/dhcpcd.nix>
networking.domain

The domain. It can be left empty if it is auto-detected through DHCP.

Type: null or string

Default: null

Example: "home.arpa"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.extraHosts

Additional verbatim entries to be appended to /etc/hosts. For adding hosts from derivation results, use networking.hostFiles instead.

Type: strings concatenated with “\n”

Default: ""

Example: "192.168.0.1 lanlocalhost"

Declared by:

<nixpkgs/nixos/modules/config/networking.nix>
networking.firewall.enable

Whether to enable the firewall. This is a simple stateful firewall that blocks connection attempts to unauthorised TCP or UDP ports on this machine.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.package

The package to use for running the firewall service.

Type: package

Default: if config.networking.nftables.enable then "pkgs.nftables" else "pkgs.iptables"

Example: pkgs.iptables-legacy

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowPing

Whether to respond to incoming ICMPv4 echo requests (“pings”). ICMPv6 pings are always allowed because the larger address space of IPv6 makes network scanning much less effective.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowedTCPPortRanges

A range of TCP ports on which incoming connections are accepted.

Type: list of attribute set of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: [ ]

Example:

[
  {
    from = 8999;
    to = 9003;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowedTCPPorts

List of TCP ports on which incoming connections are accepted.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: [ ]

Example:

[
  22
  80
]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowedUDPPortRanges

Range of open UDP ports.

Type: list of attribute set of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: [ ]

Example:

[
  {
    from = 60000;
    to = 61000;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.allowedUDPPorts

List of open UDP ports.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: [ ]

Example:

[
  53
]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.autoLoadConntrackHelpers

Whether to auto-load connection-tracking helpers. See the description at networking.firewall.connectionTrackingModules

(needs kernel 3.5+)

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.checkReversePath

Performs a reverse path filter test on a packet. If a reply to the packet would not be sent via the same interface that the packet arrived on, it is refused.

If using asymmetric routing or other complicated routing, set this option to loose mode or disable it and setup your own counter-measures.

This option can be either true (or “strict”), “loose” (only drop the packet if the source address is not reachable via any interface) or false.

Type: boolean or one of “strict”, “loose”

Default: true except if the iptables based firewall is in use and the kernel lacks rpfilter support

Example: "loose"

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.connectionTrackingModules

List of connection-tracking helpers that are auto-loaded. The complete list of possible values is given in the example.

As helpers can pose as a security risk, it is advised to set this to an empty list and disable the setting networking.firewall.autoLoadConntrackHelpers unless you know what you are doing. Connection tracking is disabled by default.

Loading of helpers is recommended to be done through the CT target. More info: https://home.regit.org/netfilter-en/secure-use-of-helpers/

Type: list of string

Default: [ ]

Example:

[
  "ftp"
  "irc"
  "sane"
  "sip"
  "tftp"
  "amanda"
  "h323"
  "netbios_sn"
  "pptp"
  "snmp"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.extraCommands

Additional shell commands executed as part of the firewall initialisation script. These are executed just before the final “reject” firewall rule is added, so they can be used to allow packets that would otherwise be refused.

This option only works with the iptables based firewall.

Type: strings concatenated with “\n”

Default: ""

Example: "iptables -A INPUT -p icmp -j ACCEPT"

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall-iptables.nix>
networking.firewall.extraForwardRules

Additional nftables rules to be appended to the forward-allow chain.

This option only works with the nftables based firewall.

Type: strings concatenated with “\n”

Default: ""

Example: "iifname wg0 accept"

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall-nftables.nix>
networking.firewall.extraInputRules

Additional nftables rules to be appended to the input-allow chain.

This option only works with the nftables based firewall.

Type: strings concatenated with “\n”

Default: ""

Example: "ip6 saddr { fc00::/7, fe80::/10 } tcp dport 24800 accept"

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall-nftables.nix>
networking.firewall.extraPackages

Additional packages to be included in the environment of the system as well as the path of networking.firewall.extraCommands.

Type: list of package

Default: [ ]

Example: [ pkgs.ipset ]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.extraReversePathFilterRules

Additional nftables rules to be appended to the rpfilter-allow chain.

This option only works with the nftables based firewall.

Type: strings concatenated with “\n”

Default: ""

Example: "fib daddr . mark . iif type local accept"

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall-nftables.nix>
networking.firewall.extraStopCommands

Additional shell commands executed as part of the firewall shutdown script. These are executed just after the removal of the NixOS input rule, or if the service enters a failed state.

This option only works with the iptables based firewall.

Type: strings concatenated with “\n”

Default: ""

Example: "iptables -P INPUT ACCEPT"

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall-iptables.nix>
networking.firewall.filterForward

Enable filtering in IP forwarding.

This option only works with the nftables based firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.interfaces

Interface-specific open ports.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.interfaces.<name>.allowedTCPPortRanges

A range of TCP ports on which incoming connections are accepted.

Type: list of attribute set of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: [ ]

Example:

[
  {
    from = 8999;
    to = 9003;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.interfaces.<name>.allowedTCPPorts

List of TCP ports on which incoming connections are accepted.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: [ ]

Example:

[
  22
  80
]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.interfaces.<name>.allowedUDPPortRanges

Range of open UDP ports.

Type: list of attribute set of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: [ ]

Example:

[
  {
    from = 60000;
    to = 61000;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.interfaces.<name>.allowedUDPPorts

List of open UDP ports.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: [ ]

Example:

[
  53
]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.logRefusedConnections

Whether to log rejected or dropped incoming connections. Note: The logs are found in the kernel logs, i.e. dmesg or journalctl -k.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.logRefusedPackets

Whether to log all rejected or dropped incoming packets. This tends to give a lot of log messages, so it’s mostly useful for debugging. Note: The logs are found in the kernel logs, i.e. dmesg or journalctl -k.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.logRefusedUnicastsOnly

If networking.firewall.logRefusedPackets and this option are enabled, then only log packets specifically directed at this machine, i.e., not broadcasts or multicasts.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.logReversePathDrops

Logs dropped packets failing the reverse path filter test if the option networking.firewall.checkReversePath is enabled.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.pingLimit

If pings are allowed, this allows setting rate limits on them.

For the iptables based firewall, it should be set like “–limit 1/minute --limit-burst 5”.

For the nftables based firewall, it should be set like “2/second” or “1/minute burst 5 packets”.

Type: null or strings concatenated with " "

Default: null

Example: "--limit 1/minute --limit-burst 5"

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.rejectPackets

If set, refused packets are rejected rather than dropped (ignored). This means that an ICMP “port unreachable” error message is sent back to the client (or a TCP RST packet in case of an existing connection). Rejecting packets makes port scanning somewhat easier.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.firewall.trustedInterfaces

Traffic coming in from these interfaces will be accepted unconditionally. Traffic from the loopback (lo) interface will always be accepted.

Type: list of string

Default: [ ]

Example:

[
  "enp0s2"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/firewall.nix>
networking.fooOverUDP

This option allows you to configure Foo Over UDP and Generic UDP Encapsulation endpoints. See ip-fou(8) for details.

Type: attribute set of (submodule)

Default: { }

Example:

{
  backup = {
    port = 9002;
  };
  primary = {
    local = {
      address = "192.0.2.1";
      dev = "eth0";
    };
    port = 9001;
  };
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.fooOverUDP.<name>.local

Local address (and optionally device) to bind to using the given port.

Type: null or (submodule)

Default: null

Example:

{
  address = "203.0.113.22";
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.fooOverUDP.<name>.local.address

Local address to bind to. The address must be available when the FOU endpoint is created, using the scripted network setup this can be achieved either by setting dev or adding dependency information to systemd.services.<name>-fou-encap; it isn’t supported when using networkd.

Type: string

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.fooOverUDP.<name>.local.dev

Network device to bind to.

Type: null or string

Default: null

Example: "eth0"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.fooOverUDP.<name>.port

Local port of the encapsulation UDP socket.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.fooOverUDP.<name>.protocol

Protocol number of the encapsulated packets. Specifying null (the default) creates a GUE endpoint, specifying a protocol number will create a FOU endpoint.

Type: null or integer between 1 and 255 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.fqdn

The fully qualified domain name (FQDN) of this host. It is the result of combining networking.hostName and networking.domain. Using this option will result in an evaluation error if the hostname is empty or no domain is specified.

Modules that accept a mere networking.hostName but prefer a fully qualified domain name may use networking.fqdnOrHostName instead.

Type: string (read only)

Default: "${networking.hostName}.${networking.domain}"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.fqdnOrHostName

Either the fully qualified domain name (FQDN), or just the host name if it does not exists.

This is a convenience option for modules to read instead of fqdn when a mere hostName is also an acceptable value; this option does not throw an error when domain is unset.

Type: string (read only)

Default:

if cfg.domain == null then cfg.hostName else cfg.fqdn

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.greTunnels

This option allows you to define Generic Routing Encapsulation (GRE) tunnels.

Type: attribute set of (submodule)

Default: { }

Example:

{
  greBridge = {
    remote = "10.0.0.1";
    local = "10.0.0.22";
    dev = "enp4s0f0";
    type = "tap";
    ttl = 255;
  };
  gre6Tunnel = {
    remote = "fd7a:5634::1";
    local = "fd7a:5634::2";
    dev = "enp4s0f0";
    type = "tun6";
    ttl = 255;
  };
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.greTunnels.<name>.dev

The underlying network device on which the tunnel resides.

Type: null or string

Default: null

Example: "enp4s0f0"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.greTunnels.<name>.local

The address of the local endpoint which the remote side should send packets to.

Type: null or string

Default: null

Example: "10.0.0.22"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.greTunnels.<name>.remote

The address of the remote endpoint to forward traffic over.

Type: null or string

Default: null

Example: "10.0.0.1"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.greTunnels.<name>.ttl

The time-to-live/hoplimit of the connection to the remote tunnel endpoint.

Type: null or signed integer

Default: null

Example: 255

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.greTunnels.<name>.type

Whether the tunnel routes layer 2 (tap) or layer 3 (tun) traffic.

Type: one of “tun”, “tap”, “tun6”, “tap6”

Default: "tap"

Example: "tap"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.hostFiles

Files that should be concatenated together to form /etc/hosts.

Type: list of path

Default: Hosts from networking.hosts and networking.extraHosts

Example: [ "${pkgs.my-blocklist-package}/share/my-blocklist/hosts" ]

Declared by:

<nixpkgs/nixos/modules/config/networking.nix>
networking.hostId

The 32-bit host ID of the machine, formatted as 8 hexadecimal characters.

You should try to make this ID unique among your machines. You can generate a random 32-bit ID using the following commands:

head -c 8 /etc/machine-id

(this derives it from the machine-id that systemd generates) or

head -c4 /dev/urandom | od -A none -t x4

The primary use case is to ensure when using ZFS that a pool isn’t imported accidentally on a wrong machine.

Type: null or string

Default: null

Example: "4e98920d"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.hostName

The name of the machine. Leave it empty if you want to obtain it from a DHCP server (if using DHCP). The hostname must be a valid DNS label (see RFC 1035 section 2.3.1: “Preferred name syntax”, RFC 1123 section 2.1: “Host Names and Numbers”) and as such must not contain the domain part. This means that the hostname must start with a letter or digit, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. The maximum length is 63 characters. Additionally it is recommended to only use lower-case characters. If (e.g. for legacy reasons) a FQDN is required as the Linux kernel network node hostname (uname --nodename) the option boot.kernel.sysctl.“kernel.hostname” can be used as a workaround (but the 64 character limit still applies).

WARNING: Do not use underscores (_) or you may run into unexpected issues.

Type: string matching the pattern ^$|^[[:alnum:]]([[:alnum:]_-]{0,61}[[:alnum:]])?$

Default: config.system.nixos.distroId

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.hosts

Locally defined maps of hostnames to IP addresses.

Type: attribute set of list of string

Example:

{
  "127.0.0.1" = [ "foo.bar.baz" ];
  "192.168.0.2" = [ "fileserver.local" "nameserver.local" ];
};

Declared by:

<nixpkgs/nixos/modules/config/networking.nix>
networking.interfaces

The configuration for each network interface.

Please note that systemd.network.netdevs has more features and is better maintained. When building new things, it is advised to use that instead.

Type: attribute set of (submodule)

Default: { }

Example:

{
  eth0 = {
    ipv4 = {
      addresses = [
        {
          address = "131.211.84.78";
          prefixLength = 25;
        }
      ];
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv4.addresses

List of IPv4 addresses that will be statically assigned to the interface.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    address = "10.0.0.1";
    prefixLength = 16;
  }
  {
    address = "192.168.1.1";
    prefixLength = 24;
  }
]

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv4.addresses.*.address

IPv4 address of the interface. Leave empty to configure the interface using DHCP.

Type: string

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv4.addresses.*.prefixLength

Subnet mask of the interface, specified as the number of bits in the prefix (24).

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv4.routes

List of extra IPv4 static routes that will be assigned to the interface.

Warning

If the route type is the default unicast, then the scope is set differently depending on the value of networking.useNetworkd: the script-based backend sets it to link, while networkd sets it to global.

If you want consistency between the two implementations, set the scope of the route manually with networking.interfaces.eth0.ipv4.routes = [{ options.scope = "global"; }] for example.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    address = "10.0.0.0";
    prefixLength = 16;
  }
  {
    address = "192.168.2.0";
    prefixLength = 24;
    via = "192.168.1.1";
  }
]

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv4.routes.*.address

IPv4 address of the network.

Type: string

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv4.routes.*.options

Other route options. See the symbol OPTIONS in the ip-route(8) manual page for the details. You may also specify metric, src, protocol, scope, from and table, which are technically not route options, in the sense used in the manual.

Type: attribute set of string

Default: { }

Example:

{
  mtu = "1492";
  window = "524288";
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv4.routes.*.prefixLength

Subnet mask of the network, specified as the number of bits in the prefix (24).

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv4.routes.*.type

Type of the route. See the Route types section in the ip-route(8) manual page for the details.

Note that prohibit, blackhole, unreachable, and throw cannot be configured per device, so they are not available here. Similarly, nat hasn’t been supported since kernel 2.6.

Type: null or one of “unicast”, “local”, “broadcast”, “multicast”

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv4.routes.*.via

IPv4 address of the next hop.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv6.addresses

List of IPv6 addresses that will be statically assigned to the interface.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    address = "fdfd:b3f0:482::1";
    prefixLength = 48;
  }
  {
    address = "2001:1470:fffd:2098::e006";
    prefixLength = 64;
  }
]

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv6.addresses.*.address

IPv6 address of the interface. Leave empty to configure the interface using DHCP.

Type: string

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv6.addresses.*.prefixLength

Subnet mask of the interface, specified as the number of bits in the prefix (64).

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv6.routes

List of extra IPv6 static routes that will be assigned to the interface.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    address = "fdfd:b3f0::";
    prefixLength = 48;
  }
  {
    address = "2001:1470:fffd:2098::";
    prefixLength = 64;
    via = "fdfd:b3f0::1";
  }
]

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv6.routes.*.address

IPv6 address of the network.

Type: string

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv6.routes.*.options

Other route options. See the symbol OPTIONS in the ip-route(8) manual page for the details. You may also specify metric, src, protocol, scope, from and table, which are technically not route options, in the sense used in the manual.

Type: attribute set of string

Default: { }

Example:

{
  mtu = "1492";
  window = "524288";
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv6.routes.*.prefixLength

Subnet mask of the network, specified as the number of bits in the prefix (64).

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv6.routes.*.type

Type of the route. See the Route types section in the ip-route(8) manual page for the details.

Note that prohibit, blackhole, unreachable, and throw cannot be configured per device, so they are not available here. Similarly, nat hasn’t been supported since kernel 2.6.

Type: null or one of “unicast”, “local”, “broadcast”, “multicast”

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.ipv6.routes.*.via

IPv6 address of the next hop.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.macAddress

MAC address of the interface. Leave empty to use the default.

Type: null or string

Default: null

Example: "00:11:22:33:44:55"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.mtu

MTU size for packets leaving the interface. Leave empty to use the default.

Type: null or signed integer

Default: null

Example: 9000

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.name

Name of the interface.

Type: string

Example: "eth0"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.proxyARP

Turn on proxy_arp for this device. This is mainly useful for creating pseudo-bridges between a real interface and a virtual network such as VPN or a virtual machine for interfaces that don’t support real bridging (most wlan interfaces). As ARP proxying acts slightly above the link-layer, below-ip traffic isn’t bridged, so things like DHCP won’t work. The advantage above using NAT lies in the fact that no IP addresses are shared, so all hosts are reachable/routeable.

WARNING: turns on ip-routing, so if you have multiple interfaces, you should think of the consequence and setup firewall rules to limit this.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.tempAddress

When IPv6 is enabled with SLAAC, this option controls the use of temporary address (aka privacy extensions) on this interface. This is used to reduce tracking.

See also the global option networking.tempAddresses, which applies to all interfaces where this is not set.

Possible values are:

  • "default" to generate IPv6 temporary addresses and use these as source addresses in routing;

  • "disabled" to completely disable IPv6 temporary addresses;

  • "enabled" to generate IPv6 temporary addresses but still use EUI-64 addresses as source addresses;

Type: one of “default”, “disabled”, “enabled”

Default: config.networking.tempAddresses

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.useDHCP

Whether this interface should be configured with DHCP. Overrides the default set by networking.useDHCP. If null (the default), DHCP is enabled if the interface has no IPv4 addresses configured with networking.interfaces.<name>.ipv4.addresses, and disabled otherwise.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.virtual

Whether this interface is virtual and should be created by tunctl. This is mainly useful for creating bridges between a host and a virtual network such as VPN or a virtual machine.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.virtualOwner

In case of a virtual device, the user who owns it.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.virtualType

The type of interface to create. The default is TUN for an interface name starting with “tun”, otherwise TAP.

Type: one of “tun”, “tap”

Default: if hasPrefix "tun" name then "tun" else "tap"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.wakeOnLan.enable

Whether to enable wol on this interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.interfaces.<name>.wakeOnLan.policy

The Wake-on-LAN policy to set for the device.

The options are

  • phy: Wake on PHY activity

  • unicast: Wake on unicast messages

  • multicast: Wake on multicast messages

  • broadcast: Wake on broadcast messages

  • arp: Wake on ARP

  • magic: Wake on receipt of a magic packet

Type: list of (one of “phy”, “unicast”, “multicast”, “broadcast”, “arp”, “magic”, “secureon”)

Default:

[
  "magic"
]

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.iproute2.enable

Whether to enable copying IP route configuration files.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/iproute2.nix>
networking.iproute2.rttablesExtraConfig

Verbatim lines to add to /etc/iproute2/rt_tables

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/iproute2.nix>
networking.jool.enable

Whether to enable Jool, an Open Source implementation of IPv4/IPv6 translation on Linux.

Jool can perform stateless IP/ICMP translation (SIIT) or stateful NAT64, analogous to the IPv4 NAPT. Refer to the upstream documentation for the supported modes of translation and how to configure them.

Enabling this option will install the Jool kernel module and the command line tools for controlling it.

Type: boolean

Default: false

Related packages:

Declared by:

<nixpkgs/nixos/modules/services/networking/jool.nix>
networking.jool.nat64

Definitions of NAT64 instances of Jool. See the documentation for the available options. Also check out the tutorial for an introduction to NAT64 and how to troubleshoot the setup.

The attribute name defines the name of the instance, with the main one being default: this can be accessed from the command line without specifying the name with -i.

Note

Instances created imperatively from the command line will not interfere with the NixOS instances, provided the respective pool4 addresses and port ranges are not overlapping.

Warning

Changes to an instance performed via jool -i <name> are applied correctly but will be lost after restarting the respective jool-nat64-<name>.service.

Type: attribute set of (JSON value)

Default: { }

Example:

{
  default = {
    # custom NAT64 prefix
    global.pool6 = "2001:db8:64::/96";

    # Port forwarding
    bib = [
      { # SSH 192.0.2.16 → 2001:db8:a::1
        "protocol"     = "TCP";
        "ipv4 address" = "192.0.2.16#22";
        "ipv6 address" = "2001:db8:a::1#22";
      }
      { # DNS (TCP) 192.0.2.16 → 2001:db8:a::2
        "protocol"     = "TCP";
        "ipv4 address" = "192.0.2.16#53";
        "ipv6 address" = "2001:db8:a::2#53";
      }
      { # DNS (UDP) 192.0.2.16 → 2001:db8:a::2
        "protocol" = "UDP";
        "ipv4 address" = "192.0.2.16#53";
        "ipv6 address" = "2001:db8:a::2#53";
      }
    ];

    pool4 = [
      # Port ranges for dynamic translation
      { protocol =  "TCP";  prefix = "192.0.2.16/32"; "port range" = "40001-65535"; }
      { protocol =  "UDP";  prefix = "192.0.2.16/32"; "port range" = "40001-65535"; }
      { protocol = "ICMP";  prefix = "192.0.2.16/32"; "port range" = "40001-65535"; }

      # Ports for static BIB entries
      { protocol =  "TCP";  prefix = "192.0.2.16/32"; "port range" = "22"; }
      { protocol =  "UDP";  prefix = "192.0.2.16/32"; "port range" = "53"; }
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/jool.nix>
networking.jool.nat64.<name>.framework

The framework to use for attaching Jool’s translation to the exist kernel packet processing rules. See the documentation for the differences between the two options.

Type: one of “netfilter”, “iptables”

Default: "netfilter"

Declared by:

<nixpkgs/nixos/modules/services/networking/jool.nix>
networking.jool.nat64.<name>.global.pool6

The prefix used for embedding IPv4 into IPv6 addresses. Defaults to the well-known NAT64 prefix, defined by RFC 6052.

Type: Network prefix in CIDR notation

Default: "64:ff9b::/96"

Declared by:

<nixpkgs/nixos/modules/services/networking/jool.nix>
networking.jool.siit

Definitions of SIIT instances of Jool. See the documentation for the available options. Also check out the tutorial for an introduction to SIIT and how to troubleshoot the setup.

The attribute name defines the name of the instance, with the main one being default: this can be accessed from the command line without specifying the name with -i.

Note

Instances created imperatively from the command line will not interfere with the NixOS instances, provided the respective EAMT addresses and port ranges are not overlapping.

Warning

Changes to an instance performed via jool -i <name> are applied correctly but will be lost after restarting the respective jool-siit-<name>.service.

Type: attribute set of (JSON value)

Default: { }

Example:

{
  default = {
    # Maps any IPv4 address x.y.z.t to 2001:db8::x.y.z.t and v.v.
    global.pool6 = "2001:db8::/96";

    # Explicit address mappings
    eamt = [
      # 2001:db8:1:: ←→ 192.0.2.0
      { "ipv6 prefix" = "2001:db8:1::/128"; "ipv4 prefix" = "192.0.2.0"; }
      # 2001:db8:1::x ←→ 198.51.100.x
      { "ipv6 prefix" = "2001:db8:2::/120"; "ipv4 prefix" = "198.51.100.0/24"; }
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/jool.nix>
networking.jool.siit.<name>.framework

The framework to use for attaching Jool’s translation to the exist kernel packet processing rules. See the documentation for the differences between the two options.

Type: one of “netfilter”, “iptables”

Default: "netfilter"

Declared by:

<nixpkgs/nixos/modules/services/networking/jool.nix>
networking.localCommands

Shell commands to be executed at the end of the network-setup systemd service. Note that if you are using DHCP to obtain the network configuration, interfaces may not be fully configured yet.

Type: strings concatenated with “\n”

Default: ""

Example: "text=anything; echo You can put $text here."

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.macvlans

This option allows you to define macvlan interfaces which should be automatically created.

Type: attribute set of (submodule)

Default: { }

Example:

{
  wan = {
    interface = "enp2s0";
    mode = "vepa";
  };
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.macvlans.<name>.interface

The interface the macvlan will transmit packets through.

Type: string

Example: "enp4s0"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.macvlans.<name>.mode

The mode of the macvlan device.

Type: null or string

Default: null

Example: "vepa"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.nameservers

The list of nameservers. It can be left empty if it is auto-detected through DHCP.

Type: list of string

Default: [ ]

Example:

[
  "130.161.158.4"
  "130.161.33.17"
]

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.nat.enable

Whether to enable Network Address Translation (NAT). A properly configured firewall or a trusted L2 on all network interfaces is required to prevent unauthorized access to the internal network.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.enableIPv6

Whether to enable IPv6 NAT.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.dmzHost

The local IP address to which all traffic that does not match any forwarding rule is forwarded.

Type: null or string

Default: null

Example: "10.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.externalIP

The public IP address to which packets from the local network are to be rewritten. If this is left empty, the IP address associated with the external interface will be used. Only connections made to this IP address will be forwarded to the internal network when using forwardPorts.

Type: null or string

Default: null

Example: "203.0.113.123"

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.externalIPv6

The public IPv6 address to which packets from the local network are to be rewritten. If this is left empty, the IP address associated with the external interface will be used. Only connections made to this IP address will be forwarded to the internal network when using forwardPorts.

Type: null or string

Default: null

Example: "2001:dc0:2001:11::175"

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.externalInterface

The name of the external network interface.

Type: null or string

Default: null

Example: "eth1"

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.extraCommands

Additional shell commands executed as part of the nat initialisation script.

This option is incompatible with the nftables based nat module.

Type: strings concatenated with “\n”

Default: ""

Example: "iptables -A INPUT -p icmp -j ACCEPT"

Declared by:

<nixpkgs/nixos/modules/services/networking/nat-iptables.nix>
networking.nat.extraStopCommands

Additional shell commands executed as part of the nat teardown script.

This option is incompatible with the nftables based nat module.

Type: strings concatenated with “\n”

Default: ""

Example: "iptables -D INPUT -p icmp -j ACCEPT || true"

Declared by:

<nixpkgs/nixos/modules/services/networking/nat-iptables.nix>
networking.nat.forwardPorts

List of forwarded ports from the external interface to internal destinations by using DNAT. Destination can be IPv6 if IPv6 NAT is enabled.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    destination = "10.0.0.1:80";
    proto = "tcp";
    sourcePort = 8080;
  }
  {
    destination = "[fc00::2]:80";
    proto = "tcp";
    sourcePort = 8080;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.forwardPorts.*.destination

Forward connection to destination ip:port (or [ipv6]:port); to specify a port range, use ip:start-end

Type: string

Example: "10.0.0.1:80"

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.forwardPorts.*.loopbackIPs

Public IPs for NAT reflection; for connections to loopbackip:sourcePort from the host itself and from other hosts behind NAT

Type: list of string

Default: [ ]

Example: [ "55.1.2.3" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.forwardPorts.*.proto

Protocol of forwarded connection

Type: string

Default: "tcp"

Example: "udp"

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.forwardPorts.*.sourcePort

Source port of the external interface; to specify a port range, use a string with a colon (e.g. “60000:61000”)

Type: signed integer or string matching the pattern [[:digit:]]+:[[:digit:]]+

Example: 8080

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.internalIPs

The IP address ranges for which to perform NAT. Packets coming from these addresses (on any interface) and destined for the external interface will be rewritten.

Type: list of string

Default: [ ]

Example:

[
  "192.168.1.0/24"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.internalIPv6s

The IPv6 address ranges for which to perform NAT. Packets coming from these addresses (on any interface) and destined for the external interface will be rewritten.

Type: list of string

Default: [ ]

Example:

[
  "fc00::/64"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.nat.internalInterfaces

The interfaces for which to perform NAT. Packets coming from these interface and destined for the external interface will be rewritten.

Type: list of string

Default: [ ]

Example:

[
  "eth0"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nat.nix>
networking.networkmanager.enable

Whether to use NetworkManager to obtain an IP address and other configuration for all network interfaces that are not manually configured. If enabled, a group networkmanager will be created. Add all users that should have permission to change network settings to this group.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.enableStrongSwan

Enable the StrongSwan plugin.

If you enable this option the networkmanager_strongswan plugin will be added to the networking.networkmanager.plugins option so you don’t need to do that yourself.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.appendNameservers

A list of name servers that should be appended to the ones configured in NetworkManager or received by DHCP.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.connectionConfig

Configuration for the [connection] section of NetworkManager.conf. Refer to https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html#id-1.2.3.11 or NetworkManager.conf(5) for more information.

Type: attribute set of (null or boolean or signed integer or string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.dhcp

Which program (or internal library) should be used for DHCP.

Type: one of “dhcpcd”, “internal”

Default: "internal"

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.dispatcherScripts

A list of scripts which will be executed in response to network events.

Type: list of (submodule)

Default: [ ]

Example:

[ {
  source = pkgs.writeText "upHook" ''
    if [ "$2" != "up" ]; then
      logger "exit: event $2 != up"
      exit
    fi

    # coreutils and iproute are in PATH too
    logger "Device $DEVICE_IFACE coming up"
  '';
  type = "basic";
} ]

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.dispatcherScripts.*.source

Path to the hook script.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.dispatcherScripts.*.type

Dispatcher hook type. Look up the hooks described at https://developer.gnome.org/NetworkManager/stable/NetworkManager.html and choose the type depending on the output folder. You should then filter the event type (e.g., “up”/“down”) from within your script.

Type: one of “basic”, “pre-down”, “pre-up”

Default: "basic"

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.dns

Set the DNS (resolv.conf) processing mode.

A description of these modes can be found in the main section of https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html or in NetworkManager.conf(5).

Type: one of “default”, “dnsmasq”, “systemd-resolved”, “none”

Default: "default"

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.ensureProfiles.environmentFiles

Files to load as environment file. Environment variables from this file will be substituted into the static configuration file using envsubst.

Type: list of path

Default: [ ]

Example:

[
  "/run/secrets/network-manager.env"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.ensureProfiles.profiles

Declaratively define NetworkManager profiles. You can find information about the generated file format here and here. You current profiles which are most likely stored in /etc/NetworkManager/system-connections and there is a tool to convert them to the needed nix code. If you add a new ad-hoc connection via a GUI or nmtui or anything similar it should just work together with the declarative ones. And if you edit a declarative profile NetworkManager will move it to the persistent storage and treat it like a ad-hoc one, but there will be two profiles as soon as the systemd unit from this option runs again which can be confusing since NetworkManager tools will start displaying two profiles with the same name and probably a bit different settings depending on what you edited. A profile won’t be deleted even if it’s removed from the config until the system reboots because that’s when NetworkManager clears it’s temp directory. If networking.resolvconf.enable is true, attributes affecting the name resolution (such as ignore-auto-dns) may not end up changing /etc/resolv.conf as expected when other name services (for example networking.dhcpcd) are enabled. Run resolvconf -l in the terminal to see what each service produces.

Type: attribute set of (attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string)))

Default: { }

Example:

{
  home-wifi = {
    connection = {
      id = "home-wifi";
      permissions = "";
      type = "wifi";
    };
    ipv4 = {
      dns-search = "";
      method = "auto";
    };
    ipv6 = {
      addr-gen-mode = "stable-privacy";
      dns-search = "";
      method = "auto";
    };
    wifi = {
      mac-address-blacklist = "";
      mode = "infrastructure";
      ssid = "Home Wi-Fi";
    };
    wifi-security = {
      auth-alg = "open";
      key-mgmt = "wpa-psk";
      psk = "$HOME_WIFI_PASSWORD";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.ensureProfiles.profiles.<name>.connection.id

This is the name that will be displayed by NetworkManager and GUIs.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.ensureProfiles.profiles.<name>.connection.type

The connection type defines the connection kind, like vpn, wireguard, gsm, wifi and more.

Type: string

Example: "vpn"

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.ethernet.macAddress

Set the MAC address of the interface.

  • "XX:XX:XX:XX:XX:XX": MAC address of the interface

  • "permanent": Use the permanent MAC address of the device

  • "preserve": Don’t change the MAC address of the device upon activation

  • "random": Generate a randomized value upon each connect

  • "stable": Generate a stable, hashed MAC address

Type: string or one of “permanent”, “preserve”, “random”, “stable”

Default: "preserve"

Example: "00:11:22:33:44:55"

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.fccUnlockScripts

List of FCC unlock scripts to enable on the system, behaving as described in https://modemmanager.org/docs/modemmanager/fcc-unlock/#integration-with-third-party-fcc-unlock-tools.

Type: list of (submodule)

Default: [ ]

Example: [{ id = "03f0:4e1d"; path = "${pkgs.modemmanager}/share/ModemManager/fcc-unlock.available.d/03f0:4e1d"; }]

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.fccUnlockScripts.*.id

vid:pid of either the PCI or USB vendor and product ID

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.fccUnlockScripts.*.path

Path to the unlock script

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.insertNameservers

A list of name servers that should be inserted before the ones configured in NetworkManager or received by DHCP.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.logLevel

Set the default logging verbosity level.

Type: one of “OFF”, “ERR”, “WARN”, “INFO”, “DEBUG”, “TRACE”

Default: "WARN"

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.plugins

List of NetworkManager plug-ins to enable. Some plug-ins are enabled by the NetworkManager module by default.

Type: list of NetworkManager plug-in

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.settings

Configuration added to the generated NetworkManager.conf, note that you can overwrite settings with this. Refer to https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html or NetworkManager.conf(5) for more information.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.unmanaged

List of interfaces that will not be managed by NetworkManager. Interface name can be specified here, but if you need more fidelity, refer to https://developer.gnome.org/NetworkManager/stable/NetworkManager.conf.html#device-spec or the “Device List Format” Appendix of NetworkManager.conf(5).

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.wifi.backend

Specify the Wi-Fi backend used for the device. Currently supported are wpa_supplicant or iwd (experimental).

Type: one of “wpa_supplicant”, “iwd”

Default: "wpa_supplicant"

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.wifi.macAddress

Set the MAC address of the interface.

  • "XX:XX:XX:XX:XX:XX": MAC address of the interface

  • "permanent": Use the permanent MAC address of the device

  • "preserve": Don’t change the MAC address of the device upon activation

  • "random": Generate a randomized value upon each connect

  • "stable": Generate a stable, hashed MAC address

  • "stable-ssid": Generate a stable MAC addressed based on Wi-Fi network

Type: string or one of “permanent”, “preserve”, “random”, “stable”, “stable-ssid”

Default: "preserve"

Example: "00:11:22:33:44:55"

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.wifi.powersave

Whether to enable Wi-Fi power saving.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.networkmanager.wifi.scanRandMacAddress

Whether to enable MAC address randomization of a Wi-Fi device during scanning.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/networkmanager.nix>
networking.nftables.enable

Whether to enable nftables and use nftables based firewall if enabled. nftables is a Linux-based packet filtering framework intended to replace frameworks like iptables.

Note that if you have Docker enabled you will not be able to use nftables without intervention. Docker uses iptables internally to setup NAT for containers. This module disables the ip_tables kernel module, however Docker automatically loads the module. Please see https://github.com/NixOS/nixpkgs/issues/24318#issuecomment-289216273 for more information.

There are other programs that use iptables internally too, such as libvirt. For information on how the two firewalls interact, see https://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.nftables.checkRuleset

Run nft check on the ruleset to spot syntax errors during build. Because this is executed in a sandbox, the check might fail if it requires access to any environmental factors or paths outside the Nix store. To circumvent this, the ruleset file can be edited using the preCheckRuleset option to work in the sandbox environment.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.nftables.checkRulesetRedirects

Set of paths that should be intercepted and rewritten while checking the ruleset using pkgs.buildPackages.libredirect.

Type: attribute set of path

Default:

{
  "/etc/hosts" = config.environment.etc.hosts.source;
  "/etc/protocols" = config.environment.etc.protocols.source;
  "/etc/services" = config.environment.etc.services.source;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.nftables.extraDeletions

Extra deletion commands to be run on every firewall start, reload and after stopping the firewall.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  # this makes deleting a non-existing table a no-op instead of an error
  table inet some-table;
  
  delete table inet some-table;
''

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.nftables.flattenRulesetFile

Use builtins.readFile rather than include to handle networking.nftables.rulesetFile. It is useful when you want to apply networking.nftables.preCheckRuleset to networking.nftables.rulesetFile.

Note

It is expected that networking.nftables.rulesetFile can be accessed from the build sandbox.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.nftables.flushRuleset

Whether to enable flushing the entire ruleset on each reload.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.nftables.preCheckRuleset

This script gets run before the ruleset is checked. It can be used to create additional files needed for the ruleset check to work, or modify the ruleset for cases the build environment cannot cover.

Type: strings concatenated with “\n”

Default: ""

Example:

sed 's/skgid meadow/skgid nogroup/g' -i ruleset.conf

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.nftables.ruleset

The ruleset to be used with nftables. Should be in a format that can be loaded using “/bin/nft -f”. The ruleset is updated atomically. Note that if the tables should be cleaned first, either:

  • networking.nftables.flushRuleset = true; needs to be set (flushes all tables)

  • networking.nftables.extraDeletions needs to be set

  • or networking.nftables.tables can be used, which will clean up the table automatically

Type: strings concatenated with “\n”

Default: ""

Example:

''
  # Check out https://wiki.nftables.org/ for better documentation.
  # Table for both IPv4 and IPv6.
  table inet filter {
    # Block all incoming connections traffic except SSH and "ping".
    chain input {
      type filter hook input priority 0;
  
      # accept any localhost traffic
      iifname lo accept
  
      # accept traffic originated from us
      ct state {established, related} accept
  
      # ICMP
      # routers may also want: mld-listener-query, nd-router-solicit
      ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
      ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
  
      # allow "ping"
      ip6 nexthdr icmpv6 icmpv6 type echo-request accept
      ip protocol icmp icmp type echo-request accept
  
      # accept SSH connections (required for a server)
      tcp dport 22 accept
  
      # count and drop any other traffic
      counter drop
    }
  
    # Allow all outgoing connections.
    chain output {
      type filter hook output priority 0;
      accept
    }
  
    chain forward {
      type filter hook forward priority 0;
      accept
    }
  }
''

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.nftables.rulesetFile

The ruleset file to be used with nftables. Should be in a format that can be loaded using “nft -f”. The ruleset is updated atomically.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.nftables.tables

Tables to be added to ruleset. Tables will be added together with delete statements to clean up the table before every update.

Type: attribute set of (submodule)

Default: { }

Example:

{
  filter = {
    content = ''
      # Check out https://wiki.nftables.org/ for better documentation.
      # Table for both IPv4 and IPv6.
      # Block all incoming connections traffic except SSH and "ping".
      chain input {
        type filter hook input priority 0;
      
        # accept any localhost traffic
        iifname lo accept
      
        # accept traffic originated from us
        ct state {established, related} accept
      
        # ICMP
        # routers may also want: mld-listener-query, nd-router-solicit
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
      
        # allow "ping"
        ip6 nexthdr icmpv6 icmpv6 type echo-request accept
        ip protocol icmp icmp type echo-request accept
      
        # accept SSH connections (required for a server)
        tcp dport 22 accept
      
        # count and drop any other traffic
        counter drop
      }
      
      # Allow all outgoing connections.
      chain output {
        type filter hook output priority 0;
        accept
      }
      
      chain forward {
        type filter hook forward priority 0;
        accept
      }
    '';
    family = "inet";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.nftables.tables.<name>.enable

Enable this table.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.nftables.tables.<name>.content

The table content.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.nftables.tables.<name>.family

Table family.

Type: one of “ip”, “ip6”, “inet”, “arp”, “bridge”, “netdev”

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.nftables.tables.<name>.name

Table name.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/nftables.nix>
networking.openconnect.package

The openconnect package to use.

Type: package

Default: pkgs.openconnect

Declared by:

<nixpkgs/nixos/modules/services/networking/openconnect.nix>
networking.openconnect.interfaces

OpenConnect interfaces.

Type: attribute set of (submodule)

Default: { }

Example:

{
  openconnect0 = {
    gateway = "gateway.example.com";
    passwordFile = "/var/lib/secrets/openconnect-passwd";
    protocol = "anyconnect";
    user = "example-user";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/openconnect.nix>
networking.openconnect.interfaces.<name>.autoStart

Whether this VPN connection should be started automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/openconnect.nix>
networking.openconnect.interfaces.<name>.certificate

Certificate to authenticate with.

Type: null or path or PKCS#11 URI

Default: null

Example: "/var/lib/secrets/openconnect_certificate.pem"

Declared by:

<nixpkgs/nixos/modules/services/networking/openconnect.nix>
networking.openconnect.interfaces.<name>.extraOptions

Extra config to be appended to the interface config. It should contain long-format options as would be accepted on the command line by openconnect (see https://www.infradead.org/openconnect/manual.html). Non-key-value options like deflate can be used by declaring them as booleans, i. e. deflate = true;.

Type: attribute set of (string or boolean)

Default: { }

Example:

{
  compression = "stateless";
  no-dtls = true;
  no-http-keepalive = true;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/openconnect.nix>
networking.openconnect.interfaces.<name>.gateway

Gateway server to connect to.

Type: string

Example: "gateway.example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/openconnect.nix>
networking.openconnect.interfaces.<name>.passwordFile

File containing the password to authenticate with. This is passed to openconnect via the --passwd-on-stdin option.

Type: null or path

Default: null

Example: "/var/lib/secrets/openconnect-passwd"

Declared by:

<nixpkgs/nixos/modules/services/networking/openconnect.nix>
networking.openconnect.interfaces.<name>.privateKey

Private key to authenticate with.

Type: null or path or PKCS#11 URI

Default: null

Example: "/var/lib/secrets/openconnect_private_key.pem"

Declared by:

<nixpkgs/nixos/modules/services/networking/openconnect.nix>
networking.openconnect.interfaces.<name>.protocol

Protocol to use.

Type: one of “anyconnect”, “array”, “nc”, “pulse”, “gp”, “f5”, “fortinet”

Example: "anyconnect"

Declared by:

<nixpkgs/nixos/modules/services/networking/openconnect.nix>
networking.openconnect.interfaces.<name>.user

Username to authenticate with.

Type: null or string

Default: null

Example: "example-user"

Declared by:

<nixpkgs/nixos/modules/services/networking/openconnect.nix>
networking.proxy.allProxy

This option specifies the all_proxy environment variable.

Type: null or string

Default: config.networking.proxy.default

Example: "http://127.0.0.1:3128"

Declared by:

<nixpkgs/nixos/modules/config/networking.nix>
networking.proxy.default

This option specifies the default value for httpProxy, httpsProxy, ftpProxy and rsyncProxy.

Type: null or string

Default: null

Example: "http://127.0.0.1:3128"

Declared by:

<nixpkgs/nixos/modules/config/networking.nix>
networking.proxy.ftpProxy

This option specifies the ftp_proxy environment variable.

Type: null or string

Default: config.networking.proxy.default

Example: "http://127.0.0.1:3128"

Declared by:

<nixpkgs/nixos/modules/config/networking.nix>
networking.proxy.httpProxy

This option specifies the http_proxy environment variable.

Type: null or string

Default: config.networking.proxy.default

Example: "http://127.0.0.1:3128"

Declared by:

<nixpkgs/nixos/modules/config/networking.nix>
networking.proxy.httpsProxy

This option specifies the https_proxy environment variable.

Type: null or string

Default: config.networking.proxy.default

Example: "http://127.0.0.1:3128"

Declared by:

<nixpkgs/nixos/modules/config/networking.nix>
networking.proxy.noProxy

This option specifies the no_proxy environment variable. If a default proxy is used and noProxy is null, then noProxy will be set to 127.0.0.1,localhost.

Type: null or string

Default: null

Example: "127.0.0.1,localhost,.localdomain"

Declared by:

<nixpkgs/nixos/modules/config/networking.nix>
networking.proxy.rsyncProxy

This option specifies the rsync_proxy environment variable.

Type: null or string

Default: config.networking.proxy.default

Example: "http://127.0.0.1:3128"

Declared by:

<nixpkgs/nixos/modules/config/networking.nix>
networking.resolvconf.enable

Whether DNS configuration is managed by resolvconf.

Type: boolean

Default: !(config.environment.etc ? "resolv.conf")

Declared by:

<nixpkgs/nixos/modules/config/resolvconf.nix>
networking.resolvconf.package

The package that provides the system-wide resolvconf command. Defaults to openresolv if this module is enabled. Otherwise, can be used by other modules (for example services.resolved) to provide a compatibility layer.

This option generally shouldn’t be set by the user.

Type: package

Default: pkgs.openresolv

Declared by:

<nixpkgs/nixos/modules/config/resolvconf.nix>
networking.resolvconf.dnsExtensionMechanism

Enable the edns0 option in resolv.conf. With that option set, glibc supports use of the extension mechanisms for DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC, which does not work without it.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/resolvconf.nix>
networking.resolvconf.dnsSingleRequest

Recent versions of glibc will issue both ipv4 (A) and ipv6 (AAAA) address queries at the same time, from the same port. Sometimes upstream routers will systemically drop the ipv4 queries. The symptom of this problem is that ‘getent hosts example.com’ only returns ipv6 (or perhaps only ipv4) addresses. The workaround for this is to specify the option ‘single-request’ in /etc/resolv.conf. This option enables that.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/resolvconf.nix>
networking.resolvconf.extraConfig

Extra configuration to append to resolvconf.conf.

Type: strings concatenated with “\n”

Default: ""

Example: "libc=NO"

Declared by:

<nixpkgs/nixos/modules/config/resolvconf.nix>
networking.resolvconf.extraOptions

Set the options in /etc/resolv.conf.

Type: list of string

Default: [ ]

Example:

[
  "ndots:1"
  "rotate"
]

Declared by:

<nixpkgs/nixos/modules/config/resolvconf.nix>
networking.resolvconf.useLocalResolver

Use local DNS server for resolving.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/resolvconf.nix>
networking.rxe.enable

Whether to enable RDMA over converged ethernet.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/rxe.nix>
networking.rxe.interfaces

Enable RDMA on the listed interfaces. The corresponding virtual RDMA interfaces will be named rxe_<interface>. UDP port 4791 must be open on the respective ethernet interfaces.

Type: list of string

Default: [ ]

Example:

[
  "eth0"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/rxe.nix>
networking.search

The list of search paths used when resolving domain names.

Type: list of string

Default: [ ]

Example:

[
  "example.com"
  "home.arpa"
]

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.sits

This option allows you to define 6-to-4 interfaces which should be automatically created.

Type: attribute set of (submodule)

Default: { }

Example:

{
  hurricane = {
    remote = "10.0.0.1";
    local = "10.0.0.22";
    ttl = 255;
  };
  msipv6 = {
    remote = "192.168.0.1";
    dev = "enp3s0";
    ttl = 127;
  };
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.sits.<name>.dev

The underlying network device on which the tunnel resides.

Type: null or string

Default: null

Example: "enp4s0f0"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.sits.<name>.encapsulation

Configures encapsulation in UDP packets.

Type: null or (submodule)

Default: null

Example:

{
  port = 9001;
  type = "fou";
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.sits.<name>.encapsulation.port

Destination port for encapsulated packets.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Example: 9001

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.sits.<name>.encapsulation.sourcePort

Source port for encapsulated packets. Will be chosen automatically by the kernel if unset.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Example: 9002

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.sits.<name>.encapsulation.type

Selects encapsulation type. See ip-link(8) for details.

Type: one of “fou”, “gue”

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.sits.<name>.local

The address of the local endpoint which the remote side should send packets to.

Type: null or string

Default: null

Example: "10.0.0.22"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.sits.<name>.remote

The address of the remote endpoint to forward traffic over.

Type: null or string

Default: null

Example: "10.0.0.1"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.sits.<name>.ttl

The time-to-live of the connection to the remote tunnel endpoint.

Type: null or signed integer

Default: null

Example: 255

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.stevenblack.enable

Whether to enable the stevenblack hosts file blocklist.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/stevenblack.nix>
networking.stevenblack.package

The stevenblack-blocklist package to use.

Type: package

Default: pkgs.stevenblack-blocklist

Declared by:

<nixpkgs/nixos/modules/config/stevenblack.nix>
networking.stevenblack.block

Additional blocklist extensions.

Type: list of (one of “fakenews”, “gambling”, “porn”, “social”)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/stevenblack.nix>
networking.supplicant

Interfaces for which to start wpa_supplicant. The supplicant is used to scan for and associate with wireless networks, or to authenticate with 802.1x capable network switches.

The value of this option is an attribute set. Each attribute configures a wpa_supplicant service, where the attribute name specifies the name of the interface that wpa_supplicant operates on. The attribute name can be a space separated list of interfaces. The attribute names WLAN, LAN and DBUS have a special meaning. WLAN and LAN are configurations for universal wpa_supplicant service that is started for each WLAN interface or for each LAN interface, respectively. DBUS defines a device-unrelated wpa_supplicant service that can be accessed through D-Bus.

Type: attribute set of (submodule)

Default: { }

Example:

{ "wlan0 wlan1" = {
    configFile.path = "/etc/wpa_supplicant.conf";
    userControlled.group = "network";
    extraConf = ''
      ap_scan=1
      p2p_disabled=1
    '';
    extraCmdArgs = "-u -W";
    bridge = "br0";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/supplicant.nix>
networking.supplicant.<name>.bridge

Name of the bridge interface that wpa_supplicant should listen at.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/supplicant.nix>
networking.supplicant.<name>.configFile.path

External wpa_supplicant.conf configuration file. The configuration options defined declaratively within networking.supplicant have precedence over options defined in configFile.

Type: null or path

Default: null

Example: /etc/wpa_supplicant.conf

Declared by:

<nixpkgs/nixos/modules/services/networking/supplicant.nix>
networking.supplicant.<name>.configFile.writable

Whether the configuration file at configFile.path should be written to by wpa_supplicant.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/supplicant.nix>
networking.supplicant.<name>.driver

Force a specific wpa_supplicant driver.

Type: null or string

Default: "nl80211,wext"

Declared by:

<nixpkgs/nixos/modules/services/networking/supplicant.nix>
networking.supplicant.<name>.extraCmdArgs

Command line arguments to add when executing wpa_supplicant.

Type: string

Default: ""

Example: "-e/run/wpa_supplicant/entropy.bin"

Declared by:

<nixpkgs/nixos/modules/services/networking/supplicant.nix>
networking.supplicant.<name>.extraConf

Configuration options for wpa_supplicant.conf. Options defined here have precedence over options in configFile. NOTE: Do not write sensitive data into extraConf as it will be world-readable in the nix-store. For sensitive information use the configFile instead.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  ap_scan=1
  device_name=My-NixOS-Device
  device_type=1-0050F204-1
  driver_param=use_p2p_group_interface=1
  disable_scan_offload=1
  p2p_listen_reg_class=81
  p2p_listen_channel=1
  p2p_oper_reg_class=81
  p2p_oper_channel=1
  manufacturer=NixOS
  model_name=NixOS_Unstable
  model_number=2015
''

Declared by:

<nixpkgs/nixos/modules/services/networking/supplicant.nix>
networking.supplicant.<name>.userControlled.enable

Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli. This is useful for laptop users that switch networks a lot and don’t want to depend on a large package such as NetworkManager just to pick nearby access points.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/supplicant.nix>
networking.supplicant.<name>.userControlled.group

Members of this group can control wpa_supplicant.

Type: string

Default: "wheel"

Example: "network"

Declared by:

<nixpkgs/nixos/modules/services/networking/supplicant.nix>
networking.supplicant.<name>.userControlled.socketDir

Directory of sockets for controlling wpa_supplicant.

Type: string

Default: "/run/wpa_supplicant"

Declared by:

<nixpkgs/nixos/modules/services/networking/supplicant.nix>
networking.tcpcrypt.enable

Whether to enable opportunistic TCP encryption. If the other end speaks Tcpcrypt, then your traffic will be encrypted; otherwise it will be sent in clear text. Thus, Tcpcrypt alone provides no guarantees – it is best effort. If, however, a Tcpcrypt connection is successful and any attackers that exist are passive, then Tcpcrypt guarantees privacy.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/tcpcrypt.nix>
networking.tempAddresses

Whether to enable IPv6 Privacy Extensions for interfaces not configured explicitly in networking.interfaces.<name>.tempAddress.

This sets the ipv6.conf.*.use_tempaddr sysctl for all interfaces. Possible values are:

  • "default" to generate IPv6 temporary addresses and use these as source addresses in routing;

  • "disabled" to completely disable IPv6 temporary addresses;

  • "enabled" to generate IPv6 temporary addresses but still use EUI-64 addresses as source addresses;

Type: one of “default”, “disabled”, “enabled”

Default:

if ${config.networking.enableIPv6} then "default" else "disabled"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.timeServers

The set of NTP servers from which to synchronise.

Type: list of string

Default:

[
  "0.nixos.pool.ntp.org"
  "1.nixos.pool.ntp.org"
  "2.nixos.pool.ntp.org"
  "3.nixos.pool.ntp.org"
]

Declared by:

<nixpkgs/nixos/modules/config/networking.nix>
networking.ucarp.enable

Whether to enable ucarp, userspace implementation of CARP.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.package

The ucarp package to use. Please note that the default package, pkgs.ucarp, has not received any upstream updates for a long time and can be considered as unmaintained.

Type: package

Default: pkgs.ucarp

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.addr

Virtual shared IP address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.advBase

Advertisement frequency in seconds.

Type: unsigned integer, meaning >=0

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.advSkew

Advertisement skew in seconds.

Type: unsigned integer, meaning >=0

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.deadratio

Ratio to consider a host as dead.

Type: unsigned integer, meaning >=0

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.downscript

Command to run after become backup, the interface name, virtual address and optional extra parameters are passed as arguments.

Type: path

Example:

pkgs.writeScript "downscript" ''
  #!/bin/sh
  ${pkgs.iproute2}/bin/ip addr del "$2"/24 dev "$1"
'';

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.extraParam

Extra parameter to pass to the up/down scripts.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.ignoreIfState

Ignore interface state, e.g., down or no carrier.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.interface

Network interface to bind to.

Type: string

Example: "eth0"

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.neutral

Do not run downscript at start if the host is the backup.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.noMcast

Use broadcast instead of multicast advertisements.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.passwordFile

File containing shared password between CARP hosts.

Type: string

Example: "/run/keys/ucarp-password"

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.preempt

Enable preemptive failover. Thus, this host becomes the CARP master as soon as possible.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.shutdown

Call downscript at exit.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.srcIp

Source (real) IP address of this host.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.upscript

Command to run after become master, the interface name, virtual address and optional extra parameters are passed as arguments.

Type: path

Example:

pkgs.writeScript "upscript" ''
  #!/bin/sh
  ${pkgs.iproute2}/bin/ip addr add "$2"/24 dev "$1"
'';

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.ucarp.vhId

Virtual IP identifier shared between CARP hosts.

Type: integer between 1 and 255 (both inclusive)

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/networking/ucarp.nix>
networking.useDHCP

Whether to use DHCP to obtain an IP address and other configuration for all network interfaces that do not have any manually configured IPv4 addresses.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.useHostResolvConf

In containers, whether to use the resolv.conf supplied by the host.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.useNetworkd

Whether we should use networkd as the network configuration backend or the legacy script based system. Note that this option is experimental, enable at your own risk.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.usePredictableInterfaceNames

Whether to assign predictable names to network interfaces. If enabled, interfaces are assigned names that contain topology information (e.g. wlp3s0) and thus should be stable across reboots. If disabled, names depend on the order in which interfaces are discovered by the kernel, which may change randomly across reboots; for instance, you may find eth0 and eth1 flipping unpredictably.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
networking.vlans

This option allows you to define vlan devices that tag packets on top of a physical interface. The value of this option is an attribute set. Each attribute specifies a vlan, with the name specifying the name of the vlan interface.

Type: attribute set of (submodule)

Default: { }

Example:

{
  vlan0 = {
    id = 3;
    interface = "enp3s0";
  };
  vlan1 = {
    id = 1;
    interface = "wlan0";
  };
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.vlans.<name>.id

The vlan identifier

Type: signed integer

Example: 1

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.vlans.<name>.interface

The interface the vlan will transmit packets through.

Type: string

Example: "enp4s0"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.vswitches

This option allows you to define Open vSwitches that connect physical networks together. The value of this option is an attribute set. Each attribute specifies a vswitch, with the attribute name specifying the name of the vswitch’s network interface.

Type: attribute set of (submodule)

Default: { }

Example:

{
  vs0 = {
    interfaces = {
      eth0 = { };
      lo1 = {
        type = "internal";
      };
    };
  };
  vs1 = {
    interfaces = [
      {
        name = "eth2";
      }
      {
        name = "lo2";
        type = "internal";
      }
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.vswitches.<name>.controllers

Specify the controller targets. For the allowed options see man 8 ovs-vsctl.

Type: list of string

Default: [ ]

Example:

[
  "ptcp:6653:[::1]"
]

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.vswitches.<name>.extraOvsctlCmds

Commands to manipulate the Open vSwitch database. Every line executed with ovs-vsctl. All commands are bundled together with the operations for adding the interfaces into one atomic operation.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  set-fail-mode <switch_name> secure
  set Bridge <switch_name> stp_enable=true
''

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.vswitches.<name>.interfaces

The physical network interfaces connected by the vSwitch.

Type: attribute set of (submodule)

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.vswitches.<name>.interfaces.<name>.name

Name of the interface

Type: string

Example: "eth0"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.vswitches.<name>.interfaces.<name>.type

Openvswitch type to assign to interface

Type: null or string

Default: null

Example: "internal"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.vswitches.<name>.interfaces.<name>.vlan

Vlan tag to apply to interface

Type: null or signed integer

Default: null

Example: 10

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.vswitches.<name>.openFlowRules

OpenFlow rules to insert into the Open vSwitch. All openFlowRules are loaded with ovs-ofctl within one atomic operation.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  actions=normal
''

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.vswitches.<name>.openFlowVersion

Version of OpenFlow protocol to use when communicating with the switch internally (e.g. with openFlowRules).

Type: string

Default: "OpenFlow13"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.vswitches.<name>.supportedOpenFlowVersions

Supported versions to enable on this switch.

Type: list of string

Default:

[
  "OpenFlow13"
]

Example:

[
  "OpenFlow10"
  "OpenFlow13"
  "OpenFlow14"
]

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.wg-quick.interfaces

Wireguard interfaces.

Type: attribute set of (submodule)

Default: { }

Example:

{
  wg0 = {
    address = [
      "192.168.20.4/24"
    ];
    peers = [
      {
        allowedIPs = [
          "192.168.20.1/32"
        ];
        endpoint = "demo.wireguard.io:12913";
        publicKey = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=";
      }
    ];
    privateKey = "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.address

The IP addresses of the interface.

Type: list of string

Default: [ ]

Example:

[
  "192.168.2.1/24"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.autostart

Whether to bring up this interface automatically during boot.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.configFile

wg-quick .conf file, describing the interface. Using this option can be a useful means of configuring WireGuard if one has an existing .conf file. This overrides any other configuration interface configuration options. See wg-quick manpage for more details.

Type: null or string

Default: null

Example: "/secret/wg0.conf"

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.dns

The IP addresses of DNS servers to configure.

Type: list of string

Default: [ ]

Example:

[
  "192.168.2.2"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.generatePrivateKeyFile

Automatically generate a private key with wg genkey, at the privateKeyFile location.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.listenPort

16-bit port for listening. Optional; if not specified, automatically generated based on interface name.

Type: null or signed integer

Default: null

Example: 51820

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.mtu

If not specified, the MTU is automatically determined from the endpoint addresses or the system default route, which is usually a sane choice. However, to manually specify an MTU to override this automatic discovery, this value may be specified explicitly.

Type: null or signed integer

Default: null

Example: 1248

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.peers

Peers linked to the interface.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.peers.*.allowedIPs

List of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to which outgoing traffic for this peer is directed. The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6 addresses.

Type: list of string

Example:

[
  "10.192.122.3/32"
  "10.192.124.1/24"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.peers.*.endpoint

Endpoint IP or hostname of the peer, followed by a colon, and then a port number of the peer.

Type: null or string

Default: null

Example: "demo.wireguard.io:12913"

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.peers.*.persistentKeepalive

This is optional and is by default off, because most users will not need it. It represents, in seconds, between 1 and 65535 inclusive, how often to send an authenticated empty packet to the peer, for the purpose of keeping a stateful firewall or NAT mapping valid persistently. For example, if the interface very rarely sends traffic, but it might at anytime receive traffic from a peer, and it is behind NAT, the interface might benefit from having a persistent keepalive interval of 25 seconds; however, most users will not need this.

Type: null or signed integer

Default: null

Example: 25

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.peers.*.presharedKey

Base64 preshared key generated by wg genpsk. Optional, and may be omitted. This option adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.

Warning: Consider using presharedKeyFile instead if you do not want to store the key in the world-readable Nix store.

Type: null or string

Default: null

Example: "rVXs/Ni9tu3oDBLS4hOyAUAa1qTWVA3loR8eL20os3I="

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.peers.*.presharedKeyFile

File pointing to preshared key as generated by wg genpsk. Optional, and may be omitted. This option adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.

Type: null or string

Default: null

Example: "/private/wireguard_psk"

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.peers.*.publicKey

The base64 public key to the peer.

Type: string

Example: "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.postDown

Command called after the interface is taken down.

Type: strings concatenated with “\n” or (list of string) convertible to it

Default: ""

Example: "${pkgs.iproute2}/bin/ip netns del foo"

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.postUp

Commands called after the interface setup.

Type: strings concatenated with “\n” or (list of string) convertible to it

Default: ""

Example: "${pkgs.iproute2}/bin/ip netns add foo"

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.preDown

Command called before the interface is taken down.

Type: strings concatenated with “\n” or (list of string) convertible to it

Default: ""

Example: "${pkgs.iproute2}/bin/ip netns del foo"

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.preUp

Commands called at the start of the interface setup.

Type: strings concatenated with “\n” or (list of string) convertible to it

Default: ""

Example: "${pkgs.iproute2}/bin/ip netns add foo"

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.privateKey

Base64 private key generated by wg genkey.

Warning: Consider using privateKeyFile instead if you do not want to store the key in the world-readable Nix store.

Type: null or string

Default: null

Example: "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk="

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.privateKeyFile

Private key file as generated by wg genkey.

Type: null or string

Default: null

Example: "/private/wireguard_key"

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wg-quick.interfaces.<name>.table

The kernel routing table to add this interface’s associated routes to. Setting this is useful for e.g. policy routing (“ip rule”) or virtual routing and forwarding (“ip vrf”). Both numeric table IDs and table names (/etc/rt_tables) can be used. Defaults to “main”.

Type: null or string

Default: null

Example: "main"

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-quick.nix>
networking.wireguard.enable

Whether to enable WireGuard.

Note

By default, this module is powered by a script-based backend. You can enable the networkd backend with networking.wireguard.useNetworkd.

Type: boolean

Default: config.networking.wireguard.interfaces != { }

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces

WireGuard interfaces.

Type: attribute set of (submodule)

Default: { }

Example:

{
  wg0 = {
    ips = [
      "192.168.20.4/24"
    ];
    peers = [
      {
        allowedIPs = [
          "192.168.20.1/32"
        ];
        endpoint = "demo.wireguard.io:12913";
        publicKey = "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=";
      }
    ];
    privateKey = "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.allowedIPsAsRoutes

Determines whether to add allowed IPs as routes or not.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.dynamicEndpointRefreshSeconds

Periodically refresh the endpoint hostname or address for all peers. Allows WireGuard to notice DNS and IPv4/IPv6 connectivity changes. This option can be set or overridden for individual peers.

Setting this to 0 disables periodic refresh.

Warning

When networking.wireguard.useNetworkd is enabled, this option deletes the Wireguard interface and brings it back up by reconfiguring the network with networkctl reload on every refresh. This could have adverse effects on your network and cause brief connectivity blips. See systemd/systemd#9911 for an upstream feature request that can make this less hacky.

Type: signed integer

Default: 0

Example: 300

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.fwMark

Mark all wireguard packets originating from this interface with the given firewall mark. The firewall mark can be used in firewalls or policy routing to filter the wireguard packets. This can be useful for setup where all traffic goes through the wireguard tunnel, because the wireguard packets need to be routed differently.

Type: null or string

Default: null

Example: "0x6e6978"

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.generatePrivateKeyFile

Automatically generate a private key with wg genkey, at the privateKeyFile location.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.interfaceNamespace

The pre-existing network namespace the WireGuard interface is moved to. The special value init means the init namespace. When null, the interface is not moved. See documentation.

Type: null or string

Default: null

Example: "init"

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.ips

The IP addresses of the interface.

Type: list of string

Default: [ ]

Example:

[
  "192.168.2.1/24"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.listenPort

16-bit port for listening. Optional; if not specified, automatically generated based on interface name.

Type: null or signed integer

Default: null

Example: 51820

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.metric

Set the metric of routes related to this Wireguard interface.

Type: null or signed integer

Default: null

Example: 700

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.mtu

Set the maximum transmission unit in bytes for the wireguard interface. Beware that the wireguard packets have a header that may add up to 80 bytes to the mtu. By default, the MTU is (1500 - 80) = 1420. However, if the MTU of the upstream network is lower, the MTU of the wireguard network has to be adjusted as well.

Type: null or signed integer

Default: null

Example: 1280

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.peers

Peers linked to the interface.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.peers.*.allowedIPs

List of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to which outgoing traffic for this peer is directed. The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6 addresses.

Type: list of string

Example:

[
  "10.192.122.3/32"
  "10.192.124.1/24"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshRestartSeconds

When the dynamic endpoint refresh that is configured via dynamicEndpointRefreshSeconds exits (likely due to a failure), restart that service after this many seconds.

If set to null the value of networking.wireguard.dynamicEndpointRefreshSeconds will be used as the default.

Type: null or (unsigned integer, meaning >=0)

Default: null

Example: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.peers.*.dynamicEndpointRefreshSeconds

Periodically re-execute the wg utility every this many seconds in order to let WireGuard notice DNS / hostname changes.

Setting this to 0 disables periodic reexecution.

Note

This peer-level setting is not available when networking.wireguard.useNetworkd is enabled. The interface-level setting may be used instead.

Type: null or signed integer

Default: config.networking.wireguard.interfaces.<name>.dynamicEndpointRefreshSeconds

Example: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.peers.*.endpoint

Endpoint IP or hostname of the peer, followed by a colon, and then a port number of the peer.

Warning for endpoints with changing IPs: The WireGuard kernel side cannot perform DNS resolution. Thus DNS resolution is done once by the wg userspace utility, when setting up WireGuard. Consequently, if the IP address behind the name changes, WireGuard will not notice. This is especially common for dynamic-DNS setups, but also applies to any other DNS-based setup. If you do not use IP endpoints, you likely want to set networking.wireguard.dynamicEndpointRefreshSeconds to refresh the IPs periodically.

Type: null or string

Default: null

Example: "demo.wireguard.io:12913"

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.peers.*.name

Name used to derive peer unit name.

Type: string

Default: publicKey

Example: "bernd"

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.peers.*.persistentKeepalive

This is optional and is by default off, because most users will not need it. It represents, in seconds, between 1 and 65535 inclusive, how often to send an authenticated empty packet to the peer, for the purpose of keeping a stateful firewall or NAT mapping valid persistently. For example, if the interface very rarely sends traffic, but it might at anytime receive traffic from a peer, and it is behind NAT, the interface might benefit from having a persistent keepalive interval of 25 seconds; however, most users will not need this.

Type: null or signed integer

Default: null

Example: 25

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.peers.*.presharedKey

Base64 preshared key generated by wg genpsk. Optional, and may be omitted. This option adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.

Warning: Consider using presharedKeyFile instead if you do not want to store the key in the world-readable Nix store.

Type: null or string

Default: null

Example: "rVXs/Ni9tu3oDBLS4hOyAUAa1qTWVA3loR8eL20os3I="

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.peers.*.presharedKeyFile

File pointing to preshared key as generated by wg genpsk. Optional, and may be omitted. This option adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.

Type: null or string

Default: null

Example: "/private/wireguard_psk"

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.peers.*.publicKey

The base64 public key of the peer.

Type: (optionally newline-terminated) single-line string

Example: "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.postSetup

Commands called at the end of the interface setup.

Type: strings concatenated with “\n” or (list of string) convertible to it

Default: ""

Example:

''printf "nameserver 10.200.100.1" | ${pkgs.openresolv}/bin/resolvconf -a wg0 -m 0''

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.postShutdown

Commands called after shutting down the interface.

Type: strings concatenated with “\n” or (list of string) convertible to it

Default: ""

Example: "${pkgs.openresolv}/bin/resolvconf -d wg0"

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.preSetup

Commands called at the start of the interface setup.

Type: strings concatenated with “\n” or (list of string) convertible to it

Default: ""

Example: "${pkgs.iproute2}/bin/ip netns add foo"

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.preShutdown

Commands called before shutting down the interface.

Type: strings concatenated with “\n” or (list of string) convertible to it

Default: ""

Example: "${pkgs.iproute2}/bin/ip netns del foo"

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.privateKey

Base64 private key generated by wg genkey.

Warning: Consider using privateKeyFile instead if you do not want to store the key in the world-readable Nix store.

Type: null or string

Default: null

Example: "yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk="

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.privateKeyFile

Private key file as generated by wg genkey.

Type: null or string

Default: null

Example: "/private/wireguard_key"

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.socketNamespace

The pre-existing network namespace in which the WireGuard interface is created, and which retains the socket even if the interface is moved via interfaceNamespace. When null, the interface is created in the init namespace. See documentation.

Type: null or string

Default: null

Example: "container"

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.interfaces.<name>.table

The kernel routing table to add this interface’s associated routes to. Setting this is useful for e.g. policy routing (“ip rule”) or virtual routing and forwarding (“ip vrf”). Both numeric table IDs and table names (/etc/rt_tables) can be used. Defaults to “main”.

Type: string

Default: "main"

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard.nix>
networking.wireguard.useNetworkd

Whether to use networkd as the network configuration backend for Wireguard instead of the legacy script-based system.

Warning

Some options have slightly different behavior with the networkd and script-based backends. Check the documentation for each Wireguard option you use before enabling this option.

Type: boolean

Default: config.networking.useNetworkd

Declared by:

<nixpkgs/nixos/modules/services/networking/wireguard-networkd.nix>
networking.wireless.enable

Whether to enable wpa_supplicant.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.allowAuxiliaryImperativeNetworks

Whether to allow configuring networks “imperatively” (e.g. via wpa_supplicant_gui) and declaratively via networking.wireless.networks.

Please note that this adds a custom patch to wpa_supplicant.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.athUserRegulatoryDomain

If enabled, sets the ATH_USER_REGD kernel config switch to true to disable the enforcement of EEPROM regulatory restrictions for ath drivers. Requires at least Linux 5.8.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/network/ath-user-regd.nix>
networking.wireless.dbusControlled

Whether to enable the DBus control interface. This is only needed when using NetworkManager or connman.

Type: boolean

Default: length config.networking.wireless.interfaces < 2

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.driver

Force a specific wpa_supplicant driver.

Type: string

Default: "nl80211,wext"

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.extraConfig

Extra lines appended to the configuration file. See wpa_supplicant.conf(5) for available options.

Type: string

Default: ""

Example:

''
  p2p_disabled=1
''

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.fallbackToWPA2

Whether to fall back to WPA2 authentication protocols if WPA3 failed. This allows old wireless cards (that lack recent features required by WPA3) to connect to mixed WPA2/WPA3 access points.

To avoid possible downgrade attacks, disable this options.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.interfaces

The interfaces wpa_supplicant will use. If empty, it will automatically use all wireless interfaces.

Note

A separate wpa_supplicant instance will be started for each interface.

Type: list of string

Default: [ ]

Example:

[
  "wlan0"
  "wlan1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.iwd.enable

Whether to enable iwd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/iwd.nix>
networking.wireless.iwd.package

The iwd package to use.

Type: package

Default: pkgs.iwd

Declared by:

<nixpkgs/nixos/modules/services/networking/iwd.nix>
networking.wireless.iwd.settings

Options passed to iwd. See iwd.config(5) for supported options.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  Network = {
    EnableIPv6 = true;
    RoutePriorityOffset = 300;
  };
  Settings = {
    AutoConnect = true;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/iwd.nix>
networking.wireless.networks

The network definitions to automatically connect to when wpa_supplicant is running. If this parameter is left empty wpa_supplicant will use /etc/wpa_supplicant.conf as the configuration file.

Type: attribute set of (submodule)

Default: { }

Example:

{ echelon = {                   # SSID with no spaces or special characters
    psk = "abcdefgh";           # (password will be written to /nix/store!)
  };

  echelon = {                   # safe version of the above: read PSK from the
    pskRaw = "ext:psk_echelon"; # variable psk_echelon, defined in secretsFile,
  };                            # this won't leak into /nix/store

  "echelon's AP" = {            # SSID with spaces and/or special characters
     psk = "ijklmnop";          # (password will be written to /nix/store!)
  };

  "free.wifi" = {};             # Public wireless network
}

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.networks.<name>.auth

Use this option to configure advanced authentication methods like EAP. See wpa_supplicant.conf(5) for example configurations.

Warning

Be aware that this will be written to the Nix store in plaintext! Use an external reference like ext:secretname for secrets.

Note

Mutually exclusive with psk and pskRaw.

Type: null or string

Default: null

Example:

''
  eap=PEAP
  identity="user@example.com"
  password=ext:example_password
''

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.networks.<name>.authProtocols

The list of authentication protocols accepted by this network. This corresponds to the key_mgmt option in wpa_supplicant.

Type: list of (one of “WPA-PSK”, “WPA-EAP”, “IEEE8021X”, “NONE”, “WPA-NONE”, “FT-PSK”, “FT-EAP”, “FT-EAP-SHA384”, “WPA-PSK-SHA256”, “WPA-EAP-SHA256”, “SAE”, “FT-SAE”, “WPA-EAP-SUITE-B”, “WPA-EAP-SUITE-B-192”, “OSEN”, “FILS-SHA256”, “FILS-SHA384”, “FT-FILS-SHA256”, “FT-FILS-SHA384”, “OWE”, “DPP”)

Default:

[
  "WPA-PSK"
  "WPA-EAP"
  "SAE"
  "FT-PSK"
  "FT-EAP"
  "FT-SAE"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.networks.<name>.extraConfig

Extra configuration lines appended to the network block. See wpa_supplicant.conf(5) for available options.

Type: string

Default: ""

Example:

''
  bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66
''

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.networks.<name>.hidden

Set this to true if the SSID of the network is hidden.

Type: boolean

Default: false

Example:

{ echelon = {
    hidden = true;
    psk = "abcdefgh";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.networks.<name>.priority

By default, all networks will get same priority group (0). If some of the networks are more desirable, this field can be used to change the order in which wpa_supplicant goes through the networks when selecting a BSS. The priority groups will be iterated in decreasing priority (i.e., the larger the priority value, the sooner the network is matched against the scan results). Within each priority group, networks will be selected based on security policy, signal strength, etc.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.networks.<name>.psk

The network’s pre-shared key in plaintext defaulting to being a network without any authentication.

Warning

Be aware that this will be written to the Nix store in plaintext! Use pskRaw with an external reference to keep it safe.

Note

Mutually exclusive with pskRaw.

Type: null or string matching the pattern [[:print:]]{8,63}

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.networks.<name>.pskRaw

Either the raw pre-shared key in hexadecimal format or the name of the secret (as defined inside networking.wireless.secretsFile and prefixed with ext:) containing the network pre-shared key.

Warning

Be aware that this will be written to the Nix store in plaintext! Always use an external reference.

Note

The external secret can be either the plaintext passphrase or the raw pre-shared key.

Note

Mutually exclusive with psk and auth.

Type: null or string matching the pattern ([[:xdigit:]]{64})|(ext:[^=]+)

Default: null

Example: "ext:name_of_the_secret_here"

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.scanOnLowSignal

Whether to periodically scan for (better) networks when the signal of the current one is low. This will make roaming between access points faster, but will consume more power.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.secretsFile

File consisting of lines of the form varname=value to define variables for the wireless configuration.

Secrets (PSKs, passwords, etc.) can be provided without adding them to the world-readable Nix store by defining them in the secrets file and referring to them in option networking.wireless.networks with the syntax ext:secretname. Example:

# content of /run/secrets/wireless.conf
psk_home=mypassword
psk_other=6a381cea59c7a2d6b30736ba0e6f397f7564a044bcdb7a327a1d16a1ed91b327
pass_work=myworkpassword

# wireless-related configuration
networking.wireless.secretsFile = "/run/secrets/wireless.conf";
networking.wireless.networks = {
  home.pskRaw = "ext:psk_home";
  other.pskRaw = "ext:psk_other";
  work.auth = ''
    eap=PEAP
    identity="my-user@example.com"
    password=ext:pass_work
  '';
};

Type: null or path

Default: null

Example: "/run/secrets/wireless.conf"

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.userControlled.enable

Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli. This is useful for laptop users that switch networks a lot and don’t want to depend on a large package such as NetworkManager just to pick nearby access points.

When using a declarative network specification you cannot persist any settings via wpa_gui or wpa_cli.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wireless.userControlled.group

Members of this group can control wpa_supplicant.

Type: string

Default: "wheel"

Example: "network"

Declared by:

<nixpkgs/nixos/modules/services/networking/wpa_supplicant.nix>
networking.wlanInterfaces

Creating multiple WLAN interfaces on top of one physical WLAN device (NIC).

The name of the WLAN interface corresponds to the name of the attribute. A NIC is referenced by the persistent device name of the WLAN interface that udev assigns to a NIC by default. If a NIC supports multiple WLAN interfaces, then the one NIC can be used as device for multiple WLAN interfaces. If a NIC is used for creating WLAN interfaces, then the default WLAN interface with a persistent device name form udev is not created. A WLAN interface with the persistent name assigned from udev would have to be created explicitly.

Type: attribute set of (submodule)

Default: { }

Example:

{
  wlan-station0 = {
      device = "wlp6s0";
  };
  wlan-adhoc0 = {
      type = "ibss";
      device = "wlp6s0";
      mac = "02:00:00:00:00:01";
  };
  wlan-p2p0 = {
      device = "wlp6s0";
      mac = "02:00:00:00:00:02";
  };
  wlan-ap0 = {
      device = "wlp6s0";
      mac = "02:00:00:00:00:03";
  };
}

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.wlanInterfaces.<name>.device

The name of the underlying hardware WLAN device as assigned by udev.

Type: string

Example: "wlp6s0"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.wlanInterfaces.<name>.flags

Flags for interface of type monitor.

Type: null or one of “none”, “fcsfail”, “control”, “otherbss”, “cook”, “active”

Default: null

Example: "control"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.wlanInterfaces.<name>.fourAddr

Whether to enable 4-address mode with type managed.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.wlanInterfaces.<name>.mac

MAC address to use for the device. If null, then the MAC of the underlying hardware WLAN device is used.

INFO: Locally administered MAC addresses are of the form:

  • x2:xx:xx:xx:xx:xx

  • x6:xx:xx:xx:xx:xx

  • xA:xx:xx:xx:xx:xx

  • xE:xx:xx:xx:xx:xx

Type: null or string

Default: null

Example: "02:00:00:00:00:01"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.wlanInterfaces.<name>.meshID

MeshID of interface with type mesh.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
networking.wlanInterfaces.<name>.type

The type of the WLAN interface. The type has to be supported by the underlying hardware of the device.

Type: one of “managed”, “ibss”, “monitor”, “mesh”, “wds”

Default: "managed"

Example: "ibss"

Declared by:

<nixpkgs/nixos/modules/tasks/network-interfaces.nix>
nix.enable

Whether to enable Nix. Disabling Nix makes the system hard to modify and the Nix programs and configuration will not be made available by NixOS itself.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/system/nix-daemon.nix>
nix.package

This option specifies the Nix package instance to use throughout the system.

Type: package

Default: pkgs.nix

Declared by:

<nixpkgs/nixos/modules/services/system/nix-daemon.nix>
nix.buildMachines

This option lists the machines to be used if distributed builds are enabled (see nix.distributedBuilds). Nix will perform derivations on those machines via SSH by copying the inputs to the Nix store on the remote machine, starting the build, then copying the output back to the local Nix store.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/nix-remote-build.nix>
nix.buildMachines.*.hostName

The hostname of the build machine.

Type: string

Example: "nixbuilder.example.org"

Declared by:

<nixpkgs/nixos/modules/config/nix-remote-build.nix>
nix.buildMachines.*.mandatoryFeatures

A list of features mandatory for this builder. The builder will be ignored for derivations that don’t require all features in this list. All mandatory features are automatically included in supportedFeatures.

Type: list of string

Default: [ ]

Example:

[
  "big-parallel"
]

Declared by:

<nixpkgs/nixos/modules/config/nix-remote-build.nix>
nix.buildMachines.*.maxJobs

The number of concurrent jobs the build machine supports. The build machine will enforce its own limits, but this allows hydra to schedule better since there is no work-stealing between build machines.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/config/nix-remote-build.nix>
nix.buildMachines.*.protocol

The protocol used for communicating with the build machine. Use ssh-ng if your remote builder and your local Nix version support that improved protocol.

Use null when trying to change the special localhost builder without a protocol which is for example used by hydra.

Type: one of <null>, “ssh”, “ssh-ng”

Default: "ssh"

Example: "ssh-ng"

Declared by:

<nixpkgs/nixos/modules/config/nix-remote-build.nix>
nix.buildMachines.*.publicHostKey

The (base64-encoded) public host key of this builder. The field is calculated via base64 -w0 /etc/ssh/ssh_host_type_key.pub. If null, SSH will use its regular known-hosts file when connecting.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/nix-remote-build.nix>
nix.buildMachines.*.speedFactor

The relative speed of this builder. This is an arbitrary integer that indicates the speed of this builder, relative to other builders. Higher is faster.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/config/nix-remote-build.nix>
nix.buildMachines.*.sshKey

The path to the SSH private key with which to authenticate on the build machine. The private key must not have a passphrase. If null, the building user (root on NixOS machines) must have an appropriate ssh configuration to log in non-interactively.

Note that for security reasons, this path must point to a file in the local filesystem, not to the nix store.

Type: null or string

Default: null

Example: "/root/.ssh/id_buildhost_builduser"

Declared by:

<nixpkgs/nixos/modules/config/nix-remote-build.nix>
nix.buildMachines.*.sshUser

The username to log in as on the remote host. This user must be able to log in and run nix commands non-interactively. It must also be privileged to build derivations, so must be included in nix.settings.trusted-users.

Type: null or string

Default: null

Example: "builder"

Declared by:

<nixpkgs/nixos/modules/config/nix-remote-build.nix>
nix.buildMachines.*.supportedFeatures

A list of features supported by this builder. The builder will be ignored for derivations that require features not in this list.

Type: list of string

Default: [ ]

Example:

[
  "kvm"
  "big-parallel"
]

Declared by:

<nixpkgs/nixos/modules/config/nix-remote-build.nix>
nix.buildMachines.*.system

The system type the build machine can execute derivations on. Either this attribute or systems must be present, where system takes precedence if both are set.

Type: null or string

Default: null

Example: "x86_64-linux"

Declared by:

<nixpkgs/nixos/modules/config/nix-remote-build.nix>
nix.buildMachines.*.systems

The system types the build machine can execute derivations on. Either this attribute or system must be present, where system takes precedence if both are set.

Type: list of string

Default: [ ]

Example:

[
  "x86_64-linux"
  "aarch64-linux"
]

Declared by:

<nixpkgs/nixos/modules/config/nix-remote-build.nix>
nix.channel.enable

Whether the nix-channel command and state files are made available on the machine.

The following files are initialized when enabled:

  • /nix/var/nix/profiles/per-user/root/channels

  • /root/.nix-channels

  • $HOME/.nix-defexpr/channels (on login)

Disabling this option will not remove the state files from the system.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/nix-channel.nix>
nix.checkAllErrors

If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.checkConfig

If enabled, checks that Nix can parse the generated nix.conf.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.daemonCPUSchedPolicy

Nix daemon process CPU scheduling policy. This policy propagates to build processes. other is the default scheduling policy for regular tasks. The batch policy is similar to other, but optimised for non-interactive tasks. idle is for extremely low-priority tasks that should only be run when no other task requires CPU time.

Please note that while using the idle policy may greatly improve responsiveness of a system performing expensive builds, it may also slow down and potentially starve crucial configuration updates during load.

idle may therefore be a sensible policy for systems that experience only intermittent phases of high CPU load, such as desktop or portable computers used interactively. Other systems should use the other or batch policy instead.

For more fine-grained resource control, please refer to systemd.resource-control(5) and adjust systemd.services.nix-daemon directly.

Type: one of “other”, “batch”, “idle”

Default: "other"

Example: "batch"

Declared by:

<nixpkgs/nixos/modules/services/system/nix-daemon.nix>
nix.daemonIOSchedClass

Nix daemon process I/O scheduling class. This class propagates to build processes. best-effort is the default class for regular tasks. The idle class is for extremely low-priority tasks that should only perform I/O when no other task does.

Please note that while using the idle scheduling class can improve responsiveness of a system performing expensive builds, it might also slow down or starve crucial configuration updates during load.

idle may therefore be a sensible class for systems that experience only intermittent phases of high I/O load, such as desktop or portable computers used interactively. Other systems should use the best-effort class.

Type: one of “best-effort”, “idle”

Default: "best-effort"

Example: "idle"

Declared by:

<nixpkgs/nixos/modules/services/system/nix-daemon.nix>
nix.daemonIOSchedPriority

Nix daemon process I/O scheduling priority. This priority propagates to build processes. The supported priorities depend on the scheduling policy: With idle, priorities are not used in scheduling decisions. best-effort supports values in the range 0 (high) to 7 (low).

Type: signed integer

Default: 4

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/system/nix-daemon.nix>
nix.distributedBuilds

Whether to distribute builds to the machines listed in nix.buildMachines.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/nix-remote-build.nix>
nix.extraOptions

Additional text appended to nix.conf.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  keep-outputs = true
  keep-derivations = true
''

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.gc.automatic

Automatically run the garbage collector at a specific time.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-gc.nix>
nix.gc.dates

How often or when garbage collection is performed. For most desktop and server systems a sufficient garbage collection is once a week.

This value must be a calendar event in the format specified by systemd.time(7).

Type: (optionally newline-terminated) single-line string

Default: "03:15"

Example: "weekly"

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-gc.nix>
nix.gc.options

Options given to nix-collect-garbage when the garbage collector is run automatically.

Type: (optionally newline-terminated) single-line string

Default: ""

Example: "--max-freed $((64 * 1024**3))"

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-gc.nix>
nix.gc.persistent

Takes a boolean argument. If true, the time when the service unit was last triggered is stored on disk. When the timer is activated, the service unit is triggered immediately if it would have been triggered at least once during the time when the timer was inactive. Such triggering is nonetheless subject to the delay imposed by RandomizedDelaySec=. This is useful to catch up on missed runs of the service when the system was powered down.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-gc.nix>
nix.gc.randomizedDelaySec

Add a randomized delay before each garbage collection. The delay will be chosen between zero and this value. This value must be a time span in the format specified by systemd.time(7)

Type: (optionally newline-terminated) single-line string

Default: "0"

Example: "45min"

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-gc.nix>
nix.nixPath

The default Nix expression search path, used by the Nix evaluator to look up paths enclosed in angle brackets (e.g. <nixpkgs>).

Type: list of string

Default:

''
  if nix.channel.enable
  then [
    "nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos"
    "nixos-config=/etc/nixos/configuration.nix"
    "/nix/var/nix/profiles/per-user/root/channels"
  ]
  else [];
''

Declared by:

<nixpkgs/nixos/modules/config/nix-channel.nix>
nix.nrBuildUsers

Number of nixbld user accounts created to perform secure concurrent builds. If you receive an error message saying that “all build users are currently in use”, you should increase this value.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/system/nix-daemon.nix>
nix.optimise.automatic

Automatically run the nix store optimiser at a specific time.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-optimise.nix>
nix.optimise.dates

Specification (in the format described by systemd.time(7)) of the time at which the optimiser will run.

Type: list of string

Default:

[
  "03:45"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-optimise.nix>
nix.registry

A system-wide flake registry.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/config/nix-flakes.nix>
nix.registry.<name>.exact

Whether the from reference needs to match exactly. If set, a from reference like nixpkgs does not match with a reference like nixpkgs/nixos-20.03.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/nix-flakes.nix>
nix.registry.<name>.flake

The flake input from is rewritten to.

Type: null or (attribute set)

Default: null

Example: nixpkgs

Declared by:

<nixpkgs/nixos/modules/config/nix-flakes.nix>
nix.registry.<name>.from

The flake reference to be rewritten.

Type: attribute set of (string or signed integer or boolean or path or package)

Example:

{
  id = "nixpkgs";
  type = "indirect";
}

Declared by:

<nixpkgs/nixos/modules/config/nix-flakes.nix>
nix.registry.<name>.to

The flake reference from is rewritten to.

Type: attribute set of (string or signed integer or boolean or path or package)

Example:

{
  owner = "my-org";
  repo = "my-nixpkgs";
  type = "github";
}

Declared by:

<nixpkgs/nixos/modules/config/nix-flakes.nix>
nix.settings

Configuration for Nix, see https://nixos.org/manual/nix/stable/command-ref/conf-file.html or nix.conf(5) for available options. The value declared here will be translated directly to the key-value pairs Nix expects.

You can use nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings to view the current value. By default it is empty.

Nix configurations defined under nix.* will be translated and applied to this option. In addition, configuration specified in nix.extraOptions will be appended verbatim to the resulting config file.

Type: attribute set of (Nix config atom (null, bool, int, float, str, path or package) or list of (Nix config atom (null, bool, int, float, str, path or package)))

Default: { }

Example:

{
  use-sandbox = true;
  show-trace = true;

  system-features = [ "big-parallel" "kvm" "recursive-nix" ];
  sandbox-paths = [ "/bin/sh=${pkgs.busybox-sandbox-shell.out}/bin/busybox" ];
}

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.settings.allowed-users

A list of names of users (separated by whitespace) that are allowed to connect to the Nix daemon. As with nix.settings.trusted-users, you can specify groups by prefixing them with @. Also, you can allow all users by specifying *. The default is *. Note that trusted users are always allowed to connect.

Type: list of string

Default:

[
  "*"
]

Example:

[
  "@wheel"
  "@builders"
  "alice"
  "bob"
]

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.settings.auto-optimise-store

If set to true, Nix automatically detects files in the store that have identical contents, and replaces them with hard links to a single copy. This saves disk space. If set to false (the default), you can still run nix-store --optimise to get rid of duplicate files.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.settings.cores

This option defines the maximum number of concurrent tasks during one build. It affects, e.g., -j option for make. The special value 0 means that the builder should use all available CPU cores in the system. Some builds may become non-deterministic with this option; use with care! Packages will only be affected if enableParallelBuilding is set for them.

Type: signed integer

Default: 0

Example: 64

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.settings.extra-sandbox-paths

Directories from the host filesystem to be included in the sandbox.

Type: list of string

Default: [ ]

Example:

[
  "/dev"
  "/proc"
]

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.settings.max-jobs

This option defines the maximum number of jobs that Nix will try to build in parallel. The default is auto, which means it will use all available logical cores. It is recommend to set it to the total number of logical cores in your system (e.g., 16 for two CPUs with 4 cores each and hyper-threading).

Type: signed integer or value “auto” (singular enum)

Default: "auto"

Example: 64

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.settings.require-sigs

If enabled (the default), Nix will only download binaries from binary caches if they are cryptographically signed with any of the keys listed in nix.settings.trusted-public-keys. If disabled, signatures are neither required nor checked, so it’s strongly recommended that you use only trustworthy caches and https to prevent man-in-the-middle attacks.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.settings.sandbox

If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies outside of the Nix store by using network and mount namespaces in a chroot environment.

This is enabled by default even though it has a possible performance impact due to the initial setup time of a sandbox for each build. It doesn’t affect derivation hashes, so changing this option will not trigger a rebuild of packages.

When set to “relaxed”, this option permits derivations that set __noChroot = true; to run outside of the sandboxed environment. Exercise caution when using this mode of operation! It is intended to be a quick hack when building with packages that are not easily setup to be built reproducibly.

Type: boolean or value “relaxed” (singular enum)

Default: true

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.settings.substituters

List of binary cache URLs used to obtain pre-built binaries of Nix packages.

By default https://cache.nixos.org/ is added.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.settings.system-features

The set of features supported by the machine. Derivations can express dependencies on system features through the requiredSystemFeatures attribute.

By default, pseudo-features nixos-test, benchmark, and big-parallel used in Nixpkgs are set, kvm is also included if it is available.

Type: list of string

Example:

[
  "kvm"
  "big-parallel"
  "gccarch-skylake"
]

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.settings.trusted-public-keys

List of public keys used to sign binary caches. If nix.settings.trusted-public-keys is enabled, then Nix will use a binary from a binary cache if and only if it is signed by any of the keys listed here. By default, only the key for cache.nixos.org is included.

Type: list of string

Example:

[
  "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
]

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.settings.trusted-substituters

List of binary cache URLs that non-root users can use (in addition to those specified using nix.settings.substituters) by passing --option binary-caches to Nix commands.

Type: list of string

Default: [ ]

Example:

[
  "https://hydra.nixos.org/"
]

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.settings.trusted-users

A list of names of users that have additional rights when connecting to the Nix daemon, such as the ability to specify additional binary caches, or to import unsigned NARs. You can also specify groups by prefixing them with @; for instance, @wheel means all users in the wheel group.

Type: list of string

Example:

[
  "root"
  "alice"
  "@wheel"
]

Declared by:

<nixpkgs/nixos/modules/config/nix.nix>
nix.sshServe.enable

Whether to enable serving the Nix store as a remote store via SSH.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix>
nix.sshServe.keys

A list of SSH public keys allowed to access the binary cache via SSH.

Type: list of string

Default: [ ]

Example:

[
  "ssh-dss AAAAB3NzaC1k... alice@example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix>
nix.sshServe.protocol

The specific Nix-over-SSH protocol to use.

Type: one of “ssh”, “ssh-ng”

Default: "ssh"

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix>
nix.sshServe.write

Whether to enable writing to the Nix store as a remote store via SSH. Note: the sshServe user is named nix-ssh and is not a trusted-user. nix-ssh should be added to the nix.settings.trusted-users option in most use cases, such as allowing remote building of derivations.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nix-ssh-serve.nix>
nixops.enableDeprecatedAutoLuks

Whether to enable the deprecated NixOps AutoLuks module.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/misc/nixops-autoluks.nix>
nixpkgs.buildPlatform

Specifies the platform on which NixOS should be built. By default, NixOS is built on the system where it runs, but you can change where it’s built. Setting this option will cause NixOS to be cross-compiled.

For instance, if you’re doing distributed multi-platform deployment, or if you’re building machines, you can set this to match your development system and/or build farm.

Ignored when nixpkgs.pkgs is set.

Type: string or (attribute set)

Default: config.nixpkgs.hostPlatform

Example:

{
  system = "x86_64-linux";
}

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
nixpkgs.config

Global configuration for Nixpkgs. The complete list of Nixpkgs configuration options is in the Nixpkgs manual section on global configuration.

Ignored when nixpkgs.pkgs is set.

Type: nixpkgs config

Default: { }

Example:

{ allowBroken = true; allowUnfree = true; }

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
nixpkgs.crossSystem

Systems with a recently generated hardware-configuration.nix may instead specify only nixpkgs.buildPlatform, or fall back to removing the nixpkgs.hostPlatform line from the generated config.

Specifies the platform for which NixOS should be built. Specify this only if it is different from nixpkgs.localSystem, the platform on which NixOS should be built. In other words, specify this to cross-compile NixOS. Otherwise it should be set as null, the default. See its description in the Nixpkgs manual for more details.

Ignored when nixpkgs.pkgs or hostPlatform is set.

Type: null or (attribute set)

Default: null

Example:

{
  system = "aarch64-linux";
}

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
nixpkgs.flake.setFlakeRegistry

Whether to pin nixpkgs in the system-wide flake registry (/etc/nix/registry.json) to the store path of the sources of nixpkgs used to build the NixOS system.

This is on by default for NixOS configurations built with flakes.

This option makes nix run nixpkgs#hello reuse dependencies from the system, avoid refetching nixpkgs, and have a consistent result every time.

Note that this option makes the NixOS closure depend on the nixpkgs sources, which may add undesired closure size if the system will not have any nix commands run on it.

Type: boolean

Default: "config.nixpkgs.flake.source != null"

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs-flake.nix>
nixpkgs.flake.setNixPath

Whether to set NIX_PATH to include nixpkgs=flake:nixpkgs such that <nixpkgs> lookups receive the version of nixpkgs that the system was built with, in concert with nixpkgs.flake.setFlakeRegistry.

This is on by default for NixOS configurations built with flakes.

This makes nix-build '<nixpkgs>' -A hello work out of the box on flake systems.

Note that this option makes the NixOS closure depend on the nixpkgs sources, which may add undesired closure size if the system will not have any nix commands run on it.

Type: boolean

Default: "config.nixpkgs.flake.source != null"

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs-flake.nix>
nixpkgs.flake.source

The path to the nixpkgs sources used to build the system. This is automatically set up to be the store path of the nixpkgs flake used to build the system if using nixpkgs.lib.nixosSystem, and is otherwise null by default.

This can also be optionally set if the NixOS system is not built with a flake but still uses pinned sources: set this to the store path for the nixpkgs sources used to build the system, as may be obtained by builtins.fetchTarball, for example.

Note: the name of the store path must be “source” due to https://github.com/NixOS/nix/issues/7075.

Type: null or string or path

Default: "if (using nixpkgsFlake.lib.nixosSystem) then self.outPath else null"

Example: "builtins.fetchTarball { name = \"source\"; sha256 = \"sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\"; url = \"https://github.com/nixos/nixpkgs/archive/somecommit.tar.gz\"; }"

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs-flake.nix>
nixpkgs.hostPlatform

Specifies the platform where the NixOS configuration will run.

To cross-compile, set also nixpkgs.buildPlatform.

Ignored when nixpkgs.pkgs is set.

Type: string or (attribute set)

Default: (import "${nixos}/../lib").lib.systems.examples.aarch64-multiplatform

Example:

{
  system = "aarch64-linux";
}

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
nixpkgs.localSystem

Systems with a recently generated hardware-configuration.nix do not need to specify this option, unless cross-compiling, in which case you should set only nixpkgs.buildPlatform.

If this is somehow not feasible, you may fall back to removing the nixpkgs.hostPlatform line from the generated config and use the old options.

Specifies the platform on which NixOS should be built. When nixpkgs.crossSystem is unset, it also specifies the platform for which NixOS should be built. If this option is unset, it defaults to the platform type of the machine where evaluation happens. Specifying this option is useful when doing distributed multi-platform deployment, or when building virtual machines. See its description in the Nixpkgs manual for more details.

Ignored when nixpkgs.pkgs or hostPlatform is set.

Type: attribute set

Default: (import "${nixos}/../lib").lib.systems.examples.aarch64-multiplatform

Example:

{
  system = "aarch64-linux";
}

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
nixpkgs.overlays

List of overlays to apply to Nixpkgs. This option allows modifying the Nixpkgs package set accessed through the pkgs module argument.

For details, see the Overlays chapter in the Nixpkgs manual.

If the nixpkgs.pkgs option is set, overlays specified using nixpkgs.overlays will be applied after the overlays that were already included in nixpkgs.pkgs.

Type: list of (nixpkgs overlay)

Default: [ ]

Example:

[
  (self: super: {
    openssh = super.openssh.override {
      hpnSupport = true;
      kerberos = self.libkrb5;
    };
  })
]

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
nixpkgs.pkgs

If set, the pkgs argument to all NixOS modules is the value of this option, extended with nixpkgs.overlays, if that is also set. Either nixpkgs.crossSystem or nixpkgs.localSystem will be used in an assertion to check that the NixOS and Nixpkgs architectures match. Any other options in nixpkgs.*, notably config, will be ignored.

If unset, the pkgs argument to all NixOS modules is determined as shown in the default value for this option.

The default value imports the Nixpkgs source files relative to the location of this NixOS module, because NixOS and Nixpkgs are distributed together for consistency, so the nixos in the default value is in fact a relative path. The config, overlays, localSystem, and crossSystem come from this option’s siblings.

This option can be used by applications like NixOps to increase the performance of evaluation, or to create packages that depend on a container that should be built with the exact same evaluation of Nixpkgs, for example. Applications like this should set their default value using lib.mkDefault, so user-provided configuration can override it without using lib.

Note that using a distinct version of Nixpkgs with NixOS may be an unexpected source of problems. Use this option with care.

Type: An evaluation of Nixpkgs; the top level attribute set of packages

Default:

import "${nixos}/.." {
  inherit (cfg) config overlays localSystem crossSystem;
}

Example: import <nixpkgs> {}

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
nixpkgs.system

This option does not need to be specified for NixOS configurations with a recently generated hardware-configuration.nix.

Specifies the Nix platform type on which NixOS should be built. It is better to specify nixpkgs.localSystem instead.

{
  nixpkgs.system = ..;
}

is the same as

{
  nixpkgs.localSystem.system = ..;
}

See nixpkgs.localSystem for more information.

Ignored when nixpkgs.pkgs, nixpkgs.localSystem or nixpkgs.hostPlatform is set.

Type: string

Default: Traditionally builtins.currentSystem, but unset when invoking NixOS through lib.nixosSystem.

Example: "i686-linux"

Declared by:

<nixpkgs/nixos/modules/misc/nixpkgs.nix>
openstack.zfs.datasets

Datasets to create under the tank and boot zpools.

NOTE: This option is used only at image creation time, and does not attempt to declaratively create or manage datasets on an existing system.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/openstack-options.nix>
openstack.zfs.datasets.<name>.mount

Where to mount this dataset.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/virtualisation/openstack-options.nix>
openstack.zfs.datasets.<name>.properties

Properties to set on this dataset.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/openstack-options.nix>
power.ups.enable

Whether to enable support for Power Devices, such as Uninterruptible Power Supplies, Power Distribution Units and Solar Controllers .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.maxStartDelay

This can be set as a global variable above your first UPS definition and it can also be set in a UPS section. This value controls how long upsdrvctl will wait for the driver to finish starting. This keeps your system from getting stuck due to a broken driver or UPS.

Type: signed integer

Default: 45

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.mode

The MODE determines which part of the NUT is to be started, and which configuration files must be modified.

The values of MODE can be:

  • none: NUT is not configured, or use the Integrated Power Management, or use some external system to startup NUT components. So nothing is to be started.

  • standalone: This mode address a local only configuration, with 1 UPS protecting the local system. This implies to start the 3 NUT layers (driver, upsd and upsmon) and the matching configuration files. This mode can also address UPS redundancy.

  • netserver: same as for the standalone configuration, but also need some more ACLs and possibly a specific LISTEN directive in upsd.conf. Since this MODE is opened to the network, a special care should be applied to security concerns.

  • netclient: this mode only requires upsmon.

Type: one of “none”, “standalone”, “netserver”, “netclient”

Default: "standalone"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.openFirewall

Open ports in the firewall for upsd.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.schedulerRules

File which contains the rules to handle UPS events.

Type: string

Example: "/etc/nixos/upssched.conf"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.ups

This is where you configure all the UPSes that this system will be monitoring directly. These are usually attached to serial ports, but USB devices are also supported.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.ups.<name>.description

Description of the UPS.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.ups.<name>.directives

List of configuration directives for this UPS.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.ups.<name>.driver

Specify the program to run to talk to this UPS. apcsmart, bestups, and sec are some examples.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.ups.<name>.maxStartDelay

This can be set as a global variable above your first UPS definition and it can also be set in a UPS section. This value controls how long upsdrvctl will wait for the driver to finish starting. This keeps your system from getting stuck due to a broken driver or UPS.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.ups.<name>.port

The serial port to which your UPS is connected. /dev/ttyS0 is usually the first port on Linux boxes, for example.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.ups.<name>.shutdownOrder

When you have multiple UPSes on your system, you usually need to turn them off in a certain order. upsdrvctl shuts down all the 0s, then the 1s, 2s, and so on. To exclude a UPS from the shutdown sequence, set this to -1.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.ups.<name>.summary

Lines which would be added inside ups.conf for handling this UPS.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsd

Options for the upsd.conf configuration file.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsd.enable

Whether to enable upsd.

Type: boolean

Default: true if mode is one of standalone, netserver

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsd.extraConfig

Additional lines to add to upsd.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsd.listen

Address of the interface for upsd to listen on. See man upsd for details`.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    address = "192.168.50.1";
  }
  {
    address = "::1";
    port = 5923;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsd.listen.*.address

Address of the interface for upsd to listen on. See man upsd.conf for details.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsd.listen.*.port

TCP port for upsd to listen on. See man upsd.conf for details.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3493

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsmon

Options for the upsmon.conf configuration file.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsmon.enable

Whether to enable upsmon.

Type: boolean

Default: true if mode is one of standalone, netserver, netclient

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsmon.monitor

Set of UPS to monitor. See man upsmon.conf for details.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsmon.monitor.<name>.passwordFile

The full path to a file containing the password from upsd.users for accessing this UPS. The password file is read on service start. See upsmon.conf for details.

Type: string

Default: power.ups.users.${user}.passwordFile

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsmon.monitor.<name>.powerValue

Number of power supplies that the UPS feeds on this system. See upsmon.conf for details.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsmon.monitor.<name>.system

Identifier of the UPS to monitor, in this form: <upsname>[@<hostname>[:<port>]] See upsmon.conf for details.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsmon.monitor.<name>.type

The relationship with upsd. See upsmon.conf for details.

Type: string

Default: "master"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsmon.monitor.<name>.user

Username from upsd.users for accessing this UPS. See upsmon.conf for details.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.upsmon.settings

Additional settings to add to upsmon.conf.

Type: attribute set of (atom (null, bool, int, float or string) or list of non-empty (list of (atom (null, bool, int, float or string))))

Default: { MINSUPPLIES = 1; MONITOR = <generated from config.power.ups.upsmon.monitor> NOTIFYCMD = “${pkgs.nut}/bin/upssched”; POWERDOWNFLAG = “/run/killpower”; RUN_AS_USER = “root”; SHUTDOWNCMD = “${pkgs.systemd}/bin/shutdown now”; }

Example: { MINSUPPLIES = 2; NOTIFYFLAG = [ [ “ONLINE” “SYSLOG+EXEC” ] [ “ONBATT” “SYSLOG+EXEC” ] ]; }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.users

Users that can access upsd. See man upsd.users.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.users.<name>.actions

Allow the user to do certain things with upsd. See man upsd.users for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.users.<name>.instcmds

Let the user initiate specific instant commands. Use “ALL” to grant all commands automatically. For the full list of what your UPS supports, use “upscmd -l”. See man upsd.users for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.users.<name>.passwordFile

The full path to a file that contains the user’s (clear text) password. The password file is read on service start.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
power.ups.users.<name>.upsmon

Add the necessary actions for a upsmon process to work. See man upsd.users for details.

Type: null or one of “primary”, “secondary”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ups.nix>
powerManagement.enable

Whether to enable power management. This includes support for suspend-to-RAM and powersave features on laptops.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/power-management.nix>
powerManagement.cpuFreqGovernor

Configure the governor used to regulate the frequency of the available CPUs. By default, the kernel configures the performance governor, although this may be overwritten in your hardware-configuration.nix file.

Often used values: “ondemand”, “powersave”, “performance”

Type: null or string

Default: null

Example: "ondemand"

Declared by:

<nixpkgs/nixos/modules/tasks/cpu-freq.nix>
powerManagement.cpufreq.max

The maximum frequency the CPU will use. Defaults to the maximum possible.

Type: null or (unsigned integer, meaning >=0)

Default: null

Example: 2200000

Declared by:

<nixpkgs/nixos/modules/tasks/cpu-freq.nix>
powerManagement.cpufreq.min

The minimum frequency the CPU will use.

Type: null or (unsigned integer, meaning >=0)

Default: null

Example: 800000

Declared by:

<nixpkgs/nixos/modules/tasks/cpu-freq.nix>
powerManagement.powerDownCommands

Commands executed when the machine powers down. That is, they’re executed both when the system shuts down and when it goes to suspend or hibernation.

Type: strings concatenated with “\n”

Default: ""

Example:

"${pkgs.hdparm}/sbin/hdparm -B 255 /dev/sda"

Declared by:

<nixpkgs/nixos/modules/config/power-management.nix>
powerManagement.powerUpCommands

Commands executed when the machine powers up. That is, they’re executed both when the system first boots and when it resumes from suspend or hibernation.

Type: strings concatenated with “\n”

Default: ""

Example:

"${pkgs.hdparm}/sbin/hdparm -B 255 /dev/sda"

Declared by:

<nixpkgs/nixos/modules/config/power-management.nix>
powerManagement.powertop.enable

Whether to enable powertop auto tuning on startup.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/powertop.nix>
powerManagement.resumeCommands

Commands executed after the system resumes from suspend-to-RAM.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/power-management.nix>
powerManagement.scsiLinkPolicy

SCSI link power management policy. The kernel default is “max_performance”.

“med_power_with_dipm” is supported by kernel versions 4.15 and newer.

Type: null or one of “min_power”, “max_performance”, “medium_power”, “med_power_with_dipm”

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/scsi-link-power-management.nix>
programs._1password.enable

Whether to enable the 1Password CLI tool.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/_1password.nix>
programs._1password.package

The 1Password CLI package to use.

Type: package

Default: pkgs._1password-cli

Declared by:

<nixpkgs/nixos/modules/programs/_1password.nix>
programs._1password-gui.enable

Whether to enable the 1Password GUI application.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/_1password-gui.nix>
programs._1password-gui.package

The 1Password GUI package to use.

Type: package

Default: pkgs._1password-gui

Declared by:

<nixpkgs/nixos/modules/programs/_1password-gui.nix>
programs._1password-gui.polkitPolicyOwners

A list of users who should be able to integrate 1Password with polkit-based authentication mechanisms.

Type: list of string

Default: [ ]

Example: ["user1" "user2" "user3"]

Declared by:

<nixpkgs/nixos/modules/programs/_1password-gui.nix>
programs.adb.enable

Whether to configure system to use Android Debug Bridge (adb). To grant access to a user, it must be part of adbusers group: users.users.alice.extraGroups = ["adbusers"];

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/adb.nix>
programs.alvr.enable

Whether to enable ALVR, the VR desktop streamer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/alvr.nix>
programs.alvr.package

The alvr package to use.

Type: package

Default: pkgs.alvr

Declared by:

<nixpkgs/nixos/modules/programs/alvr.nix>
programs.alvr.openFirewall

Whether to open the default ports in the firewall for the ALVR server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/alvr.nix>
programs.appgate-sdp.enable

Whether to enable the AppGate SDP VPN client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/appgate-sdp.nix>
programs.appimage.enable

Whether to enable appimage-run wrapper script for executing appimages on NixOS.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/appimage.nix>
programs.appimage.package

The appimage-run package to use.

Type: package

Default: pkgs.appimage-run

Example:

pkgs.appimage-run.override {
  extraPkgs = pkgs: [ pkgs.ffmpeg pkgs.imagemagick ];
}

Declared by:

<nixpkgs/nixos/modules/programs/appimage.nix>
programs.appimage.binfmt

Whether to enable binfmt registration to run appimages via appimage-run seamlessly.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/appimage.nix>
programs.arp-scan.enable

Whether to configure a setcap wrapper for arp-scan.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/arp-scan.nix>
programs.atop.enable

Whether to enable Atop, a tool for monitoring system resources.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/atop.nix>
programs.atop.package

The atop package to use.

Type: package

Default: pkgs.atop

Declared by:

<nixpkgs/nixos/modules/programs/atop.nix>
programs.atop.atopRotateTimer.enable

Whether to enable the atop-rotate timer, which restarts the atop service daily to make sure the data files are rotate.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/atop.nix>
programs.atop.atopService.enable

Whether to enable the atop service responsible for storing statistics for long-term analysis.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/atop.nix>
programs.atop.atopacctService.enable

Whether to enable the atopacct service which manages process accounting. This allows Atop to gather data about processes that disappeared in between two refresh intervals.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/atop.nix>
programs.atop.atopgpu.enable

Whether to install and enable the atopgpud daemon to get information about NVIDIA gpus.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/atop.nix>
programs.atop.netatop.enable

Whether to install and enable the netatop kernel module. Note: this sets the kernel taint flag “O” for loading out-of-tree modules.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/atop.nix>
programs.atop.netatop.package

Which package to use for netatop.

Type: package

Default: config.boot.kernelPackages.netatop

Declared by:

<nixpkgs/nixos/modules/programs/atop.nix>
programs.atop.settings

Parameters to be written to /etc/atoprc.

Type: attribute set

Default: { }

Example:

{
  flags = "a1f";
  interval = 5;
}

Declared by:

<nixpkgs/nixos/modules/programs/atop.nix>
programs.atop.setuidWrapper.enable

Whether to install a setuid wrapper for Atop. This is required to use some of the features as non-root user (e.g.: ipc information, netatop, atopgpu). Atop tries to drop the root privileges shortly after starting.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/atop.nix>
programs.ausweisapp.enable

Whether to enable AusweisApp.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/ausweisapp.nix>
programs.ausweisapp.openFirewall

Whether to open the required firewall ports for the Smartphone as Card Reader (SaC) functionality of AusweisApp.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/ausweisapp.nix>
programs.autojump.enable

Whether to enable autojump.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/autojump.nix>
programs.bandwhich.enable

Whether to add bandwhich to the global environment and configure a setcap wrapper for it.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/bandwhich.nix>
programs.bash.enableLsColors

Whether to enable extra colors in directory listings.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/bash/ls-colors.nix>
programs.bash.blesh.enable

Whether to enable blesh, a full-featured line editor written in pure Bash.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/bash/blesh.nix>
programs.bash.completion.enable

Whether to enable Bash completion for all interactive bash shells.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash-completion.nix>
programs.bash.completion.package

The bash-completion package to use.

Type: package

Default: pkgs.bash-completion

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash-completion.nix>
programs.bash.interactiveShellInit

Shell script code called during interactive bash shell initialisation.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.loginShellInit

Shell script code called during login bash shell initialisation.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.promptInit

Shell script code used to initialise the bash prompt.

Type: strings concatenated with “\n”

Default:

''
  # Provide a nice prompt if the terminal supports it.
  if [ "$TERM" != "dumb" ] || [ -n "$INSIDE_EMACS" ]; then
    PROMPT_COLOR="1;31m"
    ((UID)) && PROMPT_COLOR="1;32m"
    if [ -n "$INSIDE_EMACS" ]; then
      # Emacs term mode doesn't support xterm title escape sequence (\e]0;)
      PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
    else
      PS1="\n\[\033[$PROMPT_COLOR\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\\$\[\033[0m\] "
    fi
    if test "$TERM" = "xterm"; then
      PS1="\[\033]2;\h:\u:\w\007\]$PS1"
    fi
  fi
''

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.shellAliases

Set of aliases for bash shell, which overrides environment.shellAliases. See environment.shellAliases for an option format description.

Type: attribute set of (null or string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.shellInit

Shell script code called during bash shell initialisation.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/bash/bash.nix>
programs.bash.undistractMe.enable

Whether to enable notifications when long-running terminal commands complete.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/bash/undistract-me.nix>
programs.bash.undistractMe.playSound

Whether to enable notification sounds when long-running terminal commands complete.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/bash/undistract-me.nix>
programs.bash.undistractMe.timeout

Number of seconds it would take for a command to be considered long-running.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/programs/bash/undistract-me.nix>
programs.bash.vteIntegration

Whether to enable Bash integration for VTE terminals. This allows it to preserve the current directory of the shell across terminals.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/vte.nix>
programs.bash-my-aws.enable

Whether to enable bash-my-aws.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/bash-my-aws.nix>
programs.bat.enable

Whether to enable bat, a cat(1) clone with wings.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/bat.nix>
programs.bat.package

The bat package to use.

Type: package

Default: pkgs.bat

Declared by:

<nixpkgs/nixos/modules/programs/bat.nix>
programs.bat.extraPackages

Extra bat scripts to be added to the system configuration.

Type: list of package

Default: [ ]

Example:

with pkgs.bat-extras; [
  batdiff
  batman
  prettybat
];

Declared by:

<nixpkgs/nixos/modules/programs/bat.nix>
programs.bat.settings

Parameters to be written to the system-wide bat configuration file.

Type: attribute set of (atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default: { }

Example:

{
  italic-text = "always";
  map-syntax = [
    "*.ino:C++"
    ".ignore:Git Ignore"
  ];
  pager = "less --RAW-CONTROL-CHARS --quit-if-one-screen --mouse";
  paging = "never";
  theme = "TwoDark";
}

Declared by:

<nixpkgs/nixos/modules/programs/bat.nix>
programs.bazecor.enable

Whether to enable Bazecor, the graphical configurator for Dygma Products.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/bazecor.nix>
programs.bazecor.package

The bazecor package to use.

Type: package

Default: pkgs.bazecor

Declared by:

<nixpkgs/nixos/modules/programs/bazecor.nix>
programs.bcc.enable

Whether to enable bcc, tools for BPF-based Linux IO analysis, networking, monitoring, and more.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/bcc.nix>
programs.benchexec.enable

Whether to enable BenchExec.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/benchexec.nix>
programs.benchexec.package

The benchexec package to use.

Type: package

Default: pkgs.benchexec

Declared by:

<nixpkgs/nixos/modules/programs/benchexec.nix>
programs.benchexec.users

Users that intend to use BenchExec. Provide usernames of users that are configured via users.users as string, and UIDs of “mutable users” as integers. Control group delegation will be configured via systemd. For more information, see https://github.com/sosy-lab/benchexec/blob/3.18/doc/INSTALL.md#setting-up-cgroups.

Type: list of (string or signed integer)

Default: [ ]

Example:

[
  "alice" # username of a user configured via users.users
  1007    # UID of a mutable user
]

Declared by:

<nixpkgs/nixos/modules/programs/benchexec.nix>
programs.browserpass.enable

Whether to enable Browserpass native messaging host.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/browserpass.nix>
programs.calls.enable

Whether to enable GNOME calls: a phone dialer and call handler .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/calls.nix>
programs.captive-browser.enable

Whether to enable captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/captive-browser.nix>
programs.captive-browser.package

The captive-browser package to use.

Type: package

Default: pkgs.captive-browser

Declared by:

<nixpkgs/nixos/modules/programs/captive-browser.nix>
programs.captive-browser.bindInterface

Binds captive-browser to the network interface declared in cfg.interface. This can be used to avoid collisions with private subnets.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/captive-browser.nix>
programs.captive-browser.browser

The shell (/bin/sh) command executed once the proxy starts. When browser exits, the proxy exits. An extra env var PROXY is available.

Here, we use a separate Chrome instance in Incognito mode, so that it can run (and be waited for) alongside the default one, and that it maintains no state across runs. To configure this browser open a normal window in it, settings will be preserved.

@volth: chromium is to open a plain HTTP (not HTTPS nor redirect to HTTPS!) website. upstream uses http://example.com but I have seen captive portals whose DNS server resolves “example.com” to 127.0.0.1

Type: string

Default: env XDG_CONFIG_HOME="$PREV_CONFIG_HOME" ${pkgs.chromium}/bin/chromium --user-data-dir=${XDG_DATA_HOME:-$HOME/.local/share}/chromium-captive --proxy-server="socks5://$PROXY" --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost" --no-first-run --new-window --incognito -no-default-browser-check http://cache.nixos.org/

Declared by:

<nixpkgs/nixos/modules/programs/captive-browser.nix>
programs.captive-browser.dhcp-dns

The shell (/bin/sh) command executed to obtain the DHCP DNS server address. The first match of an IPv4 regex is used. IPv4 only, because let’s be real, it’s a captive portal.

Type: string

Declared by:

<nixpkgs/nixos/modules/programs/captive-browser.nix>
programs.captive-browser.interface

your public network interface (wlp3s0, wlan0, eth0, …)

Type: string

Declared by:

<nixpkgs/nixos/modules/programs/captive-browser.nix>
programs.captive-browser.socks5-addr

the listen address for the SOCKS5 proxy server

Type: string

Default: "localhost:1666"

Declared by:

<nixpkgs/nixos/modules/programs/captive-browser.nix>
programs.cardboard.enable

Whether to enable cardboard.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/cardboard.nix>
programs.cardboard.package

The cardboard package to use.

Type: package

Default: pkgs.cardboard

Declared by:

<nixpkgs/nixos/modules/programs/wayland/cardboard.nix>
programs.ccache.enable

Whether to enable CCache, a compiler cache for fast recompilation of C/C++ code.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/ccache.nix>
programs.ccache.packageNames

Nix top-level packages to be compiled using CCache

Type: list of string

Default: [ ]

Example:

[
  "wxGTK32"
  "ffmpeg"
  "libav_all"
]

Declared by:

<nixpkgs/nixos/modules/programs/ccache.nix>
programs.ccache.cacheDir

CCache directory

Type: path

Default: "/var/cache/ccache"

Declared by:

<nixpkgs/nixos/modules/programs/ccache.nix>
programs.ccache.group

Group owner of CCache directory

Type: string

Default: "nixbld"

Declared by:

<nixpkgs/nixos/modules/programs/ccache.nix>
programs.ccache.owner

Owner of CCache directory

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/programs/ccache.nix>
programs.cdemu.enable

cdemu for members of programs.cdemu.group.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/cdemu.nix>
programs.cdemu.group

Group that users must be in to use cdemu.

Type: string

Default: "cdrom"

Declared by:

<nixpkgs/nixos/modules/programs/cdemu.nix>
programs.cdemu.gui

Whether to install the cdemu GUI (gCDEmu).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/cdemu.nix>
programs.cdemu.image-analyzer

Whether to install the image analyzer.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/cdemu.nix>
programs.cfs-zen-tweaks.enable

Whether to enable CFS Zen Tweaks.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/cfs-zen-tweaks.nix>
programs.chromium.enable

Whether to enable chromium policies.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/chromium.nix>
programs.chromium.enablePlasmaBrowserIntegration

Whether to enable Native Messaging Host for Plasma Browser Integration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/chromium.nix>
programs.chromium.defaultSearchProviderEnabled

Enable the default search provider.

Type: null or boolean

Default: null

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/chromium.nix>
programs.chromium.defaultSearchProviderSearchURL

Chromium default search provider url.

Type: null or string

Default: null

Example: "https://encrypted.google.com/search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}"

Declared by:

<nixpkgs/nixos/modules/programs/chromium.nix>
programs.chromium.defaultSearchProviderSuggestURL

Chromium default search provider url for suggestions.

Type: null or string

Default: null

Example: "https://encrypted.google.com/complete/search?output=chrome&q={searchTerms}"

Declared by:

<nixpkgs/nixos/modules/programs/chromium.nix>
programs.chromium.extensions

List of chromium extensions to install. For list of plugins ids see id in url of extensions on chrome web store page. To install a chromium extension not included in the chrome web store, append to the extension id a semicolon “;” followed by a URL pointing to an Update Manifest XML file. See ExtensionInstallForcelist for additional details.

Type: null or (list of string)

Default: null

Example:

[
  "chlffgpmiacpedhhbkiomidkjlcfhogd" # pushbullet
  "mbniclmhobmnbdlbpiphghaielnnpgdp" # lightshot
  "gcbommkclmclpchllfjekcdonpmejbdp" # https everywhere
  "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
]

Declared by:

<nixpkgs/nixos/modules/programs/chromium.nix>
programs.chromium.extraOpts

Extra chromium policy options. A list of available policies can be found in the Chrome Enterprise documentation: https://cloud.google.com/docs/chrome-enterprise/policies/ Make sure the selected policy is supported on Linux and your browser version.

Type: attribute set

Default: { }

Example:

{
  "BrowserSignin" = 0;
  "SyncDisabled" = true;
  "PasswordManagerEnabled" = false;
  "SpellcheckEnabled" = true;
  "SpellcheckLanguage" = [
    "de"
    "en-US"
  ];
}

Declared by:

<nixpkgs/nixos/modules/programs/chromium.nix>
programs.chromium.homepageLocation

Chromium default homepage

Type: null or string

Default: null

Example: "https://nixos.org"

Declared by:

<nixpkgs/nixos/modules/programs/chromium.nix>
programs.chromium.initialPrefs

Initial preferences are used to configure the browser for the first run. Unlike programs.chromium.extraOpts, initialPrefs can be changed by users in the browser settings. More information can be found in the Chromium documentation: https://www.chromium.org/administrators/configuring-other-preferences/

Type: attribute set

Default: { }

Example:

{
  "first_run_tabs" = [
    "https://nixos.org/"
  ];
}

Declared by:

<nixpkgs/nixos/modules/programs/chromium.nix>
programs.chromium.plasmaBrowserIntegrationPackage

The plasma-browser-integration package to use.

Type: package

Default: pkgs.plasma5Packages.plasma-browser-integration

Declared by:

<nixpkgs/nixos/modules/programs/chromium.nix>
programs.clash-verge.enable

Whether to enable Clash Verge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/clash-verge.nix>
programs.clash-verge.package

The clash-verge package to use. Available options are clash-verge-rev and clash-nyanpasu, both are forks of the original clash-verge project.

Type: package

Example: "pkgs.clash-verge-rev"

Declared by:

<nixpkgs/nixos/modules/programs/clash-verge.nix>
programs.clash-verge.autoStart

Whether to enable Clash Verge auto launch.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/clash-verge.nix>
programs.clash-verge.tunMode

Whether to enable Clash Verge TUN mode.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/clash-verge.nix>
programs.cnping.enable

Whether to enable a setcap wrapper for cnping.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/cnping.nix>
programs.command-not-found.enable

Whether interactive shells should show which Nix package (if any) provides a missing command.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/command-not-found/command-not-found.nix>
programs.command-not-found.dbPath

Absolute path to programs.sqlite.

By default this file will be provided by your channel (nixexprs.tar.xz).

Type: path

Default: "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite"

Declared by:

<nixpkgs/nixos/modules/programs/command-not-found/command-not-found.nix>
programs.coolercontrol.enable

Whether to enable CoolerControl GUI & its background services.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/coolercontrol.nix>
programs.coolercontrol.nvidiaSupport

Enable support for Nvidia GPUs.

Type: boolean

Default: lib.elem "nvidia" config.services.xserver.videoDrivers

Declared by:

<nixpkgs/nixos/modules/programs/coolercontrol.nix>
programs.corectrl.enable

Whether to enable CoreCtrl, a tool to overclock amd graphics cards and processors. Add your user to the corectrl group to run corectrl without needing to enter your password .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/corectrl.nix>
programs.corectrl.package

The corectrl package to use. Useful for overriding the configuration options used for the package.

Type: package

Default: pkgs.corectrl

Declared by:

<nixpkgs/nixos/modules/hardware/corectrl.nix>
programs.corectrl.gpuOverclock.enable

Whether to enable GPU overclocking .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/corectrl.nix>
programs.corectrl.gpuOverclock.ppfeaturemask

Sets the amdgpu.ppfeaturemask kernel option. In particular, it is used here to set the overdrive bit. Default is 0xfffd7fff as it is less likely to cause flicker issues. Setting it to 0xffffffff enables all features.

Type: string

Default: "0xfffd7fff"

Example: "0xffffffff"

Declared by:

<nixpkgs/nixos/modules/hardware/corectrl.nix>
programs.corefreq.enable

Whether to enable Whether to enable the corefreq daemon and kernel module.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/corefreq.nix>
programs.corefreq.package

The corefreq package to use.

Type: package

Default: config.boot.kernelPackages.corefreq

Declared by:

<nixpkgs/nixos/modules/programs/corefreq.nix>
programs.cpu-energy-meter.enable

Whether to enable CPU Energy Meter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/cpu-energy-meter.nix>
programs.cpu-energy-meter.package

The cpu-energy-meter package to use.

Type: package

Default: pkgs.cpu-energy-meter

Declared by:

<nixpkgs/nixos/modules/programs/cpu-energy-meter.nix>
programs.criu.enable

Install criu along with necessary kernel options.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/criu.nix>
programs.darling.enable

Whether to enable Darling, a Darwin/macOS compatibility layer for Linux.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/darling.nix>
programs.darling.package

The darling package to use.

Type: package

Default: pkgs.darling

Declared by:

<nixpkgs/nixos/modules/programs/darling.nix>
programs.dconf.enable

Whether to enable dconf.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/dconf.nix>
programs.dconf.packages

A list of packages which provide dconf profiles and databases in /etc/dconf.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/dconf.nix>
programs.dconf.profiles

Attrset of dconf profiles. By default the user profile is used which ends up in /etc/dconf/profile/user.

Type: attribute set of (path or package or (submodule))

Default: { }

Example:

{
  # A "user" profile with a database
  user.databases = [
    {
      settings = { };
    }
  ];
  # A "bar" profile from a package
  bar = pkgs.bar-dconf-profile;
  # A "foo" profile from a path
  foo = ${./foo}
};

Declared by:

<nixpkgs/nixos/modules/programs/dconf.nix>
programs.digitalbitbox.enable

Installs the Digital Bitbox application and enables the complementary hardware module.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/digitalbitbox/default.nix>
programs.digitalbitbox.package

The digitalbitbox package to use. This can be used to install a package with udev rules that differ from the defaults.

Type: package

Default: pkgs.digitalbitbox

Declared by:

<nixpkgs/nixos/modules/programs/digitalbitbox/default.nix>
programs.direnv.enable

Whether to enable direnv integration. Takes care of both installation and setting up the sourcing of the shell. Additionally enables nix-direnv integration. Note that you need to logout and login for this change to apply .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/direnv.nix>
programs.direnv.enableBashIntegration

Whether to enable Bash integration .

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/programs/direnv.nix>
programs.direnv.enableFishIntegration

Whether to enable Fish integration .

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/programs/direnv.nix>
programs.direnv.enableZshIntegration

Whether to enable Zsh integration .

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/programs/direnv.nix>
programs.direnv.package

The direnv package to use.

Type: package

Default: pkgs.direnv

Declared by:

<nixpkgs/nixos/modules/programs/direnv.nix>
programs.direnv.direnvrcExtra

Extra lines to append to the sourced direnvrc

Type: strings concatenated with “\n”

Default: ""

Example:

''
  export FOO="foo"
  echo "loaded direnv!"
''

Declared by:

<nixpkgs/nixos/modules/programs/direnv.nix>
programs.direnv.loadInNixShell

Whether to enable loading direnv in nix-shell nix shell or nix develop .

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/programs/direnv.nix>
programs.direnv.nix-direnv.enable

Whether to enable a faster, persistent implementation of use_nix and use_flake, to replace the builtin one .

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/programs/direnv.nix>
programs.direnv.nix-direnv.package

The nix-direnv package to use

Type: package

Default: "pkgs.nix-direnv"

Declared by:

<nixpkgs/nixos/modules/programs/direnv.nix>
programs.direnv.silent

Whether to enable the hiding of direnv logging .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/direnv.nix>
programs.dmrconfig.enable

Whether to configure system to enable use of dmrconfig. This enables the required udev rules and installs the program.

Type: boolean

Default: false

Related packages:

Declared by:

<nixpkgs/nixos/modules/programs/dmrconfig.nix>
programs.dmrconfig.package

The dmrconfig package to use.

Type: package

Default: pkgs.dmrconfig

Declared by:

<nixpkgs/nixos/modules/programs/dmrconfig.nix>
programs.droidcam.enable

Whether to enable DroidCam client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/droidcam.nix>
programs.dublin-traceroute.enable

Whether to enable dublin-traceroute (including setcap wrapper).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/dublin-traceroute.nix>
programs.dublin-traceroute.package

The dublin-traceroute package to use.

Type: package

Default: pkgs.dublin-traceroute

Declared by:

<nixpkgs/nixos/modules/programs/dublin-traceroute.nix>
programs.ecryptfs.enable

Whether to enable ecryptfs setuid mount wrappers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/ecryptfs.nix>
programs.envision.enable

Whether to enable envision.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/envision.nix>
programs.envision.package

The envision package to use.

Type: package

Default: pkgs.envision

Declared by:

<nixpkgs/nixos/modules/programs/envision.nix>
programs.envision.openFirewall

Whether to enable the default ports in the firewall for the WiVRn server.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/envision.nix>
programs.evince.enable

Whether to enable Evince, the GNOME document viewer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/evince.nix>
programs.evince.package

The evince package to use.

Type: package

Default: pkgs.evince

Declared by:

<nixpkgs/nixos/modules/programs/evince.nix>
programs.evolution.enable

Whether to enable Evolution, a Personal information management application that provides integrated mail, calendaring and address book functionality.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/evolution-data-server.nix>
programs.evolution.plugins

Plugins for Evolution.

Type: list of package

Default: [ ]

Example: [ pkgs.evolution-ews ]

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/evolution-data-server.nix>
programs.extra-container.enable

Whether to enable extra-container, a tool for running declarative NixOS containers without host system rebuilds .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/extra-container.nix>
programs.fcast-receiver.enable

Whether to enable FCast Receiver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/fcast-receiver.nix>
programs.fcast-receiver.package

The fcast-receiver package to use.

Type: package

Default: pkgs.fcast-receiver

Declared by:

<nixpkgs/nixos/modules/programs/fcast-receiver.nix>
programs.fcast-receiver.openFirewall

Open ports needed for the functionality of the program.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/fcast-receiver.nix>
programs.feedbackd.enable

Whether to enable the feedbackd D-BUS service and udev rules.

Your user needs to be in the feedbackd group to trigger effects .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/feedbackd.nix>
programs.feedbackd.package

The feedbackd package to use.

Type: package

Default: pkgs.feedbackd

Declared by:

<nixpkgs/nixos/modules/programs/feedbackd.nix>
programs.file-roller.enable

Whether to enable File Roller, an archive manager for GNOME.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/file-roller.nix>
programs.file-roller.package

The file-roller package to use.

Type: package

Default: pkgs.file-roller

Declared by:

<nixpkgs/nixos/modules/programs/file-roller.nix>
programs.firefox.enable

Whether to enable the Firefox web browser.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.package

Firefox package to use.

Type: package

Default: pkgs.firefox

Related packages:

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.autoConfig

AutoConfig files can be used to set and lock preferences that are not covered by the policies.json for Mac and Linux. This method can be used to automatically change user preferences or prevent the end user from modifiying specific preferences by locking them. More info can be found in https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.autoConfigFiles

AutoConfig files can be used to set and lock preferences that are not covered by the policies.json for Mac and Linux. This method can be used to automatically change user preferences or prevent the end user from modifiying specific preferences by locking them. More info can be found in https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig.

Files are concated and autoConfig is appended.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.languagePacks

The language packs to install.

Type: list of (one of “ach”, “af”, “an”, “ar”, “ast”, “az”, “be”, “bg”, “bn”, “br”, “bs”, “ca-valencia”, “ca”, “cak”, “cs”, “cy”, “da”, “de”, “dsb”, “el”, “en-CA”, “en-GB”, “en-US”, “eo”, “es-AR”, “es-CL”, “es-ES”, “es-MX”, “et”, “eu”, “fa”, “ff”, “fi”, “fr”, “fur”, “fy-NL”, “ga-IE”, “gd”, “gl”, “gn”, “gu-IN”, “he”, “hi-IN”, “hr”, “hsb”, “hu”, “hy-AM”, “ia”, “id”, “is”, “it”, “ja”, “ka”, “kab”, “kk”, “km”, “kn”, “ko”, “lij”, “lt”, “lv”, “mk”, “mr”, “ms”, “my”, “nb-NO”, “ne-NP”, “nl”, “nn-NO”, “oc”, “pa-IN”, “pl”, “pt-BR”, “pt-PT”, “rm”, “ro”, “ru”, “sat”, “sc”, “sco”, “si”, “sk”, “skr”, “sl”, “son”, “sq”, “sr”, “sv-SE”, “szl”, “ta”, “te”, “tg”, “th”, “tl”, “tr”, “trs”, “uk”, “ur”, “uz”, “vi”, “xh”, “zh-CN”, “zh-TW”)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.nativeMessagingHosts.packages

Additional packages containing native messaging hosts that should be made available to Firefox extensions.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.nativeMessagingHosts.browserpass

Whether to enable Browserpass support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.nativeMessagingHosts.bukubrow

Whether to enable Bukubrow support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.nativeMessagingHosts.euwebid

Whether to enable Web eID support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.nativeMessagingHosts.ff2mpv

Whether to enable ff2mpv support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.nativeMessagingHosts.fxCast

Whether to enable fx_cast support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.nativeMessagingHosts.gsconnect

Whether to enable GSConnect support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.nativeMessagingHosts.jabref

Whether to enable JabRef support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.nativeMessagingHosts.passff

Whether to enable PassFF support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.nativeMessagingHosts.tridactyl

Whether to enable Tridactyl support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.nativeMessagingHosts.ugetIntegrator

Whether to enable Uget Integrator support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.policies

Group policies to install.

See Mozilla’s documentation for a list of available options.

This can be used to install extensions declaratively! Check out the documentation of the ExtensionSettings policy for details.

When this option is in use, Firefox will inform you that “your browser is managed by your organisation”. That message appears because NixOS installs what you have declared here such that it cannot be overridden through the user interface. It does not mean that someone else has been given control of your browser, unless of course they also control your NixOS configuration.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.preferences

Preferences to set from about:config.

Some of these might be able to be configured more ergonomically using policies.

When this option is in use, Firefox will inform you that “your browser is managed by your organisation”. That message appears because NixOS installs what you have declared here such that it cannot be overridden through the user interface. It does not mean that someone else has been given control of your browser, unless of course they also control your NixOS configuration.

Type: attribute set of (boolean or signed integer or string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.preferencesStatus

The status of firefox.preferences.

status can assume the following values:

  • "default": Preferences appear as default.

  • "locked": Preferences appear as default and can’t be changed.

  • "user": Preferences appear as changed.

  • "clear": Value has no effect. Resets to factory defaults on each startup.

Type: one of “default”, “locked”, “user”, “clear”

Default: "locked"

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firefox.wrapperConfig

Arguments to pass to Firefox wrapper

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/firefox.nix>
programs.firejail.enable

Whether to enable firejail, a sandboxing tool for Linux.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/firejail.nix>
programs.firejail.wrappedBinaries

Wrap the binaries in firejail and place them in the global path.

Type: attribute set of (path or (submodule))

Default: { }

Example:

{
  firefox = {
    executable = "${lib.getBin pkgs.firefox}/bin/firefox";
    profile = "${pkgs.firejail}/etc/firejail/firefox.profile";
  };
  mpv = {
    executable = "${lib.getBin pkgs.mpv}/bin/mpv";
    profile = "${pkgs.firejail}/etc/firejail/mpv.profile";
  };
}

Declared by:

<nixpkgs/nixos/modules/programs/firejail.nix>
programs.fish.enable

Whether to configure fish as an interactive shell.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/fish.nix>
programs.fish.package

The fish package to use.

Type: package

Default: pkgs.fish

Declared by:

<nixpkgs/nixos/modules/programs/fish.nix>
programs.fish.interactiveShellInit

Shell script code called during interactive fish shell initialisation.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/fish.nix>
programs.fish.loginShellInit

Shell script code called during fish login shell initialisation.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/fish.nix>
programs.fish.promptInit

Shell script code used to initialise fish prompt.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/fish.nix>
programs.fish.shellAbbrs

Set of fish abbreviations.

Type: attribute set of string

Default: { }

Example:

{
  gco = "git checkout";
  npu = "nix-prefetch-url";
}

Declared by:

<nixpkgs/nixos/modules/programs/fish.nix>
programs.fish.shellAliases

Set of aliases for fish shell, which overrides environment.shellAliases. See environment.shellAliases for an option format description.

Type: attribute set of (null or string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/fish.nix>
programs.fish.shellInit

Shell script code called during fish shell initialisation.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/fish.nix>
programs.fish.useBabelfish

If enabled, the configured environment will be translated to native fish using babelfish. Otherwise, foreign-env will be used.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/fish.nix>
programs.fish.vendor.completions.enable

Whether fish should use completion files provided by other packages.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/fish.nix>
programs.fish.vendor.config.enable

Whether fish should source configuration snippets provided by other packages.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/fish.nix>
programs.fish.vendor.functions.enable

Whether fish should autoload fish functions provided by other packages.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/fish.nix>
programs.flashrom.enable

Installs flashrom and configures udev rules for programmers used by flashrom. Grants access to users in the “flashrom” group.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/flashrom.nix>
programs.flashrom.package

The flashrom package to use.

Type: package

Default: pkgs.flashrom

Declared by:

<nixpkgs/nixos/modules/programs/flashrom.nix>
programs.flexoptix-app.enable

Whether to enable FLEXOPTIX app + udev rules.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/flexoptix-app.nix>
programs.flexoptix-app.package

The flexoptix-app package to use.

Type: package

Default: pkgs.flexoptix-app

Declared by:

<nixpkgs/nixos/modules/programs/flexoptix-app.nix>
programs.foot.enable

Whether to enable foot terminal emulator.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/foot>
programs.foot.enableBashIntegration

Whether to enable foot bash integration.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/foot>
programs.foot.enableFishIntegration

Whether to enable foot fish integration.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/foot>
programs.foot.enableZshIntegration

Whether to enable foot zsh integration.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/foot>
programs.foot.package

The foot package to use.

Type: package

Default: pkgs.foot

Declared by:

<nixpkgs/nixos/modules/programs/foot>
programs.foot.settings

Configuration for foot terminal emulator. Further information can be found in man 5 foot.ini.

Global configuration has to be written under the [main] section.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default: { }

Example:

{
  main = {
    font = "FreeMono:size=12";
  };
  scrollback = {
    lines = 100000;
  };
}

Declared by:

<nixpkgs/nixos/modules/programs/foot>
programs.foot.theme

Theme name. Check https://codeberg.org/dnkl/foot/src/branch/master/themes for available themes.

Type: null or string

Default: null

Example: "aeroroot"

Declared by:

<nixpkgs/nixos/modules/programs/foot>
programs.fuse.mountMax

Set the maximum number of FUSE mounts allowed to non-root users.

Type: integer between 0 and 32767 (both inclusive)

Default: 1000

Declared by:

<nixpkgs/nixos/modules/programs/fuse.nix>
programs.fuse.userAllowOther

Allow non-root users to specify the allow_other or allow_root mount options, see mount.fuse3(8).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/fuse.nix>
programs.fzf.fuzzyCompletion

Whether to enable fuzzy completion with fzf.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/fzf.nix>
programs.fzf.keybindings

Whether to enable fzf keybindings.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/fzf.nix>
programs.gamemode.enable

Whether to enable GameMode to optimise system performance on demand.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/gamemode.nix>
programs.gamemode.enableRenice

Whether to enable CAP_SYS_NICE on gamemoded to support lowering process niceness.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/gamemode.nix>
programs.gamemode.settings

System-wide configuration for GameMode (/etc/gamemode.ini). See gamemoded(8) man page for available settings.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default: { }

Example:

{
  general = {
    renice = 10;
  };

  # Warning: GPU optimisations have the potential to damage hardware
  gpu = {
    apply_gpu_optimisations = "accept-responsibility";
    gpu_device = 0;
    amd_performance_level = "high";
  };

  custom = {
    start = "${pkgs.libnotify}/bin/notify-send 'GameMode started'";
    end = "${pkgs.libnotify}/bin/notify-send 'GameMode ended'";
  };
}

Declared by:

<nixpkgs/nixos/modules/programs/gamemode.nix>
programs.gamescope.enable

Whether to enable gamescope, the SteamOS session compositing window manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/gamescope.nix>
programs.gamescope.package

The gamescope package to use.

Type: package

Default: pkgs.gamescope

Declared by:

<nixpkgs/nixos/modules/programs/gamescope.nix>
programs.gamescope.args

Arguments passed to GameScope on startup.

Type: list of string

Default: [ ]

Example:

[
  "--rt"
  "--prefer-vk-device 8086:9bc4"
]

Declared by:

<nixpkgs/nixos/modules/programs/gamescope.nix>
programs.gamescope.capSysNice

Add cap_sys_nice capability to the GameScope binary so that it may renice itself.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/gamescope.nix>
programs.gamescope.env

Default environment variables available to the GameScope process, overridable at runtime.

Type: attribute set of string

Default: { }

Example:

# for Prime render offload on Nvidia laptops.
# Also requires `hardware.nvidia.prime.offload.enable`.
{
  __NV_PRIME_RENDER_OFFLOAD = "1";
  __VK_LAYER_NV_optimus = "NVIDIA_only";
  __GLX_VENDOR_LIBRARY_NAME = "nvidia";
}

Declared by:

<nixpkgs/nixos/modules/programs/gamescope.nix>
programs.gdk-pixbuf.modulePackages

Packages providing GDK-Pixbuf modules, for cache generation.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/gdk-pixbuf.nix>
programs.geary.enable

Whether to enable Geary, a Mail client for GNOME.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/geary.nix>
programs.git.enable

Whether to enable git, a distributed version control system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/git.nix>
programs.git.package

The git package to use.

Type: package

Default: pkgs.git

Example: gitFull

Declared by:

<nixpkgs/nixos/modules/programs/git.nix>
programs.git.config

Configuration to write to /etc/gitconfig. A list can also be specified to keep the configuration in order. For example, setting config to [ { foo.x = 42; } { bar.y = 42; }] will put the foo section before the bar section unlike the default alphabetical order, which can be helpful for sections such as include and includeIf. See the CONFIGURATION FILE section of git-config(1) for more information.

Type: (attribute set of attribute set of anything) or list of attribute set of attribute set of anything

Default: [ ]

Example:

{
  init = {
    defaultBranch = "main";
  };
  url = {
    "https://github.com/" = {
      insteadOf = [
        "gh:"
        "github:"
      ];
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/programs/git.nix>
programs.git.lfs.enable

Whether to enable git-lfs (Large File Storage).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/git.nix>
programs.git.lfs.enablePureSSHTransfer

Whether to enable Enable pure SSH transfer in server side by adding git-lfs-transfer to environment.systemPackages.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/git.nix>
programs.git.lfs.package

The git-lfs package to use.

Type: package

Default: pkgs.git-lfs

Declared by:

<nixpkgs/nixos/modules/programs/git.nix>
programs.git.prompt.enable

Whether to enable automatically sourcing git-prompt.sh. This does not change $PS1; it simply provides relevant utility functions.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/git.nix>
programs.git-worktree-switcher.enable

Whether to enable git-worktree-switcher, switch between git worktrees with speed…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/git-worktree-switcher.nix>
programs.gnome-disks.enable

Whether to enable GNOME Disks daemon, a program designed to be a UDisks2 graphical front-end.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/gnome-disks.nix>
programs.gnome-terminal.enable

Whether to enable GNOME Terminal.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/gnome-terminal.nix>
programs.gnupg.package

The gnupg package to use.

Type: package

Default: pkgs.gnupg

Declared by:

<nixpkgs/nixos/modules/programs/gnupg.nix>
programs.gnupg.agent.enable

Enables GnuPG agent with socket-activation for every user session.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/gnupg.nix>
programs.gnupg.agent.enableBrowserSocket

Enable browser socket for GnuPG agent.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/gnupg.nix>
programs.gnupg.agent.enableExtraSocket

Enable extra socket for GnuPG agent.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/gnupg.nix>
programs.gnupg.agent.enableSSHSupport

Enable SSH agent support in GnuPG agent. Also sets SSH_AUTH_SOCK environment variable correctly. This will disable socket-activation and thus always start a GnuPG agent per user session.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/gnupg.nix>
programs.gnupg.agent.pinentryPackage

Which pinentry package to use. The path to the mainProgram as defined in the package’s meta attributes will be set in /etc/gnupg/gpg-agent.conf. If not set by the user, it’ll pick an appropriate flavor depending on the system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce, gnome3 on all other systems with X enabled, curses otherwise).

Type: null or package

Default: matching the configured desktop environment or pkgs.pinentry-curses

Example: pkgs.pinentry-gnome3

Declared by:

<nixpkgs/nixos/modules/programs/gnupg.nix>
programs.gnupg.agent.settings

Configuration for /etc/gnupg/gpg-agent.conf. See gpg-agent(1) for supported options.

Type: attribute set of (atom (null, bool, int, float or string))

Default: { }

Example:

{
  default-cache-ttl = 600;
}

Declared by:

<nixpkgs/nixos/modules/programs/gnupg.nix>
programs.gnupg.dirmngr.enable

Enables GnuPG network certificate management daemon with socket-activation for every user session.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/gnupg.nix>
programs.goldwarden.enable

Whether to enable Goldwarden.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/goldwarden.nix>
programs.goldwarden.package

The goldwarden package to use.

Type: package

Default: pkgs.goldwarden

Declared by:

<nixpkgs/nixos/modules/programs/goldwarden.nix>
programs.goldwarden.useSshAgent

Whether to enable Goldwarden’s SSH Agent.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/goldwarden.nix>
programs.gpaste.enable

Whether to enable GPaste, a clipboard manager.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/gpaste.nix>
programs.gphoto2.enable

Whether to configure system to use gphoto2. To grant digital camera access to a user, the user must be part of the camera group: users.users.alice.extraGroups = ["camera"];

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/gphoto2.nix>
programs.gpu-screen-recorder.enable

Whether to install gpu-screen-recorder and generate setcap wrappers for promptless recording.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/gpu-screen-recorder.nix>
programs.gpu-screen-recorder.package

The gpu-screen-recorder package to use.

Type: package

Default: pkgs.gpu-screen-recorder

Declared by:

<nixpkgs/nixos/modules/programs/gpu-screen-recorder.nix>
programs.haguichi.enable

Whether to enable Haguichi, a Linux GUI frontend to the proprietary LogMeIn Hamachi.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/haguichi.nix>
programs.hamster.enable

Whether to enable hamster, a time tracking program.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/hamster.nix>
programs.htop.enable

Whether to enable htop process monitor.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/htop.nix>
programs.htop.package

The htop package to use.

Type: package

Default: pkgs.htop

Declared by:

<nixpkgs/nixos/modules/programs/htop.nix>
programs.htop.settings

Extra global default configuration for htop which is read on first startup only. Htop subsequently uses ~/.config/htop/htoprc as configuration source.

Type: attribute set of (string or signed integer or boolean or list of (string or signed integer or boolean))

Default: { }

Example:

{
  hide_kernel_threads = true;
  hide_userland_threads = true;
}

Declared by:

<nixpkgs/nixos/modules/programs/htop.nix>
programs.hyprland.enable

Whether to enable Hyprland, the dynamic tiling Wayland compositor that doesn’t sacrifice on its looks. You can manually launch Hyprland by executing Hyprland on a TTY. A configuration file will be generated in ~/.config/hypr/hyprland.conf. See https://wiki.hyprland.org for more information.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/hyprland.nix>
programs.hyprland.package

The hyprland package to use. If the package is not overridable with enableXWayland, then the module option xwayland will have no effect.

Type: package

Default: pkgs.hyprland

Declared by:

<nixpkgs/nixos/modules/programs/wayland/hyprland.nix>
programs.hyprland.portalPackage

The xdg-desktop-portal-hyprland package to use. If the package is not overridable with hyprland, then the Hyprland package used by the portal may differ from the one set in the module option package.

Type: package

Default: pkgs.xdg-desktop-portal-hyprland

Declared by:

<nixpkgs/nixos/modules/programs/wayland/hyprland.nix>
programs.hyprland.systemd.setPath.enable

Set environment path of systemd to include the current system’s bin directory. This is needed in Hyprland setups, where opening links in applications do not work. Enabled by default for Hyprland versions older than 0.41.2.

Type: boolean

Default: lib.versionOlder cfg.package.version "0.41.2"

Example: false

Declared by:

<nixpkgs/nixos/modules/programs/wayland/hyprland.nix>
programs.hyprland.withUWSM

Launch Hyprland with the UWSM (Universal Wayland Session Manager) session manager. This has improved systemd support and is recommended for most users. This automatically starts appropiate targets like graphical-session.target, and wayland-session@Hyprland.target.

Note

Some changes may need to be made to Hyprland configs depending on your setup, see Hyprland wiki.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/hyprland.nix>
programs.hyprland.xwayland.enable

Whether to enable XWayland.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/hyprland.nix>
programs.hyprlock.enable

Whether to enable hyprlock, Hyprland’s GPU-accelerated screen locking utility.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/hyprlock.nix>
programs.hyprlock.package

The hyprlock package to use.

Type: package

Default: pkgs.hyprlock

Declared by:

<nixpkgs/nixos/modules/programs/wayland/hyprlock.nix>
programs.i3lock.enable

Whether to enable i3lock.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/i3lock.nix>
programs.i3lock.package

The i3lock package to use. ::: {.note} The i3lock package must include a i3lock file or link in its out directory in order for the u2fSupport option to work correctly. :::

Type: package

Default: pkgs.i3lock

Example: i3lock-color

Declared by:

<nixpkgs/nixos/modules/programs/i3lock.nix>
programs.i3lock.u2fSupport

Whether to enable U2F support in the i3lock program. U2F enables authentication using a hardware device, such as a security key. When U2F support is enabled, the i3lock program will set the setuid bit on the i3lock binary and enable the pam u2fAuth service,

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/i3lock.nix>
programs.iay.enable

Whether to enable iay, a minimalistic shell prompt.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/iay.nix>
programs.iay.package

The iay package to use.

Type: package

Default: pkgs.iay

Declared by:

<nixpkgs/nixos/modules/programs/iay.nix>
programs.iay.minimalPrompt

Use minimal one-liner prompt.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/iay.nix>
programs.iftop.enable

Whether to enable iftop and setcap wrapper for it.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/iftop.nix>
programs.iio-hyprland.enable

Whether to enable iio-hyprland and iio-sensor-proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/iio-hyprland.nix>
programs.iio-hyprland.package

The iio-hyprland package to use.

Type: package

Default: pkgs.iio-hyprland

Declared by:

<nixpkgs/nixos/modules/programs/iio-hyprland.nix>
programs.immersed.enable

Whether to enable immersed.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/immersed.nix>
programs.immersed.package

The immersed package to use.

Type: package

Default: pkgs.immersed

Declared by:

<nixpkgs/nixos/modules/programs/immersed.nix>
programs.iotop.enable

Whether to enable iotop + setcap wrapper.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/iotop.nix>
programs.java.enable

Install and setup the Java development kit.

Note

This adds JAVA_HOME to the global environment, by sourcing the jdk’s setup-hook on shell init. It is equivalent to starting a shell through ‘nix-shell -p jdk’, or roughly the following system-wide configuration:

environment.variables.JAVA_HOME = ${pkgs.jdk.home}/lib/openjdk;
environment.systemPackages = [ pkgs.jdk ];

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/java.nix>
programs.java.package

The jdk package to use.

Type: package

Default: pkgs.jdk

Example: jre

Declared by:

<nixpkgs/nixos/modules/programs/java.nix>
programs.java.binfmt

Whether to enable binfmt to execute java jar’s and classes.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/java.nix>
programs.joycond-cemuhook.enable

Whether to enable joycond-cemuhook, a program to enable support for cemuhook’s UDP protocol for joycond devices.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/joycond-cemuhook.nix>
programs.k3b.enable

Whether to enable k3b, the KDE disk burning application.

Additionally to installing k3b enabling this will add setuid wrappers in /run/wrappers/bin for both cdrdao and cdrecord. On first run you must manually configure the path of cdrdae and cdrecord to correspond to the appropriate paths under /run/wrappers/bin in the “Setup External Programs” menu.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/k3b.nix>
programs.k40-whisperer.enable

Whether to enable K40-Whisperer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/k40-whisperer.nix>
programs.k40-whisperer.package

The k40-whisperer package to use.

Type: package

Default: pkgs.k40-whisperer

Declared by:

<nixpkgs/nixos/modules/programs/k40-whisperer.nix>
programs.k40-whisperer.group

Group assigned to the device when connected.

Type: string

Default: "k40"

Declared by:

<nixpkgs/nixos/modules/programs/k40-whisperer.nix>
programs.kbdlight.enable

Whether to enable kbdlight.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/kbdlight.nix>
programs.kclock.enable

Whether to enable KClock.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/kclock.nix>
programs.kde-pim.enable

Whether to enable KDE PIM base packages.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/kde-pim.nix>
programs.kde-pim.kmail

Whether to enable KMail.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/kde-pim.nix>
programs.kde-pim.kontact

Whether to enable Kontact.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/kde-pim.nix>
programs.kde-pim.merkuro

Whether to enable Merkuro.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/kde-pim.nix>
programs.kdeconnect.enable

Whether to enable kdeconnect.

Note that it will open the TCP and UDP port from 1714 to 1764 as they are needed for it to function properly. You can use the package to use gnomeExtensions.gsconnect as an alternative implementation if you use Gnome .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/kdeconnect.nix>
programs.kdeconnect.package

The kdeconnect-kde package to use.

Type: package

Default: pkgs.plasma5Packages.kdeconnect-kde

Example: gnomeExtensions.gsconnect

Declared by:

<nixpkgs/nixos/modules/programs/kdeconnect.nix>
programs.kubeswitch.enable

Whether to enable kubeswitch.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/kubeswitch.nix>
programs.kubeswitch.package

The package to install for kubeswitch

Type: package

Default: pkgs.kubeswitch

Declared by:

<nixpkgs/nixos/modules/programs/kubeswitch.nix>
programs.kubeswitch.commandName

The name of the command to use

Type: string

Default: "kswitch"

Declared by:

<nixpkgs/nixos/modules/programs/kubeswitch.nix>
programs.labwc.enable

Whether to enable labwc.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/labwc.nix>
programs.labwc.package

The labwc package to use.

Type: package

Default: pkgs.labwc

Declared by:

<nixpkgs/nixos/modules/programs/wayland/labwc.nix>
programs.ladybird.enable

Whether to enable the Ladybird web browser.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/ladybird.nix>
programs.lazygit.enable

Whether to enable lazygit, a simple terminal UI for git commands.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/lazygit.nix>
programs.lazygit.package

The lazygit package to use.

Type: package

Default: pkgs.lazygit

Declared by:

<nixpkgs/nixos/modules/programs/lazygit.nix>
programs.lazygit.settings

Lazygit configuration.

See https://github.com/jesseduffield/lazygit/blob/master/docs/Config.md for documentation.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/lazygit.nix>
programs.less.enable

Whether to enable less, a file pager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/less.nix>
programs.less.package

The less package to use.

Type: package

Default: pkgs.less

Declared by:

<nixpkgs/nixos/modules/programs/less.nix>
programs.less.clearDefaultCommands

Clear all default commands. You should remember to set the quit key. Otherwise you will not be able to leave less without killing it.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/less.nix>
programs.less.commands

Defines new command keys.

Type: attribute set of string

Default: { }

Example:

{
  h = "noaction 5\\e(";
  l = "noaction 5\\e)";
}

Declared by:

<nixpkgs/nixos/modules/programs/less.nix>
programs.less.configFile

Path to lesskey configuration file.

configFile takes precedence over commands, clearDefaultCommands, lineEditingKeys, and envVariables.

Type: null or path

Default: null

Example: "${pkgs.my-configs}/lesskey"

Declared by:

<nixpkgs/nixos/modules/programs/less.nix>
programs.less.envVariables

Defines environment variables.

Type: attribute set of string

Default:

{
  LESS = "-R";
}

Example:

{
  LESS = "--quit-if-one-screen";
}

Declared by:

<nixpkgs/nixos/modules/programs/less.nix>
programs.less.lessclose

When less closes a file opened in such a way, it will call another program, called the input postprocessor, which may perform any desired clean-up action (such as deleting the replacement file created by LESSOPEN).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/programs/less.nix>
programs.less.lessopen

Before less opens a file, it first gives your input preprocessor a chance to modify the way the contents of the file are displayed.

Type: null or string

Default: null

Example: "|${pkgs.lesspipe}/bin/lesspipe.sh %s"

Declared by:

<nixpkgs/nixos/modules/programs/less.nix>
programs.less.lineEditingKeys

Defines new line-editing keys.

Type: attribute set of string

Default: { }

Example:

{
  e = "abort";
}

Declared by:

<nixpkgs/nixos/modules/programs/less.nix>
programs.liboping.enable

Whether to enable liboping.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/liboping.nix>
programs.light.enable

Whether to install Light backlight control command and udev rules granting access to members of the “video” group.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/light.nix>
programs.light.brightnessKeys.enable

Whether to enable brightness control with keyboard keys.

This is mainly useful for minimalistic (desktop) environments. You may want to leave this disabled if you run a feature-rich desktop environment such as KDE, GNOME or Xfce as those handle the brightness keys themselves. However, enabling brightness control with this setting makes the control independent of X, so the keys work in non-graphical ttys, so you might want to consider using this instead of the default offered by the desktop environment.

Enabling this will turn on services.actkbd.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/light.nix>
programs.light.brightnessKeys.step

The percentage value by which to increase/decrease brightness.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/programs/light.nix>
programs.localsend.enable

Whether to enable localsend, an open source cross-platform alternative to AirDrop.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/localsend.nix>
programs.localsend.package

The localsend package to use.

Type: package

Default: pkgs.localsend

Declared by:

<nixpkgs/nixos/modules/programs/localsend.nix>
programs.localsend.openFirewall

Whether to enable opening the firewall port 53317 for receiving files.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/localsend.nix>
programs.mdevctl.enable

Whether to enable Mediated Device Management.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/mdevctl.nix>
programs.mepo.enable

Whether to enable Mepo, a fast, simple and hackable OSM map viewer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/mepo.nix>
programs.mepo.locationBackends.geoclue

Whether to enable location detection via geoclue

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/mepo.nix>
programs.mepo.locationBackends.gpsd

Whether to enable location detection via gpsd. This may require additional configuration of gpsd, see here

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/mepo.nix>
programs.mininet.enable

Whether to enable Mininet, an emulator for rapid prototyping of Software Defined Networks.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/mininet.nix>
programs.minipro.enable

Whether to enable minipro and its udev rules. Users of the plugdev group can interact with connected MiniPRO chip programmers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/minipro.nix>
programs.minipro.package

The minipro package to use.

Type: package

Default: pkgs.minipro

Declared by:

<nixpkgs/nixos/modules/programs/minipro.nix>
programs.miriway.enable

Whether to enable Miriway, a Mir based Wayland compositor. You can manually launch Miriway by executing “exec miriway” on a TTY, or launch it from a display manager. Copy /etc/xdg/xdg-miriway/miriway-shell.config to ~/.config/miriway-shell.config to modify the system-wide configuration on a per-user basis. See https://github.com/Miriway/Miriway, and “miriway --help” for more information.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/miriway.nix>
programs.miriway.config

Miriway’s config. This will be installed system-wide. The default will install the miriway package’s barebones example config.

Type: strings concatenated with “\n”

Default:

''
  x11-window-title=Miriway (Mir-on-X)
  idle-timeout=600
  ctrl-alt=t:miriway-terminal # Default "terminal emulator finder"
  
  shell-component=dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY
  
  meta=Left:@dock-left
  meta=Right:@dock-right
  meta=Space:@toggle-maximized
  meta=Home:@workspace-begin
  meta=End:@workspace-end
  meta=Page_Up:@workspace-up
  meta=Page_Down:@workspace-down
  ctrl-alt=BackSpace:@exit
''

Example:

''
  idle-timeout=300
  ctrl-alt=t:weston-terminal
  add-wayland-extensions=all
  
  shell-components=dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY
  
  shell-component=waybar
  shell-component=wbg Pictures/wallpaper
  
  shell-meta=a:synapse
  
  meta=Left:@dock-left
  meta=Right:@dock-right
  meta=Space:@toggle-maximized
  meta=Home:@workspace-begin
  meta=End:@workspace-end
  meta=Page_Up:@workspace-up
  meta=Page_Down:@workspace-down
  ctrl-alt=BackSpace:@exit
''

Declared by:

<nixpkgs/nixos/modules/programs/miriway.nix>
programs.mosh.enable

Whether to enable mosh.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/mosh.nix>
programs.mosh.openFirewall

Whether to automatically open the necessary ports in the firewall.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/mosh.nix>
programs.mosh.withUtempter

Whether to enable libutempter for mosh.

This is required so that mosh can write to /var/run/utmp (which can be queried with who to display currently connected user sessions). Note, this will add a guid wrapper for the group utmp!

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/mosh.nix>
programs.mouse-actions.enable

Whether to install and set up mouse-actions and it’s udev rules.

Note that only users in the “uinput” group will be able to use the package

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/mouse-actions.nix>
programs.mouse-actions.package

The mouse-actions package to use.

Type: package

Default: pkgs.mouse-actions

Example: mouse-actions-gui

Declared by:

<nixpkgs/nixos/modules/programs/mouse-actions.nix>
programs.mouse-actions.autorun

Whether to start a user service to run mouse-actions on startup.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/mouse-actions.nix>
programs.msmtp.enable

Whether to enable msmtp - an SMTP client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/msmtp.nix>
programs.msmtp.accounts

Named accounts and their respective configurations. The special name “default” allows a default account to be defined. See msmtp(1) for the available options.

Use programs.msmtp.extraConfig instead of this attribute set-based option if ordered account inheritance is needed.

It is advised to use the passwordeval setting to read the password from a secret file to avoid having it written in the world-readable nix store. The password file must end with a newline (\n).

Type: attribute set of (attribute set)

Default: { }

Example:

{
  default = {
    auth = true;
    host = "smtp.example";
    passwordeval = "cat /secrets/password.txt";
    user = "someone";
  };
}

Declared by:

<nixpkgs/nixos/modules/programs/msmtp.nix>
programs.msmtp.defaults

Default values applied to all accounts. See msmtp(1) for the available options.

Type: attribute set

Default: { }

Example:

{
  aliases = "/etc/aliases";
  port = 587;
  tls = true;
}

Declared by:

<nixpkgs/nixos/modules/programs/msmtp.nix>
programs.msmtp.extraConfig

Extra lines to add to the msmtp configuration verbatim. See msmtp(1) for the syntax and available options.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/msmtp.nix>
programs.msmtp.setSendmail

Whether to set the system sendmail to msmtp’s.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/msmtp.nix>
programs.mtr.enable

Whether to add mtr to the global environment and configure a setcap wrapper for it.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/mtr.nix>
programs.mtr.package

The mtr package to use.

Type: package

Default: pkgs.mtr

Declared by:

<nixpkgs/nixos/modules/programs/mtr.nix>
programs.nano.enable

Whether to enable nano, a small user-friendly console text editor.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nano.nix>
programs.nano.package

The nano package to use.

Type: package

Default: pkgs.nano

Declared by:

<nixpkgs/nixos/modules/programs/nano.nix>
programs.nano.nanorc

The system-wide nano configuration. See nanorc(5).

Type: strings concatenated with “\n”

Default: ""

Example:

''
  set nowrap
  set tabstospaces
  set tabsize 2
''

Declared by:

<nixpkgs/nixos/modules/programs/nano.nix>
programs.nano.syntaxHighlight

Whether to enable syntax highlight for various languages.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/nano.nix>
programs.nautilus-open-any-terminal.enable

Whether to enable nautilus-open-any-terminal.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nautilus-open-any-terminal.nix>
programs.nautilus-open-any-terminal.terminal

The terminal emulator to add to context-entry of nautilus. Supported terminal emulators are listed in https://github.com/Stunkymonkey/nautilus-open-any-terminal#supported-terminal-emulators.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/programs/nautilus-open-any-terminal.nix>
programs.nbd.enable

Whether to enable Network Block Device (nbd) support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nbd.nix>
programs.neovim.enable

Whether to enable Neovim.

When enabled through this option, Neovim is wrapped to use a configuration managed by this module. The configuration file in the user’s home directory at ~/.config/nvim/init.vim is no longer loaded by default.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.neovim.package

The neovim-unwrapped package to use.

Type: package

Default: pkgs.neovim-unwrapped

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.neovim.configure

Generate your init file from your list of plugins and custom commands. Neovim will then be wrapped to load nvim -u /nix/store/«hash»-vimrc

Type: attribute set

Default: { }

Example:

{
  customRC = ''
    " here your custom configuration goes!
  '';
  packages.myVimPackage = with pkgs.vimPlugins; {
    # loaded on launch
    start = [ fugitive ];
    # manually loadable by calling `:packadd $plugin-name`
    opt = [ ];
  };
}

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.neovim.defaultEditor

When enabled, installs neovim and configures neovim to be the default editor using the EDITOR environment variable.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.neovim.runtime

Set of files that have to be linked in runtime.

Type: attribute set of (submodule)

Default: { }

Example:

{ "ftplugin/c.vim".text = "setlocal omnifunc=v:lua.vim.lsp.omnifunc"; }

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.neovim.runtime.<name>.enable

Whether this runtime directory should be generated. This option allows specific runtime files to be disabled.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.neovim.runtime.<name>.source

Path of the source file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.neovim.runtime.<name>.target

Name of symlink. Defaults to the attribute name.

Type: string

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.neovim.runtime.<name>.text

Text of the file.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.neovim.viAlias

Symlink vi to nvim binary.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.neovim.vimAlias

Symlink vim to nvim binary.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.neovim.withNodeJs

Enable Node provider.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.neovim.withPython3

Enable Python 3 provider.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.neovim.withRuby

Enable Ruby provider.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/neovim.nix>
programs.nethoscope.enable

Whether to add nethoscope to the global environment and configure a setcap wrapper for it.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/nethoscope.nix>
programs.nexttrace.enable

Whether to enable Nexttrace to the global environment and configure a setcap wrapper for it.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nexttrace.nix>
programs.nexttrace.package

The nexttrace package to use.

Type: package

Default: pkgs.nexttrace

Declared by:

<nixpkgs/nixos/modules/programs/nexttrace.nix>
programs.nh.enable

Whether to enable nh, yet another Nix CLI helper.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nh.nix>
programs.nh.package

The nh package to use.

Type: package

Default: pkgs.nh

Declared by:

<nixpkgs/nixos/modules/programs/nh.nix>
programs.nh.clean.enable

Whether to enable periodic garbage collection with nh clean all.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nh.nix>
programs.nh.clean.dates

How often cleanup is performed. Passed to systemd.time

The format is described in systemd.time(7).

Type: (optionally newline-terminated) single-line string

Default: "weekly"

Declared by:

<nixpkgs/nixos/modules/programs/nh.nix>
programs.nh.clean.extraArgs

Options given to nh clean when the service is run automatically.

See nh clean all --help for more information.

Type: (optionally newline-terminated) single-line string

Default: ""

Example: "--keep 5 --keep-since 3d"

Declared by:

<nixpkgs/nixos/modules/programs/nh.nix>
programs.nh.flake

The path that will be used for the FLAKE environment variable.

FLAKE is used by nh as the default flake for performing actions, like nh os switch.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/programs/nh.nix>
programs.niri.enable

Whether to enable Niri, a scrollable-tiling Wayland compositor.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/niri.nix>
programs.niri.package

The niri package to use.

Type: package

Default: pkgs.niri

Declared by:

<nixpkgs/nixos/modules/programs/wayland/niri.nix>
programs.nix-index.enable

Whether to enable nix-index, a file database for nixpkgs.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nix-index.nix>
programs.nix-index.enableBashIntegration

Whether to enable Bash integration.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nix-index.nix>
programs.nix-index.enableFishIntegration

Whether to enable Fish integration.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nix-index.nix>
programs.nix-index.enableZshIntegration

Whether to enable Zsh integration.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nix-index.nix>
programs.nix-index.package

The nix-index package to use.

Type: package

Default: pkgs.nix-index

Declared by:

<nixpkgs/nixos/modules/programs/nix-index.nix>
programs.nix-ld.enable

Whether to enable nix-ld, Documentation: https://github.com/Mic92/nix-ld.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nix-ld.nix>
programs.nix-ld.package

The nix-ld package to use.

Type: package

Default: pkgs.nix-ld

Declared by:

<nixpkgs/nixos/modules/programs/nix-ld.nix>
programs.nix-ld.libraries

Libraries that automatically become available to all programs. The default set includes common libraries.

Type: list of package

Default: baseLibraries derived from systemd and nix dependencies.

Declared by:

<nixpkgs/nixos/modules/programs/nix-ld.nix>
programs.nix-required-mounts.enable

Whether to enable Expose extra paths to the sandbox depending on derivations’ requiredSystemFeatures.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nix-required-mounts.nix>
programs.nix-required-mounts.allowedPatterns

The hook config, describing which paths to mount for which system features

Type: attribute set of (submodule)

Default:

{
  opengl.paths = config.hardware.opengl.extraPackages ++ [
    config.hardware.opengl.package
    pkgs.addDriverRunpath.driverLink
    "/dev/dri"
  ];
}

Example:

{
  require-ipfs = {
    onFeatures = [
      "ifps"
    ];
    paths = [
      "/ipfs"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/programs/nix-required-mounts.nix>
programs.nix-required-mounts.allowedPatterns.<name>.onFeatures

Which requiredSystemFeatures should trigger relaxation of the sandbox

Type: list of string

Default:

[
  "‹name›"
]

Declared by:

<nixpkgs/nixos/modules/programs/nix-required-mounts.nix>
programs.nix-required-mounts.allowedPatterns.<name>.paths

A list of glob patterns, indicating which paths to expose to the sandbox

Type: list of (path or (submodule))

Declared by:

<nixpkgs/nixos/modules/programs/nix-required-mounts.nix>
programs.nix-required-mounts.allowedPatterns.<name>.unsafeFollowSymlinks

Whether to enable Instructs the hook to mount the symlink targets as well, when any of the paths contain symlinks. This may not work correctly with glob patterns. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nix-required-mounts.nix>
programs.nix-required-mounts.extraWrapperArgs

List of extra arguments (such as --add-flags -v) to pass to the hook’s wrapper

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/nix-required-mounts.nix>
programs.nix-required-mounts.presets.nvidia-gpu.enable

Whether to enable Declare the support for derivations that require an Nvidia GPU to be available, e.g. derivations with requiredSystemFeatures = [ "cuda" ]. This mounts the corresponding userspace drivers and device nodes in the sandbox, but only for derivations that request these special features.

You may extend or override the exposed paths via the programs.nix-required-mounts.allowedPatterns.nvidia-gpu.paths option. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nix-required-mounts.nix>
programs.nm-applet.enable

Whether to enable nm-applet, a NetworkManager control applet for GNOME.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nm-applet.nix>
programs.nm-applet.indicator

Whether to use indicator instead of status icon. It is needed for Appindicator environments, like Enlightenment.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/nm-applet.nix>
programs.nncp.enable

Whether to enable NNCP (Node to Node copy) utilities and configuration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/nncp.nix>
programs.nncp.package

The nncp package to use.

Type: package

Default: pkgs.nncp

Declared by:

<nixpkgs/nixos/modules/programs/nncp.nix>
programs.nncp.group

The group under which NNCP files shall be owned. Any member of this group may access the secret keys of this NNCP node.

Type: string

Default: "uucp"

Declared by:

<nixpkgs/nixos/modules/programs/nncp.nix>
programs.nncp.secrets

A list of paths to NNCP configuration files that should not be in the Nix store. These files are layered on top of the values at programs.nncp.settings.

Type: list of string

Example:

[
  "/run/keys/nncp.hjson"
]

Declared by:

<nixpkgs/nixos/modules/programs/nncp.nix>
programs.nncp.settings

NNCP configuration, see http://www.nncpgo.org/Configuration.html. At runtime these settings will be overlayed by the contents of programs.nncp.secrets into the file /run/nncp.hjson. Node keypairs go in secrets, do not specify them in settings as they will be leaked into /nix/store!

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/nncp.nix>
programs.noisetorch.enable

Whether to enable noisetorch (+ setcap wrapper), a virtual microphone device with noise suppression.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/noisetorch.nix>
programs.noisetorch.package

The noisetorch package to use.

Type: package

Default: pkgs.noisetorch

Declared by:

<nixpkgs/nixos/modules/programs/noisetorch.nix>
programs.npm.enable

Whether to enable npm global config.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/npm.nix>
programs.npm.package

The npm package to use.

Type: package

Default: pkgs.nodePackages.npm

Example: nodePackages_13_x.npm

Declared by:

<nixpkgs/nixos/modules/programs/npm.nix>
programs.npm.npmrc

The system-wide npm configuration. See https://docs.npmjs.com/misc/config.

Type: strings concatenated with “\n”

Default:

''
  prefix = ''${HOME}/.npm
''

Example:

''
  prefix = ''${HOME}/.npm
  https-proxy=proxy.example.com
  init-license=MIT
  init-author-url=https://www.npmjs.com/
  color=true
''

Declared by:

<nixpkgs/nixos/modules/programs/npm.nix>
programs.ns-usbloader.enable

Whether to enable ns-usbloader application with udev rules applied.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/ns-usbloader.nix>
programs.obs-studio.enable

Whether to enable Free and open source software for video recording and live streaming.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/obs-studio.nix>
programs.obs-studio.enableVirtualCamera

Installs and sets up the v4l2loopback kernel module, necessary for OBS to start a virtual camera.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/obs-studio.nix>
programs.obs-studio.package

The obs-studio package to use.

Type: null or package

Default: pkgs.obs-studio

Example: obs-studio

Declared by:

<nixpkgs/nixos/modules/programs/obs-studio.nix>
programs.obs-studio.plugins

Optional OBS plugins.

Type: list of package

Default: [ ]

Example: [ pkgs.obs-studio-plugins.wlrobs ]

Declared by:

<nixpkgs/nixos/modules/programs/obs-studio.nix>
programs.oddjobd.enable

Whether to enable oddjob, a D-Bus service which runs odd jobs on behalf of client applications.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/oddjobd.nix>
programs.oddjobd.package

The oddjob package to use.

Type: package

Default: pkgs.oddjob

Declared by:

<nixpkgs/nixos/modules/programs/oddjobd.nix>
programs.openvpn3.enable

Whether to enable the openvpn3 client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/openvpn3.nix>
programs.openvpn3.package

The openvpn3 package to use.

Type: package

Default: pkgs.openvpn3

Declared by:

<nixpkgs/nixos/modules/programs/openvpn3.nix>
programs.openvpn3.log-service

Log service configuration

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/openvpn3.nix>
programs.openvpn3.log-service.settings

Options stored in /etc/openvpn3/log-service.json configuration file

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/openvpn3.nix>
programs.openvpn3.log-service.settings.journald

Use systemd-journald

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/programs/openvpn3.nix>
programs.openvpn3.log-service.settings.log_dbus_details

Add D-Bus details in log file/syslog

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/programs/openvpn3.nix>
programs.openvpn3.log-service.settings.log_level

How verbose should the logging be

Type: integer between 0 and 7 (both inclusive)

Default: 3

Example: 6

Declared by:

<nixpkgs/nixos/modules/programs/openvpn3.nix>
programs.openvpn3.log-service.settings.timestamp

Add timestamp log file

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/openvpn3.nix>
programs.openvpn3.netcfg

Network configuration

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/openvpn3.nix>
programs.openvpn3.netcfg.settings

Options stored in /etc/openvpn3/netcfg.json configuration file

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/openvpn3.nix>
programs.openvpn3.netcfg.settings.systemd_resolved

Whether to use systemd-resolved integration

Type: boolean

Default: config.services.resolved.enable

Example: false

Declared by:

<nixpkgs/nixos/modules/programs/openvpn3.nix>
programs.partition-manager.enable

Whether to enable KDE Partition Manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/partition-manager.nix>
programs.partition-manager.package

The partitionmanager package to use.

Type: package

Default: pkgs.libsForQt5.partitionmanager

Declared by:

<nixpkgs/nixos/modules/programs/partition-manager.nix>
programs.pay-respects.enable

Whether to enable pay-respects, an app which corrects your previous console command.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/pay-respects.nix>
programs.pay-respects.alias

pay-respects needs an alias to be configured. The default value is f, but you can use anything else as well.

Type: string

Default: "f"

Declared by:

<nixpkgs/nixos/modules/programs/pay-respects.nix>
programs.plotinus.enable

Whether to enable the Plotinus GTK 3 plugin. Plotinus provides a popup (triggered by Ctrl-Shift-P) to search the menus of a compatible application.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/plotinus.nix>
programs.pqos-wrapper.enable

Whether to enable PQoS Wrapper for BenchExec.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/pqos-wrapper.nix>
programs.pqos-wrapper.package

The pqos-wrapper package to use.

Type: package

Default: pkgs.pqos-wrapper

Declared by:

<nixpkgs/nixos/modules/programs/pqos-wrapper.nix>
programs.projecteur.enable

Whether to enable projecteur, an application for the Logitech Spotlight device (and similar).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/projecteur.nix>
programs.projecteur.package

The projecteur package to use.

Type: package

Default: pkgs.projecteur

Declared by:

<nixpkgs/nixos/modules/programs/projecteur.nix>
programs.proxychains.enable

Whether to enable proxychains configuration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.package

The proxychains package to use.

Type: package

Default: pkgs.proxychains

Example: proxychains-ng

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.chain.length

Chain length for random chain.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.chain.type

dynamic - Each connection will be done via chained proxies all proxies chained in the order as they appear in the list at least one proxy must be online to play in chain (dead proxies are skipped) otherwise EINTR is returned to the app.

strict - Each connection will be done via chained proxies all proxies chained in the order as they appear in the list all proxies must be online to play in chain otherwise EINTR is returned to the app.

random - Each connection will be done via random proxy (or proxy chain, see programs.proxychains.chain.length) from the list.

Type: one of “dynamic”, “strict”, “random”

Default: "strict"

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.localnet

By default enable localnet for loopback address ranges.

Type: string

Default: "127.0.0.0/255.0.0.0"

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.proxies

Proxies to be used by proxychains.

Type: attribute set of (submodule)

Example:

{ myproxy =
  { type = "socks4";
    host = "127.0.0.1";
    port = 1337;
  };
}

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.proxies.<name>.enable

Whether to enable this proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.proxies.<name>.host

Proxy host or IP address.

Type: string

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.proxies.<name>.port

Proxy port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.proxies.<name>.type

Proxy type.

Type: one of “http”, “socks4”, “socks5”

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.proxyDNS

Proxy DNS requests - no leak for DNS data.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.quietMode

Whether to enable Quiet mode (no output from the library).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.remoteDNSSubnet

Set the class A subnet number to use for the internal remote DNS mapping, uses the reserved 224.x.x.x range by default.

Type: one of 10, 127, 224

Default: 224

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.tcpConnectTimeOut

Connection time-out in milliseconds.

Type: signed integer

Default: 8000

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.proxychains.tcpReadTimeOut

Connection read time-out in milliseconds.

Type: signed integer

Default: 15000

Declared by:

<nixpkgs/nixos/modules/programs/proxychains.nix>
programs.pulseview.enable

Whether to enable pulseview, a sigrok GUI.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/pulseview.nix>
programs.qdmr.enable

Whether to enable QDMR - a GUI application and command line tool for programming DMR radios.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/qdmr.nix>
programs.qdmr.package

The qdmr package to use.

Type: package

Default: pkgs.qdmr

Declared by:

<nixpkgs/nixos/modules/programs/qdmr.nix>
programs.qgroundcontrol.enable

Whether to enable qgroundcontrol.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/qgroundcontrol.nix>
programs.qgroundcontrol.package

The qgroundcontrol package to use.

Type: package

Default: pkgs.qgroundcontrol

Declared by:

<nixpkgs/nixos/modules/programs/qgroundcontrol.nix>
programs.qgroundcontrol.blacklistModemManagerFromTTYUSB

Disallow ModemManager from interfering with serial connections that QGroundControl might use.

Note that if you use a modem that’s connected via USB, you might want to disable this option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/qgroundcontrol.nix>
programs.quark-goldleaf.enable

Whether to enable quark-goldleaf with udev rules applied.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/quark-goldleaf.nix>
programs.regreet.enable

Enable ReGreet, a clean and customizable greeter for greetd.

To use ReGreet, services.greetd has to be enabled and services.greetd.settings.default_session should contain the appropriate configuration to launch config.programs.regreet.package. For examples, see the ReGreet Readme.

A minimal configuration that launches ReGreet in cage is enabled by this module by default.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.regreet.package

The regreet package to use.

Type: package

Default: pkgs.greetd.regreet

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.regreet.cageArgs

Additional arguments to be passed to cage.

Type: list of string

Default:

[
  "-s"
]

Example:

[ "-s" "-m" "last" ]

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.regreet.cursorTheme.package

The package that provides the cursor theme given in the name option.

Type: package

Default: pkgs.adwaita-icon-theme

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.regreet.cursorTheme.name

Name of the cursor theme to use for regreet.

Type: string

Default: "Adwaita"

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.regreet.extraCss

Extra CSS rules to apply on top of the GTK theme. Refer to GTK CSS Properties for modifiable properties.

Type: path or strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.regreet.font.package

The package that provides the font given in the name option.

Type: package

Default: pkgs.cantarell-fonts

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.regreet.font.name

Name of the font to use for regreet.

Type: string

Default: "Cantarell"

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.regreet.font.size

Size of the font to use for regreet.

Type: positive integer, meaning >0

Default: 16

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.regreet.iconTheme.package

The package that provides the icon theme given in the name option.

Type: package

Default: pkgs.adwaita-icon-theme

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.regreet.iconTheme.name

Name of the icon theme to use for regreet.

Type: string

Default: "Adwaita"

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.regreet.settings

ReGreet configuration file. Refer https://github.com/rharish101/ReGreet/blob/main/regreet.sample.toml for options.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.regreet.theme.package

The package that provides the theme given in the name option.

Type: package

Default: pkgs.gnome-themes-extra

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.regreet.theme.name

Name of the theme to use for regreet.

Type: string

Default: "Adwaita"

Declared by:

<nixpkgs/nixos/modules/programs/regreet.nix>
programs.river.enable

Whether to enable river, a dynamic tiling Wayland compositor.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/river.nix>
programs.river.package

The river package to use. If the package is not overridable with xwaylandSupport, then the module option xwayland will have no effect.

Set to null to not add any River package to your path. This should be done if you want to use the Home Manager River module to install River.

Type: null or package

Default: pkgs.river

Declared by:

<nixpkgs/nixos/modules/programs/wayland/river.nix>
programs.river.extraPackages

Extra packages to be installed system wide. See Common X11 apps used on i3 with Wayland alternatives for a list of useful software.

Type: list of package

Default:

with pkgs; [ swaylock foot dmenu ];

Example:

with pkgs; [ termite rofi light ]

Declared by:

<nixpkgs/nixos/modules/programs/wayland/river.nix>
programs.river.xwayland.enable

Whether to enable XWayland.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/river.nix>
programs.rog-control-center.enable

Whether to enable the rog-control-center application.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/rog-control-center.nix>
programs.rog-control-center.autoStart

Whether rog-control-center should be started automatically.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/rog-control-center.nix>
programs.rust-motd.enable

Whether to enable rust-motd, a Message Of The Day (MOTD) generator.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/rust-motd.nix>
programs.rust-motd.enableMotdInSSHD

Whether to let openssh print the result when entering a new ssh-session. By default either nothing or a static file defined via users.motd is printed. Because of that, the latter option is incompatible with this module.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/rust-motd.nix>
programs.rust-motd.order

The order of the sections in programs.rust-motd.settings. By default they are ordered alphabetically.

Context: since attribute sets in Nix are always ordered alphabetically internally this means that

{
  uptime = { /* ... */ };
  banner = { /* ... */ };
}

will still have banner displayed before uptime.

To work around that, this option can be used to define the order of all keys, i.e.

{
  order = [
    "uptime"
    "banner"
  ];
}

makes sure that uptime is placed before banner in the motd.

Type: list of string

Default: attrNames cfg.settings

Declared by:

<nixpkgs/nixos/modules/programs/rust-motd.nix>
programs.rust-motd.refreshInterval

Interval in which the motd(5) file is refreshed. For possible formats, please refer to systemd.time(7).

Type: string

Default: "*:0/5"

Declared by:

<nixpkgs/nixos/modules/programs/rust-motd.nix>
programs.rust-motd.settings

Settings on what to generate. Please read the upstream documentation for further information.

Type: attribute set of (TOML value)

Declared by:

<nixpkgs/nixos/modules/programs/rust-motd.nix>
programs.ryzen-monitor-ng.enable

Whether to enable ryzen_monitor_ng, a userspace application for setting and getting Ryzen SMU (System Management Unit) parameters via the ryzen_smu kernel driver.

Monitor power information of Ryzen processors via the PM table of the SMU.

SMU Set and Get for many parameters and CO counts.

https://github.com/mann1x/ryzen_monitor_ng

WARNING: Damage cause by use of your AMD processor outside of official AMD specifications or outside of factory settings are not covered under any AMD product warranty and may not be covered by your board or system manufacturer’s warranty .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/ryzen-monitor-ng.nix>
programs.ryzen-monitor-ng.package

The ryzen-monitor-ng package to use.

Type: package

Default: pkgs.ryzen-monitor-ng

Declared by:

<nixpkgs/nixos/modules/programs/ryzen-monitor-ng.nix>
programs.screen.enable

Whether to enable screen, a basic terminal multiplexer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/screen.nix>
programs.screen.package

The screen package to use.

Type: package

Default: pkgs.screen

Declared by:

<nixpkgs/nixos/modules/programs/screen.nix>
programs.screen.screenrc

The contents of /etc/screenrc file

Type: strings concatenated with “\n”

Default: ""

Example:

''
  defscrollback 10000
  startup_message off
''

Declared by:

<nixpkgs/nixos/modules/programs/screen.nix>
programs.seahorse.enable

Whether to enable Seahorse, a GNOME application for managing encryption keys and passwords in the GNOME Keyring.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/seahorse.nix>
programs.sedutil.enable

Whether to enable sedutil, to manage self encrypting drives that conform to the Trusted Computing Group OPAL 2.0 SSC specification.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/sedutil.nix>
programs.sharing.enable

Whether to enable sharing, a CLI tool for sharing files.

Note that it will opens the 7478 port for TCP in the firewall, which is needed for it to function properly .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/sharing.nix>
programs.singularity.enable

Whether to install Singularity/Apptainer with system-level overriding such as SUID support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/singularity.nix>
programs.singularity.enableExternalLocalStateDir

Whether to use top-level directories as LOCALSTATEDIR instead of the store path ones. This affects the SESSIONDIR of Apptainer/Singularity. If set to true, the SESSIONDIR will become /var/lib/${projectName}/mnt/session.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/programs/singularity.nix>
programs.singularity.enableFakeroot

Whether to enable the --fakeroot support of Singularity/Apptainer.

This option is deprecated and has no effect. --fakeroot support is enabled automatically, as systemBinPaths = [ "/run/wrappers/bin" ] is always specified.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/singularity.nix>
programs.singularity.enableSuid

Whether to enable the SUID support of Singularity/Apptainer.

Type: boolean

Default: config.services.singularity.package.projectName != "apptainer"

Example: false

Declared by:

<nixpkgs/nixos/modules/programs/singularity.nix>
programs.singularity.package

The singularity package to use.

Type: package

Default: pkgs.singularity

Example: apptainer

Declared by:

<nixpkgs/nixos/modules/programs/singularity.nix>
programs.singularity.packageOverriden

This option provides access to the overridden result of programs.singularity.package.

For example, the following configuration makes all the Nixpkgs packages use the overridden singularity:

{ config, lib, pkgs, ... }:
{
  nixpkgs.overlays = [
    (final: prev: {
      _singularity-orig = prev.singularity;
      singularity = config.programs.singularity.packageOverriden;
    })
  ];
  programs.singularity.enable = true;
  programs.singularity.package = pkgs._singularity-orig;
}

Use lib.mkForce to forcefully specify the overridden package.

Type: null or package

Default: null

Declared by:

<nixpkgs/nixos/modules/programs/singularity.nix>
programs.singularity.systemBinPaths

(Extra) system-wide /**/bin paths for Apptainer/Singularity to find command-line utilities in.

"/run/wrappers/bin" is included by default to make utilities with SUID bit set available to Apptainer/Singularity. Use lib.mkForce to shadow the default values.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/singularity.nix>
programs.skim.package

The skim package to use.

Type: package

Default: pkgs.skim

Declared by:

<nixpkgs/nixos/modules/programs/skim.nix>
programs.skim.fuzzyCompletion

Whether to enable fuzzy completion with skim.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/skim.nix>
programs.skim.keybindings

Whether to enable skim keybindings.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/skim.nix>
programs.slock.enable

Whether to install slock screen locker with setuid wrapper.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/slock.nix>
programs.slock.package

The slock package to use.

Type: package

Default: pkgs.slock

Declared by:

<nixpkgs/nixos/modules/programs/slock.nix>
programs.sniffnet.enable

Whether to enable sniffnet, a network traffic monitor application.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/sniffnet.nix>
programs.soundmodem.enable

Whether to add Soundmodem to the global environment and configure a wrapper for ‘soundmodemconfig’ for users in the ‘soundmodem’ group.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/soundmodem.nix>
programs.soundmodem.package

The soundmodem package to use.

Type: package

Default: pkgs.soundmodem

Declared by:

<nixpkgs/nixos/modules/programs/soundmodem.nix>
programs.spacefm.enable

Whether to install SpaceFM and create /etc/spacefm/spacefm.conf.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/spacefm.nix>
programs.spacefm.settings

The system-wide spacefm configuration. Parameters to be written to /etc/spacefm/spacefm.conf. Refer to the relevant entry in the SpaceFM manual.

Type: attribute set

Default:

{
  tmp_dir = "/tmp";
  terminal_su = "${pkgs.sudo}/bin/sudo";
}

Declared by:

<nixpkgs/nixos/modules/programs/spacefm.nix>
programs.ssh.enableAskPassword

Whether to configure SSH_ASKPASS in the environment.

Type: boolean

Default: config.services.xserver.enable

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.package

The openssh package to use.

Type: package

Default: pkgs.openssh

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.agentPKCS11Whitelist

A pattern-list of acceptable paths for PKCS#11 shared libraries that may be used with the -s option to ssh-add.

Type: null or string

Default: null

Example: "${pkgs.opensc}/lib/opensc-pkcs11.so"

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.agentTimeout

How long to keep the private keys in memory. Use null to keep them forever.

Type: null or string

Default: null

Example: "1h"

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.askPassword

Program used by SSH to ask for passwords.

Type: string

Default: "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.ciphers

Specifies the ciphers allowed and their order of preference.

Type: null or (list of string)

Default: null

Example:

[
  "chacha20-poly1305@openssh.com"
  "aes256-gcm@openssh.com"
]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.extraConfig

Extra configuration text prepended to ssh_config. Other generated options will be added after a Host * pattern. See ssh_config(5) for help.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.forwardX11

Whether to request X11 forwarding on outgoing connections by default. If set to null, the option is not set at all. This is useful for running graphical programs on the remote machine and have them display to your local X11 server. Historically, this value has depended on the value used by the local sshd daemon, but there really isn’t a relation between the two. Note: there are some security risks to forwarding an X11 connection. NixOS’s X server is built with the SECURITY extension, which prevents some obvious attacks. To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh. The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.

Type: null or boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.hostKeyAlgorithms

Specifies the host key algorithms that the client wants to use in order of preference.

Type: list of string

Default: [ ]

Example:

[
  "ssh-ed25519"
  "ssh-rsa"
]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.kexAlgorithms

Specifies the available KEX (Key Exchange) algorithms.

Type: null or (list of string)

Default: null

Example:

[
  "curve25519-sha256@libssh.org"
  "diffie-hellman-group-exchange-sha256"
]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.knownHosts

The set of system-wide known SSH hosts. To make simple setups more convenient the name of an attribute in this set is used as a host name for the entry. This behaviour can be disabled by setting hostNames explicitly. You can use extraHostNames to add additional host names without disabling this default.

Type: attribute set of (submodule)

Default: { }

Example:

{
  myhost = {
    extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
    publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
  };
  "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
  "myhost2.net/dsa" = {
    hostNames = [ "myhost2.net" ];
    publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
  };
}

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.knownHosts.<name>.certAuthority

This public key is an SSH certificate authority, rather than an individual host’s key.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.knownHosts.<name>.extraHostNames

A list of additional host names and/or IP numbers used for accessing the host’s ssh service. This list is ignored if hostNames is set explicitly.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.knownHosts.<name>.hostNames

A list of host names and/or IP numbers used for accessing the host’s ssh service. This list includes the name of the containing knownHosts attribute by default for convenience. If you wish to configure multiple host keys for the same host use multiple knownHosts entries with different attribute names and the same hostNames list.

Type: list of string

Default: [ ‹name› ] ++ config.programs.ssh.knownHosts.<name>.extraHostNames

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.knownHosts.<name>.publicKey

The public key data for the host. You can fetch a public key from a running SSH server with the ssh-keyscan command. The public key should not include any host names, only the key type and the key itself.

Type: null or string

Default: null

Example: "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.knownHosts.<name>.publicKeyFile

The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. You can fetch a public key file from a running SSH server with the ssh-keyscan command. The content of the file should follow the same format as described for the publicKey option. Only a single key is supported. If a host has multiple keys, use programs.ssh.knownHostsFiles instead.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.knownHostsFiles

Files containing SSH host keys to set as global known hosts. /etc/ssh/ssh_known_hosts (which is generated by programs.ssh.knownHosts) is always included.

Type: list of path

Default: [ ]

Example:

[
  ./known_hosts
  (writeText "github.keys" ''
    github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
    github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
  '')
]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.macs

Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used for data integrity protection.

Type: null or (list of string)

Default: null

Example:

[
  "hmac-sha2-512-etm@openssh.com"
  "hmac-sha1"
]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.pubkeyAcceptedKeyTypes

Specifies the key lib.types that will be used for public key authentication.

Type: list of string

Default: [ ]

Example:

[
  "ssh-ed25519"
  "ssh-rsa"
]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.setXAuthLocation

Whether to set the path to xauth for X11-forwarded connections. This causes a dependency on X11 packages.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.ssh.startAgent

Whether to start the OpenSSH agent when you log in. The OpenSSH agent remembers private keys for you so that you don’t have to type in passphrases every time you make an SSH connection. Use ssh-add to add a key to the agent.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
programs.starship.enable

Whether to enable the Starship shell prompt.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/starship.nix>
programs.starship.package

The starship package to use.

Type: package

Default: pkgs.starship

Declared by:

<nixpkgs/nixos/modules/programs/starship.nix>
programs.starship.interactiveOnly

Whether to enable starship only when the shell is interactive. Some plugins require this to be set to false to function correctly .

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/starship.nix>
programs.starship.presets

Presets files to be merged with settings in order.

Type: list of string

Default: [ ]

Example:

[
  "nerd-font-symbols"
]

Declared by:

<nixpkgs/nixos/modules/programs/starship.nix>
programs.starship.settings

Configuration included in starship.toml.

See https://starship.rs/config/#prompt for documentation.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/starship.nix>
programs.steam.enable

Whether to enable steam.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.package

The Steam package to use. Additional libraries are added from the system configuration to ensure graphics work properly.

Use this option to customise the Steam package rather than adding your custom Steam to environment.systemPackages yourself.

Type: package

Default: pkgs.steam

Example:

pkgs.steam.override {
  extraEnv = {
    MANGOHUD = true;
    OBS_VKCAPTURE = true;
    RADV_TEX_ANISO = 16;
  };
  extraLibraries = p: with p; [
    atk
  ];
}

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.dedicatedServer.openFirewall

Open ports in the firewall for Source Dedicated Server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.extest.enable

Whether to enable Load the extest library into Steam, to translate X11 input events to uinput events (e.g. for using Steam Input on Wayland) .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.extraCompatPackages

Extra packages to be used as compatibility tools for Steam on Linux. Packages will be included in the STEAM_EXTRA_COMPAT_TOOLS_PATHS environmental variable. For more information see https://github.com/ValveSoftware/steam-for-linux/issues/6310.

These packages must be Steam compatibility tools that have a steamcompattool output.

Type: list of package

Default: [ ]

Example:

with pkgs; [
  proton-ge-bin
]

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.extraPackages

Additional packages to add to the Steam environment.

Type: list of package

Default: [ ]

Example:

with pkgs; [
  gamescope
]

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.fontPackages

Font packages to use in Steam.

Defaults to system fonts, but could be overridden to use other fonts — useful for users who would like to customize CJK fonts used in Steam. According to the upstream issue, Steam only follows the per-user fontconfig configuration.

Type: list of package

Default: builtins.filter lib.types.package.check config.fonts.packages

Example: with pkgs; [ source-han-sans ]

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.gamescopeSession

Run a GameScope driven Steam session from your display-manager

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.gamescopeSession.enable

Whether to enable GameScope Session.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.gamescopeSession.args

Arguments to be passed to GameScope for the session.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.gamescopeSession.env

Environmental variables to be passed to GameScope for the session.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.localNetworkGameTransfers.openFirewall

Open ports in the firewall for Steam Local Network Game Transfers.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.protontricks.enable

Whether to enable protontricks, a simple wrapper for running Winetricks commands for Proton-enabled games.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.protontricks.package

The protontricks package to use.

Type: package

Default: pkgs.protontricks

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.steam.remotePlay.openFirewall

Open ports in the firewall for Steam Remote Play.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/steam.nix>
programs.streamcontroller.enable

Whether to enable StreamController.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/streamcontroller.nix>
programs.streamcontroller.package

The streamcontroller package to use.

Type: package

Default: pkgs.streamcontroller

Declared by:

<nixpkgs/nixos/modules/programs/streamcontroller.nix>
programs.streamdeck-ui.enable

Whether to enable streamdeck-ui.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/streamdeck-ui.nix>
programs.streamdeck-ui.package

The streamdeck-ui package to use.

Type: package

Default: pkgs.streamdeck-ui

Declared by:

<nixpkgs/nixos/modules/programs/streamdeck-ui.nix>
programs.streamdeck-ui.autoStart

Whether streamdeck-ui should be started automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/streamdeck-ui.nix>
programs.sway.enable

Whether to enable Sway, the i3-compatible tiling Wayland compositor. You can manually launch Sway by executing “exec sway” on a TTY. Copy /etc/sway/config to ~/.config/sway/config to modify the default configuration. See https://github.com/swaywm/sway/wiki and “man 5 sway” for more information.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/sway.nix>
programs.sway.package

The sway package to use. If the package is not overridable with extraSessionCommands, extraOptions, withBaseWrapper, withGtkWrapper, enableXWayland and isNixOS, then the module options wrapperFeatures, extraSessionCommands, extraOptions and xwayland will have no effect.

Set to null to not add any Sway package to your path. This should be done if you want to use the Home Manager Sway module to install Sway.

Type: null or package

Default: pkgs.sway

Declared by:

<nixpkgs/nixos/modules/programs/wayland/sway.nix>
programs.sway.extraOptions

Command line arguments passed to launch Sway. Please DO NOT report issues if you use an unsupported GPU (proprietary drivers).

Type: list of string

Default: [ ]

Example:

[
  "--verbose"
  "--debug"
  "--unsupported-gpu"
]

Declared by:

<nixpkgs/nixos/modules/programs/wayland/sway.nix>
programs.sway.extraPackages

Extra packages to be installed system wide. See https://github.com/swaywm/sway/wiki/Useful-add-ons-for-sway and https://github.com/swaywm/sway/wiki/i3-Migration-Guide#common-x11-apps-used-on-i3-with-wayland-alternatives for a list of useful software.

Type: list of package

Default:

with pkgs; [ brightnessctl foot grim pulseaudio swayidle swaylock wmenu ];

Example:

with pkgs; [ i3status i3status-rust termite rofi light ]

Declared by:

<nixpkgs/nixos/modules/programs/wayland/sway.nix>
programs.sway.extraSessionCommands

Shell commands executed just before Sway is started. See https://github.com/swaywm/sway/wiki/Running-programs-natively-under-wayland and https://github.com/swaywm/wlroots/blob/master/docs/env_vars.md for some useful environment variables.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  # SDL:
  export SDL_VIDEODRIVER=wayland
  # QT (needs qt5.qtwayland in systemPackages):
  export QT_QPA_PLATFORM=wayland-egl
  export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
  # Fix for some Java AWT applications (e.g. Android Studio),
  # use this if they aren't displayed properly:
  export _JAVA_AWT_WM_NONREPARENTING=1
''

Declared by:

<nixpkgs/nixos/modules/programs/wayland/sway.nix>
programs.sway.wrapperFeatures.base

Whether to enable the base wrapper to execute extra session commands and prepend a dbus-run-session to the sway command.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/sway.nix>
programs.sway.wrapperFeatures.gtk

Whether to enable the wrapGAppsHook wrapper to execute sway with required environment variables for GTK applications.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/sway.nix>
programs.sway.xwayland.enable

Whether to enable XWayland.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/sway.nix>
programs.sysdig.enable

Whether to enable sysdig, a tracing tool.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/sysdig.nix>
programs.system-config-printer.enable

Whether to enable system-config-printer, a Graphical user interface for CUPS administration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/system-config-printer.nix>
programs.systemtap.enable

Install systemtap along with necessary kernel options.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/systemtap.nix>
programs.tcpdump.enable

Whether to configure a setcap wrapper for tcpdump. To use it, add your user to the pcap group.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/tcpdump.nix>
programs.thefuck.enable

Whether to enable thefuck, an app which corrects your previous console command.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/thefuck.nix>
programs.thefuck.alias

thefuck needs an alias to be configured. The default value is fuck, but you can use anything else as well.

Type: string

Default: "fuck"

Declared by:

<nixpkgs/nixos/modules/programs/thefuck.nix>
programs.thunar.enable

Whether to enable Thunar, the Xfce file manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/thunar.nix>
programs.thunar.plugins

List of thunar plugins to install.

Type: list of package

Default: [ ]

Example: with pkgs.xfce; [ thunar-archive-plugin thunar-volman ]

Declared by:

<nixpkgs/nixos/modules/programs/thunar.nix>
programs.thunderbird.enable

Whether to enable Thunderbird mail client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/thunderbird.nix>
programs.thunderbird.package

The thunderbird package to use.

Type: package

Default: pkgs.thunderbird

Declared by:

<nixpkgs/nixos/modules/programs/thunderbird.nix>
programs.thunderbird.policies

Group policies to install.

See Thunderbird’s documentation for a list of available options.

This can be used to install extensions declaratively! Check out the documentation of the ExtensionSettings policy for details.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/thunderbird.nix>
programs.thunderbird.preferences

Preferences to set from about:config.

Some of these might be able to be configured more ergonomically using policies.

Type: attribute set of (boolean or signed integer or string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/thunderbird.nix>
programs.thunderbird.preferencesStatus

The status of thunderbird.preferences.

status can assume the following values:

  • "default": Preferences appear as default.

  • "locked": Preferences appear as default and can’t be changed.

  • "user": Preferences appear as changed.

  • "clear": Value has no effect. Resets to factory defaults on each startup.

Type: one of “default”, “locked”, “user”, “clear”

Default: "locked"

Declared by:

<nixpkgs/nixos/modules/programs/thunderbird.nix>
programs.tmux.enable

Whenever to configure tmux system-wide.

Type: boolean

Default: false

Related packages:

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.aggressiveResize

Resize the window to the size of the smallest session for which it is the current window.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.baseIndex

Base index for windows and panes.

Type: signed integer

Default: 0

Example: 1

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.clock24

Use 24 hour clock.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.customPaneNavigationAndResize

Override the hjkl and HJKL bindings for pane navigation and resizing in VI mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.escapeTime

Time in milliseconds for which tmux waits after an escape is input.

Type: signed integer

Default: 500

Example: 0

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.extraConfig

Additional contents of /etc/tmux.conf, to be run after sourcing plugins.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.extraConfigBeforePlugins

Additional contents of /etc/tmux.conf, to be run before sourcing plugins.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.historyLimit

Maximum number of lines held in window history.

Type: signed integer

Default: 2000

Example: 5000

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.keyMode

VI or Emacs style shortcuts.

Type: one of “emacs”, “vi”

Default: "emacs"

Example: "vi"

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.newSession

Automatically spawn a session if trying to attach and none are running.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.plugins

List of plugins to install.

Type: list of package

Default: [ ]

Example: [ pkgs.tmuxPlugins.nord ]

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.resizeAmount

Number of lines/columns when resizing.

Type: signed integer

Default: 5

Example: 10

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.reverseSplit

Reverse the window split shortcuts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.secureSocket

Store tmux socket under /run, which is more secure than /tmp, but as a downside it doesn’t survive user logout.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.shortcut

Ctrl following by this key is used as the main shortcut.

Type: string

Default: "b"

Example: "a"

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.terminal

Set the $TERM variable. Use tmux-direct if italics or 24bit true color support is needed.

Type: string

Default: "screen"

Example: "screen-256color"

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.tmux.withUtempter

Whether to enable libutempter for tmux. This is required so that tmux can write to /var/run/utmp (which can be queried with who to display currently connected user sessions). Note, this will add a guid wrapper for the group utmp!

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/tmux.nix>
programs.traceroute.enable

Whether to configure a setcap wrapper for traceroute.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/traceroute.nix>
programs.trippy.enable

Whether to enable trippy, a network diagnostic tool.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/trippy.nix>
programs.tsmClient.enable

Whether to enable IBM Storage Protect (Tivoli Storage Manager, TSM) client command line applications with a client system-options file “dsm.sys” .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/tsm-client.nix>
programs.tsmClient.package

The tsm-client package to use. It will be used with .override to add paths to the client system-options file.

Type: package

Default: pkgs.tsm-client

Example: tsm-client-withGui

Declared by:

<nixpkgs/nixos/modules/programs/tsm-client.nix>
programs.tsmClient.defaultServername

If multiple server stanzas are declared with programs.tsmClient.servers, this option may be used to name a default server stanza that IBM TSM uses in the absence of a user-defined dsm.opt file. This option translates to a defaultserver configuration line.

Type: null or string matching the pattern [^[:space:]]{1,64}

Default: null

Example: "mainTsmServer"

Declared by:

<nixpkgs/nixos/modules/programs/tsm-client.nix>
programs.tsmClient.dsmSysText

This configuration key contains the effective text of the client system-options file “dsm.sys”. It should not be changed, but may be used to feed the configuration into other TSM-depending packages used on the system.

Type: strings concatenated with “\n” (read only)

Declared by:

<nixpkgs/nixos/modules/programs/tsm-client.nix>
programs.tsmClient.servers

Server definitions (“stanzas”) for the client system-options file. The name of each entry will be used for the internal servername by default. Each attribute will be transformed into a line with a key-value pair within the server’s stanza. Integers as values will be canonically turned into strings. The boolean value true will be turned into a line with just the attribute’s name. The value null will not generate a line. A list as values generates an entry for each value, according to the rules above.

Type: attribute set of (attribute set of (one of true, <null> or signed integer or path or (optionally newline-terminated) single-line string or list of (one of true, <null> or signed integer or path or (optionally newline-terminated) single-line string)))

Default: { }

Example:

{
  mainTsmServer = {
    compression = "yes";
    nodename = "MY-TSM-NODE";
    tcpserveraddress = "tsmserver.company.com";
  };
}

Declared by:

<nixpkgs/nixos/modules/programs/tsm-client.nix>
programs.tsmClient.servers.<name>.genPasswd

Whether to enable automatic client password generation. This option does not cause a line in dsm.sys by itself, but generates a corresponding passwordaccess directive. The password will be stored in the directory given by the option passworddir. Caution: If this option is enabled and the server forces to renew the password (e.g. on first connection), a random password will be generated and stored .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/tsm-client.nix>
programs.tsmClient.servers.<name>.inclexcl

Text lines with include.* and exclude.* directives to be used when sending files to the IBM TSM server, or an absolute path pointing to a file with such lines.

Type: (null or path) or strings concatenated with “\n” convertible to it

Default: null

Example:

''
  exclude.dir     /nix/store
  include.encrypt /home/.../*
''

Declared by:

<nixpkgs/nixos/modules/programs/tsm-client.nix>
programs.tsmClient.servers.<name>.nodename

Target node name on the IBM TSM server.

Type: non-empty string

Example: "MY-TSM-NODE"

Declared by:

<nixpkgs/nixos/modules/programs/tsm-client.nix>
programs.tsmClient.servers.<name>.passworddir

Directory that holds the TSM node’s password information.

Type: null or path

Default: null

Example: "/home/alice/tsm-password"

Declared by:

<nixpkgs/nixos/modules/programs/tsm-client.nix>
programs.tsmClient.servers.<name>.servername

Local name of the IBM TSM server, must not contain space or more than 64 chars.

Type: string matching the pattern [^[:space:]]{1,64}

Default: "‹name›"

Example: "mainTsmServer"

Declared by:

<nixpkgs/nixos/modules/programs/tsm-client.nix>
programs.tsmClient.servers.<name>.tcpport

TCP port of the IBM TSM server. TSM does not support ports above 32767.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1500

Declared by:

<nixpkgs/nixos/modules/programs/tsm-client.nix>
programs.tsmClient.servers.<name>.tcpserveraddress

Host/domain name or IP address of the IBM TSM server.

Type: non-empty string

Example: "tsmserver.company.com"

Declared by:

<nixpkgs/nixos/modules/programs/tsm-client.nix>
programs.tsmClient.wrappedPackage

The tsm-client package to use. This option is to provide the effective derivation, wrapped with the path to the client system-options file “dsm.sys”. It should not be changed, but exists for other modules that want to call TSM executables.

Type: package (read only)

Declared by:

<nixpkgs/nixos/modules/programs/tsm-client.nix>
programs.turbovnc.ensureHeadlessSoftwareOpenGL

Whether to set up NixOS such that TurboVNC’s built-in software OpenGL implementation works.

This will enable hardware.graphics.enable so that OpenGL programs can find Mesa’s llvmpipe drivers.

Setting this option to false does not mean that software OpenGL won’t work; it may still work depending on your system configuration.

This option is also intended to generate warnings if you are using some configuration that’s incompatible with using headless software OpenGL in TurboVNC.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/turbovnc.nix>
programs.tuxclocker.enable

Whether to enable TuxClocker, a hardware control and monitoring program .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/tuxclocker.nix>
programs.tuxclocker.enableAMD

Whether to enable AMD GPU controls. Sets the amdgpu.ppfeaturemask kernel parameter to 0xfffd7fff to enable all TuxClocker controls .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/tuxclocker.nix>
programs.tuxclocker.enabledNVIDIADevices

Enable NVIDIA GPU controls for a device by index. Sets the Coolbits Xorg option to enable all TuxClocker controls.

Type: list of signed integer

Default: [ ]

Example:

[
  0
  1
]

Declared by:

<nixpkgs/nixos/modules/services/misc/tuxclocker.nix>
programs.tuxclocker.useUnfree

Whether to use components requiring unfree dependencies. Disabling this allows you to get everything from the binary cache.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/tuxclocker.nix>
programs.udevil.enable

Whether to enable udevil, to mount filesystems without password.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/udevil.nix>
programs.usbtop.enable

Whether to enable usbtop and required kernel module, to show estimated USB bandwidth.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/usbtop.nix>
programs.uwsm.enable

Whether to enable uwsm, which wraps standalone Wayland compositors with a set of Systemd units on the fly. This essentially binds the wayland compositor into graphical-session-pre.target, graphical-session.target, xdg-desktop-autostart.target.

This is useful for Wayland compositors like Hyprland, Sway, Wayfire, etc. that do not start these targets and services on their own.

Note

You must configure waylandCompositors suboptions as well so that UWSM knows which compositors to manage.

Additionally, this by default uses dbus-broker as the dbus implementation for better compatibility. If you dislike this behavior you can set services.dbus.implementation = lib.mkForce "dbus" in your configuration.

If you are having trouble starting a service that depends on graphical-session.target, while using a WM, enabling this option might help .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/uwsm.nix>
programs.uwsm.package

The uwsm package to use.

Type: package

Default: pkgs.uwsm

Declared by:

<nixpkgs/nixos/modules/programs/wayland/uwsm.nix>
programs.uwsm.waylandCompositors

Configuration for UWSM-managed Wayland Compositors. This creates a desktop entry file which will be used by Display Managers like GDM, to allow starting the UWSM managed session.

Type: attribute set of (submodule)

Example:

hyprland = {
  prettyName = "Hyprland";
  comment = "Hyprland compositor managed by UWSM";
  binPath = "/run/current-system/sw/bin/Hyprland";
};
sway = {
  prettyName = "Sway";
  comment = "Sway compositor managed by UWSM";
  binPath = "/run/current-system/sw/bin/sway";
};

Declared by:

<nixpkgs/nixos/modules/programs/wayland/uwsm.nix>
programs.uwsm.waylandCompositors.<name>.binPath

The wayland-compositor binary path that will be called by UWSM.

It is recommended to use the /run/current-system/sw/bin/ path instead of lib.getExe pkgs.<compositor> to avoid version mismatch of the compositor used by UWSM and the one installed in the system.

Type: path

Example: "/run/current-system/sw/bin/ExampleCompositor"

Declared by:

<nixpkgs/nixos/modules/programs/wayland/uwsm.nix>
programs.uwsm.waylandCompositors.<name>.comment

The comment field of the desktop entry file.

Type: string

Default: "An intelligent Wayland compositor managed by UWSM."

Declared by:

<nixpkgs/nixos/modules/programs/wayland/uwsm.nix>
programs.uwsm.waylandCompositors.<name>.prettyName

The full name of the desktop entry file.

Type: string

Example: "ExampleWaylandCompositor"

Declared by:

<nixpkgs/nixos/modules/programs/wayland/uwsm.nix>
programs.vim.enable

Whether to enable Vi IMproved, an advanced text.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/vim.nix>
programs.vim.package

The vim package to use.

Type: package

Default: pkgs.vim

Example: vim-full

Declared by:

<nixpkgs/nixos/modules/programs/vim.nix>
programs.vim.defaultEditor

Whether to enable vim as the default editor.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/vim.nix>
programs.virt-manager.enable

Whether to enable virt-manager, an UI for managing virtual machines in libvirt.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/virt-manager.nix>
programs.virt-manager.package

The virt-manager package to use.

Type: package

Default: pkgs.virt-manager

Declared by:

<nixpkgs/nixos/modules/programs/virt-manager.nix>
programs.wavemon.enable

Whether to add wavemon to the global environment and configure a setcap wrapper for it.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/wavemon.nix>
programs.waybar.enable

Whether to enable waybar, a highly customizable Wayland bar for Sway and Wlroots based compositors.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/waybar.nix>
programs.waybar.package

The waybar package to use.

Type: package

Default: pkgs.waybar

Declared by:

<nixpkgs/nixos/modules/programs/wayland/waybar.nix>
programs.wayfire.enable

Whether to enable Wayfire, a wayland compositor based on wlroots.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/wayfire.nix>
programs.wayfire.package

The wayfire package to use.

Type: package

Default: pkgs.wayfire

Declared by:

<nixpkgs/nixos/modules/programs/wayland/wayfire.nix>
programs.wayfire.plugins

Additional plugins to use with the wayfire window manager.

Type: list of package

Default: with pkgs.wayfirePlugins; [ wcm wf-shell ]

Example:

with pkgs.wayfirePlugins; [
  wcm
  wf-shell
  wayfire-plugins-extra
];

Declared by:

<nixpkgs/nixos/modules/programs/wayland/wayfire.nix>
programs.wayfire.xwayland.enable

Whether to enable XWayland.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/wayfire.nix>
programs.wayland.miracle-wm.enable

Whether to enable miracle-wm, a tiling Mir based Wayland compositor. You can manually launch miracle-wm by executing “exec miracle-wm” on a TTY, or launch it from a display manager. Consult the USERGUIDE.md at https://github.com/mattkae/miracle-wm for information on how to use & configure it .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wayland/miracle-wm.nix>
programs.weylus.enable

Whether to enable weylus, which turns your smart phone into a graphic tablet/touch screen for your computer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/weylus.nix>
programs.weylus.package

The weylus package to use.

Type: package

Default: pkgs.weylus

Declared by:

<nixpkgs/nixos/modules/programs/weylus.nix>
programs.weylus.openFirewall

Open ports needed for the functionality of the program.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/weylus.nix>
programs.weylus.users

To enable stylus and multi-touch support, the user you’re going to use must be added to this list. These users can synthesize input events system-wide, even when another user is logged in - untrusted users should not be added.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/weylus.nix>
programs.winbox.enable

Whether to enable MikroTik Winbox.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/winbox.nix>
programs.winbox.package

The winbox package to use.

Type: package

Default: pkgs.winbox

Declared by:

<nixpkgs/nixos/modules/programs/winbox.nix>
programs.winbox.openFirewall

Whether to open ports for the MikroTik Neighbor Discovery protocol. Required for Winbox neighbor discovery.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/winbox.nix>
programs.wireshark.enable

Whether to add Wireshark to the global environment and configure a setcap wrapper for ‘dumpcap’ for users in the ‘wireshark’ group.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/wireshark.nix>
programs.wireshark.package

The wireshark-cli package to use.

Type: package

Default: pkgs.wireshark-cli

Example: wireshark

Declared by:

<nixpkgs/nixos/modules/programs/wireshark.nix>
programs.wshowkeys.enable

Whether to enable wshowkeys (displays keypresses on screen on supported Wayland compositors). It requires root permissions to read input events, but these permissions are dropped after startup.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/wshowkeys.nix>
programs.wshowkeys.package

The wshowkeys package to use.

Type: package

Default: pkgs.wshowkeys

Declared by:

<nixpkgs/nixos/modules/programs/wshowkeys.nix>
programs.xastir.enable

Whether to enable Xastir Graphical APRS client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/xastir.nix>
programs.xfconf.enable

Whether to enable Xfconf, the Xfce configuration storage system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/xfconf.nix>
programs.xfs_quota.projects

Setup of xfs_quota projects. Make sure the filesystem is mounted with the pquota option.

Type: attribute set of (submodule)

Default: { }

Example:

{
  projname = {
    id = 50;
    path = "/xfsprojects/projname";
    sizeHardLimit = "50g";
  };
}

Declared by:

<nixpkgs/nixos/modules/programs/xfs_quota.nix>
programs.xfs_quota.projects.<name>.fileSystem

XFS filesystem hosting the xfs_quota project.

Type: string

Default: "/"

Declared by:

<nixpkgs/nixos/modules/programs/xfs_quota.nix>
programs.xfs_quota.projects.<name>.id

Project ID.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/programs/xfs_quota.nix>
programs.xfs_quota.projects.<name>.path

Project directory.

Type: string

Declared by:

<nixpkgs/nixos/modules/programs/xfs_quota.nix>
programs.xfs_quota.projects.<name>.sizeHardLimit

Hard limit of the project size.

Type: null or string

Default: null

Example: "50g"

Declared by:

<nixpkgs/nixos/modules/programs/xfs_quota.nix>
programs.xfs_quota.projects.<name>.sizeSoftLimit

Soft limit of the project size

Type: null or string

Default: null

Example: "30g"

Declared by:

<nixpkgs/nixos/modules/programs/xfs_quota.nix>
programs.xonsh.enable

Whether to configure xonsh as an interactive shell.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/xonsh.nix>
programs.xonsh.package

The xonsh package to use.

Type: package

Default: pkgs.xonsh

Example: pkgs.xonsh.override { extraPackages = ps: [ ps.requests ]; }

Declared by:

<nixpkgs/nixos/modules/programs/xonsh.nix>
programs.xonsh.config

Control file to customize your shell behavior.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/xonsh.nix>
programs.xss-lock.enable

Whether to enable xss-lock.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/xss-lock.nix>
programs.xss-lock.extraOptions

Additional command-line arguments to pass to xss-lock.

Type: list of string

Default: [ ]

Example:

[
  "--ignore-sleep"
]

Declared by:

<nixpkgs/nixos/modules/programs/xss-lock.nix>
programs.xss-lock.lockerCommand

Locker to be used with xsslock

Type: strings concatenated with " "

Default: "${pkgs.i3lock}/bin/i3lock"

Example: "${pkgs.i3lock-fancy}/bin/i3lock-fancy"

Declared by:

<nixpkgs/nixos/modules/programs/xss-lock.nix>
programs.xwayland.enable

Whether to enable Xwayland (an X server for interfacing X11 apps with the Wayland protocol).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/xwayland.nix>
programs.xwayland.package

The Xwayland package to use.

Type: path

Default:

pkgs.xwayland.override (oldArgs: {
  inherit (config.programs.xwayland) defaultFontPath;
})

Declared by:

<nixpkgs/nixos/modules/programs/xwayland.nix>
programs.xwayland.defaultFontPath

Default font path. Setting this option causes Xwayland to be rebuilt.

Type: string

Default:

optionalString config.fonts.fontDir.enable "/run/current-system/sw/share/X11/fonts"

Declared by:

<nixpkgs/nixos/modules/programs/xwayland.nix>
programs.yabar.enable

Whether to enable yabar, a status bar for X window managers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/yabar.nix>
programs.yabar.package

The package which contains the yabar binary.

Nixpkgs provides the yabar and yabar-unstable, so it’s possible to choose.

Type: package

Default: pkgs.yabar-unstable

Example: pkgs.yabar

Declared by:

<nixpkgs/nixos/modules/programs/yabar.nix>
programs.yabar.bars

List of bars that should be rendered by yabar.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/yabar.nix>
programs.yabar.bars.<name>.extra

An attribute set which contains further attributes of a bar.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/yabar.nix>
programs.yabar.bars.<name>.font

The font that will be used to draw the status bar.

Type: string

Default: "sans bold 9"

Example: "Droid Sans, FontAwesome Bold 9"

Declared by:

<nixpkgs/nixos/modules/programs/yabar.nix>
programs.yabar.bars.<name>.indicators

Indicators that should be rendered by yabar.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/yabar.nix>
programs.yabar.bars.<name>.indicators.<name>.align

Whether to align the indicator at the left or right of the bar.

Type: one of “left”, “center”, “right”

Default: "left"

Example: "right"

Declared by:

<nixpkgs/nixos/modules/programs/yabar.nix>
programs.yabar.bars.<name>.indicators.<name>.exec

The type of the indicator to be executed.

Type: string

Example: "YABAR_DATE"

Declared by:

<nixpkgs/nixos/modules/programs/yabar.nix>
programs.yabar.bars.<name>.indicators.<name>.extra

An attribute set which contains further attributes of a indicator.

Type: attribute set of (string or signed integer)

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/yabar.nix>
programs.yabar.bars.<name>.position

The position where the bar will be rendered.

Type: one of “top”, “bottom”

Default: "top"

Example: "bottom"

Declared by:

<nixpkgs/nixos/modules/programs/yabar.nix>
programs.yazi.enable

Whether to enable yazi terminal file manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/yazi.nix>
programs.yazi.package

The yazi package to use.

Type: package

Default: pkgs.yazi

Declared by:

<nixpkgs/nixos/modules/programs/yazi.nix>
programs.yazi.flavors

Pre-made themes.

See https://yazi-rs.github.io/docs/flavors/overview/ for documentation.

Type: attribute set of (path or package)

Default: { }

Example:

{
  foo = ./foo;
  bar = pkgs.bar;
}

Declared by:

<nixpkgs/nixos/modules/programs/yazi.nix>
programs.yazi.initLua

The init.lua for Yazi itself.

Type: null or path

Default: null

Example: ./init.lua

Declared by:

<nixpkgs/nixos/modules/programs/yazi.nix>
programs.yazi.plugins

Lua plugins.

See https://yazi-rs.github.io/docs/plugins/overview/ for documentation.

Type: attribute set of (path or package)

Default: { }

Example:

{
  foo = ./foo;
  bar = pkgs.bar;
}

Declared by:

<nixpkgs/nixos/modules/programs/yazi.nix>
programs.yazi.settings

Configuration included in $YAZI_CONFIG_HOME.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/yazi.nix>
programs.yazi.settings.keymap

Configuration included in keymap.toml.

See https://yazi-rs.github.io/docs/configuration/keymap/ for documentation.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/yazi.nix>
programs.yazi.settings.theme

Configuration included in theme.toml.

See https://yazi-rs.github.io/docs/configuration/theme/ for documentation.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/yazi.nix>
programs.yazi.settings.yazi

Configuration included in yazi.toml.

See https://yazi-rs.github.io/docs/configuration/yazi/ for documentation.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/yazi.nix>
programs.ydotool.enable

Whether to enable ydotoold system service and ydotool for members of programs.ydotool.group. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/ydotool.nix>
programs.ydotool.group

Group which users must be in to use ydotool.

Type: string

Default: "ydotool"

Declared by:

<nixpkgs/nixos/modules/programs/ydotool.nix>
programs.yubikey-touch-detector.enable

Whether to enable yubikey-touch-detector.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/yubikey-touch-detector.nix>
programs.yubikey-touch-detector.libnotify

If set to true, yubikey-touch-detctor will send notifications using libnotify

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/yubikey-touch-detector.nix>
programs.yubikey-touch-detector.unixSocket

If set to true, yubikey-touch-detector will send notifications to a unix socket

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/yubikey-touch-detector.nix>
programs.yubikey-touch-detector.verbose

Enables verbose logging

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/yubikey-touch-detector.nix>
programs.zmap.enable

Whether to enable ZMap, a network scanner designed for Internet-wide network surveys.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/zmap.nix>
programs.zsh.enable

Whether to configure zsh as an interactive shell. To enable zsh for a particular user, use the users.users.<name?>.shell option for that user. To enable zsh system-wide use the users.defaultUserShell option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.enableBashCompletion

Enable compatibility with bash’s programmable completion system.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.enableCompletion

Enable zsh completion for all interactive zsh shells.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.enableGlobalCompInit

Enable execution of compinit call for all interactive zsh shells.

This option can be disabled if the user wants to extend its fpath and a custom compinit call in the local config is required.

Type: boolean

Default: config.programs.zsh.enableCompletion

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.enableLsColors

Enable extra colors in directory listings (used by ls and tree).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.autosuggestions.enable

Whether to enable zsh-autosuggestions.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix>
programs.zsh.autosuggestions.async

Whether to fetch suggestions asynchronously

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix>
programs.zsh.autosuggestions.extraConfig

Attribute set with additional configuration values

Type: attribute set of string

Default: { }

Example:

{
  "ZSH_AUTOSUGGEST_BUFFER_MAX_SIZE" = "20";
}

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix>
programs.zsh.autosuggestions.highlightStyle

Highlight style for suggestions ({fore,back}ground color)

Type: string

Default: "fg=8"

Example: "fg=cyan"

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix>
programs.zsh.autosuggestions.strategy

ZSH_AUTOSUGGEST_STRATEGY is an array that specifies how suggestions should be generated. The strategies in the array are tried successively until a suggestion is found. There are currently three built-in strategies to choose from:

  • history: Chooses the most recent match from history.

  • completion: Chooses a suggestion based on what tab-completion would suggest. (requires zpty module)

  • match_prev_cmd: Like history, but chooses the most recent match whose preceding history item matches the most recently executed command. Note that this strategy won’t work as expected with ZSH options that don’t preserve the history order such as HIST_IGNORE_ALL_DUPS or HIST_EXPIRE_DUPS_FIRST.

Type: list of (one of “history”, “completion”, “match_prev_cmd”)

Default:

[
  "history"
]

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh-autosuggestions.nix>
programs.zsh.histFile

Change history file.

Type: string

Default: "$HOME/.zsh_history"

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.histSize

Change history size.

Type: signed integer

Default: 2000

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.interactiveShellInit

Shell script code called during interactive zsh shell initialisation.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.loginShellInit

Shell script code called during zsh login shell initialisation.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.ohMyZsh.enable

Enable oh-my-zsh.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
programs.zsh.ohMyZsh.package

The oh-my-zsh package to use.

Type: package

Default: pkgs.oh-my-zsh

Declared by:

<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
programs.zsh.ohMyZsh.cacheDir

Cache directory to be used by oh-my-zsh. Without this option it would default to the read-only nix store.

Type: string

Default: "$HOME/.cache/oh-my-zsh"

Declared by:

<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
programs.zsh.ohMyZsh.custom

Path to a custom oh-my-zsh package to override config of oh-my-zsh. (Can’t be used along with customPkgs).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
programs.zsh.ohMyZsh.customPkgs

List of custom packages that should be loaded into oh-my-zsh.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
programs.zsh.ohMyZsh.plugins

List of oh-my-zsh plugins

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
programs.zsh.ohMyZsh.preLoaded

Shell commands executed before the oh-my-zsh is loaded. For example, to disable async git prompt write zstyle ':omz:alpha:lib:git' async-prompt no (more information https://github.com/ohmyzsh/ohmyzsh?tab=readme-ov-file#async-git-prompt)

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
programs.zsh.ohMyZsh.theme

Name of the theme to be used by oh-my-zsh.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/zsh/oh-my-zsh.nix>
programs.zsh.promptInit

Shell script code used to initialise the zsh prompt.

Type: strings concatenated with “\n”

Default:

''
  # Note that to manually override this in ~/.zshrc you should run `prompt off`
  # before setting your PS1 and etc. Otherwise this will likely to interact with
  # your ~/.zshrc configuration in unexpected ways as the default prompt sets
  # a lot of different prompt variables.
  autoload -U promptinit && promptinit && prompt suse && setopt prompt_sp
''

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.setOptions

Configure zsh options. See zshoptions(1).

Type: list of string

Default:

[
  "HIST_IGNORE_DUPS"
  "SHARE_HISTORY"
  "HIST_FCNTL_LOCK"
]

Example:

[
  "EXTENDED_HISTORY"
  "RM_STAR_WAIT"
]

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.shellAliases

Set of aliases for zsh shell, which overrides environment.shellAliases. See environment.shellAliases for an option format description.

Type: attribute set of (null or string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.shellInit

Shell script code called during zsh shell initialisation.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh.nix>
programs.zsh.syntaxHighlighting.enable

Whether to enable zsh-syntax-highlighting.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix>
programs.zsh.syntaxHighlighting.highlighters

Specifies the highlighters to be used by zsh-syntax-highlighting.

The following defined options can be found here: https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md

Type: list of (one of “main”, “brackets”, “pattern”, “cursor”, “regexp”, “root”, “line”)

Default:

[
  "main"
]

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix>
programs.zsh.syntaxHighlighting.patterns

Specifies custom patterns to be highlighted by zsh-syntax-highlighting.

Please refer to the docs for more information about the usage: https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters/pattern.md

Type: attribute set of string

Default: { }

Example:

{
  "rm -rf *" = "fg=white,bold,bg=red";
}

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix>
programs.zsh.syntaxHighlighting.styles

Specifies custom styles to be highlighted by zsh-syntax-highlighting.

Please refer to the docs for more information about the usage: https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters/main.md

Type: attribute set of string

Default: { }

Example:

{
  "alias" = "fg=magenta,bold";
}

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh-syntax-highlighting.nix>
programs.zsh.vteIntegration

Whether to enable Zsh integration for VTE terminals. This allows it to preserve the current directory of the shell across terminals.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/vte.nix>
programs.zsh.zsh-autoenv.enable

Whether to enable zsh-autoenv.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh-autoenv.nix>
programs.zsh.zsh-autoenv.package

The zsh-autoenv package to use.

Type: package

Default: pkgs.zsh-autoenv

Declared by:

<nixpkgs/nixos/modules/programs/zsh/zsh-autoenv.nix>
qt.enable

Whether to enable Qt configuration, including theming.

Enabling this option is necessary for Qt plugins to work in the installed profiles (e.g.: nix-env -i or environment.systemPackages).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/qt.nix>
qt.platformTheme

Selects the platform theme to use for Qt applications.

The options are

Type: null or one of “gnome”, “gtk2”, “kde”, “lxqt”, “qt5ct”

Default: null

Example: "gnome"

Related packages:

Declared by:

<nixpkgs/nixos/modules/config/qt.nix>
qt.style

Selects the style to use for Qt applications.

The options are

  • adwaita, adwaita-dark, adwaita-highcontrast, adawaita-highcontrastinverse: Use Adwaita Qt style with adwaita

  • breeze: Use the Breeze style from breeze

  • bb10bright, bb10dark, cleanlooks, gtk2, motif, plastique: Use styles from qtstyleplugins

  • kvantum: Use styles from kvantum

Type: null or one of “adwaita”, “adwaita-dark”, “adwaita-highcontrast”, “adwaita-highcontrastinverse”, “bb10bright”, “bb10dark”, “breeze”, “cde”, “cleanlooks”, “gtk2”, “kvantum”, “motif”, “plastique”

Default: null

Example: "adwaita"

Related packages:

Declared by:

<nixpkgs/nixos/modules/config/qt.nix>
security.enableWrappers

Whether to enable SUID/SGID wrappers.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
security.acme.acceptTerms

Accept the CA’s terms of service. The default provider is Let’s Encrypt, you can find their ToS at https://letsencrypt.org/repository/.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs

Attribute set of certificates to get signed and renewed. Creates acme-${cert}.{service,timer} systemd units for each certificate defined here. Other services can add dependencies to those units if they rely on the certificates being present, or trigger restarts of the service if certificates get renewed.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "example.com" = {
    webroot = "/var/lib/acme/acme-challenge/";
    email = "foo@example.com";
    extraDomainNames = [ "www.example.com" "foo.example.com" ];
  };
  "bar.example.com" = {
    webroot = "/var/lib/acme/acme-challenge/";
    email = "bar@example.com";
  };
}

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.enableDebugLogs

Whether to enable debug logging for this certificate.

Type: boolean

Default: config.security.acme.defaults.enableDebugLogs

Example: true

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.credentialFiles

Environment variables suffixed by “_FILE” to set for the cert’s service for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider. This allows to securely pass credential files to lego by leveraging systemd credentials.

Type: attribute set of path

Default: config.security.acme.defaults.credentialFiles

Example:

{
  "RFC2136_TSIG_SECRET_FILE" = "/run/secrets/tsig-secret-example.org";
}

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.directory

Directory where certificate and other state is stored.

Type: string (read only)

Default: "/var/lib/acme/‹name›"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.dnsPropagationCheck

Toggles lego DNS propagation check, which is used alongside DNS-01 challenge to ensure the DNS entries required are available.

Type: boolean

Default: config.security.acme.defaults.dnsPropagationCheck

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.dnsProvider

DNS Challenge provider. For a list of supported providers, see the “code” field of the DNS providers listed at https://go-acme.github.io/lego/dns/.

Type: null or string

Default: config.security.acme.defaults.dnsProvider

Example: "route53"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.dnsResolver

Set the resolver to use for performing recursive DNS queries. Supported: host:port. The default is to use the system resolvers, or Google’s DNS resolvers if the system’s cannot be determined.

Type: null or string

Default: config.security.acme.defaults.dnsResolver

Example: "1.1.1.1:53"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.domain

Domain to fetch certificate for (defaults to the entry name).

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.email

Email address for account creation and correspondence from the CA. It is recommended to use the same email for all certs to avoid account creation limits.

Type: null or string

Default: config.security.acme.defaults.email

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.environmentFile

Path to an EnvironmentFile for the cert’s service containing any required and optional environment variables for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider.

Type: null or path

Default: config.security.acme.defaults.environmentFile

Example: "/var/src/secrets/example.org-route53-api-token"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.extraDomainNames

A list of extra domain names, which are included in the one certificate to be issued.

Type: list of string

Default: [ ]

Example:

[
  "example.org"
  "mydomain.org"
]

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.extraLegoFlags

Additional global flags to pass to all lego commands.

Type: list of string

Default: config.security.acme.defaults.extraLegoFlags

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.extraLegoRenewFlags

Additional flags to pass to lego renew.

Type: list of string

Default: config.security.acme.defaults.extraLegoRenewFlags

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.extraLegoRunFlags

Additional flags to pass to lego run.

Type: list of string

Default: config.security.acme.defaults.extraLegoRunFlags

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.group

Group running the ACME client.

Type: string

Default: config.security.acme.defaults.group

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.inheritDefaults

Whether to inherit values set in security.acme.defaults or not.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.keyType

Key type to use for private keys. For an up to date list of supported values check the --key-type option at https://go-acme.github.io/lego/usage/cli/options/.

Type: string

Default: config.security.acme.defaults.keyType

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.listenHTTP

Interface and port to listen on to solve HTTP challenges in the form [INTERFACE]:PORT. If you use a port other than 80, you must proxy port 80 to this port.

Type: null or string

Default: null

Example: ":1360"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.ocspMustStaple

Turns on the OCSP Must-Staple TLS extension. Make sure you know what you’re doing! See:

Type: boolean

Default: config.security.acme.defaults.ocspMustStaple

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.postRun

Commands to run after new certificates go live. Note that these commands run as the root user.

Executed in the same directory with the new certificate.

Type: strings concatenated with “\n”

Default: config.security.acme.defaults.postRun

Example: "cp full.pem backup.pem"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.reloadServices

The list of systemd services to call systemctl try-reload-or-restart on.

Type: list of string

Default: config.security.acme.defaults.reloadServices

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.renewInterval

Systemd calendar expression when to check for renewal. See systemd.time(7).

Type: string

Default: config.security.acme.defaults.renewInterval

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.s3Bucket

S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.

Type: null or string

Default: null

Example: "acme"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.server

ACME Directory Resource URI. Defaults to Let’s Encrypt’s production endpoint. For testing Let’s Encrypt’s staging endpoint should be used to avoid the rather tight rate limit on the production endpoint.

Type: null or string

Default: config.security.acme.defaults.server

Example: "https://acme-staging-v02.api.letsencrypt.org/directory"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.validMinDays

Minimum remaining validity before renewal in days.

Type: signed integer

Default: config.security.acme.defaults.validMinDays

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.certs.<name>.webroot

Where the webroot of the HTTP vhost is located. .well-known/acme-challenge/ directory will be created below the webroot if it doesn’t exist. http://example.org/.well-known/acme-challenge/ must also be available (notice unencrypted HTTP).

Type: null or string

Default: config.security.acme.defaults.webroot

Example: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults

Default values inheritable by all configured certs. You can use this to define options shared by all your certs. These defaults can also be ignored on a per-cert basis using the security.acme.certs.${cert}.inheritDefaults option.

Type: submodule

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.enableDebugLogs

Whether to enable debug logging for this certificate.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.credentialFiles

Environment variables suffixed by “_FILE” to set for the cert’s service for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider. This allows to securely pass credential files to lego by leveraging systemd credentials.

Type: attribute set of path

Default: { }

Example:

{
  "RFC2136_TSIG_SECRET_FILE" = "/run/secrets/tsig-secret-example.org";
}

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.dnsPropagationCheck

Toggles lego DNS propagation check, which is used alongside DNS-01 challenge to ensure the DNS entries required are available.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.dnsProvider

DNS Challenge provider. For a list of supported providers, see the “code” field of the DNS providers listed at https://go-acme.github.io/lego/dns/.

Type: null or string

Default: null

Example: "route53"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.dnsResolver

Set the resolver to use for performing recursive DNS queries. Supported: host:port. The default is to use the system resolvers, or Google’s DNS resolvers if the system’s cannot be determined.

Type: null or string

Default: null

Example: "1.1.1.1:53"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.email

Email address for account creation and correspondence from the CA. It is recommended to use the same email for all certs to avoid account creation limits.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.environmentFile

Path to an EnvironmentFile for the cert’s service containing any required and optional environment variables for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider.

Type: null or path

Default: null

Example: "/var/src/secrets/example.org-route53-api-token"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.extraLegoFlags

Additional global flags to pass to all lego commands.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.extraLegoRenewFlags

Additional flags to pass to lego renew.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.extraLegoRunFlags

Additional flags to pass to lego run.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.group

Group running the ACME client.

Type: string

Default: "acme"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.keyType

Key type to use for private keys. For an up to date list of supported values check the --key-type option at https://go-acme.github.io/lego/usage/cli/options/.

Type: string

Default: "ec256"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.ocspMustStaple

Turns on the OCSP Must-Staple TLS extension. Make sure you know what you’re doing! See:

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.postRun

Commands to run after new certificates go live. Note that these commands run as the root user.

Executed in the same directory with the new certificate.

Type: strings concatenated with “\n”

Default: ""

Example: "cp full.pem backup.pem"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.reloadServices

The list of systemd services to call systemctl try-reload-or-restart on.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.renewInterval

Systemd calendar expression when to check for renewal. See systemd.time(7).

Type: string

Default: "daily"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.server

ACME Directory Resource URI. Defaults to Let’s Encrypt’s production endpoint. For testing Let’s Encrypt’s staging endpoint should be used to avoid the rather tight rate limit on the production endpoint.

Type: null or string

Default: "https://acme-v02.api.letsencrypt.org/directory"

Example: "https://acme-staging-v02.api.letsencrypt.org/directory"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.validMinDays

Minimum remaining validity before renewal in days.

Type: signed integer

Default: 30

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.defaults.webroot

Where the webroot of the HTTP vhost is located. .well-known/acme-challenge/ directory will be created below the webroot if it doesn’t exist. http://example.org/.well-known/acme-challenge/ must also be available (notice unencrypted HTTP).

Type: null or string

Default: null

Example: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.maxConcurrentRenewals

Maximum number of concurrent certificate generation or renewal jobs. All other jobs will queue and wait running jobs to finish. Reduces the system load of certificate generation.

Set to 0 to allow unlimited number of concurrent job runs."

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.preliminarySelfsigned

Whether a preliminary self-signed certificate should be generated before doing ACME requests. This can be useful when certificates are required in a webserver, but ACME needs the webserver to make its requests.

With preliminary self-signed certificate the webserver can be started and can later reload the correct ACME certificates.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.acme.useRoot

Whether to use the root user when generating certs. This is not recommended for security + compatibility reasons. If a service requires root owned certificates consider following the guide on “Using ACME with services demanding root owned certificates” in the NixOS manual, and only using this as a fallback or for testing.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/acme>
security.allowSimultaneousMultithreading

Whether to allow SMT/hyperthreading. Disabling SMT means that only physical CPU cores will be usable at runtime, potentially at significant performance cost.

The primary motivation for disabling SMT is to mitigate the risk of leaking data between threads running on the same CPU core (due to e.g., shared caches). This attack vector is unproven.

Disabling SMT is a supplement to the L1 data cache flushing mitigation (see security.virtualisation.flushL1DataCache) versus malicious VM guests (SMT could “bring back” previously flushed data).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/misc.nix>
security.allowUserNamespaces

Whether to allow creation of user namespaces.

The motivation for disabling user namespaces is the potential presence of code paths where the kernel’s permission checking logic fails to account for namespacing, instead permitting a namespaced process to act outside the namespace with the same privileges as it would have inside it. This is particularly damaging in the common case of running as root within the namespace.

When user namespace creation is disallowed, attempting to create a user namespace fails with “no space left on device” (ENOSPC). root may re-enable user namespace creation at runtime.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/misc.nix>
security.apparmor.enable

Whether to enable the AppArmor Mandatory Access Control system.

If you’re enabling this module on a running system, note that a reboot will be required to activate AppArmor in the kernel.

Also, beware that enabling this module privileges stability over security by not trying to kill unconfined but newly confinable running processes by default, though it would be needed because AppArmor can only confine new or already confined processes of an executable. This killing would for instance be necessary when upgrading to a NixOS revision introducing for the first time an AppArmor profile for the executable of a running process.

Enable security.apparmor.killUnconfinedConfinables if you want this service to do such killing by sending a SIGTERM to those running processes.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.apparmor.enableCache

Whether to enable caching of AppArmor policies in /var/cache/apparmor/.

Beware that AppArmor policies almost always contain Nix store paths, and thus produce at each change of these paths a new cached version accumulating in the cache.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.apparmor.packages

List of packages to be added to AppArmor’s include path

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.apparmor.includes

List of paths to be added to AppArmor’s searched paths when resolving include directives.

Type: attribute set of strings concatenated with “\n”

Default: { }

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.apparmor.killUnconfinedConfinables

Whether to enable killing of processes which have an AppArmor profile enabled (in security.apparmor.policies) but are not confined (because AppArmor can only confine new processes).

This is only sending a gracious SIGTERM signal to the processes, not a SIGKILL.

Beware that due to a current limitation of AppArmor, only profiles with exact paths (and no name) can enable such kills.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.apparmor.policies

AppArmor policies.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.apparmor.policies.<name>.enable

Whether to enable loading of the profile into the kernel.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.apparmor.policies.<name>.enforce

Whether to enable enforcing of the policy or only complain in the logs.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.apparmor.policies.<name>.profile

The policy of the profile.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/security/apparmor.nix>
security.audit.enable

Whether to enable the Linux audit system. The special lock value can be used to enable auditing and prevent disabling it until a restart. Be careful about locking this, as it will prevent you from changing your audit configuration until you restart. If possible, test your configuration using build-vm beforehand.

Type: one of false, true, “lock”

Default: false

Declared by:

<nixpkgs/nixos/modules/security/audit.nix>
security.audit.backlogLimit

The maximum number of outstanding audit buffers allowed; exceeding this is considered a failure and handled in a manner specified by failureMode.

Type: signed integer

Default: 64

Declared by:

<nixpkgs/nixos/modules/security/audit.nix>
security.audit.failureMode

How to handle critical errors in the auditing system

Type: one of “silent”, “printk”, “panic”

Default: "printk"

Declared by:

<nixpkgs/nixos/modules/security/audit.nix>
security.audit.rateLimit

The maximum messages per second permitted before triggering a failure as specified by failureMode. Setting it to zero disables the limit.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/security/audit.nix>
security.audit.rules

The ordered audit rules, with each string appearing as one line of the audit.rules file.

Type: list of string

Default: [ ]

Example:

[
  "-a exit,always -F arch=b64 -S execve"
]

Declared by:

<nixpkgs/nixos/modules/security/audit.nix>
security.auditd.enable

Whether to enable the Linux Audit daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/auditd.nix>
security.chromiumSuidSandbox.enable

Whether to install the Chromium SUID sandbox which is an executable that Chromium may use in order to achieve sandboxing.

If you get the error “The SUID sandbox helper binary was found, but is not configured correctly.”, turning this on might help.

Also, if the URL chrome://sandbox tells you that “You are not adequately sandboxed!”, turning this on might resolve the issue.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/chromium-suid-sandbox.nix>
security.dhparams.enable

Whether to generate new DH params and clean up old DH params.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/dhparams.nix>
security.dhparams.defaultBitSize

This allows to override the default bit size for all of the Diffie-Hellman parameters set in security.dhparams.params.

Type: integer of at least 16 bits

Default: 2048

Declared by:

<nixpkgs/nixos/modules/security/dhparams.nix>
security.dhparams.params

Diffie-Hellman parameters to generate.

The value is the size (in bits) of the DH params to generate. The generated DH params path can be found in config.security.dhparams.params.«name».path.

Note

The name of the DH params is taken as being the name of the service it serves and the params will be generated before the said service is started.

Warning

If you are removing all dhparams from this list, you have to leave security.dhparams.enable for at least one activation in order to have them be cleaned up. This also means if you rollback to a version without any dhparams the existing ones won’t be cleaned up. Of course this only applies if security.dhparams.stateful is true.

Note

For module implementers: It’s recommended to not set a specific bit size here, so that users can easily override this by setting security.dhparams.defaultBitSize.

Type: attribute set of ((submodule) or signed integer convertible to it)

Default: { }

Example: { nginx.bits = 3072; }

Declared by:

<nixpkgs/nixos/modules/security/dhparams.nix>
security.dhparams.params.<name>.bits

The bit size for the prime that is used during a Diffie-Hellman key exchange.

Type: integer of at least 16 bits

Default: config.security.dhparams.defaultBitSize

Declared by:

<nixpkgs/nixos/modules/security/dhparams.nix>
security.dhparams.params.<name>.path

The resulting path of the generated Diffie-Hellman parameters file for other services to reference. This could be either a store path or a file inside the directory specified by security.dhparams.path.

Type: path (read only)

Declared by:

<nixpkgs/nixos/modules/security/dhparams.nix>
security.dhparams.path

Path to the directory in which Diffie-Hellman parameters will be stored. This only is relevant if security.dhparams.stateful is true.

Type: string

Default: "/var/lib/dhparams"

Declared by:

<nixpkgs/nixos/modules/security/dhparams.nix>
security.dhparams.stateful

Whether generation of Diffie-Hellman parameters should be stateful or not. If this is enabled, PEM-encoded files for Diffie-Hellman parameters are placed in the directory specified by security.dhparams.path. Otherwise the files are created within the Nix store.

Note

If this is false the resulting store path will be non-deterministic and will be rebuilt every time the openssl package changes.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/dhparams.nix>
security.doas.enable

Whether to enable the doas command, which allows non-root users to execute commands as root.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.doas.extraConfig

Extra configuration text appended to doas.conf. Be aware that this option cannot be used to override the behaviour allowing passwordless operation for root.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.doas.extraRules

Define specific rules to be set in the /etc/doas.conf file. More specific rules should come after more general ones in order to yield the expected behavior. You can use mkBefore and/or mkAfter to ensure this is the case when configuration options are merged. Be aware that this option cannot be used to override the behaviour allowing passwordless operation for root.

Type: list of (submodule)

Default: [ ]

Example:

[
  # Allow execution of any command by any user in group doas, requiring
  # a password and keeping any previously-defined environment variables.
  { groups = [ "doas" ]; noPass = false; keepEnv = true; }

  # Allow execution of "/home/root/secret.sh" by user `backup` OR user
  # `database` OR any member of the group with GID `1006`, without a
  # password.
  { users = [ "backup" "database" ]; groups = [ 1006 ];
    cmd = "/home/root/secret.sh"; noPass = true; }

  # Allow any member of group `bar` to run `/home/baz/cmd1.sh` as user
  # `foo` with argument `hello-doas`.
  { groups = [ "bar" ]; runAs = "foo";
    cmd = "/home/baz/cmd1.sh"; args = [ "hello-doas" ]; }

  # Allow any member of group `bar` to run `/home/baz/cmd2.sh` as user
  # `foo` with no arguments.
  { groups = [ "bar" ]; runAs = "foo";
    cmd = "/home/baz/cmd2.sh"; args = [ ]; }

  # Allow user `abusers` to execute "nano" and unset the value of
  # SSH_AUTH_SOCK, override the value of ALPHA to 1, and inherit the
  # value of BETA from the current environment.
  { users = [ "abusers" ]; cmd = "nano";
    setEnv = [ "-SSH_AUTH_SOCK" "ALPHA=1" "BETA" ]; }
]

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.doas.extraRules.*.args

Arguments that must be provided to the command. When set to [], the command must be run without any arguments.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.doas.extraRules.*.cmd

The command the user is allowed to run. When set to null (the default), all commands are allowed.

NOTE: It is best practice to specify absolute paths. If a relative path is specified, only a restricted PATH will be searched.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.doas.extraRules.*.groups

The groups / GIDs this rule should apply for.

Type: list of (string or signed integer)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.doas.extraRules.*.keepEnv

If true, environment variables other than those listed in doas(1) are kept when creating the environment for the new process.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.doas.extraRules.*.noLog

If true, successful executions will not be logged to syslogd(8).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.doas.extraRules.*.noPass

If true, the user is not required to enter a password.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.doas.extraRules.*.persist

If true, do not ask for a password again for some time after the user successfully authenticates.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.doas.extraRules.*.runAs

Which user or group the specified command is allowed to run as. When set to null (the default), all users are allowed.

A user can be specified using just the username: "foo". It is also possible to only allow running as a specific group with ":bar".

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.doas.extraRules.*.setEnv

Keep or set the specified variables. Variables may also be removed with a leading ‘-’ or set using variable=value. If the first character of value is a ‘$’, the value to be set is taken from the existing environment variable of the indicated name. This option is processed after the default environment has been created.

NOTE: All rules have setenv { SSH_AUTH_SOCK } by default. To prevent SSH_AUTH_SOCK from being inherited, add "-SSH_AUTH_SOCK" anywhere in this list.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.doas.extraRules.*.users

The usernames / UIDs this rule should apply for.

Type: list of (string or signed integer)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.doas.wheelNeedsPassword

Whether users of the wheel group must provide a password to run commands as super user via doas.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/doas.nix>
security.duosec.acceptEnvFactor

Look for factor selection or passcode in the $DUO_PASSCODE environment variable before prompting the user for input.

When $DUO_PASSCODE is non-empty, it will override autopush. The SSH client will need SendEnv DUO_PASSCODE in its configuration, and the SSH server will similarly need AcceptEnv DUO_PASSCODE.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.allowTcpForwarding

By default, when SSH forwarding, enabling Duo Security will disable TCP forwarding. By enabling this, you potentially undermine some of the SSH based login security. Note this is not needed if you use PAM.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.autopush

If true, Duo Unix will automatically send a push login request to the user’s phone, falling back on a phone call if push is unavailable. If false, the user will be prompted to choose an authentication method. When configured with autopush = yes, we recommend setting prompts = 1.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.failmode

On service or configuration errors that prevent Duo authentication, fail “safe” (allow access) or “secure” (deny access). The default is “safe”.

Type: one of “safe”, “secure”

Default: "safe"

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.fallbackLocalIP

Duo Unix reports the IP address of the authorizing user, for the purposes of authorization and whitelisting. If Duo Unix cannot detect the IP address of the client, setting fallbackLocalIP = yes will cause Duo Unix to send the IP address of the server it is running on.

If you are using IP whitelisting, enabling this option could cause unauthorized logins if the local IP is listed in the whitelist.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.groups

If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern lists. Refer to https://duo.com/docs/duounix for details.

Type: string

Default: ""

Example: "users,!wheel,!*admin guests"

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.host

Duo API hostname.

Type: string

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.integrationKey

Integration key.

Type: string

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.motd

Print the contents of /etc/motd to screen after a successful login.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.pam.enable

If enabled, protect logins with Duo Security using PAM support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.prompts

If a user fails to authenticate with a second factor, Duo Unix will prompt the user to authenticate again. This option sets the maximum number of prompts that Duo Unix will display before denying access. Must be 1, 2, or 3. Default is 3.

For example, when prompts = 1, the user will have to successfully authenticate on the first prompt, whereas if prompts = 2, if the user enters incorrect information at the initial prompt, he/she will be prompted to authenticate again.

When configured with autopush = true, we recommend setting prompts = 1.

Type: one of 1, 2, 3

Default: 3

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.pushinfo

Include information such as the command to be executed in the Duo Push message.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.secretKeyFile

A file containing your secret key. The security of your Duo application is tied to the security of your secret key.

Type: null or path

Default: null

Example: "/run/keys/duo-skey"

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.duosec.ssh.enable

If enabled, protect SSH logins with Duo Security.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/duosec.nix>
security.forcePageTableIsolation

Whether to force-enable the Page Table Isolation (PTI) Linux kernel feature even on CPU models that claim to be safe from Meltdown.

This hardening feature is most beneficial to systems that run untrusted workloads that rely on address space isolation for security.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/misc.nix>
security.googleOsLogin.enable

Whether to enable Google OS Login.

The OS Login package enables the following components: AuthorizedKeysCommand to query valid SSH keys from the user’s OS Login profile during ssh authentication phase. NSS Module to provide user and group information PAM Module for the sshd service, providing authorization and authentication support, allowing the system to use data stored in Google Cloud IAM permissions to control both, the ability to log into an instance, and to perform operations as root (sudo).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/google_oslogin.nix>
security.ipa.enable

Whether to enable FreeIPA domain integration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/ipa.nix>
security.ipa.basedn

Base DN to use when performing LDAP operations.

Type: string

Example: "dc=example,dc=com"

Declared by:

<nixpkgs/nixos/modules/security/ipa.nix>
security.ipa.cacheCredentials

Whether to cache credentials.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/ipa.nix>
security.ipa.certificate

IPA server CA certificate.

Use nix-prefetch-url http://$server/ipa/config/ca.crt to obtain the file and the hash.

Type: package

Example:

pkgs.fetchurl {
  url = http://ipa.example.com/ipa/config/ca.crt;
  sha256 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
};

Declared by:

<nixpkgs/nixos/modules/security/ipa.nix>
security.ipa.chromiumSupport

Whether to whitelist the FreeIPA domain in Chromium.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/ipa.nix>
security.ipa.domain

Domain of the IPA server.

Type: string

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/security/ipa.nix>
security.ipa.dyndns.enable

Whether to enable FreeIPA automatic hostname updates.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/ipa.nix>
security.ipa.dyndns.interface

Network interface to perform hostname updates through.

Type: string

Default: "*"

Example: "eth0"

Declared by:

<nixpkgs/nixos/modules/security/ipa.nix>
security.ipa.ifpAllowedUids

A list of users allowed to access the ifp dbus interface.

Type: list of string

Default:

[
  "root"
]

Declared by:

<nixpkgs/nixos/modules/security/ipa.nix>
security.ipa.ipaHostname

Fully-qualified hostname used to identify this host in the IPA domain.

Type: string

Default:

if config.networking.domain != null then config.networking.fqdn
else "${networking.hostName}.${security.ipa.domain}"

Example: "myworkstation.example.com"

Declared by:

<nixpkgs/nixos/modules/security/ipa.nix>
security.ipa.offlinePasswords

Whether to store offline passwords when the server is down.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/ipa.nix>
security.ipa.realm

Kerberos realm.

Type: string

Example: "EXAMPLE.COM"

Declared by:

<nixpkgs/nixos/modules/security/ipa.nix>
security.ipa.server

IPA Server hostname.

Type: string

Example: "ipa.example.com"

Declared by:

<nixpkgs/nixos/modules/security/ipa.nix>
security.isolate.enable

Whether to enable Sandbox for securely executing untrusted programs .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/isolate.nix>
security.isolate.package

The isolate-unwrapped package to use.

Type: package

Default: pkgs.isolate-unwrapped

Declared by:

<nixpkgs/nixos/modules/security/isolate.nix>
security.isolate.boxRoot

All sandboxes are created under this directory. To avoid symlink attacks, this directory and all its ancestors must be writeable only by root.

Type: path

Default: "/var/lib/isolate/boxes"

Declared by:

<nixpkgs/nixos/modules/security/isolate.nix>
security.isolate.cgRoot

Control group which subgroups are placed under. Either an explicit path to a subdirectory in cgroupfs, or “auto:file” to read the path from “file”, where it is put by isolate-cg-helper.

Type: string

Default: "auto:/run/isolate/cgroup"

Declared by:

<nixpkgs/nixos/modules/security/isolate.nix>
security.isolate.extraConfig

Extra configuration to append to the configuration file.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/security/isolate.nix>
security.isolate.firstGid

Start of block of GIDs reserved for sandboxes.

Type: integer or floating point number between 1000 and 65533 (both inclusive)

Default: 60000

Declared by:

<nixpkgs/nixos/modules/security/isolate.nix>
security.isolate.firstUid

Start of block of UIDs reserved for sandboxes.

Type: integer or floating point number between 1000 and 65533 (both inclusive)

Default: 60000

Declared by:

<nixpkgs/nixos/modules/security/isolate.nix>
security.isolate.lockRoot

Directory where lock files are created.

Type: path

Default: "/run/isolate/locks"

Declared by:

<nixpkgs/nixos/modules/security/isolate.nix>
security.isolate.numBoxes

Number of UIDs and GIDs to reserve, starting from firstUid and firstGid.

Type: integer or floating point number between 1000 and 65533 (both inclusive)

Default: 1000

Declared by:

<nixpkgs/nixos/modules/security/isolate.nix>
security.isolate.restrictedInit

If true, only root can create sandboxes.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/isolate.nix>
security.krb5.enable

Enable and configure Kerberos utilities

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/krb5>
security.krb5.package

The krb5 package to use.

Type: package

Default: pkgs.krb5

Example: heimdal

Declared by:

<nixpkgs/nixos/modules/security/krb5>
security.krb5.settings

Structured contents of the krb5.conf file. See krb5.conf(5) for details about configuration.

Type: attribute set of attribute set of ((list of attribute set of ((list of (signed integer or string or boolean)) or signed integer or string or boolean)) or attribute set of ((list of (signed integer or string or boolean)) or signed integer or string or boolean) or (list of (signed integer or string or boolean)) or signed integer or string or boolean)

Default: { }

Example:

{
  domain_realm = {
    "mit.edu" = "ATHENA.MIT.EDU";
  };
  include = [
    "/run/secrets/secret-krb5.conf"
  ];
  includedir = [
    "/run/secrets/secret-krb5.conf.d"
  ];
  libdefaults = {
    default_realm = "ATHENA.MIT.EDU";
  };
  logging = {
    admin_server = "SYSLOG:NOTICE";
    default = "SYSLOG:NOTICE";
    kdc = "SYSLOG:NOTICE";
  };
  realms = {
    "ATHENA.MIT.EDU" = {
      admin_server = "athena.mit.edu";
      kdc = [
        "athena01.mit.edu"
        "athena02.mit.edu"
      ];
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/security/krb5>
security.krb5.settings.include

Files to include in the Kerberos configuration.

Type: (list of path) or path convertible to it

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/krb5>
security.krb5.settings.includedir

Directories containing files to include in the Kerberos configuration.

Type: (list of path) or path convertible to it

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/krb5>
security.krb5.settings.module

Modules to obtain Kerberos configuration from.

Type: (list of path) or path convertible to it

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/krb5>
security.lockKernelModules

Disable kernel module loading once the system is fully initialised. Module loading is disabled until the next reboot. Problems caused by delayed module loading can be fixed by adding the module(s) in question to boot.kernelModules.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/lock-kernel-modules.nix>
security.loginDefs.package

The shadow package to use.

Type: package

Default: pkgs.shadow

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.chfnRestrict

Use chfn SUID to allow non-root users to change their account GECOS information.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings

Config options for the /etc/login.defs file, that defines the site-specific configuration for the shadow password suite. See login.defs(5) man page for available options.

Type: attribute set of (atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings.DEFAULT_HOME

Indicate if login is allowed if we can’t cd to the home directory.

Type: one of “yes”, “no”

Default: "yes"

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings.ENCRYPT_METHOD

This defines the system default encryption algorithm for encrypting passwords.

Type: one of “YESCRYPT”, “SHA512”, “SHA256”, “MD5”, “DES”

Default: "YESCRYPT"

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings.GID_MAX

Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.

Type: signed integer

Default: 29999

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings.GID_MIN

Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings.SYS_GID_MAX

Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers

Type: signed integer

Default: 999

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings.SYS_GID_MIN

Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers

Type: signed integer

Default: 400

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings.SYS_UID_MAX

Range of user IDs used for the creation of system users by useradd or newusers.

Type: signed integer

Default: 999

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings.SYS_UID_MIN

Range of user IDs used for the creation of system users by useradd or newusers.

Type: signed integer

Default: 400

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings.TTYGROUP

The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM

Type: string

Default: "tty"

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings.TTYPERM

The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM

Type: string

Default: "0620"

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings.UID_MAX

Range of user IDs used for the creation of regular users by useradd or newusers.

Type: signed integer

Default: 29999

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings.UID_MIN

Range of user IDs used for the creation of regular users by useradd or newusers.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.loginDefs.settings.UMASK

The file mode creation mask is initialized to this value.

Type: string

Default: "077"

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.pam.enableEcryptfs

Whether to enable eCryptfs PAM module (mounting ecryptfs home directory on login).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.enableFscrypt

Whether to enable fscrypt, to automatically unlock directories with the user’s login password.

This also enables a service at security.pam.services.fscrypt which is used by fscrypt to verify the user’s password when setting up a new protector. If you use something other than pam_unix to verify user passwords, please remember to adjust this PAM service .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.enableOTPW

Whether to enable the OTPW (one-time password) PAM module.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.package

The pam package to use.

Type: package

Default: pkgs.pam

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.dp9ik.enable

Whether to enable the dp9ik pam module provided by tlsclient.

If set, users can be authenticated against the 9front authentication server given in security.pam.dp9ik.authserver .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.dp9ik.authserver

This controls the hostname for the 9front authentication server that users will be authenticated against.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.dp9ik.control

This option sets the pam “control” used for this module.

Type: string

Default: "sufficient"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.krb5.enable

Enables Kerberos PAM modules (pam-krb5, pam-ccreds).

If set, users can authenticate with their Kerberos password. This requires a valid Kerberos configuration (security.krb5.enable should be set to true).

Note that the Kerberos PAM modules are not necessary when using SSS to handle Kerberos authentication.

Type: boolean

Default: config.security.krb5.enable

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.loginLimits

Define resource limits that should apply to users or groups. Each item in the list should be an attribute set with a domain, type, item, and value attribute. The syntax and semantics of these attributes must be that described in limits.conf(5).

Note that these limits do not apply to systemd services, whose limits can be changed via systemd.extraConfig instead.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    domain = "ftp";
    item = "nproc";
    type = "hard";
    value = "0";
  }
  {
    domain = "@student";
    item = "maxlogins";
    type = "-";
    value = "4";
  }
]

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.loginLimits.*.domain

Username, groupname, or wildcard this limit applies to

Type: string

Example: "@wheel"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.loginLimits.*.item

Item this limit applies to

Type: one of “core”, “data”, “fsize”, “memlock”, “nofile”, “rss”, “stack”, “cpu”, “nproc”, “as”, “maxlogins”, “maxsyslogins”, “priority”, “locks”, “sigpending”, “msgqueue”, “nice”, “rtprio”

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.loginLimits.*.type

Type of this limit

Type: one of “-”, “hard”, “soft”

Default: "-"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.loginLimits.*.value

Value of this limit

Type: string or signed integer

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.makeHomeDir.skelDirectory

Path to skeleton directory whose contents are copied to home directories newly created by pam_mkhomedir.

Type: string

Default: "/var/empty"

Example: "/etc/skel"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.makeHomeDir.umask

The user file mode creation mask to use on home directories newly created by pam_mkhomedir.

Type: string

Default: "0077"

Example: "0022"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.mount.enable

Enable PAM mount system to mount filesystems on user login.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam_mount.nix>
security.pam.mount.additionalSearchPaths

Additional programs to include in the search path of pam_mount. Useful for example if you want to use some FUSE filesystems like bindfs.

Type: list of package

Default: [ ]

Example: [ pkgs.bindfs ]

Declared by:

<nixpkgs/nixos/modules/security/pam_mount.nix>
security.pam.mount.createMountPoints

Create mountpoints for volumes if they do not exist.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/pam_mount.nix>
security.pam.mount.cryptMountOptions

Global mount options that apply to every crypt volume. You can define volume-specific options in the volume definitions.

Type: list of string

Default: [ ]

Example:

[ "allow_discard" ]

Declared by:

<nixpkgs/nixos/modules/security/pam_mount.nix>
security.pam.mount.debugLevel

Sets the Debug-Level. 0 disables debugging, 1 enables pam_mount tracing, and 2 additionally enables tracing in mount.crypt. The default is 0. For more information, visit https://pam-mount.sourceforge.net/pam_mount.conf.5.html.

Type: signed integer

Default: 0

Example: 1

Declared by:

<nixpkgs/nixos/modules/security/pam_mount.nix>
security.pam.mount.extraVolumes

List of volume definitions for pam_mount. For more information, visit https://pam-mount.sourceforge.net/pam_mount.conf.5.html.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/pam_mount.nix>
security.pam.mount.fuseMountOptions

Global mount options that apply to every FUSE volume. You can define volume-specific options in the volume definitions.

Type: list of string

Default: [ ]

Example:

[ "nodev" "nosuid" "force-user=%(USER)" "gid=%(USERGID)" "perms=0700" "chmod-deny" "chown-deny" "chgrp-deny" ]

Declared by:

<nixpkgs/nixos/modules/security/pam_mount.nix>
security.pam.mount.logoutHup

Kill remaining processes after logout by sending a SIGHUP.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam_mount.nix>
security.pam.mount.logoutKill

Kill remaining processes after logout by sending a SIGKILL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam_mount.nix>
security.pam.mount.logoutTerm

Kill remaining processes after logout by sending a SIGTERM.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam_mount.nix>
security.pam.mount.logoutWait

Amount of microseconds to wait until killing remaining processes after final logout. For more information, visit https://pam-mount.sourceforge.net/pam_mount.conf.5.html.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/security/pam_mount.nix>
security.pam.mount.removeCreatedMountPoints

Remove mountpoints created by pam_mount after logout. This only affects mountpoints that have been created by pam_mount in the same session.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/pam_mount.nix>
security.pam.oath.enable

Enable the OATH (one-time password) PAM module.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/oath.nix>
security.pam.oath.digits

Specify the lib.length of the one-time password in number of digits.

Type: one of 6, 7, 8

Default: 6

Declared by:

<nixpkgs/nixos/modules/security/oath.nix>
security.pam.oath.usersFile

Set the path to file where the user’s credentials are stored. This file must not be world readable!

Type: path

Default: "/etc/users.oath"

Declared by:

<nixpkgs/nixos/modules/security/oath.nix>
security.pam.oath.window

Specify the number of one-time passwords to check in order to accommodate for situations where the system and the client are slightly out of sync (iteration for HOTP or time steps for TOTP).

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/security/oath.nix>
security.pam.p11.enable

Enables P11 PAM (pam_p11) module.

If set, users can log in with SSH keys and PKCS#11 tokens.

More information can be found here.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.p11.control

This option sets pam “control”. If you want to have multi factor authentication, use “required”. If you want to use the PKCS#11 device instead of the regular password, use “sufficient”.

Read pam.conf(5) for better understanding of this option.

Type: one of “required”, “requisite”, “sufficient”, “lib.optional”

Default: "sufficient"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.rssh.enable

Whether to enable authenticating using a signature performed by the ssh-agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.rssh.settings

Options to pass to the pam_rssh module. Refer to https://github.com/z4yx/pam_rssh/blob/main/README.md#optional-arguments for supported values.

Boolean values render just the key if true, and nothing if false. Null values are ignored. All other values are rendered as key-value pairs.

Type: attribute set of (null or boolean or string or signed integer or path in the Nix store)

Default: { }

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.rssh.settings.auth_key_file

Path to file with trusted public keys in OpenSSH’s authorized_keys format. The following variables are expanded to the respective PAM items:

  • service: PAM_SERVICE, the service name,

  • user: PAM_USER, the username of the entity under whose identity service will be given,

  • tty: PAM_TTY, the terminal name,

  • rhost: PAM_RHOST, the requesting hostname, and

  • ruser: PAM_RUSER, the requesting entity.

These PAM items are explained in pam_get_item(3).

Variables may be specified as $var, ${var} or ${var:defaultValue}.

Note

Specifying user-writeable files here results in an insecure configuration: a malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication.

This option is ignored if security.pam.rssh.settings.authorized_keys_command is set.

If both this option and security.pam.rssh.settings.authorized_keys_command are unset, the keys will be read from ${HOME}/.ssh/authorized_keys, which should be considered insecure.

Type: null or non-empty string

Default: "/etc/ssh/authorized_keys.d/$ruser"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services

This option defines the PAM services. A service typically corresponds to a program that uses PAM, e.g. login or passwd. Each attribute of this set defines a PAM service, with the attribute name defining the name of the service.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.enableAppArmor

Enable support for attaching AppArmor profiles at the user/group level, e.g., as part of a role based access control scheme.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.enableGnomeKeyring

If enabled, pam_gnome_keyring will attempt to automatically unlock the user’s default Gnome keyring upon login. If the user login password does not match their keyring password, Gnome Keyring will prompt separately after login.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.allowNullPassword

Whether to allow logging into accounts that have no password set (i.e., have an empty password field in /etc/passwd or /etc/group). This does not enable logging into disabled accounts (i.e., that have the password field set to !). Note that regardless of what the pam_unix documentation says, accounts with hashed empty passwords are always allowed to log in.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.duoSecurity.enable

If set, use the Duo Security pam module pam_duo for authentication. Requires configuration of security.duosec options.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.failDelay.enable

If enabled, this will replace the FAIL_DELAY setting from login.defs. Change the delay on failure per-application.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.failDelay.delay

The delay time (in microseconds) on failure.

Type: signed integer

Default: 3000000

Example: 1000000

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.forwardXAuth

Whether X authentication keys should be passed from the calling user to the target user (e.g. for su)

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.fprintAuth

If set, fingerprint reader will be used (if exists and your fingerprints are enrolled).

Type: boolean

Default: config.services.fprintd.enable

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.gnupg.enable

If enabled, pam_gnupg will attempt to automatically unlock the user’s GPG keys with the login password via gpg-agent. The keygrips of all keys to be unlocked should be written to ~/.pam-gnupg, and can be queried with gpg -K --with-keygrip. Presetting passphrases must be enabled by adding allow-preset-passphrase in ~/.gnupg/gpg-agent.conf.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.gnupg.noAutostart

Don’t start gpg-agent if it is not running. Useful in conjunction with starting gpg-agent as a systemd user service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.gnupg.storeOnly

Don’t send the password immediately after login, but store for PAM session.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.googleAuthenticator.enable

If set, users with enabled Google Authenticator (created ~/.google_authenticator) will be required to provide Google Authenticator token to log in.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.googleOsLoginAccountVerification

If set, will use the Google OS Login PAM modules (pam_oslogin_login, pam_oslogin_admin) to verify possible OS Login users and set sudoers configuration accordingly. This only makes sense to enable for the sshd PAM service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.googleOsLoginAuthentication

If set, will use the pam_oslogin_login’s user authentication methods to authenticate users using 2FA. This only makes sense to enable for the sshd PAM service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.kwallet.enable

If enabled, pam_wallet will attempt to automatically unlock the user’s default KDE wallet upon login. If the user has no wallet named “kdewallet”, or the login password does not match their wallet password, KDE will prompt separately after login.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.kwallet.package

The kwallet-pam package to use.

Type: package

Default: pkgs.plasma5Packages.kwallet-pam

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.kwallet.forceRun

The force_run option is used to tell the PAM module for KWallet to forcefully run even if no graphical session (such as a GUI display manager) is detected. This is useful for when you are starting an X Session or a Wayland Session from a TTY. If you intend to log-in from a TTY, it is recommended that you enable this option and ensure that plasma-kwallet-pam.service is started by graphical-session.target.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.limits

Attribute set describing resource limits. Defaults to the value of security.pam.loginLimits. The meaning of the values is explained in limits.conf(5).

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.limits.*.domain

Username, groupname, or wildcard this limit applies to

Type: string

Example: "@wheel"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.limits.*.item

Item this limit applies to

Type: one of “core”, “data”, “fsize”, “memlock”, “nofile”, “rss”, “stack”, “cpu”, “nproc”, “as”, “maxlogins”, “maxsyslogins”, “priority”, “locks”, “sigpending”, “msgqueue”, “nice”, “rtprio”

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.limits.*.type

Type of this limit

Type: one of “-”, “hard”, “soft”

Default: "-"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.limits.*.value

Value of this limit

Type: string or signed integer

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.logFailures

Whether to log authentication failures in /var/log/faillog.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.makeHomeDir

Whether to try to create home directories for users with $HOMEs pointing to nonexistent locations on session login.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.mysqlAuth

If set, the pam_mysql module will be used to authenticate users against a MySQL/MariaDB database.

Type: boolean

Default: config.users.mysql.enable

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.name

Name of the PAM service.

Type: string

Example: "sshd"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.nodelay

Whether the delay after typing a wrong password should be disabled.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.oathAuth

If set, the OATH Toolkit will be used.

Type: boolean

Default: config.security.pam.oath.enable

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.otpwAuth

If set, the OTPW system will be used (if ~/.otpw exists).

Type: boolean

Default: config.security.pam.enableOTPW

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.p11Auth

If set, keys listed in ~/.ssh/authorized_keys and ~/.eid/authorized_certificates can be used to log in with the associated PKCS#11 tokens.

Type: boolean

Default: config.security.pam.p11.enable

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.pamMount

Enable PAM mount (pam_mount) system to mount filesystems on user login.

Type: boolean

Default: config.security.pam.mount.enable

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.requireWheel

Whether to permit root access only to members of group wheel.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.rootOK

If set, root doesn’t need to authenticate (e.g. for the useradd service).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.rssh

If set, the calling user’s SSH agent is used to authenticate against the configured keys. This module works in a manner similar to pam_ssh_agent_auth, but supports a wider range of SSH key types, including those protected by security keys (FIDO2).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.setEnvironment

Whether the service should set the environment variables listed in environment.sessionVariables using pam_env.so.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.setLoginUid

Set the login uid of the process (/proc/self/loginuid) for auditing purposes. The login uid is only set by ‘entry points’ like login and sshd, not by commands like sudo.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.showMotd

Whether to show the message of the day.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.sshAgentAuth

If set, the calling user’s SSH agent is used to authenticate against the keys in the calling user’s ~/.ssh/authorized_keys. This is useful for sudo on password-less remote systems.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.sssdStrictAccess

enforce sssd access control

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.startSession

If set, the service will register a new session with systemd’s login manager. For local sessions, this will give the user access to audio devices, CD-ROM drives. In the default PolicyKit configuration, it also allows the user to reboot the system.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.text

Contents of the PAM service file.

Type: null or strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.ttyAudit.enable

Enable or disable TTY auditing for specified users

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.ttyAudit.enablePattern

For each user matching one of comma-separated glob patterns, enable TTY auditing

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.ttyAudit.disablePattern

For each user matching one of comma-separated glob patterns, disable TTY auditing

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.ttyAudit.openOnly

Set the TTY audit flag when opening the session, but do not restore it when closing the session. Using this option is necessary for some services that don’t fork() to run the authenticated session, such as sudo.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.u2fAuth

If set, users listed in $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if XDG variable is not set) are able to log in with the associated U2F key. Path can be changed using security.pam.u2f.authFile option.

Type: boolean

Default: config.security.pam.u2f.enable

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.unixAuth

Whether users can log in with passwords defined in /etc/shadow.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.updateWtmp

Whether to update /var/log/wtmp.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.usshAuth

If set, users with an SSH certificate containing an authorized principal in their SSH agent are able to log in. Specific options are controlled using the security.pam.ussh options.

Note that the security.pam.ussh.enable must also be set for this option to take effect.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.yubicoAuth

If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.

Type: boolean

Default: config.security.pam.yubico.enable

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.services.<name>.zfs

Enable unlocking and mounting of encrypted ZFS home dataset at login.

Type: boolean

Default: config.security.pam.zfs.enable

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.sshAgentAuth.enable

Whether to enable authenticating using a signature performed by the ssh-agent. This allows using SSH keys exclusively, instead of passwords, for instance on remote machines .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.sshAgentAuth.authorizedKeysFiles

A list of paths to files in OpenSSH’s authorized_keys format, containing the keys that will be trusted by the pam_ssh_agent_auth module.

The following patterns are expanded when interpreting the path:

  • %f and %H respectively expand to the fully-qualified and short hostname ;

  • %u expands to the username ;

  • ~ or %h expands to the user’s home directory.

Note

Specifying user-writeable files here result in an insecure configuration: a malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication.

See issue #31611

Type: list of string

Default:

[
  "/etc/ssh/authorized_keys.d/%u"
]

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.enable

Enables U2F PAM (pam-u2f) module.

If set, users listed in $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if XDG variable is not set) are able to log in with the associated U2F key. The path can be changed using security.pam.u2f.authFile option.

File format is: username:first_keyHandle,first_public_key: second_keyHandle,second_public_key This file can be generated using pamu2fcfg command.

More information can be found here.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.control

This option sets pam “control”. If you want to have multi factor authentication, use “required”. If you want to use U2F device instead of regular password, use “sufficient”.

Read pam.conf(5) for better understanding of this option.

Type: one of “required”, “requisite”, “sufficient”, “optional”

Default: "sufficient"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.settings

Options to pass to the PAM module.

Boolean values render just the key if true, and nothing if false. Null values are ignored. All other values are rendered as key-value pairs.

Type: attribute set of (null or boolean or string or signed integer or path in the Nix store)

Default: { }

Example:

{
  authfile = "/etc/u2f_keys";
  authpending_file = "";
  pinverification = 1;
  userpresence = 0;
}

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.settings.appid

By default pam-u2f module sets the application ID to pam://$HOSTNAME.

When using pamu2fcfg, you can specify your application ID with the -i flag.

More information can be found here

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.settings.authfile

By default pam-u2f module reads the keys from $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if XDG variable is not set).

If you want to change auth file locations or centralize database (for example use /etc/u2f-mappings) you can set this option.

File format is: username:first_keyHandle,first_public_key: second_keyHandle,second_public_key This file can be generated using pamu2fcfg command.

More information can be found here.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.settings.cue

By default pam-u2f module does not inform user that he needs to use the u2f device, it just waits without a prompt.

If you set this option to true, cue option is added to pam-u2f module and reminder message will be displayed.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.settings.debug

Debug output to stderr.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.settings.interactive

Set to prompt a message and wait before testing the presence of a U2F device. Recommended if your device doesn’t have a tactile trigger.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.u2f.settings.origin

By default pam-u2f module sets the origin to pam://$HOSTNAME. Setting origin to an host independent value will allow you to reuse credentials across machines

When using pamu2fcfg, you can specify your application ID with the -o flag.

More information can be found here

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.ussh.enable

Enables Uber’s USSH PAM (pam-ussh) module.

This is similar to pam-ssh-agent, except that the presence of a CA-signed SSH key with a valid principal is checked instead.

Note that this module must both be enabled using this option and on a per-PAM-service level as well (using usshAuth).

More information can be found here.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.ussh.authorizedPrincipals

Comma-separated list of authorized principals to permit; if the user presents a certificate with one of these principals, then they will be authorized.

Note that pam-ussh also requires that the certificate contain a principal matching the user’s username. The principals from this list are in addition to those principals.

Mutually exclusive with authorizedPrincipalsFile.

Type: null or strings concatenated with “,”

Default: null

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.ussh.authorizedPrincipalsFile

Path to a list of principals; if the user presents a certificate with one of these principals, then they will be authorized.

Note that pam-ussh also requires that the certificate contain a principal matching the user’s username. The principals from this file are in addition to those principals.

Mutually exclusive with authorizedPrincipals.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.ussh.caFile

By default pam-ussh reads the trusted user CA keys from /etc/ssh/trusted_user_ca.

This should be set the same as your TrustedUserCAKeys option for sshd.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.ussh.control

This option sets pam “control”. If you want to have multi factor authentication, use “required”. If you want to use the SSH certificate instead of the regular password, use “sufficient”.

Read pam.conf(5) for better understanding of this option.

Type: one of “required”, “requisite”, “sufficient”, “optional”

Default: "sufficient"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.ussh.group

If set, then the authenticating user must be a member of this group to use this module.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.yubico.enable

Enables Yubico PAM (yubico-pam) module.

If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.

The file must have only one line: username:yubikey_token_id1:yubikey_token_id2 More information can be found here.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.yubico.challengeResponsePath

If not null, set the path used by yubico pam module where the challenge expected response is stored.

More information can be found here.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.yubico.control

This option sets pam “control”. If you want to have multi factor authentication, use “required”. If you want to use Yubikey instead of regular password, use “sufficient”.

Read pam.conf(5) for better understanding of this option.

Type: one of “required”, “requisite”, “sufficient”, “optional”

Default: "sufficient"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.yubico.debug

Debug output to stderr.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.yubico.id

client id

Type: string

Example: "42"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.yubico.mode

Mode of operation.

Use “client” for online validation with a YubiKey validation service such as the YubiCloud.

Use “challenge-response” for offline validation using YubiKeys with HMAC-SHA-1 Challenge-Response configurations. See the man-page ykpamcfg(1) for further details on how to configure offline Challenge-Response validation.

More information can be found here.

Type: one of “client”, “challenge-response”

Default: "client"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.zfs.enable

Enable unlocking and mounting of encrypted ZFS home dataset at login.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.zfs.homes

Prefix of home datasets. This value will be concatenated with "/" + <username> in order to determine the home dataset to unlock.

Type: string

Default: "rpool/home"

Example: "rpool/home"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pam.zfs.noUnmount

Do not unmount home dataset on logout.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
security.pki.caCertificateBlacklist

A list of blacklisted CA certificate names that won’t be imported from the Mozilla Trust Store into /etc/ssl/certs/ca-certificates.crt. Use the names from that file.

Type: list of string

Default: [ ]

Example:

[
  "WoSign"
  "WoSign China"
  "CA WoSign ECC Root"
  "Certification Authority of WoSign G2"
]

Declared by:

<nixpkgs/nixos/modules/security/ca.nix>
security.pki.certificateFiles

A list of files containing trusted root certificates in PEM format. These are concatenated to form /etc/ssl/certs/ca-certificates.crt, which is used by many programs that use OpenSSL, such as curl and git.

Type: list of path

Default: [ ]

Example: [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]

Declared by:

<nixpkgs/nixos/modules/security/ca.nix>
security.pki.certificates

A list of trusted root certificates in PEM format.

Type: list of string

Default: [ ]

Example:

[ ''
    NixOS.org
    =========
    -----BEGIN CERTIFICATE-----
    MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
    TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
    ...
    -----END CERTIFICATE-----
  ''
]

Declared by:

<nixpkgs/nixos/modules/security/ca.nix>
security.pki.useCompatibleBundle

Whether to enable usage of a compatibility bundle.

Such a bundle consists exclusively of BEGIN CERTIFICATE and no BEGIN TRUSTED CERTIFICATE, which is an OpenSSL specific PEM format.

It is known to be incompatible with certain software stacks.

Nevertheless, enabling this will strip all additional trust rules provided by the certificates themselves. This can have security consequences depending on your usecases .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/ca.nix>
security.please.enable

Whether to enable please, a Sudo clone which allows a users to execute a command or edit a file as another user .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/please.nix>
security.please.package

The please package to use.

Type: package

Default: pkgs.please

Declared by:

<nixpkgs/nixos/modules/security/please.nix>
security.please.settings

Please configuration. Refer to https://github.com/edneville/please/blob/master/please.ini.md for details.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  jim_edit_etc_hosts_as_root = {
    editmode = 644;
    name = "jim";
    require_pass = true;
    rule = "/etc/hosts";
    target = "root";
    type = "edit";
  };
  jim_run_any_as_root = {
    name = "jim";
    require_pass = false;
    rule = ".*";
    target = "root";
    type = "run";
  };
}

Declared by:

<nixpkgs/nixos/modules/security/please.nix>
security.please.wheelNeedsPassword

Whether users of the wheel group must provide a password to run commands or edit files with please and pleaseedit respectively.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/please.nix>
security.polkit.enable

Whether to enable polkit.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/polkit.nix>
security.polkit.package

The polkit package to use.

Type: package

Default: pkgs.polkit

Declared by:

<nixpkgs/nixos/modules/security/polkit.nix>
security.polkit.adminIdentities

Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an auth_admin value). By default, this is all users in the wheel group.

Type: list of string

Default:

[
  "unix-group:wheel"
]

Example:

[
  "unix-user:alice"
  "unix-group:admin"
]

Declared by:

<nixpkgs/nixos/modules/security/polkit.nix>
security.polkit.debug

Whether to enable debug logs from polkit. This is required in order to see log messages from rule definitions.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/polkit.nix>
security.polkit.extraConfig

Any polkit rules to be added to config (in JavaScript ;-). See: https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html#polkit-rules

Type: strings concatenated with “\n”

Default: ""

Example:

''
  /* Log authorization checks. */
  polkit.addRule(function(action, subject) {
    // Make sure to set { security.polkit.debug = true; } in configuration.nix
    polkit.log("user " +  subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
  });
  
  /* Allow any local user to do anything (dangerous!). */
  polkit.addRule(function(action, subject) {
    if (subject.local) return "yes";
  });
''

Declared by:

<nixpkgs/nixos/modules/security/polkit.nix>
security.protectKernelImage

Whether to prevent replacing the running kernel image.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/misc.nix>
security.rtkit.enable

Whether to enable the RealtimeKit system service, which hands out realtime scheduling priority to user processes on demand. For example, PulseAudio and PipeWire use this to acquire realtime priority.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/rtkit.nix>
security.rtkit.args

Command-line options for rtkit-daemon.

Type: list of string

Default: [ ]

Example:

[
  "--our-realtime-priority=29"
  "--max-realtime-priority=28"
]

Declared by:

<nixpkgs/nixos/modules/security/rtkit.nix>
security.shadow.enable

Enable the shadow authentication suite, which provides critical programs such as su, login, passwd.

Note: This is currently experimental. Only disable this if you’re confident that you can recover your system if it breaks.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
security.soteria.enable

Whether to enable Soteria, a Polkit authentication agent for any desktop environment.

Note

You should only enable this if you are on a Desktop Environment that does not provide a graphical polkit authentication agent, or you are on a standalone window manager or Wayland compositor.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/soteria.nix>
security.soteria.package

The soteria package to use.

Type: package

Default: pkgs.soteria

Declared by:

<nixpkgs/nixos/modules/security/soteria.nix>
security.sudo.enable

Whether to enable the sudo command, which allows non-root users to execute commands as root.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.package

The sudo package to use.

Type: package

Default: pkgs.sudo

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.configFile

This string contains the contents of the sudoers file.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.defaultOptions

Options used for the default rules, granting root and the wheel group permission to run any command as any user.

Type: list of string

Default:

[
  "SETENV"
]

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.execWheelOnly

Only allow members of the wheel group to execute sudo by setting the executable’s permissions accordingly. This prevents users that are not members of wheel from exploiting vulnerabilities in sudo such as CVE-2021-3156.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraConfig

Extra configuration text appended to sudoers.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraRules

Define specific rules to be in the sudoers file. More specific rules should come after more general ones in order to yield the expected behavior. You can use mkBefore/mkAfter to ensure this is the case when configuration options are merged.

Type: list of (submodule)

Default: [ ]

Example:

[
  # Allow execution of any command by all users in group sudo,
  # requiring a password.
  { groups = [ "sudo" ]; commands = [ "ALL" ]; }

  # Allow execution of "/home/root/secret.sh" by user `backup`, `database`
  # and the group with GID `1006` without a password.
  { users = [ "backup" "database" ]; groups = [ 1006 ];
    commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }

  # Allow all users of group `bar` to run two executables as user `foo`
  # with arguments being pre-set.
  { groups = [ "bar" ]; runAs = "foo";
    commands =
      [ "/home/baz/cmd1.sh hello-sudo"
          { command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; }
]

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraRules.*.commands

The commands for which the rule should apply.

Type: list of (string or (submodule))

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraRules.*.groups

The groups / GIDs this rule should apply for.

Type: list of (string or signed integer)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraRules.*.host

For what host this rule should apply.

Type: string

Default: "ALL"

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraRules.*.runAs

Under which user/group the specified command is allowed to run.

A user can be specified using just the username: "foo". It is also possible to specify a user/group combination using "foo:bar" or to only allow running as a specific group with ":bar".

Type: string

Default: "ALL:ALL"

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.extraRules.*.users

The usernames / UIDs this rule should apply for.

Type: list of (string or signed integer)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo.keepTerminfo

Whether to preserve the TERMINFO and TERMINFO_DIRS environment variables, for root and the wheel group.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/terminfo.nix>
security.sudo.wheelNeedsPassword

Whether users of the wheel group must provide a password to run commands as super user via sudo.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/sudo.nix>
security.sudo-rs.enable

Whether to enable a memory-safe implementation of the sudo command, which allows non-root users to execute commands as root .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/sudo-rs.nix>
security.sudo-rs.package

The sudo-rs package to use.

Type: package

Default: pkgs.sudo-rs

Declared by:

<nixpkgs/nixos/modules/security/sudo-rs.nix>
security.sudo-rs.configFile

This string contains the contents of the sudoers file.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/security/sudo-rs.nix>
security.sudo-rs.defaultOptions

Options used for the default rules, granting root and the wheel group permission to run any command as any user.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/sudo-rs.nix>
security.sudo-rs.execWheelOnly

Only allow members of the wheel group to execute sudo by setting the executable’s permissions accordingly. This prevents users that are not members of wheel from exploiting vulnerabilities in sudo such as CVE-2021-3156.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/sudo-rs.nix>
security.sudo-rs.extraConfig

Extra configuration text appended to sudoers.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/security/sudo-rs.nix>
security.sudo-rs.extraRules

Define specific rules to be in the sudoers file. More specific rules should come after more general ones in order to yield the expected behavior. You can use lib.mkBefore/lib.mkAfter to ensure this is the case when configuration options are merged.

Type: list of (submodule)

Default: [ ]

Example:

[
  # Allow execution of any command by all users in group sudo,
  # requiring a password.
  { groups = [ "sudo" ]; commands = [ "ALL" ]; }

  # Allow execution of "/home/root/secret.sh" by user `backup`, `database`
  # and the group with GID `1006` without a password.
  { users = [ "backup" "database" ]; groups = [ 1006 ];
    commands = [ { command = "/home/root/secret.sh"; options = [ "SETENV" "NOPASSWD" ]; } ]; }

  # Allow all users of group `bar` to run two executables as user `foo`
  # with arguments being pre-set.
  { groups = [ "bar" ]; runAs = "foo";
    commands =
      [ "/home/baz/cmd1.sh hello-sudo"
          { command = ''/home/baz/cmd2.sh ""''; options = [ "SETENV" ]; } ]; }
]

Declared by:

<nixpkgs/nixos/modules/security/sudo-rs.nix>
security.sudo-rs.extraRules.*.commands

The commands for which the rule should apply.

Type: list of (string or (submodule))

Declared by:

<nixpkgs/nixos/modules/security/sudo-rs.nix>
security.sudo-rs.extraRules.*.groups

The groups / GIDs this rule should apply for.

Type: list of (string or signed integer)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/sudo-rs.nix>
security.sudo-rs.extraRules.*.host

For what host this rule should apply.

Type: string

Default: "ALL"

Declared by:

<nixpkgs/nixos/modules/security/sudo-rs.nix>
security.sudo-rs.extraRules.*.runAs

Under which user/group the specified command is allowed to run.

A user can be specified using just the username: "foo". It is also possible to specify a user/group combination using "foo:bar" or to only allow running as a specific group with ":bar".

Type: string

Default: "ALL:ALL"

Declared by:

<nixpkgs/nixos/modules/security/sudo-rs.nix>
security.sudo-rs.extraRules.*.users

The usernames / UIDs this rule should apply for.

Type: list of (string or signed integer)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/sudo-rs.nix>
security.sudo-rs.wheelNeedsPassword

Whether users of the wheel group must provide a password to run commands as super user via sudo.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/sudo-rs.nix>
security.tpm2.enable

Whether to enable Trusted Platform Module 2 support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/tpm2.nix>
security.tpm2.abrmd.enable

Whether to enable Trusted Platform 2 userspace resource manager daemon .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/tpm2.nix>
security.tpm2.abrmd.package

tpm2-abrmd package to use

Type: package

Default: pkgs.tpm2-abrmd

Declared by:

<nixpkgs/nixos/modules/security/tpm2.nix>
security.tpm2.applyUdevRules

Whether to make the /dev/tpm[0-9] devices accessible by the tssUser, or the /dev/tpmrm[0-9] by tssGroup respectively

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/security/tpm2.nix>
security.tpm2.pkcs11.enable

Whether to enable TPM2 PKCS#11 tool and shared library in system path (/run/current-system/sw/lib/libtpm2_pkcs11.so) .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/security/tpm2.nix>
security.tpm2.pkcs11.package

tpm2-pkcs11 package to use

Type: package

Default: pkgs.tpm2-pkcs11

Declared by:

<nixpkgs/nixos/modules/security/tpm2.nix>
security.tpm2.tctiEnvironment.enable

Set common TCTI environment variables to the specified value. The variables are

  • TPM2TOOLS_TCTI

  • TPM2_PKCS11_TCTI

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/tpm2.nix>
security.tpm2.tctiEnvironment.deviceConf

Configuration part of the device TCTI, e.g. the path to the TPM device. Applies if interface is set to “device”. The format is specified in the tpm2-tools repository.

Type: string

Default: "/dev/tpmrm0"

Declared by:

<nixpkgs/nixos/modules/security/tpm2.nix>
security.tpm2.tctiEnvironment.interface

The name of the TPM command transmission interface (TCTI) library to use.

Type: one of “tabrmd”, “device”

Default: "device"

Declared by:

<nixpkgs/nixos/modules/security/tpm2.nix>
security.tpm2.tctiEnvironment.tabrmdConf

Configuration part of the tabrmd TCTI, like the D-Bus bus name. Applies if interface is set to “tabrmd”. The format is specified in the tpm2-tools repository.

Type: string

Default: "bus_name=com.intel.tss2.Tabrmd"

Declared by:

<nixpkgs/nixos/modules/security/tpm2.nix>
security.tpm2.tssGroup

Group of the tpm kernel resource manager (tpmrm) device-group, set if applyUdevRules is set.

Type: null or string

Default: "tss"

Declared by:

<nixpkgs/nixos/modules/security/tpm2.nix>
security.tpm2.tssUser

Name of the tpm device-owner and service user, set if applyUdevRules is set.

Type: null or string

Default: if config.security.tpm2.abrmd.enable then "tss" else "root"

Declared by:

<nixpkgs/nixos/modules/security/tpm2.nix>
security.unprivilegedUsernsClone

When disabled, unprivileged users will not be able to create new namespaces. By default unprivileged user namespaces are disabled. This option only works in a hardened profile.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/misc.nix>
security.virtualisation.flushL1DataCache

Whether the hypervisor should flush the L1 data cache before entering guests. See also security.allowSimultaneousMultithreading.

  • null: uses the kernel default

  • "never": disables L1 data cache flushing entirely. May be appropriate if all guests are trusted.

  • "cond": flushes L1 data cache only for pre-determined code paths. May leak information about the host address space layout.

  • "always": flushes L1 data cache every time the hypervisor enters the guest. May incur significant performance cost.

Type: null or one of “never”, “cond”, “always”

Default: null

Declared by:

<nixpkgs/nixos/modules/security/misc.nix>
security.wrapperDirSize

Size limit for the /run/wrappers tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax. WARNING: don’t set to less than 64MB.

Type: string

Default: "50%"

Example: "10G"

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
security.wrappers

This option effectively allows adding setuid/setgid bits, capabilities, changing file ownership and permissions of a program without directly modifying it. This works by creating a wrapper program under the security.wrapperDir directory, which is then added to the shell PATH.

Type: attribute set of (submodule)

Default: { }

Example:

{
  # a setuid root program
  doas =
    { setuid = true;
      owner = "root";
      group = "root";
      source = "${pkgs.doas}/bin/doas";
    };

  # a setgid program
  locate =
    { setgid = true;
      owner = "root";
      group = "mlocate";
      source = "${pkgs.locate}/bin/locate";
    };

  # a program with the CAP_NET_RAW capability
  ping =
    { owner = "root";
      group = "root";
      capabilities = "cap_net_raw+ep";
      source = "${pkgs.iputils.out}/bin/ping";
    };
}

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
security.wrappers.<name>.capabilities

A comma-separated list of capability clauses to be given to the wrapper program. The format for capability clauses is described in the “TEXTUAL REPRESENTATION” section of the cap_from_text(3) manual page. For a list of capabilities supported by the system, check the capabilities(7) manual page.

Note

cap_setpcap, which is required for the wrapper program to be able to raise caps into the Ambient set is NOT raised to the Ambient set so that the real program cannot modify its own capabilities!! This may be too restrictive for cases in which the real program needs cap_setpcap but it at least leans on the side security paranoid vs. too relaxed.

Type: strings concatenated with “,”

Default: ""

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
security.wrappers.<name>.group

The group of the wrapper program.

Type: string

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
security.wrappers.<name>.owner

The owner of the wrapper program.

Type: string

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
security.wrappers.<name>.permissions

The permissions of the wrapper program. The format is that of a symbolic or numeric file mode understood by chmod.

Type: file mode string

Default: "u+rx,g+x,o+x"

Example: "a+rx"

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
security.wrappers.<name>.program

The name of the wrapper program. Defaults to the attribute name.

Type: null or string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
security.wrappers.<name>.setgid

Whether to add the setgid bit the wrapper program.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
security.wrappers.<name>.setuid

Whether to add the setuid bit the wrapper program.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
security.wrappers.<name>.source

The absolute path to the program to be wrapped.

Type: path

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
services.packagekit.enable

Whether to enable PackageKit, a cross-platform D-Bus abstraction layer for installing software. Software utilizing PackageKit can install software regardless of the package manager .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/packagekit.nix>
services.packagekit.settings

Additional settings passed straight through to PackageKit.conf

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/packagekit.nix>
services.packagekit.vendorSettings

Additional settings passed straight through to Vendor.conf

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/packagekit.nix>
services.SystemdJournal2Gelf.enable

Whether to enable SystemdJournal2Gelf.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/SystemdJournal2Gelf.nix>
services.SystemdJournal2Gelf.package

The systemd-journal2gelf package to use.

Type: package

Default: pkgs.systemd-journal2gelf

Declared by:

<nixpkgs/nixos/modules/services/logging/SystemdJournal2Gelf.nix>
services.SystemdJournal2Gelf.extraOptions

Any extra flags to pass to SystemdJournal2Gelf. Note that these are basically journalctl flags.

Type: strings concatenated with " "

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/logging/SystemdJournal2Gelf.nix>
services.SystemdJournal2Gelf.graylogServer

Host and port of your graylog2 input. This should be a GELF UDP input.

Type: string

Example: "graylog2.example.com:11201"

Declared by:

<nixpkgs/nixos/modules/services/logging/SystemdJournal2Gelf.nix>
services._3proxy.enable

Whether to enable 3proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.confFile

Ignore all other 3proxy options and load configuration from this file.

Type: path

Example: "/var/lib/3proxy/3proxy.conf"

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.denyPrivate

Whether to deny access to private IP ranges including loopback.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.extraConfig

Extra configuration, appended to the 3proxy configuration file. Consult documentation for available options.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.privateRanges

What IP ranges to deny access when denyPrivate is set tu true.

Type: list of string

Default:

[
  "0.0.0.0/8"
  "127.0.0.0/8"
  "10.0.0.0/8"
  "100.64.0.0/10"
  "172.16.0.0/12"
  "192.168.0.0/16"
  "::"
  "::1"
  "fc00::/7"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.resolution

Use this option to configure name resolution and DNS caching.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.resolution.nscache

Set name cache size for IPv4.

Type: signed integer

Default: 65535

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.resolution.nscache6

Set name cache size for IPv6.

Type: signed integer

Default: 65535

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.resolution.nserver

List of nameservers to use.

Up to 5 nservers may be specified. If no nserver is configured, default system name resolution functions are used.

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.53"
  "192.168.1.3:5353/tcp"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.resolution.nsrecord

Adds static nsrecords.

Type: attribute set of string

Default: { }

Example:

{
  "files.local" = "192.168.1.12";
  "site.local" = "192.168.1.43";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services

Use this option to define 3proxy services.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    type = "proxy";
    bindAddress = "192.168.1.24";
    bindPort = 3128;
    auth = [ "none" ];
  }
  {
    type = "proxy";
    bindAddress = "10.10.1.20";
    bindPort = 3128;
    auth = [ "iponly" ];
  }
  {
    type = "socks";
    bindAddress = "172.17.0.1";
    bindPort = 1080;
    auth = [ "strong" ];
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services.*.acl

Use this option to limit user access to resources.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    rule = "allow";
    users = [ "user1" ];
  }
  {
    rule = "allow";
    sources = [ "192.168.1.0/24" ];
  }
  {
    rule = "deny";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services.*.acl.*.rule

ACL rule. The following values are valid:

  • "allow": connections allowed.

  • "deny": connections not allowed.

Type: one of “allow”, “deny”

Example: "allow"

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services.*.acl.*.sources

List of source IP range, use empty list for any.

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "192.168.1.0/24"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services.*.acl.*.targetPorts

List of target ports, use empty list for any.

Type: list of signed integer

Default: [ ]

Example:

[
  80
  443
]

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services.*.acl.*.targets

List of target IP ranges, use empty list for any. May also contain host names instead of addresses. It’s possible to use wildmask in the beginning and in the the end of hostname, e.g. *badsite.com or *badcontent*. Hostname is only checked if hostname presents in request.

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "192.168.1.0/24"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services.*.acl.*.users

List of users, use empty list for any.

Type: list of string

Default: [ ]

Example:

[
  "user1"
  "user2"
  "user3"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services.*.auth

Authentication type. The following values are valid:

  • "none": disables both authentication and authorization. You can not use ACLs.

  • "iponly": specifies no authentication. ACLs authorization is used.

  • "strong": authentication by username/password. If user is not registered their access is denied regardless of ACLs.

Double authentication is possible, e.g.

  {
    auth = [ "iponly" "strong" ];
    acl = [
      {
        rule = "allow";
        targets = [ "192.168.0.0/16" ];
      }
      {
        rule = "allow"
        users = [ "user1" "user2" ];
      }
    ];
  }

In this example strong username authentication is not required to access 192.168.0.0/16.

Type: list of (one of “none”, “iponly”, “strong”)

Example:

[
  "iponly"
  "strong"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services.*.bindAddress

Address used for service.

Type: string

Default: "[::]"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services.*.bindPort

Override default port used for service.

Type: null or signed integer

Default: null

Example: 3128

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services.*.extraArguments

Extra arguments for service. Consult “Options” section in documentation for available arguments.

Type: null or string

Default: null

Example: "-46"

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services.*.extraConfig

Extra configuration for service. Use this to configure things like bandwidth limiter or ACL-based redirection. Consult documentation for available options.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services.*.maxConnections

Maximum number of simulationeous connections to this service.

Type: signed integer

Default: 100

Example: 1000

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.services.*.type

Service type. The following values are valid:

  • "proxy": HTTP/HTTPS proxy (default port 3128).

  • "socks": SOCKS 4/4.5/5 proxy (default port 1080).

  • "pop3p": POP3 proxy (default port 110).

  • "ftppr": FTP proxy (default port 21).

  • "admin": Web interface (default port 80).

  • "dnspr": Caching DNS proxy (default port 53).

  • "tcppm": TCP portmapper.

  • "udppm": UDP portmapper.

Type: one of “proxy”, “socks”, “pop3p”, “ftppr”, “admin”, “dnspr”, “tcppm”, “udppm”

Example: "proxy"

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services._3proxy.usersFile

Load users and passwords from this file.

Example users file with plain-text passwords:

  test1:CL:password1
  test2:CL:password2

Example users file with md5-crypted passwords:

  test1:CR:$1$tFkisVd2$1GA8JXkRmTXdLDytM/i3a1
  test2:CR:$1$rkpibm5J$Aq1.9VtYAn0JrqZ8M.1ME.

You can generate md5-crypted passwords via https://unix4lyfe.org/crypt/ Note that htpasswd tool generates incompatible md5-crypted passwords. Consult documentation for more information.

Type: null or path

Default: null

Example: "/var/lib/3proxy/3proxy.passwd"

Declared by:

<nixpkgs/nixos/modules/services/networking/3proxy.nix>
services.accounts-daemon.enable

Whether to enable AccountsService, a DBus service for accessing the list of user accounts and information attached to those accounts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/accountsservice.nix>
services.acme-dns.enable

Whether to enable acme-dns.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.package

The acme-dns package to use.

Type: package

Default: pkgs.acme-dns

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings

Free-form settings written directly to the acme-dns.cfg file. Refer to https://github.com/joohoi/acme-dns/blob/master/README.md#configuration for supported values.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings.api.disable_registration

Whether to disable the HTTP registration endpoint.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings.api.ip

IP to bind the HTTP API on.

Type: string

Default: "[::]"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings.api.port

Listen port for the HTTP API.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings.api.tls

TLS backend to use.

Type: one of “letsencrypt”, “letsencryptstaging”, “cert”, “none”

Default: "none"

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings.database.connection

Database connection string.

Type: string

Default: "/var/lib/acme-dns/acme-dns.db"

Example: "postgres://user:password@localhost/acmedns"

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings.database.engine

Database engine to use.

Type: one of “sqlite3”, “postgres”

Default: "sqlite3"

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings.general.domain

Domain name to serve the requests off of.

Type: string

Example: "acme-dns.example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings.general.listen

IP+port combination to bind and serve the DNS server on.

Type: string

Default: "[::]:53"

Example: "127.0.0.1:53"

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings.general.nsadmin

Zone admin email address for SOA.

Type: string

Example: "admin.example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings.general.nsname

Zone name server.

Type: string

Example: "acme-dns.example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings.general.protocol

Protocols to serve DNS responses on.

Type: one of “both”, “both4”, “both6”, “udp”, “udp4”, “udp6”, “tcp”, “tcp4”, “tcp6”

Default: "both"

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings.general.records

Predefined DNS records served in addition to the _acme-challenge TXT records.

Type: list of string

Example:

[
  # replace with your acme-dns server's public IPv4
  "acme-dns.example.com. A 198.51.100.1"
  # replace with your acme-dns server's public IPv6
  "acme-dns.example.com. AAAA 2001:db8::1"
  # acme-dns.example.com should resolve any *.acme-dns.example.com records
  "acme-dns.example.com. NS acme-dns.example.com."
]

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acme-dns.settings.logconfig.loglevel

Level to log on.

Type: one of “error”, “warning”, “info”, “debug”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/networking/acme-dns.nix>
services.acpid.enable

Whether to enable the ACPI daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/acpid.nix>
services.acpid.acEventCommands

Shell commands to execute on an ac_adapter.* event.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/acpid.nix>
services.acpid.handlers

Event handlers.

Note

Handler can be a single command.

Type: attribute set of (submodule)

Default: { }

Example:

{
  ac-power = {
    action = ''
      vals=($1)  # space separated string to array of multiple values
      case ''${vals[3]} in
          00000000)
              echo unplugged >> /tmp/acpi.log
              ;;
          00000001)
              echo plugged in >> /tmp/acpi.log
              ;;
          *)
              echo unknown >> /tmp/acpi.log
              ;;
      esac
    '';
    event = "ac_adapter/*";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/hardware/acpid.nix>
services.acpid.handlers.<name>.action

Shell commands to execute when the event is triggered.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/hardware/acpid.nix>
services.acpid.handlers.<name>.event

Event type.

Type: string

Example: "button/power.*" "button/lid.*" "ac_adapter.*" "button/mute.*" "button/volumedown.*" "cd/play.*" "cd/next.*"

Declared by:

<nixpkgs/nixos/modules/services/hardware/acpid.nix>
services.acpid.lidEventCommands

Shell commands to execute on a button/lid.* event.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/acpid.nix>
services.acpid.logEvents

Log all event activity.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/acpid.nix>
services.acpid.powerEventCommands

Shell commands to execute on a button/power.* event.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/acpid.nix>
services.activemq.enable

Enable the Apache ActiveMQ message broker service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
services.activemq.baseDir

The base directory where ActiveMQ stores its persistent data and logs. This will be overridden if you set “activemq.base” and “activemq.data” in the javaProperties option. You can also override this in activemq.xml.

Type: string

Default: "/var/activemq"

Declared by:

<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
services.activemq.configurationDir

The base directory for ActiveMQ’s configuration. By default, this directory is searched for a file named activemq.xml, which should contain the configuration for the broker service.

Type: string

Default: "${pkgs.activemq}/conf"

Declared by:

<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
services.activemq.configurationURI

The URI that is passed along to the BrokerFactory to set up the configuration of the ActiveMQ broker service. You should not need to change this. For custom configuration, set the configurationDir instead, and create an activemq.xml configuration file in it.

Type: string

Default: "xbean:activemq.xml"

Declared by:

<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
services.activemq.extraJavaOptions

Add extra options here that you want to be sent to the Java runtime when the broker service is started.

Type: strings concatenated with " "

Default: ""

Example: "-Xmx2G -Xms2G -XX:MaxPermSize=512M"

Declared by:

<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
services.activemq.javaProperties

Specifies Java properties that are sent to the ActiveMQ broker service with the “-D” option. You can set properties here to change the behaviour and configuration of the broker. All essential properties that are not set here are automatically given reasonable defaults.

Type: attribute set

Default: { }

Example:

{
  "java.net.preferIPv4Stack" = "true";
}

Declared by:

<nixpkgs/nixos/modules/services/amqp/activemq/default.nix>
services.actkbd.enable

Whether to enable the actkbd key mapping daemon.

Turning this on will start an actkbd instance for every evdev input that has at least one key (which is okay even for systems with tiny memory footprint, since actkbd normally uses <100 bytes of memory per instance).

This allows binding keys globally without the need for e.g. X11.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
services.actkbd.bindings

Key bindings for actkbd.

See actkbd README for documentation.

The example shows a piece of what sound.mediaKeys.enable does when enabled.

Type: list of (submodule)

Default: [ ]

Example:

[ { keys = [ 113 ]; events = [ "key" ]; command = "${pkgs.alsa-utils}/bin/amixer -q set Master toggle"; }
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
services.actkbd.bindings.*.attributes

List of attributes.

Type: list of string

Default:

[
  "exec"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
services.actkbd.bindings.*.command

What to run.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
services.actkbd.bindings.*.events

List of events to match.

Type: list of (one of “key”, “rep”, “rel”)

Default:

[
  "key"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
services.actkbd.bindings.*.keys

List of keycodes to match.

Type: list of signed integer

Declared by:

<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
services.actkbd.extraConfig

Literal contents to append to the end of actkbd configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/actkbd.nix>
services.adguardhome.enable

Whether to enable AdGuard Home network-wide ad blocker.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
services.adguardhome.package

The package that runs adguardhome.

Type: package

Default: pkgs.adguardhome

Declared by:

<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
services.adguardhome.allowDHCP

Allows AdGuard Home to open raw sockets (CAP_NET_RAW), which is required for the integrated DHCP server.

The default enables this conditionally if the declarative configuration enables the integrated DHCP server. Manually setting this option is only required for non-declarative setups.

Type: boolean

Default: config.services.adguardhome.settings.dhcp.enabled or false

Declared by:

<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
services.adguardhome.extraArgs

Extra command line parameters to be passed to the adguardhome binary.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
services.adguardhome.host

Host address to bind HTTP server to.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
services.adguardhome.mutableSettings

Allow changes made on the AdGuard Home web interface to persist between service restarts.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
services.adguardhome.openFirewall

Open ports in the firewall for the AdGuard Home web interface. Does not open the port needed to access the DNS resolver.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
services.adguardhome.port

Port to serve HTTP pages on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
services.adguardhome.settings

AdGuard Home configuration. Refer to https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file for details on supported values.

Note

On start and if mutableSettings is true, these options are merged into the configuration file on start, taking precedence over configuration changes made on the web interface.

Set this to null (default) for a non-declarative configuration without any Nix-supplied values. Declarative configurations are supplied with a default schema_version, and http.address.

Type: null or (YAML value)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
services.adguardhome.settings.schema_version

Schema version for the configuration. Defaults to the schema_version supplied by cfg.package.

Type: signed integer

Default: cfg.package.schema_version

Declared by:

<nixpkgs/nixos/modules/services/networking/adguardhome.nix>
services.aerospike.enable

Whether to enable Aerospike server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/aerospike.nix>
services.aerospike.package

The aerospike package to use.

Type: package

Default: pkgs.aerospike

Declared by:

<nixpkgs/nixos/modules/services/databases/aerospike.nix>
services.aerospike.extraConfig

Extra configuration

Type: strings concatenated with “\n”

Default: ""

Example:

''
  namespace test {
    replication-factor 2
    memory-size 4G
    default-ttl 30d
    storage-engine memory
  }
''

Declared by:

<nixpkgs/nixos/modules/services/databases/aerospike.nix>
services.aerospike.networkConfig

network section of configuration file

Type: strings concatenated with “\n”

Default:

''
  service {
    address any
    port 3000
  }
  
  heartbeat {
    address any
    mode mesh
    port 3002
    interval 150
    timeout 10
  }
  
  fabric {
    address any
    port 3001
  }
  
  info {
    address any
    port 3003
  }
''

Declared by:

<nixpkgs/nixos/modules/services/databases/aerospike.nix>
services.aerospike.workDir

Location where Aerospike stores its files

Type: string

Default: "/var/lib/aerospike"

Declared by:

<nixpkgs/nixos/modules/services/databases/aerospike.nix>
services.aesmd.enable

Whether to enable Intel’s Architectural Enclave Service Manager (AESM) for Intel SGX.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/aesmd.nix>
services.aesmd.package

The sgx-psw package to use.

Type: package

Default: pkgs.sgx-psw

Declared by:

<nixpkgs/nixos/modules/services/security/aesmd.nix>
services.aesmd.environment

Additional environment variables to pass to the AESM service.

Type: attribute set of string

Default: { }

Example:

{
  AZDCAP_COLLATERAL_VERSION = "v2";
  AZDCAP_DEBUG_LOG_LEVEL = "INFO";
}

Declared by:

<nixpkgs/nixos/modules/services/security/aesmd.nix>
services.aesmd.quoteProviderLibrary

Custom quote provider library to use.

Type: null or path

Default: null

Example: pkgs.sgx-azure-dcap-client

Declared by:

<nixpkgs/nixos/modules/services/security/aesmd.nix>
services.aesmd.settings

AESM configuration

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/aesmd.nix>
services.aesmd.settings.defaultQuotingType

Attestation quote type.

Type: null or one of “ecdsa_256”, “epid_linkable”, “epid_unlinkable”

Default: null

Example: "ecdsa_256"

Declared by:

<nixpkgs/nixos/modules/services/security/aesmd.nix>
services.aesmd.settings.proxy

HTTP network proxy.

Type: null or string

Default: null

Example: "http://proxy_url:1234"

Declared by:

<nixpkgs/nixos/modules/services/security/aesmd.nix>
services.aesmd.settings.proxyType

Type of proxy to use. The default uses the system’s default proxy. If direct is given, uses no proxy. A value of manual uses the proxy from services.aesmd.settings.proxy.

Type: null or one of “default”, “direct”, “manual”

Default:

if (config.services.aesmd.settings.proxy != null) then "manual" else null

Example: "default"

Declared by:

<nixpkgs/nixos/modules/services/security/aesmd.nix>
services.aesmd.settings.whitelistUrl

URL to retrieve authorized Intel SGX enclave signers.

Type: null or string

Default: null

Example: "http://whitelist.trustedservices.intel.com/SGX/LCWL/Linux/sgx_white_list_cert.bin"

Declared by:

<nixpkgs/nixos/modules/services/security/aesmd.nix>
services.agate.enable

Whether to enable Agate Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/agate.nix>
services.agate.package

The agate package to use.

Type: package

Default: pkgs.agate

Declared by:

<nixpkgs/nixos/modules/services/web-servers/agate.nix>
services.agate.addresses

Addresses to listen on, IP:PORT, if you haven’t disabled forwarding only set IPv4.

Type: list of string

Default:

[
  "0.0.0.0:1965"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/agate.nix>
services.agate.certificatesDir

Root of the certificate directory.

Type: path

Default: "/var/lib/agate/certificates"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/agate.nix>
services.agate.contentDir

Root of the content directory.

Type: path

Default: "/var/lib/agate/content"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/agate.nix>
services.agate.extraArgs

Extra arguments to use running agate.

Type: list of string

Default:

[
  ""
]

Example:

[
  "--log-ip"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/agate.nix>
services.agate.hostnames

Domain name of this Gemini server, enables checking hostname and port in requests. (multiple occurrences means basic vhosts)

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/agate.nix>
services.agate.language

RFC 4646 Language code for text/gemini documents.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/agate.nix>
services.agate.onlyTls_1_3

Only use TLSv1.3 (default also allows TLSv1.2).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/agate.nix>
services.agorakit.enable

Whether to enable agorakit.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.appKeyFile

A file containing the Laravel APP_KEY - a 32 character long, base64 encoded key used for encryption where needed. Can be generated with <code>head -c 32 /dev/urandom | base64</code>.

Type: path

Example: "/run/keys/agorakit-appkey"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.appURL

The root URL that you want to host agorakit on. All URLs in agorakit will be generated using this value. If you change this in the future you may need to run a command to update stored URLs in the database. Command example: <code>php artisan agorakit:update-url https://old.example.com https://new.example.com</code>

Type: string

Default: "http\${lib.optionalString tlsEnabled \"s\"}://\${cfg.hostName}"

Example: "https://example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.config

Agorakit configuration options to set in the <filename>.env</filename> file.

Refer to <link xlink:href=“https://github.com/agorakit/agorakit”/> for details on supported values.

Settings containing secret data should be set to an attribute set containing the attribute <literal>_secret</literal> - a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting <filename>.env</filename> file, the <literal>OIDC_CLIENT_SECRET</literal> key will be set to the contents of the <filename>/run/keys/oidc_secret</filename> file.

Type: attribute set of (null or boolean or signed integer or 16 bit unsigned integer; between 0 and 65535 (both inclusive) or path or string or (submodule))

Default: { }

Example:

''
  {
    ALLOWED_IFRAME_HOSTS = "https://example.com";
    AUTH_METHOD = "oidc";
    OIDC_NAME = "MyLogin";
    OIDC_DISPLAY_NAME_CLAIMS = "name";
    OIDC_CLIENT_ID = "agorakit";
    OIDC_CLIENT_SECRET = {_secret = "/run/keys/oidc_secret"};
    OIDC_ISSUER = "https://keycloak.example.com/auth/realms/My%20Realm";
    OIDC_ISSUER_DISCOVER = true;
  }
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.dataDir

agorakit data directory

Type: path

Default: "/var/lib/agorakit"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.database.name

Database name.

Type: string

Default: "agorakit"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.database.passwordFile

A file containing the password corresponding to <option>database.user</option>.

Type: null or path

Default: null

Example: "/run/keys/agorakit-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.database.user

Database username.

Type: string

Default: user

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.group

Group agorakit runs as.

Type: string

Default: "agorakit"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.hostName

The hostname to serve agorakit on.

Type: string

Default: config.networking.fqdn

Example: "agorakit.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.mail.driver

Mail driver to use.

Type: one of “smtp”, “sendmail”

Default: "smtp"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.mail.encryption

SMTP encryption mechanism to use.

Type: null or value “tls” (singular enum)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.mail.from

Mail “from” email.

Type: string

Default: "mail@agorakit.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.mail.fromName

Mail “from” name.

Type: string

Default: "agorakit"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.mail.host

Mail host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.mail.passwordFile

A file containing the password corresponding to <option>mail.user</option>.

Type: null or path

Default: null

Example: "/run/keys/agorakit-mailpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.mail.port

Mail host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1025

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.mail.user

Mail username.

Type: null or string

Default: null

Example: "agorakit"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.maxUploadSize

The maximum size for uploads (e.g. images).

Type: string

Default: "18M"

Example: "1G"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx

With this option, you can customize the nginx virtualHost settings.

Type: submodule

Default: { }

Example:

''
  {
    serverAliases = [
      "agorakit.''${config.networking.domain}"
    ];
    # To enable encryption and let let's encrypt take care of certificate
    forceSSL = true;
    enableACME = true;
  }
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.poolConfig

Options for the agorakit PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.agorakit.user

User agorakit runs as.

Type: string

Default: "agorakit"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/agorakit.nix>
services.airsonic.enable

Whether to enable Airsonic, the Free and Open Source media streaming server (fork of Subsonic and Libresonic).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/airsonic.nix>
services.airsonic.contextPath

The context path, i.e., the last part of the Airsonic URL. Typically ‘/’ or ‘/airsonic’. Default ‘/’

Type: path

Default: "/"

Declared by:

<nixpkgs/nixos/modules/services/misc/airsonic.nix>
services.airsonic.home

The directory where Airsonic will create files. Make sure it is writable.

Type: path

Default: "/var/lib/airsonic"

Declared by:

<nixpkgs/nixos/modules/services/misc/airsonic.nix>
services.airsonic.jre

The jre8 package to use. ::: {.note} Airsonic only supports Java 8, airsonic-advanced requires at least Java 11. :::

Type: package

Default: pkgs.jre8

Declared by:

<nixpkgs/nixos/modules/services/misc/airsonic.nix>
services.airsonic.jvmOptions

Extra command line options for the JVM running AirSonic. Useful for sending jukebox output to non-default alsa devices.

Type: list of string

Default: [ ]

Example:

[
  "-Djavax.sound.sampled.Clip='#CODEC [plughw:1,0]'"
  "-Djavax.sound.sampled.Port='#Port CODEC [hw:1]'"
  "-Djavax.sound.sampled.SourceDataLine='#CODEC [plughw:1,0]'"
  "-Djavax.sound.sampled.TargetDataLine='#CODEC [plughw:1,0]'"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/airsonic.nix>
services.airsonic.listenAddress

The host name or IP address on which to bind Airsonic. The default value is appropriate for first launch, when the default credentials are easy to guess. It is also appropriate if you intend to use the virtualhost option in the service module. In other cases, you may want to change this to a specific IP or 0.0.0.0 to listen on all interfaces.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/airsonic.nix>
services.airsonic.maxMemory

The memory limit (max Java heap size) in megabytes. Default: 100

Type: signed integer

Default: 100

Declared by:

<nixpkgs/nixos/modules/services/misc/airsonic.nix>
services.airsonic.port

The port on which Airsonic will listen for incoming HTTP traffic. Set to 0 to disable.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4040

Declared by:

<nixpkgs/nixos/modules/services/misc/airsonic.nix>
services.airsonic.transcoders

List of paths to transcoder executables that should be accessible from Airsonic. Symlinks will be created to each executable inside ${config.services.airsonic.home}/transcoders.

Type: list of path

Default: [ "${pkgs.ffmpeg.bin}/bin/ffmpeg" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/airsonic.nix>
services.airsonic.user

User account under which airsonic runs.

Type: string

Default: "airsonic"

Declared by:

<nixpkgs/nixos/modules/services/misc/airsonic.nix>
services.airsonic.virtualHost

Name of the nginx virtualhost to use and setup. If null, do not setup any virtualhost.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/airsonic.nix>
services.airsonic.war

Airsonic war file to use.

Type: path

Default: "${pkgs.airsonic}/webapps/airsonic.war"

Declared by:

<nixpkgs/nixos/modules/services/misc/airsonic.nix>
services.akkoma.enable

Whether to enable Akkoma.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.package

The akkoma package to use.

Type: package

Default: pkgs.akkoma

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config

Configuration for Akkoma. The attributes are serialised to Elixir DSL.

Refer to https://docs.akkoma.dev/stable/configuration/cheatsheet/ for configuration options.

Settings containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to.

Type: attribute set of attribute set of (Elixir value)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":joken".":default_signer"

JWT signing secret.

The attribute _secret should point to a file containing the secret.

This secret can be generated as follows:

$ tr -dc 'A-Za-z0-9-._~' </dev/urandom | head -c 64

Type: secret value

Default:

{
  _secret = "/var/lib/secrets/akkoma/jwt-signer";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":logger".":ex_syslogger".level

Log level.

Refer to https://hexdocs.pm/logger/Logger.html#module-levels for options.

Type: non-empty string

Default: ":info"

Example: ":warning"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma".":frontends"

Frontend configuration.

Users should rely on the default value and prefer to configure frontends through config.services.akkoma.frontends.

Type: Elixir value

Default:

lib.mapAttrs (key: val:
  (pkgs.formats.elixirConf { }).lib.mkMap { name = val.name; ref = val.ref; })
  config.services.akkoma.frontends;

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma".":instance".description

Instance description.

Type: non-empty string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma".":instance".email

Instance administrator email.

Type: non-empty string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma".":instance".name

Instance name.

Type: non-empty string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma".":instance".static_dir

Directory of static files.

This directory can be built using a derivation, or it can be managed as mutable state by setting the option to an absolute path.

Type: path

Default: Derivation gathering the following paths into a directory:

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma".":instance".upload_dir

Directory where Akkoma will put uploaded files.

Type: absolute path

Default: "/var/lib/akkoma/uploads"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma".":media_proxy".enabled

Whether to enable proxying of remote media through the instance’s proxy.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma".":media_proxy".base_url

Base path for the media proxy. Whilst this can just be set to a subdirectory of the main domain, it is now recommended to use a different subdomain.

Type: null or non-empty string

Default:

if lib.versionOlder config.system.stateVersion "24.05"
then "$\{httpConf.scheme}://$\{httpConf.host}:$\{builtins.toString httpConf.port}"
else null;

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma"."Pleroma.Repo"

Database configuration.

Refer to https://hexdocs.pm/ecto_sql/Ecto.Adapters.Postgres.html#module-connection-options for options.

Type: Elixir value

Default:

{
  adapter = (pkgs.formats.elixirConf { }).lib.mkRaw "Ecto.Adapters.Postgres";
  socket_dir = "/run/postgresql";
  username = config.services.akkoma.user;
  database = "akkoma";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma"."Pleroma.Upload".base_url

Base path which uploads will be stored at. Whilst this can just be set to a subdirectory of the main domain, it is now recommended to use a different subdomain.

Type: non-empty string

Default:

if lib.versionOlder config.system.stateVersion "24.05"
then "$\{httpConf.scheme}://$\{httpConf.host}:$\{builtins.toString httpConf.port}/media/"
else null;

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma"."Pleroma.Web.Endpoint".http.ip

Listener IP address or Unix socket path.

The value is automatically converted to Elixir’s internal address representation during serialisation.

Type: absolute path or IPv4 or IPv6 address

Default: "/run/akkoma/socket"

Example: "::1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma"."Pleroma.Web.Endpoint".http.port

Listener port number.

Must be 0 if using a Unix socket.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

if isAbsolutePath config.services.akkoma.config.:pleroma"."Pleroma.Web.Endpoint".http.ip
  then 0
  else 4000;

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma"."Pleroma.Web.Endpoint".live_view.signing_salt

LiveView signing salt.

The attribute _secret should point to a file containing the secret.

This salt can be generated as follows:

$ tr -dc 'A-Za-z0-9-._~' </dev/urandom | head -c 8

Type: secret value

Default:

{
  _secret = "/var/lib/secrets/akkoma/liveview-salt";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma"."Pleroma.Web.Endpoint".secret_key_base

Secret key used as a base to generate further secrets for encrypting and signing data.

The attribute _secret should point to a file containing the secret.

This key can generated can be generated as follows:

$ tr -dc 'A-Za-z-._~' </dev/urandom | head -c 64

Type: secret value

Default:

{
  _secret = "/var/lib/secrets/akkoma/key-base";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma"."Pleroma.Web.Endpoint".signing_salt

Signing salt.

The attribute _secret should point to a file containing the secret.

This salt can be generated as follows:

$ tr -dc 'A-Za-z0-9-._~' </dev/urandom | head -c 8

Type: secret value

Default:

{
  _secret = "/var/lib/secrets/akkoma/signing-salt";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma"."Pleroma.Web.Endpoint".url.host

Domain name of the instance.

Type: non-empty string

Default: config.networking.fqdn

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma"."Pleroma.Web.Endpoint".url.port

External port number.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 443

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":pleroma"."Pleroma.Web.Endpoint".url.scheme

URL scheme.

Type: non-empty string

Default: "https"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":web_push_encryption"

Web Push Notifications configuration.

The necessary key pair can be generated as follows:

$ nix-shell -p nodejs --run 'npx web-push generate-vapid-keys'

Type: Elixir value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":web_push_encryption".":vapid_details".private_key

base64-encoded private ECDH key.

The attribute _secret should point to a file containing the secret.

Type: secret value

Default:

{
  _secret = "/var/lib/secrets/akkoma/vapid-private";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":web_push_encryption".":vapid_details".public_key

base64-encoded public ECDH key.

Type: non-empty string or secret value

Default:

{
  _secret = "/var/lib/secrets/akkoma/vapid-public";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.config.":web_push_encryption".":vapid_details".subject

mailto URI for administrative contact.

Type: non-empty string

Default:

"mailto:${config.services.akkoma.config.":pleroma".":instance".email}"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.dist.address

Listen address for Erlang distribution protocol and Port Mapper Daemon (epmd).

Type: IPv4 or IPv6 address

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.dist.cookie

Erlang release cookie.

If set to null, a temporary random cookie will be generated.

Type: null or secret value

Default: null

Example:

{
  _secret = "/var/lib/secrets/akkoma/releaseCookie";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.dist.epmdPort

TCP port to bind Erlang Port Mapper Daemon to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4369

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.dist.extraFlags

Extra flags to pass to Erlang

Type: list of string

Default: [ ]

Example:

[
  "+sbwt"
  "none"
  "+sbwtdcpu"
  "none"
  "+sbwtdio"
  "none"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.dist.portMax

Upper bound for Erlang distribution protocol TCP port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 65535

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.dist.portMin

Lower bound for Erlang distribution protocol TCP port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 49152

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.extraPackages

List of extra packages to include in the executable search path of the service unit. These are needed by various configurable components such as:

  • ExifTool for the Pleroma.Upload.Filter.Exiftool upload filter,

  • ImageMagick for still image previews in the media proxy as well as for the Pleroma.Upload.Filters.Mogrify upload filter, and

  • ffmpeg for video previews in the media proxy.

Type: list of package

Default: with pkgs; [ exiftool ffmpeg-headless graphicsmagick-imagemagick-compat ]

Example: with pkgs; [ exiftool ffmpeg-full imagemagick ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.extraStatic

Attribute set of extra packages to add to the static files directory.

Do not add frontends here. These should be configured through services.akkoma.frontends.

Type: null or (attribute set of package)

Default: null

Example:

{
  "emoji/blobs.gg" = pkgs.akkoma-emoji.blobs_gg;
  "static/terms-of-service.html" = pkgs.writeText "terms-of-service.html" ''
    …
  '';
  "favicon.png" = let
    rev = "697a8211b0f427a921e7935a35d14bb3e32d0a2c";
  in pkgs.stdenvNoCC.mkDerivation {
    name = "favicon.png";

    src = pkgs.fetchurl {
      url = "https://raw.githubusercontent.com/TilCreator/NixOwO/${rev}/NixOwO_plain.svg";
      hash = "sha256-tWhHMfJ3Od58N9H5yOKPMfM56hYWSOnr/TGCBi8bo9E=";
    };

    nativeBuildInputs = with pkgs; [ librsvg ];

    dontUnpack = true;
    installPhase = ''
      rsvg-convert -o $out -w 96 -h 96 $src
    '';
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.frontends

Akkoma frontends.

Type: attribute set of (submodule)

Default:

{
  primary = {
    package = pkgs.akkoma-frontends.akkoma-fe;
    name = "akkoma-fe";
    ref = "stable";
  };
  admin = {
    package = pkgs.akkoma-frontends.admin-fe;
    name = "admin-fe";
    ref = "stable";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.frontends.<name>.package

Akkoma frontend package.

Type: package

Example: pkgs.akkoma-frontends.akkoma-fe

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.frontends.<name>.name

Akkoma frontend name.

Type: non-empty string

Example: "akkoma-fe"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.frontends.<name>.ref

Akkoma frontend reference.

Type: non-empty string

Example: "stable"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.group

Group account under which Akkoma runs.

Type: non-empty string

Default: "akkoma"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.initDb.enable

Whether to automatically initialise the database on startup. This will create a database role and database if they do not already exist, and (re)set the role password and the ownership of the database.

This setting can be used safely even if the database already exists and contains data.

The database settings are configured through config.services.akkoma.config.":pleroma"."Pleroma.Repo".

If disabled, the database has to be set up manually:

CREATE ROLE akkoma LOGIN;

CREATE DATABASE akkoma
  OWNER akkoma
  TEMPLATE template0
  ENCODING 'utf8'
  LOCALE 'C';

\connect akkoma
CREATE EXTENSION IF NOT EXISTS citext;
CREATE EXTENSION IF NOT EXISTS pg_trgm;
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.initDb.password

Password of the database user to initialise the database with.

If set to null, no password will be used.

The attribute _secret should point to a file containing the secret.

Type: null or secret value

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.initDb.username

Name of the database user to initialise the database with.

This user is required to have the CREATEROLE and CREATEDB capabilities.

Type: non-empty string

Default: config.services.postgresql.superUser

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.initSecrets

Whether to initialise non‐existent secrets with random values.

If enabled, appropriate secrets for the following options will be created automatically if the files referenced in the _secrets attribute do not exist during startup.

  • config.":pleroma"."Pleroma.Web.Endpoint".secret_key_base

  • config.":pleroma"."Pleroma.Web.Endpoint".signing_salt

  • config.":pleroma"."Pleroma.Web.Endpoint".live_view.signing_salt

  • config.":web_push_encryption".":vapid_details".private_key

  • config.":web_push_encryption".":vapid_details".public_key

  • config.":joken".":default_signer"

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.installWrapper

Whether to install a wrapper around pleroma_ctl to simplify administration of the Akkoma instance.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx

Extra configuration for the nginx virtual host of Akkoma.

If set to null, no virtual host will be added to the nginx configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.akkoma.user

User account under which Akkoma runs.

Type: non-empty string

Default: "akkoma"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/akkoma.nix>
services.alerta.enable

Whether to enable alerta.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
services.alerta.authenticationRequired

Whether users must authenticate when using the web UI or command-line tool

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
services.alerta.bind

Address to bind to. The default is to bind to all addresses

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
services.alerta.corsOrigins

List of URLs that can access the API for Cross-Origin Resource Sharing (CORS)

Type: list of string

Default:

[
  "http://localhost"
  "http://localhost:5000"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
services.alerta.databaseName

Name of the database instance to connect to

Type: string

Default: "monitoring"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
services.alerta.databaseUrl

URL of the MongoDB or PostgreSQL database to connect to

Type: string

Default: "mongodb://localhost"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
services.alerta.extraConfig

These lines go into alertad.conf verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
services.alerta.logDir

Location where the logfiles are stored

Type: path

Default: "/var/log/alerta"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
services.alerta.port

Port of Alerta

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
services.alerta.signupEnabled

Whether to prevent sign-up of new users via the web UI

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alerta.nix>
services.alice-lg.enable

Whether to enable Alice Looking Glass.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/alice-lg.nix>
services.alice-lg.package

The alice-lg package to use.

Type: package

Default: pkgs.alice-lg

Declared by:

<nixpkgs/nixos/modules/services/networking/alice-lg.nix>
services.alice-lg.settings

alice-lg configuration, for configuration options see the example on github

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  server = {
    # configures the built-in webserver and provides global application settings
    listen_http = "127.0.0.1:7340";
    enable_prefix_lookup = true;
    asn = 9033;
    store_backend = postgres;
    routes_store_refresh_parallelism = 5;
    neighbors_store_refresh_parallelism = 10000;
    routes_store_refresh_interval = 5;
    neighbors_store_refresh_interval = 5;
  };
  postgres = {
    url = "postgres://postgres:postgres@localhost:5432/alice";
    min_connections = 2;
    max_connections = 128;
  };
  pagination = {
    routes_filtered_page_size = 250;
    routes_accepted_page_size = 250;
    routes_not_exported_page_size = 250;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/alice-lg.nix>
services.alloy.enable

Whether to enable Grafana Alloy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alloy.nix>
services.alloy.package

The grafana-alloy package to use.

Type: package

Default: pkgs.grafana-alloy

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alloy.nix>
services.alloy.configPath

Alloy configuration file/directory path.

We default to /etc/alloy here, and expect the user to configure a configuration file via environment.etc."alloy/config.alloy".

This allows config reload, contrary to specifying a store path. A reloadTrigger for config.alloy is configured.

Other *.alloy files in the same directory (ignoring subdirs) are also honored, but it’s necessary to manually extend systemd.services.alloy.reloadTriggers to enable config reload during nixos-rebuild switch.

This can also point to another directory containing *.alloy files, or a single Alloy file in the Nix store (at the cost of reload).

Component names must be unique across all Alloy configuration files, and configuration blocks must not be repeated.

Alloy will continue to run if subsequent reloads of the configuration file fail, potentially marking components as unhealthy depending on the nature of the failure. When this happens, Alloy will continue functioning in the last valid state.

Type: path

Default: "/etc/alloy"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alloy.nix>
services.alloy.extraFlags

Extra command-line flags passed to alloy run.

See https://grafana.com/docs/alloy/latest/reference/cli/run/

Type: list of string

Default: [ ]

Example:

[
  "--server.http.listen-addr=127.0.0.1:12346"
  "--disable-reporting"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/alloy.nix>
services.alps.enable

Whether to enable alps.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/alps.nix>
services.alps.bindIP

The IP the service should listen on.

Type: string

Default: "[::]"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/alps.nix>
services.alps.imaps.host

The IMAPS server address.

Type: string

Default: "[::1]"

Example: "mail.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/alps.nix>
services.alps.imaps.port

The IMAPS server port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 993

Declared by:

<nixpkgs/nixos/modules/services/web-apps/alps.nix>
services.alps.port

TCP port the service should listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1323

Declared by:

<nixpkgs/nixos/modules/services/web-apps/alps.nix>
services.alps.smtps.host

The SMTPS server address.

Type: string

Default: "services.alps.imaps.host"

Example: "mail.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/alps.nix>
services.alps.smtps.port

The SMTPS server port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 465

Declared by:

<nixpkgs/nixos/modules/services/web-apps/alps.nix>
services.alps.theme

The frontend’s theme to use.

Type: one of “alps”, “sourcehut”

Default: "sourcehut"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/alps.nix>
services.amazon-cloudwatch-agent.enable

Whether to enable Amazon CloudWatch Agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/amazon-cloudwatch-agent.nix>
services.amazon-cloudwatch-agent.package

The amazon-cloudwatch-agent package to use.

Type: package

Default: pkgs.amazon-cloudwatch-agent

Declared by:

<nixpkgs/nixos/modules/services/monitoring/amazon-cloudwatch-agent.nix>
services.amazon-cloudwatch-agent.commonConfiguration

Amazon CloudWatch Agent common configuration. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Agent-commandline-fleet.html#CloudWatch-Agent-profile-instance-first for supported values.

Type: TOML value

Default: { }

Example:

{
  credentials = {
    shared_credential_file = "/path/to/credentials";
    shared_credential_profile = "profile_name";
  };
  proxy = {
    http_proxy = "http_url";
    https_proxy = "https_url";
    no_proxy = "domain";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/amazon-cloudwatch-agent.nix>
services.amazon-cloudwatch-agent.configuration

Amazon CloudWatch Agent configuration. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for supported values.

Type: JSON value

Default: { }

Example:

{
  agent = {
    logfile = "/var/log/amazon-cloudwatch-agent/amazon-cloudwatch-agent.log";
    metrics_collection_interval = 10;
  };
  logs = {
    force_flush_interval = 15;
    log_stream_name = "log_stream_name";
    logs_collected = {
      files = {
        collect_list = [
          {
            file_path = "/var/log/amazon-cloudwatch-agent/amazon-cloudwatch-agent.log";
            log_group_name = "amazon-cloudwatch-agent.log";
            log_stream_name = "{instance_id}";
            timezone = "UTC";
          }
        ];
      };
    };
  };
  metrics = {
    metrics_collected = {
      cpu = {
        append_dimensions = {
          customized_dimension_key_1 = "customized_dimension_value_1";
          customized_dimension_key_2 = "customized_dimension_value_2";
        };
        measurement = [
          {
            name = "cpu_usage_idle";
            rename = "CPU_USAGE_IDLE";
            unit = "Percent";
          }
          {
            name = "cpu_usage_nice";
            unit = "Percent";
          }
          "cpu_usage_guest"
        ];
        metrics_collection_interval = 10;
        resource = [
          "*"
        ];
        totalcpu = false;
      };
    };
    namespace = "MyCustomNamespace";
  };
  traces = {
    traces_collected = {
      oltp = { };
      xray = { };
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/amazon-cloudwatch-agent.nix>
services.amazon-cloudwatch-agent.mode

Amazon CloudWatch Agent mode. Indicates whether the agent is running in EC2 (“ec2”), on-premises (“onPremise”), or if it should guess based on metadata endpoints like IMDS or the ECS task metadata endpoint (“auto”).

Type: string

Default: "auto"

Example: "onPremise"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/amazon-cloudwatch-agent.nix>
services.amazon-ssm-agent.enable

Whether to enable Amazon SSM agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/amazon-ssm-agent.nix>
services.amazon-ssm-agent.package

The amazon-ssm-agent package to use.

Type: package

Default: pkgs.amazon-ssm-agent

Declared by:

<nixpkgs/nixos/modules/services/misc/amazon-ssm-agent.nix>
services.amule.enable

Whether to run the AMule daemon. You need to manually run “amuled --ec-config” to configure the service for the first time.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/amuled.nix>
services.amule.dataDir

The directory holding configuration, incoming and temporary files.

Type: string

Default:

"/home/${config.services.amule.user}/"

Declared by:

<nixpkgs/nixos/modules/services/networking/amuled.nix>
services.amule.user

The user the AMule daemon should run as.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/amuled.nix>
services.ananicy.enable

Whether to enable Ananicy, an auto nice daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/ananicy.nix>
services.ananicy.package

The ananicy package to use.

Type: package

Default: pkgs.ananicy

Example: ananicy-cpp

Declared by:

<nixpkgs/nixos/modules/services/misc/ananicy.nix>
services.ananicy.extraCgroups

Cgroups to write in ‘nixCgroups.cgroups’. See: https://gitlab.com/ananicy-cpp/ananicy-cpp/#cgroups

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    CPUQuota = 80;
    cgroup = "cpu80";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/ananicy.nix>
services.ananicy.extraRules

Rules to write in ‘nixRules.rules’. See: https://github.com/Nefelim4ag/Ananicy#configuration https://gitlab.com/ananicy-cpp/ananicy-cpp/#global-configuration

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    name = "eog";
    type = "Image-Viewer";
  }
  {
    name = "fdupes";
    type = "BG_CPUIO";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/ananicy.nix>
services.ananicy.extraTypes

Types to write in ‘nixTypes.types’. See: https://gitlab.com/ananicy-cpp/ananicy-cpp/#types

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    nice = 19;
    other_parameter = "value";
    type = "my_type";
  }
  {
    ioclass = "idle";
    nice = 19;
    sched = "batch";
    type = "compiler";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/ananicy.nix>
services.ananicy.rulesProvider

Which package to copy default rules,types,cgroups from.

Type: package

Default: pkgs.ananicy

Example: ananicy-cpp

Declared by:

<nixpkgs/nixos/modules/services/misc/ananicy.nix>
services.ananicy.settings

See https://github.com/Nefelim4ag/Ananicy/blob/master/ananicy.d/ananicy.conf

Type: attribute set of (signed integer or boolean or string)

Default: { }

Example:

{
  apply_nice = false;
}

Declared by:

<nixpkgs/nixos/modules/services/misc/ananicy.nix>
services.anki-sync-server.enable

Whether to enable anki-sync-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/anki-sync-server.nix>
services.anki-sync-server.package

The anki-sync-server package to use.

Type: package

Default: pkgs.anki-sync-server

Declared by:

<nixpkgs/nixos/modules/services/misc/anki-sync-server.nix>
services.anki-sync-server.address

IP address anki-sync-server listens to. Note host names are not resolved.

Type: string

Default: "::1"

Declared by:

<nixpkgs/nixos/modules/services/misc/anki-sync-server.nix>
services.anki-sync-server.baseDirectory

Base directory where user(s) synchronized data will be stored.

Type: string

Default: "%S/%N"

Declared by:

<nixpkgs/nixos/modules/services/misc/anki-sync-server.nix>
services.anki-sync-server.openFirewall

Whether to open the firewall for the specified port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/anki-sync-server.nix>
services.anki-sync-server.port

Port number anki-sync-server listens to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 27701

Declared by:

<nixpkgs/nixos/modules/services/misc/anki-sync-server.nix>
services.anki-sync-server.users

List of user-password pairs to provide to the sync server.

Type: list of (submodule)

Declared by:

<nixpkgs/nixos/modules/services/misc/anki-sync-server.nix>
services.anki-sync-server.users.*.password

Password accepted by anki-sync-server for the associated username. WARNING: This option is not secure. This password will be stored in plaintext and will be visible to all users. See services.anki-sync-server.users.passwordFile for a more secure option.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/anki-sync-server.nix>
services.anki-sync-server.users.*.passwordFile

File containing the password accepted by anki-sync-server for the associated username. Make sure to make readable only by root.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/anki-sync-server.nix>
services.anki-sync-server.users.*.username

User name accepted by anki-sync-server.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/anki-sync-server.nix>
services.anuko-time-tracker.enable

Whether to enable Anuko Time Tracker.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.package

The anuko-time-tracker package to use.

Type: package

Default: pkgs.anuko-time-tracker

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.dataDir

Default data folder for Anuko Time Tracker.

Type: string

Default: "/var/lib/anuko-time-tracker"

Example: "/mnt/anuko-time-tracker"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.database.host

Database host.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.database.name

Database name.

Type: string

Default: "anuko_time_tracker"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.database.passwordFile

Database user password file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.database.user

Database username.

Type: string

Default: "anuko_time_tracker"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.hostname

The hostname to serve Anuko Time Tracker on.

Type: string

Default: config.networking.fqdn

Example: "anuko.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx

With this option, you can customize the Nginx virtualHost settings.

Type: submodule

Default: { }

Example:

{
  serverAliases = [
    "anuko.${config.networking.domain}"
  ];

  # To enable encryption and let let's encrypt take care of certificate
  forceSSL = true;
  enableACME = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.poolConfig

Options for Anuko Time Tracker’s PHP-FPM pool.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.defaultCurrency

Defines a default currency symbol for new groups. Use €, £, a more specific dollar like US$, CAD, etc.

Type: string

Default: "$"

Example: "€"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.defaultLanguage

Defines Anuko Time Tracker default language. It is used on Time Tracker login page. After login, a language set for user group is used. Empty string means the language is defined by user browser.

Type: string

Default: ""

Example: "nl"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.email.mode

Mail sending mode. Can be ‘mail’ or ‘smtp’.

Type: string

Default: "smtp"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.email.sender

Default sender for mail.

Type: string

Default: "Anuko Time Tracker <bounces@example.com>"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.email.smtpAuth

MTA requires authentication.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.email.smtpDebug

Debug mail sending.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.email.smtpHost

MTA hostname.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.email.smtpPasswordFile

Path to file containing the MTA authentication password.

Type: null or path

Default: null

Example: "/var/lib/anuko-time-tracker/secrets/smtp-password"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.email.smtpPort

MTA port.

Type: signed integer

Default: 25

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.email.smtpUser

MTA authentication username.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.emailRequired

Defines whether an email is required for new registrations.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.exportDecimalDuration

Defines whether time duration values are decimal in CSV and XML data exports (1.25 vs 1:15).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.forumLink

Forum link from the main menu.

Type: string

Default: "https://www.anuko.com/forum/viewforum.php?f=4"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.helpLink

Help link from the main menu.

Type: string

Default: "https://www.anuko.com/time-tracker/user-guide/index.htm"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.multiorgMode

Defines whether users see the Register option in the menu of Time Tracker that allows them to self-register and create new organizations (top groups).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.reportFooter

Defines whether to use a footer on reports.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.settings.weekendStartDay

This option defines which days are highlighted with weekend color. 6 means Saturday. For Saudi Arabia, etc. set it to 4 for Thursday and Friday to be weekend days.

Type: signed integer

Default: 6

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.anuko-time-tracker.user

User under which Anuko Time Tracker runs.

Type: string

Default: "anuko_time_tracker"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/anuko-time-tracker.nix>
services.apache-kafka.enable

Whether to enable Apache Kafka event streaming broker.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apache-kafka.package

The apacheKafka package to use.

Type: package

Default: pkgs.apacheKafka

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apache-kafka.clusterId

KRaft mode ClusterId used for formatting log directories. Can be generated with kafka-storage.sh random-uuid

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apache-kafka.configFiles.log4jProperties

Kafka log4j property configuration file path

Type: path

Default: "pkgs.writeText \"log4j.properties\" cfg.log4jProperties"

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apache-kafka.configFiles.serverProperties

Kafka server.properties configuration file path. Defaults to the rendered settings.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apache-kafka.formatLogDirs

Whether to format log dirs in KRaft mode if all log dirs are unformatted, ie. they contain no meta.properties.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apache-kafka.formatLogDirsIgnoreFormatted

Whether to ignore already formatted log dirs when formatting log dirs, instead of failing. Useful when replacing or adding disks.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apache-kafka.jre

The JRE with which to run Kafka

Type: package

Default: pkgs.apacheKafka.passthru.jre

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apache-kafka.jvmOptions

Extra command line options for the JVM running Kafka.

Type: list of string

Default: [ ]

Example:

[
  "-Djava.net.preferIPv4Stack=true"
  "-Dcom.sun.management.jmxremote"
  "-Dcom.sun.management.jmxremote.local.only=true"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apache-kafka.log4jProperties

Kafka log4j property configuration.

Type: strings concatenated with “\n”

Default:

''
  log4j.rootLogger=INFO, stdout
  
  log4j.appender.stdout=org.apache.log4j.ConsoleAppender
  log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
  log4j.appender.stdout.layout.ConversionPattern=[%d] %p %m (%c)%n
''

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apache-kafka.settings

Kafka broker configuration server.properties.

Note that .properties files contain mappings from string to string. Keys with dots are NOT represented by nested attrs in these settings, but instead as quoted strings (ie. settings."broker.id", NOT settings.broker.id).

Type: lazy attribute set of (null or boolean or signed integer or string or list of (boolean or signed integer or string))

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apache-kafka.settings."broker.id"

Broker ID. -1 or null to auto-allocate in zookeeper mode.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apache-kafka.settings.listeners

Kafka Listener List. See listeners.

Type: list of string

Default:

[
  "PLAINTEXT://localhost:9092"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apache-kafka.settings."log.dirs"

Log file directories.

Type: list of path

Declared by:

<nixpkgs/nixos/modules/services/misc/apache-kafka.nix>
services.apcupsd.enable

Whether to enable the APC UPS daemon. apcupsd monitors your UPS and permits orderly shutdown of your computer in the event of a power failure. User manual: http://www.apcupsd.com/manual/manual.html. Note that apcupsd runs as root (to allow shutdown of computer). You can check the status of your UPS with the “apcaccess” command.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/apcupsd.nix>
services.apcupsd.configText

Contents of the runtime configuration file, apcupsd.conf. The default settings makes apcupsd autodetect USB UPSes, limit network access to localhost and shutdown the system when the battery level is below 50 percent, or when the UPS has calculated that it has 5 minutes or less of remaining power-on time. See man apcupsd.conf for details.

Type: strings concatenated with “\n”

Default:

''
  UPSTYPE usb
  NISIP 127.0.0.1
  BATTERYLEVEL 50
  MINUTES 5
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/apcupsd.nix>
services.apcupsd.hooks

Each attribute in this option names an apcupsd event and the string value it contains will be executed in a shell, in response to that event (prior to the default action). See “man apccontrol” for the list of events and what they represent.

A hook script can stop apccontrol from doing its default action by exiting with value 99. Do not do this unless you know what you’re doing.

Type: attribute set of strings concatenated with “\n”

Default: { }

Example:

{
  doshutdown = "# shell commands to notify that the computer is shutting down";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/apcupsd.nix>
services.arbtt.enable

Whether to enable Arbtt statistics capture service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/arbtt.nix>
services.arbtt.package

The arbtt package to use.

Type: package

Default: pkgs.haskellPackages.arbtt

Declared by:

<nixpkgs/nixos/modules/services/monitoring/arbtt.nix>
services.arbtt.logFile

The log file for captured samples.

Type: string

Default: "%h/.arbtt/capture.log"

Example: "/home/username/.arbtt-capture.log"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/arbtt.nix>
services.arbtt.sampleRate

The sampling interval in seconds.

Type: signed integer

Default: 60

Example: 120

Declared by:

<nixpkgs/nixos/modules/services/monitoring/arbtt.nix>
services.archisteamfarm.enable

If enabled, starts the ArchisSteamFarm service. For configuring the SteamGuard token you will need to use the web-ui, which is enabled by default over on 127.0.0.1:1242. You cannot configure ASF in any way outside of nix, since all the config files get wiped on restart and replaced with the programnatically set ones by nix.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.archisteamfarm.package

The ArchiSteamFarm package to use. ::: {.warning} Should always be the latest version, for security reasons, since this module uses very new features and to not get out of sync with the Steam API. :::

Type: package

Default: pkgs.ArchiSteamFarm

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.archisteamfarm.bots

Bots name and configuration.

Type: attribute set of (submodule)

Default: { }

Example:

{
  exampleBot = {
    passwordFile = "/var/lib/archisteamfarm/secrets/password";
    settings = {
      SteamParentalCode = "1234";
    };
    username = "alice";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.archisteamfarm.bots.<name>.enabled

Whether to enable the bot on startup.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.archisteamfarm.bots.<name>.passwordFile

Path to a file containing the password. The file must be readable by the archisteamfarm user/group. Omit or set to null to provide the password a different way, such as through the web-ui.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.archisteamfarm.bots.<name>.settings

Additional settings that are documented here.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.archisteamfarm.bots.<name>.username

Name of the user to log in. Default is attribute name.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.archisteamfarm.dataDir

The ASF home directory used to store all data. If left as the default value this directory will automatically be created before the ASF server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path

Default: "/var/lib/archisteamfarm"

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.archisteamfarm.ipcPasswordFile

Path to a file containing the password. The file must be readable by the archisteamfarm user/group.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.archisteamfarm.ipcSettings

Settings to write to IPC.config. All options can be found here.

Type: JSON value

Default: { }

Example:

{
  Kestrel = {
    Endpoints = {
      HTTP = {
        Url = "http://*:1242";
      };
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.archisteamfarm.settings

The ASF.json file, all the options are documented here. Do note that AutoRestart and UpdateChannel is always to false respectively 0 because NixOS takes care of updating everything. Headless is also always set to true because there is no way to provide inputs via a systemd service. You should try to keep ASF up to date since upstream does not provide support for anything but the latest version and you’re exposing yourself to all kinds of issues - as is outlined here.

Type: JSON value

Default: { }

Example:

{
  Statistics = false;
}

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.archisteamfarm.web-ui

The Web-UI hosted on 127.0.0.1:1242.

Type: submodule

Default:

{
  enable = true;
}

Example:

{
  enable = false;
}

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.archisteamfarm.web-ui.enable

Whether to start the web-ui. This is the preferred way of configuring things such as the steam guard token.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.archisteamfarm.web-ui.package

The ui package to use. ::: {.note} Contents must be in lib/dist :::

Type: package

Default: pkgs.ArchiSteamFarm.ui

Declared by:

<nixpkgs/nixos/modules/services/games/archisteamfarm.nix>
services.aria2.enable

Whether or not to enable the headless Aria2 daemon service.

Aria2 daemon can be controlled via the RPC interface using one of many WebUIs (http://localhost:6800/ by default).

Targets are downloaded to /var/lib/aria2/Downloads by default and are accessible to users in the aria2 group.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/aria2.nix>
services.aria2.downloadDirPermission

The permission for settings.dir.

The default is 0770, which denies access for users not in the aria2 group.

You may want to adjust serviceUMask as well, which further restricts the file permission for newly created files (i.e. the downloads).

Type: string

Default: "0770"

Declared by:

<nixpkgs/nixos/modules/services/networking/aria2.nix>
services.aria2.openPorts

Open listen and RPC ports found in settings.listen-port and settings.rpc-listen-port options in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/aria2.nix>
services.aria2.rpcSecretFile

A file containing the RPC secret authorization token. Read https://aria2.github.io/manual/en/html/aria2c.html#rpc-auth to know how this option value is used.

Type: path

Example: "/run/secrets/aria2-rpc-token.txt"

Declared by:

<nixpkgs/nixos/modules/services/networking/aria2.nix>
services.aria2.serviceUMask

The file mode creation mask for Aria2 service.

The default is 0022 for compatibility reason, as this is the default used by systemd. However, this results in file permission 0644 for new files, and denies aria2 group member from modifying the file.

You may want to set this value to 0002 so you can manage the file more easily.

Type: string

Default: "0022"

Example: "0002"

Declared by:

<nixpkgs/nixos/modules/services/networking/aria2.nix>
services.aria2.settings

Generates the aria2.conf file. Refer to the documentation for all possible settings.

Type: attribute set of (boolean or signed integer or floating point number or (optionally newline-terminated) single-line string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/aria2.nix>
services.aria2.settings.enable-rpc

Enable JSON-RPC/XML-RPC server.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/aria2.nix>
services.aria2.settings.conf-path

Configuration file path.

Type: (optionally newline-terminated) single-line string

Default: "/var/lib/aria2/aria2.conf"

Declared by:

<nixpkgs/nixos/modules/services/networking/aria2.nix>
services.aria2.settings.dir

Directory to store downloaded files.

Type: (optionally newline-terminated) single-line string

Default: "/var/lib/aria2/Downloads"

Declared by:

<nixpkgs/nixos/modules/services/networking/aria2.nix>
services.aria2.settings.listen-port

Set UDP listening port range used by DHT(IPv4, IPv6) and UDP tracker.

Type: list of attribute set of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

[
  {
    from = 6881;
    to = 6999;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/aria2.nix>
services.aria2.settings.rpc-listen-port

Specify a port number for JSON-RPC/XML-RPC server to listen to. Possible Values: 1024-65535

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6800

Declared by:

<nixpkgs/nixos/modules/services/networking/aria2.nix>
services.aria2.settings.save-session

Save error/unfinished downloads to FILE on exit.

Type: (optionally newline-terminated) single-line string

Default: "/var/lib/aria2/aria2.session"

Declared by:

<nixpkgs/nixos/modules/services/networking/aria2.nix>
services.armagetronad.servers

Armagetron server definitions.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/games/armagetronad.nix>
services.armagetronad.servers.<name>.enable

Whether to enable armagetronad.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/armagetronad.nix>
services.armagetronad.servers.<name>.package

The armagetronad-dedicated package to use. Ensure that you use a derivation which contains the path bin/armagetronad-dedicated.

Type: package

Default: pkgs.armagetronad-dedicated

Example:

pkgs.armagetronad."0.2.9-sty+ct+ap".dedicated

Declared by:

<nixpkgs/nixos/modules/services/games/armagetronad.nix>
services.armagetronad.servers.<name>.dns

DNS address to use for this server. Optional.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/armagetronad.nix>
services.armagetronad.servers.<name>.host

Host to listen on. Used for SERVER_IP.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/games/armagetronad.nix>
services.armagetronad.servers.<name>.name

The name of this server.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/games/armagetronad.nix>
services.armagetronad.servers.<name>.openFirewall

Set to true to open the configured UDP port for Armagetron Advanced.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/games/armagetronad.nix>
services.armagetronad.servers.<name>.port

Port to listen on. Used for SERVER_PORT.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4534

Declared by:

<nixpkgs/nixos/modules/services/games/armagetronad.nix>
services.armagetronad.servers.<name>.roundSettings

Armagetron Advanced server per-round configuration. Refer to: https://wiki.armagetronad.org/index.php?title=Console_Commands or armagetronad-dedicated --doc for a list.

This attrset is used to populate everytime.cfg; see: https://wiki.armagetronad.org/index.php/Configuration_Files

Type: attribute set of (atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default: { }

Example:

{
  SAY = [
    "Hosted on NixOS"
    "https://nixos.org"
    "iD Tech High Rubber rul3z!! Happy New Year 2008!!1"
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/games/armagetronad.nix>
services.armagetronad.servers.<name>.settings

Armagetron Advanced server rules configuration. Refer to: https://wiki.armagetronad.org/index.php?title=Console_Commands or armagetronad-dedicated --doc for a list.

This attrset is used to populate settings_custom.cfg; see: https://wiki.armagetronad.org/index.php/Configuration_Files

Type: attribute set of (atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default: { }

Example:

{
  CYCLE_RUBBER = 40;
}

Declared by:

<nixpkgs/nixos/modules/services/games/armagetronad.nix>
services.artalk.enable

Whether to enable artalk, a comment system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/artalk.nix>
services.artalk.package

The artalk package to use.

Type: package

Default: pkgs.artalk

Declared by:

<nixpkgs/nixos/modules/services/web-apps/artalk.nix>
services.artalk.allowModify

allow Artalk store the settings to config file persistently

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/artalk.nix>
services.artalk.configFile

Artalk config file path. If it is not exist, Artalk will generate one.

Type: string

Default: "/etc/artalk/config.yml"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/artalk.nix>
services.artalk.group

Artalk group name.

Type: string

Default: "artalk"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/artalk.nix>
services.artalk.settings

The artalk configuration.

If you set allowModify to true, Artalk will be able to store the settings in the config file persistently. This section’s content will update in the config file after the service restarts.

Options containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/artalk.nix>
services.artalk.settings.host

Artalk server listen host

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/artalk.nix>
services.artalk.settings.port

Artalk server listen port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 23366

Declared by:

<nixpkgs/nixos/modules/services/web-apps/artalk.nix>
services.artalk.user

Artalk user name.

Type: string

Default: "artalk"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/artalk.nix>
services.artalk.workdir

Artalk working directory

Type: string

Default: "/var/lib/artalk"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/artalk.nix>
services.asterisk.enable

Whether to enable the Asterisk PBX server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/asterisk.nix>
services.asterisk.package

The asterisk package to use.

Type: package

Default: pkgs.asterisk

Declared by:

<nixpkgs/nixos/modules/services/networking/asterisk.nix>
services.asterisk.confFiles

Sets the content of config files (typically ending with .conf) in the Asterisk configuration directory.

Note that if you want to change asterisk.conf, it is preferable to use the services.asterisk.extraConfig option over this option. If "asterisk.conf" is specified with the confFiles option (not recommended), you must be prepared to set your own astetcdir path.

See https://www.asterisk.org/community/documentation/ for more examples of what is possible here.

Type: attribute set of string

Default: { }

Example:

{
  "extensions.conf" = ''
    [tests]
    ; Dial 100 for "hello, world"
    exten => 100,1,Answer()
    same  =>     n,Wait(1)
    same  =>     n,Playback(hello-world)
    same  =>     n,Hangup()

    [softphones]
    include => tests

    [unauthorized]
  '';
  "sip.conf" = ''
    [general]
    allowguest=no              ; Require authentication
    context=unauthorized       ; Send unauthorized users to /dev/null
    srvlookup=no               ; Don't do DNS lookup
    udpbindaddr=0.0.0.0        ; Listen on all interfaces
    nat=force_rport,comedia    ; Assume device is behind NAT

    [softphone](!)
    type=friend                ; Match on username first, IP second
    context=softphones         ; Send to softphones context in
                               ; extensions.conf file
    host=dynamic               ; Device will register with asterisk
    disallow=all               ; Manually specify codecs to allow
    allow=g722
    allow=ulaw
    allow=alaw

    [myphone](softphone)
    secret=GhoshevFew          ; Change this password!
  '';
  "logger.conf" = ''
    [general]

    [logfiles]
    ; Add debug output to log
    syslog.local0 => notice,warning,error,debug
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/networking/asterisk.nix>
services.asterisk.extraArguments

Additional command line arguments to pass to Asterisk.

Type: list of string

Default: [ ]

Example:

[
  "-vvvddd"
  "-e"
  "1024"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/asterisk.nix>
services.asterisk.extraConfig

Extra configuration options appended to the default asterisk.conf file.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  [options]
  verbose=3
  debug=3
''

Declared by:

<nixpkgs/nixos/modules/services/networking/asterisk.nix>
services.asterisk.useTheseDefaultConfFiles

Sets these config files to the default content. The default value for this option contains all necesscary files to avoid errors at startup. This does not override settings via services.asterisk.confFiles.

Type: list of string

Default:

[
  "ari.conf"
  "acl.conf"
  "agents.conf"
  "amd.conf"
  "calendar.conf"
  "cdr.conf"
  "cdr_syslog.conf"
  "cdr_custom.conf"
  "cel.conf"
  "cel_custom.conf"
  "cli_aliases.conf"
  "confbridge.conf"
  "dundi.conf"
  "features.conf"
  "hep.conf"
  "iax.conf"
  "pjsip.conf"
  "pjsip_wizard.conf"
  "phone.conf"
  "phoneprov.conf"
  "queues.conf"
  "res_config_sqlite3.conf"
  "res_parking.conf"
  "statsd.conf"
  "udptl.conf"
  "unistim.conf"
]

Example:

[
  "sip.conf"
  "dundi.conf"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/asterisk.nix>
services.asusd.enable

Whether to enable the asusd service for ASUS ROG laptops.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/asusd.nix>
services.asusd.enableUserService

Activate the asusd-user service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/asusd.nix>
services.asusd.package

The asusctl package to use.

Type: package

Default: pkgs.asusctl

Declared by:

<nixpkgs/nixos/modules/services/hardware/asusd.nix>
services.asusd.animeConfig

The content of /etc/asusd/anime.ron. See https://asus-linux.org/asusctl/#anime-control.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/asusd.nix>
services.asusd.asusdConfig

The content of /etc/asusd/asusd.ron. See https://asus-linux.org/asusctl/.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/asusd.nix>
services.asusd.auraConfig

The content of /etc/asusd/aura.ron. See https://asus-linux.org/asusctl/#led-keyboard-control.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/asusd.nix>
services.asusd.fanCurvesConfig

The content of /etc/asusd/fan_curves.ron. See https://asus-linux.org/asusctl/#fan-curves.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/asusd.nix>
services.asusd.profileConfig

The content of /etc/asusd/profile.ron. See https://asus-linux.org/asusctl/#profiles.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/asusd.nix>
services.asusd.userLedModesConfig

The content of /etc/asusd/asusd-user-ledmodes.ron. See https://asus-linux.org/asusctl/#led-keyboard-control.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/asusd.nix>
services.atd.enable

Whether to enable the at daemon, a command scheduler.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/scheduling/atd.nix>
services.atd.allowEveryone

Whether to make /var/spool/at{jobs,spool} writeable by everyone (and sticky). This is normally not needed since the at commands are setuid/setgid atd.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/scheduling/atd.nix>
services.atftpd.enable

Whether to enable the atftpd TFTP server. By default, the server binds to address 0.0.0.0.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/atftpd.nix>
services.atftpd.extraOptions

Extra command line arguments to pass to atftp.

Type: list of string

Default: [ ]

Example:

[ "--bind-address 192.168.9.1"
  "--verbose=7"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/atftpd.nix>
services.atftpd.root

Document root directory for the atftpd.

Type: path

Default: "/srv/tftp"

Declared by:

<nixpkgs/nixos/modules/services/networking/atftpd.nix>
services.athens.enable

Whether to enable Go module datastore and proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.enablePprof

Enable pprof endpoints.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.package

Which athens derivation to use

Type: package

Default: pkgs.athens

Example: "pkgs.athens"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.basicAuthPass

Password for basic auth. Warning: this is stored in plain text in the config file.

Type: null or string

Default: null

Example: "swordfish"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.basicAuthUser

Username for basic auth.

Type: null or string

Default: null

Example: "user"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.cloudRuntime

Specifies the Cloud Provider on which the Proxy/registry is running.

Type: one of “GCP”, “none”

Default: "none"

Example: "GCP"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.downloadMode

Defines how Athens behaves when a module@version is not found in storage. There are 7 options:

  1. “sync”: download the module synchronously and return the results to the client.

  2. “async”: return 404, but asynchronously store the module in the storage backend.

  3. “redirect”: return a 301 redirect status to the client with the base URL as the DownloadRedirectURL from below.

  4. “async_redirect”: same as option number 3 but it will asynchronously store the module to the backend.

  5. “none”: return 404 if a module is not found and do nothing.

  6. “file:<path>”: will point to an HCL file that specifies any of the 5 options above based on different import paths.

  7. “custom:<base64-encoded-hcl>” is the same as option 6 but the file is fully encoded in the option. This is useful for using an environment variable in serverless deployments.

Type: one of “sync”, “async”, “redirect”, “async_redirect”, “none” or string matching the pattern ^file:.*$|^custom:.*$

Default: "async_redirect"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.downloadURL

URL used if DownloadMode is set to redirect.

Type: string

Default: "https://proxy.golang.org"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.extraConfig

Extra configuration options for the athens config file.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.filterFile

Filename for the include exclude filter.

Type: null or path

Default: null

Example:

pkgs.writeText "filterFile" ''
  - github.com/azure
  + github.com/azure/azure-sdk-for-go
  D golang.org/x/tools
''

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.forceSSL

Force SSL redirects for incoming requests.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.githubToken

Creates .netrc file with the given token to be used for GitHub. Warning: this is stored in plain text in the config file.

Type: null or string

Default: null

Example: "ghp_1234567890"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.globalEndpoint

Endpoint for a package registry in case of a proxy cache miss.

Type: string

Default: ""

Example: "http://upstream-athens.example.com:3000"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.goBinary

The Go package used by Athens at runtime.

Athens primarily runs two Go commands:

  1. go mod download -json <module>@<version>

  2. go list -m -json <module>@latest

Type: package

Default: pkgs.go

Example: "pkgs.go_1_23"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.goBinaryEnvVars

Environment variables to pass to the Go binary.

Type: attribute set

Default: { }

Example:

''
  { "GOPROXY" = "direct", "GODEBUG" = "true" }
''

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.goEnv

Specifies the type of environment to run. One of ‘development’ or ‘production’.

Type: one of “development”, “production”

Default: "development"

Example: "production"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.goGetDir

Temporary directory that Athens will use to fetch modules from VCS prior to persisting them to a storage backend.

If the value is empty, Athens will use the default OS temp directory.

Type: null or path

Default: null

Example: "/tmp/athens"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.goGetWorkers

Number of workers concurrently downloading modules.

Type: signed integer

Default: 10

Example: 32

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.hgrcPath

Path to the .hgrc file.

Type: null or path

Default: null

Example: "/home/user/.hgrc"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.mysql.database

Database name for the MySQL database.

Type: string

Default: "athens"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.mysql.host

Host for the MySQL database.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.mysql.params.parseTime

Parse time for the MySQL database.

Type: null or string

Default: "true"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.mysql.params.timeout

Timeout for the MySQL database.

Type: null or string

Default: "30s"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.mysql.password

Password for the MySQL database. Warning: this is stored in plain text in the config file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.mysql.port

Port for the MySQL database.

Type: signed integer

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.mysql.protocol

Protocol for the MySQL database.

Type: string

Default: "tcp"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.mysql.user

User for the MySQL database.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.postgres.database

Database name for the Postgres database.

Type: string

Default: "athens"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.postgres.host

Host for the Postgres database.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.postgres.params.connect_timeout

Connect timeout for the Postgres database.

Type: null or string

Default: "30s"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.postgres.params.sslmode

SSL mode for the Postgres database.

Type: null or string

Default: "disable"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.postgres.password

Password for the Postgres database. Warning: this is stored in plain text in the config file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.postgres.port

Port for the Postgres database.

Type: signed integer

Default: 5432

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.index.postgres.user

User for the Postgres database.

Type: string

Default: "postgres"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.indexType

Type of index backend Athens will use.

Type: one of “none”, “memory”, “mysql”, “postgres”

Default: "none"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.logLevel

Log level for Athens. Supports all logrus log levels (https://github.com/Sirupsen/logrus#level-logging)".

Type: null or one of “panic”, “fatal”, “error”, “warning”, “info”, “debug”, “trace”

Default: "warning"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.netrcPath

Path to the .netrc file.

Type: null or path

Default: null

Example: "/home/user/.netrc"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.networkMode

Configures how Athens will return the results of the /list endpoint as it can be assembled from both its own storage and the upstream VCS.

Note, that for better error messaging, this would also affect how other endpoints behave.

Modes:

  1. strict: merge VCS versions with storage versions, but fail if either of them fails.

  2. offline: only get storage versions, never reach out to VCS.

  3. fallback: only return storage versions, if VCS fails. Note this means that you may see inconsistent results since fallback mode does a best effort of giving you what’s available at the time of requesting versions.

Type: one of “strict”, “offline”, “fallback”

Default: "strict"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.noSumPatterns

List of patterns that Athens sum db proxy will return a 403 for.

Type: list of string

Default: [ ]

Example:

[
  "github.com/mycompany/*"
]

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.pathPrefix

Sets basepath for all routes.

Type: null or string

Default: null

Example: "/athens"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.port

Port number Athens listens on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Example: 443

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.pprofPort

Port number for pprof endpoints.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3301

Example: 443

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.protocolWorkers

Number of workers concurrently serving protocol paths.

Type: signed integer

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.robotsFile

Provides /robots.txt for net crawlers.

Type: null or path

Default: null

Example: pkgs.writeText "robots.txt" "# my custom robots.txt ..."

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.shutdownTimeout

Number of seconds to wait for the server to shutdown gracefully.

Type: signed integer

Default: 60

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.singleFlight.etcd.endpoints

URLs that determine all distributed etcd servers.

Type: list of string

Default: [ ]

Example:

[
  "localhost:2379"
]

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.singleFlight.redis.endpoint

URL of the redis server.

Type: string

Default: ""

Example: "localhost:6379"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.singleFlight.redis.lockConfig.maxRetries

Maximum number of retries for the lock.

Type: signed integer

Default: 10

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.singleFlight.redis.lockConfig.timeout

Timeout for the lock in seconds.

Type: signed integer

Default: 15

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.singleFlight.redis.lockConfig.ttl

TTL for the lock in seconds.

Type: signed integer

Default: 900

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.singleFlight.redis.password

Password for the redis server. Warning: this is stored in plain text in the config file.

Type: string

Default: ""

Example: "swordfish"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.singleFlight.redisSentinel.endpoints

URLs that determine all distributed redis servers.

Type: list of string

Default: [ ]

Example:

[
  "localhost:26379"
]

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.singleFlight.redisSentinel.lockConfig.maxRetries

Maximum number of retries for the lock.

Type: signed integer

Default: 10

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.singleFlight.redisSentinel.lockConfig.timeout

Timeout for the lock in seconds.

Type: signed integer

Default: 15

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.singleFlight.redisSentinel.lockConfig.ttl

TTL for the lock in seconds.

Type: signed integer

Default: 900

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.singleFlight.redisSentinel.masterName

Name of the sentinel master server.

Type: string

Default: ""

Example: "redis-1"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.singleFlight.redisSentinel.sentinelPassword

Password for the sentinel server. Warning: this is stored in plain text in the config file.

Type: string

Default: ""

Example: "swordfish"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.singleFlightType

Determines what mechanism Athens uses to manage concurrency flowing into the Athens backend.

Type: one of “memory”, “etcd”, “redis”, “redis-sentinel”, “gcp”, “azureblob”

Default: "memory"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.statsExporter

Stats exporter to use.

Type: null or value “prometheus” (singular enum)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.azureblob.accountKey

Account key for the Azure Blob storage backend. Warning: this is stored in plain text in the config file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.azureblob.accountName

Account name for the Azure Blob storage backend.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.azureblob.containerName

Container name for the Azure Blob storage backend.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.cdn.endpoint

hostname of the CDN server.

Type: null or string

Default: null

Example: "cdn.example.com"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.disk.rootPath

Athens disk root folder.

Type: null or path

Default: "/var/lib/athens"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.external.url

URL of the backend storage layer.

Type: null or string

Default: null

Example: "https://athens.example.com"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.gcp.bucket

GCP backend storage bucket.

Type: null or string

Default: null

Example: "my-bucket"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.gcp.jsonKey

Base64 encoded GCP service account key. Warning: this is stored in plain text in the config file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.gcp.projectID

GCP project ID.

Type: null or string

Default: null

Example: "my-project"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.minio.enableSSL

Enable SSL for the minio storage backend.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.minio.bucket

Bucket name for the minio storage backend.

Type: null or string

Default: null

Example: "gomods"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.minio.endpoint

Endpoint of the minio storage backend.

Type: null or string

Default: null

Example: "minio.example.com:9001"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.minio.key

Access key id for the minio storage backend.

Type: null or string

Default: null

Example: "minio"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.minio.region

Region for the minio storage backend.

Type: null or string

Default: null

Example: "us-east-1"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.minio.secret

Secret key for the minio storage backend. Warning: this is stored in plain text in the config file.

Type: null or string

Default: null

Example: "minio123"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.mongo.certPath

Path to the certificate file for the mongo database.

Type: null or path

Default: null

Example: "/etc/ssl/mongo.pem"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.mongo.defaultDBName

Name of the mongo database.

Type: null or string

Default: null

Example: "athens"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.mongo.insecure

Allow insecure connections to the mongo database.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.mongo.url

URL of the mongo database.

Type: null or string

Default: null

Example: "mongodb://localhost:27017"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.s3.awsContainerCredentialsRelativeURI

Container relative url (used by fargate).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.s3.bucket

Bucket name for the S3 storage backend.

Type: null or string

Default: null

Example: "gomods"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.s3.credentialsEndpoint

Credentials endpoint for the S3 storage backend.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.s3.endpoint

Endpoint for the S3 storage backend.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.s3.forcePathStyle

Force path style for the S3 storage backend.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.s3.key

Access key id for the S3 storage backend.

Type: null or string

Default: null

Example: "minio"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.s3.region

Region of the S3 storage backend.

Type: null or string

Default: null

Example: "eu-west-3"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.s3.secret

Secret key for the S3 storage backend. Warning: this is stored in plain text in the config file.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.s3.token

Token for the S3 storage backend. Warning: this is stored in plain text in the config file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storage.s3.useDefaultConfiguration

Use default configuration for the S3 storage backend.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.storageType

Specifies the type of storage backend to use.

Type: one of “memory”, “disk”, “mongo”, “gcp”, “minio”, “s3”, “azureblob”, “external”

Default: "disk"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.sumDBs

List of fully qualified URLs that Athens will proxy that the go command can use a checksum verifier.

Type: list of string

Default:

[
  "https://sum.golang.org"
]

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.timeout

Timeout for external network calls in seconds.

Type: signed integer

Default: 300

Example: 3

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.tlsCertFile

Path to the TLS certificate file.

Type: null or path

Default: null

Example: "/etc/ssl/certs/athens.crt"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.tlsKeyFile

Path to the TLS key file.

Type: null or path

Default: null

Example: "/etc/ssl/certs/athens.key"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.traceExporter

Trace exporter to use.

Type: null or one of “jaeger”, “datadog”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.traceExporterURL

URL endpoint that traces will be sent to.

Type: null or string

Default: null

Example: "http://localhost:14268"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.unixSocket

Path to the unix socket file. If set, Athens will listen on the unix socket instead of TCP socket.

Type: null or path

Default: null

Example: "/run/athens.sock"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.athens.validatorHook

Endpoint to validate modules against.

Not used if empty.

Type: null or string

Default: null

Example: "https://validation.example.com"

Declared by:

<nixpkgs/nixos/modules/services/development/athens.nix>
services.atticd.enable

Whether to enable the atticd, the Nix Binary Cache server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/atticd.nix>
services.atticd.package

The attic-server package to use.

Type: package

Default: pkgs.attic-server

Declared by:

<nixpkgs/nixos/modules/services/networking/atticd.nix>
services.atticd.environmentFile

Path to an EnvironmentFile containing required environment variables:

  • ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64: The base64-encoded RSA PEM PKCS1 of the RS256 JWT secret. Generate it with openssl genrsa -traditional 4096 | base64 -w0.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/atticd.nix>
services.atticd.group

The user under which attic runs.

Type: string

Default: "atticd"

Declared by:

<nixpkgs/nixos/modules/services/networking/atticd.nix>
services.atticd.mode

Mode in which to run the server.

‘monolithic’ runs all components, and is suitable for single-node deployments.

‘api-server’ runs only the API server, and is suitable for clustering.

‘garbage-collector’ only runs the garbage collector periodically.

A simple NixOS-based Attic deployment will typically have one ‘monolithic’ and any number of ‘api-server’ nodes.

There are several other supported modes that perform one-off operations, but these are the only ones that make sense to run via the NixOS module.

Type: one of “monolithic”, “api-server”, “garbage-collector”

Default: "monolithic"

Declared by:

<nixpkgs/nixos/modules/services/networking/atticd.nix>
services.atticd.settings

Structured configurations of atticd. See https://github.com/zhaofengli/attic/blob/main/server/src/config-template.toml

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/atticd.nix>
services.atticd.user

The group under which attic runs.

Type: string

Default: "atticd"

Declared by:

<nixpkgs/nixos/modules/services/networking/atticd.nix>
services.atuin.enable

Whether to enable Atuin server for shell history sync.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/atuin.nix>
services.atuin.package

The atuin package to use.

Type: package

Default: pkgs.atuin

Declared by:

<nixpkgs/nixos/modules/services/misc/atuin.nix>
services.atuin.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/atuin.nix>
services.atuin.database.uri

URI to the database. Can be set to null in which case ATUIN_DB_URI should be set through an EnvironmentFile

Type: null or string

Default: "postgresql:///atuin?host=/run/postgresql"

Example: "postgresql://atuin@localhost:5432/atuin"

Declared by:

<nixpkgs/nixos/modules/services/misc/atuin.nix>
services.atuin.host

The host address the atuin server should listen on.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/atuin.nix>
services.atuin.maxHistoryLength

The max length of each history item the atuin server should store.

Type: signed integer

Default: 8192

Declared by:

<nixpkgs/nixos/modules/services/misc/atuin.nix>
services.atuin.openFirewall

Open ports in the firewall for the atuin server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/atuin.nix>
services.atuin.openRegistration

Allow new user registrations with the atuin server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/atuin.nix>
services.atuin.path

A path to prepend to all the routes of the server.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/atuin.nix>
services.atuin.port

The port the atuin server should listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8888

Declared by:

<nixpkgs/nixos/modules/services/misc/atuin.nix>
services.audiobookshelf.enable

Whether to enable Audiobookshelf, self-hosted audiobook and podcast server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/audiobookshelf.nix>
services.audiobookshelf.package

The audiobookshelf package to use.

Type: package

Default: pkgs.audiobookshelf

Declared by:

<nixpkgs/nixos/modules/services/web-apps/audiobookshelf.nix>
services.audiobookshelf.dataDir

Path to Audiobookshelf config and metadata inside of /var/lib.

Type: string

Default: "audiobookshelf"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/audiobookshelf.nix>
services.audiobookshelf.group

Group under which Audiobookshelf runs.

Type: string

Default: "audiobookshelf"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/audiobookshelf.nix>
services.audiobookshelf.host

The host Audiobookshelf binds to.

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/audiobookshelf.nix>
services.audiobookshelf.openFirewall

Open ports in the firewall for the Audiobookshelf web interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/audiobookshelf.nix>
services.audiobookshelf.port

The TCP port Audiobookshelf will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/audiobookshelf.nix>
services.audiobookshelf.user

User account under which Audiobookshelf runs.

Type: string

Default: "audiobookshelf"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/audiobookshelf.nix>
services.authelia.instances

Multi-domain protection currently requires multiple instances of Authelia. If you don’t require multiple instances of Authelia you can define just the one.

https://www.authelia.com/roadmap/active/multi-domain-protection/

Type: attribute set of (submodule)

Default: { }

Example:

''
  {
    main = {
      enable = true;
      secrets.storageEncryptionKeyFile = "/etc/authelia/storageEncryptionKeyFile";
      secrets.jwtSecretFile = "/etc/authelia/jwtSecretFile";
      settings = {
        theme = "light";
        default_2fa_method = "totp";
        log.level = "debug";
        server.disable_healthcheck = true;
      };
    };
    preprod = {
      enable = false;
      secrets.storageEncryptionKeyFile = "/mnt/pre-prod/authelia/storageEncryptionKeyFile";
      secrets.jwtSecretFile = "/mnt/pre-prod/jwtSecretFile";
      settings = {
        theme = "dark";
        default_2fa_method = "webauthn";
        server.host = "0.0.0.0";
      };
    };
    test.enable = true;
    test.secrets.manual = true;
    test.settings.theme = "grey";
    test.settings.server.disable_healthcheck = true;
    test.settingsFiles = [ "/mnt/test/authelia" "/mnt/test-authelia.conf" ];
    };
  }
''

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.enable

Whether to enable Authelia instance.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.package

The authelia package to use.

Type: package

Default: pkgs.authelia

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.environmentVariables

Additional environment variables to provide to authelia. If you are providing secrets please consider the options under services.authelia.<instance>.secrets or make sure you use the _FILE suffix. If you provide the raw secret rather than the location of a secret file that secret will be preserved in the nix store. For more details: https://www.authelia.com/configuration/methods/secrets/

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.group

The name of the group for this authelia instance.

Type: string

Default: "authelia-‹name›"

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.name

Name is used as a suffix for the service name, user, and group. By default it takes the value you use for <instance> in: services.authelia.<instance>

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.secrets

It is recommended you keep your secrets separate from the configuration. It’s especially important to keep the raw secrets out of your nix configuration, as the values will be preserved in your nix store. This attribute allows you to configure the location of secret files to be loaded at runtime.

https://www.authelia.com/configuration/methods/secrets/

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.secrets.jwtSecretFile

Path to your JWT secret used during identity verificaton.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.secrets.manual

Configuring authelia’s secret files via the secrets attribute set is intended to be convenient and help catch cases where values are required to run at all. If a user wants to set these values themselves and bypass the validation they can set this value to true.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.secrets.oidcHmacSecretFile

Path to your HMAC secret used to sign OIDC JWTs.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.secrets.oidcIssuerPrivateKeyFile

Path to your private key file used to encrypt OIDC JWTs.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.secrets.sessionSecretFile

Path to your session secret. Only used when redis is used as session storage.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.secrets.storageEncryptionKeyFile

Path to your storage encryption key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.settings

Your Authelia config.yml as a Nix attribute set. There are several values that are defined and documented in nix such as default_2fa_method, but additional items can also be included.

https://github.com/authelia/authelia/blob/master/config.template.yml

Type: YAML value

Default: { }

Example:

''
  {
    theme = "light";
    default_2fa_method = "totp";
    log.level = "debug";
    server.disable_healthcheck = true;
  }
''

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.settings.default_2fa_method

Default 2FA method for new users and fallback for preferred but disabled methods.

Type: one of “”, “totp”, “webauthn”, “mobile_push”

Default: ""

Example: "webauthn"

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.settings.log.file_path

File path where the logs will be written. If not set logs are written to stdout.

Type: null or path

Default: null

Example: "/var/log/authelia/authelia.log"

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.settings.log.format

Format the logs are written as.

Type: one of “json”, “text”

Default: "json"

Example: "text"

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.settings.log.keep_stdout

Whether to also log to stdout when a file_path is defined.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.settings.log.level

Level of verbosity for logs.

Type: one of “trace”, “debug”, “info”, “warn”, “error”

Default: "debug"

Example: "info"

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.settings.server.address

The address to listen on.

Type: string

Default: "tcp://:9091/"

Example: "unix:///var/run/authelia.sock?path=authelia&umask=0117"

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.settings.telemetry.metrics.enabled

Enable Metrics.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.settings.telemetry.metrics.address

The address to listen on for metrics. This should be on a different port to the main server.port value.

Type: string

Default: "tcp://127.0.0.1:9959"

Example: "tcp://0.0.0.0:8888"

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.settings.theme

The theme to display.

Type: one of “light”, “dark”, “grey”, “auto”

Default: "light"

Example: "dark"

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.settingsFiles

Here you can provide authelia with configuration files or directories. It is possible to give authelia multiple files and use the nix generated configuration file set via services.authelia.<instance>.settings.

Type: list of path

Default: [ ]

Example:

[
  "/etc/authelia/config.yml"
  "/etc/authelia/access-control.yml"
  "/etc/authelia/config/"
]

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.authelia.instances.<name>.user

The name of the user for this authelia instance.

Type: string

Default: "authelia-‹name›"

Declared by:

<nixpkgs/nixos/modules/services/security/authelia.nix>
services.auto-cpufreq.enable

Whether to enable auto-cpufreq daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/auto-cpufreq.nix>
services.auto-cpufreq.settings

Configuration for auto-cpufreq.

The available options can be found in the example configuration file.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/hardware/auto-cpufreq.nix>
services.auto-epp.enable

Whether to enable auto-epp for amd active pstate.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/auto-epp.nix>
services.auto-epp.package

The auto-epp package to use.

Type: package

Default: pkgs.auto-epp

Declared by:

<nixpkgs/nixos/modules/services/hardware/auto-epp.nix>
services.auto-epp.settings

Settings for the auto-epp application. See upstream example: https://github.com/jothi-prasath/auto-epp/blob/master/sample-auto-epp.conf

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/hardware/auto-epp.nix>
services.auto-epp.settings.Settings.epp_state_for_AC

energy_performance_preference when on plugged in

Note

See available epp states by running: cat /sys/devices/system/cpu/cpu0/cpufreq/energy_performance_available_preferences

Type: string

Default: "balance_performance"

Declared by:

<nixpkgs/nixos/modules/services/hardware/auto-epp.nix>
services.auto-epp.settings.Settings.epp_state_for_BAT

energy_performance_preference when on battery

Note

See available epp states by running: cat /sys/devices/system/cpu/cpu0/cpufreq/energy_performance_available_preferences

Type: string

Default: "power"

Declared by:

<nixpkgs/nixos/modules/services/hardware/auto-epp.nix>
services.autofs.enable

Mount filesystems on demand. Unmount them automatically. You may also be interested in afuse.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/autofs.nix>
services.autofs.autoMaster

Contents of /etc/auto.master file. See auto.master(5) and autofs(5).

Type: string

Example:

let
  mapConf = pkgs.writeText "auto" ''
   kernel    -ro,soft,intr       ftp.kernel.org:/pub/linux
   boot      -fstype=ext2        :/dev/hda1
   windoze   -fstype=smbfs       ://windoze/c
   removable -fstype=ext2        :/dev/hdd
   cd        -fstype=iso9660,ro  :/dev/hdc
   floppy    -fstype=auto        :/dev/fd0
   server    -rw,hard,intr       / -ro myserver.me.org:/ \
                                 /usr myserver.me.org:/usr \
                                 /home myserver.me.org:/home
  '';
in ''
  /auto file:${mapConf}
''

Declared by:

<nixpkgs/nixos/modules/services/misc/autofs.nix>
services.autofs.debug

Pass -d and -7 to automount and write log to the system journal.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/autofs.nix>
services.autofs.timeout

Set the global minimum timeout, in seconds, until directories are unmounted

Type: signed integer

Default: 600

Declared by:

<nixpkgs/nixos/modules/services/misc/autofs.nix>
services.automatic-timezoned.enable

Enable automatic-timezoned, simple daemon for keeping the system timezone up-to-date based on the current location. It uses geoclue2 to determine the current location and systemd-timedated to actually set the timezone.

To avoid silent overriding by the service, if you have explicitly set a timezone, either remove it or ensure that it is set with a lower priority than the default value using lib.mkDefault or lib.mkOverride. This is to make the choice deliberate. An error will be presented otherwise.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/system/automatic-timezoned.nix>
services.automatic-timezoned.package

The automatic-timezoned package to use.

Type: package

Default: pkgs.automatic-timezoned

Declared by:

<nixpkgs/nixos/modules/services/system/automatic-timezoned.nix>
services.automx2.enable

Whether to enable automx2.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/automx2.nix>
services.automx2.package

The automx2 package to use.

Type: package

Default: pkgs.python3Packages.automx2

Declared by:

<nixpkgs/nixos/modules/services/mail/automx2.nix>
services.automx2.domain

E-Mail-Domain for which mail client autoconfig/autoconfigure should be set up. The autoconfig and autodiscover subdomains are automatically prepended and set up with ACME. The names of those domains are hardcoded in the mail clients and are not configurable.

Type: string

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/mail/automx2.nix>
services.automx2.port

Port used by automx2.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4243

Declared by:

<nixpkgs/nixos/modules/services/mail/automx2.nix>
services.automx2.settings

Bootstrap json to populate database. See docs for details.

Type: JSON value

Declared by:

<nixpkgs/nixos/modules/services/mail/automx2.nix>
services.automysqlbackup.enable

Whether to enable AutoMySQLBackup.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/automysqlbackup.nix>
services.automysqlbackup.calendar

Configured when to run the backup service systemd unit (DayOfWeek Year-Month-Day Hour:Minute:Second).

Type: string

Default: "01:15:00"

Declared by:

<nixpkgs/nixos/modules/services/backup/automysqlbackup.nix>
services.automysqlbackup.settings

automysqlbackup configuration. Refer to ${pkgs.automysqlbackup}/etc/automysqlbackup.conf for details on supported values.

Type: attribute set of (string or signed integer or boolean or list of string)

Default: { }

Example:

{
  db_names = [ "nextcloud" "matomo" ];
  table_exclude = [ "nextcloud.oc_users" "nextcloud.oc_whats_new" ];
  mailcontent = "log";
  mail_address = "admin@example.org";
}

Declared by:

<nixpkgs/nixos/modules/services/backup/automysqlbackup.nix>
services.autorandr.enable

Whether to enable handling of hotplug and sleep events by autorandr.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.defaultTarget

Fallback if no monitor layout can be detected. See the docs (https://github.com/phillipberndt/autorandr/blob/v1.0/README.md#how-to-use) for further reference.

Type: string

Default: "default"

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.hooks

Global hook scripts

Type: submodule

Default: { }

Example:

{
  postswitch = {
    "notify-i3" = "${pkgs.i3}/bin/i3-msg restart";
    "change-background" = readFile ./change-background.sh;
    "change-dpi" = ''
      case "$AUTORANDR_CURRENT_PROFILE" in
        default)
          DPI=120
          ;;
        home)
          DPI=192
          ;;
        work)
          DPI=144
          ;;
        *)
          echo "Unknown profle: $AUTORANDR_CURRENT_PROFILE"
          exit 1
      esac
      echo "Xft.dpi: $DPI" | ${pkgs.xorg.xrdb}/bin/xrdb -merge
    '';
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.hooks.postswitch

Postswitch hook executed after mode switch.

Type: attribute set of strings concatenated with “\n”

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.hooks.predetect

Predetect hook executed before autorandr attempts to run xrandr.

Type: attribute set of strings concatenated with “\n”

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.hooks.preswitch

Preswitch hook executed before mode switch.

Type: attribute set of strings concatenated with “\n”

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.ignoreLid

Treat outputs as connected even if their lids are closed

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.matchEdid

Match displays based on edid instead of name

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles

Autorandr profiles specification.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "work" = {
    fingerprint = {
      eDP1 = "<EDID>";
      DP1 = "<EDID>";
    };
    config = {
      eDP1.enable = false;
      DP1 = {
        enable = true;
        crtc = 0;
        primary = true;
        position = "0x0";
        mode = "3840x2160";
        gamma = "1.0:0.909:0.833";
        rate = "60.00";
        rotate = "left";
      };
    };
    hooks.postswitch = readFile ./work-postswitch.sh;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config

Per output profile configuration.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.enable

Whether to enable the output.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.crtc

Output video display controller.

Type: null or (unsigned integer, meaning >=0)

Default: null

Example: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.dpi

Output DPI configuration.

Type: null or (positive integer, meaning >0)

Default: null

Example: 96

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.gamma

Output gamma configuration.

Type: string

Default: ""

Example: "1.0:0.909:0.833"

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.mode

Output resolution.

Type: string

Default: ""

Example: "3840x2160"

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.position

Output position

Type: string

Default: ""

Example: "5760x0"

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.primary

Whether output should be marked as primary

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.rate

Output framerate.

Type: string

Default: ""

Example: "60.00"

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.rotate

Output rotate configuration.

Type: null or one of “normal”, “left”, “right”, “inverted”

Default: null

Example: "left"

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.scale

Output scale configuration.

Either configure by pixels or a scaling factor. When using pixel method the xrandr(1) option --scale-from will be used; when using factor method the option --scale will be used.

This option is a shortcut version of the transform option and they are mutually exclusive.

Type: null or (submodule)

Default: null

Example:

{
  x = 1.25;
  y = 1.25;
}

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.scale.method

Output scaling method.

Type: one of “factor”, “pixel”

Default: "factor"

Example: "pixel"

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.scale.x

Horizontal scaling factor/pixels.

Type: floating point number or (positive integer, meaning >0)

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.scale.y

Vertical scaling factor/pixels.

Type: floating point number or (positive integer, meaning >0)

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.config.<name>.transform

Refer to xrandr(1) for the documentation of the transform matrix.

Type: null or (3×3 matrix of floating point numbers)

Default: null

Example:

[
  [ 0.6 0.0 0.0 ]
  [ 0.0 0.6 0.0 ]
  [ 0.0 0.0 1.0 ]
]

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.fingerprint

Output name to EDID mapping. Use autorandr --fingerprint to get current setup values.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.hooks

Profile hook scripts.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.hooks.postswitch

Postswitch hook executed after mode switch.

Type: attribute set of strings concatenated with “\n”

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.hooks.predetect

Predetect hook executed before autorandr attempts to run xrandr.

Type: attribute set of strings concatenated with “\n”

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autorandr.profiles.<name>.hooks.preswitch

Preswitch hook executed before mode switch.

Type: attribute set of strings concatenated with “\n”

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/autorandr.nix>
services.autossh.sessions

List of AutoSSH sessions to start as systemd services. Each service is named ‘autossh-{session.name}’.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    extraArguments = "-N -D4343 billremote@socks.host.net";
    monitoringPort = 20000;
    name = "socks-peer";
    user = "bill";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/autossh.nix>
services.autossh.sessions.*.extraArguments

Arguments to be passed to AutoSSH and retransmitted to SSH process. Some meaningful options include -N (don’t run remote command), -D (open SOCKS proxy on local port), -R (forward remote port), -L (forward local port), -v (Enable debug). Check ssh manual for the complete list.

Type: strings concatenated with " "

Example: "-N -D4343 bill@socks.example.net"

Declared by:

<nixpkgs/nixos/modules/services/networking/autossh.nix>
services.autossh.sessions.*.monitoringPort

Port to be used by AutoSSH for peer monitoring. Note, that AutoSSH also uses mport+1. Value of 0 disables the keep-alive style monitoring

Type: signed integer

Default: 0

Example: 20000

Declared by:

<nixpkgs/nixos/modules/services/networking/autossh.nix>
services.autossh.sessions.*.name

Name of the local AutoSSH session

Type: string

Example: "socks-peer"

Declared by:

<nixpkgs/nixos/modules/services/networking/autossh.nix>
services.autossh.sessions.*.user

Name of the user the AutoSSH session should run as

Type: string

Example: "bill"

Declared by:

<nixpkgs/nixos/modules/services/networking/autossh.nix>
services.autosuspend.enable

Whether to enable the autosuspend daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/autosuspend.nix>
services.autosuspend.package

The autosuspend package to use.

Type: package

Default: pkgs.autosuspend

Declared by:

<nixpkgs/nixos/modules/services/misc/autosuspend.nix>
services.autosuspend.checks

Checks for activity. For more information, see:

Type: attribute set of (section of an INI file (attrs of INI atom (null, bool, int, float or string)))

Default: { }

Example:

{
  # Basic activity check configuration.
  # The check class name is derived from the section header (Ping in this case).
  # Remember to enable desired checks. They are disabled by default.
  Ping = {
    hosts = "192.168.0.7";
  };

  # This check is disabled.
  Smb.enabled = false;

  # Example for a custom check name.
  # This will use the Users check with the custom name RemoteUsers.
  # Custom names are necessary in case a check class is used multiple times.
  # Custom names can also be used for clarification.
  RemoteUsers = {
    class = "Users";
    name = ".*";
    terminal = ".*";
    host = "[0-9].*";
  };

  # Here the Users activity check is used again with different settings and a different name
  LocalUsers = {
    class = "Users";
    name = ".*";
    terminal = ".*";
    host = "localhost";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/autosuspend.nix>
services.autosuspend.checks.<name>.enabled

Whether to enable this activity check.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/autosuspend.nix>
services.autosuspend.checks.<name>.class

Name of the class implementing the check. If this option is not specified, the check’s name must represent a valid internal check class.

Type: null or one of “ActiveCalendarEvent”, “ActiveConnection”, “ExternalCommand”, “JsonPath”, “Kodi”, “KodiIdleTime”, “LastLogActivity”, “Load”, “LogindSessionsIdle”, “Mpd”, “NetworkBandwidth”, “Ping”, “Processes”, “Smb”, “Users”, “XIdleTime”, “XPath”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/autosuspend.nix>
services.autosuspend.settings

Configuration for autosuspend, see https://autosuspend.readthedocs.io/en/latest/configuration_file.html#general-configuration for supported values.

Type: section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  enable = true;
  interval = 30;
  idle_time = 120;
}

Declared by:

<nixpkgs/nixos/modules/services/misc/autosuspend.nix>
services.autosuspend.settings.suspend_cmd

The command to execute in case the host shall be suspended. This line can contain additional command line arguments to the command to execute.

Type: string

Default: "systemctl suspend"

Declared by:

<nixpkgs/nixos/modules/services/misc/autosuspend.nix>
services.autosuspend.settings.wakeup_cmd

The command to execute for scheduling a wake up of the system. The given string is processed using Python’s str.format() and a format argument called timestamp encodes the UTC timestamp of the planned wake up time (float). Additionally iso can be used to acquire the timestamp in ISO 8601 format.

Type: string

Default: "sh -c 'echo 0 > /sys/class/rtc/rtc0/wakealarm && echo {timestamp:.0f} > /sys/class/rtc/rtc0/wakealarm' "

Declared by:

<nixpkgs/nixos/modules/services/misc/autosuspend.nix>
services.autosuspend.wakeups

Checks for wake up. For more information, see:

Type: attribute set of (section of an INI file (attrs of INI atom (null, bool, int, float or string)))

Default: { }

Example:

{
  # Wake up checks reuse the same configuration mechanism as activity checks.
  Calendar = {
    url = "http://example.org/test.ics";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/autosuspend.nix>
services.autosuspend.wakeups.<name>.enabled

Whether to enable this wake-up check.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/autosuspend.nix>
services.autosuspend.wakeups.<name>.class

Name of the class implementing the check. If this option is not specified, the check’s name must represent a valid internal check class.

Type: null or one of “Calendar”, “Command”, “File”, “Periodic”, “SystemdTimer”, “XPath”, “XPathDelta”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/autosuspend.nix>
services.avahi.enable

Whether to run the Avahi daemon, which allows Avahi clients to use Avahi’s service discovery facilities and also allows the local machine to advertise its presence and services (through the mDNS responder implemented by avahi-daemon).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.package

The avahi package to use.

Type: package

Default: pkgs.avahi

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.allowInterfaces

List of network interfaces that should be used by the avahi-daemon. Other interfaces will be ignored. If null, all local interfaces except loopback and point-to-point will be used.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.allowPointToPoint

Whether to use POINTTOPOINT interfaces. Might make mDNS unreliable due to usually large latencies with such links and opens a potential security hole by allowing mDNS access from Internet connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.browseDomains

List of non-local DNS domains to be browsed.

Type: list of string

Default: [ ]

Example:

[
  "0pointer.de"
  "zeroconf.org"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.cacheEntriesMax

Number of resource records to be cached per interface. Use 0 to disable caching. Avahi daemon defaults to 4096 if not set.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.denyInterfaces

List of network interfaces that should be ignored by the avahi-daemon. Other unspecified interfaces will be used, unless allowInterfaces is set. This option takes precedence over allowInterfaces.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.domainName

Domain name for all advertisements.

Type: string

Default: "local"

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.extraConfig

Extra config to append to avahi-daemon.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.extraServiceFiles

Specify custom service definitions which are placed in the avahi service directory. See the avahi.service(5) manpage for detailed information.

Type: attribute set of (string or path)

Default: { }

Example:

{
  ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
  smb = ''
    <?xml version="1.0" standalone='no'?><!--*-nxml-*-->
    <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
    <service-group>
      <name replace-wildcards="yes">%h</name>
      <service>
        <type>_smb._tcp</type>
        <port>445</port>
      </service>
    </service-group>
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.hostName

Host name advertised on the LAN. If not set, avahi will use the value of config.networking.hostName.

Type: string

Default: config.networking.hostName

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.ipv4

Whether to use IPv4.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.ipv6

Whether to use IPv6.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.nssmdns4

Whether to enable the mDNS NSS (Name Service Switch) plug-in for IPv4. Enabling it allows applications to resolve names in the .local domain by transparently querying the Avahi daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.nssmdns6

Whether to enable the mDNS NSS (Name Service Switch) plug-in for IPv6. Enabling it allows applications to resolve names in the .local domain by transparently querying the Avahi daemon.

Note

Due to the fact that most mDNS responders only register local IPv4 addresses, most user want to leave this option disabled to avoid long timeouts when applications first resolve the none existing IPv6 address.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.openFirewall

Whether to open the firewall for UDP port 5353. Disabling this setting also disables discovering of network devices.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.publish.enable

Whether to allow publishing in general.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.publish.addresses

Whether to register mDNS address records for all local IP addresses.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.publish.domain

Whether to announce the locally used domain name for browsing by other hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.publish.hinfo

Whether to register a mDNS HINFO record which contains information about the local operating system and CPU.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.publish.userServices

Whether to publish user services. Will set addresses=true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.publish.workstation

Whether to register a service of type “_workstation._tcp” on the local LAN.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.reflector

Reflect incoming mDNS requests to all allowed network interfaces.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.avahi.wideArea

Whether to enable wide-area service discovery.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/avahi-daemon.nix>
services.awstats.enable

Whether to enable awstats, a real-time logfile analyzer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/awstats.nix>
services.awstats.configs

Attribute set of domains to collect stats for.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "mysite" = {
    domain = "example.com";
    logFile = "/var/log/nginx/access.log";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/logging/awstats.nix>
services.awstats.configs.<name>.domain

The domain name to collect stats for.

Type: string

Default: "‹name›"

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/logging/awstats.nix>
services.awstats.configs.<name>.extraConfig

Extra configuration to be appended to awstats.${name}.conf.

Type: attribute set of string

Default: { }

Example:

{
  "ValidHTTPCodes" = "404";
}

Declared by:

<nixpkgs/nixos/modules/services/logging/awstats.nix>
services.awstats.configs.<name>.hostAliases

List of aliases the site has.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/logging/awstats.nix>
services.awstats.configs.<name>.logFile

The log file to be scanned.

For mail, set this to

journalctl $OLD_CURSOR -u postfix.service | ${pkgs.perl}/bin/perl ${pkgs.awstats.out}/share/awstats/tools/maillogconvert.pl standard |

Type: string

Example: "/var/log/nginx/access.log"

Declared by:

<nixpkgs/nixos/modules/services/logging/awstats.nix>
services.awstats.configs.<name>.logFormat

The log format being used.

For mail, set this to

%time2 %email %email_r %host %host_r %method %url %code %bytesd

Type: string

Default: "1"

Declared by:

<nixpkgs/nixos/modules/services/logging/awstats.nix>
services.awstats.configs.<name>.type

The type of log being collected.

Type: one of “mail”, “web”

Default: "web"

Example: "mail"

Declared by:

<nixpkgs/nixos/modules/services/logging/awstats.nix>
services.awstats.configs.<name>.webService.enable

Whether to enable awstats web service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/awstats.nix>
services.awstats.configs.<name>.webService.hostname

The hostname the web service appears under.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/logging/awstats.nix>
services.awstats.configs.<name>.webService.urlPrefix

The URL prefix under which the awstats pages appear.

Type: string

Default: "/awstats"

Declared by:

<nixpkgs/nixos/modules/services/logging/awstats.nix>
services.awstats.dataDir

The directory where awstats data will be stored.

Type: path

Default: "/var/lib/awstats"

Declared by:

<nixpkgs/nixos/modules/services/logging/awstats.nix>
services.awstats.updateAt

Specification of the time at which awstats will get updated. (in the format described by systemd.time(7))

Type: null or string

Default: null

Example: "hourly"

Declared by:

<nixpkgs/nixos/modules/services/logging/awstats.nix>
services.ayatana-indicators.enable

Whether to enable Ayatana Indicators, a continuation of Canonical’s Application Indicators .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/ayatana-indicators.nix>
services.ayatana-indicators.packages

List of packages containing Ayatana Indicator services that should be brought up by a SystemD “ayatana-indicators” user target.

Packages specified here must have passthru.ayatana-indicators set correctly.

If, how, and where these indicators are displayed will depend on your DE. Which target they will be brought up by depends on the packages’ passthru.ayatana-indicators.

Type: list of package

Default: [ ]

Example: with pkgs; [ ayatana-indicator-messages ]

Declared by:

<nixpkgs/nixos/modules/services/desktops/ayatana-indicators.nix>
services.babeld.enable

Whether to enable the babeld network routing daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/babeld.nix>
services.babeld.extraConfig

Options that will be copied to babeld.conf. See babeld(8) for details.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/babeld.nix>
services.babeld.interfaceDefaults

A set describing default parameters for babeld interfaces. See babeld(8) for options.

Type: null or (attribute set of unspecified value)

Default: null

Example:

{
  split-horizon = true;
  type = "tunnel";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/babeld.nix>
services.babeld.interfaces

A set describing babeld interfaces. See babeld(8) for options.

Type: attribute set of attribute set of unspecified value

Default: { }

Example:

{
  enp0s2 = {
    hello-interval = 5;
    split-horizon = "auto";
    type = "wired";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/babeld.nix>
services.bacula-dir.enable

Whether to enable Bacula Director Daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.extraConfig

Extra configuration for Bacula Director Daemon.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  TODO
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.extraDirectorConfig

Extra configuration to be passed in Director directive.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  Maximum Concurrent Jobs = 20;
  Heartbeat Interval = 30;
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.extraMessagesConfig

Extra configuration to be passed in Messages directive.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  console = all
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.name

The director name used by the system administrator. This directive is required.

Type: string

Default: "${config.networking.hostName}-dir"

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.password

Specifies the password that must be supplied for a Director.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.port

Specify the port (a positive integer) on which the Director daemon will listen for Bacula Console connections. This same port number must be specified in the Director resource of the Console configuration file. The default is 9101, so normally this directive need not be specified. This directive should not be used if you specify DirAddresses (N.B plural) directive.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9101

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.tls

TLS Options for the Director. Important notice: The backup won’t be encrypted.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.tls.enable

Specifies if TLS should be enabled. If this set to false TLS will be completely disabled, even if services.bacula-dir.tls.require is true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.tls.allowedCN

Common name attribute of allowed peer certificates. This directive is valid for a server and in a client context. If this directive is specified, the peer certificate will be verified against this list. In the case this directive is configured on a server side, the allowed CN list will not be checked if services.bacula-dir.tls.verifyPeer is false.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.tls.caCertificateFile

The path specifying a PEM encoded TLS CA certificate(s). Multiple certificates are permitted in the file. One of TLS CA Certificate File or TLS CA Certificate Dir are required in a server context, unless services.bacula-dir.tls.verifyPeer is false, and are always required in a client context.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.tls.certificate

The full path to the PEM encoded TLS certificate. It will be used as either a client or server certificate, depending on the connection direction. This directive is required in a server context, but it may not be specified in a client context if services.bacula-dir.tls.verifyPeer is false in the corresponding server context.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.tls.key

The path of a PEM encoded TLS private key. It must correspond to the TLS certificate.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.tls.require

Require TLS or TLS-PSK encryption. This directive is ignored unless one of services.bacula-dir.tls.enable is true or TLS PSK Enable is set to yes. If TLS is not required while TLS or TLS-PSK are enabled, then the Bacula component will connect with other components either with or without TLS or TLS-PSK

If services.bacula-dir.tls.enable or TLS-PSK is enabled and TLS is required, then the Bacula component will refuse any connection request that does not use TLS.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-dir.tls.verifyPeer

Verify peer certificate. Instructs server to request and verify the client’s X.509 certificate. Any client certificate signed by a known-CA will be accepted. Additionally, the client’s X509 certificate Common Name must meet the value of the Address directive. If services.bacula-dir.tls.allowedCN is used, the client’s x509 certificate Common Name must also correspond to one of the CN specified in the services.bacula-dir.tls.allowedCN directive. This directive is valid only for a server and not in client context.

Standard from Bacula is true.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.enable

Whether to enable the Bacula File Daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.director

This option defines director resources in Bacula File Daemon.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.director.<name>.monitor

If Monitor is set to no, this director will have full access to this Storage daemon. If Monitor is set to yes, this director will only be able to fetch the current status of this Storage daemon.

Please note that if this director is being used by a Monitor, we highly recommend to set this directive to yes to avoid serious security problems.

Type: one of “no”, “yes”

Default: "no"

Example: "yes"

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.director.<name>.password

Specifies the password that must be supplied for the default Bacula Console to be authorized. The same password must appear in the Director resource of the Console configuration file. For added security, the password is never passed across the network but instead a challenge response hash code created with the password. This directive is required. If you have either /dev/random or bc on your machine, Bacula will generate a random password during the configuration process, otherwise it will be left blank and you must manually supply it.

The password is plain text. It is not generated through any special process but as noted above, it is better to use random text for security reasons.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.director.<name>.tls

TLS Options for the Director in this Configuration.

Type: submodule

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.director.<name>.tls.enable

Specifies if TLS should be enabled. If this set to false TLS will be completely disabled, even if services.bacula-fd.director.<name>.tls.require is true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.director.<name>.tls.allowedCN

Common name attribute of allowed peer certificates. This directive is valid for a server and in a client context. If this directive is specified, the peer certificate will be verified against this list. In the case this directive is configured on a server side, the allowed CN list will not be checked if services.bacula-fd.director.<name>.tls.verifyPeer is false.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.director.<name>.tls.caCertificateFile

The path specifying a PEM encoded TLS CA certificate(s). Multiple certificates are permitted in the file. One of TLS CA Certificate File or TLS CA Certificate Dir are required in a server context, unless services.bacula-fd.director.<name>.tls.verifyPeer is false, and are always required in a client context.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.director.<name>.tls.certificate

The full path to the PEM encoded TLS certificate. It will be used as either a client or server certificate, depending on the connection direction. This directive is required in a server context, but it may not be specified in a client context if services.bacula-fd.director.<name>.tls.verifyPeer is false in the corresponding server context.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.director.<name>.tls.key

The path of a PEM encoded TLS private key. It must correspond to the TLS certificate.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.director.<name>.tls.require

Require TLS or TLS-PSK encryption. This directive is ignored unless one of services.bacula-fd.director.<name>.tls.enable is true or TLS PSK Enable is set to yes. If TLS is not required while TLS or TLS-PSK are enabled, then the Bacula component will connect with other components either with or without TLS or TLS-PSK

If services.bacula-fd.director.<name>.tls.enable or TLS-PSK is enabled and TLS is required, then the Bacula component will refuse any connection request that does not use TLS.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.director.<name>.tls.verifyPeer

Verify peer certificate. Instructs server to request and verify the client’s X.509 certificate. Any client certificate signed by a known-CA will be accepted. Additionally, the client’s X509 certificate Common Name must meet the value of the Address directive. If services.bacula-fd.director.<name>.tls.allowedCN is used, the client’s x509 certificate Common Name must also correspond to one of the CN specified in the services.bacula-fd.director.<name>.tls.allowedCN directive. This directive is valid only for a server and not in client context.

Standard from Bacula is true.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.extraClientConfig

Extra configuration to be passed in Client directive.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  Maximum Concurrent Jobs = 20;
  Heartbeat Interval = 30;
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.extraMessagesConfig

Extra configuration to be passed in Messages directive.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  console = all
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.name

The client name that must be used by the Director when connecting. Generally, it is a good idea to use a name related to the machine so that error messages can be easily identified if you have multiple Clients. This directive is required.

Type: string

Default: "${config.networking.hostName}-fd"

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.port

This specifies the port number on which the Client listens for Director connections. It must agree with the FDPort specified in the Client resource of the Director’s configuration file.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9102

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.tls

TLS Options for the File Daemon. Important notice: The backup won’t be encrypted.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.tls.enable

Specifies if TLS should be enabled. If this set to false TLS will be completely disabled, even if services.bacula-fd.tls.require is true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.tls.allowedCN

Common name attribute of allowed peer certificates. This directive is valid for a server and in a client context. If this directive is specified, the peer certificate will be verified against this list. In the case this directive is configured on a server side, the allowed CN list will not be checked if services.bacula-fd.tls.verifyPeer is false.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.tls.caCertificateFile

The path specifying a PEM encoded TLS CA certificate(s). Multiple certificates are permitted in the file. One of TLS CA Certificate File or TLS CA Certificate Dir are required in a server context, unless services.bacula-fd.tls.verifyPeer is false, and are always required in a client context.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.tls.certificate

The full path to the PEM encoded TLS certificate. It will be used as either a client or server certificate, depending on the connection direction. This directive is required in a server context, but it may not be specified in a client context if services.bacula-fd.tls.verifyPeer is false in the corresponding server context.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.tls.key

The path of a PEM encoded TLS private key. It must correspond to the TLS certificate.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.tls.require

Require TLS or TLS-PSK encryption. This directive is ignored unless one of services.bacula-fd.tls.enable is true or TLS PSK Enable is set to yes. If TLS is not required while TLS or TLS-PSK are enabled, then the Bacula component will connect with other components either with or without TLS or TLS-PSK

If services.bacula-fd.tls.enable or TLS-PSK is enabled and TLS is required, then the Bacula component will refuse any connection request that does not use TLS.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-fd.tls.verifyPeer

Verify peer certificate. Instructs server to request and verify the client’s X.509 certificate. Any client certificate signed by a known-CA will be accepted. Additionally, the client’s X509 certificate Common Name must meet the value of the Address directive. If services.bacula-fd.tls.allowedCN is used, the client’s x509 certificate Common Name must also correspond to one of the CN specified in the services.bacula-fd.tls.allowedCN directive. This directive is valid only for a server and not in client context.

Standard from Bacula is true.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.enable

Whether to enable Bacula Storage Daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.autochanger

This option defines Autochanger resources in Bacula Storage Daemon.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.autochanger.<name>.changerCommand

The name-string specifies an external program to be called that will automatically change volumes as required by Bacula. Normally, this directive will be specified only in the AutoChanger resource, which is then used for all devices. However, you may also specify the different Changer Command in each Device resource. Most frequently, you will specify the Bacula supplied mtx-changer script as follows:

"/path/mtx-changer %c %o %S %a %d"

and you will install the mtx on your system (found in the depkgs release). An example of this command is in the default bacula-sd.conf file. For more details on the substitution characters that may be specified to configure your autochanger please see the AutochangersAutochangersChapter chapter of this manual. For FreeBSD users, you might want to see one of the several chio scripts in examples/autochangers.

Type: string

Default: "/etc/bacula/mtx-changer %c %o %S %a %d"

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.autochanger.<name>.changerDevice

The specified name-string must be the generic SCSI device name of the autochanger that corresponds to the normal read/write Archive Device specified in the Device resource. This generic SCSI device name should be specified if you have an autochanger or if you have a standard tape drive and want to use the Alert Command (see below). For example, on Linux systems, for an Archive Device name of /dev/nst0, you would specify /dev/sg0 for the Changer Device name. Depending on your exact configuration, and the number of autochangers or the type of autochanger, what you specify here can vary. This directive is optional. See the Using AutochangersAutochangersChapter chapter of this manual for more details of using this and the following autochanger directives.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.autochanger.<name>.devices

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.autochanger.<name>.extraAutochangerConfig

Extra configuration to be passed in Autochanger directive.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.device

This option defines Device resources in Bacula Storage Daemon.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.device.<name>.archiveDevice

The specified name-string gives the system file name of the storage device managed by this storage daemon. This will usually be the device file name of a removable storage device (tape drive), for example /dev/nst0 or /dev/rmt/0mbn. For a DVD-writer, it will be for example /dev/hdc. It may also be a directory name if you are archiving to disk storage. In this case, you must supply the full absolute path to the directory. When specifying a tape device, it is preferable that the “non-rewind” variant of the device file name be given.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.device.<name>.extraDeviceConfig

Extra configuration to be passed in Device directive.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  LabelMedia = yes
  Random Access = no
  AutomaticMount = no
  RemovableMedia = no
  MaximumOpenWait = 60
  AlwaysOpen = no
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.device.<name>.mediaType

The specified name-string names the type of media supported by this device, for example, DLT7000. Media type names are arbitrary in that you set them to anything you want, but they must be known to the volume database to keep track of which storage daemons can read which volumes. In general, each different storage type should have a unique Media Type associated with it. The same name-string must appear in the appropriate Storage resource definition in the Director’s configuration file.

Even though the names you assign are arbitrary (i.e. you choose the name you want), you should take care in specifying them because the Media Type is used to determine which storage device Bacula will select during restore. Thus you should probably use the same Media Type specification for all drives where the Media can be freely interchanged. This is not generally an issue if you have a single Storage daemon, but it is with multiple Storage daemons, especially if they have incompatible media.

For example, if you specify a Media Type of DDS-4 then during the restore, Bacula will be able to choose any Storage Daemon that handles DDS-4. If you have an autochanger, you might want to name the Media Type in a way that is unique to the autochanger, unless you wish to possibly use the Volumes in other drives. You should also ensure to have unique Media Type names if the Media is not compatible between drives. This specification is required for all devices.

In addition, if you are using disk storage, each Device resource will generally have a different mount point or directory. In order for Bacula to select the correct Device resource, each one must have a unique Media Type.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.director

This option defines Director resources in Bacula Storage Daemon.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.director.<name>.monitor

If Monitor is set to no, this director will have full access to this Storage daemon. If Monitor is set to yes, this director will only be able to fetch the current status of this Storage daemon.

Please note that if this director is being used by a Monitor, we highly recommend to set this directive to yes to avoid serious security problems.

Type: one of “no”, “yes”

Default: "no"

Example: "yes"

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.director.<name>.password

Specifies the password that must be supplied for the default Bacula Console to be authorized. The same password must appear in the Director resource of the Console configuration file. For added security, the password is never passed across the network but instead a challenge response hash code created with the password. This directive is required. If you have either /dev/random or bc on your machine, Bacula will generate a random password during the configuration process, otherwise it will be left blank and you must manually supply it.

The password is plain text. It is not generated through any special process but as noted above, it is better to use random text for security reasons.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.director.<name>.tls

TLS Options for the Director in this Configuration.

Type: submodule

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.director.<name>.tls.enable

Specifies if TLS should be enabled. If this set to false TLS will be completely disabled, even if services.bacula-sd.director.<name>.tls.require is true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.director.<name>.tls.allowedCN

Common name attribute of allowed peer certificates. This directive is valid for a server and in a client context. If this directive is specified, the peer certificate will be verified against this list. In the case this directive is configured on a server side, the allowed CN list will not be checked if services.bacula-sd.director.<name>.tls.verifyPeer is false.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.director.<name>.tls.caCertificateFile

The path specifying a PEM encoded TLS CA certificate(s). Multiple certificates are permitted in the file. One of TLS CA Certificate File or TLS CA Certificate Dir are required in a server context, unless services.bacula-sd.director.<name>.tls.verifyPeer is false, and are always required in a client context.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.director.<name>.tls.certificate

The full path to the PEM encoded TLS certificate. It will be used as either a client or server certificate, depending on the connection direction. This directive is required in a server context, but it may not be specified in a client context if services.bacula-sd.director.<name>.tls.verifyPeer is false in the corresponding server context.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.director.<name>.tls.key

The path of a PEM encoded TLS private key. It must correspond to the TLS certificate.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.director.<name>.tls.require

Require TLS or TLS-PSK encryption. This directive is ignored unless one of services.bacula-sd.director.<name>.tls.enable is true or TLS PSK Enable is set to yes. If TLS is not required while TLS or TLS-PSK are enabled, then the Bacula component will connect with other components either with or without TLS or TLS-PSK

If services.bacula-sd.director.<name>.tls.enable or TLS-PSK is enabled and TLS is required, then the Bacula component will refuse any connection request that does not use TLS.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.director.<name>.tls.verifyPeer

Verify peer certificate. Instructs server to request and verify the client’s X.509 certificate. Any client certificate signed by a known-CA will be accepted. Additionally, the client’s X509 certificate Common Name must meet the value of the Address directive. If services.bacula-sd.director.<name>.tls.allowedCN is used, the client’s x509 certificate Common Name must also correspond to one of the CN specified in the services.bacula-sd.director.<name>.tls.allowedCN directive. This directive is valid only for a server and not in client context.

Standard from Bacula is true.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.extraMessagesConfig

Extra configuration to be passed in Messages directive.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  console = all
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.extraStorageConfig

Extra configuration to be passed in Storage directive.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  Maximum Concurrent Jobs = 20;
  Heartbeat Interval = 30;
''

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.name

Specifies the Name of the Storage daemon.

Type: string

Default: "${config.networking.hostName}-sd"

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.port

Specifies port number on which the Storage daemon listens for Director connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9103

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.tls

TLS Options for the Storage Daemon. Important notice: The backup won’t be encrypted.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.tls.enable

Specifies if TLS should be enabled. If this set to false TLS will be completely disabled, even if services.bacula-sd.tls.require is true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.tls.allowedCN

Common name attribute of allowed peer certificates. This directive is valid for a server and in a client context. If this directive is specified, the peer certificate will be verified against this list. In the case this directive is configured on a server side, the allowed CN list will not be checked if services.bacula-sd.tls.verifyPeer is false.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.tls.caCertificateFile

The path specifying a PEM encoded TLS CA certificate(s). Multiple certificates are permitted in the file. One of TLS CA Certificate File or TLS CA Certificate Dir are required in a server context, unless services.bacula-sd.tls.verifyPeer is false, and are always required in a client context.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.tls.certificate

The full path to the PEM encoded TLS certificate. It will be used as either a client or server certificate, depending on the connection direction. This directive is required in a server context, but it may not be specified in a client context if services.bacula-sd.tls.verifyPeer is false in the corresponding server context.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.tls.key

The path of a PEM encoded TLS private key. It must correspond to the TLS certificate.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.tls.require

Require TLS or TLS-PSK encryption. This directive is ignored unless one of services.bacula-sd.tls.enable is true or TLS PSK Enable is set to yes. If TLS is not required while TLS or TLS-PSK are enabled, then the Bacula component will connect with other components either with or without TLS or TLS-PSK

If services.bacula-sd.tls.enable or TLS-PSK is enabled and TLS is required, then the Bacula component will refuse any connection request that does not use TLS.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bacula-sd.tls.verifyPeer

Verify peer certificate. Instructs server to request and verify the client’s X.509 certificate. Any client certificate signed by a known-CA will be accepted. Additionally, the client’s X509 certificate Common Name must meet the value of the Address directive. If services.bacula-sd.tls.allowedCN is used, the client’s x509 certificate Common Name must also correspond to one of the CN specified in the services.bacula-sd.tls.allowedCN directive. This directive is valid only for a server and not in client context.

Standard from Bacula is true.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/bacula.nix>
services.bamf.enable

Whether to enable bamf.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/bamf.nix>
services.bazarr.enable

Whether to enable bazarr, a subtitle manager for Sonarr and Radarr.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/bazarr.nix>
services.bazarr.package

The bazarr package to use.

Type: package

Default: pkgs.bazarr

Declared by:

<nixpkgs/nixos/modules/services/misc/bazarr.nix>
services.bazarr.group

Group under which bazarr runs.

Type: string

Default: "bazarr"

Declared by:

<nixpkgs/nixos/modules/services/misc/bazarr.nix>
services.bazarr.listenPort

Port on which the bazarr web interface should listen

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6767

Declared by:

<nixpkgs/nixos/modules/services/misc/bazarr.nix>
services.bazarr.openFirewall

Open ports in the firewall for the bazarr web interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/bazarr.nix>
services.bazarr.user

User account under which bazarr runs.

Type: string

Default: "bazarr"

Declared by:

<nixpkgs/nixos/modules/services/misc/bazarr.nix>
services.bcg.enable

Whether to enable BigClown gateway.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.package

The bcg package to use.

Type: package

Default: pkgs.python3Packages.bcg

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.automaticRemoveKitFromNames

Automatically remove kits.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.automaticRenameGenericNodes

Automatically rename generic nodes.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.automaticRenameKitNodes

Automatically rename kit’s nodes.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.automaticRenameNodes

Automatically rename all nodes.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.baseTopicPrefix

Topic prefix added to all MQTT messages.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.device

Device name to configure gateway to use.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.environmentFiles

File to load as environment file. Environment variables from this file will be interpolated into the config file using envsubst with this syntax: $ENVIRONMENT or ${VARIABLE}. This is useful to avoid putting secrets into the nix store.

Type: list of path

Default: [ ]

Example:

[
  "/run/keys/bcg.env"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.mqtt.cafile

Certificate Authority file for MQTT server access.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.mqtt.certfile

Certificate file for MQTT server access.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.mqtt.host

Host where MQTT server is running.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.mqtt.keyfile

Key file for MQTT server access.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.mqtt.password

MQTT server access password.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.mqtt.port

Port of MQTT server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1883

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.mqtt.username

MQTT server access username.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.name

Name for the device.

Supported variables:

  • {ip} IP address

  • {id} The ID of the connected usb-dongle or core-module

null can be used for automatic detection from gateway firmware.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.qosNodeMessages

Set the guarantee of MQTT message delivery.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.rename

Rename nodes to different name.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.retainNodeMessages

Specify that node messages should be retaied in MQTT broker.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.bcg.verbose

Verbosity level.

Type: one of “CRITICAL”, “ERROR”, “WARNING”, “INFO”, “DEBUG”

Default: "WARNING"

Declared by:

<nixpkgs/nixos/modules/services/misc/bcg.nix>
services.beanstalkd.enable

Whether to enable the Beanstalk work queue.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/beanstalkd.nix>
services.beanstalkd.listen.address

IP address to listen on.

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/beanstalkd.nix>
services.beanstalkd.listen.port

TCP port that will be used to accept client connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 11300

Declared by:

<nixpkgs/nixos/modules/services/misc/beanstalkd.nix>
services.beanstalkd.openFirewall

Whether to open ports in the firewall for the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/beanstalkd.nix>
services.bee.enable

Whether to enable Ethereum Swarm Bee.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/bee.nix>
services.bee.package

The bee package to use.

Type: package

Default: pkgs.bee

Example: bee-unstable

Declared by:

<nixpkgs/nixos/modules/services/networking/bee.nix>
services.bee.daemonNiceLevel

Daemon process priority for bee. 0 is the default Unix process priority, 19 is the lowest.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/bee.nix>
services.bee.group

Group the bee binary should execute under.

Type: string

Default: "bee"

Declared by:

<nixpkgs/nixos/modules/services/networking/bee.nix>
services.bee.settings

Ethereum Swarm Bee configuration. Refer to https://gateway.ethswarm.org/bzz/docs.swarm.eth/docs/installation/configuration/ for details on supported values.

Type: YAML value

Declared by:

<nixpkgs/nixos/modules/services/networking/bee.nix>
services.bee.user

User the bee binary should execute under.

Type: string

Default: "bee"

Declared by:

<nixpkgs/nixos/modules/services/networking/bee.nix>
services.beesd.filesystems

BTRFS filesystems to run block-level deduplication on.

Type: attribute set of (submodule)

Default: { }

Example:

{
  root = {
    spec = "LABEL=root";
    hashTableSizeMB = 2048;
    verbosity = "crit";
    extraOptions = [ "--loadavg-target" "5.0" ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/bees.nix>
services.beesd.filesystems.<name>.extraOptions

Extra command-line options passed to the daemon. See upstream bees documentation.

Type: list of string

Default: [ ]

Example:

[ "--thread-count" "4" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/bees.nix>
services.beesd.filesystems.<name>.hashTableSizeMB

Hash table size in MB; must be a multiple of 16.

A larger ratio of index size to storage size means smaller blocks of duplicate content are recognized.

If you have 1TB of data, a 4GB hash table (which is to say, a value of 4096) will permit 4KB extents (the smallest possible size) to be recognized, whereas a value of 1024 – creating a 1GB hash table – will recognize only aligned duplicate blocks of 16KB.

Type: signed integer

Default: 1024

Declared by:

<nixpkgs/nixos/modules/services/misc/bees.nix>
services.beesd.filesystems.<name>.spec

Description of how to identify the filesystem to be duplicated by this instance of bees. Note that deduplication crosses subvolumes; one must not configure multiple instances for subvolumes of the same filesystem (or block devices which are part of the same filesystem), but only for completely independent btrfs filesystems.

This must be in a format usable by findmnt; that could be a key=value pair, or a bare path to a mount point. Using bare paths will allow systemd to start the beesd service only after mounting the associated path.

Type: string

Example: "LABEL=MyBulkDataDrive"

Declared by:

<nixpkgs/nixos/modules/services/misc/bees.nix>
services.beesd.filesystems.<name>.verbosity

Log verbosity (syslog keyword/level).

Type: one of “alert”, “crit”, “debug”, “emerg”, “err”, “info”, “notice”, “warning”, 1, 2, 7, 0, 3, 6, 5, 4

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/misc/bees.nix>
services.beesd.filesystems.<name>.workDir

Name (relative to the root of the filesystem) of the subvolume where the hash table will be stored.

Type: string

Default: ".beeshome"

Declared by:

<nixpkgs/nixos/modules/services/misc/bees.nix>
services.below.enable

Whether to enable ‘below’ resource monitor.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/below.nix>
services.below.cgroupFilterOut

A regexp matching the full paths of cgroups whose data shouldn’t be collected

Type: null or string

Default: null

Example: "user.slice.*"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/below.nix>
services.below.collect.diskStats

Whether to enable dist_stat collection.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/below.nix>
services.below.collect.exitStats

Whether to enable eBPF-based exitstats.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/below.nix>
services.below.collect.ioStats

Whether to enable io.stat collection for cgroups.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/below.nix>
services.below.compression.enable

Whether to enable data compression.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/below.nix>
services.below.dirs.log

Where to store below’s logs

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/below.nix>
services.below.dirs.store

Where to store below’s data

Type: null or path

Default: null

Example: "/var/lib/below"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/below.nix>
services.below.retention.size

Size limit for below’s data, in bytes. Data is deleted oldest-first, in 24h ‘shards’.

Note

The size limit may be exceeded by at most the size of the active shard, as:

  • the active shard cannot be deleted;

  • the size limit is only enforced when a new shard is created.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/below.nix>
services.below.retention.time

Retention time, in seconds.

Note

As data is stored in 24 hour shards which are discarded as a whole, only data expired by 24h (or more) is guaranteed to be discarded.

Note

If retention.size is set, data may be discarded earlier than the specified time.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/below.nix>
services.bepasty.enable

Whether to enable bepasty, a binary pastebin server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/bepasty.nix>
services.bepasty.servers

configure a number of bepasty servers which will be started with gunicorn.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/bepasty.nix>
services.bepasty.servers.<name>.bind

Bind address to be used for this server.

Type: string

Default: "127.0.0.1:8000"

Example: "0.0.0.0:8000"

Declared by:

<nixpkgs/nixos/modules/services/misc/bepasty.nix>
services.bepasty.servers.<name>.dataDir

Path to the directory where the pastes will be saved to

Type: string

Default: "/var/lib/bepasty/data"

Declared by:

<nixpkgs/nixos/modules/services/misc/bepasty.nix>
services.bepasty.servers.<name>.defaultPermissions

default permissions for all unauthenticated accesses.

Type: string

Default: "read"

Example: "read,create,delete"

Declared by:

<nixpkgs/nixos/modules/services/misc/bepasty.nix>
services.bepasty.servers.<name>.extraConfig

Extra configuration for bepasty server to be appended on the configuration. see https://bepasty-server.readthedocs.org/en/latest/quickstart.html#configuring-bepasty for all options.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  PERMISSIONS = {
    'myadminsecret': 'admin,list,create,read,delete',
  }
  MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000
''

Declared by:

<nixpkgs/nixos/modules/services/misc/bepasty.nix>
services.bepasty.servers.<name>.secretKey

server secret for safe session cookies, must be set.

Warning: this secret is stored in the WORLD-READABLE Nix store!

It’s recommended to use secretKeyFile which takes precedence over secretKey.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/bepasty.nix>
services.bepasty.servers.<name>.secretKeyFile

A file that contains the server secret for safe session cookies, must be set.

secretKeyFile takes precedence over secretKey.

Warning: when secretKey is non-empty secretKeyFile defaults to a file in the WORLD-READABLE Nix store containing that secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/bepasty.nix>
services.bepasty.servers.<name>.workDir

Path to the working directory (used for config and pidfile). Defaults to the users home directory.

Type: string

Default: "/var/lib/bepasty"

Declared by:

<nixpkgs/nixos/modules/services/misc/bepasty.nix>
services.biboumi.enable

Whether to enable the Biboumi XMPP gateway to IRC.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.credentialsFile

Path to a configuration file to be merged with the settings. Beware not to surround “=” with spaces when setting biboumi’s options in this file. Useful to merge a file which is better kept out of the Nix store because it contains sensible data like password.

Type: path

Default: "/dev/null"

Example: "/run/keys/biboumi.cfg"

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.openFirewall

Whether to enable opening of the identd port in the firewall.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings

See biboumi 8.5 for documentation.

Type: settings option

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings.admin

The bare JID of the gateway administrator. This JID will have more privileges than other standard users, for example some administration ad-hoc commands will only be available to that JID.

Type: list of string

Default: [ ]

Example:

[
  "admin@example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings.ca_file

Specifies which file should be used as the list of trusted CA when negotiating a TLS session.

Type: path

Default: "/etc/ssl/certs/ca-certificates.crt"

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings.db_name

The name of the database to use.

Type: path or string

Default: "/var/lib/biboumi/biboumi.sqlite"

Example: "postgresql://user:secret@localhost"

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings.hostname

The hostname served by the XMPP gateway. This domain must be configured in the XMPP server as an external component.

Type: string

Example: "biboumi.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings.identd_port

The TCP port on which to listen for identd queries.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 113

Example: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings.log_level

Indicate what type of log messages to write in the logs. 0 is debug, 1 is info, 2 is warning, 3 is error.

Type: integer between 0 and 3 (both inclusive)

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings.password

The password used to authenticate the XMPP component to your XMPP server. This password must be configured in the XMPP server, associated with the external component on hostname.

Set it to null and use credentialsFile if you do not want this password to go into the Nix store.

Type: null or string

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings.persistent_by_default

Whether all rooms will be persistent by default: the value of the “persistent” option in the global configuration of each user will be “true”, but the value of each individual room will still default to false. This means that a user just needs to change the global “persistent” configuration option to false in order to override this.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings.policy_directory

A directory that should contain the policy files, used to customize Botan’s behaviour when negotiating the TLS connections with the IRC servers.

Type: path

Default: "${pkgs.biboumi}/etc/biboumi"

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings.port

The TCP port to use to connect to the local XMPP component.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5347

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings.realname_customization

Whether the users will be able to use the ad-hoc commands that lets them configure their realname and username.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings.realname_from_jid

Whether the realname and username of each biboumi user will be extracted from their JID. Otherwise they will be set to the nick they used to connect to the IRC server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.biboumi.settings.xmpp_server_ip

The IP address to connect to the XMPP server on. The connection to the XMPP server is unencrypted, so the biboumi instance and the server should normally be on the same host.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/biboumi.nix>
services.bind.enable

Whether to enable BIND domain name server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.package

The bind package to use.

Type: package

Default: pkgs.bind

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.blockedNetworks

What networks are just blocked.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.cacheNetworks

What networks are allowed to use us as a resolver. Note that this is for recursive queries – all networks are allowed to query zones configured with the zones option by default (although this may be overridden within each zone’s configuration, via the allowQuery option). It is recommended that you limit cacheNetworks to avoid your server being used for DNS amplification attacks.

Type: list of string

Default:

[
  "127.0.0.0/24"
  "::1/128"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.configFile

Overridable config file to use for named. By default, that generated by nixos.

Type: path

Default: confFile

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.directory

Working directory of BIND.

Type: string

Default: "/run/named"

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.extraConfig

Extra lines to be added verbatim to the generated named configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.extraOptions

Extra lines to be added verbatim to the options section of the generated named configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.forward

Whether to forward ‘first’ (try forwarding but lookup directly if forwarding fails) or ‘only’.

Type: one of “first”, “only”

Default: "first"

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.forwarders

List of servers we should forward requests to.

Type: list of string

Default: config.networking.nameservers

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.ipv4Only

Only use ipv4, even if the host supports ipv6.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.listenOn

Interfaces to listen on.

Type: list of string

Default:

[
  "any"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.listenOnIpv6

Ipv6 interfaces to listen on.

Type: list of string

Default:

[
  "any"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.zones

List of zones we claim authority over.

Type: (attribute set of (submodule)) or (list of (attribute set)) convertible to it

Default: [ ]

Example:

{
  "example.com" = {
    extraConfig = "";
    file = "/var/dns/example.com";
    master = false;
    masters = [
      "192.168.0.1"
    ];
    slaves = [ ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.zones.<name>.allowQuery

List of address ranges allowed to query this zone. Instead of the address(es), this may instead contain the single string “any”.

Type: list of string

Default:

[
  "any"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.zones.<name>.extraConfig

Extra zone config to be appended at the end of the zone section.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.zones.<name>.file

Zone file resource records contain columns of data, separated by whitespace, that define the record.

Type: string or path

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.zones.<name>.master

Master=false means slave server

Type: boolean

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.zones.<name>.masters

List of servers for inclusion in stub and secondary zones.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.zones.<name>.name

Name of the zone.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bind.zones.<name>.slaves

Addresses who may request zone transfers.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/bind.nix>
services.bird-lg.package

The bird-lg package to use.

Type: package

Default: pkgs.bird-lg

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.enable

Whether to enable Bird Looking Glass Frontend Webserver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.bgpMapInfo

Information displayed in bgpmap.

Type: list of string

Default:

[
  "asn"
  "as-name"
  "ASName"
  "descr"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.dnsInterface

DNS zone to query ASN information.

Type: string

Default: "asn.cymru.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.domain

Server name domain suffixes.

Type: string

Example: "dn42.lantian.pub"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.extraArgs

Extra parameters documented here.

Note

Passing lines (plain strings) is deprecated in favour of passing lists of strings.

Type: strings concatenated with “\n” or list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.listenAddress

Address to listen on.

Type: string

Default: "127.0.0.1:5000"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.nameFilter

Protocol names to hide in summary tables (RE2 syntax),

Type: string

Default: ""

Example: "^ospf"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.navbar.allServers

Text of ‘All server’ button in the navigation bar.

Type: string

Default: "ALL Servers"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.navbar.allServersURL

URL of ‘All servers’ button.

Type: string

Default: "all"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.navbar.brand

Brand to show in the navigation bar .

Type: string

Default: "Bird-lg Go"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.navbar.brandURL

URL of the brand to show in the navigation bar.

Type: string

Default: "/"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.netSpecificMode

Apply network-specific changes for some networks.

Type: string

Default: ""

Example: "dn42"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.protocolFilter

Information displayed in bgpmap.

Type: list of string

Default: [ ]

Example:

[
  "ospf"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.proxyPort

Port bird-lg-proxy is running on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8000

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.servers

Server name prefixes.

Type: list of string

Example:

[
  "gigsgigscloud"
  "hostdare"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.timeout

Time before request timed out, in seconds.

Type: signed integer

Default: 120

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.titleBrand

Prefix of page titles in browser tabs.

Type: string

Default: "Bird-lg Go"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.frontend.whois

Whois server for queries.

Type: string

Default: "whois.verisign-grs.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.group

Group to run the service.

Type: string

Default: "bird-lg"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.proxy.enable

Whether to enable Bird Looking Glass Proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.proxy.allowedIPs

List of IPs or networks to allow (default all allowed).

Type: list of string

Default: [ ]

Example:

[
  "192.168.25.52"
  "192.168.25.53"
  "192.168.0.0/24"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.proxy.birdSocket

Bird control socket path.

Type: string

Default: "/var/run/bird/bird.ctl"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.proxy.extraArgs

Extra parameters documented here.

Note

Passing lines (plain strings) is deprecated in favour of passing lists of strings.

Type: strings concatenated with “\n” or list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.proxy.listenAddress

Address to listen on.

Type: string

Default: "127.0.0.1:8000"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.proxy.traceroute.binary

Traceroute’s binary path.

Type: string

Default: "${pkgs.traceroute}/bin/traceroute"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.proxy.traceroute.flags

Flags for traceroute process

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.proxy.traceroute.rawOutput

Display traceroute output in raw format.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird-lg.user

User to run the service.

Type: string

Default: "bird-lg"

Declared by:

<nixpkgs/nixos/modules/services/networking/bird-lg.nix>
services.bird2.enable

Whether to enable BIRD Internet Routing Daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/bird.nix>
services.bird2.autoReload

Whether bird2 should be automatically reloaded when the configuration changes.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/bird.nix>
services.bird2.checkConfig

Whether the config should be checked at build time. When the config can’t be checked during build time, for example when it includes other files, either disable this option or use preCheckConfig to create the included files before checking.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/bird.nix>
services.bird2.config

BIRD Internet Routing Daemon configuration file. http://bird.network.cz/

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/networking/bird.nix>
services.bird2.preCheckConfig

Commands to execute before the config file check. The file to be checked will be available as bird2.conf in the current directory.

Files created with this option will not be available at service runtime, only during build time checking.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  echo "cost 100;" > include.conf
''

Declared by:

<nixpkgs/nixos/modules/services/networking/bird.nix>
services.birdwatcher.enable

Whether to enable Birdwatcher.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/birdwatcher.nix>
services.birdwatcher.package

The birdwatcher package to use.

Type: package

Default: pkgs.birdwatcher

Declared by:

<nixpkgs/nixos/modules/services/networking/birdwatcher.nix>
services.birdwatcher.flags

Flags to append to the program call

Type: list of string

Default: [ ]

Example:

[
  "-worker-pool-size 16"
  "-6"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/birdwatcher.nix>
services.birdwatcher.settings

birdwatcher configuration, for configuration options see the example on github

Type: strings concatenated with “\n”

Default: { }

Example:

[server]
allow_from = []
allow_uncached = false
modules_enabled = ["status",
                   "protocols",
                   "protocols_bgp",
                   "protocols_short",
                   "routes_protocol",
                   "routes_peer",
                   "routes_table",
                   "routes_table_filtered",
                   "routes_table_peer",
                   "routes_filtered",
                   "routes_prefixed",
                   "routes_noexport",
                   "routes_pipe_filtered_count",
                   "routes_pipe_filtered"
                  ]

[status]
reconfig_timestamp_source = "bird"
reconfig_timestamp_match = "# created: (.*)"

filter_fields = []

[bird]
listen = "0.0.0.0:29184"
config = "/etc/bird/bird2.conf"
birdc  = "${pkgs.bird}/bin/birdc"
ttl = 5 # time to live (in minutes) for caching of cli output

[parser]
filter_fields = []

[cache]
use_redis = false # if not using redis cache, activate housekeeping to save memory!

[housekeeping]
interval = 5
force_release_memory = true

Declared by:

<nixpkgs/nixos/modules/services/networking/birdwatcher.nix>
services.bitcoind

Specification of one or more bitcoind instances.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.enable

Whether to enable Bitcoin daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.package

The bitcoind package to use.

Type: package

Default: pkgs.bitcoind

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.configFile

The configuration file path to supply bitcoind.

Type: null or path

Default: null

Example: "/var/lib/‹name›/bitcoin.conf"

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.dataDir

The data directory for bitcoind.

Type: path

Default: "/var/lib/bitcoind-‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.dbCache

Override the default database cache size in MiB.

Type: null or integer between 4 and 16384 (both inclusive)

Default: null

Example: 4000

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.extraCmdlineOptions

Extra command line options to pass to bitcoind. Run bitcoind --help to list all available options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.extraConfig

Additional configurations to be appended to bitcoin.conf.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  par=16
  rpcthreads=16
  logips=1
''

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.group

The group as which to run bitcoind.

Type: string

Default: "bitcoind-‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.pidFile

Location of bitcoind pid file.

Type: path

Default: "/var/lib/bitcoind-‹name›/bitcoind.pid"

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.port

Override the default port on which to listen for connections.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.prune

Reduce storage requirements by enabling pruning (deleting) of old blocks. This allows the pruneblockchain RPC to be called to delete specific blocks, and enables automatic pruning of old blocks if a target size in MiB is provided. This mode is incompatible with -txindex and -rescan. Warning: Reverting this setting requires re-downloading the entire blockchain. (“disable” = disable pruning blocks, “manual” = allow manual pruning via RPC, >=550 = automatically prune block files to stay under the specified target size in MiB).

Type: null or ((unsigned integer, meaning >=0) or (one of “disable”, “manual”) convertible to it)

Default: null

Example: 10000

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.rpc.port

Override the default port on which to listen for JSON-RPC connections.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.rpc.users

RPC user information for JSON-RPC connections.

Type: attribute set of (submodule)

Default: { }

Example:

{
  alice.passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
  bob.passwordHMAC = "b2dd077cb54591a2f3139e69a897ac$4e71f08d48b4347cf8eff3815c0e25ae2e9a4340474079f55705f40574f4ec99";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.rpc.users.<name>.name

Username for JSON-RPC connections.

Type: string

Example: "alice"

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.rpc.users.<name>.passwordHMAC

Password HMAC-SHA-256 for JSON-RPC connections. Must be a string of the format <SALT-HEX>$<HMAC-HEX>.

Tool (Python script) for HMAC generation is available here: https://github.com/bitcoin/bitcoin/blob/master/share/rpcauth/rpcauth.py

Type: string matching the pattern [0-9a-f]+\$[0-9a-f]{64}

Example: "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae"

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.testnet

Whether to use the testnet instead of mainnet.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitcoind.<name>.user

The user as which to run bitcoind.

Type: string

Default: "bitcoind-‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/bitcoind.nix>
services.bitlbee.enable

Whether to run the BitlBee IRC to other chat network gateway. Running it allows you to access the MSN, Jabber, Yahoo! and ICQ chat networks via an IRC client.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.authBackend

How users are authenticated storage – save passwords internally pam – Linux PAM authentication

Type: one of “storage”, “pam”

Default: "storage"

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.authMode

The following authentication modes are available: Open – Accept connections from anyone, use NickServ for user authentication. Closed – Require authorization (using the PASS command during login) before allowing the user to connect at all. Registered – Only allow registered users to use this server; this disables the register- and the account command until the user identifies himself.

Type: one of “Open”, “Closed”, “Registered”

Default: "Open"

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.configDir

Specify an alternative directory to store all the per-user configuration files.

Type: path

Default: "/var/lib/bitlbee"

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.extraDefaults

Will be inserted in the Default section of the config file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.extraSettings

Will be inserted in the Settings section of the config file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.hostName

Normally, BitlBee gets a hostname using getsockname(). If you have a nicer alias for your BitlBee daemon, you can set it here and BitlBee will identify itself with that name instead.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.interface

The interface the BitlBee daemon will be listening to. If 127.0.0.1, only clients on the local host can connect to it; if 0.0.0.0, clients can access it from any network interface.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.libpurple_plugins

The list of libpurple plugins to install.

Type: list of package

Default: [ ]

Example: [ pkgs.purple-matrix ]

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.plugins

The list of bitlbee plugins to install.

Type: list of package

Default: [ ]

Example: [ pkgs.bitlbee-facebook ]

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.portNumber

Number of the port BitlBee will be listening to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6667

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitlbee.protocols

This option allows to remove the support of protocol, even if compiled in. If nothing is given, there are no restrictions.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/bitlbee.nix>
services.bitmagnet.enable

Whether to enable Bitmagnet service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.package

The bitmagnet package to use.

Type: package

Default: pkgs.bitmagnet

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.group

Group of user running bitmagnet

Type: string

Default: "bitmagnet"

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.openFirewall

Open DHT ports in firewall

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.settings

Bitmagnet configuration (https://bitmagnet.io/setup/configuration.html).

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.settings.dht_server

DHT server settings

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.settings.dht_server.port

DHT listen port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3334

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.settings.http_server

HTTP server settings

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.settings.http_server.port

HTTP server listen port

Type: string

Default: ":3333"

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.settings.postgres

PostgreSQL database configuration

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.settings.postgres.host

Address, hostname or Unix socket path of the database server

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.settings.postgres.name

Database name to connect to

Type: string

Default: "bitmagnet"

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.settings.postgres.password

Password for database user

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.settings.postgres.user

User to connect as

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.useLocalPostgresDB

Use a local postgresql database, create user and database

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitmagnet.user

User running bitmagnet

Type: string

Default: "bitmagnet"

Declared by:

<nixpkgs/nixos/modules/services/torrent/bitmagnet.nix>
services.bitwarden-directory-connector-cli.enable

Whether to enable Bitwarden Directory Connector.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.package

The bitwarden-directory-connector-cli package to use.

Type: package

Default: pkgs.bitwarden-directory-connector-cli

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.domain

The domain the Bitwarden/Vaultwarden is accessible on.

Type: string

Example: "https://vaultwarden.example.com"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.interval

The interval when to run the connector. This uses systemd’s OnCalendar syntax.

Type: string

Default: "*:0,15,30,45"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.ldap

Options to configure the LDAP connection. If you used the desktop application to test the configuration you can find the settings by searching for ldap in ~/.config/Bitwarden\ Directory\ Connector/data.json.

Type: attribute set of (JSON value)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.ldap.ad

Whether the LDAP Server is an Active Directory.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.ldap.hostname

The host the LDAP is accessible on.

Type: string

Example: "ldap.example.com"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.ldap.pagedSearch

Whether the LDAP server paginates search results.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.ldap.port

Port LDAP is accessible on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 389

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.ldap.rootPath

Root path for LDAP.

Type: string

Example: "dc=example,dc=com"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.ldap.ssl

Whether to use TLS.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.ldap.startTls

Whether to use STARTTLS.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.ldap.username

The user to authenticate as.

Type: string

Example: "cn=admin,dc=example,dc=com"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.secrets.bitwarden.client_path_id

Path to file that contains Client ID.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.secrets.bitwarden.client_path_secret

Path to file that contains Client Secret.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.secrets.ldap

Path to file that contains LDAP password for user in {option}`ldap.username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync

Options to configure what gets synced. If you used the desktop application to test the configuration you can find the settings by searching for sync in ~/.config/Bitwarden\ Directory\ Connector/data.json.

Type: attribute set of (JSON value)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.creationDateAttribute

Attribute that lists a user’s creation date.

Type: string

Example: "whenCreated"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.emailPrefixAttribute

The attribute that contains the users username.

Type: string

Example: "accountName"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.emailSuffix

Suffix for the email, normally @example.com.

Type: string

Example: "@example.com"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.groupFilter

LDAP filter for groups.

Type: string

Default: ""

Example: "(cn=sales)"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.groupNameAttribute

Attribute for a name of group.

Type: string

Default: "cn"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.groupObjectClass

A class that groups will have.

Type: string

Default: "groupOfNames"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.groupPath

Group directory, relative to root.

Type: string

Default: "ou=groups"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.groups

Whether to sync ldap groups into BitWarden.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.largeImport

Enable if you are syncing more than 2000 users/groups.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.memberAttribute

Attribute that lists members in a LDAP group.

Type: string

Example: "uniqueMember"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.overwriteExisting

Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.removeDisabled

Remove users from bitwarden groups if no longer in the ldap group.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.useEmailPrefixSuffix

If a user has no email address, combine a username prefix with a suffix value to form an email.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.userEmailAttribute

Attribute for a users email.

Type: string

Default: "mail"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.userFilter

LDAP filter for users.

Type: string

Default: ""

Example: "(memberOf=cn=sales,ou=groups,dc=example,dc=com)"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.userObjectClass

Class that users must have.

Type: string

Default: "inetOrgPerson"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.userPath

User directory, relative to root.

Type: string

Default: "ou=users"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.sync.users

Sync users.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.bitwarden-directory-connector-cli.user

User to run the program.

Type: string

Default: "bwdc"

Declared by:

<nixpkgs/nixos/modules/services/security/bitwarden-directory-connector-cli.nix>
services.blackfire-agent.enable

Whether to enable Blackfire profiler agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/development/blackfire.nix>
services.blackfire-agent.settings

See https://blackfire.io/docs/up-and-running/configuration/agent

Type: attribute set of string

Declared by:

<nixpkgs/nixos/modules/services/development/blackfire.nix>
services.blackfire-agent.settings.server-id

Sets the server id used to authenticate with Blackfire

You can find your personal server-id at https://blackfire.io/my/settings/credentials

Type: string

Declared by:

<nixpkgs/nixos/modules/services/development/blackfire.nix>
services.blackfire-agent.settings.server-token

Sets the server token used to authenticate with Blackfire

You can find your personal server-token at https://blackfire.io/my/settings/credentials

Type: string

Declared by:

<nixpkgs/nixos/modules/services/development/blackfire.nix>
services.blendfarm.enable

Whether to enable Blendfarm, a render farm management software for Blender.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/blenderfarm.nix>
services.blendfarm.package

The blendfarm package to use.

Type: package

Default: pkgs.blendfarm

Declared by:

<nixpkgs/nixos/modules/services/misc/blenderfarm.nix>
services.blendfarm.basicSecurityPasswordFile

Path to the password file the client needs to connect to the server. The password must not contain a forward slash.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/blenderfarm.nix>
services.blendfarm.blenderPackage

The blender package to use.

Type: package

Default: pkgs.blender

Declared by:

<nixpkgs/nixos/modules/services/misc/blenderfarm.nix>
services.blendfarm.group

Group under which blendfarm runs.

Type: string

Default: "blendfarm"

Declared by:

<nixpkgs/nixos/modules/services/misc/blenderfarm.nix>
services.blendfarm.openFirewall

Whether to enable allowing blendfarm network access through the firewall.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/blenderfarm.nix>
services.blendfarm.serverConfig

Server configuration

Type: attribute set of anything

Default:

{
  BasicSecurityPassword = null;
  BroadcastPort = 16342;
  BypassScriptUpdate = false;
  Port = 15000;
}

Declared by:

<nixpkgs/nixos/modules/services/misc/blenderfarm.nix>
services.blendfarm.serverConfig.BroadcastPort

Default port blendfarm server advertises itself on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 16342

Declared by:

<nixpkgs/nixos/modules/services/misc/blenderfarm.nix>
services.blendfarm.serverConfig.BypassScriptUpdate

Prevents blendfarm from replacing the .py self-generated scripts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/blenderfarm.nix>
services.blendfarm.serverConfig.Port

Default port blendfarm server listens on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 15000

Declared by:

<nixpkgs/nixos/modules/services/misc/blenderfarm.nix>
services.blendfarm.user

User under which blendfarm runs.

Type: string

Default: "blendfarm"

Declared by:

<nixpkgs/nixos/modules/services/misc/blenderfarm.nix>
services.blockbook-frontend

Specification of one or more blockbook-frontend instances.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.enable

Whether to enable blockbook-frontend application.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.package

The blockbook package to use.

Type: package

Default: pkgs.blockbook

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.certFile

To enable SSL, specify path to the name of certificate files without extension. Expecting certFile.crt and certFile.key.

Type: null or path

Default: null

Example: "/etc/secrets/blockbook-frontend-‹name›/certFile"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.coinName

See https://github.com/trezor/blockbook/blob/master/bchain/coins/blockchain.go#L61 for current of coins supported in master (Note: may differ from release).

Type: string

Default: "Bitcoin"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.configFile

Location of the blockbook configuration file.

Type: null or path

Default: null

Example: "/var/lib/blockbook-frontend-‹name›/config.json"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.cssDir

Location of the dir with main.css CSS file. By default, the one shipped with the package is used.

Type: path

Default: "${package}/share/css/"

Example: "${dataDir}/static/css/"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.dataDir

Location of blockbook-frontend-‹name› data directory.

Type: path

Default: "/var/lib/blockbook-frontend-‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.debug

Debug mode, return more verbose errors, reload templates on each request.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.extraCmdLineOptions

Extra command line options to pass to Blockbook. Run blockbook --help to list all available options.

Type: list of string

Default: [ ]

Example:

[
  "-workers=1"
  "-dbcache=0"
  "-logtosderr"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.extraConfig

Additional configurations to be appended to coin.conf. Overrides any already defined configuration options. See https://github.com/trezor/blockbook/tree/master/configs/coins for current configuration options supported in master (Note: may differ from release).

Type: attribute set

Default: { }

Example:

{
         "alternative_estimate_fee" = "whatthefee-disabled";
         "alternative_estimate_fee_params" = "{\"url\": \"https://whatthefee.io/data.json\", \"periodSeconds\": 60}";
         "fiat_rates" = "coingecko";
         "fiat_rates_params" = "{\"url\": \"https://api.coingecko.com/api/v3\", \"coin\": \"bitcoin\", \"periodSeconds\": 60}";
         "coin_shortcut" = "BTC";
         "coin_label" = "Bitcoin";
         "parse" = true;
         "subversion" = "";
         "address_format" = "";
         "xpub_magic" = 76067358;
         "xpub_magic_segwit_p2sh" = 77429938;
         "xpub_magic_segwit_native" = 78792518;
         "mempool_workers" = 8;
         "mempool_sub_workers" = 2;
         "block_addresses_to_keep" = 300;
       }

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.group

The group as which to run blockbook-frontend-‹name›.

Type: string

Default: "blockbook-frontend-‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.internal

Internal http server binding [address]:port.

Type: null or string

Default: ":9030"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.messageQueueBinding

Message Queue Binding address:port.

Type: string

Default: "tcp://127.0.0.1:38330"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.public

Public http server binding [address]:port.

Type: null or string

Default: ":9130"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.rpc.password

RPC password for JSON-RPC connections. Warning: this is stored in cleartext in the Nix store!!! Use configFile or passwordFile if needed.

Type: string

Default: "rpc"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.rpc.passwordFile

File containing password of the RPC user. Note: This options is ignored when configFile is used.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.rpc.port

Port for JSON-RPC connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8030

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.rpc.url

URL for JSON-RPC connections.

Type: string

Default: "http://127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.rpc.user

Username for JSON-RPC connections.

Type: string

Default: "rpc"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.sync

Synchronizes until tip, if together with zeromq, keeps index synchronized.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.templateDir

Location of the HTML templates. By default, ones shipped with the package are used.

Type: path

Default: "${package}/share/templates/"

Example: "${dataDir}/templates/static/"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blockbook-frontend.<name>.user

The user as which to run blockbook-frontend-‹name›.

Type: string

Default: "blockbook-frontend-‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/blockbook-frontend.nix>
services.blocky.enable

Whether to enable blocky, a fast and lightweight DNS proxy as ad-blocker for local network with many features.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/blocky.nix>
services.blocky.package

The blocky package to use.

Type: package

Default: pkgs.blocky

Declared by:

<nixpkgs/nixos/modules/services/networking/blocky.nix>
services.blocky.settings

Blocky configuration. Refer to https://0xerr0r.github.io/blocky/configuration/ for details on supported values.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/blocky.nix>
services.bloop.extraOptions

Specifies additional command line argument to pass to bloop java process.

Type: list of string

Default: [ ]

Example:

[
  "-J-Xmx2G"
  "-J-XX:MaxInlineLevel=20"
  "-J-XX:+UseParallelGC"
]

Declared by:

<nixpkgs/nixos/modules/services/development/bloop.nix>
services.bloop.install

Whether to install a user service for the Bloop server.

The service must be manually started for each user with “systemctl --user start bloop”.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/development/bloop.nix>
services.blueman.enable

Whether to enable blueman, a bluetooth manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/blueman.nix>
services.bluemap.enable

Whether to enable bluemap.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.enableNginx

Enable configuring a virtualHost for serving the bluemap webapp

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.enableRender

Enable rendering

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.addons

A set of jar addons to be loaded.

See https://bluemap.bluecolored.de/3rdPartySupport.html for a list of officially recognized addons.

Type: attribute set of path in the Nix store

Default: { }

Example:

{
  blueBridge = ./blueBridge.jar;
  blueBorder = pkgs.fetchurl {
    url = "https://github.com/pop4959/BlueBorder/releases/download/1.1.1/BlueBorder-1.1.1.jar";
    hash = "...";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.coreSettings

Settings for the core.conf file, see upstream docs.

Type: HOCON value

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.coreSettings.data

Folder for where bluemap stores its data

Type: path

Default: "/var/lib/bluemap"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.coreSettings.metrics

Whether to enable Sending usage metrics containing the version of bluemap in use.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.defaultWorld

The world used by the default map ruleset. If you configure your own maps you do not need to set this.

Type: path

Example: ${config.services.minecraft.dataDir}/world

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.eula

By changing this option to true you confirm that you own a copy of minecraft Java Edition, and that you agree to minecrafts EULA.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.host

Domain on which nginx will serve the bluemap webapp

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.maps

Settings for files in maps/. If you define anything here you must define everything yourself. See the default for an example with good options for the different world types. For valid values consult upstream docs.

Type: attribute set of (HOCON value)

Default:

{
  "overworld" = {
    world = "${cfg.defaultWorld}";
    ambient-light = 0.1;
    cave-detection-ocean-floor = -5;
  };

  "nether" = {
    world = "${cfg.defaultWorld}/DIM-1";
    sorting = 100;
    sky-color = "#290000";
    void-color = "#150000";
    ambient-light = 0.6;
    world-sky-light = 0;
    remove-caves-below-y = -10000;
    cave-detection-ocean-floor = -5;
    cave-detection-uses-block-light = true;
    max-y = 90;
  };

  "end" = {
    world = "${cfg.defaultWorld}/DIM1";
    sorting = 200;
    sky-color = "#080010";
    void-color = "#080010";
    ambient-light = 0.6;
    world-sky-light = 0;
    remove-caves-below-y = -10000;
    cave-detection-ocean-floor = -5;
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.maps.<name>.world

Path to world folder containing the dimension to render

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.onCalendar

How often to trigger rendering the map, in the format of a systemd timer onCalendar configuration. See systemd.timer(5).

Type: string

Default: "*-*-* 03:10:00"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.packs

A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order.

Type: attribute set of path in the Nix store

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.storage

Where the rendered map will be stored. Unless you are doing something advanced you should probably leave this alone and configure webRoot instead. See upstream docs

Type: attribute set of (HOCON value)

Default:

{
  "file" = {
    root = "${config.services.bluemap.webRoot}/maps";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.storage.<name>.storage-type

Type of storage config

Type: one of “FILE”, “SQL”

Default: "FILE"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.webRoot

The directory for saving and serving the webapp and the maps

Type: path

Default: "/var/lib/bluemap/web"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.webappSettings

Settings for the webapp.conf file, see upstream docs.

Type: HOCON value

Default:

{
  enabled = true;
  webroot = config.services.bluemap.webRoot;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.webserverSettings

Settings for the webserver.conf file, usually not required. See upstream docs.

Type: HOCON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.bluemap.webserverSettings.enabled

Enable bluemap’s built-in webserver. Disabled by default in nixos for use of nginx directly.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bluemap.nix>
services.boinc.enable

Whether to enable the BOINC distributed computing client. If this option is set to true, the boinc_client daemon will be run as a background service. The boinccmd command can be used to control the daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/computing/boinc/client.nix>
services.boinc.package

The boinc package to use.

Type: package

Default: pkgs.boinc

Example: boinc-headless

Declared by:

<nixpkgs/nixos/modules/services/computing/boinc/client.nix>
services.boinc.allowRemoteGuiRpc

If set to true, any remote host can connect to and control this BOINC client (subject to password authentication). If instead set to false, only the hosts listed in dataDir/remote_hosts.cfg will be allowed to connect.

See also: https://boinc.berkeley.edu/wiki/Controlling_BOINC_remotely#Remote_access

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/computing/boinc/client.nix>
services.boinc.dataDir

The directory in which to store BOINC’s configuration and data files.

Type: path

Default: "/var/lib/boinc"

Declared by:

<nixpkgs/nixos/modules/services/computing/boinc/client.nix>
services.boinc.extraEnvPackages

Additional packages to make available in the environment in which BOINC will run. Common choices are:

  • pkgs.virtualbox: The VirtualBox virtual machine framework. Required by some BOINC projects, such as ATLAS@home.

  • pkgs.ocl-icd: OpenCL infrastructure library. Required by BOINC projects that use OpenCL, in addition to a device-specific OpenCL driver.

  • pkgs.linuxPackages.nvidia_x11: Provides CUDA libraries. Required by BOINC projects that use CUDA. Note that this requires an NVIDIA graphics device to be present on the system.

    Also provides OpenCL drivers for NVIDIA GPUs; pkgs.ocl-icd is also needed in this case.

Type: list of package

Default: [ ]

Example: [ pkgs.virtualbox ]

Declared by:

<nixpkgs/nixos/modules/services/computing/boinc/client.nix>
services.bookstack.enable

Whether to enable BookStack.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.package

The bookstack package to use.

Type: package

Default: pkgs.bookstack

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.appKeyFile

A file containing the Laravel APP_KEY - a 32 character long, base64 encoded key used for encryption where needed. Can be generated with head -c 32 /dev/urandom | base64.

Type: path

Example: "/run/keys/bookstack-appkey"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.appURL

The root URL that you want to host BookStack on. All URLs in BookStack will be generated using this value. If you change this in the future you may need to run a command to update stored URLs in the database. Command example: php artisan bookstack:update-url https://old.example.com https://new.example.com

Type: string

Default: "http\${lib.optionalString tlsEnabled \"s\"}://\${cfg.hostname}"

Example: "https://example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.config

BookStack configuration options to set in the .env file.

Refer to https://www.bookstackapp.com/docs/ for details on supported values.

Settings containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting .env file, the OIDC_CLIENT_SECRET key will be set to the contents of the /run/keys/oidc_secret file.

Type: attribute set of (null or boolean or signed integer or 16 bit unsigned integer; between 0 and 65535 (both inclusive) or path or string or (submodule))

Default: { }

Example:

{
  ALLOWED_IFRAME_HOSTS = "https://example.com";
  WKHTMLTOPDF = "/home/user/bins/wkhtmltopdf";
  AUTH_METHOD = "oidc";
  OIDC_NAME = "MyLogin";
  OIDC_DISPLAY_NAME_CLAIMS = "name";
  OIDC_CLIENT_ID = "bookstack";
  OIDC_CLIENT_SECRET = {_secret = "/run/keys/oidc_secret"};
  OIDC_ISSUER = "https://keycloak.example.com/auth/realms/My%20Realm";
  OIDC_ISSUER_DISCOVER = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.dataDir

BookStack data directory

Type: path

Default: "/var/lib/bookstack"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.database.createLocally

Create the database and database user locally.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.database.name

Database name.

Type: string

Default: "bookstack"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/bookstack-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.database.user

Database username.

Type: string

Default: user

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.group

Group bookstack runs as.

Type: string

Default: "bookstack"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.hostname

The hostname to serve BookStack on.

Type: string

Default: config.networking.fqdnOrHostName

Example: "bookstack.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.mail.driver

Mail driver to use.

Type: one of “smtp”, “sendmail”

Default: "smtp"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.mail.encryption

SMTP encryption mechanism to use.

Type: null or value “tls” (singular enum)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.mail.from

Mail “from” email.

Type: string

Default: "mail@bookstackapp.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.mail.fromName

Mail “from” name.

Type: string

Default: "BookStack"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.mail.host

Mail host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.mail.passwordFile

A file containing the password corresponding to mail.user.

Type: null or path

Default: null

Example: "/run/keys/bookstack-mailpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.mail.port

Mail host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1025

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.mail.user

Mail username.

Type: null or string

Default: null

Example: "bookstack"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.maxUploadSize

The maximum size for uploads (e.g. images).

Type: string

Default: "18M"

Example: "1G"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx

With this option, you can customize the nginx virtualHost settings.

Type: submodule

Default: { }

Example:

{
  serverAliases = [
    "bookstack.${config.networking.domain}"
  ];
  # To enable encryption and let let's encrypt take care of certificate
  forceSSL = true;
  enableACME = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.poolConfig

Options for the bookstack PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.bookstack.user

User bookstack runs as.

Type: string

Default: "bookstack"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/bookstack.nix>
services.borgbackup.package

The borgbackup package to use.

Type: package

Default: pkgs.borgbackup

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs

Deduplicating backups using BorgBackup. Adding a job will cause a borg-job-NAME wrapper to be added to your system path, so that you can perform maintenance easily. See also the chapter about BorgBackup in the NixOS manual.

Type: attribute set of (submodule)

Default: { }

Example:

  { # for a local backup
    rootBackup = {
      paths = "/";
      exclude = [ "/nix" ];
      repo = "/path/to/local/repo";
      encryption = {
        mode = "repokey";
        passphrase = "secret";
      };
      compression = "auto,lzma";
      startAt = "weekly";
    };
  }
  { # Root backing each day up to a remote backup server. We assume that you have
    #   * created a password less key: ssh-keygen -N "" -t ed25519 -f /path/to/ssh_key
    #     best practices are: use -t ed25519, /path/to = /run/keys
    #   * the passphrase is in the file /run/keys/borgbackup_passphrase
    #   * you have initialized the repository manually
    paths = [ "/etc" "/home" ];
    exclude = [ "/nix" "'**/.cache'" ];
    doInit = false;
    repo =  "user3@arep.repo.borgbase.com:repo";
    encryption = {
      mode = "repokey-blake2";
      passCommand = "cat /path/to/passphrase";
    };
    environment = { BORG_RSH = "ssh -i /path/to/ssh_key"; };
    compression = "auto,lzma";
    startAt = "daily";
};

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.appendFailedSuffix

Append a .failed suffix to the archive name, which is only removed if borg create has a zero exit status.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.archiveBaseName

How to name the created archives. A timestamp, whose format is determined by dateFormat, will be appended. The full name can be modified at runtime ($archiveName). Placeholders like {hostname} must not be used. Use null for no base name.

Type: null or string matching the pattern [^/{}]+

Default: "${config.networking.hostName}-<name>"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.compression

Compression method to use. Refer to borg help compression for all available options.

Type: string matching the pattern none|(auto,)?(lz4|zstd|zlib|lzma)(,[[:digit:]]{1,2})?

Default: "lz4"

Example: "auto,lzma"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.dateFormat

Arguments passed to date to create a timestamp suffix for the archive name.

Type: string

Default: "+%Y-%m-%dT%H:%M:%S"

Example: "-u +%s"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.doInit

Run borg init if the specified repo does not exist. You should set this to false if the repository is located on an external drive that might not always be mounted.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.dumpCommand

Backup the stdout of this program instead of filesystem paths. Mutually exclusive with paths.

Type: null or path

Default: null

Example: "/path/to/createZFSsend.sh"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.encryption.mode

Encryption mode to use. Setting a mode other than "none" requires you to specify a passCommand or a passphrase.

Type: one of “repokey”, “keyfile”, “repokey-blake2”, “keyfile-blake2”, “authenticated”, “authenticated-blake2”, “none”

Example: "repokey-blake2"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.encryption.passCommand

A command which prints the passphrase to stdout. Mutually exclusive with passphrase.

Type: null or string

Default: null

Example: "cat /path/to/passphrase_file"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.encryption.passphrase

The passphrase the backups are encrypted with. Mutually exclusive with passCommand. If you do not want the passphrase to be stored in the world-readable Nix store, use passCommand.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.environment

Environment variables passed to the backup script. You can for example specify which SSH key to use.

Type: attribute set of string

Default: { }

Example:

{
  BORG_RSH = "ssh -i /path/to/key";
}

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.exclude

Exclude paths matching any of the given patterns. See borg help patterns for pattern syntax.

Type: list of string

Default: [ ]

Example:

[
  "/home/*/.cache"
  "/nix"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.extraArgs

Additional arguments for all borg calls the service has. Handle with care.

Type: string or (list of string) convertible to it

Default: [ ]

Example:

[
  "--remote-path=/path/to/borg"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.extraCompactArgs

Additional arguments for borg compact. Can also be set at runtime using $extraCompactArgs.

Type: string or (list of string) convertible to it

Default: [ ]

Example:

[
  "--cleanup-commits"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.extraCreateArgs

Additional arguments for borg create. Can also be set at runtime using $extraCreateArgs.

Type: string or (list of string) convertible to it

Default: [ ]

Example:

[
  "--stats"
  "--checkpoint-interval 600"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.extraInitArgs

Additional arguments for borg init. Can also be set at runtime using $extraInitArgs.

Type: string or (list of string) convertible to it

Default: [ ]

Example:

[
  "--append-only"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.extraPruneArgs

Additional arguments for borg prune. Can also be set at runtime using $extraPruneArgs.

Type: string or (list of string) convertible to it

Default: [ ]

Example:

[
  "--save-space"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.failOnWarnings

Fail the whole backup job if any borg command returns a warning (exit code 1), for example because a file changed during backup.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.group

The group borg is run as. User or group needs read permission for the specified paths.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.inhibitsSleep

Prevents the system from sleeping while backing up.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.paths

Path(s) to back up. Mutually exclusive with dumpCommand.

Type: null or ((list of string) or string convertible to it)

Default: null

Example: "/home/user"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.patterns

Include/exclude paths matching the given patterns. The first matching patterns is used, so if an include pattern (prefix +) matches before an exclude pattern (prefix -), the file is backed up. See borg help patterns for pattern syntax.

Type: list of string

Default: [ ]

Example:

[
  "+ /home/susan"
  "- /home/*"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.persistentTimer

Set the Persistent option for the systemd.timer(5) which triggers the backup immediately if the last trigger was missed (e.g. if the system was powered down).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.postCreate

Shell commands to run after borg create. The name of the created archive is stored in $archiveName.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.postHook

Shell commands to run just before exit. They are executed even if a previous command exits with a non-zero exit code. The latter is available as $exitStatus.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.postInit

Shell commands to run after borg init.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.postPrune

Shell commands to run after borg prune.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.preHook

Shell commands to run before the backup. This can for example be used to mount file systems.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  # To add excluded paths at runtime
  extraCreateArgs="$extraCreateArgs --exclude /some/path"
''

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.privateTmp

Set the PrivateTmp option for the systemd-service. Set to false if you need sockets or other files from global /tmp.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.prune.keep

Prune a repository by deleting all archives not matching any of the specified retention options. See borg help prune for the available options.

Type: attribute set of (signed integer or string matching the pattern [[:digit:]]+[Hdwmy])

Default: { }

Example:

{
  within = "1d"; # Keep all archives from the last day
  daily = 7;
  weekly = 4;
  monthly = -1;  # Keep at least one archive for each month
}

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.prune.prefix

Only consider archive names starting with this prefix for pruning. By default, only archives created by this job are considered. Use "" or null to consider all archives.

Type: null or string

Default: archiveBaseName

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.readWritePaths

By default, borg cannot write anywhere on the system but $HOME/.config/borg and $HOME/.cache/borg. If, for example, your preHook script needs to dump files somewhere, put those directories here.

Type: list of path

Default: [ ]

Example:

[
  "/var/backup/mysqldump"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.removableDevice

Whether the repo (which must be local) is a removable device.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.repo

Remote or local repository to back up to.

Type: string

Example: "user@machine:/path/to/repo"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.startAt

When or how often the backup should run. Must be in the format described in systemd.time(7). If you do not want the backup to start automatically, use [ ]. It will generate a systemd service borgbackup-job-NAME. You may trigger it manually via systemctl restart borgbackup-job-NAME.

Type: string or list of string

Default: "daily"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.jobs.<name>.user

The user borg is run as. User or group need read permission for the specified paths.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.repos

Serve BorgBackup repositories to given public SSH keys, restricting their access to the repository only. See also the chapter about BorgBackup in the NixOS manual. Also, clients do not need to specify the absolute path when accessing the repository, i.e. user@machine:. is enough. (Note colon and dot.)

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.repos.<name>.allowSubRepos

Allow clients to create repositories in subdirectories of the specified path. These can be accessed using user@machine:path/to/subrepo. Note that a quota applies to repositories independently. Therefore, if this is enabled, clients can create multiple repositories and upload an arbitrary amount of data.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.repos.<name>.authorizedKeys

Public SSH keys that are given full write access to this repository. You should use a different SSH key for each repository you write to, because the specified keys are restricted to running borg serve and can only access this single repository.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.repos.<name>.authorizedKeysAppendOnly

Public SSH keys that can only be used to append new data (archives) to the repository. Note that archives can still be marked as deleted and are subsequently removed from disk upon accessing the repo with full write access, e.g. when pruning.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.repos.<name>.group

The group borg serve is run as. User or group needs write permission for the specified path.

Type: string

Default: "borg"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.repos.<name>.path

Where to store the backups. Note that the directory is created automatically, with correct permissions.

Type: path

Default: "/var/lib/borgbackup"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.repos.<name>.quota

Storage quota for the repository. This quota is ensured for all sub-repositories if allowSubRepos is enabled but not for the overall storage space used.

Type: null or string matching the pattern [[:digit:].]+[KMGTP]?

Default: null

Example: "100G"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgbackup.repos.<name>.user

The user borg serve is run as. User or group needs write permission for the specified path.

Type: string

Default: "borg"

Declared by:

<nixpkgs/nixos/modules/services/backup/borgbackup.nix>
services.borgmatic.enable

Whether to enable borgmatic.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/borgmatic.nix>
services.borgmatic.enableConfigCheck

Whether to enable checking all configurations during build time.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/borgmatic.nix>
services.borgmatic.configurations

Set of borgmatic configurations, see https://torsion.org/borgmatic/docs/reference/configuration/

Type: attribute set of (YAML value)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/borgmatic.nix>
services.borgmatic.configurations.<name>.repositories

A required list of local or remote repositories with paths and optional labels (which can be used with the --repository flag to select a repository). Tildes are expanded. Multiple repositories are backed up to in sequence. Borg placeholders can be used. See the output of “borg help placeholders” for details. See ssh_command for SSH options like identity file or port. If systemd service is used, then add local repository paths in the systemd service file to the ReadWritePaths list.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    label = "backupserver";
    path = "ssh://user@backupserver/./sourcehostname.borg";
  }
  {
    label = "local";
    path = "/mnt/backup";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgmatic.nix>
services.borgmatic.configurations.<name>.repositories.*.label

Label to the repository

Type: string

Declared by:

<nixpkgs/nixos/modules/services/backup/borgmatic.nix>
services.borgmatic.configurations.<name>.repositories.*.path

Path to the repository

Type: string

Declared by:

<nixpkgs/nixos/modules/services/backup/borgmatic.nix>
services.borgmatic.configurations.<name>.source_directories

List of source directories and files to backup. Globs and tildes are expanded. Do not backslash spaces in path names.

Type: list of string

Default: [ ]

Example:

[
  "/home"
  "/etc"
  "/var/log/syslog*"
  "/home/user/path with spaces"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgmatic.nix>
services.borgmatic.settings

See https://torsion.org/borgmatic/docs/reference/configuration/

Type: null or (YAML value)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/borgmatic.nix>
services.borgmatic.settings.repositories

A required list of local or remote repositories with paths and optional labels (which can be used with the --repository flag to select a repository). Tildes are expanded. Multiple repositories are backed up to in sequence. Borg placeholders can be used. See the output of “borg help placeholders” for details. See ssh_command for SSH options like identity file or port. If systemd service is used, then add local repository paths in the systemd service file to the ReadWritePaths list.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    label = "backupserver";
    path = "ssh://user@backupserver/./sourcehostname.borg";
  }
  {
    label = "local";
    path = "/mnt/backup";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgmatic.nix>
services.borgmatic.settings.repositories.*.label

Label to the repository

Type: string

Declared by:

<nixpkgs/nixos/modules/services/backup/borgmatic.nix>
services.borgmatic.settings.repositories.*.path

Path to the repository

Type: string

Declared by:

<nixpkgs/nixos/modules/services/backup/borgmatic.nix>
services.borgmatic.settings.source_directories

List of source directories and files to backup. Globs and tildes are expanded. Do not backslash spaces in path names.

Type: list of string

Default: [ ]

Example:

[
  "/home"
  "/etc"
  "/var/log/syslog*"
  "/home/user/path with spaces"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/borgmatic.nix>
services.bosun.enable

Whether to enable bosun.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/bosun.nix>
services.bosun.package

The bosun package to use.

Type: package

Default: pkgs.bosun

Declared by:

<nixpkgs/nixos/modules/services/monitoring/bosun.nix>
services.bosun.checkFrequency

Bosun’s check frequency

Type: string

Default: "5m"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/bosun.nix>
services.bosun.extraConfig

Extra configuration options for Bosun. You should describe your desired templates, alerts, macros, etc through this configuration option.

A detailed description of the supported syntax can be found at-spi2-atk https://bosun.org/configuration.html

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/bosun.nix>
services.bosun.group

Group account under which bosun runs.

Type: string

Default: "bosun"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/bosun.nix>
services.bosun.influxHost

Host and port of the influxdb database.

Type: null or string

Default: null

Example: "localhost:8086"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/bosun.nix>
services.bosun.ledisDir

Path to bosun’s ledis data dir

Type: path

Default: "/var/lib/bosun/ledis_data"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/bosun.nix>
services.bosun.listenAddress

The host address and port that bosun’s web interface will listen on.

Type: string

Default: ":8070"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/bosun.nix>
services.bosun.opentsdbHost

Host and port of the OpenTSDB database that stores bosun data. To disable opentsdb you can pass null as parameter.

Type: null or string

Default: "localhost:4242"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/bosun.nix>
services.bosun.stateFile

Path to bosun’s state file.

Type: path

Default: "/var/lib/bosun/bosun.state"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/bosun.nix>
services.bosun.user

User account under which bosun runs.

Type: string

Default: "bosun"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/bosun.nix>
services.botamusique.enable

Whether to enable botamusique, a bot to play audio streams on mumble.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/botamusique.nix>
services.botamusique.package

The botamusique package to use.

Type: package

Default: pkgs.botamusique

Declared by:

<nixpkgs/nixos/modules/services/audio/botamusique.nix>
services.botamusique.settings

Your configuration.ini as a Nix attribute set. Look up possible options in the configuration.example.ini.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/audio/botamusique.nix>
services.botamusique.settings.bot.comment

Comment displayed for the bot.

Type: string

Default: "Hi, I'm here to play radio, local music or youtube/soundcloud music. Have fun!"

Declared by:

<nixpkgs/nixos/modules/services/audio/botamusique.nix>
services.botamusique.settings.bot.username

Name the bot should appear with.

Type: string

Default: "botamusique"

Declared by:

<nixpkgs/nixos/modules/services/audio/botamusique.nix>
services.botamusique.settings.server.host

Hostname of the mumble server to connect to.

Type: string

Default: "localhost"

Example: "mumble.example.com"

Declared by:

<nixpkgs/nixos/modules/services/audio/botamusique.nix>
services.botamusique.settings.server.port

Port of the mumble server to connect to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 64738

Declared by:

<nixpkgs/nixos/modules/services/audio/botamusique.nix>
services.bpftune.enable

Whether to enable bpftune BPF driven auto-tuning.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/system/bpftune.nix>
services.bpftune.package

The bpftune package to use.

Type: package

Default: pkgs.bpftune

Declared by:

<nixpkgs/nixos/modules/services/system/bpftune.nix>
services.brltty.enable

Whether to enable the BRLTTY daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/brltty.nix>
services.btrbk.extraPackages

Extra packages for btrbk, like compression utilities for stream_compress.

Note: This option will get deprecated in future releases. Required compression programs will get automatically provided to btrbk depending on configured compression method in services.btrbk.instances.<name>.settings option.

Type: list of package

Default: [ ]

Example: [ pkgs.xz ]

Declared by:

<nixpkgs/nixos/modules/services/backup/btrbk.nix>
services.btrbk.instances

Set of btrbk instances. The instance named btrbk is the default one.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/btrbk.nix>
services.btrbk.instances.<name>.onCalendar

How often this btrbk instance is started. See systemd.time(7) for more information about the format. Setting it to null disables the timer, thus this instance can only be started manually.

Type: null or string

Default: "daily"

Declared by:

<nixpkgs/nixos/modules/services/backup/btrbk.nix>
services.btrbk.instances.<name>.settings

configuration options for btrbk. Nested attrsets translate to subsections.

Type: attribute set of (string or instances of this type recursively)

Default: { }

Example:

{
  snapshot_preserve = "14d";
  snapshot_preserve_min = "2d";
  volume = {
    "/mnt/btr_pool" = {
      subvolume = {
        home = {
          snapshot_create = "always";
        };
        rootfs = { };
      };
      target = "/mnt/btr_backup/mylaptop";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/backup/btrbk.nix>
services.btrbk.instances.<name>.settings.stream_compress

Compress the btrfs send stream before transferring it from/to remote locations using a compression command.

Type: one of “gzip”, “pigz”, “bzip2”, “pbzip2”, “bzip3”, “xz”, “lzo”, “lz4”, “zstd”, “no”

Default: "no"

Declared by:

<nixpkgs/nixos/modules/services/backup/btrbk.nix>
services.btrbk.ioSchedulingClass

IO scheduling class for btrbk (see ionice(1) for a quick description). Applies to local instances, and remote ones connecting by ssh if set to idle.

Type: one of “idle”, “best-effort”, “realtime”

Default: "best-effort"

Declared by:

<nixpkgs/nixos/modules/services/backup/btrbk.nix>
services.btrbk.niceness

Niceness for local instances of btrbk. Also applies to remote ones connecting via ssh when positive.

Type: integer between -20 and 19 (both inclusive)

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/backup/btrbk.nix>
services.btrbk.sshAccess

SSH keys that should be able to make or push snapshots on this system remotely with btrbk

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/btrbk.nix>
services.btrbk.sshAccess.*.key

SSH public key allowed to login as user btrbk to run remote backups.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/backup/btrbk.nix>
services.btrbk.sshAccess.*.roles

What actions can be performed with this SSH key. See ssh_filter_btrbk(1) for details

Type: list of (one of “info”, “source”, “target”, “delete”, “snapshot”, “send”, “receive”)

Example:

[
  "source"
  "info"
  "send"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/btrbk.nix>
services.btrfs.autoScrub.enable

Whether to enable regular btrfs scrub.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/btrfs.nix>
services.btrfs.autoScrub.fileSystems

List of paths to btrfs filesystems to regularly call btrfs scrub on. Defaults to all mount points with btrfs filesystems. Note that if you have filesystems that span multiple devices (e.g. RAID), you should take care to use the same device for any given mount point and let btrfs take care of automatically mounting the rest, in order to avoid scrubbing the same data multiple times.

Type: list of path

Example:

[
  "/"
]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/btrfs.nix>
services.btrfs.autoScrub.interval

Systemd calendar expression for when to scrub btrfs filesystems. The recommended period is a month but could be less (btrfs-scrub(8)). See systemd.time(7) for more information on the syntax.

Type: string

Default: "monthly"

Example: "weekly"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/btrfs.nix>
services.buffyboard.enable

Whether to enable buffyboard framebuffer keyboard (on-screen keyboard).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/buffyboard.nix>
services.buffyboard.package

The buffybox package to use.

Type: package

Default: pkgs.buffybox

Declared by:

<nixpkgs/nixos/modules/services/hardware/buffyboard.nix>
services.buffyboard.configFile

Path to an INI format configuration file to provide Buffyboard. By default, this is generated from whatever you’ve set in settings. If specified manually, then settings is ignored.

For an example config file see here

Type: path

Default: ini.generate "buffyboard.conf" cfg.settings

Declared by:

<nixpkgs/nixos/modules/services/hardware/buffyboard.nix>
services.buffyboard.extraFlags

Extra CLI arguments to pass to buffyboard.

Type: list of string

Default: [ ]

Example:

[
  "--geometry=1920x1080@640,0"
  "--dpi=192"
  "--rotate=2"
  "--verbose"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/buffyboard.nix>
services.buffyboard.settings

Settings to include in /etc/buffyboard.conf. Every option here is strictly optional: Buffyboard will use its own baked-in defaults for those options left unset.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/hardware/buffyboard.nix>
services.buffyboard.settings.input.pointer

Enable or disable the use of a hardware mouse or other pointing device.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/buffyboard.nix>
services.buffyboard.settings.input.touchscreen

Enable or disable the use of the touchscreen.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/buffyboard.nix>
services.buffyboard.settings.quirks.fbdev_force_refresh

If true and using the framebuffer backend, this triggers a display refresh after every draw operation. This has a negative performance impact.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/buffyboard.nix>
services.buffyboard.settings.theme.default

Selects the default theme on boot. Can be changed at runtime to the alternative theme.

Type: string or one of <null>, “adwaita-dark”, “breezy-dark”, “breezy-light”, “nord-dark”, “nord-light”, “pmos-dark”, “pmos-light”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/buffyboard.nix>
services.buildbot-master.enable

Whether to enable the Buildbot continuous integration server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.package

The buildbot-full package to use.

Type: package

Default: pkgs.buildbot-full

Example: buildbot

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.packages

Packages to add to PATH for the buildbot process.

Type: list of package

Default: [ pkgs.git ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.buildbotDir

Specifies the Buildbot directory.

Type: path

Default: "${config.services.buildbot-master.home}/master"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.buildbotUrl

Specifies the Buildbot URL.

Type: string

Default: "http://localhost:8010/"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.builders

List of Builders.

Type: list of string

Default:

[
  "util.BuilderConfig(name='runtests',workernames=['example-worker'],factory=factory)"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.changeSource

List of Change Sources.

Type: list of string

Default: [ ]

Example:

[
  "changes.GitPoller('https://github.com/buildbot/pyflakes.git', workdir='gitpoller-workdir', branch='master', pollinterval=300)"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.configurators

Configurator Steps, see https://docs.buildbot.net/latest/manual/configuration/configurators.html

Type: list of string

Default: [ ]

Example:

[
  "util.JanitorConfigurator(logHorizon=timedelta(weeks=4), hour=12, dayOfWeek=6)"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.dbUrl

Specifies the database connection string.

Type: string

Default: "sqlite:///state.sqlite"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.extraConfig

Extra configuration to append to master.cfg

Type: strings concatenated with “\n”

Default: "c['buildbotNetUsageData'] = None"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.extraGroups

List of extra groups that the buildbot user should be a part of.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.extraImports

Extra python imports to prepend to master.cfg

Type: strings concatenated with “\n”

Default: ""

Example: "from buildbot.process.project import Project"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.factorySteps

Factory Steps

Type: list of string

Default: [ ]

Example:

[
  "steps.Git(repourl='https://github.com/buildbot/pyflakes.git', mode='incremental')"
  "steps.ShellCommand(command=['trial', 'pyflakes'])"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.group

Primary group of buildbot user.

Type: string

Default: "buildbot"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.home

Buildbot home directory.

Type: path

Default: "/home/buildbot"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.listenAddress

Specifies the bind address on which the buildbot HTTP interface listens.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.masterCfg

Optionally pass master.cfg path. Other options in this configuration will be ignored.

Type: path

Default: generated configuration file

Example: "/etc/nixos/buildbot/master.cfg"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.pbPort

The buildmaster will listen on a TCP port of your choosing for connections from workers. It can also use this port for connections from remote Change Sources, status clients, and debug tools. This port should be visible to the outside world, and you’ll need to tell your worker admins about your choice. If put in (single) quotes, this can also be used as a connection string, as defined in the ConnectionStrings guide.

Type: string or signed integer

Default: 9989

Example: "'tcp:9990:interface=127.0.0.1'"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.port

Specifies port number on which the buildbot HTTP interface listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8010

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.pythonPackages

Packages to add the to the PYTHONPATH of the buildbot process.

Type: function that evaluates to a(n) list of package

Default: pythonPackages: with pythonPackages; [ ]

Example: pythonPackages: with pythonPackages; [ requests ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.reporters

List of reporter objects used to present build status to various users.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.schedulers

List of Schedulers.

Type: list of string

Default:

[
  "schedulers.SingleBranchScheduler(name='all', change_filter=util.ChangeFilter(branch='master'), treeStableTimer=None, builderNames=['runtests'])"
  "schedulers.ForceScheduler(name='force',builderNames=['runtests'])"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.title

Specifies the Buildbot Title.

Type: string

Default: "Buildbot"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.titleUrl

Specifies the Buildbot TitleURL.

Type: string

Default: "Buildbot"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.user

User the buildbot server should execute under.

Type: string

Default: "buildbot"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-master.workers

List of Workers.

Type: list of string

Default:

[
  "worker.Worker('example-worker', 'pass')"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/master.nix>
services.buildbot-worker.enable

Whether to enable the Buildbot Worker.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.package

The buildbot-worker package to use.

Type: package

Default: pkgs.buildbot-worker

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.packages

Packages to add to PATH for the buildbot process.

Type: list of package

Default: [ pkgs.git ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.adminMessage

Name of the administrator of this worker

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.buildbotDir

Specifies the Buildbot directory.

Type: path

Default: "${config.services.buildbot-worker.home}/worker"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.extraGroups

List of extra groups that the Buildbot Worker user should be a part of.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.group

Primary group of buildbot Worker user.

Type: string

Default: "bbworker"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.home

Buildbot home directory.

Type: path

Default: "/home/bbworker"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.hostMessage

Description of this worker

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.keepalive

This is a number that indicates how frequently keepalive messages should be sent from the worker to the buildmaster, expressed in seconds.

Type: signed integer

Default: 600

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.masterUrl

Specifies the Buildbot Worker connection string.

Type: string

Default: "localhost:9989"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.user

User the buildbot Worker should execute under.

Type: string

Default: "bbworker"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.workerPass

Specifies the Buildbot Worker password.

Type: string

Default: "pass"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.workerPassFile

File used to store the Buildbot Worker password

Type: path

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildbot-worker.workerUser

Specifies the Buildbot Worker user.

Type: string

Default: "example-worker"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildbot/worker.nix>
services.buildkite-agents

Attribute set of buildkite agents. The attribute key is combined with the hostname and a unique integer to create the final agent name. This can be overridden by setting the name attribute.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.buildkite-agents.<name>.enable

Whether to enable this buildkite agent

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.buildkite-agents.<name>.package

Which buildkite-agent derivation to use

Type: package

Default: pkgs.buildkite-agent

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.buildkite-agents.<name>.dataDir

The workdir for the agent

Type: string

Default: "/var/lib/buildkite-agent-‹name›"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.buildkite-agents.<name>.extraConfig

Extra lines to be added verbatim to the configuration file.

Type: strings concatenated with “\n”

Default: ""

Example: "debug=true"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.buildkite-agents.<name>.extraGroups

Groups the user for this buildkite agent should belong to

Type: list of string

Default:

[
  "keys"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.buildkite-agents.<name>.hooks

“Agent” hooks to install. See https://buildkite.com/docs/agent/v3/hooks for possible options.

Type: attribute set of strings concatenated with “\n”

Default: { }

Example:

{
  environment = ''
    export SECRET_VAR=`head -1 /run/keys/secret`
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.buildkite-agents.<name>.hooksPath

Path to the directory storing the hooks. Consider using services.buildkite-agents.<name>.hooks.<name> instead.

Type: path

Default: generated from services.buildkite-agents.<name>.hooks

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.buildkite-agents.<name>.name

The name of the agent as seen in the buildkite dashboard.

Type: string

Default: "%hostname-‹name›-%n"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.buildkite-agents.<name>.privateSshKeyPath

OpenSSH private key

A run-time path to the key file, which is supposed to be provisioned outside of Nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.buildkite-agents.<name>.runtimePackages

Add programs to the buildkite-agent environment

Type: list of package

Default: [ pkgs.bash pkgs.gnutar pkgs.gzip pkgs.git pkgs.nix ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.buildkite-agents.<name>.shell

Command that buildkite-agent 3 will execute when it spawns a shell.

Type: string

Default: "${pkgs.bash}/bin/bash -e -c"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.buildkite-agents.<name>.tags

Tags for the agent.

Type: attribute set of (string or list of string)

Default: { }

Example:

{
  docker = "true";
  queue = "default";
  ruby2 = "true";
}

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.buildkite-agents.<name>.tokenPath

The token from your Buildkite “Agents” page.

A run-time path to the token file, which is supposed to be provisioned outside of Nix store.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/buildkite-agents.nix>
services.c2fmzq-server.enable

Whether to enable c2fmzq-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/c2fmzq-server.nix>
services.c2fmzq-server.package

The c2fmzq package to use.

Type: package

Default: pkgs.c2fmzq

Declared by:

<nixpkgs/nixos/modules/services/web-apps/c2fmzq-server.nix>
services.c2fmzq-server.bindIP

The local address to use.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/c2fmzq-server.nix>
services.c2fmzq-server.passphraseFile

Path to file containing the database passphrase

Type: string

Example: "/run/secrets/c2fmzq/pwfile"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/c2fmzq-server.nix>
services.c2fmzq-server.port

The local port to use.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/c2fmzq-server.nix>
services.c2fmzq-server.settings

Configuration for c2FmZQ-server passed as CLI arguments. Run c2FmZQ-server help for supported values.

Type: attribute set of (null or boolean or signed integer or string)

Example:

{
  allow-new-accounts = true;
  auto-approve-new-accounts = true;
  enable-webapp = true;
  encrypt-metadata = true;
  verbose = 3;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/c2fmzq-server.nix>
services.c2fmzq-server.settings.database

Path of the database

Type: string

Default: "%S/c2fmzq-server/data"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/c2fmzq-server.nix>
services.c2fmzq-server.settings.verbose

The level of logging verbosity: 1:Error 2:Info 3:Debug

Type: integer between 1 and 3 (both inclusive)

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/web-apps/c2fmzq-server.nix>
services.cachefilesd.enable

Whether to enable cachefilesd network filesystems caching daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/cachefilesd.nix>
services.cachefilesd.cacheDir

Directory to contain filesystem cache.

Type: string

Default: "/var/cache/fscache"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/cachefilesd.nix>
services.cachefilesd.extraConfig

Additional configuration file entries. See cachefilesd.conf(5) for more information.

Type: strings concatenated with “\n”

Default: ""

Example: "brun 10%"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/cachefilesd.nix>
services.cachix-agent.enable

Whether to enable Cachix Deploy Agent: https://docs.cachix.org/deploy/.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-agent/default.nix>
services.cachix-agent.package

The cachix package to use.

Type: package

Default: pkgs.cachix

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-agent/default.nix>
services.cachix-agent.credentialsFile

Required file that needs to contain CACHIX_AGENT_TOKEN=…

Type: path

Default: "/etc/cachix-agent.token"

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-agent/default.nix>
services.cachix-agent.host

Cachix uri to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-agent/default.nix>
services.cachix-agent.name

Agent name, usually same as the hostname

Type: string

Default: "config.networking.hostName"

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-agent/default.nix>
services.cachix-agent.profile

Profile name, defaults to ‘system’ (NixOS).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-agent/default.nix>
services.cachix-agent.verbose

Enable verbose output

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-agent/default.nix>
services.cachix-watch-store.enable

Whether to enable Cachix Watch Store: https://docs.cachix.org.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-watch-store.nix>
services.cachix-watch-store.package

The cachix package to use.

Type: package

Default: pkgs.cachix

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-watch-store.nix>
services.cachix-watch-store.cacheName

Cachix binary cache name

Type: string

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-watch-store.nix>
services.cachix-watch-store.cachixTokenFile

Required file that needs to contain the cachix auth token.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-watch-store.nix>
services.cachix-watch-store.compressionLevel

The compression level for ZSTD compression (between 0 and 16)

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-watch-store.nix>
services.cachix-watch-store.host

Cachix host to connect to

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-watch-store.nix>
services.cachix-watch-store.jobs

Number of threads used for pushing store paths

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-watch-store.nix>
services.cachix-watch-store.signingKeyFile

Optional file containing a self-managed signing key to sign uploaded store paths.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-watch-store.nix>
services.cachix-watch-store.verbose

Enable verbose output

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/system/cachix-watch-store.nix>
services.caddy.enable

Whether to enable Caddy web server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.enableReload

Reload Caddy instead of restarting it when configuration file changes.

Note that enabling this option requires the admin API to not be turned off.

If you enable this option, consider setting grace_period to a non-infinite value in services.caddy.globalConfig to prevent Caddy waiting for active connections to finish, which could delay the reload essentially indefinitely.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.package

The caddy package to use.

Type: package

Default: pkgs.caddy

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.acmeCA

Note

Sets the acme_ca option in the global options block of the resulting Caddyfile.

The URL to the ACME CA’s directory. It is strongly recommended to set this to https://acme-staging-v02.api.letsencrypt.org/directory for Let’s Encrypt’s staging endpoint while testing or in development.

Value null should be prefered for production setups, as it omits the acme_ca option to enable automatic issuer fallback.

Type: null or string

Default: null

Example: "https://acme-v02.api.letsencrypt.org/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.adapter

Name of the config adapter to use. See https://caddyserver.com/docs/config-adapters for the full list.

If null is specified, the --adapter argument is omitted when starting or restarting Caddy. Notably, this allows specification of a configuration file in Caddy’s native JSON format, as long as the filename does not start with Caddyfile (in which case the caddyfile adapter is implicitly enabled). See https://caddyserver.com/docs/command-line#caddy-run for details.

Note

Any value other than null or caddyfile is only valid when providing your own configFile.

Type: null or string

Default:

if ((cfg.configFile != configFile) || (builtins.baseNameOf cfg.configFile) == "Caddyfile") then "caddyfile" else null

Example: nginx

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.configFile

Override the configuration file used by Caddy. By default, NixOS generates one automatically.

The configuration file is exposed at /etc/caddy/caddy_config.

Type: path

Default: "A Caddyfile automatically generated by values from services.caddy.*"

Example:

pkgs.writeText "Caddyfile" ''
  example.com

  root * /var/www/wordpress
  php_fastcgi unix//run/php/php-version-fpm.sock
  file_server
'';

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.dataDir

The data directory for caddy.

Note

If left as the default value this directory will automatically be created before the Caddy server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions.

Caddy v2 replaced CADDYPATH with XDG directories. See https://caddyserver.com/docs/conventions#file-locations.

Type: path

Default: "/var/lib/caddy"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.email

Your email address. Mainly used when creating an ACME account with your CA, and is highly recommended in case there are problems with your certificates.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.environmentFile

Environment file as defined in systemd.exec(5).

You can use environment variables to pass secrets to the service without adding them to the world-redable nix store.

# in configuration.nix
services.caddy.environmentFile = "/run/secrets/caddy.env";
services.caddy.globalConfig = ''
  {
    acme_ca https://acme.zerossl.com/v2/DV90
    acme_eab {
      key_id {$EAB_KEY_ID}
      mac_key {$EAB_MAC_KEY}
    }
  }
'';
# in /run/secrets/caddy.env
EAB_KEY_ID=secret
EAB_MAC_KEY=secret

Find more examples here

Type: null or path

Default: null

Example: "/run/secrets/caddy.env"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.extraConfig

Additional lines of configuration appended to the automatically generated Caddyfile.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  example.com {
    encode gzip
    log
    root /srv/http
  }
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.globalConfig

Additional lines of configuration appended to the global config section of the Caddyfile.

Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  debug
  servers {
    protocol {
      experimental_http3
    }
  }
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.group

Group under which caddy runs.

Note

If left as the default value this group will automatically be created on system activation, otherwise you are responsible for ensuring the group exists before the Caddy service starts.

Type: string

Default: "caddy"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.logDir

Directory for storing Caddy access logs.

Note

If left as the default value this directory will automatically be created before the Caddy server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path

Default: "/var/log/caddy"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.logFormat

Configuration for the default logger. See https://caddyserver.com/docs/caddyfile/options#log for details.

Type: strings concatenated with “\n”

Default:

''
  level ERROR
''

Example:

mkForce "level INFO";

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.resume

Use saved config, if any (and prefer over any specified configuration passed with --config).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.settings

Structured configuration for Caddy to generate a Caddy JSON configuration file. See https://caddyserver.com/docs/json/ for available options.

Warning

Using a Caddyfile instead of a JSON config is highly recommended by upstream. There are only very few exception to this.

Please use a Caddyfile via services.caddy.configFile, services.caddy.virtualHosts or services.caddy.extraConfig with services.caddy.globalConfig instead.

Note

Takes presence over most services.caddy.* options, such as services.caddy.configFile and services.caddy.virtualHosts, if specified.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.user

User account under which caddy runs.

Note

If left as the default value this user will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the Caddy service starts.

Type: string

Default: "caddy"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.virtualHosts

Declarative specification of virtual hosts served by Caddy.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "hydra.example.com" = {
    serverAliases = [ "www.hydra.example.com" ];
    extraConfig = ''
      encode gzip
      root * /srv/http
    '';
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.virtualHosts.<name>.extraConfig

Additional lines of configuration appended to this virtual host in the automatically generated Caddyfile.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.virtualHosts.<name>.hostName

Canonical hostname for the server.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.virtualHosts.<name>.listenAddresses

A list of host interfaces to bind to for this virtual host.

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "::1"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.virtualHosts.<name>.logFormat

Configuration for HTTP request logging (also known as access logs). See https://caddyserver.com/docs/caddyfile/directives/log#log for details.

Type: strings concatenated with “\n”

Default:

''
  output file ''${config.services.caddy.logDir}/access-''${hostName}.log
''

Example:

mkForce ''
  output discard
'';

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.virtualHosts.<name>.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.caddy.virtualHosts.<name>.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is mostly useful if you use DNS challenges but Caddy does not currently support your provider.

Note that this option does not create any certificates, nor does it add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/caddy/default.nix>
services.cadvisor.enable

Whether to enable Cadvisor service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cadvisor.nix>
services.cadvisor.extraOptions

Additional cadvisor options.

See https://github.com/google/cadvisor/blob/master/docs/runtime_options.md for available options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cadvisor.nix>
services.cadvisor.listenAddress

Cadvisor listening host

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cadvisor.nix>
services.cadvisor.port

Cadvisor listening port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cadvisor.nix>
services.cadvisor.storageDriver

Cadvisor storage driver.

Type: null or string

Default: null

Example: "influxdb"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cadvisor.nix>
services.cadvisor.storageDriverDb

Cadvisord storage driver database name.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cadvisor.nix>
services.cadvisor.storageDriverHost

Cadvisor storage driver host.

Type: string

Default: "localhost:8086"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cadvisor.nix>
services.cadvisor.storageDriverPassword

Cadvisor storage driver password.

Warning: this password is stored in the world-readable Nix store. It’s recommended to use the storageDriverPasswordFile option since that gives you control over the security of the password. storageDriverPasswordFile also takes precedence over storageDriverPassword.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cadvisor.nix>
services.cadvisor.storageDriverPasswordFile

File that contains the cadvisor storage driver password.

storageDriverPasswordFile takes precedence over storageDriverPassword

Warning: when storageDriverPassword is non-empty this defaults to a file in the world-readable Nix store that contains the value of storageDriverPassword.

It’s recommended to override this with a path not in the Nix store. Tip: use nixops key management

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cadvisor.nix>
services.cadvisor.storageDriverSecure

Cadvisor storage driver, enable secure communication.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cadvisor.nix>
services.cadvisor.storageDriverUser

Cadvisor storage driver username.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cadvisor.nix>
services.cage.enable

Whether to enable cage kiosk service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/wayland/cage.nix>
services.cage.package

The cage package to use.

Type: package

Default: pkgs.cage

Declared by:

<nixpkgs/nixos/modules/services/wayland/cage.nix>
services.cage.environment

Additional environment variables to pass to Cage.

Type: attribute set of string

Default: { }

Example:

{
  WLR_LIBINPUT_NO_DEVICES = "1";
}

Declared by:

<nixpkgs/nixos/modules/services/wayland/cage.nix>
services.cage.extraArguments

Additional command line arguments to pass to Cage.

Type: list of string

Default: []

Example:

[
  "-d"
]

Declared by:

<nixpkgs/nixos/modules/services/wayland/cage.nix>
services.cage.program

Program to run in cage.

Type: path

Default: "${pkgs.xterm}/bin/xterm"

Declared by:

<nixpkgs/nixos/modules/services/wayland/cage.nix>
services.cage.user

User to log-in as.

Type: string

Default: "demo"

Declared by:

<nixpkgs/nixos/modules/services/wayland/cage.nix>
services.calibre-server.enable

Whether to enable calibre-server (e-book software).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/calibre-server.nix>
services.calibre-server.package

The calibre package to use.

Type: package

Default: pkgs.calibre

Declared by:

<nixpkgs/nixos/modules/services/misc/calibre-server.nix>
services.calibre-server.auth.enable

Password based authentication to access the server. See the calibre-server documentation for details.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/calibre-server.nix>
services.calibre-server.auth.mode

Choose the type of authentication used. Set the HTTP authentication mode used by the server. See the calibre-server documentation for details.

Type: one of “auto”, “basic”, “digest”

Default: "auto"

Declared by:

<nixpkgs/nixos/modules/services/misc/calibre-server.nix>
services.calibre-server.auth.userDb

Choose users database file to use for authentication. Make sure users database file is initialized before service startup. See the calibre-server documentation for details.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/calibre-server.nix>
services.calibre-server.extraFlags

Extra flags to pass to the calibre-server command. See the calibre-server documentation for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/calibre-server.nix>
services.calibre-server.group

The group under which calibre-server runs.

Type: string

Default: "calibre-server"

Declared by:

<nixpkgs/nixos/modules/services/misc/calibre-server.nix>
services.calibre-server.host

The interface on which to listen for connections. See the calibre-server documentation for details.

Type: string

Default: "0.0.0.0"

Example: "::1"

Declared by:

<nixpkgs/nixos/modules/services/misc/calibre-server.nix>
services.calibre-server.libraries

Make sure each library path is initialized before service startup. The directories of the libraries to serve. They must be readable for the user under which the server runs. See the calibredb documentation for details.

Type: list of path

Default:

[
  "/var/lib/calibre-server"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/calibre-server.nix>
services.calibre-server.openFirewall

Open ports in the firewall for the Calibre Server web interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/calibre-server.nix>
services.calibre-server.port

The port on which to listen for connections. See the calibre-server documentation for details.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/misc/calibre-server.nix>
services.calibre-server.user

The user under which calibre-server runs.

Type: string

Default: "calibre-server"

Declared by:

<nixpkgs/nixos/modules/services/misc/calibre-server.nix>
services.calibre-web.enable

Whether to enable Calibre-Web.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.calibre-web.package

The calibre-web package to use.

Type: package

Default: pkgs.calibre-web

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.calibre-web.dataDir

The directory below /var/lib where Calibre-Web stores its data.

Type: string

Default: "calibre-web"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.calibre-web.group

Group account under which Calibre-Web runs.

Type: string

Default: "calibre-web"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.calibre-web.listen.ip

IP address that Calibre-Web should listen on.

Type: string

Default: "::1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.calibre-web.listen.port

Listen port for Calibre-Web.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8083

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.calibre-web.openFirewall

Open ports in the firewall for the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.calibre-web.options.enableBookConversion

Configure path to the Calibre’s ebook-convert in the DB.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.calibre-web.options.enableBookUploading

Allow books to be uploaded via Calibre-Web UI.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.calibre-web.options.enableKepubify

Whether to enable kebup conversion support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.calibre-web.options.calibreLibrary

Path to Calibre library.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.calibre-web.options.reverseProxyAuth.enable

Enable authorization using auth proxy.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.calibre-web.options.reverseProxyAuth.header

Auth proxy header name.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.calibre-web.user

User account under which Calibre-Web runs.

Type: string

Default: "calibre-web"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/calibre-web.nix>
services.canaille.enable

Whether to enable Canaille.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.package

The canaille package to use.

Type: package

Default: pkgs.canaille

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.jwtPrivateKeyFile

File containing the JWT private key. Make sure it has appropriate permissions.

You can generate one using

openssl genrsa -out private.pem 4096
openssl rsa -in private.pem -pubout -outform PEM -out public.pem

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.ldapBindPasswordFile

File containing the LDAP bind password.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.secretKeyFile

File containing the Flask secret key. Its content is going to be provided to Canaille as SECRET_KEY. Make sure it has appropriate permissions. For example, copy the output of this to the specified file:

python3 -c 'import secrets; print(secrets.token_hex())'

Type: path

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.settings

Settings for Canaille. See the documentation for details.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.settings.CANAILLE.ACL

Access Control Lists.

See also the documentation.

Type: null or (TOML value)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.settings.CANAILLE.SMTP

SMTP configuration. By default, sending emails is not enabled.

Set to an empty attrs to send emails from localhost without authentication.

See also the documentation.

Type: null or (TOML value)

Default: null

Example: { }

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.settings.CANAILLE.SMTP.PASSWORD

SMTP Password. Can’t be set and has to be provided using services.canaille.smtpPasswordFile.

Type: null or string (read only)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.settings.CANAILLE_LDAP

Configuration for the LDAP backend. This storage backend is not yet supported by the module, so use at your own risk!

Type: null or (TOML value)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.settings.CANAILLE_LDAP.BIND_PW

The LDAP bind password. Can’t be set and has to be provided using services.canaille.ldapBindPasswordFile.

Type: null or string (read only)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.settings.CANAILLE_OIDC

OpenID Connect settings. See the documentation.

Type: null or (TOML value)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.settings.CANAILLE_OIDC.JWT.PRIVATE_KEY

JWT private key. Can’t be set and has to be provided using services.canaille.jwtPrivateKeyFile.

Type: null or string (read only)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.settings.CANAILLE_SQL.DATABASE_URI

The SQL server URI. Will configure a local PostgreSQL db if left to default. Please note that the NixOS module only really supports PostgreSQL for now. Change at your own risk!

Type: string

Default: "postgresql://localhost/canaille?host=/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.settings.PREFERRED_URL_SCHEME

The url scheme by which canaille will be served.

Type: one of “http”, “https”

Default: "https"

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.settings.SECRET_KEY

Flask Secret Key. Can’t be set and must be provided through services.canaille.settings.secretKeyFile.

Type: null or string (read only)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.settings.SERVER_NAME

The domain name on which canaille will be served.

Type: string

Example: "auth.example.org"

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canaille.smtpPasswordFile

File containing the SMTP password. Make sure it has appropriate permissions.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/canaille.nix>
services.canto-daemon.enable

Whether to enable the canto RSS daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/canto-daemon.nix>
services.cassandra.enable

Whether to enable Apache Cassandra – Scalable and highly available database .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.package

The cassandra package to use.

Type: package

Default: pkgs.cassandra

Example: cassandra_3_11

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.allowClients

Enables or disables the native transport server (CQL binary protocol). This server uses the same address as the rpcAddress, but the port it uses is not rpc_port but native_transport_port. See the official Cassandra docs for more information on these variables and set them using extraConfig.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.clusterName

The name of the cluster. This setting prevents nodes in one logical cluster from joining another. All nodes in a cluster must have the same value.

Type: string

Default: "Test Cluster"

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.extraConfig

Extra options to be merged into cassandra.yaml as nix attribute set.

Type: attribute set

Default: { }

Example:

{
  commitlog_sync_batch_window_in_ms = 3;
}

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.extraEnvSh

Extra shell lines to be appended onto cassandra-env.sh.

Type: strings concatenated with “\n”

Default: ""

Example: "CLASSPATH=$CLASSPATH:${extraJar}"

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.fullRepairInterval

Set the interval how often full repairs are run, i.e. nodetool repair --full is executed. See https://cassandra.apache.org/doc/latest/operating/repair.html for more information.

Set to null to disable full repairs.

Type: null or string

Default: "3w"

Example: null

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.fullRepairOptions

Options passed through to the full repair command.

Type: list of string

Default: [ ]

Example:

[
  "--partitioner-range"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.group

Run Apache Cassandra under this group.

Type: string

Default: "cassandra"

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.heapNewSize

Must be left blank or set together with heapNewSize. If left blank a sensible value for the available amount of RAM and CPU cores is calculated.

Override to set the amount of memory to allocate to the JVM at start-up. For production use you may wish to adjust this for your environment. HEAP_NEWSIZE refers to the size of the young generation.

The main trade-off for the young generation is that the larger it is, the longer GC pause times will be. The shorter it is, the more expensive GC will be (usually).

The example HEAP_NEWSIZE assumes a modern 8-core+ machine for decent pause times. If in doubt, and if you do not particularly want to tweak, go with 100 MB per physical CPU core.

Type: null or string

Default: null

Example: "800M"

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.homeDir

Home directory for Apache Cassandra.

Type: path

Default: "/var/lib/cassandra"

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.incrementalRepairInterval

Set the interval how often incremental repairs are run, i.e. nodetool repair is executed. See https://cassandra.apache.org/doc/latest/operating/repair.html for more information.

Set to null to disable incremental repairs.

Type: null or string

Default: "3d"

Example: null

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.incrementalRepairOptions

Options passed through to the incremental repair command.

Type: list of string

Default: [ ]

Example:

[
  "--partitioner-range"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.jmxPort

Specifies the default port over which Cassandra will be available for JMX connections. For security reasons, you should not expose this port to the internet. Firewall it if needed.

Type: signed integer

Default: 7199

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.jmxRoles

Roles that are allowed to access the JMX (e.g. nodetool) BEWARE: The passwords will be stored world readable in the nix store. It’s recommended to use your own protected file using jmxRolesFile

Doesn’t work in versions older than 3.11 because they don’t like that it’s world readable.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.jmxRoles.*.password

Password for JMX

Type: string

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.jmxRoles.*.username

Username for JMX

Type: string

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.jmxRolesFile

Specify your own jmx roles file.

Make sure the permissions forbid “others” from reading the file if you’re using Cassandra below version 3.11.

Type: null or path

Default: generated configuration file if version is at least 3.11, otherwise null

Example: "/var/lib/cassandra/jmx.password"

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.jvmOpts

Populate the JVM_OPT environment variable.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.listenAddress

Address or interface to bind to and tell other Cassandra nodes to connect to. You must change this if you want multiple nodes to be able to communicate!

Set listenAddress OR listenInterface, not both.

Leaving it blank leaves it up to InetAddress.getLocalHost(). This will always do the “Right Thing” if the node is properly configured (hostname, name resolution, etc), and the Right Thing is to use the address associated with the hostname (it might not be).

Setting listenAddress to 0.0.0.0 is always wrong.

Type: null or string

Default: "127.0.0.1"

Example: null

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.listenInterface

Set listenAddress OR listenInterface, not both. Interfaces must correspond to a single address, IP aliasing is not supported.

Type: null or string

Default: null

Example: "eth1"

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.logbackConfig

XML logback configuration for cassandra

Type: strings concatenated with “\n”

Default:

''
  <configuration scan="false">
    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
      <encoder>
        <pattern>%-5level %date{HH:mm:ss,SSS} %msg%n</pattern>
      </encoder>
    </appender>
  
    <root level="INFO">
      <appender-ref ref="STDOUT" />
    </root>
  
    <logger name="com.thinkaurelius.thrift" level="ERROR"/>
  </configuration>
''

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.mallocArenaMax

Set this to control the amount of arenas per-thread in glibc.

Type: null or signed integer

Default: null

Example: 4

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.maxHeapSize

Must be left blank or set together with heapNewSize. If left blank a sensible value for the available amount of RAM and CPU cores is calculated.

Override to set the amount of memory to allocate to the JVM at start-up. For production use you may wish to adjust this for your environment. MAX_HEAP_SIZE is the total amount of memory dedicated to the Java heap. HEAP_NEWSIZE refers to the size of the young generation.

The main trade-off for the young generation is that the larger it is, the longer GC pause times will be. The shorter it is, the more expensive GC will be (usually).

Type: null or string

Default: null

Example: "4G"

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.remoteJmx

Cassandra ships with JMX accessible only from localhost. To enable remote JMX connections set to true.

Be sure to also enable authentication and/or TLS. See: https://wiki.apache.org/cassandra/JmxSecurity

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.rpcAddress

The address or interface to bind the native transport server to.

Set rpcAddress OR rpcInterface, not both.

Leaving rpcAddress blank has the same effect as on listenAddress (i.e. it will be based on the configured hostname of the node).

Note that unlike listenAddress, you can specify "0.0.0.0", but you must also set extraConfig.broadcast_rpc_address to a value other than "0.0.0.0".

For security reasons, you should not expose this port to the internet. Firewall it if needed.

Type: null or string

Default: "127.0.0.1"

Example: null

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.rpcInterface

Set rpcAddress OR rpcInterface, not both. Interfaces must correspond to a single address, IP aliasing is not supported.

Type: null or string

Default: null

Example: "eth1"

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.seedAddresses

The addresses of hosts designated as contact points in the cluster. A joining node contacts one of the nodes in the seeds list to learn the topology of the ring. Set to [ "127.0.0.1" ] for a single node cluster.

Type: list of string

Default:

[
  "127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.cassandra.user

Run Apache Cassandra under this user.

Type: string

Default: "cassandra"

Declared by:

<nixpkgs/nixos/modules/services/databases/cassandra.nix>
services.castopod.enable

Whether to enable Castopod, a hosting platform for podcasters.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.castopod.package

Which Castopod package to use.

Type: package

Default: pkgs.castopod

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.castopod.configureNginx

Configure nginx as a reverse proxy for CastoPod.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.castopod.dataDir

The path where castopod stores all data. This path must be in sync with the castopod package (where it is hardcoded during the build in accordance with its own dataDir argument).

Type: path

Default: "/var/lib/castopod"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.castopod.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.castopod.database.hostname

Database hostname.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.castopod.database.name

Database name.

Type: string

Default: "castopod"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.castopod.database.passwordFile

A file containing the password corresponding to services.castopod.database.user.

This file is loaded using systemd LoadCredentials.

Type: null or path

Default: null

Example: "/run/keys/castopod-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.castopod.database.user

Database user.

Type: string

Default: "castopod"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.castopod.environmentFile

Environment file to inject e.g. secrets into the configuration. See for available environment variables.

This file is loaded using systemd LoadCredentials.

Type: null or path

Default: null

Example: "/run/keys/castopod-env"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.castopod.localDomain

The domain serving your CastoPod instance.

Type: string

Example: "castopod.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.castopod.maxUploadSize

Maximum supported size for a file upload in. Maximum HTTP body size is set to this value for nginx and PHP (because castopod doesn’t support chunked uploads yet: https://code.castopod.org/adaures/castopod/-/issues/330).

Note, that practical upload size limit is smaller. For example, with 512 MiB setting - around 500 MiB is possible.

Type: string

Default: "512M"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.castopod.poolSettings

Options for Castopod’s PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = "32";
  "pm.max_requests" = "500";
  "pm.max_spare_servers" = "4";
  "pm.min_spare_servers" = "2";
  "pm.start_servers" = "2";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.castopod.settings

Environment variables used for Castopod. See for available environment variables.

Type: attribute set of (string or signed integer or boolean)

Default: { }

Example:

{
  "email.SMTPHost" = "localhost";
  "email.SMTPUser" = "myuser";
  "email.fromEmail" = "castopod@example.com";
  "email.protocol" = "smtp";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/castopod.nix>
services.centrifugo.enable

Whether to enable Centrifugo messaging server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/centrifugo.nix>
services.centrifugo.package

The centrifugo package to use.

Type: package

Default: pkgs.centrifugo

Declared by:

<nixpkgs/nixos/modules/services/networking/centrifugo.nix>
services.centrifugo.credentials

Environment variables with absolute paths to credentials files to load on service startup.

Type: attribute set of path

Default: { }

Example:

{
  CENTRIFUGO_UNI_GRPC_TLS_KEY = "/run/keys/centrifugo-uni-grpc-tls.key";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/centrifugo.nix>
services.centrifugo.environmentFiles

Files to load environment variables from. Options set via environment variables take precedence over settings.

See the Centrifugo documentation for the environment variable name format.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/centrifugo.nix>
services.centrifugo.extraGroups

Additional groups for the systemd service.

Type: list of string

Default: [ ]

Example:

[
  "redis-centrifugo"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/centrifugo.nix>
services.centrifugo.settings

Declarative Centrifugo configuration. See the Centrifugo documentation for a list of options.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/centrifugo.nix>
services.ceph.enable

Whether to enable Ceph global configuration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.client.enable

Whether to enable Ceph client configuration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.client.extraConfig

Extra configuration to add to the client section. Configuration for rados gateways would be added here, with their own sections, see example.

Type: attribute set of attribute set of string

Default: { }

Example:

{
  # This would create a section for a radosgw daemon named node0 and related
  # configuration for it
  "client.radosgw.node0" = { "some config option" = "true"; };
};

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.extraConfig

Extra configuration to add to the global section. Use for setting values that are common for all daemons in the cluster.

Type: attribute set of string

Default: { }

Example:

{
  "ms bind ipv6" = "true";
}

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.global.authClientRequired

Enables requiring the cluster to authenticate itself to the client.

Type: one of “cephx”, “none”

Default: "cephx"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.global.authClusterRequired

Enables requiring daemons to authenticate with eachother in the cluster.

Type: one of “cephx”, “none”

Default: "cephx"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.global.authServiceRequired

Enables requiring clients to authenticate with the cluster to access services in the cluster (e.g. radosgw, mds or osd).

Type: one of “cephx”, “none”

Default: "cephx"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.global.clusterName

Name of cluster

Type: string

Default: "ceph"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.global.clusterNetwork

A comma-separated list of subnets that will be used as cluster networks in the cluster.

Type: null or strings concatenated with “,”

Default: null

Example:

''
  10.10.0.0/24, 192.168.0.0/24
''

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.global.fsid

Filesystem ID, a generated uuid, its must be generated and set before attempting to start a cluster

Type: string

Example:

''
  433a2193-4f8a-47a0-95d2-209d7ca2cca5
''

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.global.maxOpenFiles

Max open files for each OSD daemon.

Type: signed integer

Default: 131072

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.global.mgrModulePath

Path at which to find ceph-mgr modules.

Type: path

Default: "${pkgs.ceph.lib}/lib/ceph/mgr"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.global.monHost

List of hostname shortnames/IP addresses of the initial monitors.

Type: null or strings concatenated with “,”

Default: null

Example:

''
  10.10.0.1, 10.10.0.2, 10.10.0.3
''

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.global.monInitialMembers

List of hosts that will be used as monitors at startup.

Type: null or strings concatenated with “,”

Default: null

Example:

''
  node0, node1, node2
''

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.global.publicNetwork

A comma-separated list of subnets that will be used as public networks in the cluster.

Type: null or strings concatenated with “,”

Default: null

Example:

''
  10.20.0.0/24, 192.168.1.0/24
''

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.global.rgwMimeTypesFile

Path to mime types used by radosgw.

Type: null or path

Default: "${pkgs.mailcap}/etc/mime.types"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.mds.enable

Whether to enable Ceph MDS daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.mds.package

The ceph package to use.

Type: package

Default: pkgs.ceph

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.mds.daemons

A list of metadata service daemons that should have a service created. The names correspond to the id part in ceph i.e. [ “name1” ] would result in mds.name1

Type: list of string

Default: [ ]

Example:

[
  "name1"
  "name2"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.mds.extraConfig

Extra configuration to add to the MDS section.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.mgr.enable

Whether to enable Ceph MGR daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.mgr.package

The ceph package to use.

Type: package

Default: pkgs.ceph

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.mgr.daemons

A list of names for manager daemons that should have a service created. The names correspond to the id part in ceph i.e. [ “name1” ] would result in mgr.name1

Type: list of string

Default: [ ]

Example:

[
  "name1"
  "name2"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.mgr.extraConfig

Extra configuration to add to the global section for manager daemons.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.mon.enable

Whether to enable Ceph MON daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.mon.package

The ceph package to use.

Type: package

Default: pkgs.ceph

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.mon.daemons

A list of monitor daemons that should have a service created. The names correspond to the id part in ceph i.e. [ “name1” ] would result in mon.name1

Type: list of string

Default: [ ]

Example:

[
  "name1"
  "name2"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.mon.extraConfig

Extra configuration to add to the monitor section.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.osd.enable

Whether to enable Ceph OSD daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.osd.package

The ceph package to use.

Type: package

Default: pkgs.ceph

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.osd.daemons

A list of OSD daemons that should have a service created. The names correspond to the id part in ceph i.e. [ “name1” ] would result in osd.name1

Type: list of string

Default: [ ]

Example:

[
  "name1"
  "name2"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.osd.extraConfig

Extra configuration to add to the OSD section.

Type: attribute set of string

Default:

{
  "osd crush chooseleaf type" = "1";
  "osd journal size" = "10000";
  "osd pool default min size" = "2";
  "osd pool default pg num" = "200";
  "osd pool default pgp num" = "200";
  "osd pool default size" = "3";
}

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.rgw.enable

Whether to enable Ceph RadosGW daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.rgw.package

The ceph package to use.

Type: package

Default: pkgs.ceph

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.ceph.rgw.daemons

A list of rados gateway daemons that should have a service created. The names correspond to the id part in ceph i.e. [ “name1” ] would result in client.name1, radosgw daemons aren’t daemons to cluster in the sense that OSD, MGR or MON daemons are. They are simply daemons, from ceph, that uses the cluster as a backend.

Type: list of string

Default: [ ]

Example:

[
  "name1"
  "name2"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/ceph.nix>
services.certmgr.enable

Whether to enable certmgr.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/certmgr.nix>
services.certmgr.package

The certmgr package to use.

Type: package

Default: pkgs.certmgr

Declared by:

<nixpkgs/nixos/modules/services/security/certmgr.nix>
services.certmgr.defaultRemote

The default CA host:port to use.

Type: string

Default: "127.0.0.1:8888"

Declared by:

<nixpkgs/nixos/modules/services/security/certmgr.nix>
services.certmgr.metricsAddress

The address for the Prometheus HTTP endpoint.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/security/certmgr.nix>
services.certmgr.metricsPort

The port for the Prometheus HTTP endpoint.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9488

Declared by:

<nixpkgs/nixos/modules/services/security/certmgr.nix>
services.certmgr.renewInterval

How often to check certificate expirations and how often to update the cert_next_expires metric.

Type: string

Default: "30m"

Declared by:

<nixpkgs/nixos/modules/services/security/certmgr.nix>
services.certmgr.specs

Certificate specs as described by: https://github.com/cloudflare/certmgr#certificate-specs These will be added to the Nix store, so they will be world readable.

Type: attribute set of (path or (submodule))

Default: { }

Example:

{
  exampleCert =
  let
    domain = "example.com";
    secret = name: "/var/lib/secrets/${name}.pem";
  in {
    service = "nginx";
    action = "reload";
    authority = {
      file.path = secret "ca";
    };
    certificate = {
      path = secret domain;
    };
    private_key = {
      owner = "root";
      group = "root";
      mode = "0600";
      path = secret "${domain}-key";
    };
    request = {
      CN = domain;
      hosts = [ "mail.${domain}" "www.${domain}" ];
      key = {
        algo = "rsa";
        size = 2048;
      };
      names = {
        O = "Example Organization";
        C = "USA";
      };
    };
  };
  otherCert = "/var/certmgr/specs/other-cert.json";
}

Declared by:

<nixpkgs/nixos/modules/services/security/certmgr.nix>
services.certmgr.svcManager

This specifies the service manager to use for restarting or reloading services. See: https://github.com/cloudflare/certmgr#certmgryaml. For how to use the “command” service manager in particular, see: https://github.com/cloudflare/certmgr#command-svcmgr-and-how-to-use-it.

Type: one of “circus”, “command”, “dummy”, “openrc”, “systemd”, “sysv”

Default: "systemd"

Declared by:

<nixpkgs/nixos/modules/services/security/certmgr.nix>
services.certmgr.validMin

The interval before a certificate expires to start attempting to renew it.

Type: string

Default: "72h"

Declared by:

<nixpkgs/nixos/modules/services/security/certmgr.nix>
services.certspotter.enable

Whether to enable Cert Spotter, a Certificate Transparency log monitor.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/certspotter.nix>
services.certspotter.package

The certspotter package to use.

Type: package

Default: pkgs.certspotter

Declared by:

<nixpkgs/nixos/modules/services/monitoring/certspotter.nix>
services.certspotter.emailRecipients

A list of email addresses to send certificate updates to.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/certspotter.nix>
services.certspotter.extraFlags

Extra command-line arguments to pass to Cert Spotter

Type: list of string

Default: [ ]

Example:

[
  "-no_save"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/certspotter.nix>
services.certspotter.hooks

Scripts to run upon the detection of a new certificate. See man 8 certspotter-script or the GitHub page for more info.

Type: list of path

Default: [ ]

Example:

[
  (pkgs.writeShellScript "certspotter-hook" ''
    echo "Event summary: $SUMMARY."
  '')
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/certspotter.nix>
services.certspotter.sendmailPath

Path to the sendmail binary. By default, the local sendmail wrapper is used (see services.mail.sendmailSetuidWrapper}).

Type: null or path

Example: "${pkgs.system-sendmail}/bin/sendmail"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/certspotter.nix>
services.certspotter.startAtEnd

Whether to skip certificates issued before the first launch of Cert Spotter. Setting this to false will cause Cert Spotter to download tens of terabytes of data.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/certspotter.nix>
services.certspotter.watchlist

Domain names to watch. To monitor a domain with all subdomains, prefix its name with . (e.g. .example.org).

Type: list of string

Default: [ ]

Example:

[
  ".example.org"
  "another.example.com"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/certspotter.nix>
services.cfdyndns.enable

Whether to enable Cloudflare Dynamic DNS Client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/cfdyndns.nix>
services.cfdyndns.apiTokenFile

The path to a file containing the API Token used to authenticate with CloudFlare.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/cfdyndns.nix>
services.cfdyndns.apikeyFile

The path to a file containing the API Key used to authenticate with CloudFlare.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/cfdyndns.nix>
services.cfdyndns.email

The email address to use to authenticate to CloudFlare.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/cfdyndns.nix>
services.cfdyndns.records

The records to update in CloudFlare.

Type: list of string

Default: [ ]

Example:

[
  "host.tld"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/cfdyndns.nix>
services.cfssl.enable

Whether to enable the CFSSL CA api-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.address

Address to bind.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.ca

CA used to sign the new certificate – accepts ‘[file:]fname’ or ‘env:varname’.

Type: string

Default: "${cfg.dataDir}/ca.pem"

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.caBundle

Path to root certificate store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.caKey

CA private key – accepts ‘[file:]fname’ or ‘env:varname’.

Type: string

Default: "file:${cfg.dataDir}/ca-key.pem"

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.configFile

Path to configuration file. Do not put this in nix-store as it might contain secrets.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.dataDir

The work directory for CFSSL.

Note

If left as the default value this directory will automatically be created before the CFSSL server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path

Default: "/var/lib/cfssl"

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.dbConfig

Certificate db configuration file. Path must be writeable.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.intBundle

Path to intermediate certificate store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.intDir

Intermediates directory.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.logLevel

Log level (0 = DEBUG, 5 = FATAL).

Type: one of 0, 1, 2, 3, 4, 5

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.metadata

Metadata file for root certificate presence. The content of the file is a json dictionary (k,v): each key k is a SHA-1 digest of a root certificate while value v is a list of key store filenames.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.mutualTlsCa

Mutual TLS - require clients be signed by this CA.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.mutualTlsClientCert

Mutual TLS - client certificate to call remote instance requiring client certs.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.mutualTlsClientKey

Mutual TLS - client key to call remote instance requiring client certs. Do not put this in nix-store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.mutualTlsCn

Mutual TLS - regex for whitelist of allowed client CNs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.port

Port to bind.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8888

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.remote

Remote CFSSL server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.responder

Certificate for OCSP responder.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.responderKey

Private key for OCSP responder certificate. Do not put this in nix-store.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.tlsCert

Other endpoint’s CA to set up TLS protocol.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.tlsKey

Other endpoint’s CA private key. Do not put this in nix-store.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cfssl.tlsRemoteCa

CAs to trust for remote TLS requests.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/cfssl.nix>
services.cgit

Configure cgit instances.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/cgit.nix>
services.cgit.<name>.enable

Whether to enable cgit.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/cgit.nix>
services.cgit.<name>.package

The cgit package to use.

Type: package

Default: pkgs.cgit

Declared by:

<nixpkgs/nixos/modules/services/networking/cgit.nix>
services.cgit.<name>.extraConfig

These lines go to the end of cgitrc verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/cgit.nix>
services.cgit.<name>.group

Group to run the cgit service as.

Type: string

Default: "cgit"

Declared by:

<nixpkgs/nixos/modules/services/networking/cgit.nix>
services.cgit.<name>.nginx.location

Location to serve cgit under.

Type: string

Default: "/"

Example: "/git/"

Declared by:

<nixpkgs/nixos/modules/services/networking/cgit.nix>
services.cgit.<name>.nginx.virtualHost

VirtualHost to serve cgit on, defaults to the attribute name.

Type: string

Default: "‹name›"

Example: "git.example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/cgit.nix>
services.cgit.<name>.repos

cgit repository settings, see cgitrc(5)

Type: attribute set of attribute set of (boolean or signed integer or string)

Default: { }

Example:

{
  blah = {
    desc = "An example repository";
    path = "/var/lib/git/example";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/cgit.nix>
services.cgit.<name>.scanPath

A path which will be scanned for repositories.

Type: null or path

Default: null

Example: "/var/lib/git"

Declared by:

<nixpkgs/nixos/modules/services/networking/cgit.nix>
services.cgit.<name>.settings

cgit configuration, see cgitrc(5)

Type: attribute set of (boolean or signed integer or string or list of (boolean or signed integer or string))

Default: { }

Example:

{
  enable-follow-links = true;
  source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/cgit.nix>
services.cgit.<name>.user

User to run the cgit service as.

Type: string

Default: "cgit"

Declared by:

<nixpkgs/nixos/modules/services/networking/cgit.nix>
services.cgminer.enable

Whether to enable cgminer, an ASIC/FPGA/GPU miner for bitcoin and litecoin.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/cgminer.nix>
services.cgminer.package

The cgminer package to use.

Type: package

Default: pkgs.cgminer

Declared by:

<nixpkgs/nixos/modules/services/misc/cgminer.nix>
services.cgminer.config

Additional config

Type: attribute set of (boolean or signed integer)

Default: { }

Example:

{
  auto-fan = true;
  auto-gpu = true;
  expiry = 120;
  failover-only = true;
  gpu-threads = 2;
  log = 5;
  queue = 1;
  scan-time = 60;
  temp-histeresys = 3;
}

Declared by:

<nixpkgs/nixos/modules/services/misc/cgminer.nix>
services.cgminer.hardware

List of config options for every GPU

Type: list of attribute set of (string or signed integer)

Default: [ ]

Example:

[
  {
    gpu-engine = "0-985";
    gpu-fan = "0-85";
    gpu-memclock = 860;
    gpu-powertune = 20;
    intensity = 9;
    temp-cutoff = 95;
    temp-overheat = 85;
    temp-target = 75;
  }
  {
    gpu-engine = "0-950";
    gpu-fan = "0-85";
    gpu-memclock = 825;
    gpu-powertune = 20;
    intensity = 9;
    temp-cutoff = 95;
    temp-overheat = 85;
    temp-target = 75;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/cgminer.nix>
services.cgminer.pools

List of pools where to mine

Type: list of attribute set of string

Default: [ ]

Example:

[
  {
    password = "X";
    url = "http://p2pool.org:9332";
    username = "17EUZxTvs9uRmPsjPZSYUU3zCz9iwstudk";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/cgminer.nix>
services.cgminer.user

User account under which cgminer runs

Type: string

Default: "cgminer"

Declared by:

<nixpkgs/nixos/modules/services/misc/cgminer.nix>
services.changedetection-io.enable

Whether to enable changedetection-io.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/changedetection-io.nix>
services.changedetection-io.baseURL

The base url used in notifications and {base_url} token.

Type: null or string

Default: null

Example: "https://changedetection-io.example"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/changedetection-io.nix>
services.changedetection-io.behindProxy

Enable this option when changedetection-io runs behind a reverse proxy, so that it trusts X-* headers. It is recommend to run changedetection-io behind a TLS reverse proxy.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/changedetection-io.nix>
services.changedetection-io.chromePort

A free port on which webDriverSupport or playwrightSupport listen on localhost.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4444

Declared by:

<nixpkgs/nixos/modules/services/web-apps/changedetection-io.nix>
services.changedetection-io.datastorePath

The directory used to store all data for changedetection-io.

Type: string

Default: "/var/lib/changedetection-io"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/changedetection-io.nix>
services.changedetection-io.environmentFile

Securely pass environment variabels to changedetection-io.

This can be used to set for example a frontend password reproducible via SALTED_PASS which convinetly also deactivates nags about the hosted version. SALTED_PASS should be 64 characters long while the first 32 are the salt and the second the frontend password. It can easily be retrieved from the settings file when first set via the frontend with the following command: jq -r .settings.application.password /var/lib/changedetection-io/url-watches.json

Type: null or path

Default: null

Example: "/run/secrets/changedetection-io.env"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/changedetection-io.nix>
services.changedetection-io.group

Group account under which changedetection-io runs.

Type: string

Default: "changedetection-io"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/changedetection-io.nix>
services.changedetection-io.listenAddress

Address the server will listen on.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/changedetection-io.nix>
services.changedetection-io.playwrightSupport

Enable support for fetching web pages using playwright and Chromium. This starts a headless Chromium controlled by puppeteer in an oci container.

Note

Playwright can currently leak memory. See https://github.com/dgtlmoon/changedetection.io/wiki/Playwright-content-fetcher#playwright-memory-leak

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/changedetection-io.nix>
services.changedetection-io.port

Port the server will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/changedetection-io.nix>
services.changedetection-io.user

User account under which changedetection-io runs.

Type: string

Default: "changedetection-io"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/changedetection-io.nix>
services.changedetection-io.webDriverSupport

Enable support for fetching web pages using WebDriver and Chromium. This starts a headless chromium controlled by puppeteer in an oci container.

Note

Playwright can currently leak memory. See https://github.com/dgtlmoon/changedetection.io/wiki/Playwright-content-fetcher#playwright-memory-leak

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/changedetection-io.nix>
services.charybdis.enable

Whether to enable Charybdis IRC daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/charybdis.nix>
services.charybdis.config

Charybdis IRC daemon configuration file.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/charybdis.nix>
services.charybdis.group

Charybdis IRC daemon group.

Type: string

Default: "ircd"

Declared by:

<nixpkgs/nixos/modules/services/networking/charybdis.nix>
services.charybdis.motd

Charybdis MOTD text.

Charybdis will read its MOTD from /etc/charybdis/ircd.motd . If set, the value of this option will be written to this path.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/charybdis.nix>
services.charybdis.statedir

Location of the state directory of charybdis.

Type: path

Default: "/var/lib/charybdis"

Declared by:

<nixpkgs/nixos/modules/services/networking/charybdis.nix>
services.charybdis.user

Charybdis IRC daemon user.

Type: string

Default: "ircd"

Declared by:

<nixpkgs/nixos/modules/services/networking/charybdis.nix>
services.chatgpt-retrieval-plugin.enable

Whether to enable chatgpt-retrieval-plugin service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/chatgpt-retrieval-plugin.nix>
services.chatgpt-retrieval-plugin.bearerTokenPath

Path to the secret bearer token used for the http api authentication.

Type: path

Default: ""

Example: "config.age.secrets.CHATGPT_RETRIEVAL_PLUGIN_BEARER_TOKEN.path"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/chatgpt-retrieval-plugin.nix>
services.chatgpt-retrieval-plugin.datastore

This specifies the vector database provider you want to use to store and query embeddings.

Type: one of “pinecone”, “weaviate”, “zilliz”, “milvus”, “qdrant”, “redis”

Default: "qdrant"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/chatgpt-retrieval-plugin.nix>
services.chatgpt-retrieval-plugin.host

The hostname or IP address for chatgpt-retrieval-plugin to bind to.

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/chatgpt-retrieval-plugin.nix>
services.chatgpt-retrieval-plugin.openaiApiKeyPath

Path to the secret openai api key used for embeddings.

Type: path

Default: ""

Example: "config.age.secrets.CHATGPT_RETRIEVAL_PLUGIN_OPENAI_API_KEY.path"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/chatgpt-retrieval-plugin.nix>
services.chatgpt-retrieval-plugin.port

Port the chatgpt-retrieval-plugin service listens on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/chatgpt-retrieval-plugin.nix>
services.chatgpt-retrieval-plugin.qdrantCollection

name of the qdrant collection used to store documents.

Type: string

Default: "document_chunks"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/chatgpt-retrieval-plugin.nix>
services.chisel-server.enable

Whether to enable Chisel Tunnel Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/chisel-server.nix>
services.chisel-server.authfile

Path to auth.json file

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/chisel-server.nix>
services.chisel-server.backend

HTTP server to proxy normal requests to

Type: null or string

Default: null

Example: "http://127.0.0.1:8888"

Declared by:

<nixpkgs/nixos/modules/services/networking/chisel-server.nix>
services.chisel-server.host

Address to listen on, falls back to 0.0.0.0

Type: null or string

Default: null

Example: "[::1]"

Declared by:

<nixpkgs/nixos/modules/services/networking/chisel-server.nix>
services.chisel-server.keepalive

Keepalive interval, falls back to 25s

Type: null or string

Default: null

Example: "5s"

Declared by:

<nixpkgs/nixos/modules/services/networking/chisel-server.nix>
services.chisel-server.port

Port to listen on, falls back to 8080

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/chisel-server.nix>
services.chisel-server.reverse

Allow clients reverse port forwarding

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/chisel-server.nix>
services.chisel-server.socks5

Allow clients access to internal SOCKS5 proxy

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/chisel-server.nix>
services.chromadb.enable

Whether to enable ChromaDB, an open-source AI application database…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/chromadb.nix>
services.chromadb.package

ChromaDB package to use.

Type: package

Default: "pkgs.python3Packages.chromadb"

Example: pkgs.python3Packages.chromadb

Declared by:

<nixpkgs/nixos/modules/services/databases/chromadb.nix>
services.chromadb.dbpath

Location where ChromaDB stores its files

Type: string

Default: "/var/lib/chromadb"

Declared by:

<nixpkgs/nixos/modules/services/databases/chromadb.nix>
services.chromadb.host

Defines the IP address by which ChromaDB will be accessible.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/databases/chromadb.nix>
services.chromadb.logFile

Specifies the location of file for logging output.

Type: path

Default: "/var/log/chromadb/chromadb.log"

Declared by:

<nixpkgs/nixos/modules/services/databases/chromadb.nix>
services.chromadb.openFirewall

Whether to automatically open the specified TCP port in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/chromadb.nix>
services.chromadb.port

Defined the port number to listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8000

Declared by:

<nixpkgs/nixos/modules/services/databases/chromadb.nix>
services.chrony.enable

Whether to synchronise your machine’s time using chrony. Make sure you disable NTP if you enable this service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/chrony.nix>
services.chrony.enableMemoryLocking

Whether to add the -m flag to lock memory.

Type: boolean

Default: "config.environment.memoryAllocator.provider != \"graphene-hardened\""

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/chrony.nix>
services.chrony.enableNTS

Whether to enable Network Time Security authentication. Make sure it is supported by your selected NTP server(s).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/chrony.nix>
services.chrony.enableRTCTrimming

Enable tracking of the RTC offset to the system clock and automatic trimming. See also services.chrony.autotrimThreshold

Note

This is not compatible with the rtcsync directive, which naively syncs the RTC time every 11 minutes.

Tracking the RTC drift will allow more precise timekeeping, especially on intermittently running devices, where the RTC is very relevant.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/chrony.nix>
services.chrony.package

The chrony package to use.

Type: package

Default: pkgs.chrony

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/chrony.nix>
services.chrony.autotrimThreshold

Maximum estimated error threshold for the rtcautotrim command. When reached, the RTC will be trimmed. Only used when services.chrony.enableRTCTrimming is enabled.

Type: positive integer, meaning >0

Default: 30

Example: 10

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/chrony.nix>
services.chrony.directory

Directory where chrony state is stored.

Type: string

Default: "/var/lib/chrony"

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/chrony.nix>
services.chrony.extraConfig

Extra configuration directives that should be added to chrony.conf

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/chrony.nix>
services.chrony.extraFlags

Extra flags passed to the chronyd command.

Type: list of string

Default: [ ]

Example:

[
  "-s"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/chrony.nix>
services.chrony.initstepslew.enabled

Allow chronyd to make a rapid measurement of the system clock error at boot time, and to correct the system clock by stepping before normal operation begins.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/chrony.nix>
services.chrony.initstepslew.threshold

The threshold of system clock error (in seconds) above which the clock will be stepped. If the correction required is less than the threshold, a slew is used instead.

Type: floating point number or signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/chrony.nix>
services.chrony.serverOption

Set option for server directives.

Use “iburst” to rapidly poll on startup. Recommended if your machine is consistently online.

Use “offline” to prevent polling on startup. Recommended if your machine boots offline or is otherwise frequently offline.

Type: one of “iburst”, “offline”

Default: "iburst"

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/chrony.nix>
services.chrony.servers

The set of NTP servers from which to synchronise.

Type: list of string

Default: config.networking.timeServers

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/chrony.nix>
services.cinnamon.apps.enable

Whether to enable Cinnamon default applications.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix>
services.cjdns.enable

Whether to enable the cjdns network encryption and routing engine. A file at /etc/cjdns.keys will be created if it does not exist to contain a random secret key that your IPv6 address will be derived from.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.ETHInterface.beacon

Auto-connect to other cjdns nodes on the same network. Options: 0: Disabled. 1: Accept beacons, this will cause cjdns to accept incoming beacon messages and try connecting to the sender. 2: Accept and send beacons, this will cause cjdns to broadcast messages on the local network which contain a randomly generated per-session password, other nodes which have this set to 1 or 2 will hear the beacon messages and connect automatically.

Type: signed integer

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.ETHInterface.bind

Bind to this device for native ethernet operation. all is a pseudo-name which will try to connect to all devices.

Type: string

Default: ""

Example: "eth0"

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.ETHInterface.connectTo

Credentials for connecting look similar to UDP credientials except they begin with the mac address.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "01:02:03:04:05:06" = {
    hostname = "homer.hype";
    password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
    publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.ETHInterface.connectTo.<name>.hostname

Optional hostname to add to /etc/hosts; prevents reverse lookup failures.

Type: string

Default: ""

Example: "foobar.hype"

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.ETHInterface.connectTo.<name>.login

(optional) name your peer has for you

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.ETHInterface.connectTo.<name>.password

Authorized password to the opposite end of the tunnel.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.ETHInterface.connectTo.<name>.peerName

(optional) human-readable name for peer

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.ETHInterface.connectTo.<name>.publicKey

Public key at the opposite end of the tunnel.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.UDPInterface.bind

Address and port to bind UDP tunnels to.

Type: string

Default: ""

Example: "192.168.1.32:43211"

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.UDPInterface.connectTo

Credentials for making UDP tunnels.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "192.168.1.1:27313" = {
    hostname = "homer.hype";
    password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
    publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.UDPInterface.connectTo.<name>.hostname

Optional hostname to add to /etc/hosts; prevents reverse lookup failures.

Type: string

Default: ""

Example: "foobar.hype"

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.UDPInterface.connectTo.<name>.login

(optional) name your peer has for you

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.UDPInterface.connectTo.<name>.password

Authorized password to the opposite end of the tunnel.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.UDPInterface.connectTo.<name>.peerName

(optional) human-readable name for peer

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.UDPInterface.connectTo.<name>.publicKey

Public key at the opposite end of the tunnel.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.addExtraHosts

Whether to add cjdns peers with an associated hostname to /etc/hosts. Beware that enabling this incurs heavy eval-time costs.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.admin.bind

Bind the administration port to this address and port.

Type: string

Default: "127.0.0.1:11234"

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.authorizedPasswords

Any remote cjdns nodes that offer these passwords on connection will be allowed to route through this node.

Type: list of string

Default: [ ]

Example:

[
  "snyrfgkqsc98qh1y4s5hbu0j57xw5s0"
  "z9md3t4p45mfrjzdjurxn4wuj0d8swv"
  "49275fut6tmzu354pq70sr5b95qq0vj"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.confFile

Ignore all other cjdns options and load configuration from this file.

Type: null or path

Default: null

Example: "/etc/cjdroute.conf"

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.cjdns.extraConfig

Extra configuration, given as attrs, that will be merged recursively with the rest of the JSON generated by this module, at the root node.

Type: attribute set

Default: { }

Example:

{
  router = {
    interface = {
      tunDevice = "tun10";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/cjdns.nix>
services.clamav.package

The clamav package to use.

Type: package

Default: pkgs.clamav

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.daemon.enable

Whether to enable ClamAV clamd daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.daemon.settings

ClamAV configuration. Refer to https://linux.die.net/man/5/clamd.conf, for details on supported values.

Type: attribute set of (boolean or signed integer or string or list of string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.fangfrisch.enable

Whether to enable ClamAV fangfrisch updater.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.fangfrisch.interval

How often freshclam is invoked. See systemd.time(7) for more information about the format.

Type: string

Default: "hourly"

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.fangfrisch.settings

fangfrisch configuration. Refer to https://rseichter.github.io/fangfrisch/#_configuration, for details on supported values. Note that by default urlhaus and sanesecurity are enabled.

Type: attribute set of attribute set of (string or signed integer or boolean)

Default: { }

Example:

{
  securiteinfo = {
    customer_id = "your customer_id";
    enabled = "yes";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.scanner.enable

Whether to enable ClamAV scanner.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.scanner.interval

How often clamdscan is invoked. See systemd.time(7) for more information about the format. By default this runs using 10 cores at most, be sure to run it at a time of low traffic.

Type: string

Default: "*-*-* 04:00:00"

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.scanner.scanDirectories

List of directories to scan. The default includes everything I could think of that is valid for nixos. Feel free to contribute a PR to add to the default if you see something missing.

Type: list of string

Default:

[
  "/home"
  "/var/lib"
  "/tmp"
  "/etc"
  "/var/tmp"
]

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.updater.enable

Whether to enable ClamAV freshclam updater.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.updater.frequency

Number of database checks per day.

Type: signed integer

Default: 12

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.updater.interval

How often freshclam is invoked. See systemd.time(7) for more information about the format.

Type: string

Default: "hourly"

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamav.updater.settings

freshclam configuration. Refer to https://linux.die.net/man/5/freshclam.conf, for details on supported values.

Type: attribute set of (boolean or signed integer or string or list of string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/clamav.nix>
services.clamsmtp.enable

Whether to enable clamsmtp.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clamsmtp.instances

Instances of clamsmtp to run.

Type: list of (submodule)

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clamsmtp.instances.*.action

Action to take when a virus is detected.

Note that viruses often spoof sender addresses, so bouncing is in most cases not a good idea.

Type: one of “bounce”, “drop”, “pass”

Default: "drop"

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clamsmtp.instances.*.header

A header to add to scanned messages. See clamsmtpd.conf(5) for more details. Empty means no header.

Type: string

Default: ""

Example: "X-Virus-Scanned: ClamAV using ClamSMTP"

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clamsmtp.instances.*.keepAlives

Number of seconds to wait between each NOOP sent to the sending server. 0 to disable.

This is meant for slow servers where the sending MTA times out waiting for clamd to scan the file.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clamsmtp.instances.*.listen

Address to wait for incoming SMTP connections on. See clamsmtpd.conf(5) for more details.

Type: string

Example: "127.0.0.1:10025"

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clamsmtp.instances.*.maxConnections

Maximum number of connections to accept at once.

Type: signed integer

Default: 64

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clamsmtp.instances.*.outAddress

Address of the SMTP server to send email to once it has been scanned.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clamsmtp.instances.*.quarantine

Whether to quarantine files that contain viruses by leaving them in the temporary directory.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clamsmtp.instances.*.tempDirectory

Temporary directory that needs to be accessible to both clamd and clamsmtpd.

Type: string

Default: "/tmp"

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clamsmtp.instances.*.timeout

Time-out for network connections.

Type: signed integer

Default: 180

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clamsmtp.instances.*.transparentProxy

Enable clamsmtp’s transparent proxy support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clamsmtp.instances.*.virusAction

Command to run when a virus is found. Please see VIRUS ACTION in clamsmtpd(8) for a discussion of this option and its safe use.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clamsmtp.instances.*.xClient

Send the XCLIENT command to the receiving server, for forwarding client addresses and connection information if the receiving server supports this feature.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/clamsmtp.nix>
services.clatd.enable

Whether to enable clatd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/clatd.nix>
services.clatd.enableNetworkManagerIntegration

Whether to enable NetworkManager integration.

Type: boolean

Default: "config.networking.networkmanager.enable"

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/clatd.nix>
services.clatd.package

The clatd package to use.

Type: package

Default: pkgs.clatd

Declared by:

<nixpkgs/nixos/modules/services/networking/clatd.nix>
services.clatd.settings

Configuration of clatd. See clatd Documentation.

Type: attribute set of (atom (null, bool, int, float or string))

Default: { }

Example:

{
  plat-prefix = "64:ff9b::/96";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/clatd.nix>
services.clickhouse.enable

Whether to enable ClickHouse database server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/clickhouse.nix>
services.clickhouse.package

The clickhouse package to use.

Type: package

Default: pkgs.clickhouse

Declared by:

<nixpkgs/nixos/modules/services/databases/clickhouse.nix>
services.clight.enable

Whether to enable clight.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/clight.nix>
services.clight.settings

Additional configuration to extend clight.conf. See https://github.com/FedeDP/Clight/blob/master/Extra/clight.conf for a sample configuration file.

Type: attribute set of (null or signed integer or string or boolean or floating point number or list of (signed integer or string or boolean or floating point number) or attribute set of (signed integer or string or boolean or floating point number or list of (signed integer or string or boolean or floating point number)))

Default: { }

Example:

{
  ac_capture_timeouts = [
    120
    300
    60
  ];
  captures = 20;
  gamma_long_transition = true;
}

Declared by:

<nixpkgs/nixos/modules/services/x11/clight.nix>
services.clight.temperature.day

Colour temperature to use during the day, between 1000 and 25000 K.

Type: signed integer

Default: 5500

Declared by:

<nixpkgs/nixos/modules/services/x11/clight.nix>
services.clight.temperature.night

Colour temperature to use at night, between 1000 and 25000 K.

Type: signed integer

Default: 3700

Declared by:

<nixpkgs/nixos/modules/services/x11/clight.nix>
services.clipcat.enable

Whether to enable Clipcat clipboard daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/clipcat.nix>
services.clipcat.package

The clipcat package to use.

Type: package

Default: pkgs.clipcat

Declared by:

<nixpkgs/nixos/modules/services/misc/clipcat.nix>
services.clipmenu.enable

Whether to enable clipmenu, the clipboard management daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/clipmenu.nix>
services.clipmenu.package

The clipmenu package to use.

Type: package

Default: pkgs.clipmenu

Declared by:

<nixpkgs/nixos/modules/services/misc/clipmenu.nix>
services.cloud-init.enable

Enable the cloud-init service. This services reads configuration metadata in a cloud environment and configures the machine according to this metadata.

This configuration is not completely compatible with the NixOS way of doing configuration, as configuration done by cloud-init might be overridden by a subsequent nixos-rebuild call. However, some parts of cloud-init fall outside of NixOS’s responsibility, like filesystem resizing and ssh public key provisioning, and cloud-init is useful for that parts. Thus, be wary that using cloud-init in NixOS might come as some cost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/system/cloud-init.nix>
services.cloud-init.btrfs.enable

Allow the cloud-init service to operate btrfs filesystem.

Type: boolean

Default: hasFs "btrfs"

Declared by:

<nixpkgs/nixos/modules/services/system/cloud-init.nix>
services.cloud-init.config

raw cloud-init configuration.

Takes precedence over the settings option if set.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/system/cloud-init.nix>
services.cloud-init.ext4.enable

Allow the cloud-init service to operate ext4 filesystem.

Type: boolean

Default: hasFs "ext4"

Declared by:

<nixpkgs/nixos/modules/services/system/cloud-init.nix>
services.cloud-init.extraPackages

List of additional packages to be available within cloud-init jobs.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/system/cloud-init.nix>
services.cloud-init.network.enable

Allow the cloud-init service to configure network interfaces through systemd-networkd.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/system/cloud-init.nix>
services.cloud-init.settings

Structured cloud-init configuration.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/system/cloud-init.nix>
services.cloud-init.xfs.enable

Allow the cloud-init service to operate xfs filesystem.

Type: boolean

Default: hasFs "xfs"

Declared by:

<nixpkgs/nixos/modules/services/system/cloud-init.nix>
services.cloudflare-dyndns.enable

Whether to enable Cloudflare Dynamic DNS Client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-dyndns.nix>
services.cloudflare-dyndns.package

The cloudflare-dyndns package to use.

Type: package

Default: pkgs.cloudflare-dyndns

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-dyndns.nix>
services.cloudflare-dyndns.apiTokenFile

The path to a file containing the CloudFlare API token.

The file must have the form CLOUDFLARE_API_TOKEN=...

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-dyndns.nix>
services.cloudflare-dyndns.deleteMissing

Whether to delete the record when no IP address is found.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-dyndns.nix>
services.cloudflare-dyndns.domains

List of domain names to update records for.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-dyndns.nix>
services.cloudflare-dyndns.frequency

Run cloudflare-dyndns with the given frequency (see systemd.time(7) for the format). If null, do not run automatically.

Type: null or string

Default: "*:0/5"

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-dyndns.nix>
services.cloudflare-dyndns.ipv4

Whether to enable setting IPv4 A records.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-dyndns.nix>
services.cloudflare-dyndns.ipv6

Whether to enable setting IPv6 AAAA records.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-dyndns.nix>
services.cloudflare-dyndns.proxied

Whether this is a DNS-only record, or also being proxied through CloudFlare.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-dyndns.nix>
services.cloudflare-warp.enable

Whether to enable Cloudflare Zero Trust client daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-warp.nix>
services.cloudflare-warp.package

The cloudflare-warp package to use.

Type: package

Default: pkgs.cloudflare-warp

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-warp.nix>
services.cloudflare-warp.openFirewall

Whether to enable opening UDP ports in the firewall.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-warp.nix>
services.cloudflare-warp.rootDir

Working directory for the warp-svc daemon.

Type: string

Default: "/var/lib/cloudflare-warp"

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-warp.nix>
services.cloudflare-warp.udpPort

The UDP port to open in the firewall. Warp uses port 2408 by default, but fallback ports can be used if that conflicts with another service. See the firewall documentation for the pre-configured available fallback ports.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2408

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflare-warp.nix>
services.cloudflared.enable

Whether to enable Cloudflare Tunnel client daemon (formerly Argo Tunnel).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.package

The cloudflared package to use.

Type: package

Default: pkgs.cloudflared

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.group

Group under which cloudflared runs.

Type: string

Default: "cloudflared"

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels

Cloudflare tunnels.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "00000000-0000-0000-0000-000000000000" = {
    credentialsFile = "/tmp/test";
    default = "http_status:404";
    ingress = {
      "*.domain1.com" = {
        service = "http://localhost:80";
      };
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.credentialsFile

Credential file.

See Credentials file.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.default

Catch-all service if no ingress matches.

See service.

Type: string

Example: "http_status:404"

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.ingress

Ingress rules.

See Ingress rules.

Type: attribute set of (string or (submodule))

Default: { }

Example:

{
  "*.anotherone.com" = "http://localhost:80";
  "*.domain.com" = "http://localhost:80";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.caPool

Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.

Type: null or string or path

Default: null

Example: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.connectTimeout

Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout.

Type: null or string

Default: null

Example: "30s"

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.disableChunkedEncoding

Disables chunked transfer encoding. Useful if you are running a WSGI server.

Type: null or boolean

Default: null

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.httpHostHeader

Sets the HTTP Host header on requests sent to the local service.

Type: null or string

Default: null

Example: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.keepAliveConnections

Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.

Type: null or signed integer

Default: null

Example: 100

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.keepAliveTimeout

Timeout after which an idle keepalive connection can be discarded.

Type: null or string

Default: null

Example: "1m30s"

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.noHappyEyeballs

Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.

Type: null or boolean

Default: null

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.noTLSVerify

Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted.

Type: null or boolean

Default: null

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.originServerName

Hostname that cloudflared should expect from your origin server certificate.

Type: null or string

Default: null

Example: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.proxyAddress

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen address for that proxy.

Type: null or string

Default: null

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.proxyPort

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures the listen port for that proxy. If set to zero, an unused port will randomly be chosen.

Type: null or signed integer

Default: null

Example: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.proxyType

cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are:

Type: null or one of “”, “socks”

Default: null

Example: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.tcpKeepAlive

The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.

Type: null or string

Default: null

Example: "30s"

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.originRequest.tlsTimeout

Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.

Type: null or string

Default: null

Example: "10s"

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.tunnels.<name>.warp-routing.enabled

Enable warp routing.

See Connect from WARP to a private network on Cloudflare using Cloudflare Tunnel.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudflared.user

User account under which Cloudflared runs.

Type: string

Default: "cloudflared"

Declared by:

<nixpkgs/nixos/modules/services/networking/cloudflared.nix>
services.cloudlog.enable

Whether to enable Cloudlog.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.baseUrl

Cloudlog base URL

Type: string

Default: "http://localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.dataDir

Cloudlog data directory.

Type: string

Default: "/var/lib/cloudlog"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.database.host

MySQL database host

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.database.name

MySQL database name.

Type: string

Default: "cloudlog"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.database.passwordFile

MySQL user password file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.database.user

MySQL user name.

Type: string

Default: "cloudlog"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.extraConfig

Any additional text to be appended to the config.php configuration file. This is a PHP script. For configuration settings, see https://github.com/magicbug/Cloudlog/wiki/Cloudlog.php-Configuration-File.

Type: string

Default: ""

Example:

''
  $config['show_time'] = TRUE;
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.poolConfig

Options for Cloudlog’s PHP-FPM pool.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.update-clublog-scp.enable

Whether to periodically update the Clublog SCP database. If enabled, a systemd timer will run the update task as specified by the interval option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.update-clublog-scp.interval

Specification (in the format described by systemd.time(7)) of the time at which the Clublog SCP update will occur.

Type: string

Default: "monthly"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.update-dok.enable

Whether to periodically update the DOK resource file. If enabled, a systemd timer will run the update task as specified by the interval option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.update-dok.interval

Specification (in the format described by systemd.time(7)) of the time at which the DOK update will occur.

Type: string

Default: "monthly"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.update-lotw-users.enable

Whether to periodically update the list of LoTW users. If enabled, a systemd timer will run the update task as specified by the interval option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.update-lotw-users.interval

Specification (in the format described by systemd.time(7)) of the time at which the LoTW user update will occur.

Type: string

Default: "weekly"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.update-sota.enable

Whether to periodically update the SOTA database. If enabled, a systemd timer will run the update task as specified by the interval option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.update-sota.interval

Specification (in the format described by systemd.time(7)) of the time at which the SOTA update will occur.

Type: string

Default: "monthly"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.update-wwff.enable

Whether to periodically update the WWFF database. If enabled, a systemd timer will run the update task as specified by the interval option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.update-wwff.interval

Specification (in the format described by systemd.time(7)) of the time at which the WWFF update will occur.

Type: string

Default: "monthly"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.upload-clublog.enable

Whether to periodically upload logs to Clublog. If enabled, a systemd timer will run the log upload task as specified by the interval option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.upload-clublog.interval

Specification (in the format described by systemd.time(7)) of the time at which the Clublog upload will occur.

Type: string

Default: "daily"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.upload-lotw.enable

Whether to periodically upload logs to LoTW. If enabled, a systemd timer will run the log upload task as specified by the interval option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.upload-lotw.interval

Specification (in the format described by systemd.time(7)) of the time at which the LoTW upload will occur.

Type: string

Default: "daily"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.upload-qrz.enable

Whether to periodically upload logs to QRZ. If enabled, a systemd timer will run the update task as specified by the interval option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.upload-qrz.interval

Specification (in the format described by systemd.time(7)) of the time at which the QRZ upload will occur.

Type: string

Default: "daily"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.user

User account under which Cloudlog runs.

Type: string

Default: "cloudlog"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cloudlog.virtualHost

Name of the nginx virtualhost to use and setup. If null, do not setup any virtualhost.

Type: null or string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cloudlog.nix>
services.cntlm.enable

Whether to enable cntlm, which starts a local proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.configText

Verbatim contents of cntlm.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.domain

Proxy account domain/workgroup name.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.extraConfig

Additional config appended to the end of the generated cntlm.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.netbios_hostname

The hostname of your machine.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.noproxy

A list of domains where the proxy is skipped.

Type: list of string

Default: [ ]

Example:

[
  "*.example.com"
  "example.com"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.password

Proxy account password. Note: use chmod 0600 on /etc/cntlm.password for security.

Type: string

Default: "/etc/cntlm.password"

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.port

Specifies on which ports the cntlm daemon listens.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

[
  3128
]

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.proxy

A list of NTLM/NTLMv2 authenticating HTTP proxies.

Parent proxy, which requires authentication. The same as proxy on the command-line, can be used more than once to specify unlimited number of proxies. Should one proxy fail, cntlm automatically moves on to the next one. The connect request fails only if the whole list of proxies is scanned and (for each request) and found to be invalid. Command-line takes precedence over the configuration file.

Type: list of string

Example:

[
  "proxy.example.com:81"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cntlm.username

Proxy account name, without the possibility to include domain name (‘at’ sign is interpreted literally).

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/cntlm.nix>
services.cockpit.enable

Whether to enable Cockpit.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cockpit.nix>
services.cockpit.package

The Cockpit package to use.

Type: package

Default: pkgs.cockpit

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cockpit.nix>
services.cockpit.openFirewall

Open port for cockpit.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cockpit.nix>
services.cockpit.port

Port where cockpit will listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9090

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cockpit.nix>
services.cockpit.settings

Settings for cockpit that will be saved in /etc/cockpit/cockpit.conf.

See the documentation, that is also available with man cockpit.conf.5 for details.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/cockpit.nix>
services.cockroachdb.enable

Whether to enable CockroachDB Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.package

The cockroachdb package to use. This would primarily be useful to enable Enterprise Edition features in your own custom CockroachDB build (Nixpkgs CockroachDB binaries only contain open source features and open source code).

Type: package

Default: pkgs.cockroachdb

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.cache

The total size for caches.

This can be a percentage, expressed with a fraction sign or as a decimal-point number, or any bytes-based unit. For example, "25%", "0.25" both represent 25% of the available system memory. The values "1000000000" and "1GB" both represent 1 gigabyte of memory.

Type: string

Default: "25%"

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.certsDir

The path to the certificate directory.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.extraArgs

Extra CLI arguments passed to cockroach start. For the full list of supported arguments, check https://www.cockroachlabs.com/docs/stable/cockroach-start.html#flags

Type: list of string

Default: [ ]

Example:

[
  "--advertise-addr"
  "[fe80::f6f2:::]"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.group

User account under which CockroachDB runs

Type: string

Default: "cockroachdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.http.address

Address to bind to for http-based Admin UI

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.http.port

Port to bind to for http-based Admin UI

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.insecure

Run in insecure mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.join

The addresses for connecting the node to a cluster.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.listen.address

Address to bind to for intra-cluster communication

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.listen.port

Port to bind to for intra-cluster communication

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 26257

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.locality

An ordered, comma-separated list of key-value pairs that describe the topography of the machine. Topography might include country, datacenter or rack designations. Data is automatically replicated to maximize diversities of each tier. The order of tiers is used to determine the priority of the diversity, so the more inclusive localities like country should come before less inclusive localities like datacenter. The tiers and order must be the same on all nodes. Including more tiers is better than including fewer. For example:

    country=us,region=us-west,datacenter=us-west-1b,rack=12
    country=ca,region=ca-east,datacenter=ca-east-2,rack=4

    planet=earth,province=manitoba,colo=secondary,power=3

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.maxSqlMemory

The maximum in-memory storage capacity available to store temporary data for SQL queries.

This can be a percentage, expressed with a fraction sign or as a decimal-point number, or any bytes-based unit. For example, "25%", "0.25" both represent 25% of the available system memory. The values "1000000000" and "1GB" both represent 1 gigabyte of memory.

Type: string

Default: "25%"

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.openPorts

Open firewall ports for cluster communication by default

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.cockroachdb.user

User account under which CockroachDB runs

Type: string

Default: "cockroachdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/cockroachdb.nix>
services.code-server.enable

Whether to enable code-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.package

The code-server package to use.

Type: package

Default: pkgs.code-server

Example:

pkgs.vscode-with-extensions.override {
  vscode = pkgs.code-server;
  vscodeExtensions = with pkgs.vscode-extensions; [
    bbenoist.nix
    dracula-theme.theme-dracula
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.auth

The type of authentication to use.

Type: one of “none”, “password”

Default: "password"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.disableFileDownloads

Disable file downloads from Code.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.disableGettingStartedOverride

Disable the coder/coder override in the Help: Getting Started page.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.disableTelemetry

Disable telemetry.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.disableUpdateCheck

Disable update check. Without this flag, code-server checks every 6 hours against the latest github release and then notifies you once every week that a new release is available.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.disableWorkspaceTrust

Disable Workspace Trust feature.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.extensionsDir

Path to the extensions directory.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.extraArguments

Additional arguments to pass to code-server.

Type: list of string

Default: [ ]

Example: [ "--log=info" ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.extraEnvironment

Additional environment variables to pass to code-server.

Type: attribute set of string

Default: { }

Example:

{
  PKG_CONFIG_PATH = "/run/current-system/sw/lib/pkgconfig";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.extraGroups

An array of additional groups for the code-server user.

Type: list of string

Default: [ ]

Example:

[
  "docker"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.extraPackages

Additional packages to add to the code-server PATH.

Type: list of package

Default: [ ]

Example: [ pkgs.go ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.group

The group to run code-server under. By default, a group named code-server will be created.

Type: string

Default: "code-server"

Example: "yourGroup"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.hashedPassword

Create the password with: echo -n 'thisismypassword' | npx argon2-cli -e.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.host

The host name or IP address the server should listen to.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.port

The port the server should listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4444

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.proxyDomain

Domain used for proxying ports.

Type: null or string

Default: null

Example: "code-server.lan"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.socket

Path to a socket (bind-addr will be ignored).

Type: null or string

Default: null

Example: "/run/code-server/socket"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.socketMode

File mode of the socket.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.user

The user to run code-server as. By default, a user named code-server will be created.

Type: string

Default: "code-server"

Example: "yourUser"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.code-server.userDataDir

Path to the user data directory.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/code-server.nix>
services.coder.enable

Whether to enable Coder service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.package

The coder package to use.

Type: package

Default: pkgs.coder

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.accessUrl

Access URL should be a external IP address or domain with DNS records pointing to Coder.

Type: null or string

Default: null

Example: "https://coder.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.database.database

Name of database.

Type: string

Default: "coder"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.database.host

Hostname hosting the database.

Type: string

Default: "/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.database.password

Password for accessing the database.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.database.sslmode

Password for accessing the database.

Type: null or string

Default: "disable"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.database.username

Username for accessing the database.

Type: string

Default: "coder"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.environment.extra

Extra environment variables to pass run Coder’s server with. See Coder documentation.

Type: attribute set

Default: { }

Example:

{
  CODER_OAUTH2_GITHUB_ALLOWED_ORGS = "your-org";
  CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.environment.file

Systemd environment file to add to Coder.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.group

Group under which the coder service runs.

Note

If left as the default value this group will automatically be created on system activation, otherwise it needs to be configured manually.

Type: string

Default: "coder"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.homeDir

Home directory for coder user.

Type: string

Default: "/var/lib/coder"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.listenAddress

Listen address.

Type: string

Default: "127.0.0.1:3000"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.tlsCert

The path to the TLS certificate.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.tlsKey

The path to the TLS key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.user

User under which the coder service runs.

Note

If left as the default value this user will automatically be created on system activation, otherwise it needs to be configured manually.

Type: string

Default: "coder"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.coder.wildcardAccessUrl

If you are providing TLS certificates directly to the Coder server, you must use a single certificate for the root and wildcard domains.

Type: null or string

Default: null

Example: "*.coder.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/coder.nix>
services.collabora-online.enable

Whether to enable collabora-online.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/collabora-online.nix>
services.collabora-online.package

The Collabora Online package to use.

Type: package

Default: pkgs.collabora-online

Declared by:

<nixpkgs/nixos/modules/services/web-apps/collabora-online.nix>
services.collabora-online.aliasGroups

Alias groups to use.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/collabora-online.nix>
services.collabora-online.aliasGroups.*.aliases

A list of regex pattern of aliasname.

Type: list of string

Default: [ ]

Example:

[
  "scheme://aliasname1:port"
  "scheme://aliasname2:port"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/collabora-online.nix>
services.collabora-online.aliasGroups.*.host

Hostname to allow or deny.

Type: string

Example: "scheme://hostname:port"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/collabora-online.nix>
services.collabora-online.extraArgs

Extra arguments to pass to the service.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/collabora-online.nix>
services.collabora-online.port

Listening port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9980

Declared by:

<nixpkgs/nixos/modules/services/web-apps/collabora-online.nix>
services.collabora-online.settings

Configuration for Collabora Online WebSocket Daemon, see https://sdk.collaboraonline.com/docs/installation/Configuration.html, or https://github.com/CollaboraOnline/online/blob/master/coolwsd.xml.in for the default configuration.

Type: `coolwsd.xml` configuration type, used to override values in the default configuration.

Attribute names correspond to XML tags unless prefixed with `@`. Nested attribute sets correspond to nested XML tags. Attribute prefixed with `@` correspond to XML attributes. E.g., `{ storage.wopi.“@allow” = true; }` in Nix corresponds to `<storage><wopi allow=“true”/></storage>` in `coolwsd.xml`, or `–o:storage.wopi[@allow]=true` in the command line.

Arrays correspond to multiple elements with the same tag name. E.g. `{ host = [ ‘‘127\.0\.0\.1’’ “::1” ]; }` in Nix corresponds to ```xml <net><post_allow> <host>127\.0\.0\.1</host> <host>::1</host> </post_allow></net> ``` in `coolwsd.xml`, or `–o:net.post_allow.host[0]='127\.0\.0\.1 --o:net.post_allow.host[1]=::1` in the command line.

Null values could be used to remove an element from the default configuration.

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/collabora-online.nix>
services.collectd.enable

Whether to enable collectd agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/collectd.nix>
services.collectd.package

The collectd package to use.

Type: package

Default: pkgs.collectd

Declared by:

<nixpkgs/nixos/modules/services/monitoring/collectd.nix>
services.collectd.autoLoadPlugin

Enable plugin autoloading.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/collectd.nix>
services.collectd.buildMinimalPackage

Build a minimal collectd package with only the configured services.collectd.plugins

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/collectd.nix>
services.collectd.dataDir

Data directory for collectd agent.

Type: path

Default: "/var/lib/collectd"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/collectd.nix>
services.collectd.extraConfig

Extra configuration for collectd. Use mkBefore to add lines before the default config, and mkAfter to add them below.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/collectd.nix>
services.collectd.include

Additional paths to load config from.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/collectd.nix>
services.collectd.plugins

Attribute set of plugin names to plugin config segments

Type: attribute set of strings concatenated with “\n”

Default: { }

Example:

{
  cpu = "";
  memory = "";
  network = "Server 192.168.1.1 25826";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/collectd.nix>
services.collectd.user

User under which to run collectd.

Type: null or string

Default: "collectd"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/collectd.nix>
services.collectd.validateConfig

Validate the syntax of collectd configuration file at build time. Disable this if you use the Include directive on files unavailable in the build sandbox, or when cross-compiling.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/collectd.nix>
services.colord.enable

Whether to enable colord, the color management daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/colord.nix>
services.commafeed.enable

Whether to enable CommaFeed.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/commafeed.nix>
services.commafeed.package

The commafeed package to use.

Type: package

Default: pkgs.commafeed

Declared by:

<nixpkgs/nixos/modules/services/web-apps/commafeed.nix>
services.commafeed.environment

Extra environment variables passed to CommaFeed, refer to https://github.com/Athou/commafeed/blob/master/commafeed-server/config.yml.example for supported values. The default user is admin and the default password is admin. Correct configuration for H2 database is already provided.

Type: attribute set of (boolean or signed integer or string)

Default: { }

Example:

{
  CF_SERVER_APPLICATIONCONNECTORS_0_PORT = 9090;
  CF_SERVER_APPLICATIONCONNECTORS_0_TYPE = "http";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/commafeed.nix>
services.commafeed.environmentFile

Environment file as defined in systemd.exec(5).

Type: null or path

Default: null

Example: "/var/lib/commafeed/commafeed.env"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/commafeed.nix>
services.commafeed.group

Group under which CommaFeed runs.

Type: string

Default: "commafeed"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/commafeed.nix>
services.commafeed.stateDir

Directory holding all state for CommaFeed to run.

Type: path

Default: "/var/lib/commafeed"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/commafeed.nix>
services.commafeed.user

User under which CommaFeed runs.

Type: string

Default: "commafeed"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/commafeed.nix>
services.compton

Alias of services.picom.

Type: submodule

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.conduwuit.enable

Whether to enable conduwuit.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.package

The conduwuit package to use.

Type: package

Default: pkgs.conduwuit

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.extraEnvironment

Extra Environment variables to pass to the conduwuit server.

Type: attribute set of string

Default: { }

Example:

{
  RUST_BACKTRACE = "yes";
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.group

The group conduwuit is run as.

Type: non-empty string

Default: "conduwuit"

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.settings

Generates the conduwuit.toml configuration file. Refer to https://conduwuit.puppyirl.gay/configuration.html for details on supported values.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.settings.global.address

Addresses (IPv4 or IPv6) to listen on for connections by the reverse proxy/tls terminator. If set to null, conduwuit will listen on IPv4 and IPv6 localhost. Must be null if unix_socket_path is set.

Type: null or (list of non-empty string)

Default: null

Example:

[
  "127.0.0.1"
  "::1"
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.settings.global.allow_check_for_updates

If enabled, conduwuit will send a simple GET request periodically to https://pupbrain.dev/check-for-updates/stable for any new announcements made. Despite the name, this is not an update check endpoint, it is simply an announcement check endpoint.

Disabled by default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.settings.global.allow_encryption

Whether new encrypted rooms can be created. Note: existing rooms will continue to work.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.settings.global.allow_federation

Whether this server federates with other servers.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.settings.global.allow_registration

Whether new users can register on this server.

Registration with token requires registration_token or registration_token_file to be set.

If set to true without a token configured, and yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse is set to true, users can freely register.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.settings.global.database_path

Path to the conduwuit database, the directory where conduwuit will save its data. Note that database_path cannot be edited because of the service’s reliance on systemd StateDir.

Type: path (read only)

Default: "/var/lib/conduwuit/"

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.settings.global.max_request_size

Max request size in bytes. Don’t forget to also change it in the proxy.

Type: positive integer, meaning >0

Default: 20000000

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.settings.global.port

The port(s) conduwuit will be running on. You need to set up a reverse proxy in your web server (e.g. apache or nginx), so all requests to /_matrix on port 443 and 8448 will be forwarded to the conduwuit instance running on this port.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

[
  6167
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.settings.global.server_name

The server_name is the name of this server. It is used as a suffix for user and room ids.

Type: non-empty string

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.settings.global.trusted_servers

Servers listed here will be used to gather public keys of other servers (notary trusted key servers).

Currently, conduwuit doesn’t support inbound batched key requests, so this list should only contain other Synapse servers.

Example: [ "matrix.org" "constellatory.net" "tchncs.de" ]

Type: list of non-empty string

Default:

[
  "matrix.org"
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.settings.global.unix_socket_path

Listen on a UNIX socket at the specified path. If listening on a UNIX socket, listening on an address will be disabled. The address option must be set to null (the default value). The option services.conduwuit.group must be set to a group your reverse proxy is part of.

This will automatically add a system user “conduwuit” to your system if services.conduwuit.user is left at the default, and a “conduwuit” group if services.conduwuit.group is left at the default.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.settings.global.unix_socket_perms

The default permissions (in octal) to create the UNIX socket with.

Type: positive integer, meaning >0

Default: 660

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.conduwuit.user

The user conduwuit is run as.

Type: non-empty string

Default: "conduwuit"

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduwuit.nix>
services.confd.enable

Whether to enable confd, a service to manage local application configuration files using templates and data from etcd/consul/redis/zookeeper.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/confd.nix>
services.confd.package

The confd package to use.

Type: package

Default: pkgs.confd

Declared by:

<nixpkgs/nixos/modules/services/misc/confd.nix>
services.confd.backend

Confd config storage backend to use.

Type: one of “etcd”, “consul”, “redis”, “zookeeper”

Default: "etcd"

Declared by:

<nixpkgs/nixos/modules/services/misc/confd.nix>
services.confd.confDir

The path to the confd configs.

Type: path

Default: "/etc/confd"

Declared by:

<nixpkgs/nixos/modules/services/misc/confd.nix>
services.confd.interval

Confd check interval.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/misc/confd.nix>
services.confd.logLevel

Confd log level.

Type: one of “info”, “debug”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/misc/confd.nix>
services.confd.nodes

Confd list of nodes to connect to.

Type: list of string

Default:

[
  "http://127.0.0.1:2379"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/confd.nix>
services.confd.prefix

The string to prefix to keys.

Type: path

Default: "/"

Declared by:

<nixpkgs/nixos/modules/services/misc/confd.nix>
services.confd.watch

Confd, whether to watch etcd config for changes.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/confd.nix>
services.connman.enable

Whether to use ConnMan for managing your network connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/connman.nix>
services.connman.enableVPN

Whether to enable ConnMan VPN service.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/connman.nix>
services.connman.package

The connman package / build flavor

Type: package

Default: pkgs.connman

Example: pkgs.connmanFull

Declared by:

<nixpkgs/nixos/modules/services/networking/connman.nix>
services.connman.extraConfig

Configuration lines appended to the generated connman configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/connman.nix>
services.connman.extraFlags

Extra flags to pass to connmand

Type: list of string

Default: [ ]

Example:

[
  "--nodnsproxy"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/connman.nix>
services.connman.networkInterfaceBlacklist

Default blacklisted interfaces, this includes NixOS containers interfaces (ve).

Type: list of string

Default:

[
  "vmnet"
  "vboxnet"
  "virbr"
  "ifb"
  "ve"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/connman.nix>
services.connman.wifi.backend

Specify the Wi-Fi backend used. Currently supported are wpa_supplicant or iwd.

Type: one of “wpa_supplicant”, “iwd”

Default: "wpa_supplicant"

Declared by:

<nixpkgs/nixos/modules/services/networking/connman.nix>
services.consul.enable

Enables the consul daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.package

The consul package to use.

Type: package

Default: pkgs.consul

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.alerts.enable

Whether to enable consul-alerts.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.alerts.package

The consul-alerts package to use.

Type: package

Default: pkgs.consul-alerts

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.alerts.consulAddr

Consul api listening address

Type: string

Default: "localhost:8500"

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.alerts.listenAddr

Api listening address.

Type: string

Default: "localhost:9000"

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.alerts.watchChecks

Whether to enable check watcher.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.alerts.watchEvents

Whether to enable event watcher.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.dropPrivileges

Whether the consul agent should be run as a non-root consul user.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.extraConfig

Extra configuration options which are serialized to json and added to the config.json file.

Type: attribute set of anything

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.extraConfigFiles

Additional configuration files to pass to consul NOTE: These will not trigger the service to be restarted when altered.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.forceAddrFamily

Whether to bind ipv4/ipv6 or both kind of addresses.

Type: one of “any”, “ipv4”, “ipv6”

Default: "any"

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.forceIpv4

Deprecated: Use consul.forceAddrFamily instead. Whether we should force the interfaces to only pull ipv4 addresses.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.interface.advertise

The name of the interface to pull the advertise_addr from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.interface.bind

The name of the interface to pull the bind_addr from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.leaveOnStop

If enabled, causes a leave action to be sent when closing consul. This allows a clean termination of the node, but permanently removes it from the cluster. You probably don’t want this option unless you are running a node which going offline in a permanent / semi-permanent fashion.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul.webUi

Enables the web interface on the consul http port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/consul.nix>
services.consul-template.instances

Attribute set of consul-template instances. Creates independent consul-template-${name}.service systemd units for each instance defined here.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.consul-template.instances.<name>.enable

Whether to enable this consul-template instance.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.consul-template.instances.<name>.package

The consul-template package to use.

Type: package

Default: pkgs.consul-template

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.consul-template.instances.<name>.group

Group under which this instance runs.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.consul-template.instances.<name>.settings

Free-form settings written directly to the config.json file. Refer to https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#configuration-file for supported values.

Note

Resulting format is JSON not HCL. Refer to https://www.hcl2json.com/ if you are unsure how to convert HCL options to JSON.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.consul-template.instances.<name>.settings.pid_file

Path to use for the pid file.

Type: string

Default: "/run/consul-template/‹name›.pid"

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.consul-template.instances.<name>.settings.template

Template section of consul-template. Refer to https://github.com/hashicorp/consul-template/blob/main/docs/configuration.md#templates for supported values.

Type: null or (list of attribute set of anything)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.consul-template.instances.<name>.user

User under which this instance runs.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.convos.enable

Whether to enable Convos.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/convos.nix>
services.convos.listenAddress

Address or host the web interface should listen on

Type: string

Default: "*"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/convos.nix>
services.convos.listenPort

Port the web interface should listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Example: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/convos.nix>
services.convos.reverseProxy

Enables reverse proxy support. This will allow Convos to automatically pick up the X-Forwarded-For and X-Request-Base HTTP headers set in your reverse proxy web server. Note that enabling this option without a reverse proxy in front will be a security issue.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/convos.nix>
services.coredns.enable

Whether to enable Coredns dns server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/coredns.nix>
services.coredns.package

The coredns package to use.

Type: package

Default: pkgs.coredns

Declared by:

<nixpkgs/nixos/modules/services/networking/coredns.nix>
services.coredns.config

Verbatim Corefile to use. See https://coredns.io/manual/toc/#configuration for details.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  . {
    whoami
  }
''

Declared by:

<nixpkgs/nixos/modules/services/networking/coredns.nix>
services.coredns.extraArgs

Extra arguments to pass to coredns.

Type: list of string

Default: [ ]

Example:

[
  "-dns.port=53"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/coredns.nix>
services.corerad.enable

Whether to enable CoreRAD IPv6 NDP RA daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/corerad.nix>
services.corerad.package

The corerad package to use.

Type: package

Default: pkgs.corerad

Declared by:

<nixpkgs/nixos/modules/services/networking/corerad.nix>
services.corerad.configFile

Path to CoreRAD TOML configuration file.

Type: path

Example: "${pkgs.corerad}/etc/corerad/corerad.toml"

Declared by:

<nixpkgs/nixos/modules/services/networking/corerad.nix>
services.corerad.settings

Configuration for CoreRAD, see https://github.com/mdlayher/corerad/blob/main/internal/config/reference.toml for supported values. Ignored if configFile is set.

Type: TOML value

Example:

{
  interfaces = [
    # eth0 is an upstream interface monitoring for IPv6 router advertisements.
    {
      name = "eth0";
      monitor = true;
    }
    # eth1 is a downstream interface advertising IPv6 prefixes for SLAAC.
    {
      name = "eth1";
      advertise = true;
      prefix = [{ prefix = "::/64"; }];
    }
  ];
  # Optionally enable Prometheus metrics.
  debug = {
    address = "localhost:9430";
    prometheus = true;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/corerad.nix>
services.corosync.enable

Whether to enable corosync.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/corosync/default.nix>
services.corosync.package

The corosync package to use.

Type: package

Default: pkgs.corosync

Declared by:

<nixpkgs/nixos/modules/services/cluster/corosync/default.nix>
services.corosync.clusterName

Name of the corosync cluster.

Type: string

Default: "nixcluster"

Declared by:

<nixpkgs/nixos/modules/services/cluster/corosync/default.nix>
services.corosync.extraOptions

Additional options with which to start corosync.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/corosync/default.nix>
services.corosync.nodelist

Corosync nodelist: all cluster members.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/corosync/default.nix>
services.corosync.nodelist.*.name

Node name

Type: string

Declared by:

<nixpkgs/nixos/modules/services/cluster/corosync/default.nix>
services.corosync.nodelist.*.nodeid

Node ID number

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/cluster/corosync/default.nix>
services.corosync.nodelist.*.ring_addrs

List of addresses, one for each ring.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/cluster/corosync/default.nix>
services.coturn.enable

Whether to enable coturn TURN server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.alt-listening-port

Alternative listening port for UDP and TCP listeners; default (or zero) value means “listening port plus one”. This is needed for RFC 5780 support (STUN extension specs, NAT behavior discovery). The TURN Server supports RFC 5780 only if it is started with more than one listening IP address of the same family (IPv4 or IPv6). RFC 5780 is supported only by UDP protocol, other protocols are listening to that endpoint only for “symmetry”.

Type: signed integer

Default: listening-port + 1

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.alt-tls-listening-port

Alternative listening port for TLS and DTLS protocols.

Type: signed integer

Default: tls-listening-port + 1

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.cert

Certificate file in PEM format.

Type: null or string

Default: null

Example: "/var/lib/acme/example.com/fullchain.pem"

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.cli-ip

Local system IP address to be used for CLI server endpoint.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.cli-password

CLI access password. For the security reasons, it is recommended to use the encrypted for of the password (see the -P command in the turnadmin utility).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.cli-port

CLI server port.

Type: signed integer

Default: 5766

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.dh-file

Use custom DH TLS key, stored in PEM format in the file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.extraConfig

Additional configuration options

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.listening-ips

Listener IP addresses of relay server. If no IP(s) specified in the config file or in the command line options, then all IPv4 and IPv6 system IPs will be used for listening.

Type: list of string

Default: [ ]

Example:

[
  "203.0.113.42"
  "2001:DB8::42"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.listening-port

TURN listener port for UDP and TCP. Note: actually, TLS and DTLS sessions can connect to the “plain” TCP and UDP port(s), too - if allowed by configuration.

Type: signed integer

Default: 3478

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.lt-cred-mech

Use long-term credential mechanism.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.max-port

Upper bound of UDP relay endpoints

Type: signed integer

Default: 65535

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.min-port

Lower bound of UDP relay endpoints

Type: signed integer

Default: 49152

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.no-auth

This option is opposite to lt-cred-mech. (TURN Server with no-auth option allows anonymous access). If neither option is defined, and no users are defined, then no-auth is default. If at least one user is defined, in this file or in command line or in usersdb file, then lt-cred-mech is default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.no-cli

Turn OFF the CLI support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.no-dtls

Disable DTLS client listener

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.no-tcp

Disable TCP client listener

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.no-tcp-relay

Disable TCP relay endpoints

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.no-tls

Disable TLS client listener

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.no-udp

Disable UDP client listener

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.no-udp-relay

Disable UDP relay endpoints

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.pkey

Private key file in PEM format.

Type: null or string

Default: null

Example: "/var/lib/acme/example.com/key.pem"

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.realm

The default realm to be used for the users when no explicit origin/realm relationship was found in the database, or if the TURN server is not using any database (just the commands-line settings and the userdb file). Must be used with long-term credentials mechanism or with TURN REST API.

Type: string

Default: config.networking.hostName

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.relay-ips

Relay address (the local IP address that will be used to relay the packets to the peer). Multiple relay addresses may be used. The same IP(s) can be used as both listening IP(s) and relay IP(s).

If no relay IP(s) specified, then the turnserver will apply the default policy: it will decide itself which relay addresses to be used, and it will always be using the client socket IP address as the relay IP address of the TURN session (if the requested relay address family is the same as the family of the client socket).

Type: list of string

Default: [ ]

Example:

[
  "203.0.113.42"
  "2001:DB8::42"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.secure-stun

Require authentication of the STUN Binding request. By default, the clients are allowed anonymous access to the STUN Binding functionality.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.static-auth-secret

‘Static’ authentication secret value (a string) for TURN REST API only. If not set, then the turn server will try to use the ‘dynamic’ value in turn_secret table in user database (if present). The database-stored value can be changed on-the-fly by a separate program, so this is why that other mode is ‘dynamic’.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.static-auth-secret-file

Path to the file containing the static authentication secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.tls-listening-port

TURN listener port for TLS. Note: actually, “plain” TCP and UDP sessions can connect to the TLS and DTLS port(s), too - if allowed by configuration. The TURN server “automatically” recognizes the type of traffic. Actually, two listening endpoints (the “plain” one and the “tls” one) are equivalent in terms of functionality; but we keep both endpoints to satisfy the RFC 5766 specs. For secure TCP connections, we currently support SSL version 3 and TLS version 1.0, 1.1 and 1.2. For secure UDP connections, we support DTLS version 1.

Type: signed integer

Default: 5349

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.coturn.use-auth-secret

TURN REST API flag. Flag that sets a special authorization option that is based upon authentication secret. This feature can be used with the long-term authentication mechanism, only. This feature purpose is to support “TURN Server REST API”, see “TURN REST API” link in the project’s page https://github.com/coturn/coturn/

This option is used with timestamp:

usercombo -> “timestamp:userid” turn user -> usercombo turn password -> base64(hmac(secret key, usercombo))

This allows TURN credentials to be accounted for a specific user id. If you don’t have a suitable id, the timestamp alone can be used. This option is just turning on secret-based authentication. The actual value of the secret is defined either by option static-auth-secret, or can be found in the turn_secret table in the database.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/coturn.nix>
services.couchdb.enable

Whether to enable CouchDB Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.package

The couchdb3 package to use.

Type: package

Default: pkgs.couchdb3

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.adminPass

Couchdb (i.e. fauxton) account with permission for all dbs and tasks.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.adminUser

Couchdb (i.e. fauxton) account with permission for all dbs and tasks.

Type: string

Default: "admin"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.argsFile

vm.args configuration. Overrides Couchdb’s Erlang VM parameters file.

Type: path

Default: "config.services.couchdb.package/etc/vm.args"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.bindAddress

Defines the IP address by which CouchDB will be accessible.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.configFile

Configuration file for persisting runtime changes. File needs to be readable and writable from couchdb user/group.

Type: path

Default: "/var/lib/couchdb/local.ini"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.databaseDir

Specifies location of CouchDB database files (*.couch named). This location should be writable and readable for the user the CouchDB service runs as (couchdb by default).

Type: path

Default: "/var/lib/couchdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.extraConfig

Extra configuration options for CouchDB

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.extraConfigFiles

Extra configuration files. Overrides any other configuration. You can use this to setup the Admin user without putting the password in your nix store.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.group

Group account under which couchdb runs.

Type: string

Default: "couchdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.logFile

Specifies the location of file for logging output.

Type: path

Default: "/var/log/couchdb.log"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.port

Defined the port number to listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5984

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.uriFile

This file contains the full URI that can be used to access this instance of CouchDB. It is used to help discover the port CouchDB is running on (if it was set to 0 (e.g. automatically assigned any free one). This file should be writable and readable for the user that runs the CouchDB service (couchdb by default).

Type: path

Default: "/run/couchdb/couchdb.uri"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.user

User account under which couchdb runs.

Type: string

Default: "couchdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.couchdb.viewIndexDir

Specifies location of CouchDB view index files. This location should be writable and readable for the user that runs the CouchDB service (couchdb by default).

Type: path

Default: "/var/lib/couchdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/couchdb.nix>
services.cpuminer-cryptonight.enable

Whether to enable the cpuminer cryptonight miner.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/cpuminer-cryptonight.nix>
services.cpuminer-cryptonight.pass

Password for mining server

Type: string

Default: "x"

Declared by:

<nixpkgs/nixos/modules/services/misc/cpuminer-cryptonight.nix>
services.cpuminer-cryptonight.threads

Number of miner threads, defaults to available processors

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/cpuminer-cryptonight.nix>
services.cpuminer-cryptonight.url

URL of mining server

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/cpuminer-cryptonight.nix>
services.cpuminer-cryptonight.user

Username for mining server

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/cpuminer-cryptonight.nix>
services.cpupower-gui.enable

Enables dbus/systemd service needed by cpupower-gui. These services are responsible for retrieving and modifying cpu power saving settings.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/cpupower-gui.nix>
services.crab-hole.enable

Whether to enable Crab-hole Service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/crab-hole.nix>
services.crab-hole.package

The crab-hole package to use.

Type: package

Default: pkgs.crab-hole

Declared by:

<nixpkgs/nixos/modules/services/networking/crab-hole.nix>
services.crab-hole.configFile

The config file of crab-hole.

If files are added via url, make sure the service has access to them. Setting this option will override any configuration applied by the settings option.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/crab-hole.nix>
services.crab-hole.settings

Crab-holes config. See big example https://github.com/LuckyTurtleDev/crab-hole/blob/main/example-config.toml

Type: TOML value

Example:

{
  api = {
    admin_key = "1234";
    listen = "127.0.0.1";
    port = 8080;
    show_doc = true;
  };
  blocklist = {
    allow_list = [
      "file:///allowed.txt"
    ];
    include_subdomains = true;
    lists = [
      "https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts"
      "https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt"
      "file:///blocked.txt"
    ];
  };
  downstream = [
    {
      listen = "localhost";
      port = 8080;
      protocol = "udp";
    }
    {
      certificate = "dns.example.com.crt";
      dns_hostname = "dns.example.com";
      key = "dns.example.com.key";
      listen = "[::]";
      port = 8055;
      protocol = "https";
      timeout_ms = 3000;
    }
  ];
  upstream = {
    name_servers = [
      {
        protocol = "tls";
        socket_addr = "[2606:4700:4700::1111]:853";
        tls_dns_name = "1dot1dot1dot1.cloudflare-dns.com";
        trust_nx_responses = false;
      }
      {
        protocol = "tls";
        socket_addr = "1.1.1.1:853";
        tls_dns_name = "1dot1dot1dot1.cloudflare-dns.com";
        trust_nx_responses = false;
      }
    ];
    options = {
      validate = false;
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/crab-hole.nix>
services.crab-hole.settings.blocklist.allow_list

List of allowlists. If files are added via url, make sure the service has access to them!

Type: list of (string or path)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/crab-hole.nix>
services.crab-hole.settings.blocklist.include_subdomains

Whether to enable Include subdomains.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/crab-hole.nix>
services.crab-hole.settings.blocklist.lists

List of blocklists. If files are added via url, make sure the service has access to them!

Type: list of (string or path)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/crab-hole.nix>
services.crab-hole.supplementaryGroups

Adds additional groups to the crab-hole service. Can be useful to prevent permission issues.

Type: list of string

Default: [ ]

Example:

[
  "acme"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/crab-hole.nix>
services.crabfit.enable

Whether to enable Crab Fit, a meeting scheduler based on peoples’ availability.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/crabfit.nix>
services.crabfit.api.package

The crabfit-api package to use.

Type: package

Default: pkgs.crabfit-api

Declared by:

<nixpkgs/nixos/modules/services/web-apps/crabfit.nix>
services.crabfit.api.environment

Environment variables for the crabfit API.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/crabfit.nix>
services.crabfit.api.host

The hostname of the API.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/crabfit.nix>
services.crabfit.api.port

The internal listening port of the API.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/crabfit.nix>
services.crabfit.frontend.package

The crabfit-frontend package to use.

Type: package

Default: pkgs.crabfit-frontend

Declared by:

<nixpkgs/nixos/modules/services/web-apps/crabfit.nix>
services.crabfit.frontend.environment

Environment variables for the crabfit frontend.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/crabfit.nix>
services.crabfit.frontend.finalDrv

The patched frontend, using the correct urls for the API and frontend.

Type: package (read only)

Default:

cfg.package.override {
  api_url = "https://${cfg.api.host}";
  frontend_url = cfg.frontend.host;
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/crabfit.nix>
services.crabfit.frontend.host

The hostname of the frontend.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/crabfit.nix>
services.crabfit.frontend.port

The internal listening port of the frontend.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3001

Declared by:

<nixpkgs/nixos/modules/services/web-apps/crabfit.nix>
services.create_ap.enable

Whether to enable setting up wifi hotspots using create_ap.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/create_ap.nix>
services.create_ap.settings

Configuration for create_ap. See upstream example configuration for supported values.

Type: attribute set of (signed integer or boolean or string)

Default: { }

Example:

{
  INTERNET_IFACE = "eth0";
  PASSPHRASE = "12345678";
  SSID = "My Wifi Hotspot";
  WIFI_IFACE = "wlan0";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/create_ap.nix>
services.croc.enable

Whether to enable croc relay.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/croc.nix>
services.croc.debug

Whether to enable debug logs.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/croc.nix>
services.croc.openFirewall

Whether to enable opening of the peer port(s) in the firewall.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/croc.nix>
services.croc.pass

Password or passwordfile for the relay.

Type: path or string

Default: "pass123"

Declared by:

<nixpkgs/nixos/modules/services/networking/croc.nix>
services.croc.ports

Ports of the relay.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

[
  9009
  9010
  9011
  9012
  9013
]

Declared by:

<nixpkgs/nixos/modules/services/networking/croc.nix>
services.cron.enable

Whether to enable the Vixie cron daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/scheduling/cron.nix>
services.cron.cronFiles

A list of extra crontab files that will be read and appended to the main crontab file when the cron service starts.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/scheduling/cron.nix>
services.cron.mailto

Email address to which job output will be mailed.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/scheduling/cron.nix>
services.cron.systemCronJobs

A list of Cron jobs to be appended to the system-wide crontab. See the manual page for crontab for the expected format. If you want to get the results mailed you must setuid sendmail. See security.wrappers

If neither /var/cron/cron.deny nor /var/cron/cron.allow exist only root is allowed to have its own crontab file. The /var/cron/cron.deny file is created automatically for you, so every user can use a crontab.

Many nixos modules set systemCronJobs, so if you decide to disable vixie cron and enable another cron daemon, you may want it to get its system crontab based on systemCronJobs.

Type: list of string

Default: [ ]

Example:

[ "* * * * *  test   ls -l / > /tmp/cronout 2>&1"
  "* * * * *  eelco  echo Hello World > /home/eelco/cronout"
]

Declared by:

<nixpkgs/nixos/modules/services/scheduling/cron.nix>
services.crossfire-server.enable

If enabled, the Crossfire game server will be started at boot.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/crossfire-server.nix>
services.crossfire-server.package

The crossfire-server package to use. ::: {.note} This will also be used for map/arch data, if you don’t change dataDir :::

Type: package

Default: pkgs.crossfire-server

Declared by:

<nixpkgs/nixos/modules/services/games/crossfire-server.nix>
services.crossfire-server.configFiles

Text to append to the corresponding configuration files. Note that the files given in the example are not the complete set of files available to customize; look in /etc/crossfire after enabling the server to see the available files, and read the comments in each file for detailed documentation on the format and what settings are available.

Note that the motd, rules, and news files, if configured here, will overwrite the example files that come with the server, rather than being appended to them as the other configuration files are.

Type: attribute set of string

Default: { }

Example:

{
  dm_file = ''
    admin:secret_password:localhost
    alice:xyzzy:*
  '';
  ban_file = ''
    # Bob is a jerk
    bob@*
    # So is everyone on 192.168.86.255/24
    *@192.168.86.
  '';
  metaserver2 = ''
    metaserver2_notification on
    localhostname crossfire.example.net
  '';
  motd = "Welcome to CrossFire!";
  news = "No news yet.";
  rules = "Don't be a jerk.";
  settings = ''
    # be nicer to newbies and harsher to experienced players
    balanced_stat_loss true
    # don't let players pick up and use admin-created items
    real_wiz false
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/games/crossfire-server.nix>
services.crossfire-server.dataDir

Where to load readonly data from – maps, archetypes, treasure tables, and the like. If you plan to edit the data on the live server (rather than overlaying the crossfire-maps and crossfire-arch packages and nixos-rebuilding), point this somewhere read-write and copy the data there before starting the server.

Type: string

Default: "${config.services.crossfire.package}/share/crossfire"

Declared by:

<nixpkgs/nixos/modules/services/games/crossfire-server.nix>
services.crossfire-server.openFirewall

Whether to open ports in the firewall for the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/crossfire-server.nix>
services.crossfire-server.stateDir

Where to store runtime data (save files, persistent items, etc).

If left at the default, this will be automatically created on server startup if it does not already exist. If changed, it is the admin’s responsibility to make sure that the directory exists and is writeable by the crossfire user.

Type: string

Default: "/var/lib/crossfire"

Declared by:

<nixpkgs/nixos/modules/services/games/crossfire-server.nix>
services.cryptpad.enable

Whether to enable cryptpad.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.package

The cryptpad package to use.

Type: package

Default: pkgs.cryptpad

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.configureNginx

Configure Nginx as a reverse proxy for Cryptpad. Note that this makes some assumptions on your setup, and sets settings that will affect other virtualHosts running on your Nginx instance, if any. Alternatively you can configure a reverse-proxy of your choice.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.settings

Cryptpad configuration settings. See https://github.com/cryptpad/cryptpad/blob/main/config/config.example.js for a more extensive reference documentation. Test your deployed instance through https://<domain>/checkup/.

Type: JSON value

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.settings.adminKeys

List of public signing keys of users that can access the admin panel

Type: list of string

Default: [ ]

Example:

[
  "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.settings.blockDailyCheck

Disable telemetry. This setting is only effective if the ‘Disable server telemetry’ setting in the admin menu has been untouched, and will be ignored by cryptpad once that option is set either way. Note that due to the service confinement, just enabling the option in the admin menu will not be able to resolve DNS and fail; this setting must be set as well.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.settings.httpAddress

Address on which the Node.js server should listen

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.settings.httpPort

Port on which the Node.js server should listen

Type: signed integer

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.settings.httpSafeOrigin

Cryptpad sandbox URL

Type: null or string

Example: "https://cryptpad-ui.example.com. Apparently optional but recommended."

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.settings.httpUnsafeOrigin

This is the URL that users will enter to load your instance

Type: string

Default: ""

Example: "https://cryptpad.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.settings.installMethod

Install method is listed in telemetry if you agree to it through the consentToContact setting in the admin panel.

Type: string

Default: "nixos"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.settings.logLevel

Controls log level

Type: string

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.settings.logToStdout

Controls whether log output should go to stdout of the systemd service

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.settings.maxWorkers

Number of child processes, defaults to number of cores available

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cryptpad.settings.websocketPort

Port for the websocket that needs to be separate

Type: signed integer

Default: 3003

Declared by:

<nixpkgs/nixos/modules/services/web-apps/cryptpad.nix>
services.cyrus-imap.enable

Whether to enable Cyrus IMAP, an email, contacts and calendar server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.cyrusConfigFile

Path to the configuration file used for Cyrus.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.cyrusSettings

Cyrus configuration settings. See cyrus.conf(5)

Type: attribute set of attribute set of (boolean or signed integer or list of string)

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.cyrusSettings.DAEMON

This section lists long running daemons to start before any SERVICES are spawned. master(8) will ensure that these processes are running, restarting any process which dies or forks. All listed processes will be shutdown when master(8) is exiting.

Type: unspecified value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.cyrusSettings.EVENTS

This section lists processes that should be run at specific intervals, similar to cron jobs. This section is typically used to perform scheduled cleanup/maintenance.

Type: unspecified value

Default:

{
  checkpoint = {
    cmd = [
      "ctl_cyrusdb"
      "-c"
    ];
    period = 30;
  };
  deleteprune = {
    at = 430;
    cmd = [
      "cyr_expire"
      "-E"
      "4"
      "-D"
      "28"
    ];
  };
  delprune = {
    at = 400;
    cmd = [
      "cyr_expire"
      "-E"
      "3"
    ];
  };
  expungeprune = {
    at = 445;
    cmd = [
      "cyr_expire"
      "-E"
      "4"
      "-X"
      "28"
    ];
  };
  tlsprune = {
    at = 400;
    cmd = [
      "tls_prune"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.cyrusSettings.SERVICES

This section is the heart of the cyrus.conf file. It lists the processes that should be spawned to handle client connections made on certain Internet/UNIX sockets.

Type: unspecified value

Default:

{
  imap = {
    cmd = [
      "imapd"
    ];
    listen = "imap";
    prefork = 0;
  };
  lmtpunix = {
    cmd = [
      "lmtpd"
    ];
    listen = "/run/cyrus/lmtp";
    prefork = 0;
  };
  notify = {
    cmd = [
      "notifyd"
    ];
    listen = "/run/cyrus/notify";
    prefork = 0;
    proto = "udp";
  };
  pop3 = {
    cmd = [
      "pop3d"
    ];
    listen = "pop3";
    prefork = 0;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.cyrusSettings.START

This section lists the processes to run before any SERVICES are spawned. This section is typically used to initialize databases. Master itself will not startup until all tasks in START have completed, so put no blocking commands here.

Type: unspecified value

Default:

{
  recover = {
    cmd = [
      "ctl_cyrusdb"
      "-r"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.debug

Whether to enable debugging messages for the Cyrus master process.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.group

Cyrus IMAP group name. If this is not set, a group named cyrus will be created.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.imapdConfigFile

Path to the configuration file used for cyrus-imap.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.imapdSettings

IMAP configuration settings. See imapd.conf(5)

Type: attribute set of (string or signed integer or boolean or list of string)

Default:

{
  admins = [
    "cyrus"
  ];
  allowplaintext = true;
  defaultdomain = "localhost";
  defaultpartition = "default";
  duplicate_db_path = "/run/cyrus/db/deliver.db";
  hashimapspool = true;
  httpmodules = [
    "carddav"
    "caldav"
  ];
  mboxname_lockpath = "/run/cyrus/lock";
  partition-default = "/var/lib/cyrus/storage";
  popminpoll = 1;
  proc_path = "/run/cyrus/proc";
  ptscache_db_path = "/run/cyrus/db/ptscache.db";
  sasl_auto_transition = true;
  sasl_pwcheck_method = [
    "saslauthd"
  ];
  sievedir = "/var/lib/cyrus/sieve";
  statuscache_db_path = "/run/cyrus/db/statuscache.db";
  syslog_prefix = "cyrus";
  tls_client_ca_dir = "/etc/ssl/certs";
  tls_session_timeout = 1440;
  tls_sessions_db_path = "/run/cyrus/db/tls_sessions.db";
  virtdomains = "on";
}

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.imapdSettings.configdirectory

The pathname of the IMAP configuration directory.

Type: path

Default: "/var/lib/cyrus"

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.imapdSettings.idlesocket

Unix socket that idled listens on.

Type: path

Default: "/run/cyrus/idle"

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.imapdSettings.lmtpsocket

Unix socket that lmtpd listens on, used by deliver(8). This should match the path specified in cyrus.conf(5).

Type: path

Default: "/run/cyrus/lmtp"

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.imapdSettings.notifysocket

Unix domain socket that the mail notification daemon listens on.

Type: path

Default: "/run/cyrus/notify"

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.listenQueue

Socket listen queue backlog size. See listen(2) for more information about a backlog. Default is 32, which may be increased if you have a very high connection rate.

Type: signed integer

Default: 32

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.sslCACert

File path which containing one or more CA certificates to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.sslServerCert

File containing the global certificate used for all services (IMAP, POP3, LMTP, Sieve)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.sslServerKey

File containing the private key belonging to the global server certificate.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.tmpDBDir

Location where DB files are stored. Databases in this directory are recreated upon startup, so ideally they should live in ephemeral storage for best performance.

Type: path

Default: "/run/cyrus/db"

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.cyrus-imap.user

Cyrus IMAP user name. If this is not set, a user named cyrus will be created.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/cyrus-imap.nix>
services.dae.enable

Whether to enable dae, a Linux high-performance transparent proxy solution based on eBPF.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/dae.nix>
services.dae.package

The dae package to use.

Type: package

Default: pkgs.dae

Declared by:

<nixpkgs/nixos/modules/services/networking/dae.nix>
services.dae.assets

Assets required to run dae.

Type: list of path

Default: with pkgs; [ v2ray-geoip v2ray-domain-list-community ]

Declared by:

<nixpkgs/nixos/modules/services/networking/dae.nix>
services.dae.assetsPath

The path which contains geolocation database. This option will override assets.

Type: string

Default:

(symlinkJoin {
    name = "dae-assets";
    paths = assets;
})/share/v2ray

Declared by:

<nixpkgs/nixos/modules/services/networking/dae.nix>
services.dae.config

WARNING: This option will expose store your config unencrypted world-readable in the nix store. Config text for dae.

See https://github.com/daeuniverse/dae/blob/main/example.dae.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/dae.nix>
services.dae.configFile

The path of dae config file, end with .dae.

Type: null or path

Default: null

Example: "/path/to/your/config.dae"

Declared by:

<nixpkgs/nixos/modules/services/networking/dae.nix>
services.dae.disableTxChecksumIpGeneric

See https://github.com/daeuniverse/dae/issues/43

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/dae.nix>
services.dae.openFirewall

Open the firewall port.

Type: submodule

Default:

{
  enable = true;
  port = 12345;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/dae.nix>
services.dae.openFirewall.enable

Whether to enable opening port in the firewall.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/dae.nix>
services.dae.openFirewall.port

Port to be opened. Consist with field tproxy_port in config file.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/networking/dae.nix>
services.dante.enable

Whether to enable Dante SOCKS proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/dante.nix>
services.dante.config

Contents of Dante’s configuration file. NOTE: user.privileged, user.unprivileged and logoutput are set by the service.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/networking/dante.nix>
services.darkhttpd.enable

Whether to enable DarkHTTPd web server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/darkhttpd.nix>
services.darkhttpd.address

Address to listen on. Pass all to listen on all interfaces.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/darkhttpd.nix>
services.darkhttpd.extraArgs

Additional configuration passed to the executable.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/darkhttpd.nix>
services.darkhttpd.hideServerId

Don’t identify the server type in headers or directory listings.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/darkhttpd.nix>
services.darkhttpd.port

Port to listen on. Pass 0 to let the system choose any free port for you.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 80

Declared by:

<nixpkgs/nixos/modules/services/web-servers/darkhttpd.nix>
services.darkhttpd.rootDir

Path from which to serve files.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-servers/darkhttpd.nix>
services.das_watchdog.enable

Whether to enable realtime watchdog.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/das_watchdog.nix>
services.dashy.enable

Whether to enable Dashy, a highly customizable, easy to use, privacy-respecting dashboard app.

Note that this builds a static web app as opposed to running a full node server, unlike the default docker image.

Writing config changes to disk through the UI, triggering a rebuild through the UI and application status checks are unavailable without the node server; Everything else will work fine.

See the deployment docs for building from source, hosting with a CDN and CDN cloud deploy for more information. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dashy.nix>
services.dashy.package

The dashy-ui package to use.

Type: package

Default: pkgs.dashy-ui

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dashy.nix>
services.dashy.finalDrv

Final derivation containing the fully built static files

Type: package (read only)

Default:

''
  if cfg.settings != {}
  then cfg.package.override {inherit (cfg) settings;}
  else cfg.package;
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dashy.nix>
services.dashy.settings

Settings serialized into user-data/conf.yml before build. If left empty, the default configuration shipped with the package will be used instead.

Note that the full configuration will be written to the nix store as world readable, which may include secrets such as password hashes.

To add files such as icons or backgrounds, you can reference them in line such as

icon = "$\{./icon.png}";

This will add the file to the nix store upon build, referencing it by file path as expected by Dashy.

Type: JSON value

Default: { }

Example:

''
  {
    appConfig = {
      cssThemes = [
        "example-theme-1"
        "example-theme-2"
      ];
      enableFontAwesome = true;
      fontAwesomeKey = "e9076c7025";
      theme = "thebe";
    };
    pageInfo = {
      description = "My Awesome Dashboard";
      navLinks = [
        {
          path = "/";
          title = "Home";
        }
        {
          path = "https://example.com";
          title = "Example 1";
        }
        {
          path = "https://example.com";
          title = "Example 2";
        }
      ];
      title = "Dashy";
    };
    sections = [
      {
        displayData = {
          collapsed = true;
          cols = 2;
          customStyles = "border: 2px dashed red;";
          itemSize = "large";
        };
        items = [
          {
            backgroundColor = "#0079ff";
            color = "#00ffc9";
            description = "Source code and documentation on GitHub";
            icon = "fab fa-github";
            target = "sametab";
            title = "Source";
            url = "https://github.com/Lissy93/dashy";
          }
          {
            description = "View currently open issues, or raise a new one";
            icon = "fas fa-bug";
            title = "Issues";
            url = "https://github.com/Lissy93/dashy/issues";
          }
          {
            description = "Live Demo #1";
            icon = "fas fa-rocket";
            target = "iframe";
            title = "Demo 1";
            url = "https://dashy-demo-1.as93.net";
          }
          {
            description = "Live Demo #2";
            icon = "favicon";
            target = "newtab";
            title = "Demo 2";
            url = "https://dashy-demo-2.as93.net";
          }
        ];
        name = "Getting Started";
      }
    ];
  }
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dashy.nix>
services.dashy.virtualHost.enableNginx

Whether to enable a virtualhost to serve dashy through nginx.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dashy.nix>
services.dashy.virtualHost.domain

Domain to use for the virtual host.

This can be used to change nginx options like

services.nginx.virtualHosts."$\{config.services.dashy.virtualHost.domain}".listen = [ ... ]

or

services.nginx.virtualHosts."example.com".listen = [ ... ]

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dashy.nix>
services.datadog-agent.enable

Whether to enable Datadog-agent v7 monitoring service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.enableLiveProcessCollection

Whether to enable the live process collection agent.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.enableTraceAgent

Whether to enable the trace agent.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.package

The datadog-agent package to use. ::: {.note} The provided package is expected to have an overridable pythonPackages-attribute which configures the Python environment with the Datadog checks. :::

Type: package

Default: pkgs.datadog-agent

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.apiKeyFile

Path to a file containing the Datadog API key to associate the agent with your account.

Type: path

Example: "/run/keys/datadog_api_key"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.checks

Configuration for all Datadog checks. Keys of this attribute set will be used as the name of the check to create the appropriate configuration in conf.d/$check.d/conf.yaml.

The configuration is converted into JSON from the plain Nix language configuration, meaning that you should write configuration adhering to Datadog’s documentation - but in Nix language.

Refer to the implementation of this module (specifically the definition of defaultChecks) for an example.

Note: The ‘disk’ and ‘network’ check are configured in separate options because they exist by default. Attempting to override their configuration here will have no effect.

Type: attribute set of (attribute set)

Default: { }

Example:

{
  http_check = {
    init_config = null;
    instances = [
      {
        name = "some-service";
        tags = [
          "some-service"
        ];
        url = "http://localhost:1337/healthz";
      }
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.ddUrl

Custom dd_url to configure the agent with. Useful if traffic to datadog needs to go through a proxy. Don’t use this to point to another datadog site (EU) - use site instead.

Type: null or string

Default: null

Example: "http://haproxy.example.com:3834"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.diskCheck

Disk check config

Type: attribute set

Default:

{
  init_config = { };
  instances = [
    {
      use_mount = "false";
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.extraConfig

Extra configuration options that will be merged into the main config file datadog.yaml.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.extraIntegrations

Extra integrations from the Datadog core-integrations repository that should be built and included.

By default the included integrations are disk, mongo, network, nginx and postgres.

To include additional integrations the name of the derivation and a function to filter its dependencies from the Python package set must be provided.

Type: attribute set

Default: { }

Example:

{
  ntp = pythonPackages: [ pythonPackages.ntplib ];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.hostname

The hostname to show in the Datadog dashboard (optional)

Type: null or string

Default: null

Example: "mymachine.mydomain"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.logLevel

Logging verbosity.

Type: null or one of “DEBUG”, “INFO”, “WARN”, “ERROR”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.networkCheck

Network check config

Type: attribute set

Default:

{
  init_config = { };
  instances = [
    {
      collect_connection_state = false;
      excluded_interfaces = [
        "lo"
        "lo0"
      ];
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.processAgentPackage

Which DataDog v7 agent package to use. Note that the provided package is expected to have an overridable pythonPackages-attribute which configures the Python environment with the Datadog checks.

Type: package

Default: pkgs.datadog-process-agent

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.site

The datadog site to point the agent towards. Set to datadoghq.eu to point it to their EU site.

Type: null or string

Default: null

Example: "datadoghq.eu"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.datadog-agent.tags

The tags to mark this Datadog agent

Type: null or (list of string)

Default: null

Example:

[
  "test"
  "service"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/datadog-agent.nix>
services.davfs2.enable

Whether to enable davfs2.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/davfs2.nix>
services.davfs2.davGroup

The group of the running mount.davfs daemon. Ordinary users must be member of this group in order to mount a davfs2 file system. Value must be given as name, not as numerical id.

Type: string

Default: "davfs2"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/davfs2.nix>
services.davfs2.davUser

When invoked by root the mount.davfs daemon will run as this user. Value must be given as name, not as numerical id.

Type: string

Default: "davfs2"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/davfs2.nix>
services.davfs2.settings

Extra settings appended to the configuration of davfs2. See davfs2.conf(5) for available settings.

Type: attribute set of attribute set of (boolean or signed integer or string or attribute set of (boolean or signed integer or string))

Default: { }

Example:

{
  globalSection = {
    proxy = "foo.bar:8080";
    use_locks = false;
  };
  sections = {
    "/media/dav" = {
      use_locks = true;
    };
    "/home/otto/mywebspace" = {
      gui_optimize = true;
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/davfs2.nix>
services.davis.enable

Whether to enable Davis is a caldav and carddav server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.package

The davis package to use.

Type: package

Default: pkgs.davis

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.adminLogin

Username for the admin account.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.adminPasswordFile

The full path to a file that contains the admin’s password. Must be readable by the user.

Type: path

Example: "/run/secrets/davis-admin-pass"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.appSecretFile

A file containing the Symfony APP_SECRET - Its value should be a series of characters, numbers and symbols chosen randomly and the recommended length is around 32 characters. Can be generated with <code>cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 48 | head -n 1</code>.

Type: path

Example: "/run/secrets/davis-appsecret"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.config

Type: attribute set of (null or boolean or signed integer or 16 bit unsigned integer; between 0 and 65535 (both inclusive) or path or string or (submodule))

Default: { }

Example: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.dataDir

Davis data directory.

Type: path

Default: "/var/lib/davis"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.database.driver

Database type, required in all circumstances.

Type: one of “sqlite”, “postgresql”, “mysql”

Default: "sqlite"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.database.name

Database name, only used when the databse is created locally.

Type: null or string

Default: "davis"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.database.urlFile

A file containing the database connection url. If set then it overrides all other database settings (except driver). This is mandatory if you want to use an external database, that is when services.davis.database.createLocally is false.

Type: null or path

Default: null

Example: "/run/secrets/davis-db-url"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.group

Group davis runs as.

Type: string

Default: "davis"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.hostname

Domain of the host to serve davis under. You may want to change it if you run Davis on a different URL than davis.yourdomain.

Type: string

Example: "davis.yourdomain.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.mail.dsn

Mail DSN for sending emails. Mutually exclusive with services.davis.mail.dsnFile.

Type: null or string

Default: null

Example: "smtp://username:password@example.com:25"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.mail.dsnFile

A file containing the mail DSN for sending emails. Mutually exclusive with servies.davis.mail.dsn.

Type: null or string

Default: null

Example: "/run/secrets/davis-mail-dsn"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.mail.inviteFromAddress

Email address to send invitations from.

Type: null or string

Default: null

Example: "no-reply@dav.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx

With this option, you can customize the nginx virtualHost settings.

Type: submodule

Default: null

Example:

''
  {
    serverAliases = [
      "dav.''${config.networking.domain}"
    ];
    # To enable encryption and let let's encrypt take care of certificate
    forceSSL = true;
    enableACME = true;
  }
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.poolConfig

Options for the davis PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davis.user

User davis runs as.

Type: string

Default: "davis"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/davis.nix>
services.davmail.enable

Whether to enable davmail, an MS Exchange gateway.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/davmail.nix>
services.davmail.config

Davmail configuration. Refer to http://davmail.sourceforge.net/serversetup.html and http://davmail.sourceforge.net/advanced.html for details on supported values.

Type: davmail config type (str, int, bool or attribute set thereof)

Default: { }

Example:

{
  davmail.allowRemote = true;
  davmail.imapPort = 55555;
  davmail.bindAddress = "10.0.1.2";
  davmail.smtpSaveInSent = true;
  davmail.folderSizeLimit = 10;
  davmail.caldavAutoSchedule = false;
  log4j.logger.rootLogger = "DEBUG";
}

Declared by:

<nixpkgs/nixos/modules/services/mail/davmail.nix>
services.davmail.url

Outlook Web Access URL to access the exchange server, i.e. the base webmail URL.

Type: string

Example: "https://outlook.office365.com/EWS/Exchange.asmx"

Declared by:

<nixpkgs/nixos/modules/services/mail/davmail.nix>
services.db-rest.enable

Whether to enable db-rest service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/db-rest.nix>
services.db-rest.package

The db-rest package to use.

Type: package

Default: pkgs.db-rest

Declared by:

<nixpkgs/nixos/modules/services/misc/db-rest.nix>
services.db-rest.group

Group under which db-rest runs.

Type: string

Default: "db-rest"

Declared by:

<nixpkgs/nixos/modules/services/misc/db-rest.nix>
services.db-rest.host

The host address the db-rest server should listen on.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/db-rest.nix>
services.db-rest.port

The port the db-rest server should listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/misc/db-rest.nix>
services.db-rest.redis.enable

Enable caching with redis for db-rest.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/db-rest.nix>
services.db-rest.redis.createLocally

Configure a local redis server for db-rest.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/db-rest.nix>
services.db-rest.redis.host

Redis host.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/db-rest.nix>
services.db-rest.redis.passwordFile

Path to a file containing the redis password.

Type: null or path

Default: null

Example: "/run/keys/db-rest/pasword-redis-db"

Declared by:

<nixpkgs/nixos/modules/services/misc/db-rest.nix>
services.db-rest.redis.port

Redis port.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/db-rest.nix>
services.db-rest.redis.useSSL

Use SSL if using a redis network connection.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/db-rest.nix>
services.db-rest.redis.user

Optional username used for authentication with redis.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/db-rest.nix>
services.db-rest.user

User account under which db-rest runs.

Type: string

Default: "db-rest"

Declared by:

<nixpkgs/nixos/modules/services/misc/db-rest.nix>
services.dbus.packages

Packages whose D-Bus configuration files should be included in the configuration of the D-Bus system-wide or session-wide message bus. Specifically, files in the following directories will be included into their respective DBus configuration paths: «pkg»/etc/dbus-1/system.d «pkg»/share/dbus-1/system.d «pkg»/share/dbus-1/system-services «pkg»/etc/dbus-1/session.d «pkg»/share/dbus-1/session.d «pkg»/share/dbus-1/services

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/system/dbus.nix>
services.dbus.apparmor

AppArmor mode for dbus.

enabled enables mediation when it’s supported in the kernel, disabled always disables AppArmor even with kernel support, and required fails when AppArmor was not found in the kernel.

Type: one of “enabled”, “disabled”, “required”

Default: "disabled"

Declared by:

<nixpkgs/nixos/modules/services/system/dbus.nix>
services.dbus.implementation

The implementation to use for the message bus defined by the D-Bus specification. Can be either the classic dbus daemon or dbus-broker, which aims to provide high performance and reliability, while keeping compatibility to the D-Bus reference implementation.

Type: one of “dbus”, “broker”

Default: "dbus"

Declared by:

<nixpkgs/nixos/modules/services/system/dbus.nix>
services.ddccontrol.enable

Whether to enable ddccontrol for controlling displays.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/ddccontrol.nix>
services.ddclient.enable

Whether to synchronise your machine’s IP address with a dynamic DNS provider (e.g. dyndns.org).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.package

The ddclient executable package run by the service.

Type: package

Default: pkgs.ddclient

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.configFile

Path to configuration file. When set this overrides the generated configuration from module options.

Type: null or path

Default: null

Example: "/root/nixos/secrets/ddclient.conf"

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.domains

Domain name(s) to synchronize.

Type: list of string

Default:

[
  ""
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.extraConfig

Extra configuration. Contents will be added verbatim to the configuration file.

Note

daemon should not be added here because it does not work great with the systemd-timer approach the service uses.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.interval

The interval at which to run the check and update. See man 7 systemd.time for the format.

Type: string

Default: "10min"

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.passwordFile

A file containing the password or a TSIG key in named format when using the nsupdate protocol.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.protocol

Protocol to use with dynamic DNS provider (see https://ddclient.net/protocols.html ).

Type: string

Default: "dyndns2"

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.quiet

Print no messages for unnecessary updates.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.script

script as required by some providers.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.server

Server address.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.ssl

Whether to use SSL/TLS to connect to dynamic DNS provider.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.use

Method to determine the IP address to send to the dynamic DNS provider.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.username

User name.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.usev4

Method to determine the IPv4 address to send to the dynamic DNS provider. Only used if use is not set.

Type: string

Default: "webv4, webv4=checkip.dyndns.com/, webv4-skip='Current IP Address: '"

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.usev6

Method to determine the IPv6 address to send to the dynamic DNS provider. Only used if use is not set.

Type: string

Default: "webv6, webv6=checkipv6.dyndns.com/, webv6-skip='Current IP Address: '"

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.verbose

Print verbose information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddclient.zone

zone as required by some providers.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ddclient.nix>
services.ddns-updater.enable

Whether to enable Container to update DNS records periodically with WebUI for many DNS providers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ddns-updater.nix>
services.ddns-updater.package

The ddns-updater package to use.

Type: package

Default: pkgs.ddns-updater

Declared by:

<nixpkgs/nixos/modules/services/networking/ddns-updater.nix>
services.ddns-updater.environment

Environment variables to be set for the ddns-updater service. DATADIR is ignored to enable using systemd DynamicUser. For full list see https://github.com/qdm12/ddns-updater

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/ddns-updater.nix>
services.deconz.enable

Whether to enable deCONZ, a Zigbee gateway for use with ConBee/RaspBee hardware (https://phoscon.de/).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/deconz.nix>
services.deconz.package

Which deCONZ package to use.

Type: package

Default: pkgs.deconz

Declared by:

<nixpkgs/nixos/modules/services/networking/deconz.nix>
services.deconz.allowRebootSystem

Whether to enable rebooting the system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/deconz.nix>
services.deconz.allowRestartService

Whether to enable killing/restarting processes.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/deconz.nix>
services.deconz.allowSetSystemTime

Whether to enable setting the system time.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/deconz.nix>
services.deconz.device

Force deCONZ to use a specific USB device (e.g. /dev/ttyACM0). By default it does a search.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/deconz.nix>
services.deconz.extraArgs

Extra command line arguments for deCONZ, see https://github.com/dresden-elektronik/deconz-rest-plugin/wiki/deCONZ-command-line-parameters.

Type: list of string

Default: [ ]

Example:

[
  "--dbg-info=1"
  "--dbg-err=2"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/deconz.nix>
services.deconz.httpPort

TCP port for the web server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 80

Declared by:

<nixpkgs/nixos/modules/services/networking/deconz.nix>
services.deconz.listenAddress

Pin deCONZ to the network interface specified through the provided IP address. This applies for the webserver as well as the websocket notifications.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/deconz.nix>
services.deconz.openFirewall

Whether to enable opening up the service ports in the firewall.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/deconz.nix>
services.deconz.wsPort

TCP port for the WebSocket.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 443

Declared by:

<nixpkgs/nixos/modules/services/networking/deconz.nix>
services.deepin.app-services.enable

Whether to enable service collection of DDE applications, including dconfig-center.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/deepin/app-services.nix>
services.deepin.dde-api.enable

Whether to enable the DDE API, which provides some dbus interfaces that is used for screen zone detecting, thumbnail generating, and sound playing in Deepin Desktop Environment .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/deepin/dde-api.nix>
services.deepin.dde-daemon.enable

Whether to enable daemon for handling the deepin session settings.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/deepin/dde-daemon.nix>
services.deepin.deepin-anything.enable

Whether to enable deepin anything file search tool.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/deepin/deepin-anything.nix>
services.deliantra-server.enable

If enabled, the Deliantra game server will be started at boot.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/deliantra-server.nix>
services.deliantra-server.package

The deliantra-server package to use. ::: {.note} This will also be used for map/arch data, if you don’t change dataDir :::

Type: package

Default: pkgs.deliantra-server

Declared by:

<nixpkgs/nixos/modules/services/games/deliantra-server.nix>
services.deliantra-server.configFiles

Contents of the server configuration files. These will be appended to the example configurations the server comes with and overwrite any default settings defined therein.

The example here is not comprehensive. See the files in /etc/deliantra-server after enabling this module for full documentation.

Type: attribute set of string

Default:

{
  motd = "";
}

Example:

{
  dm_file = ''
    admin:secret_password:localhost
    alice:xyzzy:*
  '';
  motd = "Welcome to Deliantra!";
  settings = ''
    # Settings for game mechanics.
    stat_loss_on_death true
    armor_max_enchant 7
  '';
  config = ''
    # Settings for the server daemon.
    hiscore_url https://deliantra.example.net/scores/
    max_map_reset 86400
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/games/deliantra-server.nix>
services.deliantra-server.dataDir

Where to store readonly data (maps, archetypes, sprites, etc). Note that if you plan to use the live map editor (rather than editing the maps offline and then nixos-rebuilding), THIS MUST BE WRITEABLE – copy the deliantra-data someplace writeable (say, /var/lib/deliantra/data) and update this option accordingly.

Type: string

Default: "${pkgs.deliantra-data}"

Declared by:

<nixpkgs/nixos/modules/services/games/deliantra-server.nix>
services.deliantra-server.openFirewall

Whether to open ports in the firewall for the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/deliantra-server.nix>
services.deliantra-server.stateDir

Where to store runtime data (save files, persistent items, etc).

If left at the default, this will be automatically created on server startup if it does not already exist. If changed, it is the admin’s responsibility to make sure that the directory exists and is writeable by the crossfire user.

Type: string

Default: "/var/lib/deliantra"

Declared by:

<nixpkgs/nixos/modules/services/games/deliantra-server.nix>
services.deluge.enable

Whether to enable Deluge daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.package

The deluge-2_x package to use.

Type: package

Default: pkgs.deluge-2_x

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.authFile

The file managing the authentication for deluge, the format of this file is straightforward, each line contains a username:password:level tuple in plaintext. It only has an effect when services.deluge.declarative is set to true. See https://dev.deluge-torrent.org/wiki/UserGuide/Authentication for more information.

Type: path

Example: "/run/keys/deluge-auth"

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.config

Deluge core configuration for the core.conf file. Only has an effect when services.deluge.declarative is set to true. String values must be quoted, integer and boolean values must not. See https://git.deluge-torrent.org/deluge/tree/deluge/core/preferencesmanager.py#n41 for the available options.

Type: attribute set

Default: { }

Example:

{
  download_location = "/srv/torrents/";
  max_upload_speed = "1000.0";
  share_ratio_limit = "2.0";
  allow_remote = true;
  daemon_port = 58846;
  listen_ports = [ 6881 6889 ];
}

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.dataDir

The directory where deluge will create files.

Type: path

Default: "/var/lib/deluge"

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.declarative

Whether to use a declarative deluge configuration. Only if set to true, the options services.deluge.config, services.deluge.openFirewall and services.deluge.authFile will be applied.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.extraPackages

Extra packages available at runtime to enable Deluge’s plugins. For example, extraction utilities are required for the built-in “Extractor” plugin. This always contains unzip, gnutar, xz and bzip2.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.group

Group under which deluge runs.

Type: string

Default: "deluge"

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.openFilesLimit

Number of files to allow deluged to open.

Type: signed integer or string

Default: 4096

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.openFirewall

Whether to open the firewall for the ports in services.deluge.config.listen_ports. It only takes effet if services.deluge.declarative is set to true.

It does NOT apply to the daemon port nor the web UI port. To access those ports securely check the documentation https://dev.deluge-torrent.org/wiki/UserGuide/ThinClient#CreateSSHTunnel or use a VPN or configure certificates for deluge.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.user

User account under which deluge runs.

Type: string

Default: "deluge"

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.web.enable

Whether to enable Deluge Web daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.web.openFirewall

Open ports in the firewall for deluge web daemon

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.deluge.web.port

Deluge web UI port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8112

Declared by:

<nixpkgs/nixos/modules/services/torrent/deluge.nix>
services.dendrite.enable

Whether to enable matrix.org dendrite.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.environmentFile

Environment file as defined in systemd.exec(5). Secrets may be passed to the service without adding them to the world-readable Nix store, by specifying placeholder variables as the option value in Nix and setting these variables accordingly in the environment file. Currently only used for the registration secret to allow secure registration when client_api.registration_disabled is true.

  # snippet of dendrite-related config
  services.dendrite.settings.client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
  # content of the environment file
  REGISTRATION_SHARED_SECRET=verysecretpassword

Note that this file needs to be available on the host on which dendrite is running.

Type: null or path

Default: null

Example: "/var/lib/dendrite/registration_secret"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.httpPort

The port to listen for HTTP requests on.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8008

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.httpsPort

The port to listen for HTTPS requests on.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.loadCredential

This can be used to pass secrets to the systemd service without adding them to the nix store. To use the example setting, see the example of services.dendrite.settings.global.private_key. See the LoadCredential section of systemd.exec manual for more information.

Type: list of string

Default: [ ]

Example:

[
  "private_key:/path/to/my_private_key"
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.openRegistration

Allow open registration without secondary verification (reCAPTCHA).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings

Configuration for dendrite, see: https://github.com/matrix-org/dendrite/blob/main/dendrite-sample.yaml for available options with which to populate settings.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.app_service_api.database.connection_string

Database for the Appservice API.

Type: string

Default: "file:federationapi.db"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.client_api.registration_disabled

Whether to disable user registration to the server without the shared secret.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.federation_api.database.connection_string

Database for the Federation API.

Type: string

Default: "file:federationapi.db"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.global.private_key

The path to the signing private key file, used to sign requests and events.

  nix-shell -p dendrite --command "generate-keys --private-key matrix_key.pem"

Type: path or string matching the pattern ^\$CREDENTIALS_DIRECTORY/.+

Example: "$CREDENTIALS_DIRECTORY/private_key"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.global.server_name

The domain name of the server, with optional explicit port. This is used by remote servers to connect to this server. This is also the last part of your UserID.

Type: string

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.global.trusted_third_party_id_servers

Lists of domains that the server will trust as identity servers to verify third party identifiers such as phone numbers and email addresses

Type: list of string

Default:

[
  "matrix.org"
  "vector.im"
]

Example:

[
  "matrix.org"
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.key_server.database.connection_string

Database for the Key Server (for end-to-end encryption).

Type: string

Default: "file:keyserver.db"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.media_api.base_path

Storage path for uploaded media.

Type: string

Default: "/var/lib/dendrite/media_store"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.media_api.database.connection_string

Database for the Media API.

Type: string

Default: "file:mediaapi.db"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.mscs.database.connection_string

Database for exerimental MSC’s.

Type: string

Default: "file:mscs.db"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.relay_api.database.connection_string

Database for the Relay Server.

Type: string

Default: "file:relayapi.db"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.room_server.database.connection_string

Database for the Room Server.

Type: string

Default: "file:roomserver.db"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.sync_api.database.connection_string

Database for the Sync API.

Type: string

Default: "file:syncserver.db"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.sync_api.search.enable

Whether to enable Dendrite’s full-text search engine.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.sync_api.search.index_path

The path the search index will be created in.

Type: string

Default: "/var/lib/dendrite/searchindex"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.sync_api.search.language

The language most likely to be used on the server - used when indexing, to ensure the returned results match expectations. A full list of possible languages can be found at https://github.com/blevesearch/bleve/tree/master/analysis/lang

Type: string

Default: "en"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.user_api.account_database.connection_string

Database for the User API, accounts.

Type: string

Default: "file:userapi_accounts.db"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.settings.user_api.device_database.connection_string

Database for the User API, devices.

Type: string

Default: "file:userapi_devices.db"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.tlsCert

The path to the TLS certificate.

  nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"

Type: null or path

Default: null

Example: "/var/lib/dendrite/server.cert"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dendrite.tlsKey

The path to the TLS key.

  nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"

Type: null or path

Default: null

Example: "/var/lib/dendrite/server.key"

Declared by:

<nixpkgs/nixos/modules/services/matrix/dendrite.nix>
services.dependency-track.enable

Whether to enable dependency-track.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.package

The dependency-track package to use.

Type: package

Default: pkgs.dependency-track

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.database.createLocally

Whether a database should be automatically created on the local host. Set this to false if you plan on provisioning a local database yourself.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.database.databaseName

Database name to use when connecting to an external or manually provisioned database; has no effect when a local database is automatically provisioned.

To use this with a local database, set services.dependency-track.database.createLocally to false and create the database and user.

Type: string

Default: "dependency-track"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.database.passwordFile

The path to a file containing the database password.

Type: path

Example: "/run/keys/db_password"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.database.type

h2 database is not recommended for a production setup. postgresql this settings it recommended for production setups. manual the module doesn’t handle database settings.

Type: one of “h2”, “postgresql”, “manual”

Default: "postgresql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.database.username

Username to use when connecting to an external or manually provisioned database; has no effect when a local database is automatically provisioned.

To use this with a local database, set services.dependency-track.database.createLocally to false and create the database and user.

Type: string

Default: "dependency-track"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.frontend.baseUrl

The base URL of the API server.

NOTE:

  • This URL must be reachable by the browsers of your users.

  • The frontend container itself does NOT communicate with the API server directly, it just serves static files.

  • When deploying to dedicated servers, please use the external IP or domain of the API server.

Type: string

Default:

lib.optionalString config.services.dependency-track.nginx.enable "${
  if sslEnabled then "https" else "http"
}://${config.services.dependency-track.nginx.domain}";

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.javaArgs

Java options passed to JVM

Type: list of string

Default:

[
  "-Xmx4G"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.ldap.bindPasswordFile

The path to a file containing the LDAP bind password.

Type: path

Example: "/run/keys/ldap_bind_password"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.logLevel

Log level for dependency-track

Type: one of “INFO”, “WARN”, “ERROR”, “DEBUG”, “TRACE”

Default: "INFO"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.nginx.enable

Whether to set up an nginx virtual host.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.nginx.domain

The domain name under which to set up the virtual host.

Type: string

Example: "dtrack.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.oidc.enable

Whether to enable oidc support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.oidc.clientId

Defines the client ID for OpenID Connect.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.oidc.flow

Specifies the OpenID Connect flow to use. Values other than “implicit” will result in the Code+PKCE flow to be used. Usage of the implicit flow is strongly discouraged, but may be necessary when the IdP of choice does not support the Code+PKCE flow. See also:

  • https://oauth.net/2/grant-types/implicit/

  • https://oauth.net/2/pkce/

Type: one of “code”, “implicit”

Default: "code"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.oidc.issuer

Defines the issuer URL to be used for OpenID Connect. See alpine.oidc.issuer property of the API server.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.oidc.loginButtonText

Defines the scopes to request for OpenID Connect. See also: https://openid.net/specs/openid-connect-basic-1_0.html#Scopes

Type: string

Default: "Login with OpenID Connect"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.oidc.scope

Defines the scopes to request for OpenID Connect. See also: https://openid.net/specs/openid-connect-basic-1_0.html#Scopes

Type: string

Default: "openid profile email"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.oidc.teamSynchronization

This option will ensure that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles. When a team is mapped to an OpenID Connect group, all local OpenID Connect users will automatically be assigned to the team if they are a member of the group the team is mapped to. If the user is later removed from the OpenID Connect group, they will also be removed from the team. This option provides the ability to dynamically control user permissions via the identity provider. Note that team synchronization is only performed during user provisioning and after successful authentication.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.oidc.teams.claim

Defines the name of the claim that contains group memberships or role assignments in the provider’s userinfo endpoint. The claim must be an array of strings. Most public identity providers do not support group or role management. When using a customizable / on-demand hosted identity provider, name, content, and inclusion in the userinfo endpoint will most likely need to be configured.

Type: string

Default: "groups"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.oidc.teams.default

Defines one or more team names that auto-provisioned OIDC users shall be added to. Multiple team names may be provided as comma-separated list.

Has no effect when services.dependency-track.oidc.userProvisioning=false, or services.dependency-track.oidc.teamSynchronization=true.

Type: null or strings concatenated with “,”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.oidc.userProvisioning

Specifies if mapped OpenID Connect accounts are automatically created upon successful authentication. When a user logs in with a valid access token but an account has not been previously provisioned, an authentication failure will be returned. This allows admins to control specifically which OpenID Connect users can access the system and which users cannot. When this value is set to true, a local OpenID Connect user will be created and mapped to the OpenID Connect account automatically. This automatic provisioning only affects authentication, not authorization.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.oidc.usernameClaim

Defines the name of the claim that contains the username in the provider’s userinfo endpoint. Common claims are “name”, “username”, “preferred_username” or “nickname”. See also: https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse

Type: string

Default: "name"

Example: "preferred_username"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.port

On which port dependency-track should listen for new HTTP connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings

See https://docs.dependencytrack.org/getting-started/configuration/#default-configuration for possible options

Type: attribute set of (string, package, bool, int or float)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.data.directory"

Defines the path to the data directory. This directory will hold logs, keys, and any database or index files along with application-specific files or directories.

Type: path

Default: "/var/lib/dependency-track"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.database.driver"

Specifies the JDBC driver class to use.

Type: one of “org.h2.Driver”, “org.postgresql.Driver”, “com.microsoft.sqlserver.jdbc.SQLServerDriver”, “com.mysql.cj.jdbc.Driver”

Default:

if config.services.dependency-track.database.type == "h2" then "org.h2.Driver"
else if config.services.dependency-track.database.type == "postgresql" then "org.postgresql.Driver"
else null;

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.database.mode"

Defines the database mode of operation. Valid choices are: ‘server’, ‘embedded’, and ‘external’. In server mode, the database will listen for connections from remote hosts. In embedded mode, the system will be more secure and slightly faster. External mode should be used when utilizing an external database server (i.e. mysql, postgresql, etc).

Type: one of “server”, “embedded”, “external”

Default:

if config.services.dependency-track.database.type == "h2" then "embedded"
else if config.services.dependency-track.database.type == "postgresql" then "external"
else null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.database.url"

Specifies the JDBC URL to use when connecting to the database.

Type: string

Default:

if config.services.dependency-track.database.type == "h2" then "jdbc:h2:/var/lib/dependency-track/db"
  else if config.services.dependency-track.database.type == "postgresql" then "jdbc:postgresql:${config.services.dependency-track.database.name}?socketFactory=org.newsclub.net.unix.AFUNIXSocketFactory$FactoryArg&socketFactoryArg=/run/postgresql/.s.PGSQL.5432"
  else null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.database.username"

Specifies the username to use when authenticating to the database.

Type: string

Default:

if config.services.dependency-track.database.createLocally then "dependency-track"
else config.services.dependency-track.database.username

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.ldap.enabled"

Defines if LDAP will be used for user authentication. If enabled, alpine.ldap.* properties should be set accordingly.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.oidc.client.id"

Defines the client ID to be used for OpenID Connect. The client ID should be the same as the one configured for the frontend, and will only be used to validate ID tokens.

Type: string

Default: config.services.dependency-track.oidc.clientId

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.oidc.enabled"

Defines if OpenID Connect will be used for user authentication. If enabled, alpine.oidc.* properties should be set accordingly.

Type: boolean

Default: config.services.dependency-track.oidc.enable

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.oidc.issuer"

Defines the issuer URL to be used for OpenID Connect. This issuer MUST support provider configuration via the /.well-known/openid-configuration endpoint. See also:

  • https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

  • https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

Type: string

Default: config.services.dependency-track.oidc.issuer

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.oidc.team.synchronization"

This option will ensure that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles. When a team is mapped to an OpenID Connect group, all local OpenID Connect users will automatically be assigned to the team if they are a member of the group the team is mapped to. If the user is later removed from the OpenID Connect group, they will also be removed from the team. This option provides the ability to dynamically control user permissions via the identity provider. Note that team synchronization is only performed during user provisioning and after successful authentication.

Type: boolean

Default: config.services.dependency-track.oidc.teamSynchronization

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.oidc.teams.claim"

Defines the name of the claim that contains group memberships or role assignments in the provider’s userinfo endpoint. The claim must be an array of strings. Most public identity providers do not support group or role management. When using a customizable / on-demand hosted identity provider, name, content, and inclusion in the userinfo endpoint will most likely need to be configured.

Type: string

Default: config.services.dependency-track.oidc.teams.claim

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.oidc.teams.default"

Defines one or more team names that auto-provisioned OIDC users shall be added to. Multiple team names may be provided as comma-separated list.

Has no effect when services.dependency-track.oidc.userProvisioning=false, or services.dependency-track.oidc.teamSynchronization=true.

Type: null or strings concatenated with “,”

Default: config.services.dependency-track.oidc.teams.default

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.oidc.user.provisioning"

Specifies if mapped OpenID Connect accounts are automatically created upon successful authentication. When a user logs in with a valid access token but an account has not been previously provisioned, an authentication failure will be returned. This allows admins to control specifically which OpenID Connect users can access the system and which users cannot. When this value is set to true, a local OpenID Connect user will be created and mapped to the OpenID Connect account automatically. This automatic provisioning only affects authentication, not authorization.

Type: boolean

Default: config.services.dependency-track.oidc.userProvisioning

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.dependency-track.settings."alpine.oidc.username.claim"

Defines the name of the claim that contains the username in the provider’s userinfo endpoint. Common claims are “name”, “username”, “preferred_username” or “nickname”. See also: https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse

Type: string

Default: config.services.dependency-track.oidc.usernameClaim

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dependency-track.nix>
services.desktopManager.lomiri.enable

Whether to enable the Lomiri graphical shell (formerly known as Unity8) .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktop-managers/lomiri.nix>
services.desktopManager.plasma6.enable

Enable the Plasma 6 (KDE 6) desktop environment.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktop-managers/plasma6.nix>
services.desktopManager.plasma6.enableQt5Integration

Enable Qt 5 integration (theming, etc). Disable for a pure Qt 6 system.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktop-managers/plasma6.nix>
services.desktopManager.plasma6.notoPackage

The Noto fonts - used for UI by default package to use.

Type: package

Default: pkgs.noto-fonts

Example: noto-fonts-lgc-plus

Declared by:

<nixpkgs/nixos/modules/services/desktop-managers/plasma6.nix>
services.devmon.enable

Whether to enable devmon, an automatic device mounting daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/devmon.nix>
services.devpi-server.enable

Whether to enable Devpi Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/devpi-server.nix>
services.devpi-server.package

The devpi-server package to use.

Type: package

Default: pkgs.devpi-server

Declared by:

<nixpkgs/nixos/modules/services/misc/devpi-server.nix>
services.devpi-server.host

domain/ip address to listen on

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/devpi-server.nix>
services.devpi-server.openFirewall

Whether to enable opening the default ports in the firewall for Devpi Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/devpi-server.nix>
services.devpi-server.port

The port on which Devpi Server will listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3141

Declared by:

<nixpkgs/nixos/modules/services/misc/devpi-server.nix>
services.devpi-server.primaryUrl

Url for the primary node. Required option for replica nodes.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/devpi-server.nix>
services.devpi-server.replica

Run node as a replica. Requires the secretFile option and the primaryUrl to be enabled.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/devpi-server.nix>
services.devpi-server.secretFile

Path to a shared secret file used for synchronization, Required for all nodes in a replica/primary setup.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/devpi-server.nix>
services.dex.enable

Whether to enable the OpenID Connect and OAuth2 identity provider.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dex.nix>
services.dex.environmentFile

Environment file (see systemd.exec(5) “EnvironmentFile=” section for the syntax) to define variables for dex. This option can be used to safely include secret keys into the dex configuration.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dex.nix>
services.dex.settings

The available options can be found in the example configuration.

It’s also possible to refer to environment variables (defined in services.dex.environmentFile) using the syntax $VARIABLE_NAME.

Type: YAML value

Default: { }

Example:

{
  # External url
  issuer = "http://127.0.0.1:5556/dex";
  storage = {
    type = "postgres";
    config.host = "/var/run/postgres";
  };
  web = {
    http = "127.0.0.1:5556";
  };
  enablePasswordDB = true;
  staticClients = [
    {
      id = "oidcclient";
      name = "Client";
      redirectURIs = [ "https://example.com/callback" ];
      secretFile = "/etc/dex/oidcclient"; # The content of `secretFile` will be written into to the config as `secret`.
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dex.nix>
services.dgraph.enable

Whether to enable Dgraph native GraphQL database with a graph backend.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/dgraph.nix>
services.dgraph.package

The dgraph package to use.

Type: package

Default: pkgs.dgraph

Declared by:

<nixpkgs/nixos/modules/services/databases/dgraph.nix>
services.dgraph.alpha.host

The host which dgraph alpha will be run on.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/databases/dgraph.nix>
services.dgraph.alpha.port

The port which to run dgraph alpha on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7080

Declared by:

<nixpkgs/nixos/modules/services/databases/dgraph.nix>
services.dgraph.settings

Contents of the dgraph config. For more details see https://dgraph.io/docs/deploy/config

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/databases/dgraph.nix>
services.dgraph.zero.host

The host which dgraph zero will be run on.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/databases/dgraph.nix>
services.dgraph.zero.port

The port which to run dgraph zero on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5080

Declared by:

<nixpkgs/nixos/modules/services/databases/dgraph.nix>
services.dictd.enable

Whether to enable the DICT.org dictionary server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/dictd.nix>
services.dictd.DBs

List of databases to make available.

Type: list of package

Default: with pkgs.dictdDBs; [ wiktionary wordnet ]

Example: [ pkgs.dictdDBs.nld2eng ]

Declared by:

<nixpkgs/nixos/modules/services/misc/dictd.nix>
services.diod.enable

Whether to enable the diod 9P file server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/diod.nix>
services.diod.allsquash

Remap all users to “nobody”. The attaching user need not be present in the password file.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/diod.nix>
services.diod.authRequired

Allow clients to connect without authentication, i.e. without a valid MUNGE credential.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/diod.nix>
services.diod.exportall

Export all file systems listed in /proc/mounts. If new file systems are mounted after diod has started, they will become immediately mountable. If there is a duplicate entry for a file system in the exports list, any options listed in the exports entry will apply.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/diod.nix>
services.diod.exportopts

Establish a default set of export options. These are overridden, not appended to, by opts attributes in an “exports” entry.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/diod.nix>
services.diod.exports

List the file systems that clients will be allowed to mount. All paths should be fully qualified. The exports table can include two types of element: a string element (as above), or an alternate table element form { path=“/path”, opts=“ro” }. In the alternate form, the (optional) opts attribute is a comma-separated list of export options. The two table element forms can be mixed in the exports table. Note that although diod will not traverse file system boundaries for a given mount due to inode uniqueness constraints, subdirectories of a file system can be separately exported.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/diod.nix>
services.diod.extraConfig

Extra configuration options for diod.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/diod.nix>
services.diod.listen

[ “IP:PORT” [,“IP:PORT”,…] ] List the interfaces and ports that diod should listen on.

Type: list of string

Default:

[
  "0.0.0.0:564"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/diod.nix>
services.diod.logdest

Set the destination for logging. The value has the form of “syslog:facility:level” or “filename”.

Type: string

Default: "syslog:daemon:err"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/diod.nix>
services.diod.nwthreads

Sets the (fixed) number of worker threads created to handle 9P requests for a unique aname.

Type: signed integer

Default: 16

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/diod.nix>
services.diod.squashuser

Change the squash user. The squash user must be present in the password file.

Type: string

Default: "nobody"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/diod.nix>
services.diod.statfsPassthru

This option configures statfs to return the host file system’s type rather than V9FS_MAGIC.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/diod.nix>
services.diod.userdb

This option disables password/group lookups. It allows any uid to attach and assumes gid=uid, and supplementary groups contain only the primary gid.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/diod.nix>
services.discourse.enable

Whether to enable Discourse, an open source discussion platform.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.enableACME

Whether an ACME certificate should be used to secure connections to the server.

Type: boolean

Default: true, unless services.discourse.sslCertificate and services.discourse.sslCertificateKey are set.

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.package

The discourse package to use.

Type: package

Default: pkgs.discourse

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.admin.email

The admin user email address.

Type: string

Example: "admin@example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.admin.fullName

The admin user’s full name.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.admin.passwordFile

A path to a file containing the admin user’s password.

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.admin.skipCreate

Do not create the admin account, instead rely on other existing admin accounts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.admin.username

The admin user username.

Type: string

Example: "admin"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.backendSettings

Additional settings to put in the discourse.conf file.

Look in the discourse_defaults.conf file in the upstream distribution to find available options.

Setting an option to null means “define variable, but leave right-hand side empty”.

Type: attribute set of (null or string or signed integer or boolean or floating point number)

Default: { }

Example:

{
  max_reqs_per_ip_per_minute = 300;
  max_reqs_per_ip_per_10_seconds = 60;
  max_asset_reqs_per_ip_per_10_seconds = 250;
  max_reqs_per_ip_mode = "warn+block";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.database.createLocally

Whether a database should be automatically created on the local host. Set this to false if you plan on provisioning a local database yourself. This has no effect if services.discourse.database.host is customized.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.database.host

Discourse database hostname. null means “prefer local unix socket connection”.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.database.ignorePostgresqlVersion

Whether to allow other versions of PostgreSQL than the recommended one. Only effective when services.discourse.database.createLocally is enabled.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.database.name

Discourse database name.

Type: string

Default: "discourse"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.database.passwordFile

File containing the Discourse database user password.

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.database.pool

Database connection pool size.

Type: signed integer

Default: 8

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.database.username

Discourse database user.

Type: string

Default: "discourse"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.hostname

The hostname to serve Discourse on.

Type: string

Default: config.networking.fqdnOrHostName

Example: "discourse.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.contactEmailAddress

Email address of key contact responsible for this site. Used for critical notifications, as well as on the /about contact form for urgent matters.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.incoming.enable

Whether to set up Postfix to receive incoming mail.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.incoming.apiKeyFile

A file containing the Discourse API key used to add posts and messages from mail. If left at its default value null, one will be automatically generated.

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.incoming.mailReceiverPackage

The discourse-mail-receiver package to use.

Type: package

Default: pkgs.discourse-mail-receiver

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.incoming.replyEmailAddress

Template for reply by email incoming email address, for example: %{reply_key}@reply.example.com or replies+%{reply_key}@example.com

Type: string

Default: "%{reply_key}@${config.services.discourse.hostname}"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.notificationEmailAddress

The from: email address used when sending all essential system emails. The domain specified here must have SPF, DKIM and reverse PTR records set correctly for email to arrive.

Type: string

Default:

"${if config.services.discourse.mail.incoming.enable then "notifications" else "noreply"}@${config.services.discourse.hostname}"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.outgoing.enableStartTLSAuto

Whether to try to use StartTLS.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.outgoing.authentication

Authentication type to use, see https://api.rubyonrails.org/classes/ActionMailer/Base.html

Type: null or one of “plain”, “login”, “cram_md5”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.outgoing.domain

HELO domain to use for outgoing mail.

Type: string

Default: config.services.discourse.hostname

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.outgoing.forceTLS

Force implicit TLS as per RFC 8314 3.3.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.outgoing.opensslVerifyMode

How OpenSSL checks the certificate, see https://api.rubyonrails.org/classes/ActionMailer/Base.html

Type: string

Default: "peer"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.outgoing.passwordFile

A file containing the password of the SMTP server account.

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.outgoing.port

The port of the SMTP server Discourse should use to send email.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 25

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.outgoing.serverAddress

The address of the SMTP server Discourse should use to send email.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.mail.outgoing.username

The username of the SMTP server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.nginx.enable

Whether an nginx virtual host should be set up to serve Discourse. Only disable if you’re planning to use a different web server, which is not recommended.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.plugins

Plugins to install as part of Discourse, expressed as a list of derivations.

Type: list of package

Default: [ ]

Example:

with config.services.discourse.package.plugins; [
  discourse-canned-replies
  discourse-github
];

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.redis.dbNumber

Redis database number.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.redis.host

Redis server hostname.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.redis.passwordFile

File containing the Redis password.

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.redis.useSSL

Connect to Redis with SSL.

Type: boolean

Default: config.services.discourse.redis.host != "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.secretKeyBaseFile

The path to a file containing the secret_key_base secret.

Discourse uses secret_key_base to encrypt the cookie store, which contains session data, and to digest user auth tokens.

Needs to be a 64 byte long string of hexadecimal characters. You can generate one by running

openssl rand -hex 64 >/path/to/secret_key_base_file

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Example: "/run/keys/secret_key_base"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.sidekiqProcesses

How many Sidekiq processes should be spawned.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.siteSettings

Discourse site settings. These are the settings that can be changed from the UI. This only defines their default values: they can still be overridden from the UI.

Available settings can be found by looking in the site_settings.yml file of the upstream distribution. To find a setting’s path, you only need to care about the first two levels; i.e. its category and name. See the example.

Settings containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting config/nixos_site_settings.json file, the login.github_client_secret key will be set to the contents of the /run/keys/discourse_github_client_secret file.

Type: JSON value

Default: { }

Example:

{
  required = {
    title = "My Cats";
    site_description = "Discuss My Cats (and be nice plz)";
  };
  login = {
    enable_github_logins = true;
    github_client_id = "a2f6dfe838cb3206ce20";
    github_client_secret._secret = /run/keys/discourse_github_client_secret;
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.sslCertificate

The path to the server SSL certificate. Set this to enable SSL.

Type: null or path

Default: null

Example: "/run/keys/ssl.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.sslCertificateKey

The path to the server SSL certificate key. Set this to enable SSL.

Type: null or path

Default: null

Example: "/run/keys/ssl.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.discourse.unicornTimeout

Time in seconds before a request to Unicorn times out.

This can be raised if the system Discourse is running on is too slow to handle many requests within 30 seconds.

Type: signed integer

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/web-apps/discourse.nix>
services.disnix.enable

Whether to enable Disnix.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/disnix.nix>
services.disnix.enableMultiUser

Whether to support multi-user mode by enabling the Disnix D-Bus service

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/disnix.nix>
services.disnix.enableProfilePath

Whether to enable exposing the Disnix profiles in the system’s PATH.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/disnix.nix>
services.disnix.package

The disnix package to use.

Type: package

Default: pkgs.disnix

Declared by:

<nixpkgs/nixos/modules/services/misc/disnix.nix>
services.disnix.profiles

Names of the Disnix profiles to expose in the system’s PATH

Type: list of string

Default:

[
  "default"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/disnix.nix>
services.disnix.useWebServiceInterface

Whether to enable the DisnixWebService interface running on Apache Tomcat.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/disnix.nix>
services.displayManager.enable

Whether to enable systemd’s display-manager service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/display-managers/default.nix>
services.displayManager.autoLogin

Auto login configuration attrset.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/display-managers/default.nix>
services.displayManager.autoLogin.enable

Automatically log in as autoLogin.user.

Type: boolean

Default: config.services.displayManager.autoLogin.user != null

Declared by:

<nixpkgs/nixos/modules/services/display-managers/default.nix>
services.displayManager.autoLogin.user

User to be used for the automatic login.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/display-managers/default.nix>
services.displayManager.defaultSession

Graphical session to pre-select in the session chooser (only effective for GDM, LightDM and SDDM).

On GDM, LightDM and SDDM, it will also be used as a session for auto-login.

Set this option to empty string to get an error with a list of currently available sessions.

Type: session name

Default: null

Example: "gnome"

Declared by:

<nixpkgs/nixos/modules/services/display-managers/default.nix>
services.displayManager.environment

Additional environment variables needed by the display manager.

Type: attribute set of unspecified value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/display-managers/default.nix>
services.displayManager.execCmd

Command to start the display manager.

Type: string

Example: "${pkgs.lightdm}/bin/lightdm"

Declared by:

<nixpkgs/nixos/modules/services/display-managers/default.nix>
services.displayManager.hiddenUsers

A list of users which will not be shown in the display manager.

Type: list of string

Default:

[
  "nobody"
]

Declared by:

<nixpkgs/nixos/modules/services/display-managers/default.nix>
services.displayManager.logToFile

Whether the display manager redirects the output of the session script to ~/.xsession-errors.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/display-managers/default.nix>
services.displayManager.logToJournal

Whether the display manager redirects the output of the session script to the systemd journal.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/display-managers/default.nix>
services.displayManager.ly.enable

Whether to enable ly as the display manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/display-managers/ly.nix>
services.displayManager.ly.package

The ly package to use.

Type: package

Default: pkgs.ly

Declared by:

<nixpkgs/nixos/modules/services/display-managers/ly.nix>
services.displayManager.ly.settings

Extra settings merged in and overwriting defaults in config.ini.

Type: attribute set of (string or signed integer or boolean)

Default: { }

Example:

{
  load = false;
  save = false;
}

Declared by:

<nixpkgs/nixos/modules/services/display-managers/ly.nix>
services.displayManager.preStart

Script executed before the display manager is started.

Type: strings concatenated with “\n”

Default: ""

Example: "rm -f /var/log/my-display-manager.log"

Declared by:

<nixpkgs/nixos/modules/services/display-managers/default.nix>
services.displayManager.sddm.enable

Whether to enable sddm as the display manager.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/display-managers/sddm.nix>
services.displayManager.sddm.enableHidpi

Whether to enable automatic HiDPI mode.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/display-managers/sddm.nix>
services.displayManager.sddm.package

The sddm package to use.

Type: package

Default: pkgs.plasma5Packages.sddm

Declared by:

<nixpkgs/nixos/modules/services/display-managers/sddm.nix>
services.displayManager.sddm.autoLogin.minimumUid

Minimum user ID for auto-login user.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/display-managers/sddm.nix>
services.displayManager.sddm.autoLogin.relogin

If true automatic login will kick in again on session exit (logout), otherwise it will only log in automatically when the display-manager is started.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/display-managers/sddm.nix>
services.displayManager.sddm.autoNumlock

Enable numlock at login.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/display-managers/sddm.nix>
services.displayManager.sddm.extraPackages

Extra Qt plugins / QML libraries to add to the environment.

Type: list of package

Default: "[]"

Declared by:

<nixpkgs/nixos/modules/services/display-managers/sddm.nix>
services.displayManager.sddm.settings

Extra settings merged in and overwriting defaults in sddm.conf.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  Autologin = {
    Session = "plasma.desktop";
    User = "john";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/display-managers/sddm.nix>
services.displayManager.sddm.setupScript

A script to execute when starting the display server. DEPRECATED, please use services.xserver.displayManager.setupCommands.

Type: string

Default: ""

Example:

''
  # workaround for using NVIDIA Optimus without Bumblebee
  xrandr --setprovideroutputsource modesetting NVIDIA-0
  xrandr --auto
''

Declared by:

<nixpkgs/nixos/modules/services/display-managers/sddm.nix>
services.displayManager.sddm.stopScript

A script to execute when stopping the display server.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/display-managers/sddm.nix>
services.displayManager.sddm.theme

Greeter theme to use.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/display-managers/sddm.nix>
services.displayManager.sddm.wayland.enable

Whether to enable experimental Wayland support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/display-managers/sddm.nix>
services.displayManager.sddm.wayland.compositor

The compositor to use: kwin, weston

Type: one of “kwin”, “weston”

Default: "weston"

Declared by:

<nixpkgs/nixos/modules/services/display-managers/sddm.nix>
services.displayManager.sessionPackages

A list of packages containing x11 or wayland session files to be passed to the display manager.

Type: list of package with provided sessions

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/display-managers/default.nix>
services.distccd.enable

Whether to enable distccd, a distributed C/C++ compiler.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/development/distccd.nix>
services.distccd.package

The distcc package to use.

Type: package

Default: pkgs.distcc

Declared by:

<nixpkgs/nixos/modules/services/development/distccd.nix>
services.distccd.allowedClients

Client IPs which are allowed to connect to distccd in CIDR notation.

Anyone who can connect to the distccd server can run arbitrary commands on that system as the distcc user, therefore you should use this judiciously.

Type: list of string

Default:

[
  "127.0.0.1"
]

Example:

[
  "127.0.0.1"
  "192.168.0.0/24"
  "10.0.0.0/24"
]

Declared by:

<nixpkgs/nixos/modules/services/development/distccd.nix>
services.distccd.jobTimeout

Maximum duration, in seconds, of a single compilation request.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/distccd.nix>
services.distccd.logLevel

Set the minimum severity of error that will be included in the log file. Useful if you only want to see error messages rather than an entry for each connection.

Type: null or one of “critical”, “error”, “warning”, “notice”, “info”, “debug”

Default: "warning"

Declared by:

<nixpkgs/nixos/modules/services/development/distccd.nix>
services.distccd.maxJobs

Maximum number of tasks distccd should execute at lib.any time.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/distccd.nix>
services.distccd.nice

Niceness of the compilation tasks.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/distccd.nix>
services.distccd.openFirewall

Opens the specified TCP port for distcc.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/development/distccd.nix>
services.distccd.port

The TCP port which distccd will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3632

Declared by:

<nixpkgs/nixos/modules/services/development/distccd.nix>
services.distccd.stats.enable

Whether to enable statistics reporting via HTTP server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/development/distccd.nix>
services.distccd.stats.port

The TCP port which the distccd statistics HTTP server will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3633

Declared by:

<nixpkgs/nixos/modules/services/development/distccd.nix>
services.distccd.zeroconf

Whether to register via mDNS/DNS-SD

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/development/distccd.nix>
services.dkimproxy-out.enable

Whether to enable dkimproxy_out.

Note that a key will be auto-generated, and can be found in /var/lib/dkimproxy-out.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/dkimproxy-out.nix>
services.dkimproxy-out.domains

List of domains DKIMproxy can sign for.

Type: list of string

Example:

[
  "example.org"
  "example.com"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/dkimproxy-out.nix>
services.dkimproxy-out.keySize

Size of the RSA key to use to sign outgoing emails. Note that the maximum mandatorily verified as per RFC6376 is 2048.

Type: signed integer

Default: 2048

Declared by:

<nixpkgs/nixos/modules/services/mail/dkimproxy-out.nix>
services.dkimproxy-out.listen

Address:port DKIMproxy should listen on.

Type: string

Example: "127.0.0.1:10027"

Declared by:

<nixpkgs/nixos/modules/services/mail/dkimproxy-out.nix>
services.dkimproxy-out.relay

Address:port DKIMproxy should forward mail to.

Type: string

Example: "127.0.0.1:10028"

Declared by:

<nixpkgs/nixos/modules/services/mail/dkimproxy-out.nix>
services.dkimproxy-out.selector

The selector to use for DKIM key identification.

For example, if ‘selector1’ is used here, then for each domain ‘example.org’ given in domain, ‘selector1._domainkey.example.org’ should contain the TXT record indicating the public key is the one in /var/lib/dkimproxy-out/public.key: “v=DKIM1; t=s; p=[THE PUBLIC KEY]”.

Type: string

Example: "selector1"

Declared by:

<nixpkgs/nixos/modules/services/mail/dkimproxy-out.nix>
services.dleyna-renderer.enable

Whether to enable dleyna-renderer service, a DBus service for handling DLNA renderers.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/dleyna-renderer.nix>
services.dleyna-server.enable

Whether to enable dleyna-server service, a DBus service for handling DLNA servers.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/dleyna-server.nix>
services.dnscache.enable

Whether to run the dnscache caching dns server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/dnscache.nix>
services.dnscache.clientIps

Client IP addresses (or prefixes) from which to accept connections.

Type: list of string

Default:

[
  "127.0.0.1"
]

Example:

[
  "192.168"
  "172.23.75.82"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/dnscache.nix>
services.dnscache.domainServers

Table of {hostname: server} pairs to use as authoritative servers for hosts (and subhosts). If entry for @ is not specified predefined list of root servers is used.

Type: attribute set of list of string

Default: { }

Example:

{
  "@" = ["8.8.8.8" "8.8.4.4"];
  "example.com" = ["192.168.100.100"];
}

Declared by:

<nixpkgs/nixos/modules/services/networking/dnscache.nix>
services.dnscache.forwardOnly

Whether to treat root servers (for @) as caching servers, requesting addresses the same way a client does. This is needed if you want to use e.g. Google DNS as your upstream DNS.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/dnscache.nix>
services.dnscache.ip

IP address on which to listen for connections.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/dnscache.nix>
services.dnscrypt-proxy2.enable

Whether to enable dnscrypt-proxy2.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/dnscrypt-proxy2.nix>
services.dnscrypt-proxy2.configFile

Path to TOML config file. See: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml If this option is set, it will override any configuration done in options.services.dnscrypt-proxy2.settings.

Type: path

Default: TOML file generated from services.dnscrypt-proxy2.settings

Example: "/etc/dnscrypt-proxy/dnscrypt-proxy.toml"

Declared by:

<nixpkgs/nixos/modules/services/networking/dnscrypt-proxy2.nix>
services.dnscrypt-proxy2.settings

Attrset that is converted and passed as TOML config file. For available params, see: https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.1.5/dnscrypt-proxy/example-dnscrypt-proxy.toml

Type: attribute set

Default: { }

Example:

{
  sources.public-resolvers = {
    urls = [ "https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md" ];
    cache_file = "public-resolvers.md";
    minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
    refresh_delay = 72;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/dnscrypt-proxy2.nix>
services.dnscrypt-proxy2.upstreamDefaults

Whether to base the config declared in services.dnscrypt-proxy2.settings on the upstream example config (https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/example-dnscrypt-proxy.toml)

Disable this if you want to declare your dnscrypt config from scratch.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/dnscrypt-proxy2.nix>
services.dnsdist.enable

Whether to enable dnsdist domain name server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsdist.nix>
services.dnsdist.dnscrypt.enable

Whether to enable a DNSCrypt endpoint to dnsdist.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsdist.nix>
services.dnsdist.dnscrypt.certLifetime

The lifetime (in minutes) of the resolver certificate. This will be automatically rotated before expiration.

Type: positive integer, meaning >0

Default: 15

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsdist.nix>
services.dnsdist.dnscrypt.listenAddress

Listen IP address of the endpoint

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsdist.nix>
services.dnsdist.dnscrypt.listenPort

Listen port of the endpoint

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 443

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsdist.nix>
services.dnsdist.dnscrypt.providerKey

The filepath to the provider secret key. If not given a new provider key pair will be generated in /var/lib/dnsdist on the first run.

Note

The file must be readable by the dnsdist user/group.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsdist.nix>
services.dnsdist.dnscrypt.providerName

The name that will be given to this DNSCrypt resolver.

Note

The provider name must start with 2.dnscrypt-cert..

Type: string

Default: 2.dnscrypt-cert.${config.networking.hostName}

Example: "2.dnscrypt-cert.myresolver"

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsdist.nix>
services.dnsdist.extraConfig

Extra lines to be added verbatim to dnsdist.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsdist.nix>
services.dnsdist.listenAddress

Listen IP address

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsdist.nix>
services.dnsdist.listenPort

Listen port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 53

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsdist.nix>
services.dnsmasq.enable

Whether to run dnsmasq.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsmasq.nix>
services.dnsmasq.package

The dnsmasq package to use.

Type: package

Default: pkgs.dnsmasq

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsmasq.nix>
services.dnsmasq.alwaysKeepRunning

If enabled, systemd will always respawn dnsmasq even if shut down manually. The default, disabled, will only restart it on error.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsmasq.nix>
services.dnsmasq.resolveLocalQueries

Whether dnsmasq should resolve local queries (i.e. add 127.0.0.1 to /etc/resolv.conf).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsmasq.nix>
services.dnsmasq.settings

Configuration of dnsmasq. Lists get added one value per line (empty lists and false values don’t get added, though false values get turned to comments). Gets merged with

{
  dhcp-leasefile = "/var/lib/dnsmasq/dnsmasq.leases";
  conf-file = optional cfg.resolveLocalQueries "/etc/dnsmasq-conf.conf";
  resolv-file = optional cfg.resolveLocalQueries "/etc/dnsmasq-resolv.conf";
}

Type: attribute set of (atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default: { }

Example:

{
  domain-needed = true;
  dhcp-range = [ "192.168.0.2,192.168.0.254" ];
}

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsmasq.nix>
services.dnsmasq.settings.server

The DNS servers which dnsmasq should query.

Type: list of string

Default: [ ]

Example:

[
  "8.8.8.8"
  "8.8.4.4"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsmasq.nix>
services.dnsproxy.enable

Whether to enable dnsproxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsproxy.nix>
services.dnsproxy.package

The dnsproxy package to use.

Type: package

Default: pkgs.dnsproxy

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsproxy.nix>
services.dnsproxy.flags

A list of extra command-line flags to pass to dnsproxy. For details on the available options, see https://github.com/AdguardTeam/dnsproxy#usage. Keep in mind that options passed through command-line flags override config options.

Type: list of string

Default: [ ]

Example:

[
  "--upstream=1.1.1.1:53"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsproxy.nix>
services.dnsproxy.settings

Contents of the config.yaml config file. The --config-path argument will only be passed if this set is not empty.

See https://github.com/AdguardTeam/dnsproxy/blob/master/config.yaml.dist.

Type: YAML value

Default: { }

Example:

{
  bootstrap = [
    "8.8.8.8:53"
  ];
  listen-addrs = [
    "0.0.0.0"
  ];
  listen-ports = [
    53
  ];
  upstream = [
    "1.1.1.1:53"
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/networking/dnsproxy.nix>
services.do-agent.enable

Whether to enable do-agent, the DigitalOcean droplet metrics agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/do-agent.nix>
services.dockerRegistry.enable

Whether to enable Docker Registry.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.dockerRegistry.enableDelete

Enable delete for manifests and blobs.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.dockerRegistry.enableGarbageCollect

Whether to enable garbage collect.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.dockerRegistry.enableRedisCache

Whether to enable redis as blob cache.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.dockerRegistry.package

The docker-distribution package to use.

Type: package

Default: pkgs.docker-distribution

Example: gitlab-container-registry

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.dockerRegistry.configFile

Path to CNCF distribution config file.

Setting this option will override any configuration applied by the extraConfig option.

Type: path

Default: pkgs.writeText "docker-registry-config.yml" "# my custom docker-registry-config.yml ..."

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.dockerRegistry.extraConfig

Docker extra registry configuration.

Type: attribute set

Default: { }

Example:

{
  log.level = "debug";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.dockerRegistry.garbageCollectDates

Specification (in the format described by systemd.time(7)) of the time at which the garbage collect will occur.

Type: string

Default: "daily"

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.dockerRegistry.listenAddress

Docker registry host or ip to bind to.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.dockerRegistry.openFirewall

Opens the port used by the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.dockerRegistry.port

Docker registry port to bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.dockerRegistry.redisPassword

Set redis password.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.dockerRegistry.redisUrl

Set redis host and port.

Type: string

Default: "localhost:6379"

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.dockerRegistry.storagePath

Docker registry storage path for the filesystem storage backend. Set to null to configure another backend via extraConfig.

Type: null or path

Default: "/var/lib/docker-registry"

Declared by:

<nixpkgs/nixos/modules/services/misc/docker-registry.nix>
services.documize.enable

Whether to enable Documize Wiki.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/documize.nix>
services.documize.package

The documize-community package to use.

Type: package

Default: pkgs.documize-community

Declared by:

<nixpkgs/nixos/modules/services/web-apps/documize.nix>
services.documize.cert

The cert.pem file used for https.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/documize.nix>
services.documize.db

Database specific connection string for example:

  • MySQL/Percona/MariaDB: user:password@tcp(host:3306)/documize

  • MySQLv8+: user:password@tcp(host:3306)/documize?allowNativePasswords=true

  • PostgreSQL: host=localhost port=5432 dbname=documize user=admin password=secret sslmode=disable

  • MSSQL: sqlserver://username:password@localhost:1433?database=Documize or sqlserver://sa@localhost/SQLExpress?database=Documize

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/documize.nix>
services.documize.dbtype

Specify the database provider: mysql, percona, mariadb, postgresql, sqlserver

Type: one of “mysql”, “percona”, “mariadb”, “postgresql”, “sqlserver”

Default: "postgresql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/documize.nix>
services.documize.forcesslport

Redirect given http port number to TLS.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/documize.nix>
services.documize.key

The key.pem file used for https.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/documize.nix>
services.documize.location

reserved

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/documize.nix>
services.documize.offline

Set true for offline mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/documize.nix>
services.documize.port

The http/https port number.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5001

Declared by:

<nixpkgs/nixos/modules/services/web-apps/documize.nix>
services.documize.salt

The salt string used to encode JWT tokens, if not set a random value will be generated.

Type: null or string

Default: null

Example: "3edIYV6c8B28b19fh"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/documize.nix>
services.documize.stateDirectoryName

The name of the directory below /var/lib/private where documize runs in and stores, for example, backups.

Type: string

Default: "documize"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/documize.nix>
services.docuum.enable

Whether to enable docuum daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/admin/docuum.nix>
services.docuum.deletionChunkSize

Removes specified quantity of images at a time.

Type: signed integer

Default: 1

Example: 10

Declared by:

<nixpkgs/nixos/modules/services/admin/docuum.nix>
services.docuum.keep

Prevents deletion of images for which repository:tag matches the specified regex.

Type: list of string

Default: [ ]

Example:

[
  "^my-image"
]

Declared by:

<nixpkgs/nixos/modules/services/admin/docuum.nix>
services.docuum.minAge

Sets the minimum age of images to be considered for deletion.

Type: null or string

Default: null

Example: "1d"

Declared by:

<nixpkgs/nixos/modules/services/admin/docuum.nix>
services.docuum.threshold

Threshold for deletion in bytes, like 10 GB, 10 GiB, 10GB or percentage-based thresholds like 50%

Type: string

Default: "10 GB"

Example: "50%"

Declared by:

<nixpkgs/nixos/modules/services/admin/docuum.nix>
services.doh-proxy-rust.enable

Whether to enable doh-proxy-rust.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/doh-proxy-rust.nix>
services.doh-proxy-rust.flags

A list of command-line flags to pass to doh-proxy. For details on the available options, see https://github.com/jedisct1/doh-server#usage.

Type: list of string

Default: [ ]

Example:

[
  "--server-address=9.9.9.9:53"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/doh-proxy-rust.nix>
services.dokuwiki.sites

Specification of one or more DokuWiki sites to serve

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.enable

Whether to enable DokuWiki web application.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.package

The dokuwiki package to use.

Type: package

Default: pkgs.dokuwiki

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.acl

Access Control Lists: see https://www.dokuwiki.org/acl Mutually exclusive with services.dokuwiki.aclFile Set this to a value other than null to take precedence over aclFile option.

Warning: Consider using aclFile instead if you do not want to store the ACL in the world-readable Nix store.

Type: null or (list of (submodule))

Default: null

Example:

[
  {
    page = "start";
    actor = "@external";
    level = "read";
  }
  {
    page = "*";
    actor = "@users";
    level = "upload";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.acl.*.actor

User or group to restrict

Type: string

Example: "@external"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.acl.*.level

Permission level to restrict the actor(s) to. See https://www.dokuwiki.org/acl#background_info for explanation

Type: one of 4, 16, 2, 0, 1, 8, “create”, “delete”, “edit”, “none”, “read”, “upload”

Example: "read"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.acl.*.page

Page or namespace to restrict

Type: string

Example: "start"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.aclFile

Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl Mutually exclusive with services.dokuwiki.acl which is preferred. Consult documentation https://www.dokuwiki.org/acl for further instructions. Example: https://github.com/splitbrain/dokuwiki/blob/master/conf/acl.auth.php.dist

Type: null or string

Default: "/var/lib/dokuwiki/‹name›/acl.auth.php"

Example: "/var/lib/dokuwiki/‹name›/acl.auth.php"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.mergedConfig

Read only representation of the final configuration.

Type: unspecified value (read only)

Default:

{
  useacl = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.phpOptions

Options for PHP’s php.ini file for this dokuwiki site.

Type: attribute set of string

Default: { }

Example:

{
  "opcache.interned_strings_buffer" = "8";
  "opcache.max_accelerated_files" = "10000";
  "opcache.memory_consumption" = "128";
  "opcache.revalidate_freq" = "15";
  "opcache.fast_shutdown" = "1";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.phpPackage

The php package to use.

Type: package

Default: pkgs.php81

Example: php82

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.plugins

List of path(s) to respective plugin(s) which are copied from the ‘plugin’ directory.

Note

These plugins need to be packaged before use, see example.

Type: list of path

Default: [ ]

Example:

let
  plugin-icalevents = pkgs.stdenv.mkDerivation rec {
    name = "icalevents";
    version = "2017-06-16";
    src = pkgs.fetchzip {
      stripRoot = false;
      url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/${version}/dokuwiki-plugin-icalevents-${version}.zip";
      hash = "sha256-IPs4+qgEfe8AAWevbcCM9PnyI0uoyamtWeg4rEb+9Wc=";
    };
    installPhase = "mkdir -p $out; cp -R * $out/";
  };
# And then pass this theme to the plugin list like this:
in [ plugin-icalevents ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.pluginsConfig

List of the dokuwiki (un)loaded plugins.

Type: attribute set of boolean

Default:

{
  authad = false;
  authldap = false;
  authmysql = false;
  authpgsql = false;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.poolConfig

Options for the DokuWiki PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.settings

Structural DokuWiki configuration. Refer to https://www.dokuwiki.org/config for details and supported values. Settings can either be directly set from nix, loaded from a file using ._file or obtained from any PHP function calls using ._raw.

Type: attribute set of anything

Default:

{
  superuser = "admin";
  useacl = true;
}

Example:

{
  title = "My Wiki";
  userewrite = 1;
  disableactions = [ "register" ]; # Will be concatenated with commas
  plugin.smtp = {
    smtp_pass._file = "/var/run/secrets/dokuwiki/smtp_pass";
    smtp_user._raw = "getenv('DOKUWIKI_SMTP_USER')";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.stateDir

Location of the DokuWiki state directory.

Type: path

Default: "/var/lib/dokuwiki/‹name›/data"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.templates

List of path(s) to respective template(s) which are copied from the ‘tpl’ directory.

Note

These templates need to be packaged before use, see example.

Type: list of path

Default: [ ]

Example:

let
  template-bootstrap3 = pkgs.stdenv.mkDerivation rec {
  name = "bootstrap3";
  version = "2022-07-27";
  src = pkgs.fetchFromGitHub {
    owner = "giterlizzi";
    repo = "dokuwiki-template-bootstrap3";
    rev = "v${version}";
    hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo=";
  };
  installPhase = "mkdir -p $out; cp -R * $out/";
};
# And then pass this theme to the template list like this:
in [ template-bootstrap3 ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.sites.<name>.usersFile

Location of the dokuwiki users file. List of users. Format:

login:passwordhash:Real Name:email:groups,comma,separated

Create passwordHash easily by using:

mkpasswd -5 password `pwgen 8 1`

Example: https://github.com/splitbrain/dokuwiki/blob/master/conf/users.auth.php.dist

Type: null or string

Default: "/var/lib/dokuwiki/‹name›/users.auth.php"

Example: "/var/lib/dokuwiki/‹name›/users.auth.php"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dokuwiki.webserver

Whether to use nginx or caddy for virtual host management.

Further nginx configuration can be done by adapting services.nginx.virtualHosts.<name>. See services.nginx.virtualHosts for further information.

Further caddy configuration can be done by adapting services.caddy.virtualHosts.<name>. See services.caddy.virtualHosts for further information.

Type: one of “nginx”, “caddy”

Default: "nginx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dokuwiki.nix>
services.dolibarr.enable

Whether to enable dolibarr.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.package

The dolibarr package to use.

Type: package

Default: pkgs.dolibarr

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.database.name

Database name.

Type: string

Default: "dolibarr"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.database.passwordFile

Database password file.

Type: null or path

Default: null

Example: "/run/keys/dolibarr-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.database.user

Database username.

Type: string

Default: "dolibarr"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.domain

Domain name of your server.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.group

Group account under which dolibarr runs.

Note

If left as the default value this group will automatically be created on system activation, otherwise you are responsible for ensuring the group exists before the dolibarr application starts.

Type: string

Default: "dolibarr"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx

With this option, you can customize an nginx virtual host which already has sensible defaults for Dolibarr. Set to {} if you do not need any customization to the virtual host. If enabled, then by default, the serverName is ${domain}, SSL is active, and certificates are acquired via ACME. If this is set to null (the default), no nginx virtualHost will be configured.

Type: null or (submodule)

Default: null

Example:

{
  serverAliases = [
    "dolibarr.${config.networking.domain}"
    "erp.${config.networking.domain}"
  ];
  enableACME = false;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.poolConfig

Options for the Dolibarr PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.settings

Dolibarr settings, see https://github.com/Dolibarr/dolibarr/blob/develop/htdocs/conf/conf.php.example for details.

Type: attribute set of (boolean or signed integer or string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.stateDir

State and configuration directory dolibarr will use.

Type: string

Default: "/var/lib/dolibarr"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.dolibarr.user

User account under which dolibarr runs.

Note

If left as the default value this user will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the dolibarr application starts.

Type: string

Default: "dolibarr"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/dolibarr.nix>
services.domoticz.enable

Whether to enable Domoticz home automation.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/domoticz.nix>
services.domoticz.bind

IP address to bind to.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/domoticz.nix>
services.domoticz.port

Port to bind to for HTTP, set to 0 to disable HTTP.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/misc/domoticz.nix>
services.dovecot2.enable

Whether to enable the dovecot 2.x POP3/IMAP server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.enableDHE

Whether to enable ssl_dh and generation of primes for the key exchange.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.enableImap

Whether to enable starting the IMAP listener (when Dovecot is enabled).

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.enableLmtp

Whether to enable starting the LMTP listener (when Dovecot is enabled).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.enablePAM

Whether to enable creating a own Dovecot PAM service and configure PAM user logins.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.enablePop3

Whether to enable starting the POP3 listener (when Dovecot is enabled).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.enableQuota

Whether to enable the dovecot quota service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.configFile

Config file used for the whole dovecot configuration.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.createMailUser

Whether to enable automatically creating the user given in services.dovecot.user and the group given in services.dovecot.group.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.extraConfig

Additional entries to put verbatim into Dovecot’s config file.

Type: strings concatenated with “\n”

Default: ""

Example: "mail_debug = yes"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.group

Dovecot group name.

Type: string

Default: "dovecot2"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.imapsieve.mailbox

Configure Sieve filtering rules on IMAP actions

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.imapsieve.mailbox.*.after

When an IMAP event of interest occurs, this sieve script is executed after any user script respectively.

This setting each specify the location of a single sieve script. The semantics of this setting is similar to sieve_after: the specified scripts form a sequence together with the user script in which the next script is only executed when an (implicit) keep action is executed.

Type: null or path

Default: null

Example: ./report-spam.sieve

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.imapsieve.mailbox.*.before

When an IMAP event of interest occurs, this sieve script is executed before any user script respectively.

This setting each specify the location of a single sieve script. The semantics of this setting is similar to sieve_before: the specified scripts form a sequence together with the user script in which the next script is only executed when an (implicit) keep action is executed.

Type: null or path

Default: null

Example: ./report-spam.sieve

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.imapsieve.mailbox.*.causes

Only execute the administrator Sieve scripts for the mailbox configured with services.dovecot2.imapsieve.mailbox.<name>.name when one of the listed IMAPSIEVE causes apply.

This has no effect on the user script, which is always executed no matter the cause.

Type: list of (one of “APPEND”, “COPY”, “FLAG”)

Default: [ ]

Example:

[
  "COPY"
  "APPEND"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.imapsieve.mailbox.*.from

Only execute the administrator Sieve scripts for the mailbox configured with services.dovecot2.imapsieve.mailbox.<name>.name when the message originates from the indicated mailbox.

This setting supports wildcards with a syntax compatible with the IMAP LIST command, meaning that this setting can apply to multiple or even all (“*”) mailboxes.

Type: null or string

Default: null

Example: "*"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.imapsieve.mailbox.*.name

This setting configures the name of a mailbox for which administrator scripts are configured.

The settings defined hereafter with matching sequence numbers apply to the mailbox named by this setting.

This setting supports wildcards with a syntax compatible with the IMAP LIST command, meaning that this setting can apply to multiple or even all (“*”) mailboxes.

Type: string

Example: "Junk"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailGroup

Default group to store mail for virtual users.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailLocation

Location that dovecot will use for mail folders. Dovecot mail_location option.

Type: string

Default: "maildir:/var/spool/mail/%u"

Example: "maildir:~/mail:INBOX=/var/spool/mail/%u"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailPlugins

Additional entries to add to the mail_plugins variable, globally and per protocol

Type: submodule

Default:

{
  globally = {
    enable = [ ];
  };
  perProtocol = { };
}

Example:

{
  globally = {
    enable = [
      "acl"
    ];
  };
  perProtocol = {
    imap = {
      enable = [
        "imap_acl"
      ];
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailPlugins.globally

Additional entries to add to the mail_plugins variable for all protocols

Type: submodule

Default:

{
  enable = [ ];
}

Example:

{
  enable = [
    "virtual"
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailPlugins.globally.enable

mail plugins to enable as a list of strings to append to the top-level $mail_plugins configuration variable

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailPlugins.perProtocol

Additional entries to add to the mail_plugins variable, per protocol

Type: attribute set of (submodule)

Default: { }

Example:

{
  imap = [
    "imap_acl"
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailPlugins.perProtocol.<name>.enable

mail plugins to enable as a list of strings to append to the corresponding per-protocol $mail_plugins configuration variable

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailUser

Default user to store mail for virtual users.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailboxes

Configure mailboxes and auto create or subscribe them.

Type: (attribute set of (submodule)) or (list of unspecified value) convertible to it

Default: { }

Example:

{
  Spam = { specialUse = "Junk"; auto = "create"; };
}

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailboxes.<name>.auto

Whether to automatically create or create and subscribe to the mailbox or not.

Type: one of “no”, “create”, “subscribe”

Default: "no"

Example: "subscribe"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailboxes.<name>.autoexpunge

To automatically remove all email from the mailbox which is older than the specified time.

Type: null or string

Default: null

Example: "60d"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailboxes.<name>.name

The name of the mailbox.

Type: string matching the pattern [^"]+ (read only)

Default: "‹name›"

Example: "Spam"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.mailboxes.<name>.specialUse

Null if no special use flag is set. Other than that every use flag mentioned in the RFC is valid.

Type: null or one of “All”, “Archive”, “Drafts”, “Flagged”, “Junk”, “Sent”, “Trash”

Default: null

Example: "Junk"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.modules

Symlinks the contents of lib/dovecot of every given package into /etc/dovecot/modules. This will make the given modules available if a dovecot package with the module_dir patch applied is being used.

Type: list of package

Default: [ ]

Example: [ pkgs.dovecot_pigeonhole ]

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.pluginSettings

Plugin settings for dovecot in general, e.g. sieve, sieve_default, etc.

Some of the other knobs of this module will influence by default the plugin settings, but you can still override any plugin settings.

If you override a plugin setting, its value is cleared and you have to copy over the defaults.

Type: attribute set of (string or package)

Default: { }

Example:

{
  sieve = "file:~/sieve;active=~/.dovecot.sieve";
}

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.protocols

Additional listeners to start when Dovecot is enabled.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.quotaGlobalPerUser

Quota limit for the user in bytes. Supports suffixes b, k, M, G, T and %.

Type: string

Default: "100G"

Example: "10G"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.quotaPort

The Port the dovecot quota service binds to. If using postfix, add check_policy_service inet:localhost:12340 to your smtpd_recipient_restrictions in your postfix config.

Type: string

Default: "12340"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.showPAMFailure

Whether to enable showing the PAM failure message on authentication error (useful for OTPW).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.sieve.extensions

Sieve extensions for use in user scripts

Type: list of string

Default: [ ]

Example:

[
  "notify"
  "imapflags"
  "vnd.dovecot.filter"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.sieve.globalExtensions

Sieve extensions for use in global scripts

Type: list of string

Default: [ ]

Example:

[
  "vnd.dovecot.environment"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.sieve.pipeBins

Programs available for use by the vnd.dovecot.pipe extension

Type: list of path

Default: [ ]

Example:

map lib.getExe [
  (pkgs.writeShellScriptBin "learn-ham.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_ham")
  (pkgs.writeShellScriptBin "learn-spam.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_spam")
]

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.sieve.plugins

Sieve plugins to load

Type: list of string

Default: [ ]

Example:

[
  "sieve_extprograms"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.sieve.scripts

Sieve scripts to be executed. Key is a sequence, e.g. ‘before2’, ‘after’ etc.

Type: attribute set of path

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.sslCACert

Path to the server’s CA certificate key.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.sslServerCert

Path to the server’s public key.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.sslServerKey

Path to the server’s private key.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dovecot2.user

Dovecot user name.

Type: string

Default: "dovecot2"

Declared by:

<nixpkgs/nixos/modules/services/mail/dovecot.nix>
services.dragonflydb.enable

Whether to enable DragonflyDB.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/dragonflydb.nix>
services.dragonflydb.bind

The IP interface to bind to. null means “all interfaces”.

Type: null or string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/databases/dragonflydb.nix>
services.dragonflydb.cacheMode

Once this mode is on, Dragonfly will evict items least likely to be stumbled upon in the future but only when it is near maxmemory limit.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/dragonflydb.nix>
services.dragonflydb.dbNum

Maximum number of supported databases for select

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/dragonflydb.nix>
services.dragonflydb.keysOutputLimit

Maximum number of returned keys in keys command. keys is a dangerous command. We truncate its result to avoid blowup in memory when fetching too many keys.

Type: unsigned integer, meaning >=0

Default: 8192

Declared by:

<nixpkgs/nixos/modules/services/databases/dragonflydb.nix>
services.dragonflydb.maxMemory

The maximum amount of memory to use for storage (in bytes). null means this will be automatically set.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/dragonflydb.nix>
services.dragonflydb.memcachePort

To enable memcached compatible API on this port. null means disabled.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/dragonflydb.nix>
services.dragonflydb.port

The TCP port to accept connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6379

Declared by:

<nixpkgs/nixos/modules/services/databases/dragonflydb.nix>
services.dragonflydb.requirePass

Password for database

Type: null or string

Default: null

Example: "letmein!"

Declared by:

<nixpkgs/nixos/modules/services/databases/dragonflydb.nix>
services.dragonflydb.user

The user to run DragonflyDB as

Type: string

Default: "dragonfly"

Declared by:

<nixpkgs/nixos/modules/services/databases/dragonflydb.nix>
services.drbd.enable

Whether to enable support for DRBD, the Distributed Replicated Block Device.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/drbd.nix>
services.drbd.config

Contents of the drbd.conf configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/drbd.nix>
services.druid.package

The apache-druid package to use.

Type: package

Default: pkgs.druid

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.broker.enable

Whether to enable Druid Broker.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.broker.config

(key=value) Configuration to be written to runtime.properties of the druid Druid Broker https://druid.apache.org/docs/latest/configuration/index.html

Type: attribute set of anything

Default: { }

Example:

{
  "druid.plainTextPort" = "8082";
  "druid.service" = "servicename";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.broker.jdk

The JDK package to use.

Type: package

Default: pkgs.jdk17_headless

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.broker.jvmArgs

Arguments to pass to the JVM

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.broker.openFirewall

Open firewall ports for Druid Broker.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.broker.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.commonConfig

(key=value) Configuration to be written to common.runtime.properties

Type: attribute set of anything

Default: { }

Example:

{
  "druid.extensions.loadList" = "[ \"mysql-metadata-storage\" ]";
  "druid.metadata.storage.connector.connectURI" = "jdbc:mysql://localhost:3306/druid";
  "druid.metadata.storage.type" = "mysql";
  "druid.zk.service.host" = "localhost:2181";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.commonTmpDirs

Common List of directories used by druid processes

Type: list of string

Default:

[
  "/var/log/druid/requests"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.coordinator.enable

Whether to enable Druid Coordinator.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.coordinator.config

(key=value) Configuration to be written to runtime.properties of the druid Druid Coordinator https://druid.apache.org/docs/latest/configuration/index.html

Type: attribute set of anything

Default: { }

Example:

{
  "druid.plainTextPort" = "8082";
  "druid.service" = "servicename";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.coordinator.jdk

The JDK package to use.

Type: package

Default: pkgs.jdk17_headless

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.coordinator.jvmArgs

Arguments to pass to the JVM

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.coordinator.openFirewall

Open firewall ports for Druid Coordinator.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.coordinator.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.extraClassPaths

Extra classpath to include in the jvm

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.extraConfDirs

Extra Conf Dirs to include in the jvm

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.historical.enable

Whether to enable Druid Historical.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.historical.config

(key=value) Configuration to be written to runtime.properties of the druid Druid Historical https://druid.apache.org/docs/latest/configuration/index.html

Type: attribute set of anything

Default: { }

Example:

{
  "druid.plainTextPort" = "8082";
  "druid.service" = "servicename";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.historical.jdk

The JDK package to use.

Type: package

Default: pkgs.jdk17_headless

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.historical.jvmArgs

Arguments to pass to the JVM

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.historical.openFirewall

Open firewall ports for Druid Historical.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.historical.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.historical.segmentLocations

Locations where the historical will store its data.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.historical.segmentLocations.*.freeSpacePercent

Druid Historical will fail to write if it exceeds this value

Type: floating point number

Default: 1.0

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.historical.segmentLocations.*.maxSize

Max size the druid historical can occupy

Type: string

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.historical.segmentLocations.*.path

the path to store the segments

Type: path

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.log4j

Log4j Configuration for the druid process

Type: path

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.middleManager.enable

Whether to enable Druid middleManager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.middleManager.config

(key=value) Configuration to be written to runtime.properties of the druid Druid middleManager https://druid.apache.org/docs/latest/configuration/index.html

Type: attribute set of anything

Default: { }

Example:

{
  "druid.plainTextPort" = "8082";
  "druid.service" = "servicename";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.middleManager.jdk

The JDK package to use.

Type: package

Default: pkgs.jdk17_headless

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.middleManager.jvmArgs

Arguments to pass to the JVM

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.middleManager.openFirewall

Open firewall ports for Druid middleManager.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.middleManager.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.overlord.enable

Whether to enable Druid Overlord.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.overlord.config

(key=value) Configuration to be written to runtime.properties of the druid Druid Overlord https://druid.apache.org/docs/latest/configuration/index.html

Type: attribute set of anything

Default: { }

Example:

{
  "druid.plainTextPort" = "8082";
  "druid.service" = "servicename";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.overlord.jdk

The JDK package to use.

Type: package

Default: pkgs.jdk17_headless

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.overlord.jvmArgs

Arguments to pass to the JVM

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.overlord.openFirewall

Open firewall ports for Druid Overlord.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.overlord.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.router.enable

Whether to enable Druid Router.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.router.config

(key=value) Configuration to be written to runtime.properties of the druid Druid Router https://druid.apache.org/docs/latest/configuration/index.html

Type: attribute set of anything

Default: { }

Example:

{
  "druid.plainTextPort" = "8082";
  "druid.service" = "servicename";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.router.jdk

The JDK package to use.

Type: package

Default: pkgs.jdk17_headless

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.router.jvmArgs

Arguments to pass to the JVM

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.router.openFirewall

Open firewall ports for Druid Router.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.druid.router.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/druid/default.nix>
services.dspam.enable

Whether to enable the dspam spam filter.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/dspam.nix>
services.dspam.domainSocket

Path to local domain socket which is used for communication with the daemon. Set to null to disable UNIX socket.

Type: null or path

Default: "/run/dspam/dspam.sock"

Declared by:

<nixpkgs/nixos/modules/services/mail/dspam.nix>
services.dspam.extraConfig

Additional dspam configuration.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/dspam.nix>
services.dspam.group

Group for the dspam daemon.

Type: string

Default: "dspam"

Declared by:

<nixpkgs/nixos/modules/services/mail/dspam.nix>
services.dspam.maintenanceInterval

If set, maintenance script will be run at specified (in systemd.timer format) interval

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/dspam.nix>
services.dspam.storageDriver

Storage driver backend to use for dspam.

Type: string

Default: "hash"

Declared by:

<nixpkgs/nixos/modules/services/mail/dspam.nix>
services.dspam.user

User for the dspam daemon.

Type: string

Default: "dspam"

Declared by:

<nixpkgs/nixos/modules/services/mail/dspam.nix>
services.duckling.enable

Whether to enable duckling.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/duckling.nix>
services.duckling.port

Port on which duckling will run.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/misc/duckling.nix>
services.duplicati.enable

Whether to enable Duplicati.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicati.nix>
services.duplicati.package

The duplicati package to use.

Type: package

Default: pkgs.duplicati

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicati.nix>
services.duplicati.dataDir

The directory where Duplicati stores its data files.

Note

If left as the default value this directory will automatically be created before the Duplicati server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: string

Default: "/var/lib/duplicati"

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicati.nix>
services.duplicati.interface

Listening interface for the web UI Set it to “any” to listen on all available interfaces

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicati.nix>
services.duplicati.port

Port serving the web interface

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8200

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicati.nix>
services.duplicati.user

Duplicati runs as it’s own user. It will only be able to backup world-readable files. Run as root with special care.

Type: string

Default: "duplicati"

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicati.nix>
services.duplicity.enable

Whether to enable backups with duplicity.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.duplicity.cleanup.maxAge

If non-null, delete all backup sets older than the given time. Old backup sets will not be deleted if backup sets newer than time depend on them.

Type: null or string

Default: null

Example: "6M"

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.duplicity.cleanup.maxFull

If non-null, delete all backups sets that are older than the count:th last full backup (in other words, keep the last count full backups and associated incremental sets).

Type: null or signed integer

Default: null

Example: 2

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.duplicity.cleanup.maxIncr

If non-null, delete incremental sets of all backups sets that are older than the count:th last full backup (in other words, keep only old full backups and not their increments).

Type: null or signed integer

Default: null

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.duplicity.exclude

List of paths to exclude from backups. See the FILE SELECTION section in duplicity(1) for details on the syntax.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.duplicity.excludeFileList

File containing newline-separated list of paths to exclude into the backups. See the FILE SELECTION section in duplicity(1) for details on the syntax.

Type: null or path

Default: null

Example: /path/to/fileList.txt

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.duplicity.extraFlags

Extra command-line flags passed to duplicity. See duplicity(1).

Type: list of string

Default: [ ]

Example:

[
  "--backend-retry-delay"
  "100"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.duplicity.frequency

Run duplicity with the given frequency (see systemd.time(7) for the format). If null, do not run automatically.

Type: null or string

Default: "daily"

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.duplicity.fullIfOlderThan

If "never" (the default) always do incremental backups (the first backup will be a full backup, of course). If "always" always do full backups. Otherwise, this must be a string representing a duration. Full backups will be made when the latest full backup is older than this duration. If this is not the case, an incremental backup is performed.

Type: string

Default: "never"

Example: "1M"

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.duplicity.include

List of paths to include into the backups. See the FILE SELECTION section in duplicity(1) for details on the syntax.

Type: list of string

Default: [ ]

Example:

[
  "/home"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.duplicity.includeFileList

File containing newline-separated list of paths to include into the backups. See the FILE SELECTION section in duplicity(1) for details on the syntax.

Type: null or path

Default: null

Example: /path/to/fileList.txt

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.duplicity.root

Root directory to backup.

Type: path

Default: "/"

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.duplicity.secretFile

Path of a file containing secrets (gpg passphrase, access key…) in the format of EnvironmentFile as described by systemd.exec(5). For example:

PASSPHRASE=«...»
AWS_ACCESS_KEY_ID=«...»
AWS_SECRET_ACCESS_KEY=«...»

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.duplicity.targetUrl

Target url to backup to. See the URL FORMAT section in duplicity(1) for supported urls.

Type: string

Example: "s3://host:port/prefix"

Declared by:

<nixpkgs/nixos/modules/services/backup/duplicity.nix>
services.dwm-status.enable

Whether to enable dwm-status user service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/dwm-status.nix>
services.dwm-status.package

The dwm-status package to use.

Type: package

Default: pkgs.dwm-status

Example: dwm-status.override { enableAlsaUtils = false; }

Declared by:

<nixpkgs/nixos/modules/services/misc/dwm-status.nix>
services.dwm-status.extraConfig

Extra config in TOML format.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/dwm-status.nix>
services.dwm-status.order

List of enabled features in order.

Type: list of (one of “audio”, “backlight”, “battery”, “cpu_load”, “network”, “time”)

Declared by:

<nixpkgs/nixos/modules/services/misc/dwm-status.nix>
services.dysnomia.enable

Whether to enable Dysnomia

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
services.dysnomia.enableAuthentication

Whether to publish privacy-sensitive authentication credentials

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
services.dysnomia.enableLegacyModules

Whether to enable Dysnomia legacy process and wrapper modules

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
services.dysnomia.package

The Dysnomia package

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
services.dysnomia.components

An attribute set in which each key represents a container and each value an attribute set in which each key represents a component and each value a derivation constructing its initial state

Type: attribute set of (attribute set)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
services.dysnomia.containers

An attribute set in which each key represents a container and each value an attribute set providing its configuration properties

Type: attribute set of (attribute set)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
services.dysnomia.extraContainerPaths

A list of paths containing additional container configurations that are added to the search folders

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
services.dysnomia.extraContainerProperties

An attribute set providing additional container settings in addition to the default properties

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
services.dysnomia.extraModulePaths

A list of paths containing additional modules that are added to the search folders

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
services.dysnomia.properties

An attribute set in which each attribute represents a machine property. Optionally, these values can be shell substitutions.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/dysnomia.nix>
services.earlyoom.enable

Whether to enable early out of memory killing.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/system/earlyoom.nix>
services.earlyoom.enableDebugInfo

Enable debugging messages.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/system/earlyoom.nix>
services.earlyoom.enableNotifications

Send notifications about killed processes via the system d-bus.

WARNING: enabling this option (while convenient) should not be done on a machine where you do not trust the other users as it allows any other local user to DoS your session by spamming notifications.

To actually see the notifications in your GUI session, you need to have systembus-notify running as your user, which this option handles by enabling services.systembus-notify.

See README for details.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/system/earlyoom.nix>
services.earlyoom.package

The earlyoom package to use.

Type: package

Default: pkgs.earlyoom

Declared by:

<nixpkgs/nixos/modules/services/system/earlyoom.nix>
services.earlyoom.extraArgs

Extra command-line arguments to be passed to earlyoom.

Type: list of string

Default: [ ]

Example:

[
  "-g"
  "--prefer '(^|/)(java|chromium)$'"
]

Declared by:

<nixpkgs/nixos/modules/services/system/earlyoom.nix>
services.earlyoom.freeMemKillThreshold

Minimum available memory (in percent) before sending SIGKILL. If unset, this defaults to half of freeMemThreshold.

See the description of services.earlyoom.freeMemThreshold.

Type: null or integer between 1 and 100 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/system/earlyoom.nix>
services.earlyoom.freeMemThreshold

Minimum available memory (in percent).

If the available memory falls below this threshold (and the analog is true for freeSwapThreshold) the killing begins. SIGTERM is sent first to the process that uses the most memory; then, if the available memory falls below freeMemKillThreshold (and the analog is true for freeSwapKillThreshold), SIGKILL is sent.

See README for details.

Type: integer between 1 and 100 (both inclusive)

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/system/earlyoom.nix>
services.earlyoom.freeSwapKillThreshold

Minimum free swap space (in percent) before sending SIGKILL. If unset, this defaults to half of freeSwapThreshold.

See the description of services.earlyoom.freeMemThreshold.

Type: null or integer between 1 and 100 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/system/earlyoom.nix>
services.earlyoom.freeSwapThreshold

Minimum free swap space (in percent) before sending SIGTERM.

See the description of services.earlyoom.freeMemThreshold.

Type: integer between 1 and 100 (both inclusive)

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/system/earlyoom.nix>
services.earlyoom.killHook

An absolute path to an executable to be run for each process killed. Some environment variables are available, see README and the man page for details.

Type: null or path

Default: null

Example:

pkgs.writeShellScript "earlyoom-kill-hook" ''
  echo "Process $EARLYOOM_NAME ($EARLYOOM_PID) was killed" >> /path/to/log
''

Declared by:

<nixpkgs/nixos/modules/services/system/earlyoom.nix>
services.earlyoom.reportInterval

Interval (in seconds) at which a memory report is printed (set to 0 to disable).

Type: signed integer

Default: 3600

Example: 0

Declared by:

<nixpkgs/nixos/modules/services/system/earlyoom.nix>
services.ebusd.enable

Whether to enable ebusd, a daemon for communication with eBUS heating systems.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.package

The ebusd package to use.

Type: package

Default: pkgs.ebusd

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.configpath

Directory to read CSV config files from. This can be a local folder or a URL.

Type: string

Default: "https://cfg.ebusd.eu/"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.device

Use DEV as eBUS device [/dev/ttyUSB0]. This can be either: enh:DEVICE or enh:IP:PORT for enhanced device (only adapter v3 and newer), ens:DEVICE for enhanced high speed serial device (only adapter v3 and newer with firmware since 20220731), DEVICE for serial device (normal speed, for all other serial adapters like adapter v2 as well as adapter v3 in non-enhanced mode), or [udp:]IP:PORT for network device.

Source: https://github.com/john30/ebusd/wiki/2.-Run#device-options

Type: string

Default: ""

Example: "IP:PORT"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.extraArguments

Extra arguments to the ebus daemon

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.logs.all

Only write log for matching AREAs (all|main|network|bus|update|other) below or equal to LEVEL (none|error|notice|info|debug)

Type: one of “none”, “error”, “notice”, “info”, “debug”

Default: "notice"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.logs.bus

Only write log for matching AREAs (all|main|network|bus|update|other) below or equal to LEVEL (none|error|notice|info|debug)

Type: one of “none”, “error”, “notice”, “info”, “debug”

Default: "notice"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.logs.main

Only write log for matching AREAs (all|main|network|bus|update|other) below or equal to LEVEL (none|error|notice|info|debug)

Type: one of “none”, “error”, “notice”, “info”, “debug”

Default: "notice"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.logs.network

Only write log for matching AREAs (all|main|network|bus|update|other) below or equal to LEVEL (none|error|notice|info|debug)

Type: one of “none”, “error”, “notice”, “info”, “debug”

Default: "notice"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.logs.other

Only write log for matching AREAs (all|main|network|bus|update|other) below or equal to LEVEL (none|error|notice|info|debug)

Type: one of “none”, “error”, “notice”, “info”, “debug”

Default: "notice"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.logs.update

Only write log for matching AREAs (all|main|network|bus|update|other) below or equal to LEVEL (none|error|notice|info|debug)

Type: one of “none”, “error”, “notice”, “info”, “debug”

Default: "notice"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.mqtt.enable

Whether to enable support for MQTT.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.mqtt.home-assistant

Adds the Home Assistant topics to MQTT, read more at MQTT Integration

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.mqtt.host

Connect to MQTT broker on HOST.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.mqtt.password

The MQTT password.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.mqtt.port

The port on which to connect to MQTT

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1883

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.mqtt.retain

Whether to enable set the retain flag on all topics instead of only selected global ones.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.mqtt.user

The MQTT user to use

Type: string

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.port

The port on which to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8888

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.readonly

Only read from device, never write to it

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ebusd.scanconfig

Pick CSV config files matching initial scan (“none” or empty for no initial scan message, “full” for full scan, or a single hex address to scan, default is to send a broadcast ident message). If combined with --checkconfig, you can add scan message data as arguments for checking a particular scan configuration, e.g. “FF08070400/0AB5454850303003277201”. For further details on this option, see Automatic configuration.

Type: string

Default: "full"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/ebusd.nix>
services.ecs-agent.enable

Whether to enable Amazon ECS agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/ecs-agent.nix>
services.ecs-agent.package

The ecs-agent package to use.

Type: package

Default: pkgs.ecs-agent

Declared by:

<nixpkgs/nixos/modules/virtualisation/ecs-agent.nix>
services.ecs-agent.extra-environment

The environment the ECS agent should run with. See the ECS agent documentation for keys that work here.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/ecs-agent.nix>
services.eg25-manager.enable

Whether to enable Quectel EG25 modem manager service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/network/eg25-manager.nix>
services.eg25-manager.package

The eg25-manager package to use.

Type: package

Default: pkgs.eg25-manager

Declared by:

<nixpkgs/nixos/modules/hardware/network/eg25-manager.nix>
services.eintopf.enable

Whether to enable Eintopf community event calendar web app.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/eintopf.nix>
services.eintopf.secrets

A list of files containing the various secrets. Should be in the format expected by systemd’s EnvironmentFile directory.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/eintopf.nix>
services.eintopf.settings

Settings to configure web service. See https://codeberg.org/Klasse-Methode/eintopf/src/branch/main/DEPLOYMENT.md for available options.

Type: attribute set of string

Default: { }

Example:

{
  EINTOPF_ADDR = ":1234";
  EINTOPF_ADMIN_EMAIL = "admin@example.org";
  EINTOPF_TIMEZONE = "Europe/Berlin";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/eintopf.nix>
services.ejabberd.enable

Whether to enable ejabberd server

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.package

The ejabberd package to use.

Type: package

Default: pkgs.ejabberd

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.configFile

Configuration file for ejabberd in YAML format

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.ctlConfig

Configuration of ejabberdctl

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.group

Group under which ejabberd is ran

Type: string

Default: "ejabberd"

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.imagemagick

Add ImageMagick to server’s path; allows for image thumbnailing

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.loadDumps

Configuration dumps that should be loaded on the first startup

Type: list of path

Default: [ ]

Example: [ ./myejabberd.dump ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.logsDir

Location of the logfile directory of ejabberd

Type: path

Default: "/var/log/ejabberd"

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.spoolDir

Location of the spooldir of ejabberd

Type: path

Default: "/var/lib/ejabberd"

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.ejabberd.user

User under which ejabberd is ran

Type: string

Default: "ejabberd"

Declared by:

<nixpkgs/nixos/modules/services/networking/ejabberd.nix>
services.elasticsearch.enable

Whether to enable elasticsearch.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.package

The elasticsearch package to use.

Type: package

Default: pkgs.elasticsearch

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.cluster_name

Elasticsearch name that identifies your cluster for auto-discovery.

Type: string

Default: "elasticsearch"

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.dataDir

Data directory for elasticsearch.

Type: path

Default: "/var/lib/elasticsearch"

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.extraCmdLineOptions

Extra command line options for the elasticsearch launcher.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.extraConf

Extra configuration for elasticsearch.

Type: string

Default: ""

Example:

''
  node.name: "elasticsearch"
  node.master: true
  node.data: false
''

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.extraJavaOptions

Extra command line options for Java.

Type: list of string

Default: [ ]

Example:

[
  "-Djava.net.preferIPv4Stack=true"
]

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.listenAddress

Elasticsearch listen address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.logging

Elasticsearch logging configuration.

Type: string

Default:

''
  logger.action.name = org.elasticsearch.action
  logger.action.level = info
  
  appender.console.type = Console
  appender.console.name = console
  appender.console.layout.type = PatternLayout
  appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
  
  rootLogger.level = info
  rootLogger.appenderRef.console.ref = console
''

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.plugins

Extra elasticsearch plugins

Type: list of package

Default: [ ]

Example: [ pkgs.elasticsearchPlugins.discovery-ec2 ]

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.port

Elasticsearch port to listen for HTTP traffic.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9200

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on a server or cluster. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.single_node

Start a single-node cluster

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch.tcp_port

Elasticsearch port for the node to node communication.

Type: signed integer

Default: 9300

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch.nix>
services.elasticsearch-curator.enable

Whether to enable elasticsearch curator.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch-curator.nix>
services.elasticsearch-curator.actionYAML

curator action.yaml file contents, alternatively use curator-cli which takes a simple action command

Type: strings concatenated with “\n”

Example:

''
  ---
  actions:
    1:
      action: delete_indices
      description: >-
        Delete indices older than 45 days (based on index name), for logstash-
        prefixed indices. Ignore the error if the filter does not result in an
        actionable list of indices (ignore_empty_list) and exit cleanly.
      options:
        ignore_empty_list: True
        disable_action: False
      filters:
      - filtertype: pattern
        kind: prefix
        value: logstash-
      - filtertype: age
        source: name
        direction: older
        timestring: '%Y.%m.%d'
        unit: days
        unit_count: 45
''

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch-curator.nix>
services.elasticsearch-curator.hosts

a list of elasticsearch hosts to connect to

Type: list of string

Default:

[
  "localhost"
]

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch-curator.nix>
services.elasticsearch-curator.interval

The frequency to run curator, a systemd.time such as ‘hourly’

Type: string

Default: "hourly"

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch-curator.nix>
services.elasticsearch-curator.port

the port that elasticsearch is listening on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9200

Declared by:

<nixpkgs/nixos/modules/services/search/elasticsearch-curator.nix>
services.emacs.enable

Whether to enable a user service for the Emacs daemon. Use emacsclient to connect to the daemon. If true, services.emacs.install is considered true, whatever its value.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/editors/emacs.nix>
services.emacs.package

The emacs package to use.

Type: package

Default: pkgs.emacs

Declared by:

<nixpkgs/nixos/modules/services/editors/emacs.nix>
services.emacs.defaultEditor

When enabled, configures emacsclient to be the default editor using the EDITOR environment variable.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/editors/emacs.nix>
services.emacs.install

Whether to install a user service for the Emacs daemon. Once the service is started, use emacsclient to connect to the daemon.

The service must be manually started for each user with “systemctl --user start emacs” or globally through services.emacs.enable.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/editors/emacs.nix>
services.emacs.startWithGraphical

Start emacs with the graphical session instead of any session. Without this, emacs clients will not be able to create frames in the graphical session.

Type: boolean

Default: config.services.xserver.enable

Declared by:

<nixpkgs/nixos/modules/services/editors/emacs.nix>
services.endlessh.enable

Whether to enable endlessh service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/endlessh.nix>
services.endlessh.extraOptions

Additional command line options to pass to the endlessh daemon.

Type: list of string

Default: [ ]

Example:

[
  "-6"
  "-d 9000"
  "-v"
]

Declared by:

<nixpkgs/nixos/modules/services/security/endlessh.nix>
services.endlessh.openFirewall

Whether to open a firewall port for the SSH listener.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/endlessh.nix>
services.endlessh.port

Specifies on which port the endlessh daemon listens for SSH connections.

Setting this to 22 may conflict with services.openssh.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2222

Example: 22

Declared by:

<nixpkgs/nixos/modules/services/security/endlessh.nix>
services.endlessh-go.enable

Whether to enable endlessh-go service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/endlessh-go.nix>
services.endlessh-go.package

The endlessh-go package to use.

Type: package

Default: pkgs.endlessh-go

Declared by:

<nixpkgs/nixos/modules/services/security/endlessh-go.nix>
services.endlessh-go.extraOptions

Additional command line options to pass to the endlessh-go daemon.

Type: list of string

Default: [ ]

Example:

[
  "-conn_type=tcp4"
  "-max_clients=8192"
]

Declared by:

<nixpkgs/nixos/modules/services/security/endlessh-go.nix>
services.endlessh-go.listenAddress

Interface address to bind the endlessh-go daemon to SSH connections.

Type: string

Default: "0.0.0.0"

Example: "[::]"

Declared by:

<nixpkgs/nixos/modules/services/security/endlessh-go.nix>
services.endlessh-go.openFirewall

Whether to open a firewall port for the SSH listener.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/endlessh-go.nix>
services.endlessh-go.port

Specifies on which port the endlessh-go daemon listens for SSH connections.

Setting this to 22 may conflict with services.openssh.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2222

Example: 22

Declared by:

<nixpkgs/nixos/modules/services/security/endlessh-go.nix>
services.endlessh-go.prometheus.enable

Whether to enable Prometheus integration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/endlessh-go.nix>
services.endlessh-go.prometheus.listenAddress

Interface address to bind the endlessh-go daemon to answer Prometheus queries.

Type: string

Default: "0.0.0.0"

Example: "[::]"

Declared by:

<nixpkgs/nixos/modules/services/security/endlessh-go.nix>
services.endlessh-go.prometheus.port

Specifies on which port the endlessh-go daemon listens for Prometheus queries.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2112

Example: 9119

Declared by:

<nixpkgs/nixos/modules/services/security/endlessh-go.nix>
services.engelsystem.enable

Whether to enable engelsystem, an online tool for coordinating volunteers and shifts on large events.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/engelsystem.nix>
services.engelsystem.package

The engelsystem package to use.

Type: package

Default: pkgs.engelsystem

Declared by:

<nixpkgs/nixos/modules/services/web-apps/engelsystem.nix>
services.engelsystem.createDatabase

Whether to create a local database automatically. This will override every database setting in services.engelsystem.config.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/engelsystem.nix>
services.engelsystem.domain

Domain to serve on.

Type: string

Example: "engelsystem.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/engelsystem.nix>
services.engelsystem.settings

Options to be added to config.php, as a nix attribute set. Options containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting config.php file, the email.password key will be set to the contents of the /var/keys/engelsystem/mail file.

See https://engelsystem.de/doc/admin/configuration/ for available options.

Note that the admin user login credentials cannot be set here - they always default to admin:asdfasdf. Log in and change them immediately.

Type: attribute set

Default:

{
  database = {
    database = "engelsystem";
    host = "localhost";
    username = "engelsystem";
  };
}

Example:

{
  autoarrive = true;
  database = {
    database = "engelsystem";
    host = "database.example.com";
    password = {
      _secret = "/var/keys/engelsystem/database";
    };
    username = "engelsystem";
  };
  default_locale = "de_DE";
  email = {
    driver = "smtp";
    encryption = "tls";
    from = {
      address = "engelsystem@example.com";
      name = "example engelsystem";
    };
    host = "smtp.example.com";
    password = {
      _secret = "/var/keys/engelsystem/mail";
    };
    port = 587;
    username = "engelsystem@example.com";
  };
  maintenance = false;
  min_password_length = 6;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/engelsystem.nix>
services.envfs.enable

Fuse filesystem that returns symlinks to executables based on the PATH of the requesting process. This is useful to execute shebangs on NixOS that assume hard coded locations in locations like /bin or /usr/bin etc.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/envfs.nix>
services.envfs.package

Which package to use for the envfs.

Type: package

Default: pkgs.envfs

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/envfs.nix>
services.envfs.extraFallbackPathCommands

Extra commands to run in the package that contains fallback executables in case not other executable is found

Type: strings concatenated with “\n”

Default: ""

Example: "ln -s $''{pkgs.bash}/bin/bash $out/bash"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/envfs.nix>
services.envoy.enable

Whether to enable Envoy reverse proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/envoy.nix>
services.envoy.package

The envoy package to use.

Type: package

Default: pkgs.envoy

Declared by:

<nixpkgs/nixos/modules/services/networking/envoy.nix>
services.envoy.requireValidConfig

Whether a failure during config validation at build time is fatal. When the config can’t be checked during build time, for example when it includes other files, disable this option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/envoy.nix>
services.envoy.settings

Specify the configuration for Envoy in Nix.

Type: JSON value

Default: { }

Example:

{
  admin = {
    access_log_path = "/dev/null";
    address = {
      socket_address = {
        protocol = "TCP";
        address = "127.0.0.1";
        port_value = 9901;
      };
    };
  };
  static_resources = {
    listeners = [];
    clusters = [];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/envoy.nix>
services.epgstation.enable

Whether to enable EPGStation: DVR system for Mirakurun-managed TV tuners.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.package

The epgstation package to use.

Type: package

Default: pkgs.epgstation

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.database.name

Name of the MySQL database that holds EPGStation’s data.

Type: string

Default: "epgstation"

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.database.passwordFile

A file containing the password for the database named database.name.

Type: path

Example: "/run/keys/epgstation-db-password"

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.ffmpeg

The ffmpeg package to use.

Type: package

Default: pkgs.ffmpeg-headless

Example: ffmpeg-full

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.openFirewall

Open ports in the firewall for the EPGStation web interface.

Warning

Exposing EPGStation to the open internet is generally advised against. Only use it inside a trusted local network, or consider putting it behind a VPN if you want remote access.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.settings

Options to add to config.yml.

Documentation: https://github.com/l3tnun/EPGStation/blob/master/doc/conf-manual.md

Type: YAML value

Default: { }

Example:

{
  conflictPriority = 10;
  recPriority = 20;
}

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.settings.clientSocketioPort

Socket.io port that the web client is going to connect to. This may be different from services.epgstation.settings.socketioPort if EPGStation is hidden behind a reverse proxy.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: config.services.epgstation.settings.socketioPort

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.settings.concurrentEncodeNum

The maximum number of encoding jobs that EPGStation would run at the same time.

Type: positive integer, meaning >0

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.settings.encode

Encoding presets for recorded videos.

Type: list of (attribute set)

Default:

[
  {
    name = "H.264";
    cmd = "%NODE% config.services.epgstation.package/libexec/enc.js";
    suffix = ".mp4";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.settings.encodeProcessNum

The maximum number of processes that EPGStation would allow to run at the same time for encoding or streaming videos.

Type: positive integer, meaning >0

Default: 4

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.settings.mirakurunPath

URL to connect to Mirakurun.

Type: string

Default:

"http+unix://${lib.replaceStrings ["/"] ["%2F"] config.services.mirakurun.unixSocket}"

Example: "http://localhost:40772"

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.settings.port

HTTP port for EPGStation to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 20772

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.settings.socketioPort

Socket.io port for EPGStation to listen on. It is valid to share ports with services.epgstation.settings.port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: config.services.epgstation.settings.port + 1

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epgstation.usePreconfiguredStreaming

Use preconfigured default streaming options.

Upstream defaults: https://github.com/l3tnun/EPGStation/blob/master/config/config.yml.template

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/video/epgstation/default.nix>
services.epmd.enable

Whether to enable socket activation for Erlang Port Mapper Daemon (epmd), which acts as a name server on all hosts involved in distributed Erlang computations.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/epmd.nix>
services.epmd.package

The erlang package to use.

Type: package

Default: pkgs.erlang

Declared by:

<nixpkgs/nixos/modules/services/networking/epmd.nix>
services.epmd.listenStream

the listenStream used by the systemd socket. see https://www.freedesktop.org/software/systemd/man/systemd.socket.html#ListenStream= for more information. use this to change the port epmd will run on. if not defined, epmd will use “[::]:4369”

Type: string

Default: "[::]:4369"

Declared by:

<nixpkgs/nixos/modules/services/networking/epmd.nix>
services.ergo.enable

Whether to enable Ergo service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ergo.nix>
services.ergo.api.keyHash

Hex-encoded Blake2b256 hash of an API key as a 64-chars long Base16 string.

Type: null or string

Default: null

Example: "324dcf027dd4a30a932c441f365a25e86b173defa4b8e58948253471b81b72cf"

Declared by:

<nixpkgs/nixos/modules/services/networking/ergo.nix>
services.ergo.api.listen.ip

IP address that the Ergo node API should listen on if api.keyHash is defined.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/ergo.nix>
services.ergo.api.listen.port

Listen port for the API endpoint if api.keyHash is defined.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9052

Declared by:

<nixpkgs/nixos/modules/services/networking/ergo.nix>
services.ergo.dataDir

The data directory for the Ergo node.

Type: path

Default: "/var/lib/ergo"

Declared by:

<nixpkgs/nixos/modules/services/networking/ergo.nix>
services.ergo.group

The group as which to run the Ergo node.

Type: string

Default: config.services.ergo.user

Declared by:

<nixpkgs/nixos/modules/services/networking/ergo.nix>
services.ergo.listen.ip

IP address on which the Ergo node should listen.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/ergo.nix>
services.ergo.listen.port

Listen port for the Ergo node.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9006

Declared by:

<nixpkgs/nixos/modules/services/networking/ergo.nix>
services.ergo.openFirewall

Open ports in the firewall for the Ergo node as well as the API.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ergo.nix>
services.ergo.testnet

Connect to testnet network instead of the default mainnet.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ergo.nix>
services.ergo.user

The user as which to run the Ergo node.

Type: string

Default: "ergo"

Declared by:

<nixpkgs/nixos/modules/services/networking/ergo.nix>
services.ergochat.enable

Whether to enable Ergo IRC daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ergochat.nix>
services.ergochat.configFile

Path to configuration file. Setting this will skip any configuration done via settings

Type: path

Default: generated config file from settings

Declared by:

<nixpkgs/nixos/modules/services/networking/ergochat.nix>
services.ergochat.openFilesLimit

Maximum number of open files. Limits the clients and server connections.

Type: signed integer

Default: 1024

Declared by:

<nixpkgs/nixos/modules/services/networking/ergochat.nix>
services.ergochat.settings

Ergo IRC daemon configuration file. https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml

Type: YAML value

Default:

{
  accounts = {
    authentication-enabled = true;
    multiclient = {
      allowed-by-default = true;
      always-on = "opt-out";
      auto-away = "opt-out";
      enabled = true;
    };
    registration = {
      allow-before-connect = true;
      bcrypt-cost = 4;
      email-verification = {
        enabled = false;
      };
      enabled = true;
      throttling = {
        duration = "10m";
        enabled = true;
        max-attempts = 30;
      };
    };
  };
  channels = {
    default-modes = "+ntC";
    registration = {
      enabled = true;
    };
  };
  datastore = {
    autoupgrade = true;
    path = "/var/lib/ergo/ircd.db";
  };
  history = {
    autoreplay-on-join = 0;
    autoresize-window = "3d";
    channel-length = 2048;
    chathistory-maxmessages = 100;
    client-length = 256;
    enabled = true;
    restrictions = {
      expire-time = "1w";
      grace-period = "1h";
      query-cutoff = "none";
    };
    retention = {
      allow-individual-delete = false;
      enable-account-indexing = false;
    };
    tagmsg-storage = {
      default = false;
      whitelist = [
        "+draft/react"
        "+react"
      ];
    };
    znc-maxmessages = 2048;
  };
  limits = {
    awaylen = 390;
    channellen = 64;
    identlen = 20;
    kicklen = 390;
    nicklen = 32;
    topiclen = 390;
  };
  network = {
    name = "testnetwork";
  };
  server = {
    casemapping = "permissive";
    check-ident = false;
    enforce-utf = true;
    forward-confirm-hostnames = false;
    ip-cloaking = {
      enabled = false;
    };
    ip-limits = {
      count = false;
      throttle = false;
    };
    listeners = {
      ":6667" = { };
    };
    lookup-hostnames = false;
    max-sendq = "1M";
    name = "example.com";
    relaymsg = {
      enabled = false;
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/ergochat.nix>
services.erigon.enable

Whether to enable Ethereum implementation on the efficiency frontier.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/erigon.nix>
services.erigon.package

The erigon package to use.

Type: package

Default: pkgs.erigon

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/erigon.nix>
services.erigon.extraArgs

Additional arguments passed to Erigon

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/erigon.nix>
services.erigon.secretJwtPath

Path to the secret jwt used for the http api authentication.

Type: path

Default: ""

Example: "config.age.secrets.ERIGON_JWT.path"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/erigon.nix>
services.erigon.settings

Configuration for Erigon Refer to https://github.com/ledgerwatch/erigon#usage for details on supported values.

Type: TOML value

Default:

{
  datadir = "/var/lib/erigon";
  chain = "mainnet";
  http = true;
  "http.port" = 8545;
  "http.api" = ["eth" "debug" "net" "trace" "web3" "erigon"];
  ws = true;
  port = 30303;
  "authrpc.port" = 8551;
  "torrent.port" = 42069;
  "private.api.addr" = "localhost:9090";
  "log.console.verbosity" = 3; # info
}

Example:

{
  "authrpc.port" = 8551;
  chain = "mainnet";
  datadir = "/var/lib/erigon";
  http = true;
  "http.api" = [
    "eth"
    "debug"
    "net"
    "trace"
    "web3"
    "erigon"
  ];
  "http.port" = 8545;
  "log.console.verbosity" = 3;
  port = 30303;
  "private.api.addr" = "localhost:9090";
  "torrent.port" = 42069;
  ws = true;
}

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/erigon.nix>
services.eris-server.enable

Whether to enable an ERIS server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/eris-server.nix>
services.eris-server.package

Package to use for the ERIS server.

Type: package

Default: pkgs.eris-go

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/eris-server.nix>
services.eris-server.backends

List of backend URLs. Add “get” and “put” as query elements to enable those operations.

Type: list of string

Example:

[
  "badger+file:///var/db/eris.badger?get&put"
  "coap+tcp://eris.example.com:5683?get"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/eris-server.nix>
services.eris-server.decode

Whether the HTTP service (when enabled) will decode ERIS content at /uri-res/N2R?urn:eris:. Enabling this is recommended only for private or local-only servers.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/eris-server.nix>
services.eris-server.listenCoap

Server CoAP listen address. Listen on all IP addresses at port 5683 by default. Please note that the server can service client requests for ERIS-blocks by querying other clients connected to the server. Whether or not blocks are relayed back to the server depends on client configuration but be aware this may leak sensitive metadata and trigger network activity.

Type: null or string

Default: ":5683"

Example: "[::1]:5683"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/eris-server.nix>
services.eris-server.listenHttp

Server HTTP listen address. Do not listen by default.

Type: null or string

Default: null

Example: "[::1]:8080"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/eris-server.nix>
services.eris-server.mountpoint

Mountpoint for FUSE namespace that exposes “urn:eris:…” files.

Type: null or string

Default: null

Example: "/eris"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/eris-server.nix>
services.errbot.instances

Errbot instance configs

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/errbot.nix>
services.errbot.instances.<name>.admins

List of identifiers of errbot admins.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/errbot.nix>
services.errbot.instances.<name>.backend

Errbot backend name.

Type: string

Default: "XMPP"

Declared by:

<nixpkgs/nixos/modules/services/misc/errbot.nix>
services.errbot.instances.<name>.dataDir

Data directory for errbot instance.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/errbot.nix>
services.errbot.instances.<name>.extraConfig

String to be appended to the config verbatim

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/errbot.nix>
services.errbot.instances.<name>.identity

Errbot identity configuration

Type: attribute set

Declared by:

<nixpkgs/nixos/modules/services/misc/errbot.nix>
services.errbot.instances.<name>.logLevel

Errbot log level

Type: string

Default: "INFO"

Declared by:

<nixpkgs/nixos/modules/services/misc/errbot.nix>
services.errbot.instances.<name>.plugins

List of errbot plugin derivations.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/errbot.nix>
services.esdm.enable

Whether to enable ESDM service configuration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/esdm.nix>
services.esdm.enableLinuxCompatServices

Enable /dev/random, /dev/urandom and /proc/sys/kernel/random/* userspace wrapper.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/esdm.nix>
services.esdm.package

The esdm package to use.

Type: package

Default: pkgs.esdm

Declared by:

<nixpkgs/nixos/modules/services/security/esdm.nix>
services.espanso.enable

Whether to enable Espanso.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/espanso.nix>
services.espanso.package

The espanso package to use.

Type: package

Default: pkgs.espanso

Example: pkgs.espanso-wayland

Declared by:

<nixpkgs/nixos/modules/services/desktops/espanso.nix>
services.esphome.enable

Whether to enable esphome, for making custom firmwares for ESP32/ESP8266.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/esphome.nix>
services.esphome.enableUnixSocket

Listen on a unix socket /run/esphome/esphome.sock instead of the TCP port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/home-automation/esphome.nix>
services.esphome.package

The esphome package to use.

Type: package

Default: pkgs.esphome

Declared by:

<nixpkgs/nixos/modules/services/home-automation/esphome.nix>
services.esphome.address

esphome address

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/esphome.nix>
services.esphome.allowedDevices

A list of device nodes to which esphome has access to. Refer to DeviceAllow in systemd.resource-control(5) for more information. Beware that if a device is referred to by an absolute path instead of a device category, it will only allow devices that already are plugged in when the service is started.

Type: list of string

Default:

[
  "char-ttyS"
  "char-ttyUSB"
]

Example:

[
  "/dev/serial/by-id/usb-Silicon_Labs_CP2102_USB_to_UART_Bridge_Controller_0001-if00-port0"
]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/esphome.nix>
services.esphome.openFirewall

Whether to open the firewall for the specified port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/home-automation/esphome.nix>
services.esphome.port

esphome port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6052

Declared by:

<nixpkgs/nixos/modules/services/home-automation/esphome.nix>
services.esphome.usePing

Use ping to check online status of devices instead of mDNS

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/home-automation/esphome.nix>
services.etcd.enable

Whether to enable etcd.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.package

The etcd package to use.

Type: package

Default: pkgs.etcd

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.advertiseClientUrls

Etcd list of this member’s client URLs to advertise to the rest of the cluster.

Type: list of string

Default: config.services.etcd.listenClientUrls

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.certFile

Cert file to use for clients

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.clientCertAuth

Whether to use certs for client authentication

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.dataDir

Etcd data directory.

Type: path

Default: "/var/lib/etcd"

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.discovery

Etcd discovery url

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.extraConf

Etcd extra configuration. See https://github.com/coreos/etcd/blob/master/Documentation/op-guide/configuration.md#configuration-flags

Type: attribute set of string

Default: { }

Example:

{
  "CORS" = "*";
  "NAME" = "default-name";
  "MAX_RESULT_BUFFER" = "1024";
  "MAX_CLUSTER_SIZE" = "9";
  "MAX_RETRY_ATTEMPTS" = "3";
}

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.initialAdvertisePeerUrls

Etcd list of this member’s peer URLs to advertise to rest of the cluster.

Type: list of string

Default: config.services.etcd.listenPeerUrls

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.initialCluster

Etcd initial cluster configuration for bootstrapping.

Type: list of string

Default: ["${config.services.etcd.name}=http://127.0.0.1:2380"]

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.initialClusterState

Etcd initial cluster configuration for bootstrapping.

Type: one of “new”, “existing”

Default: "new"

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.initialClusterToken

Etcd initial cluster token for etcd cluster during bootstrap.

Type: string

Default: "etcd-cluster"

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.keyFile

Key file to use for clients

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.listenClientUrls

Etcd list of URLs to listen on for client traffic.

Type: list of string

Default:

[
  "http://127.0.0.1:2379"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.listenPeerUrls

Etcd list of URLs to listen on for peer traffic.

Type: list of string

Default:

[
  "http://127.0.0.1:2380"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.name

Etcd unique node name.

Type: string

Default: config.networking.hostName

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.openFirewall

Open etcd ports in the firewall. Ports opened:

  • 2379/tcp for client requests

  • 2380/tcp for peer communication

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.peerCertFile

Cert file to use for peer to peer communication

Type: null or path

Default: config.services.etcd.certFile

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.peerClientCertAuth

Whether to check all incoming peer requests from the cluster for valid client certificates signed by the supplied CA

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.peerKeyFile

Key file to use for peer to peer communication

Type: null or path

Default: config.services.etcd.keyFile

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.peerTrustedCaFile

Certificate authority file to use for peer to peer communication

Type: null or path

Default: config.services.etcd.trustedCaFile

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etcd.trustedCaFile

Certificate authority file to use for clients

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/etcd.nix>
services.etebase-server.enable

Whether to enable the Etebase server.

Once enabled you need to create an admin user by invoking the shell command etebase-server createsuperuser with the user specified by the user option or a superuser. Then you can login and create accounts on your-etebase-server.com/admin

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.package

etebase-server package to use.

Type: package

Default: pkgs.python3.pkgs.etebase-server

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.dataDir

Directory to store the Etebase server data.

Type: string

Default: "/var/lib/etebase-server"

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.openFirewall

Whether to open ports in the firewall for the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.port

Port to listen on.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8001

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.settings

Configuration for etebase-server. Refer to https://github.com/etesync/server/blob/master/etebase-server.ini.example and https://github.com/etesync/server/wiki for details on supported values.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  allowed_hosts = {
    allowed_host2 = "localhost";
  };
  global = {
    debug = true;
    media_root = "/path/to/media";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.settings.allowed_hosts.allowed_host1

The main host that is allowed access.

Type: string

Default: "0.0.0.0"

Example: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.settings.database.engine

The database engine to use.

Type: one of “django.db.backends.sqlite3”, “django.db.backends.postgresql”

Default: "django.db.backends.sqlite3"

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.settings.database.name

The database name.

Type: string

Default: "${config.services.etebase-server.dataDir}/db.sqlite3"

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.settings.global.debug

Whether to set django’s DEBUG flag.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.settings.global.media_root

The media directory.

Type: string

Default: "${config.services.etebase-server.dataDir}/media"

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.settings.global.secret_file

The path to a file containing the secret used as django’s SECRET_KEY.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.settings.global.static_root

The directory for static files.

Type: string

Default: "${config.services.etebase-server.dataDir}/static"

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.unixSocket

The path to the socket to bind to.

Type: null or string

Default: null

Example: "/run/etebase-server/etebase-server.sock"

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.etebase-server.user

User under which Etebase server runs.

Type: string

Default: "etebase-server"

Declared by:

<nixpkgs/nixos/modules/services/misc/etebase-server.nix>
services.eternal-terminal.enable

Whether to enable Eternal Terminal server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/eternal-terminal.nix>
services.eternal-terminal.logSize

The maximum log size.

Type: signed integer

Default: 20971520

Declared by:

<nixpkgs/nixos/modules/services/networking/eternal-terminal.nix>
services.eternal-terminal.port

The port the server should listen on. Will use the server’s default (2022) if not specified.

Make sure to open this port in the firewall if necessary.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2022

Declared by:

<nixpkgs/nixos/modules/services/networking/eternal-terminal.nix>
services.eternal-terminal.silent

If enabled, disables all logging.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/eternal-terminal.nix>
services.eternal-terminal.verbosity

The verbosity level (0-9).

Type: one of 0, 1, 2, 3, 4, 5, 6, 7, 8, 9

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/eternal-terminal.nix>
services.etesync-dav.enable

Whether to enable etesync-dav, end-to-end encrypted sync for contacts, calendars and tasks.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/etesync-dav.nix>
services.etesync-dav.apiUrl

The url to the etesync API.

Type: string

Default: "https://api.etebase.com/partner/etesync/"

Declared by:

<nixpkgs/nixos/modules/services/misc/etesync-dav.nix>
services.etesync-dav.host

The server host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/etesync-dav.nix>
services.etesync-dav.openFirewall

Whether to open the firewall for the specified port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/etesync-dav.nix>
services.etesync-dav.port

The server host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 37358

Declared by:

<nixpkgs/nixos/modules/services/misc/etesync-dav.nix>
services.etesync-dav.sslCertificate

Path to server SSL certificate. It will be copied into etesync-dav’s data directory.

Type: null or path

Default: null

Example: "/var/etesync.crt"

Declared by:

<nixpkgs/nixos/modules/services/misc/etesync-dav.nix>
services.etesync-dav.sslCertificateKey

Path to server SSL certificate key. It will be copied into etesync-dav’s data directory.

Type: null or path

Default: null

Example: "/var/etesync.key"

Declared by:

<nixpkgs/nixos/modules/services/misc/etesync-dav.nix>
services.ethercalc.enable

ethercalc, an online collaborative spreadsheet server.

Persistent state will be maintained under /var/lib/ethercalc. Upstream supports using a redis server for storage and recommends the redis backend for intensive use; however, the Nix module doesn’t currently support redis.

Note that while ethercalc is a good and robust project with an active issue tracker, there haven’t been new commits since the end of 2020.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ethercalc.nix>
services.ethercalc.package

The ethercalc package to use.

Type: package

Default: pkgs.ethercalc

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ethercalc.nix>
services.ethercalc.host

Address to listen on (use 0.0.0.0 to allow access from any address).

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ethercalc.nix>
services.ethercalc.port

Port to bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ethercalc.nix>
services.evcc.enable

Whether to enable EVCC, the extensible EV Charge Controller with PV integration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/evcc.nix>
services.evcc.extraArgs

Extra arguments to pass to the evcc executable.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/evcc.nix>
services.evcc.settings

evcc configuration as a Nix attribute set.

Check for possible options in the sample [evcc.dist.yaml](https://github.com/andig/evcc/blob/0.131.11/evcc.dist.yaml].

Type: YAML value

Declared by:

<nixpkgs/nixos/modules/services/home-automation/evcc.nix>
services.evdevremapkeys.enable

Whether to enable evdevremapkeys, a daemon to remap events on linux input devices.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/evdevremapkeys.nix>
services.evdevremapkeys.settings

config.yaml for evdevremapkeys

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/evdevremapkeys.nix>
services.evremap.enable

Whether to enable evremap, a keyboard input remapper for Linux/Wayland systems.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/evremap.nix>
services.evremap.settings

Settings for evremap.

See the upstream documentation for how to configure evremap.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/evremap.nix>
services.evremap.settings.device_name

The name of the device that should be remapped.

You can get a list of devices by running evremap list-devices with elevated permissions.

Type: string

Example: "AT Translated Set 2 keyboard"

Declared by:

<nixpkgs/nixos/modules/services/misc/evremap.nix>
services.evremap.settings.dual_role

List of dual-role remappings that output different key sequences based on whether the input key is held or tapped.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    hold = [
      "KEY_LEFTCTRL"
    ];
    input = "KEY_CAPSLOCK";
    tap = [
      "KEY_ESC"
    ];
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/evremap.nix>
services.evremap.settings.dual_role.*.hold

The key sequence that should be output when the input key is held.

You can get a list of keys by running evremap list-keys.

Type: list of key ID prefixed with KEY_

Declared by:

<nixpkgs/nixos/modules/services/misc/evremap.nix>
services.evremap.settings.dual_role.*.input

The key that should be remapped.

You can get a list of keys by running evremap list-keys.

Type: key ID prefixed with KEY_

Declared by:

<nixpkgs/nixos/modules/services/misc/evremap.nix>
services.evremap.settings.dual_role.*.tap

The key sequence that should be output when the input key is tapped.

You can get a list of keys by running evremap list-keys.

Type: list of key ID prefixed with KEY_

Declared by:

<nixpkgs/nixos/modules/services/misc/evremap.nix>
services.evremap.settings.remap

List of remappings.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    input = [
      "KEY_LEFTALT"
      "KEY_UP"
    ];
    output = [
      "KEY_PAGEUP"
    ];
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/evremap.nix>
services.evremap.settings.remap.*.input

The key sequence that should be remapped.

You can get a list of keys by running evremap list-keys.

Type: list of key ID prefixed with KEY_

Declared by:

<nixpkgs/nixos/modules/services/misc/evremap.nix>
services.evremap.settings.remap.*.output

The key sequence that should be output when the input sequence is entered.

You can get a list of keys by running evremap list-keys.

Type: list of key ID prefixed with KEY_

Declared by:

<nixpkgs/nixos/modules/services/misc/evremap.nix>
services.exim.enable

Whether to enable the Exim mail transfer agent.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/exim.nix>
services.exim.package

The exim package to use. This can be used to enable features such as LDAP or PAM support.

Type: package

Default: pkgs.exim

Declared by:

<nixpkgs/nixos/modules/services/mail/exim.nix>
services.exim.config

Verbatim Exim configuration. This should not contain exim_user, exim_group, exim_path, or spool_directory.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/exim.nix>
services.exim.group

Group to use when no root privileges are required.

Type: string

Default: "exim"

Declared by:

<nixpkgs/nixos/modules/services/mail/exim.nix>
services.exim.queueRunnerInterval

How often to spawn a new queue runner.

Type: string

Default: "5m"

Declared by:

<nixpkgs/nixos/modules/services/mail/exim.nix>
services.exim.spoolDir

Location of the spool directory of exim.

Type: path

Default: "/var/spool/exim"

Declared by:

<nixpkgs/nixos/modules/services/mail/exim.nix>
services.exim.user

User to use when no root privileges are required. In particular, this applies when receiving messages and when doing remote deliveries. (Local deliveries run as various non-root users, typically as the owner of a local mailbox.) Specifying this value as root is not supported.

Type: string

Default: "exim"

Declared by:

<nixpkgs/nixos/modules/services/mail/exim.nix>
services.expressvpn.enable

Enable the ExpressVPN daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/expressvpn.nix>
services.factorio.enable

Whether to enable Factorio.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.package

The factorio-headless package to use.

Type: package

Default: pkgs.factorio-headless

Example: factorio-headless-experimental

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.admins

List of player names which will be admin.

Type: list of string

Default: [ ]

Example:

[
  "username"
]

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.allowedPlayers

If non-empty, only these player names are allowed to connect. The game will not be able to save any changes made in-game with the /whitelist console command, though they will still take effect until the server is restarted.

If empty, the whitelist defaults to open, but can be managed with the in-game /whitelist console command (see: /help whitelist), which will cause changes to be saved to the game’s state directory (see also: stateDirName).

Type: list of string

Default: [ ]

Example:

[
  "Rseding91"
  "Oxyd"
]

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.autosave-interval

Autosave interval in minutes.

Type: null or signed integer

Default: null

Example: 10

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.bind

The address to which the service should bind.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.configFile

The server’s configuration file.

The default file generated by this module contains lines essential to the server’s operation. Use its contents as a basis for any customizations.

Type: path

Default: configFile

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.description

Description of the game that will appear in the listing.

Type: null or string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.extraSettings

Extra game configuration that will go into server-settings.json

Type: attribute set

Default: { }

Example:

{
  max_players = 64;
}

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.extraSettingsFile

File, which is dynamically applied to server-settings.json before startup.

This option should be used for credentials.

For example a settings file could contain:

{
  "game-password": "hunter1"
}

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.game-name

Name of the game as it will appear in the game listing.

Type: null or string

Default: "Factorio Game"

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.game-password

Game password.

This option is insecure. Use extraSettingsFile instead.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.lan

Game will be broadcast on LAN.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.loadLatestSave

Load the latest savegame on startup. This overrides saveName, in that the latest save will always be used even if a saved game of the given name exists. It still controls the ‘canonical’ name of the savegame.

Set this to true to have the server automatically reload a recent autosave after a crash or desync.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.mods

Mods the server should install and activate.

The derivations in this list must “build” the mod by simply copying the .zip, named correctly, into the output directory. Eventually, there will be a way to pull in the most up-to-date list of derivations via nixos-channel. Until then, this is for experts only.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.mods-dat

Mods settings can be changed by specifying a dat file, in the mod settings file format.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.nonBlockingSaving

Highly experimental feature, enable only at your own risk of losing your saves. On UNIX systems, server will fork itself to create an autosave. Autosaving on connected Windows clients will be disabled regardless of autosave_only_on_server option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.openFirewall

Whether to automatically open the specified UDP port in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.password

Your factorio.com login credentials. Required for games with visibility public.

This option is insecure. Use extraSettingsFile instead.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.port

The port to which the service should bind.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 34197

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.public

Game will be published on the official Factorio matching server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.requireUserVerification

When set to true, the server will only allow clients that have a valid factorio.com account.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.saveName

The name of the savegame that will be used by the server.

When not present in /var/lib/${config.services.factorio.stateDirName}/saves, a new map with default settings will be generated before starting the service.

Type: string

Default: "default"

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.stateDirName

Name of the directory under /var/lib holding the server’s data.

The configuration and map will be stored here.

Type: string

Default: "factorio"

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.token

Authentication token. May be used instead of ‘password’ above.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.factorio.username

Your factorio.com login credentials. Required for games with visibility public.

This option is insecure. Use extraSettingsFile instead.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/factorio.nix>
services.fail2ban.enable

Whether to enable the fail2ban service.

See the documentation of services.fail2ban.jails for what jails are enabled by default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.package

The fail2ban package to use.

Type: package

Default: pkgs.fail2ban

Example: fail2ban_0_11

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.packageFirewall

The firewall package used by fail2ban service. Defaults to the package for your firewall (iptables or nftables).

Type: package

Default: config.networking.firewall.package

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.banaction

Default banning action (e.g. iptables, iptables-new, iptables-multiport, iptables-ipset-proto6-allports, shorewall, etc). It is used to define action_* variables. Can be overridden globally or per section within jail.local file

Type: string

Default: if config.networking.nftables.enable then "nftables-multiport" else "iptables-multiport"

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.banaction-allports

Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc) for “allports” jails. It is used to define action_* variables. Can be overridden globally or per section within jail.local file

Type: string

Default: if config.networking.nftables.enable then "nftables-allports" else "iptables-allports"

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.bantime

Number of seconds that a host is banned.

Type: string

Default: "10m"

Example: "1h"

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.bantime-increment.enable

“bantime.increment” allows to use database for searching of previously banned ip’s to increase a default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32 …

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.bantime-increment.factor

“bantime.factor” is a coefficient to calculate exponent growing of the formula or common multiplier, default value of factor is 1 and with default value of formula, the ban time grows by 1, 2, 4, 8, 16 …

Type: null or string

Default: null

Example: "4"

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.bantime-increment.formula

“bantime.formula” used by default to calculate next value of ban time, default value below, the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32 …

Type: null or string

Default: null

Example: "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.bantime-increment.maxtime

“bantime.maxtime” is the max number of seconds using the ban time can reach (don’t grows further)

Type: null or string

Default: null

Example: "48h"

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.bantime-increment.multipliers

“bantime.multipliers” used to calculate next value of ban time instead of formula, corresponding previously ban count and given “bantime.factor” (for multipliers default is 1); following example grows ban time by 1, 2, 4, 8, 16 … and if last ban count greater as multipliers count, always used last multiplier (64 in example), for factor ‘1’ and original ban time 600 - 10.6 hours

Type: null or string

Default: null

Example: "1 2 4 8 16 32 64"

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.bantime-increment.overalljails

“bantime.overalljails” (if true) specifies the search of IP in the database will be executed cross over all jails, if false (default), only current jail of the ban IP will be searched.

Type: null or boolean

Default: null

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.bantime-increment.rndtime

“bantime.rndtime” is the max number of seconds using for mixing with random time to prevent “clever” botnets calculate exact time IP can be unbanned again

Type: null or string

Default: null

Example: "8m"

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.daemonSettings

The contents of Fail2ban’s main configuration file. It’s generally not necessary to change it.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default:

{
  Definition = {
    logtarget = "SYSLOG";
    socket = "/run/fail2ban/fail2ban.sock";
    pidfile = "/run/fail2ban/fail2ban.pid";
    dbfile = "/var/lib/fail2ban/fail2ban.sqlite3";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.extraPackages

Extra packages to be made available to the fail2ban service. The example contains the packages needed by the iptables-ipset-proto6 action.

Type: list of package

Default: [ ]

Example: [ pkgs.ipset ]

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.ignoreIP

“ignoreIP” can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban will not ban a host which matches an address in this list. Several addresses can be defined using space (and/or comma) separator.

Type: list of string

Default: [ ]

Example:

[
  "192.168.0.0/16"
  "2001:DB8::42"
]

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.jails

The configuration of each Fail2ban “jail”. A jail consists of an action (such as blocking a port using iptables) that is triggered when a filter applied to a log file triggers more than a certain number of times in a certain time period. Actions are defined in /etc/fail2ban/action.d, while filters are defined in /etc/fail2ban/filter.d.

NixOS comes with a default sshd jail; for it to work well, services.openssh.logLevel should be set to "VERBOSE" or higher so that fail2ban can observe failed login attempts. This module sets it to "VERBOSE" if not set otherwise, so enabling fail2ban can make SSH logs more verbose.

Type: attribute set of (strings concatenated with “\n” or (submodule))

Default: { }

Example:

{
  apache-nohome-iptables = {
    settings = {
      # Block an IP address if it accesses a non-existent
      # home directory more than 5 times in 10 minutes,
      # since that indicates that it's scanning.
      filter = "apache-nohome";
      action = ''iptables-multiport[name=HTTP, port="http,https"]'';
      logpath = "/var/log/httpd/error_log*";
      backend = "auto";
      findtime = 600;
      bantime = 600;
      maxretry = 5;
    };
  };
  dovecot = {
    settings = {
      # block IPs which failed to log-in
      # aggressive mode add blocking for aborted connections
      filter = "dovecot[mode=aggressive]";
      maxretry = 3;
    };
  };
};

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fail2ban.maxretry

Number of failures before a host gets banned.

Type: unsigned integer, meaning >=0

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/security/fail2ban.nix>
services.fakeroute.enable

Whether to enable the fakeroute service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/fakeroute.nix>
services.fakeroute.route

Fake route that will appear after the real one to any host running a traceroute.

Type: list of string

Default: [ ]

Example:

[
  "216.102.187.130"
  "4.0.1.122"
  "198.116.142.34"
  "63.199.8.242"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/fakeroute.nix>
services.fanout.enable

Whether to enable fanout.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/fanout.nix>
services.fanout.bufferSize

Size of /dev/fanout buffer in bytes

Type: signed integer

Default: 16384

Declared by:

<nixpkgs/nixos/modules/config/fanout.nix>
services.fanout.fanoutDevices

Number of /dev/fanout devices

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/config/fanout.nix>
services.fastnetmon-advanced.enable

Whether to enable the fastnetmon-advanced DDoS Protection daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/fastnetmon-advanced.nix>
services.fastnetmon-advanced.enableAdvancedTrafficPersistence

Store historical flow data in clickhouse

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fastnetmon-advanced.nix>
services.fastnetmon-advanced.bgpPeers

BGP Peers to declaratively load into FastNetMon Advanced

Type: attribute set of (YAML value)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/fastnetmon-advanced.nix>
services.fastnetmon-advanced.hostgroups

Hostgroups to declaratively load into FastNetMon Advanced

Type: attribute set of (YAML value)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/fastnetmon-advanced.nix>
services.fastnetmon-advanced.settings

Extra configuration options to declaratively load into FastNetMon Advanced.

See the FastNetMon Advanced Configuration options reference for more details.

Type: YAML value

Default: { }

Example:

{
  networks_list = [ "192.0.2.0/24" ];
  gobgp = true;
  gobgp_flow_spec_announces = true;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/fastnetmon-advanced.nix>
services.fastnetmon-advanced.traffic_db.settings

Additional settings for /etc/fastnetmon/traffic_db.conf

Type: YAML value

Declared by:

<nixpkgs/nixos/modules/services/networking/fastnetmon-advanced.nix>
services.fcgiwrap.instances

Configuration for fcgiwrap instances.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-servers/fcgiwrap.nix>
services.fcgiwrap.instances.<name>.process.group

Group as which this instance of fcgiwrap will be run.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/fcgiwrap.nix>
services.fcgiwrap.instances.<name>.process.prefork

Number of processes to prefork.

Type: positive integer, meaning >0

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/web-servers/fcgiwrap.nix>
services.fcgiwrap.instances.<name>.process.user

User as which this instance of fcgiwrap will be run. Set to null (the default) to use a dynamically allocated user.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/fcgiwrap.nix>
services.fcgiwrap.instances.<name>.socket.address

Socket address. In case of a UNIX socket, this should be its filesystem path.

Type: string

Default: "/run/fcgiwrap-‹name›.sock"

Example: "1.2.3.4:5678"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/fcgiwrap.nix>
services.fcgiwrap.instances.<name>.socket.group

Group to be set as owner of the UNIX socket.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/fcgiwrap.nix>
services.fcgiwrap.instances.<name>.socket.mode

Mode to be set on the UNIX socket. Defaults to private to the socket’s owner.

Type: null or string

Default:

if config.socket.type == "unix" then "0600" else null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/fcgiwrap.nix>
services.fcgiwrap.instances.<name>.socket.type

Socket type: ‘unix’, ‘tcp’ or ‘tcp6’.

Type: one of “unix”, “tcp”, “tcp6”

Default: "unix"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/fcgiwrap.nix>
services.fcgiwrap.instances.<name>.socket.user

User to be set as owner of the UNIX socket.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/fcgiwrap.nix>
services.fcron.enable

Whether to enable the fcron daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/scheduling/fcron.nix>
services.fcron.allow

Users allowed to use fcrontab and fcrondyn (one name per line, all for everyone).

Type: list of string

Default:

[
  "all"
]

Declared by:

<nixpkgs/nixos/modules/services/scheduling/fcron.nix>
services.fcron.deny

Users forbidden from using fcron.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/scheduling/fcron.nix>
services.fcron.maxSerialJobs

Maximum number of serial jobs which can run simultaneously.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/scheduling/fcron.nix>
services.fcron.queuelen

Number of jobs the serial queue and the lavg queue can contain.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/scheduling/fcron.nix>
services.fcron.systab

The “system” crontab contents.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/scheduling/fcron.nix>
services.fedimintd

Specification of one or more fedimintd instances.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.enable

Whether to enable fedimintd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.package

The fedimint package to use.

Type: package

Default: pkgs.fedimint

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.api.bind

Address to bind on for API connections relied by the reverse proxy/tls terminator.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.api.openFirewall

Opens port in firewall for fedimintd’s api port

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.api.port

Port to bind on for API connections relied by the reverse proxy/tls terminator.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8174

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.api.url

Public URL of the API address of the reverse proxy/tls terminator. Usually starting with wss://.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.bitcoin.network

Bitcoin network to participate in.

Type: string

Default: "signet"

Example: "bitcoin"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.bitcoin.rpc.kind

Kind of a bitcoin node.

Type: string

Default: "bitcoind"

Example: "electrum"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.bitcoin.rpc.secretFile

If set the URL specified in bitcoin.rpc.url will get the content of this file added as an URL password, so http://user@example.com will turn into http://user:SOMESECRET@example.com.

Example:

/etc/nix-bitcoin-secrets/bitcoin-rpcpassword-public (for nix-bitcoin default)

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.bitcoin.rpc.url

Bitcoin node (bitcoind/electrum/esplora) address to connect to

Type: string

Default: "http://127.0.0.1:38332"

Example: "signet"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.consensus.finalityDelay

Consensus peg-in finality delay.

Type: unsigned integer, meaning >=0

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.dataDir

Path to the data dir fedimintd will use to store its data. Note that due to using the DynamicUser feature of systemd, this value should not be changed and is set to be read only.

Type: path (read only)

Default: "/var/lib/fedimintd-‹name›/"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.environment

Extra Environment variables to pass to the fedimintd.

Type: attribute set of string

Default:

{
  RUST_BACKTRACE = "1";
}

Example:

{
  RUST_BACKTRACE = "1";
  RUST_LOG = "info,fm=debug";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.enable

Whether to configure nginx for fedimintd

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config

Overrides to the nginx vhost section for api

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.config.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.fqdn

Public domain of the API address of the reverse proxy/tls terminator.

Type: string

Example: "api.myfedimint.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.nginx.path

Path to host the API on and forward to the daemon’s api port

Type: string

Default: "/ws/"

Example: "/"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.p2p.bind

Address to bind on for p2p connections from peers

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.p2p.openFirewall

Opens port in firewall for fedimintd’s p2p port

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.p2p.port

Port to bind on for p2p connections from peers

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8173

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.fedimintd.<name>.p2p.url

Public address for p2p connections from peers

Type: string

Example: "fedimint://p2p.myfedimint.com:8173"

Declared by:

<nixpkgs/nixos/modules/services/networking/fedimintd.nix>
services.felix.enable

Whether to enable the Apache Felix OSGi service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/felix.nix>
services.felix.bundles

List of bundles that should be activated on startup

Type: list of package

Default: [ pkgs.felix_remoteshell ]

Declared by:

<nixpkgs/nixos/modules/services/misc/felix.nix>
services.felix.group

Group account under which Apache Felix runs.

Type: string

Default: "osgi"

Declared by:

<nixpkgs/nixos/modules/services/misc/felix.nix>
services.felix.user

User account under which Apache Felix runs.

Type: string

Default: "osgi"

Declared by:

<nixpkgs/nixos/modules/services/misc/felix.nix>
services.ferm.enable

Whether to enable Ferm Firewall. Warning: Enabling this service WILL disable the existing NixOS firewall! Default firewall rules provided by packages are not considered at the moment.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ferm.nix>
services.ferm.package

The ferm package to use.

Type: package

Default: pkgs.ferm

Declared by:

<nixpkgs/nixos/modules/services/networking/ferm.nix>
services.ferm.config

Verbatim ferm.conf configuration.

Type: strings concatenated with “\n”

Default: empty firewall, allows any traffic

Declared by:

<nixpkgs/nixos/modules/services/networking/ferm.nix>
services.ferretdb.enable

Whether to enable FerretDB, an Open Source MongoDB alternative.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/ferretdb.nix>
services.ferretdb.package

FerretDB package to use.

Type: package

Default: "pkgs.ferretdb"

Example: pkgs.ferretdb

Declared by:

<nixpkgs/nixos/modules/services/databases/ferretdb.nix>
services.ferretdb.settings

Additional configuration for FerretDB, see https://docs.ferretdb.io/configuration/flags/ for supported values.

Type: attribute set of string

Example:

{
  FERRETDB_LOG_LEVEL = "warn";
  FERRETDB_MODE = "normal";
}

Declared by:

<nixpkgs/nixos/modules/services/databases/ferretdb.nix>
services.filebeat.enable

Whether to enable filebeat.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/filebeat.nix>
services.filebeat.package

The filebeat package to use.

Type: package

Default: pkgs.filebeat

Example: filebeat7

Declared by:

<nixpkgs/nixos/modules/services/logging/filebeat.nix>
services.filebeat.inputs

Inputs specify how Filebeat locates and processes input data.

This is like services.filebeat.settings.filebeat.inputs, but structured as an attribute set. This has the benefit that multiple NixOS modules can contribute settings to a single filebeat input.

An input type can be specified multiple times by choosing a different <name> for each, but setting services.filebeat.inputs.<name>.type to the same value.

See https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html.

Type: attribute set of (JSON value)

Default: { }

Example:

{
  journald.id = "everything";  # Only for filebeat7
  log = {
    enabled = true;
    paths = [
      "/var/log/*.log"
    ];
  };
};

Declared by:

<nixpkgs/nixos/modules/services/logging/filebeat.nix>
services.filebeat.inputs.<name>.type

The input type.

Look for the value after type: on the individual input pages linked from https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/logging/filebeat.nix>
services.filebeat.modules

Filebeat modules provide a quick way to get started processing common log formats. They contain default configurations, Elasticsearch ingest pipeline definitions, and Kibana dashboards to help you implement and deploy a log monitoring solution.

This is like services.filebeat.settings.filebeat.modules, but structured as an attribute set. This has the benefit that multiple NixOS modules can contribute settings to a single filebeat module.

A module can be specified multiple times by choosing a different <name> for each, but setting services.filebeat.modules.<name>.module to the same value.

See https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules.html.

Type: attribute set of (JSON value)

Default: { }

Example:

{
  nginx = {
    access = {
      enabled = true;
      var.paths = [ "/path/to/log/nginx/access.log*" ];
    };
    error = {
      enabled = true;
      var.paths = [ "/path/to/log/nginx/error.log*" ];
    };
  };
};

Declared by:

<nixpkgs/nixos/modules/services/logging/filebeat.nix>
services.filebeat.modules.<name>.module

The name of the module.

Look for the value after module: on the individual input pages linked from https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules.html.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/logging/filebeat.nix>
services.filebeat.settings

Configuration for filebeat. See https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html for supported values.

Options containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting filebeat.yml file, the output.elasticsearch.password key will be set to the contents of the /var/keys/elasticsearch_password file.

Type: JSON value

Default: { }

Example:

{
  settings = {
    output.elasticsearch = {
      hosts = [ "myEShost:9200" ];
      username = "filebeat_internal";
      password = { _secret = "/var/keys/elasticsearch_password"; };
    };
    logging.level = "info";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/logging/filebeat.nix>
services.filebeat.settings.output.elasticsearch.hosts

The list of Elasticsearch nodes to connect to.

The events are distributed to these nodes in round robin order. If one node becomes unreachable, the event is automatically sent to another node. Each Elasticsearch node can be defined as a URL or IP:PORT. For example: http://192.15.3.2, https://es.found.io:9230 or 192.24.3.2:9300. If no port is specified, 9200 is used.

Type: list of string

Default:

[
  "127.0.0.1:9200"
]

Example:

[
  "myEShost:9200"
]

Declared by:

<nixpkgs/nixos/modules/services/logging/filebeat.nix>
services.filesender.enable

Whether to enable FileSender.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.package

The filesender package to use.

Type: package

Default: pkgs.filesender

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.configureNginx

Configure nginx as a reverse proxy for FileSender.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.database.createLocally

Create the PostgreSQL database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.database.hostname

Database hostname.

Type: string

Default: "/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.database.name

Database name.

Type: string

Default: "filesender"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.database.passwordFile

A file containing the password corresponding to services.filesender.database.user.

Type: null or path

Default: null

Example: "/run/keys/filesender-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.database.port

Database port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5432

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.database.user

Database user.

Type: string

Default: "filesender"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.localDomain

The domain serving your FileSender instance.

Type: string

Example: "filesender.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.poolSettings

Options for FileSender’s PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = "32";
  "pm.max_requests" = "500";
  "pm.max_spare_servers" = "4";
  "pm.min_spare_servers" = "2";
  "pm.start_servers" = "2";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.settings

Configuration options used by FileSender. See for available options.

Type: PHP value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.settings.admin

UIDs (as per the configured saml_uid_attribute) of FileSender administrators. Accounts with these UIDs can access the Admin page through the web UI.

Type: strings concatenated with “,”

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.settings.admin_email

Email address of FileSender administrator(s). Emails regarding disk full etc. are sent here. You should use a role-address here.

Type: strings concatenated with “,”

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.settings.log_facilities

Defines where FileSender logging is sent. You can sent logging to a file, to syslog or to the default PHP log facility (as configured through your webserver’s PHP module). The directive takes an array of one or more logging targets. Logging can be sent to multiple targets simultaneously. Each logging target is a list containing the name of the logging target and a number of attributes which vary per log target. See below for the exact definiation of each log target.

Type: PHP value

Default:

[
  {
    type = "error_log";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.settings.site_url

Site URL. Used in emails, to build URLs for logging in, logging out, build URL for upload endpoint for web workers, to include scripts etc.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.settings.storage_filesystem_path

When using storage type filesystem this is the absolute path to the file system where uploaded files are stored until they expire. Your FileSender storage root.

Type: null or string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.filesender.user

User under which filesender runs.

Type: string

Default: "filesender"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/filesender.nix>
services.firebird.enable

Whether to enable the Firebird super server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/firebird.nix>
services.firebird.package

The firebird package to use. For SuperServer use override: pkgs.firebird_3.override { superServer = true; };

Type: package

Default: pkgs.firebird

Example: firebird_3

Declared by:

<nixpkgs/nixos/modules/services/databases/firebird.nix>
services.firebird.baseDir

Location containing data/ and system/ directories. data/ stores the databases, system/ stores the password database security2.fdb.

Type: string

Default: "/var/lib/firebird"

Declared by:

<nixpkgs/nixos/modules/services/databases/firebird.nix>
services.firebird.port

Port Firebird uses.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3050

Declared by:

<nixpkgs/nixos/modules/services/databases/firebird.nix>
services.firebird.user

User account under which firebird runs.

Type: string

Default: "firebird"

Declared by:

<nixpkgs/nixos/modules/services/databases/firebird.nix>
services.firefly-iii.enable

Whether to enable Firefly III: A free and open source personal finance manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.enableNginx

Whether to enable nginx or not. If enabled, an nginx virtual host will be created for access to firefly-iii. If not enabled, then you may use ${config.services.firefly-iii.package} as your document root in whichever webserver you wish to setup.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.package

The firefly-iii package to use.

Type: package

Default: pkgs.firefly-iii

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.dataDir

The place where firefly-iii stores its state.

Type: path

Default: "/var/lib/firefly-iii"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.group

Group under which firefly-iii runs. It is best to set this to the group of whatever webserver is being used as the frontend.

Type: string

Default: "If `services.firefly-iii.enableNginx` is true then `nginx` else firefly-iii"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.poolConfig

Options for the Firefly III PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

''
  {
    "pm" = "dynamic";
    "pm.max_children" = 32;
    "pm.start_servers" = 2;
    "pm.min_spare_servers" = 2;
    "pm.max_spare_servers" = 4;
    "pm.max_requests" = 500;
  }
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.settings

Options for firefly-iii configuration. Refer to https://github.com/firefly-iii/firefly-iii/blob/main/.env.example for details on supported values. All <option>_FILE values supported by upstream are supported here.

APP_URL will be the same as services.firefly-iii.virtualHost if the former is unset in services.firefly-iii.settings.

Type: attribute set of (string or signed integer or boolean)

Default: { }

Example:

{
  APP_ENV = "production";
  APP_KEY_FILE = "/var/secrets/firefly-iii-app-key.txt";
  SITE_OWNER = "mail@example.com";
  DB_CONNECTION = "mysql";
  DB_HOST = "db";
  DB_PORT = 3306;
  DB_DATABASE = "firefly";
  DB_USERNAME = "firefly";
  DB_PASSWORD_FILE = "/var/secrets/firefly-iii-mysql-password.txt";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.settings.APP_ENV

The app environment. It is recommended to keep this at “local”. Possible values are “local”, “production” and “testing”

Type: one of “local”, “production”, “testing”

Default: "local"

Example: "production"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.settings.APP_KEY_FILE

The path to your appkey. The file should contain a 32 character random app key. This may be set using echo "base64:$(head -c 32 /dev/urandom | base64)" > /path/to/key-file.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.settings.APP_URL

The APP_URL used by firefly-iii internally. Please make sure this URL matches the external URL of your Firefly III installation. It is used to validate specific requests and to generate URLs in emails.

Type: string

Default:

''
  http(s)://''${config.services.firefly-iii.virtualHost}
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.settings.DB_CONNECTION

The type of database you wish to use. Can be one of “sqlite”, “mysql” or “pgsql”.

Type: one of “sqlite”, “pgsql”, “mysql”

Default: "sqlite"

Example: "pgsql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.settings.DB_HOST

The machine which hosts your database. This is left at the default value for “mysql” because we use the “DB_SOCKET” option to connect to a unix socket instead. “pgsql” requires that the unix socket location be specified here instead of at “DB_SOCKET”. This option does not affect “sqlite”.

Type: string

Default:

''
  "localhost" if DB_CONNECTION is "sqlite" or "mysql", "/run/postgresql" if "pgsql".
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.settings.DB_PORT

The port your database is listening at. sqlite does not require this value to be filled.

Type: null or signed integer

Default:

''
  `null` if DB_CONNECTION is "sqlite", `3306` if "mysql", `5432` if "pgsql"
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.user

User account under which firefly-iii runs.

Type: string

Default: "firefly-iii"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii.virtualHost

The hostname at which you wish firefly-iii to be served. If you have enabled nginx using services.firefly-iii.enableNginx then this will be used.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii.nix>
services.firefly-iii-data-importer.enable

Whether to enable Firefly III Data Importer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii-data-importer.nix>
services.firefly-iii-data-importer.enableNginx

Whether to enable nginx or not. If enabled, an nginx virtual host will be created for access to firefly-iii data importer. If not enabled, then you may use ${config.services.firefly-iii-data-importer.package} as your document root in whichever webserver you wish to setup.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii-data-importer.nix>
services.firefly-iii-data-importer.package

The firefly-iii-data-importer package served by php-fpm and the webserver of choice. This option can be used to point the webserver to the correct root. It may also be used to set the package to a different version, say a development version.

Type: package

Default: pkgs.firefly-iii-data-importer

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii-data-importer.nix>
services.firefly-iii-data-importer.dataDir

The place where firefly-iii data importer stores its state.

Type: path

Default: "/var/lib/firefly-iii-data-importer"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii-data-importer.nix>
services.firefly-iii-data-importer.group

Group under which firefly-iii-data-importer runs. It is best to set this to the group of whatever webserver is being used as the frontend.

Type: string

Default: "If `services.firefly-iii-data-importer.enableNginx` is true then `nginx` else firefly-iii-data-importer"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii-data-importer.nix>
services.firefly-iii-data-importer.poolConfig

Options for the Firefly III Data Importer PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  "pm" = "dynamic";
  "pm.max_children" = 32;
  "pm.start_servers" = 2;
  "pm.min_spare_servers" = 2;
  "pm.max_spare_servers" = 4;
  "pm.max_requests" = 500;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii-data-importer.nix>
services.firefly-iii-data-importer.settings

Options for firefly-iii data importer configuration. Refer to https://github.com/firefly-iii/data-importer/blob/main/.env.example for details on supported values. All <option>_FILE values supported by upstream are supported here.

APP_URL will be the same as services.firefly-iii-data-importer.virtualHost if the former is unset in services.firefly-iii-data-importer.settings.

Type: attribute set of (string or signed integer or boolean)

Default: { }

Example:

{
  APP_ENV = "local";
  LOG_CHANNEL = "syslog";
  FIREFLY_III_ACCESS_TOKEN= = "/var/secrets/firefly-iii-access-token.txt";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii-data-importer.nix>
services.firefly-iii-data-importer.user

User account under which firefly-iii-data-importer runs.

Type: string

Default: "firefly-iii-data-importer"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii-data-importer.nix>
services.firefly-iii-data-importer.virtualHost

The hostname at which you wish firefly-iii-data-importer to be served. If you have enabled nginx using services.firefly-iii-data-importer.enableNginx then this will be used.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/firefly-iii-data-importer.nix>
services.firefox-syncserver.enable

Whether to enable the Firefox Sync storage service.

Out of the box this will not be very useful unless you also configure at least one service and one nodes by inserting them into the mysql database manually, e.g. by running

  INSERT INTO `services` (`id`, `service`, `pattern`) VALUES ('1', 'sync-1.5', '{node}/1.5/{uid}');
  INSERT INTO `nodes` (`id`, `service`, `node`, `available`, `current_load`,
      `capacity`, `downed`, `backoff`)
    VALUES ('1', '1', 'https://mydomain.tld', '1', '0', '10', '0', '0');

services.firefox-syncserver.singleNode.enable does this automatically when enabled .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.package

Package to use.

Type: package

Default: pkgs.syncstorage-rs

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.database.createLocally

Whether to create database and user on the local machine if they do not exist. This includes enabling unix domain socket authentication for the configured user.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.database.host

Database host name. localhost is treated specially and inserts systemd dependencies, other hostnames or IP addresses of the local machine do not.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.database.name

Database to use for storage. Will be created automatically if it does not exist and config.services.firefox-syncserver.database.createLocally is set.

Type: string matching the pattern [a-z_][a-z0-9_]*

Default: "firefox_syncserver"

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.database.user

Username for database connections.

Type: string

Default: "firefox-syncserver"

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.logLevel

Log level to run with. This can be a simple log level like error or trace, or a more complicated logging expression.

Type: string

Default: "error"

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.secrets

A file containing the various secrets. Should be in the format expected by systemd’s EnvironmentFile directory. Two secrets are currently available: SYNC_MASTER_SECRET and SYNC_TOKENSERVER__FXA_METRICS_HASH_SECRET.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.settings

Settings for the sync server. These take priority over values computed from NixOS options.

See the example config in https://github.com/mozilla-services/syncstorage-rs/blob/master/config/local.example.toml and the doc comments on the Settings structs in https://github.com/mozilla-services/syncstorage-rs/blob/master/syncstorage-settings/src/lib.rs and https://github.com/mozilla-services/syncstorage-rs/blob/master/tokenserver-settings/src/lib.rs for available options.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.settings.port

Port to bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.settings.tokenserver.enabled

Whether to enable the token service as well.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.singleNode.enable

Whether to enable auto-configuration for a simple single-node setup.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.singleNode.enableNginx

Whether to enable nginx virtualhost definitions.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.singleNode.enableTLS

Whether to enable automatic TLS setup.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.singleNode.capacity

How many sync accounts are allowed on this server. Setting this value equal to or less than the number of currently active accounts will effectively deny service to accounts not yet registered here.

Type: unsigned integer, meaning >=0

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.singleNode.hostname

Host name to use for this service.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.firefox-syncserver.singleNode.url

URL of the host. If you are not using the automatic webserver proxy setup you will have to change this setting or your sync server may not be functional.

Type: string

Default:

${if cfg.singleNode.enableTLS then "https" else "http"}://${config.services.firefox-syncserver.singleNode.hostname}

Declared by:

<nixpkgs/nixos/modules/services/networking/firefox-syncserver.nix>
services.fireqos.enable

Whether to enable FireQOS.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/fireqos.nix>
services.fireqos.config

The FireQOS configuration.

Type: strings concatenated with “\n”

Example:

''
  interface wlp3s0 world-in input rate 10mbit ethernet
    class web commit 50kbit
      match tcp ports 80,443
  
  interface wlp3s0 world-out input rate 10mbit ethernet
    class web commit 50kbit
      match tcp ports 80,443
''

Declared by:

<nixpkgs/nixos/modules/services/networking/fireqos.nix>
services.flannel.enable

Whether to enable flannel.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.package

The flannel package to use.

Type: package

Default: pkgs.flannel

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.backend

Type of backend to use and specific configurations for that backend.

Type: attribute set

Default:

{
  Type = "vxlan";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.etcd.caFile

Etcd certificate authority file

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.etcd.certFile

Etcd cert file

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.etcd.endpoints

Etcd endpoints

Type: list of string

Default:

[
  "http://127.0.0.1:2379"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.etcd.keyFile

Etcd key file

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.etcd.prefix

Etcd key prefix

Type: string

Default: "/coreos.com/network"

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.iface

Interface to use (IP or name) for inter-host communication. Defaults to the interface for the default route on the machine.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.kubeconfig

Path to kubeconfig to use for storing flannel config using the Kubernetes API

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.network

IPv4 network in CIDR format to use for the entire flannel network.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.nodeName

Needed when running with Kubernetes as backend as this cannot be auto-detected";

Type: null or string

Default: config.networking.fqdnOrHostName

Example: "node1.example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.publicIp

IP accessible by other nodes for inter-host communication. Defaults to the IP of the interface being used for communication.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.storageBackend

Determines where flannel stores its configuration at runtime

Type: one of “etcd”, “kubernetes”

Default: "etcd"

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.subnetLen

The size of the subnet allocated to each host. Defaults to 24 (i.e. /24) unless the Network was configured to be smaller than a /24 in which case it is one less than the network.

Type: signed integer

Default: 24

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.subnetMax

The end of IP range which the subnet allocation should start with. Defaults to the last subnet of Network.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flannel.subnetMin

The beginning of IP range which the subnet allocation should start with. Defaults to the first subnet of Network.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/flannel.nix>
services.flaresolverr.enable

Whether to enable FlareSolverr, a proxy server to bypass Cloudflare protection.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/flaresolverr.nix>
services.flaresolverr.package

The flaresolverr package to use.

Type: package

Default: pkgs.flaresolverr

Declared by:

<nixpkgs/nixos/modules/services/misc/flaresolverr.nix>
services.flaresolverr.openFirewall

Open the port in the firewall for FlareSolverr.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/flaresolverr.nix>
services.flaresolverr.port

The port on which FlareSolverr will listen for incoming HTTP traffic.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8191

Declared by:

<nixpkgs/nixos/modules/services/misc/flaresolverr.nix>
services.flarum.enable

Whether to enable Flarum discussion platform.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/flarum.nix>
services.flarum.package

The flarum package to use.

Type: package

Default: pkgs.flarum

Declared by:

<nixpkgs/nixos/modules/services/web-apps/flarum.nix>
services.flarum.adminEmail

Email for first web application administrator

Type: string

Default: "admin@example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/flarum.nix>
services.flarum.adminUser

Username for first web application administrator

Type: string

Default: "flarum"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/flarum.nix>
services.flarum.baseUrl

Change domain instead.

Type: string

Default: "http://localhost"

Example: "https://forum.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/flarum.nix>
services.flarum.createDatabaseLocally

Create the database and database user locally, and run installation.

WARNING: Due to https://github.com/flarum/framework/issues/4018, this option is set to false by default. The ‘flarum install’ command may delete existing database tables. Only set this to true if you are certain you are working with a fresh, empty database.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/flarum.nix>
services.flarum.database

MySQL database parameters

Type: attribute set of (string or boolean or signed integer)

Default:

{
  database = "flarum";
  driver = "mysql";
  host = "localhost";
  password = "";
  port = 3306;
  prefix = "";
  strict = false;
  username = "flarum";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/flarum.nix>
services.flarum.domain

Domain to serve on.

Type: string

Default: "localhost"

Example: "forum.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/flarum.nix>
services.flarum.forumTitle

Title of the forum.

Type: string

Default: "A Flarum Forum on NixOS"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/flarum.nix>
services.flarum.group

System group to run Flarum

Type: string

Default: "flarum"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/flarum.nix>
services.flarum.initialAdminPassword

Initial password for the adminUser

Type: string

Default: "flarum"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/flarum.nix>
services.flarum.stateDir

Home directory for writable storage

Type: path

Default: "/var/lib/flarum"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/flarum.nix>
services.flarum.user

System user to run Flarum

Type: string

Default: "flarum"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/flarum.nix>
services.flatpak.enable

Whether to enable flatpak.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/flatpak.nix>
services.flatpak.package

The flatpak package to use.

Type: package

Default: pkgs.flatpak

Declared by:

<nixpkgs/nixos/modules/services/desktops/flatpak.nix>
services.flexget.enable

Whether to enable FlexGet daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/flexget.nix>
services.flexget.package

The flexget package to use.

Type: package

Default: pkgs.flexget

Declared by:

<nixpkgs/nixos/modules/services/torrent/flexget.nix>
services.flexget.config

The YAML configuration for FlexGet.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/torrent/flexget.nix>
services.flexget.homeDir

Where files live.

Type: path

Default: "/var/lib/deluge"

Example: "/home/flexget"

Declared by:

<nixpkgs/nixos/modules/services/torrent/flexget.nix>
services.flexget.interval

When to perform a flexget run. See man 7 systemd.time for the format.

Type: string

Default: "10m"

Example: "1h"

Declared by:

<nixpkgs/nixos/modules/services/torrent/flexget.nix>
services.flexget.systemScheduler

When true, execute the runs via the flexget-runner.timer. If false, you have to specify the settings yourself in the YML file.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/torrent/flexget.nix>
services.flexget.user

The user under which to run flexget.

Type: string

Default: "deluge"

Example: "some_user"

Declared by:

<nixpkgs/nixos/modules/services/torrent/flexget.nix>
services.flood.enable

Whether to enable flood.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/flood.nix>
services.flood.package

The flood package to use.

Type: package

Default: pkgs.flood

Declared by:

<nixpkgs/nixos/modules/services/torrent/flood.nix>
services.flood.extraArgs

Extra arguments passed to flood.

Type: list of string

Default: [ ]

Example:

[
  "--baseuri=/"
]

Declared by:

<nixpkgs/nixos/modules/services/torrent/flood.nix>
services.flood.host

Host to bind webserver.

Type: string

Default: "localhost"

Example: "::"

Declared by:

<nixpkgs/nixos/modules/services/torrent/flood.nix>
services.flood.openFirewall

Whether to open the firewall for the port in services.flood.port.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/flood.nix>
services.flood.port

Port to bind webserver.

Type: signed integer

Default: 3000

Example: 3001

Declared by:

<nixpkgs/nixos/modules/services/torrent/flood.nix>
services.fluentd.enable

Whether to enable fluentd, a data/log collector.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/fluentd.nix>
services.fluentd.package

The fluentd package to use.

Type: package

Default: pkgs.fluentd

Declared by:

<nixpkgs/nixos/modules/services/logging/fluentd.nix>
services.fluentd.config

Fluentd config.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/logging/fluentd.nix>
services.fluentd.plugins

A list of plugin paths to pass into fluentd. It will make plugins defined in ruby files there available in your config.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/logging/fluentd.nix>
services.fluidd.enable

Whether to enable Fluidd, a Klipper web interface for managing your 3d printer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.package

The fluidd package to use.

Type: package

Default: pkgs.fluidd

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.hostName

Hostname to serve fluidd on

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx

Extra configuration for the nginx virtual host of fluidd.

Type: submodule

Default: { }

Example:

{
  serverAliases = [ "fluidd.${config.networking.domain}" ];
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.fluidd.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/fluidd.nix>
services.foldingathome.enable

Whether to enable Folding@home client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/computing/foldingathome/client.nix>
services.foldingathome.package

The fahclient package to use.

Type: package

Default: pkgs.fahclient

Declared by:

<nixpkgs/nixos/modules/services/computing/foldingathome/client.nix>
services.foldingathome.daemonNiceLevel

Daemon process priority for FAHClient. 0 is the default Unix process priority, 19 is the lowest.

Type: integer between -20 and 19 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/computing/foldingathome/client.nix>
services.foldingathome.extraArgs

Extra startup options for the FAHClient. Run fah-client --help to find all the available options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/computing/foldingathome/client.nix>
services.foldingathome.team

The team ID associated with the reported computation results. This will be used in the ranking statistics.

By default, use the NixOS folding@home team ID is being used.

Type: signed integer

Default: 236565

Declared by:

<nixpkgs/nixos/modules/services/computing/foldingathome/client.nix>
services.foldingathome.user

The user associated with the reported computation results. This will be used in the ranking statistics.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/computing/foldingathome/client.nix>
services.forgejo.enable

Whether to enable Forgejo, a software forge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.package

The forgejo-lts package to use.

Type: package

Default: pkgs.forgejo-lts

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.customDir

Base directory for custom templates and other options.

If services.forgejo.useWizard is disabled (default), this directory will also hold secrets and the resulting app.ini config at runtime.

Type: string

Default: "${config.services.forgejo.stateDir}/custom"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.database.createDatabase

Whether to create a local database automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.database.host

Database host address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.database.name

Database name.

Type: string

Default: "forgejo"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.database.passwordFile

A file containing the password corresponding to services.forgejo.database.user.

Type: null or path

Default: null

Example: "/run/keys/forgejo-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.database.path

Path to the sqlite3 database file.

Type: string

Default: "${config.services.forgejo.stateDir}/data/forgejo.db"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

if config.services.forgejo.database.type != "postgresql"
then 3306
else 5432

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.database.socket

Path to the unix socket file to use for authentication.

Type: null or path

Default: null

Example: "/run/mysqld/mysqld.sock"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.database.type

Database engine to use.

Type: one of “sqlite3”, “mysql”, “postgres”

Default: "sqlite3"

Example: "mysql"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.database.user

Database user.

Type: string

Default: "forgejo"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.dump.enable

Whether to enable periodic dumps via the built-in dump command.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.dump.backupDir

Path to the directory where the dump archives will be stored.

Type: string

Default: "${config.services.forgejo.stateDir}/dump"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.dump.file

Filename to be used for the dump. If null a default name is chosen by forgejo.

Type: null or string

Default: null

Example: "forgejo-dump"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.dump.interval

Run a Forgejo dump at this interval. Runs by default at 04:31 every day.

The format is described in systemd.time(7).

Type: string

Default: "04:31"

Example: "hourly"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.dump.type

Archive format used to store the dump file.

Type: one of “zip”, “tar”, “tar.sz”, “tar.gz”, “tar.xz”, “tar.bz2”, “tar.br”, “tar.lz4”, “tar.zst”

Default: "zip"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.group

Group under which Forgejo runs.

Type: string

Default: "forgejo"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.lfs.enable

Enables git-lfs support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.lfs.contentDir

Where to store LFS files.

Type: string

Default: "${config.services.forgejo.stateDir}/data/lfs"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.repositoryRoot

Path to the git repositories.

Type: string

Default: "${config.services.forgejo.stateDir}/repositories"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.secrets

This is a small wrapper over systemd’s LoadCredential.

It takes the same sections and keys as services.forgejo.settings, but the value of each key is a path instead of a string or bool.

The path is then loaded as credential, exported as environment variable and then feed through https://codeberg.org/forgejo/forgejo/src/branch/forgejo/contrib/environment-to-ini/environment-to-ini.go.

It does the required environment variable escaping for you.

Note

Keys specified here take priority over the ones in services.forgejo.settings!

Type: attribute set of attribute set of path

Default: { }

Example:

{
  metrics = {
    TOKEN = "/run/keys/forgejo-metrics-token";
  };
  camo = {
    HMAC_KEY = "/run/keys/forgejo-camo-hmac";
  };
  service = {
    HCAPTCHA_SECRET = "/run/keys/forgejo-hcaptcha-secret";
    HCAPTCHA_SITEKEY = "/run/keys/forgejo-hcaptcha-sitekey";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.settings

Free-form settings written directly to the app.ini configfile file. Refer to https://forgejo.org/docs/latest/admin/config-cheat-sheet/ for supported values.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  DEFAULT = {
    RUN_MODE = "dev";
  };
  "cron.sync_external_users" = {
    RUN_AT_START = true;
    SCHEDULE = "@every 24h";
    UPDATE_EXISTING = true;
  };
  mailer = {
    ENABLED = true;
    MAILER_TYPE = "sendmail";
    FROM = "do-not-reply@example.org";
    SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
  };
  other = {
    SHOW_FOOTER_VERSION = false;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.settings.log.LEVEL

General log level.

Type: one of “Trace”, “Debug”, “Info”, “Warn”, “Error”, “Critical”

Default: "Info"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.settings.log.ROOT_PATH

Root path for log files.

Type: string

Default: "${config.services.forgejo.stateDir}/log"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.settings.server.DISABLE_SSH

Disable external SSH feature.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.settings.server.DOMAIN

Domain name of your server.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.settings.server.HTTP_ADDR

Listen address. Must be a path when using a unix socket.

Type: string or path

Default: if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/forgejo/forgejo.sock" else "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.settings.server.HTTP_PORT

Listen port. Ignored when using a unix socket.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.settings.server.PROTOCOL

Listen protocol. +unix means “over unix”, not “in addition to.”

Type: one of “http”, “https”, “fcgi”, “http+unix”, “fcgi+unix”

Default: "http"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.settings.server.ROOT_URL

Full public URL of Forgejo server.

Type: string

Default: "http://${config.services.forgejo.settings.server.DOMAIN}:${toString config.services.forgejo.settings.server.HTTP_PORT}/"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.settings.server.SSH_PORT

SSH port displayed in clone URL. The option is required to configure a service when the external visible port differs from the local listening port i.e. if port forwarding is used.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 22

Example: 2222

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.settings.server.STATIC_ROOT_PATH

Upper level of template and static files path.

Type: string or path

Default: config.services.forgejo.package.data

Example: "/var/lib/forgejo/data"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.settings.session.COOKIE_SECURE

Marks session cookies as “secure” as a hint for browsers to only send them via HTTPS. This option is recommend, if Forgejo is being served over HTTPS.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.stateDir

Forgejo data directory.

Type: string

Default: "/var/lib/forgejo"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.useWizard

Whether to use the built-in installation wizard instead of declaratively managing the app.ini config file in nix.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.forgejo.user

User account under which Forgejo runs.

Type: string

Default: "forgejo"

Declared by:

<nixpkgs/nixos/modules/services/misc/forgejo.nix>
services.foundationdb.enable

Whether to enable FoundationDB Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.package

The FoundationDB package to use for this server. This must be specified by the user in order to ensure migrations and upgrades are controlled appropriately.

Type: package

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.backupProcesses

Number of backup_agent processes to run for snapshots.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.class

Process class

Type: null or one of “storage”, “transaction”, “stateless”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.dataDir

Data directory. All cluster data will be put under here.

Type: path

Default: "/var/lib/foundationdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.extraReadWritePaths

An extra set of filesystem paths that FoundationDB can read to and write from. By default, FoundationDB runs under a heavily namespaced systemd environment without write access to most of the filesystem outside of its data and log directories. By adding paths to this list, the set of writeable paths will be expanded. This is useful for allowing e.g. backups to local files, which must be performed on behalf of the foundationdb service.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.group

Group account under which FoundationDB runs.

Type: string

Default: "foundationdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.listenAddress

Publicly visible IP address of the process. Port is determined by process ID

Type: string

Default: "public"

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.listenPortStart

Starting port number for database listening sockets. Every FDB process binds to a subsequent port, to this number reflects the start of the overall range. e.g. having 8 server processes will use all ports between 4500 and 4507.

Type: signed integer

Default: 4500

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.locality

FoundationDB locality settings.

Type: submodule

Default:

{
  dataHall = null;
  datacenterId = null;
  machineId = null;
  zoneId = null;
}

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.locality.dataHall

Data hall identifier key. All processes physically located in a data hall should share the id. If you are depending on data hall based replication this must be set on all processes.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.locality.datacenterId

Data center identifier key. All processes physically located in a data center should share the id. If you are depending on data center based replication this must be set on all processes.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.locality.machineId

Machine identifier key. All processes on a machine should share a unique id. By default, processes on a machine determine a unique id to share. This does not generally need to be set.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.locality.zoneId

Zone identifier key. Processes that share a zone id are considered non-unique for the purposes of data replication. If unset, defaults to machine id.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.logDir

Log directory.

Type: path

Default: "/var/log/foundationdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.logSize

Roll over to a new log file after the current log file reaches the specified size.

Type: string

Default: "10MiB"

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.maxLogSize

Delete the oldest log file when the total size of all log files exceeds the specified size. If set to 0, old log files will not be deleted.

Type: string

Default: "100MiB"

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.memory

Maximum memory used by the process. The default value is 8GiB. When specified without a unit, MiB is assumed. This parameter does not change the memory allocation of the program. Rather, it sets a hard limit beyond which the process will kill itself and be restarted. The default value of 8GiB is double the intended memory usage in the default configuration (providing an emergency buffer to deal with memory leaks or similar problems). It is not recommended to decrease the value of this parameter below its default value. It may be increased if you wish to allocate a very large amount of storage engine memory or cache. In particular, when the storageMemory parameter is increased, the memory parameter should be increased by an equal amount.

Type: string

Default: "8GiB"

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.openFirewall

Open the firewall ports corresponding to FoundationDB processes and coordinators using config.networking.firewall.*.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.pidfile

Path to pidfile for fdbmonitor.

Type: path

Default: "/run/foundationdb.pid"

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.publicAddress

Publicly visible IP address of the process. Port is determined by process ID

Type: string

Default: "auto"

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.restartDelay

Number of seconds to wait before restarting servers.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.serverProcesses

Number of fdbserver processes to run.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.storageMemory

Maximum memory used for data storage. The default value is 1GiB. When specified without a unit, MB is assumed. Clusters using the memory storage engine will be restricted to using this amount of memory per process for purposes of data storage. Memory overhead associated with storing the data is counted against this total. If you increase the storageMemory, you should also increase the memory parameter by the same amount.

Type: string

Default: "1GiB"

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.tls

FoundationDB Transport Security Layer (TLS) settings.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.tls.allowedPeers

“Peer verification string”. This may be used to adjust which TLS client certificates a server will accept, as a form of user authorization; for example, it may only accept TLS clients who offer a certificate abiding by some locality or organization name.

For more information, please see the FoundationDB documentation.

Type: string

Default: "Check.Valid=1,Check.Unexpired=1"

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.tls.certificate

Path to the TLS certificate file. This certificate will be offered to, and may be verified by, clients.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.tls.key

Private key file for the certificate.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.traceFormat

Trace logging format.

Type: one of “xml”, “json”

Default: "xml"

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.foundationdb.user

User account under which FoundationDB runs.

Type: string

Default: "foundationdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/foundationdb.nix>
services.fprintd.enable

Whether to enable fprintd daemon and PAM module for fingerprint readers handling.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/fprintd.nix>
services.fprintd.package

fprintd package to use.

Type: package

Default: if config.services.fprintd.tod.enable then pkgs.fprintd-tod else pkgs.fprintd

Declared by:

<nixpkgs/nixos/modules/services/security/fprintd.nix>
services.fprintd.tod.enable

Whether to enable Touch OEM Drivers library support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/fprintd.nix>
services.fprintd.tod.driver

Touch OEM Drivers (TOD) package to use.

Type: package

Example: pkgs.libfprint-2-tod1-goodix

Declared by:

<nixpkgs/nixos/modules/services/security/fprintd.nix>
services.fractalart.enable

Enable FractalArt for generating colorful wallpapers on login

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/fractalart.nix>
services.fractalart.height

Screen height

Type: null or signed integer

Default: null

Example: 1080

Declared by:

<nixpkgs/nixos/modules/services/x11/fractalart.nix>
services.fractalart.width

Screen width

Type: null or signed integer

Default: null

Example: 1920

Declared by:

<nixpkgs/nixos/modules/services/x11/fractalart.nix>
services.freeciv.enable

Whether to enable freeciv.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freeciv.openFirewall

Whether to enable opening the firewall for the port listening for clients.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freeciv.settings

Parameters of freeciv-server.

Type: freeciv-server params

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freeciv.settings.Announce

Announce game in LAN using given protocol.

Type: one of “IPv4”, “IPv6”, “none”

Default: "none"

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freeciv.settings.Database

Enable database connection with given configuration.

Type: null or string

Default:

''
  [fcdb]
    backend="sqlite"
    database="/var/lib/freeciv/auth.sqlite"
''

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freeciv.settings.Guests

Whether to enable guests to login if auth is enabled.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freeciv.settings.Newusers

Whether to enable new users to login if auth is enabled.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freeciv.settings.auth

Whether to enable server authentication.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freeciv.settings.debug

Set debug log level.

Type: integer between 0 and 3 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freeciv.settings.exit-on-end

Whether to enable exit instead of restarting when a game ends.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freeciv.settings.port

Listen for clients on given port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5556

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freeciv.settings.quitidle

Quit if no players for given time in seconds.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freeciv.settings.read

Startup script.

Type: strings concatenated with “\n”

Default:

''
  /fcdb lua sqlite_createdb()
''

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freeciv.settings.saves

Save games to given directory, a sub-directory named after the starting date of the service will me inserted to preserve older saves.

Type: null or string

Default: "/var/lib/freeciv/saves/"

Declared by:

<nixpkgs/nixos/modules/services/games/freeciv.nix>
services.freefall.enable

Whether to protect HP/Dell laptop hard drives (not SSDs) in free fall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/freefall.nix>
services.freefall.package

The freefall package to use.

Type: package

Default: pkgs.freefall

Declared by:

<nixpkgs/nixos/modules/services/hardware/freefall.nix>
services.freefall.devices

Device paths to all internal spinning hard drives.

Type: list of string

Default:

[
  "/dev/sda"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/freefall.nix>
services.freenet.enable

Enable the Freenet daemon

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/freenet.nix>
services.freenet.nice

Set the nice level for the Freenet daemon

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/networking/freenet.nix>
services.freeradius.enable

Whether to enable the freeradius server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/freeradius.nix>
services.freeradius.package

The freeradius package to use.

Type: package

Default: pkgs.freeradius

Declared by:

<nixpkgs/nixos/modules/services/networking/freeradius.nix>
services.freeradius.configDir

The path of the freeradius server configuration directory.

Type: path

Default: "/etc/raddb"

Declared by:

<nixpkgs/nixos/modules/services/networking/freeradius.nix>
services.freeradius.debug

Whether to enable debug logging for freeradius (-xx option). This should not be left on, since it includes sensitive data such as passwords in the logs.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/freeradius.nix>
services.freeswitch.enable

Whether to enable FreeSWITCH.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/freeswitch.nix>
services.freeswitch.enableReload

Issue the reloadxml command to FreeSWITCH when configuration directory changes (instead of restart). See FreeSWITCH documentation for more info. The configuration directory is exposed at /etc/freeswitch. See also systemd.services.*.restartIfChanged.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/freeswitch.nix>
services.freeswitch.package

The freeswitch package to use.

Type: package

Default: pkgs.freeswitch

Declared by:

<nixpkgs/nixos/modules/services/misc/freeswitch.nix>
services.freeswitch.configDir

Override file in FreeSWITCH config template directory. Each top-level attribute denotes a file path in the configuration directory, its value is the file path. See FreeSWITCH documentation for more info. Also check available templates in FreeSWITCH repository.

Type: attribute set of path

Default: { }

Example:

{
  "freeswitch.xml" = ./freeswitch.xml;
  "dialplan/default.xml" = pkgs.writeText "dialplan-default.xml" ''
    [xml lines]
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/misc/freeswitch.nix>
services.freeswitch.configTemplate

Configuration template to use. See available templates in FreeSWITCH repository. You can also set your own configuration directory.

Type: path

Default: "${config.services.freeswitch.package}/share/freeswitch/conf/vanilla"

Example: "${config.services.freeswitch.package}/share/freeswitch/conf/minimal"

Declared by:

<nixpkgs/nixos/modules/services/misc/freeswitch.nix>
services.freshrss.enable

Whether to enable FreshRSS RSS aggregator and reader with php-fpm backend.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.package

The freshrss package to use.

Type: package

Default: pkgs.freshrss

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.authType

Authentication type for FreshRSS.

Type: one of “form”, “http_auth”, “none”

Default: "form"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.baseUrl

Default URL for FreshRSS.

Type: string

Example: "https://freshrss.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.dataDir

Default data folder for FreshRSS.

Type: string

Default: "/var/lib/freshrss"

Example: "/mnt/freshrss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.database.host

Database host for FreshRSS.

Type: null or string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.database.name

Database name for FreshRSS.

Type: null or string

Default: "freshrss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.database.passFile

Database password file for FreshRSS.

Type: null or path

Default: null

Example: "/run/secrets/freshrss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.database.port

Database port for FreshRSS.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Example: 3306

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.database.tableprefix

Database table prefix for FreshRSS.

Type: null or string

Default: null

Example: "freshrss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.database.type

Database type.

Type: one of “sqlite”, “pgsql”, “mysql”

Default: "sqlite"

Example: "pgsql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.database.user

Database user for FreshRSS.

Type: null or string

Default: "freshrss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.defaultUser

Default username for FreshRSS.

Type: string

Default: "admin"

Example: "eva"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.extensions

Additional extensions to be used.

Type: list of package

Default: []

Example:

with freshrss-extensions; [
  youtube
] ++ [
  (freshrss-extensions.buildFreshRssExtension {
    FreshRssExtUniqueId = "ReadingTime";
    pname = "reading-time";
    version = "1.5";
    src = pkgs.fetchFromGitLab {
      domain = "framagit.org";
      owner = "Lapineige";
      repo = "FreshRSS_Extension-ReadingTime";
      rev = "fb6e9e944ef6c5299fa56ffddbe04c41e5a34ebf";
     hash = "sha256-C5cRfaphx4Qz2xg2z+v5qRji8WVSIpvzMbethTdSqsk=";
   };
  })
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.language

Default language for FreshRSS.

Type: string

Default: "en"

Example: "de"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.passwordFile

Password for the defaultUser for FreshRSS.

Type: null or path

Default: null

Example: "/run/secrets/freshrss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.pool

Name of the php-fpm pool to use and setup. If not specified, a pool will be created with default values.

Type: null or string

Default: "freshrss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.user

User under which FreshRSS runs.

Type: string

Default: "freshrss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.freshrss.virtualHost

Name of the nginx virtualhost to use and setup. If null, do not setup any virtualhost. You may need to configure the virtualhost further through services.nginx.virtualHosts.<virtualhost>, for example to enable SSL.

Type: null or string

Default: "freshrss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/freshrss.nix>
services.frigate.enable

Whether to enable Frigate NVR.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/frigate.nix>
services.frigate.package

The frigate package to use.

Type: package

Default: pkgs.frigate

Declared by:

<nixpkgs/nixos/modules/services/video/frigate.nix>
services.frigate.hostname

Hostname of the nginx vhost to configure.

Only nginx is supported by upstream for direct reverse proxying.

Type: string

Example: "frigate.exampe.com"

Declared by:

<nixpkgs/nixos/modules/services/video/frigate.nix>
services.frigate.settings

Frigate configuration as a nix attribute set.

See the project documentation for how to configure frigate.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/video/frigate.nix>
services.frigate.settings.cameras

Attribute set of cameras configurations.

https://docs.frigate.video/configuration/cameras

Type: attribute set of (YAML value)

Declared by:

<nixpkgs/nixos/modules/services/video/frigate.nix>
services.frigate.settings.cameras.<name>.ffmpeg.inputs

List of inputs for this camera.

Type: list of (YAML value)

Declared by:

<nixpkgs/nixos/modules/services/video/frigate.nix>
services.frigate.settings.cameras.<name>.ffmpeg.inputs.*.path

Stream URL

Type: string

Example: "rtsp://192.0.2.1:554/rtsp"

Declared by:

<nixpkgs/nixos/modules/services/video/frigate.nix>
services.frigate.settings.cameras.<name>.ffmpeg.inputs.*.roles

List of roles for this stream

Type: list of (one of “audio”, “detect”, “record”)

Example:

[
  "detect"
  "record"
]

Declared by:

<nixpkgs/nixos/modules/services/video/frigate.nix>
services.frigate.settings.database.path

Path to the SQLite database used

Type: path

Default: "/var/lib/frigate/frigate.db"

Declared by:

<nixpkgs/nixos/modules/services/video/frigate.nix>
services.frigate.settings.mqtt.enabled

Whether to enable MQTT support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/frigate.nix>
services.frigate.settings.mqtt.host

MQTT server hostname

Type: null or string

Default: null

Example: "mqtt.example.com"

Declared by:

<nixpkgs/nixos/modules/services/video/frigate.nix>
services.frigate.vaapiDriver

Force usage of a particular VA-API driver for video acceleration. Use together with settings.ffmpeg.hwaccel_args.

Setting this is not required for VA-API to work, but it can help steer VA-API towards the correct card if you have multiple.

Note

For VA-API to work you must enable hardware.graphics.enable (sufficient for AMDGPU) and pass for example pkgs.intel-media-driver (required for Intel 5th Gen. and newer) into hardware.graphics.extraPackages.

See also:

  • https://docs.frigate.video/configuration/hardware_acceleration

  • https://docs.frigate.video/configuration/ffmpeg_presets#hwaccel-presets

Type: null or one of “i965”, “iHD”, “nouveau”, “vdpau”, “nvidia”, “radeonsi”

Default: null

Example: "radeonsi"

Declared by:

<nixpkgs/nixos/modules/services/video/frigate.nix>
services.frp.enable

Whether to enable frp.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frp.nix>
services.frp.package

The frp package to use.

Type: package

Default: pkgs.frp

Declared by:

<nixpkgs/nixos/modules/services/networking/frp.nix>
services.frp.role

The frp consists of client and server. The server is usually deployed on the machine with a public IP address, and the client is usually deployed on the machine where the Intranet service to be penetrated resides.

Type: one of “server”, “client”

Declared by:

<nixpkgs/nixos/modules/services/networking/frp.nix>
services.frp.settings

Frp configuration, for configuration options see the example of client or server on github.

Type: TOML value

Default: { }

Example:

{
  serverAddr = "x.x.x.x";
  serverPort = 7000;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/frp.nix>
services.frr.babeld.enable

Whether to enable FRR babeld.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.babeld.extraOptions

Extra options to be appended to the FRR babeld daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.babeld.options

Options for the FRR babeld daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.bfdd.enable

Whether to enable FRR bfdd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.bfdd.extraOptions

Extra options to be appended to the FRR bfdd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.bfdd.options

Options for the FRR bfdd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.bgpd.enable

Whether to enable FRR bgpd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.bgpd.extraOptions

Extra options to be appended to the FRR bgpd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.bgpd.options

Options for the FRR bgpd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.config

FRR configuration statements.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  router rip
    network 10.0.0.0/8
  router ospf
    network 10.0.0.0/8 area 0
  router bgp 65001
    neighbor 10.0.0.1 remote-as 65001
''

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.configFile

Configuration file to use for FRR. By default the NixOS generated files are used.

Type: null or path

Default: null

Example: "/etc/frr/frr.conf"

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.eigrpd.enable

Whether to enable FRR eigrpd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.eigrpd.extraOptions

Extra options to be appended to the FRR eigrpd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.eigrpd.options

Options for the FRR eigrpd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.fabricd.enable

Whether to enable FRR fabricd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.fabricd.extraOptions

Extra options to be appended to the FRR fabricd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.fabricd.options

Options for the FRR fabricd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.isisd.enable

Whether to enable FRR isisd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.isisd.extraOptions

Extra options to be appended to the FRR isisd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.isisd.options

Options for the FRR isisd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ldpd.enable

Whether to enable FRR ldpd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ldpd.extraOptions

Extra options to be appended to the FRR ldpd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ldpd.options

Options for the FRR ldpd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.mgmtd.extraOptions

Extra options to be appended to the FRR mgmtd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.mgmtd.options

Options for the FRR mgmtd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.nhrpd.enable

Whether to enable FRR nhrpd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.nhrpd.extraOptions

Extra options to be appended to the FRR nhrpd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.nhrpd.options

Options for the FRR nhrpd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.openFilesLimit

This is the maximum number of FD’s that will be available. Use a reasonable value for your setup if you are expecting a large number of peers in say BGP.

Type: unsigned integer, meaning >=0

Default: 1024

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ospf6d.enable

Whether to enable FRR ospf6d.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ospf6d.extraOptions

Extra options to be appended to the FRR ospf6d daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ospf6d.options

Options for the FRR ospf6d daemon.

Type: list of string

Default:

[
  "-A ::1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ospfd.enable

Whether to enable FRR ospfd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ospfd.extraOptions

Extra options to be appended to the FRR ospfd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ospfd.options

Options for the FRR ospfd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.pathd.enable

Whether to enable FRR pathd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.pathd.extraOptions

Extra options to be appended to the FRR pathd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.pathd.options

Options for the FRR pathd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.pbrd.enable

Whether to enable FRR pbrd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.pbrd.extraOptions

Extra options to be appended to the FRR pbrd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.pbrd.options

Options for the FRR pbrd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.pim6d.enable

Whether to enable FRR pim6d.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.pim6d.extraOptions

Extra options to be appended to the FRR pim6d daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.pim6d.options

Options for the FRR pim6d daemon.

Type: list of string

Default:

[
  "-A ::1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.pimd.enable

Whether to enable FRR pimd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.pimd.extraOptions

Extra options to be appended to the FRR pimd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.pimd.options

Options for the FRR pimd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ripd.enable

Whether to enable FRR ripd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ripd.extraOptions

Extra options to be appended to the FRR ripd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ripd.options

Options for the FRR ripd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ripngd.enable

Whether to enable FRR ripngd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ripngd.extraOptions

Extra options to be appended to the FRR ripngd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.ripngd.options

Options for the FRR ripngd daemon.

Type: list of string

Default:

[
  "-A ::1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.sharpd.enable

Whether to enable FRR sharpd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.sharpd.extraOptions

Extra options to be appended to the FRR sharpd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.sharpd.options

Options for the FRR sharpd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.staticd.extraOptions

Extra options to be appended to the FRR staticd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.staticd.options

Options for the FRR staticd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.vrrpd.enable

Whether to enable FRR vrrpd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.vrrpd.extraOptions

Extra options to be appended to the FRR vrrpd daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.vrrpd.options

Options for the FRR vrrpd daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.zebra.extraOptions

Extra options to be appended to the FRR zebra daemon options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.frr.zebra.options

Options for the FRR zebra daemon.

Type: list of string

Default:

[
  "-A 127.0.0.1 -s 90000000"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/frr.nix>
services.fstrim.enable

Whether to enable periodic SSD TRIM of mounted partitions in background.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/fstrim.nix>
services.fstrim.interval

How often we run fstrim. For most desktop and server systems a sufficient trimming frequency is once a week.

The format is described in systemd.time(7).

Type: string

Default: "weekly"

Declared by:

<nixpkgs/nixos/modules/services/misc/fstrim.nix>
services.fusionInventory.enable

Whether to enable Fusion Inventory Agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix>
services.fusionInventory.extraConfig

Configuration that is injected verbatim into the configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix>
services.fusionInventory.servers

The urls of the OCS/GLPI servers to connect to.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/fusion-inventory.nix>
services.fwupd.enable

Whether to enable fwupd, a DBus service that allows applications to update firmware.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/fwupd.nix>
services.fwupd.package

The fwupd package to use.

Type: package

Default: pkgs.fwupd

Declared by:

<nixpkgs/nixos/modules/services/hardware/fwupd.nix>
services.fwupd.daemonSettings

Configurations for the fwupd daemon.

Type: section of an INI file (attrs of INI atom (null, bool, int, float or string) or a non-empty list of them)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/hardware/fwupd.nix>
services.fwupd.daemonSettings.DisabledDevices

List of device GUIDs to be disabled.

Type: list of string

Default: [ ]

Example:

[
  "2082b5e0-7a64-478a-b1b2-e3404fab6dad"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/fwupd.nix>
services.fwupd.daemonSettings.DisabledPlugins

List of plugins to be disabled.

Type: list of string

Default: [ ]

Example:

[
  "udev"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/fwupd.nix>
services.fwupd.daemonSettings.EspLocation

The EFI system partition (ESP) path used if UDisks is not available or if this partition is not mounted at /boot/efi, /boot, or /efi

Type: path

Default: config.boot.loader.efi.efiSysMountPoint

Declared by:

<nixpkgs/nixos/modules/services/hardware/fwupd.nix>
services.fwupd.extraRemotes

Enables extra remotes in fwupd. See /etc/fwupd/remotes.d.

Type: list of string

Default: [ ]

Example:

[
  "lvfs-testing"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/fwupd.nix>
services.fwupd.extraTrustedKeys

Installing a public key allows firmware signed with a matching private key to be recognized as trusted, which may require less authentication to install than for untrusted files. By default trusted firmware can be upgraded (but not downgraded) without the user or administrator password. Only very few keys are installed by default.

Type: list of path

Default: [ ]

Example: [ /etc/nixos/fwupd/myfirmware.pem ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/fwupd.nix>
services.fwupd.uefiCapsuleSettings

UEFI capsule configurations for the fwupd daemon.

Type: section of an INI file (attrs of INI atom (null, bool, int, float or string) or a non-empty list of them)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/hardware/fwupd.nix>
services.g810-led.enable

Whether to enable g810-led, a Linux LED controller for some Logitech G Keyboards.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/g810-led.nix>
services.g810-led.package

The g810-led package to use.

Type: package

Default: pkgs.g810-led

Declared by:

<nixpkgs/nixos/modules/services/hardware/g810-led.nix>
services.g810-led.profile

Keyboard profile to apply at boot time.

The upstream repository provides example configurations.

Type: null or strings concatenated with “\n”

Default: null

Example:

''
  # G810-LED Profile (turn all keys on)
  
  # Set all keys on
  a ffffff
  
  # Commit changes
  c
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/g810-led.nix>
services.galene.enable

Whether to enable Galene Service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.package

The galene package to use.

Type: package

Default: pkgs.galene

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.certFile

Path to the server’s certificate. The file is copied at runtime to Galene’s data directory where it needs to reside.

Type: null or string

Default: null

Example: "/path/to/your/cert.pem"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.dataDir

Data directory.

Type: string

Default: "${config.services.galene.stateDir}/data"

Example: "/var/lib/galene/data"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.group

Group under which galene runs.

Type: string

Default: "galene"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.groupsDir

Web server directory.

Type: string

Default: "${config.services.galene.stateDir}/groups"

Example: "/var/lib/galene/groups"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.httpAddress

HTTP listen address for galene.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.httpPort

HTTP listen port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8443

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.insecure

Whether Galene should listen in http or in https. If left as the default value (false), Galene needs to be fed a private key and a certificate.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.keyFile

Path to the server’s private key. The file is copied at runtime to Galene’s data directory where it needs to reside.

Type: null or string

Default: null

Example: "/path/to/your/key.pem"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.recordingsDir

Recordings directory.

Type: string

Default: "${config.services.galene.stateDir}/recordings"

Example: "/var/lib/galene/recordings"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.stateDir

The directory where Galene stores its internal state. If left as the default value this directory will automatically be created before the Galene server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: string

Default: "/var/lib/galene"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.staticDir

Web server directory.

Type: string

Default: "${package.static}/static"

Example: "/var/lib/galene/static"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.turnAddress

Built-in TURN server listen address and port. Set to “” to disable.

Type: string

Default: "auto"

Example: "127.0.0.1:1194"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.galene.user

User account under which galene runs.

Type: string

Default: "galene"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/galene.nix>
services.gammu-smsd.enable

Whether to enable gammu-smsd daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.backend.files.errorSMSPath

Where SMSes with error in transmission is placed

Type: path

Default: "/var/spool/sms/error/"

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.backend.files.inboxPath

Where the received SMSes are stored

Type: path

Default: "/var/spool/sms/inbox/"

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.backend.files.outboxPath

Where SMSes to be sent should be placed

Type: path

Default: "/var/spool/sms/outbox/"

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.backend.files.sentSMSPath

Where the transmitted SMSes are placed

Type: path

Default: "/var/spool/sms/sent/"

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.backend.service

Service to use to store sms data.

Type: one of “null”, “files”, “sql”

Default: "null"

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.backend.sql.database

Database name to store sms data

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.backend.sql.driver

DB driver to use

Type: one of “native_mysql”, “native_pgsql”, “odbc”, “dbi”

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.backend.sql.host

Database server address

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.backend.sql.password

User password used for connection to the database

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.backend.sql.sqlDialect

SQL dialect to use (odbc driver only)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.backend.sql.user

User name used for connection to the database

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.device.connection

Protocol which will be used to talk to the phone

Type: string

Default: "at"

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.device.group

Owner group of the device

Type: string

Default: "root"

Example: "dialout"

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.device.path

Device node or address of the phone

Type: path

Example: "/dev/ttyUSB2"

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.device.pin

PIN code for the simcard

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.device.synchronizeTime

Whether to set time from computer to the phone during starting connection

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.extraConfig.gammu

Extra config lines to be added into [gammu] section

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.extraConfig.smsd

Extra config lines to be added into [smsd] section

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.log.file

Path to file where information about communication will be stored

Type: string

Default: "syslog"

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.log.format

Determines what will be logged to the LogFile

Type: one of “nothing”, “text”, “textall”, “textalldate”, “errors”, “errorsdate”, “binary”

Default: "errors"

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gammu-smsd.user

User that has access to the device

Type: string

Default: "smsd"

Declared by:

<nixpkgs/nixos/modules/services/misc/gammu-smsd.nix>
services.gancio.enable

Whether to enable Gancio, a shared agenda for local communities.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.package

The gancio package to use.

Type: package

Default: pkgs.gancio

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx

Extra configuration for the nginx virtual host of gancio.

Type: submodule

Default: { }

Example:

{
  enableACME = false;
  forceSSL = false;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.plugins

Paths of gancio plugins to activate (linked under $WorkingDirectory/plugins/).

Type: list of package

Default: [ ]

Example: [ pkgs.gancioPlugins.telegram-bridge ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.settings

Configuration for Gancio, see https://gancio.org/install/config for supported values.

Type: JSON value

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.settings.baseurl

The full URL under which the server is reachable.

Type: string

Default: "https://${cfg.settings.hostname}"

Example: "https://demo.gancio.org/gancio"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.settings.db.database

Name of the PostgreSQL database

Type: null or string (read only)

Default:

''
  if cfg.settings.db.dialect == "postgres" then cfg.user else null
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.settings.db.dialect

The database dialect to use

Type: one of “sqlite”, “postgres”

Default: "sqlite"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.settings.db.host

Connection string for the PostgreSQL database

Type: null or string (read only)

Default:

''
  if cfg.settings.db.dialect == "postgres" then "/run/postgresql" else null
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.settings.db.storage

Location for the SQLite database.

Type: null or string (read only)

Default:

''
  if cfg.settings.db.dialect == "sqlite" then "/var/lib/gancio/db.sqlite" else null
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.settings.hostname

The domain name under which the server is reachable.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.settings.log_level

Gancio log level.

Type: one of “debug”, “info”, “warning”, “error”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.settings.log_path

Directory Gancio logs into

Type: string (read only)

Default: "/var/log/gancio"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.settings.server.socket

The unix socket for the gancio server to listen on.

Type: path (read only)

Default: "/run/gancio/socket"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.user

The user (and PostgreSQL database name) used to run the gancio server

Type: string

Default: "gancio"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.gancio.userLocale

Override default locales within gancio. See [https://framagit.org/les/gancio/tree/master/locales](default languages and locales).

Type: attribute set of attribute set of attribute set of string

Default: { }

Example:

{
  en = {
    register = {
      description = "My new registration page description";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gancio.nix>
services.garage.enable

Whether to enable Garage Object Storage (S3 compatible).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/garage.nix>
services.garage.package

Garage package to use, needs to be set explicitly. If you are upgrading from a major version, please read NixOS and Garage release notes for upgrade instructions.

Type: package

Declared by:

<nixpkgs/nixos/modules/services/web-servers/garage.nix>
services.garage.environmentFile

File containing environment variables to be passed to the Garage server.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/garage.nix>
services.garage.extraEnvironment

Extra environment variables to pass to the Garage server.

Type: attribute set of string

Default: { }

Example:

{
  RUST_BACKTRACE = "yes";
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/garage.nix>
services.garage.logLevel

Garage log level, see https://garagehq.deuxfleurs.fr/documentation/quick-start/#launching-the-garage-server for examples.

Type: one of “error”, “warn”, “info”, “debug”, “trace”

Default: "info"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/garage.nix>
services.garage.settings

Garage configuration, see https://garagehq.deuxfleurs.fr/documentation/reference-manual/configuration/ for reference.

Type: TOML value

Declared by:

<nixpkgs/nixos/modules/services/web-servers/garage.nix>
services.garage.settings.data_dir

The directory in which Garage will store the data blocks of objects. This folder can be placed on an HDD. Since v0.9.0, Garage supports multiple data directories, refer to https://garagehq.deuxfleurs.fr/documentation/reference-manual/configuration/#data_dir for the exact format.

Type: path or list of (attribute set)

Default: "/var/lib/garage/data"

Example:

[
  {
    capacity = "2T";
    path = "/var/lib/garage/data";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/garage.nix>
services.garage.settings.metadata_dir

The metadata directory, put this on a fast disk (e.g. SSD) if possible.

Type: path

Default: "/var/lib/garage/meta"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/garage.nix>
services.gateone.enable

Whether to enable GateOne server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/gateone.nix>
services.gateone.pidDir

Path of pid files for GateOne.

Type: path

Default: "/run/gateone"

Declared by:

<nixpkgs/nixos/modules/services/networking/gateone.nix>
services.gateone.settingsDir

Path of configuration files for GateOne.

Type: path

Default: "/var/lib/gateone"

Declared by:

<nixpkgs/nixos/modules/services/networking/gateone.nix>
services.gatus.enable

Whether to enable Gatus.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/gatus.nix>
services.gatus.package

The gatus package to use.

Type: package

Default: pkgs.gatus

Declared by:

<nixpkgs/nixos/modules/services/monitoring/gatus.nix>
services.gatus.configFile

Path to the Gatus configuration file. Overrides any configuration made using the settings option.

Type: path

Default:

let settingsFormat = pkgs.formats.yaml { }; in settingsFormat.generate "gatus.yaml" cfg.settings;

Declared by:

<nixpkgs/nixos/modules/services/monitoring/gatus.nix>
services.gatus.environmentFile

File to load as environment file. Environmental variables from this file can be interpolated in the configuration file using ${VARIABLE}. This is useful to avoid putting secrets into the nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/gatus.nix>
services.gatus.openFirewall

Whether to open the firewall for the Gatus web interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/gatus.nix>
services.gatus.settings

Configuration for Gatus. Supported options can be found at the docs.

Type: YAML value

Default: { }

Example:

{
  web.port = 8080;
  endpoints = [{
    name = "website";
    url = "https://twin.sh/health";
    interval = "5m";
    conditions = [
      "[STATUS] == 200"
      "[BODY].status == UP"
      "[RESPONSE_TIME] < 300"
    ];
  }];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/gatus.nix>
services.gatus.settings.web.port

The TCP port to serve the Gatus service at.

Type: signed integer

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/monitoring/gatus.nix>
services.gdomap.enable

Whether to enable GNUstep Distributed Objects name server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/gdomap.nix>
services.gemstash.enable

Whether to enable gemstash, a cache for rubygems.org and a private gem server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/development/gemstash.nix>
services.gemstash.openFirewall

Whether to open the firewall for the port in services.gemstash.bind.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/development/gemstash.nix>
services.gemstash.settings

Configuration for Gemstash. The details can be found at in gemstash documentation. Each key set here is automatically prefixed with “:” to match the gemstash expectations.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/development/gemstash.nix>
services.gemstash.settings.base_path

Path to store the gem files and the sqlite database. If left unchanged, the directory will be created.

Type: path

Default: "/var/lib/gemstash"

Declared by:

<nixpkgs/nixos/modules/services/development/gemstash.nix>
services.gemstash.settings.bind

Host and port combination for the server to listen on.

Type: string

Default: "tcp://0.0.0.0:9292"

Declared by:

<nixpkgs/nixos/modules/services/development/gemstash.nix>
services.gemstash.settings.db_adapter

Which database type to use. For choices other than sqlite3, the dbUrl has to be specified as well.

Type: null or one of “sqlite3”, “postgres”, “mysql”, “mysql2”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/gemstash.nix>
services.gemstash.settings.db_url

The database to connect to when using postgres, mysql, or mysql2.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/gemstash.nix>
services.geoclue2.enable

Whether to enable GeoClue 2 daemon, a DBus service that provides location information for accessing.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.enable3G

Whether to enable 3G source.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.enableCDMA

Whether to enable CDMA source.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.enableDemoAgent

Whether to use the GeoClue demo agent. This should be overridden by desktop environments that provide their own agent.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.enableModemGPS

Whether to enable Modem-GPS source.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.enableNmea

Whether to fetch location from NMEA sources on local network.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.enableWifi

Whether to enable WiFi source.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.package

The geoclue2 package to use

Type: package

Default: pkgs.geoclue2

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.appConfig

Specify extra settings per application.

Type: attribute set of (submodule)

Default: { }

Example:

"com.github.app" = {
  isAllowed = true;
  isSystem = true;
  users = [ "300" ];
};

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.appConfig.<name>.desktopID

Desktop ID of the application.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.appConfig.<name>.isAllowed

Whether the application will be allowed access to location information.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.appConfig.<name>.isSystem

Whether the application is a system component or not.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.appConfig.<name>.users

List of UIDs of all users for which this application is allowed location info access, Defaults to an empty string to allow it for all users.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.geoProviderUrl

The url to the wifi GeoLocation Service.

Type: string

Default: "https://location.services.mozilla.com/v1/geolocate?key=geoclue"

Example: "https://www.googleapis.com/geolocation/v1/geolocate?key=YOUR_KEY"

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.submissionNick

A nickname to submit network data with. Must be 2-32 characters long.

Type: string

Default: "geoclue"

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.submissionUrl

The url to submit data to a GeoLocation Service.

Type: string

Default: "https://location.services.mozilla.com/v1/submit?key=geoclue"

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoclue2.submitData

Whether to submit data to a GeoLocation Service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/geoclue2.nix>
services.geoipupdate.enable

Whether to enable periodic downloading of GeoIP databases using geoipupdate .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/geoipupdate.nix>
services.geoipupdate.interval

Update the GeoIP databases at this time / interval. The format is described in systemd.time(7).

Type: string

Default: "weekly"

Declared by:

<nixpkgs/nixos/modules/services/misc/geoipupdate.nix>
services.geoipupdate.settings

geoipupdate configuration options. See https://github.com/maxmind/geoipupdate/blob/main/doc/GeoIP.conf.md for a full list of available options.

Settings containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting GeoIP.conf file, the ProxyUserPassword key will be set to the contents of the /run/keys/proxy_pass file.

Type: attribute set of (string or signed integer or boolean or list of (string or signed integer or boolean))

Example:

{
  AccountID = 200001;
  DatabaseDirectory = "/var/lib/GeoIP";
  LicenseKey = { _secret = "/run/keys/maxmind_license_key"; };
  Proxy = "10.0.0.10:8888";
  ProxyUserPassword = { _secret = "/run/keys/proxy_pass"; };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/geoipupdate.nix>
services.geoipupdate.settings.AccountID

Your MaxMind account ID.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/misc/geoipupdate.nix>
services.geoipupdate.settings.DatabaseDirectory

The directory to store the database files in. The directory will be automatically created, the owner changed to geoip and permissions set to world readable. This applies if the directory already exists as well, so don’t use a directory with sensitive contents.

Type: path

Default: "/var/lib/GeoIP"

Example: "/run/GeoIP"

Declared by:

<nixpkgs/nixos/modules/services/misc/geoipupdate.nix>
services.geoipupdate.settings.EditionIDs

List of database edition IDs. This includes new string IDs like GeoIP2-City and old numeric IDs like 106.

Type: list of (string or signed integer)

Example:

[
  "GeoLite2-ASN"
  "GeoLite2-City"
  "GeoLite2-Country"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/geoipupdate.nix>
services.geoipupdate.settings.LicenseKey

A file containing the MaxMind license key.

Always handled as a secret whether the value is wrapped in a { _secret = ...; } attrset or not (refer to services.geoipupdate.settings for details).

Type: path or attribute set of path

Declared by:

<nixpkgs/nixos/modules/services/misc/geoipupdate.nix>
services.gerrit.enable

Whether to enable Gerrit service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gerrit.nix>
services.gerrit.package

The gerrit package to use.

Type: package

Default: pkgs.gerrit

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gerrit.nix>
services.gerrit.builtinPlugins

List of builtins plugins to install. Those are shipped in the gerrit.war file.

Type: list of (one of “codemirror-editor”, “commit-message-length-validator”, “delete-project”, “download-commands”, “gitiles”, “hooks”, “plugin-manager”, “replication”, “reviewnotes”, “singleusergroup”, “webhooks”)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gerrit.nix>
services.gerrit.jvmHeapLimit

How much memory to allocate to the JVM heap

Type: string

Default: "1024m"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gerrit.nix>
services.gerrit.jvmOpts

A list of JVM options to start gerrit with.

Type: list of string

Default:

[
  "-Dflogger.backend_factory=com.google.common.flogger.backend.log4j.Log4jBackendFactory#getInstance"
  "-Dflogger.logging_context=com.google.gerrit.server.logging.LoggingContext#getInstance"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gerrit.nix>
services.gerrit.jvmPackage

The jre_headless package to use.

Type: package

Default: pkgs.jre_headless

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gerrit.nix>
services.gerrit.listenAddress

hostname:port to listen for HTTP traffic.

This is bound using the systemd socket activation.

Type: string

Default: "[::]:8080"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gerrit.nix>
services.gerrit.plugins

List of plugins to add to Gerrit. Each derivation is a jar file itself where the name of the derivation is the name of plugin.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gerrit.nix>
services.gerrit.replicationSettings

Replication configuration. This will be generated to the etc/replication.config file.

Type: lazy attribute set of lazy attribute set of (string or boolean or signed integer or list of (string or boolean or signed integer) or lazy attribute set of (string or boolean or signed integer or list of (string or boolean or signed integer)))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gerrit.nix>
services.gerrit.serverId

Set a UUID that uniquely identifies the server.

This can be generated with nix-shell -p util-linux --run uuidgen.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gerrit.nix>
services.gerrit.settings

Gerrit configuration. This will be generated to the etc/gerrit.config file.

Type: lazy attribute set of lazy attribute set of (string or boolean or signed integer or list of (string or boolean or signed integer) or lazy attribute set of (string or boolean or signed integer or list of (string or boolean or signed integer)))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gerrit.nix>
services.geth

Specification of one or more geth instances.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.enable

Whether to enable Go Ethereum Node.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.package

The geth package to use.

Type: package

Default: pkgs.go-ethereum.geth

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.authrpc.enable

Whether to enable Go Ethereum Auth RPC API.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.authrpc.address

Listen address of Go Ethereum Auth RPC API.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.authrpc.jwtsecret

Path to a JWT secret for authenticated RPC endpoint.

Type: string

Default: ""

Example: "/var/run/geth/jwtsecret"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.authrpc.port

Port number of Go Ethereum Auth RPC API.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8551

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.authrpc.vhosts

List of virtual hostnames from which to accept requests.

Type: null or (list of string)

Default:

[
  "localhost"
]

Example:

[
  "localhost"
  "geth.example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.extraArgs

Additional arguments passed to Go Ethereum.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.gcmode

Blockchain garbage collection mode.

Type: one of “full”, “archive”

Default: "full"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.http.enable

Whether to enable Go Ethereum HTTP API.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.http.address

Listen address of Go Ethereum HTTP API.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.http.apis

APIs to enable over WebSocket

Type: null or (list of string)

Default: null

Example:

[
  "net"
  "eth"
]

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.http.port

Port number of Go Ethereum HTTP API.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8545

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.maxpeers

Maximum peers to connect to.

Type: signed integer

Default: 50

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.metrics.enable

Whether to enable Go Ethereum prometheus metrics.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.metrics.address

Listen address of Go Ethereum metrics service.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.metrics.port

Port number of Go Ethereum metrics service.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6060

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.network

The network to connect to. Mainnet (null) is the default ethereum network.

Type: null or one of “goerli”, “holesky”, “rinkeby”, “yolov2”, “ropsten”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.port

Port number Go Ethereum will be listening on, both TCP and UDP.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 30303

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.syncmode

Blockchain sync mode.

Type: one of “snap”, “fast”, “full”, “light”

Default: "snap"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.websocket.enable

Whether to enable Go Ethereum WebSocket API.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.websocket.address

Listen address of Go Ethereum WebSocket API.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.websocket.apis

APIs to enable over WebSocket

Type: null or (list of string)

Default: null

Example:

[
  "net"
  "eth"
]

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.geth.<name>.websocket.port

Port number of Go Ethereum WebSocket API.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8546

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/geth.nix>
services.getty.autologinOnce

If enabled the automatic login will only happen in the first tty once per boot. This can be useful to avoid retyping the account password on systems with full disk encrypted.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/ttys/getty.nix>
services.getty.autologinUser

Username of the account that will be automatically logged in at the console. If unspecified, a login prompt is shown as usual.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/ttys/getty.nix>
services.getty.extraArgs

Additional arguments passed to agetty.

Type: list of string

Default: [ ]

Example:

[
  "--nohostname"
]

Declared by:

<nixpkgs/nixos/modules/services/ttys/getty.nix>
services.getty.greetingLine

Welcome line printed by agetty. The default shows current NixOS version label, machine type and tty.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/ttys/getty.nix>
services.getty.helpLine

Help line printed by agetty below the welcome line. Used by the installation CD to give some hints on how to proceed.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/ttys/getty.nix>
services.getty.loginOptions

Template for arguments to be passed to login(1).

See agetty(1) for details, including security considerations. If unspecified, agetty will not be invoked with a --login-options option.

Type: null or string

Default: null

Example: "-h darkstar -- \\u"

Declared by:

<nixpkgs/nixos/modules/services/ttys/getty.nix>
services.getty.loginProgram

Path to the login binary executed by agetty.

Type: path

Default: "${pkgs.shadow}/bin/login"

Declared by:

<nixpkgs/nixos/modules/services/ttys/getty.nix>
services.ghostunnel.enable

Whether to enable ghostunnel.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.package

The ghostunnel package to use.

Type: package

Default: pkgs.ghostunnel

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers

Server mode ghostunnels (TLS listener -> plain TCP/UNIX target)

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.allowAll

If true, allow all clients, do not check client cert subject.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.allowCN

Allow client if common name appears in the list.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.allowDNS

Allow client if DNS subject alternative name appears in the list.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.allowOU

Allow client if organizational unit name appears in the list.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.allowURI

Allow client if URI subject alternative name appears in the list.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.cacert

Path to CA bundle file (PEM/X509). Uses system trust store if null.

Type: null or string

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.cert

Path to certificate (PEM with certificate chain).

Not required if keystore is set.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.disableAuthentication

Disable client authentication, no client certificate will be required.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.extraArguments

Extra arguments to pass to ghostunnel server

Type: strings concatenated with " "

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.key

Path to certificate private key (PEM with private key).

Not required if keystore is set.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.keystore

Path to keystore (combined PEM with cert/key, or PKCS12 keystore).

NB: storepass is not supported because it would expose credentials via /proc/*/cmdline.

Specify this or cert and key.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.listen

Address and port to listen on (can be HOST:PORT, unix:PATH).

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.target

Address to forward connections to (can be HOST:PORT or unix:PATH).

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.ghostunnel.servers.<name>.unsafeTarget

If set, does not limit target to localhost, 127.0.0.1, [::1], or UNIX sockets.

This is meant to protect against accidental unencrypted traffic on untrusted networks.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ghostunnel.nix>
services.gitDaemon.enable

Enable Git daemon, which allows public hosting of git repositories without any access controls. This is mostly intended for read-only access.

You can allow write access by setting daemon.receivepack configuration item of the repository to true. This is solely meant for a closed LAN setting where everybody is friendly.

If you need any access controls, use something else.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.package

The git package to use.

Type: package

Default: pkgs.git

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.basePath

Remap all the path requests as relative to the given path. For example, if you set base-path to /srv/git, then if you later try to pull git://example.com/hello.git, Git daemon will interpret the path as /srv/git/hello.git.

Type: string

Default: ""

Example: "/srv/git/"

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.exportAll

Publish all directories that look like Git repositories (have the objects and refs subdirectories), even if they do not have the git-daemon-export-ok file.

If disabled, you need to touch .git/git-daemon-export-ok in each repository you want the daemon to publish.

Warning: enabling this without a repository whitelist or basePath publishes every git repository you have.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.group

Group under which Git daemon would be running.

Type: string

Default: "git"

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.listenAddress

Listen on a specific IP address or hostname.

Type: string

Default: ""

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.options

Extra configuration options to be passed to Git daemon.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9418

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.repositories

A whitelist of paths of git repositories, or directories containing repositories all of which would be published. Paths must not end in “/”.

Warning: leaving this empty and enabling exportAll publishes all repositories in your filesystem or basePath if specified.

Type: list of string

Default: [ ]

Example:

[
  "/srv/git"
  "/home/user/git/repo2"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitDaemon.user

User under which Git daemon would be running.

Type: string

Default: "git"

Declared by:

<nixpkgs/nixos/modules/services/networking/git-daemon.nix>
services.gitea.enable

Enable Gitea Service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.package

The gitea package to use.

Type: package

Default: pkgs.gitea

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.appName

Application name.

Type: string

Default: "gitea: Gitea Service"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.camoHmacKeyFile

Path to a file containing the camo HMAC key.

Type: null or string

Default: null

Example: "/var/lib/secrets/gitea/camoHmacKey"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.customDir

Gitea custom directory. Used for config, custom templates and other options.

Type: string

Default: "${config.services.gitea.stateDir}/custom"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.database.createDatabase

Whether to create a local database automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.database.host

Database host address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.database.name

Database name.

Type: string

Default: "gitea"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.database.password

The password corresponding to database.user. Warning: this is stored in cleartext in the Nix store! Use database.passwordFile instead.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/gitea-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.database.path

Path to the sqlite3 database file.

Type: string

Default: "${config.services.gitea.stateDir}/data/gitea.db"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

if config.services.gitea.database.type != "postgresql"
then 3306
else 5432

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.database.socket

Path to the unix socket file to use for authentication.

Type: null or path

Default: null

Example: "/run/mysqld/mysqld.sock"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.database.type

Database engine to use.

Type: one of “sqlite3”, “mysql”, “postgres”

Default: "sqlite3"

Example: "mysql"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.database.user

Database user.

Type: string

Default: "gitea"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.dump.enable

Enable a timer that runs gitea dump to generate backup-files of the current gitea database and repositories.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.dump.backupDir

Path to the dump files.

Type: string

Default: "${config.services.gitea.stateDir}/dump"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.dump.file

Filename to be used for the dump. If null a default name is chosen by gitea.

Type: null or string

Default: null

Example: "gitea-dump"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.dump.interval

Run a gitea dump at this interval. Runs by default at 04:31 every day.

The format is described in systemd.time(7).

Type: string

Default: "04:31"

Example: "hourly"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.dump.type

Archive format used to store the dump file.

Type: one of “zip”, “rar”, “tar”, “sz”, “tar.gz”, “tar.xz”, “tar.bz2”, “tar.br”, “tar.lz4”, “tar.zst”

Default: "zip"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.extraConfig

Configuration lines appended to the generated gitea configuration file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.group

Group under which gitea runs.

Type: string

Default: "gitea"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.lfs.enable

Enables git-lfs support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.lfs.contentDir

Where to store LFS files.

Type: string

Default: "${config.services.gitea.stateDir}/data/lfs"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.mailerPasswordFile

Path to a file containing the SMTP password.

Type: null or string

Default: null

Example: "/var/lib/secrets/gitea/mailpw"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.metricsTokenFile

Path to a file containing the metrics authentication token.

Type: null or string

Default: null

Example: "/var/lib/secrets/gitea/metrics_token"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.repositoryRoot

Path to the git repositories.

Type: string

Default: "${config.services.gitea.stateDir}/repositories"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.settings

Gitea configuration. Refer to https://docs.gitea.io/en-us/config-cheat-sheet/ for details on supported values.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  "cron.sync_external_users" = {
    RUN_AT_START = true;
    SCHEDULE = "@every 24h";
    UPDATE_EXISTING = true;
  };
  mailer = {
    ENABLED = true;
    MAILER_TYPE = "sendmail";
    FROM = "do-not-reply@example.org";
    SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail";
  };
  other = {
    SHOW_FOOTER_VERSION = false;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.settings.log.LEVEL

General log level.

Type: one of “Trace”, “Debug”, “Info”, “Warn”, “Error”, “Critical”

Default: "Info"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.settings.log.ROOT_PATH

Root path for log files.

Type: string

Default: "${config.services.gitea.stateDir}/log"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.settings.server.DISABLE_SSH

Disable external SSH feature.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.settings.server.DOMAIN

Domain name of your server.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.settings.server.HTTP_ADDR

Listen address. Must be a path when using a unix socket.

Type: string or path

Default: if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/gitea/gitea.sock" else "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.settings.server.HTTP_PORT

Listen port. Ignored when using a unix socket.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.settings.server.PROTOCOL

Listen protocol. +unix means “over unix”, not “in addition to.”

Type: one of “http”, “https”, “fcgi”, “http+unix”, “fcgi+unix”

Default: "http"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.settings.server.ROOT_URL

Full public URL of gitea server.

Type: string

Default: "http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}/"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.settings.server.SSH_PORT

SSH port displayed in clone URL. The option is required to configure a service when the external visible port differs from the local listening port i.e. if port forwarding is used.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 22

Example: 2222

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.settings.server.STATIC_ROOT_PATH

Upper level of template and static files path.

Type: string or path

Default: config.services.gitea.package.data

Example: "/var/lib/gitea/data"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.settings.service.DISABLE_REGISTRATION

By default any user can create an account on this gitea instance. This can be disabled by using this option.

Note: please keep in mind that this should be added after the initial deploy unless services.gitea.useWizard is true as the first registered user will be the administrator if no install wizard is used.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.settings.session.COOKIE_SECURE

Marks session cookies as “secure” as a hint for browsers to only send them via HTTPS. This option is recommend, if gitea is being served over HTTPS.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.stateDir

Gitea data directory.

Type: string

Default: "/var/lib/gitea"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.useWizard

Do not generate a configuration and use gitea’ installation wizard instead. The first registered user will be administrator.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea.user

User account under which gitea runs.

Type: string

Default: "gitea"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitea.nix>
services.gitea-actions-runner.package

The gitea-actions-runner package to use.

Type: package

Default: pkgs.gitea-actions-runner

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitea-actions-runner.nix>
services.gitea-actions-runner.instances

Gitea Actions Runner instances.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitea-actions-runner.nix>
services.gitea-actions-runner.instances.<name>.enable

Whether to enable Gitea Actions Runner instance.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitea-actions-runner.nix>
services.gitea-actions-runner.instances.<name>.hostPackages

List of packages, that are available to actions, when the runner is configured with a host execution label.

Type: list of package

Default:

with pkgs; [
  bash
  coreutils
  curl
  gawk
  gitMinimal
  gnused
  nodejs
  wget
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitea-actions-runner.nix>
services.gitea-actions-runner.instances.<name>.labels

Labels used to map jobs to their runtime environment. Changing these labels currently requires a new registration token.

Many common actions require bash, git and nodejs, as well as a filesystem that follows the filesystem hierarchy standard.

Type: list of string

Example:

[
  # provide a debian base with nodejs for actions
  "debian-latest:docker://node:18-bullseye"
  # fake the ubuntu name, because node provides no ubuntu builds
  "ubuntu-latest:docker://node:18-bullseye"
  # provide native execution on the host
  #"native:host"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitea-actions-runner.nix>
services.gitea-actions-runner.instances.<name>.name

The name identifying the runner instance towards the Gitea/Forgejo instance.

Type: string

Example: config.networking.hostName

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitea-actions-runner.nix>
services.gitea-actions-runner.instances.<name>.settings

Configuration for act_runner daemon. See https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml for an example configuration

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitea-actions-runner.nix>
services.gitea-actions-runner.instances.<name>.token

Plain token to register at the configured Gitea/Forgejo instance.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitea-actions-runner.nix>
services.gitea-actions-runner.instances.<name>.tokenFile

Path to an environment file, containing the TOKEN environment variable, that holds a token to register at the configured Gitea/Forgejo instance.

Type: null or string or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitea-actions-runner.nix>
services.gitea-actions-runner.instances.<name>.url

Base URL of your Gitea/Forgejo instance.

Type: string

Example: "https://forge.example.com"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitea-actions-runner.nix>
services.github-runners

Multiple GitHub Runners.

Type: attribute set of (submodule)

Default: { }

Example:

{
  runner1 = {
    enable = true;
    name = "runner1";
    tokenFile = "/secrets/token1";
    url = "https://github.com/owner/repo";
  };
  runner2 = {
    enable = true;
    name = "runner2";
    tokenFile = "/secrets/token2";
    url = "https://github.com/owner/repo";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.enable

Whether to enable GitHub Actions runner.

Note: GitHub recommends using self-hosted runners with private repositories only. Learn more here: About self-hosted runners.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.package

The github-runner package to use.

Type: package

Default: pkgs.github-runner

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.ephemeral

If enabled, causes the following behavior:

  • Passes the --ephemeral flag to the runner configuration script

  • De-registers and stops the runner with GitHub after it has processed one job

  • On stop, systemd wipes the runtime directory (this always happens, even without using the ephemeral option)

  • Restarts the service after its successful exit

  • On start, wipes the state directory and configures a new runner

You should only enable this option if tokenFile points to a file which contains a personal access token (PAT). If you’re using the option with a registration token, restarting the service will fail as soon as the registration token expired.

Changing this option triggers a new runner registration.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.extraEnvironment

Extra environment variables to set for the runner, as an attrset.

Type: attribute set

Default: { }

Example:

{
  GIT_CONFIG = "/path/to/git/config";
}

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.extraLabels

Extra labels in addition to the default (unless disabled through the noDefaultLabels option).

Changing this option triggers a new runner registration.

Type: list of string

Default: [ ]

Example: [ "nixos" ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.extraPackages

Extra packages to add to PATH of the service to make them available to workflows.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.group

Group under which to run the service.

The effect of this option depends on the value of the user option:

  • group == null and user == null: The service runs with a dynamically allocated user and group.

  • group == null and user != null: The service runs as the given user and its default group.

  • group != null and user == null: This configuration is invalid. In this case, the service would use the given group but run as root implicitly. If this is really what you want, set user = "root" explicitly.

Type: null or string

Default: groupname

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.name

Name of the runner to configure. If null, defaults to the hostname.

Changing this option triggers a new runner registration.

Type: null or string

Default: "‹name›"

Example: "nixos"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.noDefaultLabels

Disables adding the default labels. Also see the extraLabels option.

Changing this option triggers a new runner registration.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.nodeRuntimes

List of Node.js runtimes the runner should support.

Type: non-empty (list of value “node20” (singular enum))

Default:

[
  "node20"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.replace

Replace any existing runner with the same name.

Without this flag, registering a new runner with the same name fails.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.runnerGroup

Name of the runner group to add this runner to (defaults to the default runner group).

Changing this option triggers a new runner registration.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.serviceOverrides

Modify the systemd service. Can be used to, e.g., adjust the sandboxing options. See systemd.exec(5) for more options.

Type: attribute set

Default: { }

Example:

{
  ProtectHome = false;
  RestrictAddressFamilies = [
    "AF_PACKET"
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.tokenFile

The full path to a file which contains either

  • a fine-grained personal access token (PAT),

  • a classic PAT

  • or a runner registration token

Changing this option or the tokenFile’s content triggers a new runner registration.

We suggest using the fine-grained PATs. A runner registration token is valid only for 1 hour after creation, so the next time the runner configuration changes this will give you hard-to-debug HTTP 404 errors in the configure step.

The file should contain exactly one line with the token without any newline. (Use echo -n '…token…' > …token file… to make sure no newlines sneak in.)

If the file contains a PAT, the service creates a new registration token on startup as needed. If a registration token is given, it can be used to re-register a runner of the same name but is time-limited as noted above.

For fine-grained PATs:

Give it “Read and Write access to organization/repository self hosted runners”, depending on whether it is organization wide or per-repository. You might have to experiment a little, fine-grained PATs are a beta Github feature and still subject to change; nonetheless they are the best option at the moment.

For classic PATs:

Make sure the PAT has a scope of admin:org for organization-wide registrations or a scope of repo for a single repository.

For runner registration tokens:

Nothing special needs to be done, but updating will break after one hour, so these are not recommended.

Type: path

Example: "/run/secrets/github-runner/nixos.token"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.url

Repository to add the runner to.

Changing this option triggers a new runner registration.

IMPORTANT: If your token is org-wide (not per repository), you need to provide a github org link, not a single repository, so do it like this https://github.com/nixos, not like this https://github.com/nixos/nixpkgs. Otherwise, you are going to get a 404 NotFound from POST https://api.github.com/actions/runner-registration in the configure script.

Type: string

Example: "https://github.com/nixos/nixpkgs"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.user

User under which to run the service.

If this option and the group option is set to null, the service runs as a dynamically allocated user.

Also see the group option for an overview on the effects of the user and group settings.

Type: null or string

Default: username

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.github-runners.<name>.workDir

Working directory, available as $GITHUB_WORKSPACE during workflow runs and used as a default for repository checkouts. The service cleans this directory on every service start.

A value of null will default to the systemd RuntimeDirectory.

Changing this option triggers a new runner registration.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/github-runner/options.nix>
services.gitlab.enable

Enable the gitlab service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.packages.gitaly

The gitaly package to use.

Type: package

Default: pkgs.gitaly

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.packages.gitlab

The gitlab package to use.

Type: package

Default: pkgs.gitlab

Example: gitlab-ee

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.packages.gitlab-shell

The gitlab-shell package to use.

Type: package

Default: pkgs.gitlab-shell

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.packages.gitlab-workhorse

The gitlab-workhorse package to use.

Type: package

Default: pkgs.gitlab-workhorse

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.packages.pages

The gitlab-pages package to use.

Type: package

Default: pkgs.gitlab-pages

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.backup.keepTime

How long to keep the backups around, in hours. 0 means “keep forever”.

Type: signed integer

Default: 0

Example: 48

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.backup.path

GitLab path for backups.

Type: string

Default: config.services.gitlab.statePath + "/backup"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.backup.skip

Directories to exclude from the backup. The example excludes CI artifacts and LFS objects from the backups. The tar option skips the creation of a tar file.

Refer to https://docs.gitlab.com/ee/raketasks/backup_restore.html#excluding-specific-directories-from-the-backup for more information.

Type: one of “db”, “uploads”, “builds”, “artifacts”, “lfs”, “registry”, “pages”, “repositories”, “tar” or list of (one of “db”, “uploads”, “builds”, “artifacts”, “lfs”, “registry”, “pages”, “repositories”, “tar”)

Default: [ ]

Example:

[
  "artifacts"
  "lfs"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.backup.startAt

The time(s) to run automatic backup of GitLab state. Specified in systemd’s time format; see systemd.time(7).

Type: string or list of string

Default: [ ]

Example: "03:00"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.backup.uploadOptions

GitLab automatic upload specification. Tells GitLab to upload the backup to a remote location when done.

Attributes specified here are added under production -> backup -> upload in config/gitlab.yml.

Type: attribute set

Default: { }

Example:

{
  # Fog storage connection settings, see http://fog.io/storage/
  connection = {
    provider = "AWS";
    region = "eu-north-1";
    aws_access_key_id = "AKIAXXXXXXXXXXXXXXXX";
    aws_secret_access_key = { _secret = config.deployment.keys.aws_access_key.path; };
  };

  # The remote 'directory' to store your backups in.
  # For S3, this would be the bucket name.
  remote_directory = "my-gitlab-backups";

  # Use multipart uploads when file size reaches 100MB, see
  # http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
  multipart_chunk_size = 104857600;

  # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
  encryption = "AES256";

  # Specifies Amazon S3 storage class to use for backups, this is optional
  storage_class = "STANDARD";
};

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.databaseCreateLocally

Whether a database should be automatically created on the local host. Set this to false if you plan on provisioning a local database yourself. This has no effect if services.gitlab.databaseHost is customized.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.databaseHost

GitLab database hostname. An empty string means “use local unix socket connection”.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.databaseName

GitLab database name.

Type: string

Default: "gitlab"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.databasePasswordFile

File containing the GitLab database user password.

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.databasePool

Database connection pool size.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.databaseUsername

GitLab database user.

Type: string

Default: "gitlab"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.extraConfig

Extra options to be added under production in config/gitlab.yml, as a nix attribute set.

Options containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting config/gitlab.yml file, the production.omniauth.providers[0].args.client_options.secret key will be set to the contents of the /var/keys/gitlab_oidc_secret file.

Type: YAML value

Default: { }

Example:

{
  gitlab = {
    default_projects_features = {
      builds = false;
    };
  };
  omniauth = {
    enabled = true;
    auto_sign_in_with_provider = "openid_connect";
    allow_single_sign_on = ["openid_connect"];
    block_auto_created_users = false;
    providers = [
      {
        name = "openid_connect";
        label = "OpenID Connect";
        args = {
          name = "openid_connect";
          scope = ["openid" "profile"];
          response_type = "code";
          issuer = "https://keycloak.example.com/auth/realms/My%20Realm";
          discovery = true;
          client_auth_method = "query";
          uid_field = "preferred_username";
          client_options = {
            identifier = "gitlab";
            secret = { _secret = "/var/keys/gitlab_oidc_secret"; };
            redirect_uri = "https://git.example.com/users/auth/openid_connect/callback";
          };
        };
      }
    ];
  };
};

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.extraDatabaseConfig

Extra configuration in config/database.yml.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.extraEnv

Additional environment variables for the GitLab environment.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.extraGitlabRb

Extra configuration to be placed in config/extra-gitlab.rb. This can be used to add configuration not otherwise exposed through this module’s options.

Type: string

Default: ""

Example:

''
  if Rails.env.production?
    Rails.application.config.action_mailer.delivery_method = :sendmail
    ActionMailer::Base.delivery_method = :sendmail
    ActionMailer::Base.sendmail_settings = {
      location: "/run/wrappers/bin/sendmail",
      arguments: "-i -t"
    }
  end
''

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.extraShellConfig

Extra configuration to merge into shell-config.yml

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.group

Group to run gitlab and all related services.

Type: string

Default: "gitlab"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.host

GitLab host name. Used e.g. for copy-paste URLs.

Type: string

Default: config.networking.hostName

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.https

Whether gitlab prints URLs with https as scheme.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.initialRootEmail

Initial email address of the root account if this is a new install.

Type: string

Default: "admin@local.host"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.initialRootPasswordFile

File containing the initial password of the root account if this is a new install.

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.logrotate.enable

Enable rotation of log files.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.logrotate.frequency

How often to rotate the logs.

Type: string

Default: "daily"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.logrotate.keep

How many rotations to keep.

Type: signed integer

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.pages.enable

Whether to enable the GitLab Pages service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.pages.settings

Configuration options to set in the GitLab Pages config file.

Options containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting configuration file, the auth-client-secret and auth-secret keys will be set to the contents of the /var/keys/auth-client-secret and /var/keys/auth-secret files respectively.

Type: attribute set of (null or string or signed integer or boolean or (attribute set))

Example:

{
  pages-domain = "example.com";
  auth-client-id = "generated-id-xxxxxxx";
  auth-client-secret = { _secret = "/var/keys/auth-client-secret"; };
  auth-redirect-uri = "https://projects.example.com/auth";
  auth-secret = { _secret = "/var/keys/auth-secret"; };
  auth-server = "https://gitlab.example.com";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.pages.settings.artifacts-server

API URL to proxy artifact requests to.

Type: null or string

Default: "http(s)://<services.gitlab.host>/api/v4"

Example: "https://gitlab.example.com/api/v4"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.pages.settings.gitlab-server

Public GitLab server URL.

Type: null or string

Default: "http(s)://<services.gitlab.host>"

Example: "https://gitlab.example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.pages.settings.internal-gitlab-server

Internal GitLab server used for API requests, useful if you want to send that traffic over an internal load balancer. By default, the value of services.gitlab.pages.settings.gitlab-server is used.

Type: null or string

Default: "http(s)://<services.gitlab.host>"

Example: "https://gitlab.example.internal"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.pages.settings.listen-http

The address(es) to listen on for HTTP requests.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.pages.settings.listen-https

The address(es) to listen on for HTTPS requests.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.pages.settings.listen-proxy

The address(es) to listen on for proxy requests.

Type: list of string

Default:

[
  "127.0.0.1:8090"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.pages.settings.pages-domain

The domain to serve static pages on.

Type: null or string

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.pages.settings.pages-root

The directory where pages are stored.

Type: string

Default: config.services.gitlab.extraConfig.production.shared.path + "/pages"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.port

GitLab server port for copy-paste URLs, e.g. 80 or 443 if you’re service over https.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.puma.threadsMax

The maximum number of threads Puma should use per worker. This limits how many threads Puma will automatically spawn in response to requests. In contrast to workers, threads will never be able to run Ruby code in parallel, but give higher IO parallelism.

Note

Each thread consumes memory and contributes to Global VM Lock contention, so be careful when increasing this.

Type: signed integer

Default: 4

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.puma.threadsMin

The minimum number of threads Puma should use per worker.

Note

Each thread consumes memory and contributes to Global VM Lock contention, so be careful when increasing this.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.puma.workers

The number of worker processes Puma should spawn. This controls the amount of parallel Ruby code can be executed. GitLab recommends Number of CPU cores - 1, but at least two.

Note

Each worker consumes quite a bit of memory, so be careful when increasing this.

Type: signed integer

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.redisUrl

Redis URL for all GitLab services.

Type: string

Default: "unix:/run/gitlab/redis.sock"

Example: "redis://localhost:6379/"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.registry.enable

Enable GitLab container registry.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.registry.package

Container registry package to use.

External container registries such as pkgs.docker-distribution are not supported anymore since GitLab 16.0.0.

Type: package

Default: pkgs.docker-distribution

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.registry.certFile

Path to GitLab container registry certificate.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.registry.defaultForProjects

If GitLab container registry should be enabled by default for projects.

Type: boolean

Default: config.services.gitlab.registry.enable

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.registry.externalAddress

External address used to access registry from the internet

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.registry.externalPort

External port used to access registry from the internet

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.registry.host

GitLab container registry host name.

Type: string

Default: config.services.gitlab.host

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.registry.issuer

GitLab container registry issuer.

Type: string

Default: "gitlab-issuer"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.registry.keyFile

Path to GitLab container registry certificate-key.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.registry.port

GitLab container registry port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4567

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.registry.serviceName

GitLab container registry service name.

Type: string

Default: "container_registry"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.secrets.dbFile

A file containing the secret used to encrypt variables in the DB. If you change or lose this key you will be unable to access variables stored in database.

Make sure the secret is at least 32 characters and all random, no regular words or you’ll be exposed to dictionary attacks.

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.secrets.jwsFile

A file containing the secret used to encrypt session keys. If you change or lose this key, users will be disconnected.

Make sure the secret is an RSA private key in PEM format. You can generate one with

openssl genrsa 2048

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.secrets.otpFile

A file containing the secret used to encrypt secrets for OTP tokens. If you change or lose this key, users which have 2FA enabled for login won’t be able to login anymore.

Make sure the secret is at least 32 characters and all random, no regular words or you’ll be exposed to dictionary attacks.

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.secrets.secretFile

A file containing the secret used to encrypt variables in the DB. If you change or lose this key you will be unable to access variables stored in database.

Make sure the secret is at least 32 characters and all random, no regular words or you’ll be exposed to dictionary attacks.

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.sidekiq.concurrency

How many processor threads to use for processing sidekiq background job queues. When null, the GitLab default is used.

See https://docs.gitlab.com/ee/administration/sidekiq/extra_sidekiq_processes.html#manage-thread-counts-explicitly for details.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.sidekiq.memoryKiller.enable

Whether the Sidekiq MemoryKiller should be turned on. MemoryKiller kills Sidekiq when its memory consumption exceeds a certain limit.

See https://docs.gitlab.com/ee/administration/operations/sidekiq_memory_killer.html for details.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.sidekiq.memoryKiller.graceTime

The time MemoryKiller waits after noticing excessive memory consumption before killing Sidekiq.

Type: signed integer

Default: 900

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.sidekiq.memoryKiller.maxMemory

The maximum amount of memory, in MiB, a Sidekiq worker is allowed to consume before being killed.

Type: signed integer

Default: 2000

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.sidekiq.memoryKiller.shutdownWait

The time allowed for all jobs to finish before Sidekiq is killed forcefully.

Type: signed integer

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.smtp.enable

Enable gitlab mail delivery over SMTP.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.smtp.enableStartTLSAuto

Whether to try to use StartTLS.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.smtp.address

Address of the SMTP server for GitLab.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.smtp.authentication

Authentication type to use, see http://api.rubyonrails.org/classes/ActionMailer/Base.html

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.smtp.domain

HELO domain to use for outgoing mail.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.smtp.opensslVerifyMode

How OpenSSL checks the certificate, see http://api.rubyonrails.org/classes/ActionMailer/Base.html

Type: string

Default: "peer"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.smtp.passwordFile

File containing the password of the SMTP server for GitLab.

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.smtp.port

Port of the SMTP server for GitLab.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 25

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.smtp.tls

Whether to use TLS wrapper-mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.smtp.username

Username of the SMTP server for GitLab.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.statePath

GitLab state directory. Configuration, repositories and logs, among other things, are stored here.

The directory will be created automatically if it doesn’t exist already. Its parent directories must be owned by either root or the user set in services.gitlab.user.

Type: string

Default: "/var/gitlab/state"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.user

User to run gitlab and all related services.

Type: string

Default: "gitlab"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab.workhorse.config

Configuration options to add to Workhorse’s configuration file.

See https://gitlab.com/gitlab-org/gitlab/-/blob/master/workhorse/config.toml.example and https://docs.gitlab.com/ee/development/workhorse/configuration.html for examples and option documentation.

Options containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting configuration file, the object_storage.s3.aws_secret_access_key key will be set to the contents of the /var/keys/aws_secret_access_key file.

Type: TOML value

Default: { }

Example:

{
  object_storage.provider = "AWS";
  object_storage.s3 = {
    aws_access_key_id = "AKIAXXXXXXXXXXXXXXXX";
    aws_secret_access_key = { _secret = "/var/keys/aws_secret_access_key"; };
  };
};

Declared by:

<nixpkgs/nixos/modules/services/misc/gitlab.nix>
services.gitlab-runner.enable

Whether to enable Gitlab Runner.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.package

The gitlab-runner package to use.

Type: package

Default: pkgs.gitlab-runner

Example: gitlab-runner_1_11

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.clear-docker-cache.enable

Whether to periodically prune gitlab runner’s Docker resources. If enabled, a systemd timer will run clear-docker-cache as specified by the dates option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.clear-docker-cache.package

Docker package to use for clearing up docker cache.

Type: unspecified value

Default: config.virtualisation.docker.package

Example: pkgs.docker

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.clear-docker-cache.dates

Specification (in the format described by systemd.time(7)) of the time at which the prune will occur.

Type: string

Default: "weekly"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.clear-docker-cache.flags

Any additional flags passed to clear-docker-cache.

Type: list of string

Default: [ ]

Example:

[
  "prune"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.configFile

Configuration file for gitlab-runner.

configFile takes precedence over services. checkInterval and concurrent will be ignored too.

This option is deprecated, please use services instead. You can use registrationConfigFile and registrationFlags for settings not covered by this module.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.extraPackages

Extra packages to add to PATH for the gitlab-runner process.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.gracefulTermination

Finish all remaining jobs before stopping. If not set gitlab-runner will stop immediately without waiting for jobs to finish, which will lead to failed builds.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.gracefulTimeout

Time to wait until a graceful shutdown is turned into a forceful one.

Type: string

Default: "infinity"

Example: "5min 20s"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services

GitLab Runner services.

Type: attribute set of (submodule)

Default: { }

Example:

{
  # runner for building in docker via host's nix-daemon
  # nix store will be readable in runner, might be insecure
  nix = {
    # File should contain at least these two variables:
    # - `CI_SERVER_URL`
    # - `REGISTRATION_TOKEN`
    #
    # NOTE: Support for runner registration tokens will be removed in GitLab 18.0.
    # Please migrate to runner authentication tokens soon. For reference, the example
    # runners below this one are configured with authentication tokens instead.
    registrationConfigFile = "/run/secrets/gitlab-runner-registration";

    dockerImage = "alpine";
    dockerVolumes = [
      "/nix/store:/nix/store:ro"
      "/nix/var/nix/db:/nix/var/nix/db:ro"
      "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
    ];
    dockerDisableCache = true;
    preBuildScript = pkgs.writeScript "setup-container" ''
      mkdir -p -m 0755 /nix/var/log/nix/drvs
      mkdir -p -m 0755 /nix/var/nix/gcroots
      mkdir -p -m 0755 /nix/var/nix/profiles
      mkdir -p -m 0755 /nix/var/nix/temproots
      mkdir -p -m 0755 /nix/var/nix/userpool
      mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
      mkdir -p -m 1777 /nix/var/nix/profiles/per-user
      mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
      mkdir -p -m 0700 "$HOME/.nix-defexpr"

      . ${pkgs.nix}/etc/profile.d/nix.sh

      ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}

      ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
      ${pkgs.nix}/bin/nix-channel --update nixpkgs
    '';
    environmentVariables = {
      ENV = "/etc/profile";
      USER = "root";
      NIX_REMOTE = "daemon";
      PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
      NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
    };
    tagList = [ "nix" ];
  };
  # runner for building docker images
  docker-images = {
    # File should contain at least these two variables:
    # `CI_SERVER_URL`
    # `CI_SERVER_TOKEN`
    authenticationTokenConfigFile = "/run/secrets/gitlab-runner-docker-images-token-env";

    dockerImage = "docker:stable";
    dockerVolumes = [
      "/var/run/docker.sock:/var/run/docker.sock"
    ];
    tagList = [ "docker-images" ];
  };
  # runner for executing stuff on host system (very insecure!)
  # make sure to add required packages (including git!)
  # to `environment.systemPackages`
  shell = {
    # File should contain at least these two variables:
    # `CI_SERVER_URL`
    # `CI_SERVER_TOKEN`
    authenticationTokenConfigFile = "/run/secrets/gitlab-runner-shell-token-env";

    executor = "shell";
    tagList = [ "shell" ];
  };
  # runner for everything else
  default = {
    # File should contain at least these two variables:
    # `CI_SERVER_URL`
    # `CI_SERVER_TOKEN`
    authenticationTokenConfigFile = "/run/secrets/gitlab-runner-default-token-env";
    dockerImage = "debian:stable";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.authenticationTokenConfigFile

Absolute path to a file containing environment variables used for gitlab-runner registrations with runner authentication tokens. They replace the deprecated runner registration tokens, as outlined in the GitLab documentation.

A list of all supported environment variables can be found with gitlab-runner register --help.

The ones you probably want to set are:

  • CI_SERVER_URL=<CI server URL>

  • CI_SERVER_TOKEN=<runner authentication token secret>

Warning

Make sure to use a quoted absolute path, or it is going to be copied to Nix Store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.buildsDir

Absolute path to a directory where builds will be stored in context of selected executor (Locally, Docker, SSH).

Type: null or path

Default: null

Example: "/var/lib/gitlab-runner/builds"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.cloneUrl

Overwrite the URL for the GitLab instance. Used if the Runner can’t connect to GitLab on the URL GitLab exposes itself.

Type: null or string

Default: null

Example: "http://gitlab.example.local"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.debugTraceDisabled

When set to true Runner will disable the possibility of using the CI_DEBUG_TRACE feature.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.description

Name/description of the runner.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.dockerAllowedImages

Whitelist allowed images.

Type: list of string

Default: [ ]

Example:

[
  "ruby:*"
  "python:*"
  "php:*"
  "my.registry.tld:5000/*:*"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.dockerAllowedServices

Whitelist allowed services.

Type: list of string

Default: [ ]

Example:

[
  "postgres:9"
  "redis:*"
  "mysql:*"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.dockerDisableCache

Disable all container caching.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.dockerExtraHosts

Add a custom host-to-IP mapping.

Type: list of string

Default: [ ]

Example:

[
  "other-host:127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.dockerImage

Docker image to be used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.dockerPrivileged

Give extended privileges to container.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.dockerVolumes

Bind-mount a volume and create it if it doesn’t exist prior to mounting.

Type: list of string

Default: [ ]

Example:

[
  "/var/run/docker.sock:/var/run/docker.sock"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.environmentVariables

Custom environment variables injected to build environment. For secrets you can use registrationConfigFile with RUNNER_ENV variable set.

Type: attribute set of string

Default: { }

Example:

{
  NAME = "value";
}

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.executor

Select executor, eg. shell, docker, etc. See runner documentation for more information.

Type: string

Default: "docker"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.limit

Limit how many jobs can be handled concurrently by this service. 0 (default) simply means don’t limit.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.maximumTimeout

What is the maximum timeout (in seconds) that will be set for job when using this Runner. 0 (default) simply means don’t limit.

This option has no effect for runners registered with an runner authentication tokens and will be ignored.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.postBuildScript

Runner-specific command script executed after code is pulled and just after build executes.

Type: null or string or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.postGetSourcesScript

Runner-specific command script executed after code is pulled.

Type: null or string or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.preBuildScript

Runner-specific command script executed after code is pulled, just before build executes.

Type: null or string or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.preGetSourcesScript

Runner-specific command script executed before code is pulled.

Type: null or string or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.protected

When set to true Runner will only run on pipelines triggered on protected branches.

This option has no effect for runners registered with an runner authentication tokens and will be ignored.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.registrationConfigFile

Absolute path to a file with environment variables used for gitlab-runner registration with runner registration tokens.

A list of all supported environment variables can be found in gitlab-runner register --help.

The ones you probably want to set are:

  • CI_SERVER_URL=<CI server URL>

  • REGISTRATION_TOKEN=<registration secret>

Support for runner registration tokens is deprecated since GitLab 16.0, has been disabled by default in GitLab 17.0 and will be removed in GitLab 18.0, as outlined in the GitLab documentation. Please consider migrating to runner authentication tokens and check the documentation on services.gitlab-runner.services.<name>.authenticationTokenConfigFile.

Warning

Make sure to use a quoted absolute path, or it is going to be copied to Nix Store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.registrationFlags

Extra command-line flags passed to gitlab-runner register. Execute gitlab-runner register --help for a list of supported flags.

Type: list of string

Default: [ ]

Example:

[
  "--docker-helper-image my/gitlab-runner-helper"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.requestConcurrency

Limit number of concurrent requests for new jobs from GitLab.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.runUntagged

Register to run untagged builds; defaults to true when tagList is empty.

This option has no effect for runners registered with an runner authentication tokens and will be ignored.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.services.<name>.tagList

Tag list.

This option has no effect for runners registered with an runner authentication tokens and will be ignored.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitlab-runner.settings

Global gitlab-runner configuration. See https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section for supported values.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gitlab-runner.nix>
services.gitolite.enable

Enable gitolite management under the gitolite user. After switching to a configuration with Gitolite enabled, you can then run git clone gitolite@host:gitolite-admin.git to manage it further.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitolite.nix>
services.gitolite.enableGitAnnex

Enable git-annex support. Uses the extraGitoliteRc option to apply the necessary configuration.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitolite.nix>
services.gitolite.adminPubkey

Initial administrative public key for Gitolite. This should be an SSH Public Key. Note that this key will only be used once, upon the first initialization of the Gitolite user. The key string cannot have any line breaks in it.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/gitolite.nix>
services.gitolite.commonHooks

A list of custom git hooks that get copied to ~/.gitolite/hooks/common.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/gitolite.nix>
services.gitolite.dataDir

The gitolite home directory used to store all repositories. If left as the default value this directory will automatically be created before the gitolite server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: string

Default: "/var/lib/gitolite"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitolite.nix>
services.gitolite.description

Gitolite user account’s description.

Type: string

Default: "Gitolite user"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitolite.nix>
services.gitolite.extraGitoliteRc

Extra configuration to append to the default ~/.gitolite.rc.

This should be Perl code that modifies the %RC configuration variable. The default ~/.gitolite.rc content is generated by invoking gitolite print-default-rc, and extra configuration from this option is appended to it. The result is placed to Nix store, and the ~/.gitolite.rc file becomes a symlink to it.

If you already have a customized (or otherwise changed) ~/.gitolite.rc file, NixOS will refuse to replace it with a symlink, and the gitolite-init initialization service will fail. In this situation, in order to use this option, you will need to take any customizations you may have in ~/.gitolite.rc, convert them to appropriate Perl statements, add them to this option, and remove the file.

See also the enableGitAnnex option.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  $RC{UMASK} = 0027;
  $RC{SITE_INFO} = 'This is our private repository host';
  push( @{$RC{ENABLE}}, 'Kindergarten' ); # enable the command/feature
  @{$RC{ENABLE}} = grep { $_ ne 'desc' } @{$RC{ENABLE}}; # disable the command/feature
''

Declared by:

<nixpkgs/nixos/modules/services/misc/gitolite.nix>
services.gitolite.group

Primary group of the Gitolite user account.

Type: string

Default: "gitolite"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitolite.nix>
services.gitolite.user

Gitolite user account. This is the username of the gitolite endpoint.

Type: string

Default: "gitolite"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitolite.nix>
services.gitwatch

A set of git repositories to watch for. See gitwatch for more.

Type: attribute set of (submodule)

Default: { }

Example:

{
  disabled-repo = {
    branch = "autobranch";
    enable = false;
    path = "/home/user/disabled-project";
    remote = "git@github.com:me/my-old-project.git";
    user = "user";
  };
  my-repo = {
    enable = true;
    path = "/home/user/watched-project";
    remote = "git@github.com:me/my-project.git";
    user = "user";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/gitwatch.nix>
services.gitwatch.<name>.enable

Whether to enable watching for repo.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/gitwatch.nix>
services.gitwatch.<name>.branch

Optional branch in remote repository

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/gitwatch.nix>
services.gitwatch.<name>.path

The path to repo in local machine

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/gitwatch.nix>
services.gitwatch.<name>.remote

Optional url of remote repository

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/gitwatch.nix>
services.gitwatch.<name>.user

The name of services’s user

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/gitwatch.nix>
services.gitweb.extraConfig

Verbatim configuration text appended to the generated gitweb.conf file.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  $feature{'highlight'}{'default'} = [1];
  $feature{'ctags'}{'default'} = [1];
  $feature{'avatar'}{'default'} = ['gravatar'];
''

Declared by:

<nixpkgs/nixos/modules/services/misc/gitweb.nix>
services.gitweb.gitwebTheme

Use an alternative theme for gitweb, strongly inspired by GitHub.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gitweb.nix>
services.gitweb.projectroot

Path to git projects (bare repositories) that should be served by gitweb. Must not end with a slash.

Type: path

Default: "/srv/git"

Declared by:

<nixpkgs/nixos/modules/services/misc/gitweb.nix>
services.glance.enable

Whether to enable glance.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/glance.nix>
services.glance.package

The glance package to use.

Type: package

Default: pkgs.glance

Declared by:

<nixpkgs/nixos/modules/services/web-apps/glance.nix>
services.glance.openFirewall

Whether to open the firewall for Glance. This adds services.glance.settings.server.port to networking.firewall.allowedTCPPorts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/glance.nix>
services.glance.settings

Configuration written to a yaml file that is read by glance. See https://github.com/glanceapp/glance/blob/main/docs/configuration.md for more.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/glance.nix>
services.glance.settings.pages

List of pages to be present on the dashboard.

See https://github.com/glanceapp/glance/blob/main/docs/configuration.md#pages--columns

Type: YAML value

Default:

[
  {
    columns = [
      {
        size = "full";
        widgets = [
          {
            type = "calendar";
          }
        ];
      }
    ];
    name = "Calendar";
  }
]

Example:

[
  {
    columns = [
      {
        size = "full";
        widgets = [
          {
            type = "calendar";
          }
          {
            location = "Nivelles, Belgium";
            type = "weather";
          }
        ];
      }
    ];
    name = "Home";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/glance.nix>
services.glance.settings.server.host

Glance bind address

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/glance.nix>
services.glance.settings.server.port

Glance port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Example: 5678

Declared by:

<nixpkgs/nixos/modules/services/web-apps/glance.nix>
services.glances.enable

Whether to enable Glances.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/glances.nix>
services.glances.package

The glances package to use.

Type: package

Default: pkgs.glances

Declared by:

<nixpkgs/nixos/modules/services/monitoring/glances.nix>
services.glances.extraArgs

Extra command-line arguments to pass to glances.

See https://glances.readthedocs.io/en/latest/cmds.html for all available options.

Type: list of string

Default:

[
  "--webserver"
]

Example:

[
  "--webserver"
  "--disable-webui"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/glances.nix>
services.glances.openFirewall

Open port in the firewall for glances.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/glances.nix>
services.glances.port

Port the server will isten on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 61208

Declared by:

<nixpkgs/nixos/modules/services/monitoring/glances.nix>
services.globalprotect.enable

Whether to enable globalprotect.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/globalprotect-vpn.nix>
services.globalprotect.csdWrapper

A script that will produce a Host Integrity Protection (HIP) report, as described at https://www.infradead.org/openconnect/hip.html

Type: null or path

Default: null

Example: "${pkgs.openconnect}/libexec/openconnect/hipreport.sh"

Declared by:

<nixpkgs/nixos/modules/services/networking/globalprotect-vpn.nix>
services.globalprotect.settings

GlobalProtect-openconnect configuration. For more information, visit https://github.com/yuezk/GlobalProtect-openconnect/wiki/Configuration.

Type: attribute set

Default: { }

Example:

{
  "vpn1.company.com" = {
    openconnect-args = "--script=/path/to/vpnc-script";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/globalprotect-vpn.nix>
services.glusterfs.enable

Whether to enable GlusterFS Daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/glusterfs.nix>
services.glusterfs.enableGlustereventsd

Whether to enable the GlusterFS Events Daemon

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/glusterfs.nix>
services.glusterfs.extraFlags

Extra flags passed to the GlusterFS daemon

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/glusterfs.nix>
services.glusterfs.killMode

The systemd KillMode to use for glusterd.

glusterd spawns other daemons like gsyncd. If you want these to stop when glusterd is stopped (e.g. to ensure that NixOS config changes are reflected even for these sub-daemons), set this to ‘control-group’. If however you want running volume processes (glusterfsd) and thus gluster mounts not be interrupted when glusterd is restarted (for example, when you want to restart them manually at a later time), set this to ‘process’.

Type: one of “control-group”, “process”, “mixed”, “none”

Default: "control-group"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/glusterfs.nix>
services.glusterfs.logLevel

Log level used by the GlusterFS daemon

Type: one of “DEBUG”, “INFO”, “WARNING”, “ERROR”, “CRITICAL”, “TRACE”, “NONE”

Default: "INFO"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/glusterfs.nix>
services.glusterfs.stopKillTimeout

The systemd TimeoutStopSec to use.

After this time after having been asked to shut down, glusterd (and depending on the killMode setting also its child processes) are killed by systemd.

The default is set low because GlusterFS (as of 3.10) is known to not tell its children (like gsyncd) to terminate at all.

Type: string

Default: "5s"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/glusterfs.nix>
services.glusterfs.tlsSettings

Make the server communicate via TLS. This means it will only connect to other gluster servers having certificates signed by the same CA.

Enabling this will create a file /var/lib/glusterd/secure-access. Disabling will delete this file again.

See also: https://gluster.readthedocs.io/en/latest/Administrator%20Guide/SSL/

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/glusterfs.nix>
services.glusterfs.tlsSettings.caCert

Path certificate authority used to sign the cluster certificates.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/glusterfs.nix>
services.glusterfs.tlsSettings.tlsKeyPath

Path to the private key used for TLS.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/glusterfs.nix>
services.glusterfs.tlsSettings.tlsPem

Path to the certificate used for TLS.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/glusterfs.nix>
services.glusterfs.useRpcbind

Enable use of rpcbind. This is required for Gluster’s NFS functionality.

You may want to turn it off to reduce the attack surface for DDoS reflection attacks.

See https://davelozier.com/glusterfs-and-rpcbind-portmap-ddos-reflection-attacks/ and https://bugzilla.redhat.com/show_bug.cgi?id=1426842 for details.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/glusterfs.nix>
services.gmediarender.enable

Whether to enable the gmediarender DLNA renderer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/gmediarender.nix>
services.gmediarender.package

The gmediarender package to use.

Type: package

Default: pkgs.gmrender-resurrect

Declared by:

<nixpkgs/nixos/modules/services/audio/gmediarender.nix>
services.gmediarender.audioDevice

The audio device to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/audio/gmediarender.nix>
services.gmediarender.audioSink

The audio sink to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/audio/gmediarender.nix>
services.gmediarender.friendlyName

A “friendly name” for identifying the endpoint.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/audio/gmediarender.nix>
services.gmediarender.initialVolume

A default volume attenuation (in dB) for the endpoint.

Type: null or signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/audio/gmediarender.nix>
services.gmediarender.port

Port that will be used to accept client connections.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/audio/gmediarender.nix>
services.gmediarender.uuid

A UUID for uniquely identifying the endpoint. If you have multiple renderers on your network, you MUST set this.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/audio/gmediarender.nix>
services.gnome.at-spi2-core.enable

Whether to enable at-spi2-core, a service for the Assistive Technologies available on the GNOME platform.

Enable this if you get the error or warning The name org.a11y.Bus was not provided by any .service files.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/at-spi2-core.nix>
services.gnome.core-developer-tools.enable

Whether to enable GNOME core developer tools.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.gnome.core-os-services.enable

Whether to enable essential services for GNOME3.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.gnome.core-shell.enable

Whether to enable GNOME Shell services.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.gnome.core-utilities.enable

Whether to enable GNOME core utilities.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.gnome.evolution-data-server.enable

Whether to enable Evolution Data Server, a collection of services for storing addressbooks and calendars.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/evolution-data-server.nix>
services.gnome.evolution-data-server.plugins

Plugins for Evolution Data Server.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/evolution-data-server.nix>
services.gnome.games.enable

Whether to enable GNOME games.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.gnome.glib-networking.enable

Whether to enable network extensions for GLib.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/glib-networking.nix>
services.gnome.gnome-browser-connector.enable

Whether to enable native host connector for the GNOME Shell browser extension, a DBus service allowing to install GNOME Shell extensions from a web browser .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/gnome-browser-connector.nix>
services.gnome.gnome-initial-setup.enable

Whether to enable GNOME Initial Setup, a Simple, easy, and safe way to prepare a new system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/gnome-initial-setup.nix>
services.gnome.gnome-keyring.enable

Whether to enable GNOME Keyring daemon, a service designed to take care of the user’s security credentials, such as user names and passwords .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/gnome-keyring.nix>
services.gnome.gnome-online-accounts.enable

Whether to enable GNOME Online Accounts daemon, a service that provides a single sign-on framework for the GNOME desktop.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/gnome-online-accounts.nix>
services.gnome.gnome-remote-desktop.enable

Whether to enable Remote Desktop support using Pipewire.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/gnome-remote-desktop.nix>
services.gnome.gnome-settings-daemon.enable

Whether to enable GNOME Settings Daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/gnome-settings-daemon.nix>
services.gnome.gnome-user-share.enable

Whether to enable GNOME User Share, a user-level file sharing service for GNOME.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/gnome-user-share.nix>
services.gnome.localsearch.enable

Whether to enable LocalSearch, indexing services for TinySPARQL search engine and metadata storage system.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/localsearch.nix>
services.gnome.rygel.enable

Whether to enable Rygel UPnP Mediaserver.

You will need to also allow UPnP connections in firewall, see the following comment.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/rygel.nix>
services.gnome.rygel.package

The rygel package to use.

Type: package

Default: pkgs.rygel

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/rygel.nix>
services.gnome.sushi.enable

Whether to enable Sushi, a quick previewer for nautilus.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/sushi.nix>
services.gnome.tinysparql.enable

Whether to enable TinySPARQL services, a search engine, search tool and metadata storage system.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gnome/tinysparql.nix>
services.gns3-server.enable

Whether to enable GNS3 Server daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.package

The gns3-server package to use.

Type: package

Default: pkgs.gns3-server

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.auth.enable

Whether to enable password based HTTP authentication to access the GNS3 Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.auth.passwordFile

A file containing the password to access the GNS3 Server.

Warning

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Example: "/run/secrets/gns3-server-password"

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.auth.user

Username used to access the GNS3 Server.

Type: null or string

Default: null

Example: "gns3"

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.dynamips.enable

Whether to enable Dynamips support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.dynamips.package

The dynamips package to use.

Type: package

Default: pkgs.dynamips

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.log.debug

Whether to enable debug logging.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.log.file

Path of the file GNS3 Server should log to.

Type: null or path

Default: "/var/log/gns3/server.log"

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.settings

The global options in config file in ini format.

Refer to https://docs.gns3.com/docs/using-gns3/administration/gns3-server-configuration-file/ for all available options.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  host = "127.0.0.1";
  port = 3080;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.ssl.enable

Whether to enable SSL encryption.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.ssl.certFile

Path to the SSL certificate file. This certificate will be offered to, and may be verified by, clients.

Type: null or path

Default: null

Example: "/var/lib/gns3/ssl/server.pem"

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.ssl.keyFile

Private key file for the certificate.

Type: null or path

Default: null

Example: "/var/lib/gns3/ssl/server.key"

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.ubridge.enable

Whether to enable uBridge support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.ubridge.package

The ubridge package to use.

Type: package

Default: pkgs.ubridge

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.vpcs.enable

Whether to enable VPCS support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gns3-server.vpcs.package

The vpcs package to use.

Type: package

Default: pkgs.vpcs

Declared by:

<nixpkgs/nixos/modules/services/networking/gns3-server.nix>
services.gnunet.enable

Whether to run the GNUnet daemon. GNUnet is GNU’s anonymous peer-to-peer communication and file sharing framework.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.package

The gnunet package to use.

Type: package

Default: pkgs.gnunet

Example: gnunet_git

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.extraOptions

Additional options that will be copied verbatim in gnunet.conf. See gnunet.conf(5) for details.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.fileSharing.quota

Maximum file system usage (in MiB) for file sharing.

Type: signed integer

Default: 1024

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.load.hardNetUpBandwidth

Hard bandwidth limit (in bits per second) when uploading data.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.load.maxNetDownBandwidth

Maximum bandwidth usage (in bits per second) for GNUnet when downloading data.

Type: signed integer

Default: 50000

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.load.maxNetUpBandwidth

Maximum bandwidth usage (in bits per second) for GNUnet when downloading data.

Type: signed integer

Default: 50000

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.tcp.port

The TCP port for use by GNUnet.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2086

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.gnunet.udp.port

The UDP port for use by GNUnet.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2086

Declared by:

<nixpkgs/nixos/modules/services/networking/gnunet.nix>
services.go-autoconfig.enable

Whether to enable IMAP/SMTP autodiscover feature for mail clients.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/go-autoconfig.nix>
services.go-autoconfig.settings

Configuration for go-autoconfig. See https://github.com/L11R/go-autoconfig/blob/master/config.yml for more information.

Type: YAML value

Default: { }

Example:

{
  service_addr = ":1323";
  domain = "autoconfig.example.org";
  imap = {
    server = "example.org";
    port = 993;
  };
  smtp = {
    server = "example.org";
    port = 465;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/go-autoconfig.nix>
services.go-camo.enable

Whether to enable go-camo service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/go-camo.nix>
services.go-camo.extraOptions

Extra options passed to the go-camo command.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/go-camo.nix>
services.go-camo.keyFile

A file containing the HMAC key to use for signing URLs. The file can contain any string. Can be generated using “openssl rand -base64 18 > the_file”.

Type: path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/go-camo.nix>
services.go-camo.listen

Address:Port to bind to for HTTP (default: 0.0.0.0:8080).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/go-camo.nix>
services.go-camo.sslCert

Path to TLS certificate.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/go-camo.nix>
services.go-camo.sslKey

Path to TLS private key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/go-camo.nix>
services.go-camo.sslListen

Address:Port to bind to for HTTPS.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/go-camo.nix>
services.go-neb.enable

Whether to enable an extensible matrix bot written in Go.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/go-neb.nix>
services.go-neb.baseUrl

Public-facing endpoint that can receive webhooks.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/go-neb.nix>
services.go-neb.bindAddress

Port (and optionally address) to listen on.

Type: string

Default: ":4050"

Declared by:

<nixpkgs/nixos/modules/services/networking/go-neb.nix>
services.go-neb.config

Your config.yaml as a Nix attribute set. See config.sample.yaml for possible options.

Type: YAML value

Declared by:

<nixpkgs/nixos/modules/services/networking/go-neb.nix>
services.go-neb.secretFile

Environment variables from this file will be interpolated into the final config file using envsubst with this syntax: $ENVIRONMENT or ${VARIABLE}. The file should contain lines formatted as SECRET_VAR=SECRET_VALUE. This is useful to avoid putting secrets into the nix store.

Type: null or path

Default: null

Example: "/run/keys/go-neb.env"

Declared by:

<nixpkgs/nixos/modules/services/networking/go-neb.nix>
services.go-shadowsocks2.server.enable

Whether to enable go-shadowsocks2 server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/go-shadowsocks2.nix>
services.go-shadowsocks2.server.listenAddress

Server listen address or URL

Type: string

Example: "ss://AEAD_CHACHA20_POLY1305:your-password@:8488"

Declared by:

<nixpkgs/nixos/modules/services/networking/go-shadowsocks2.nix>
services.go2rtc.enable

Whether to enable go2rtc streaming server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/go2rtc/default.nix>
services.go2rtc.package

The go2rtc package to use.

Type: package

Default: pkgs.go2rtc

Declared by:

<nixpkgs/nixos/modules/services/video/go2rtc/default.nix>
services.go2rtc.settings

go2rtc configuration as a Nix attribute set.

See the wiki for possible configuration options.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/video/go2rtc/default.nix>
services.go2rtc.settings.api.listen

API listen address, conforming to a Go address string.

Type: string

Default: ":1984"

Example: "127.0.0.1:1984"

Declared by:

<nixpkgs/nixos/modules/services/video/go2rtc/default.nix>
services.go2rtc.settings.ffmpeg.bin

The ffmpeg package to use for transcoding.

Type: path

Default: lib.getExe pkgs.ffmpeg-headless

Declared by:

<nixpkgs/nixos/modules/services/video/go2rtc/default.nix>
services.go2rtc.settings.streams

Stream source configuration. Multiple source types are supported.

Check the configuration reference for possible options.

Type: attribute set of (string or list of string)

Default: { }

Example:

{
  cam1 = "onvif://admin:password@192.168.1.123:2020";
  cam2 = "tcp://192.168.1.123:12345";
}

Declared by:

<nixpkgs/nixos/modules/services/video/go2rtc/default.nix>
services.goatcounter.enable

Whether to enable goatcounter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/goatcounter.nix>
services.goatcounter.package

The goatcounter package to use.

Type: package

Default: pkgs.goatcounter

Declared by:

<nixpkgs/nixos/modules/services/web-apps/goatcounter.nix>
services.goatcounter.address

Web interface address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/goatcounter.nix>
services.goatcounter.extraArgs

List of extra arguments to be passed to goatcounter cli. See goatcounter help serve for more information.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/goatcounter.nix>
services.goatcounter.port

Web interface port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8081

Declared by:

<nixpkgs/nixos/modules/services/web-apps/goatcounter.nix>
services.goatcounter.proxy

Whether Goatcounter service is running behind a reverse proxy. Will listen for HTTPS if false. Refer to documentation for more details.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/goatcounter.nix>
services.gobgpd.enable

Whether to enable GoBGP Routing Daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/gobgpd.nix>
services.gobgpd.settings

GoBGP configuration. Refer to https://github.com/osrg/gobgp#documentation for details on supported values.

Type: TOML value

Default: { }

Example:

{
  global = {
    config = {
      as = 64512;
      router-id = "192.168.255.1";
    };
  };
  neighbors = [
    {
      config = {
        neighbor-address = "10.0.255.1";
        peer-as = 65001;
      };
    }
    {
      config = {
        neighbor-address = "10.0.255.2";
        peer-as = 65002;
      };
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/networking/gobgpd.nix>
services.gocd-agent.enable

Whether to enable gocd-agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix>
services.gocd-agent.packages

Packages to add to PATH for the Go.CD agent process.

Type: list of package

Default: [ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix>
services.gocd-agent.agentConfig

Agent registration configuration.

Type: string

Default: ""

Example:

''
  agent.auto.register.resources=ant,java
  agent.auto.register.environments=QA,Performance
  agent.auto.register.hostname=Agent01
''

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix>
services.gocd-agent.environment

Additional environment variables to be passed to the Go.CD agent process. As a base environment, Go.CD agent receives NIX_PATH from environment.sessionVariables, NIX_REMOTE is set to “daemon”.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix>
services.gocd-agent.extraGroups

List of extra groups that the “gocd-agent” user should be a part of.

Type: list of string

Default: [ ]

Example:

[
  "wheel"
  "docker"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix>
services.gocd-agent.extraOptions

Specifies additional command line arguments to pass to Go.CD agent java process. Example contains debug and gcLog arguments.

Type: list of string

Default: [ ]

Example:

[
  "-X debug"
  "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006"
  "-verbose:gc"
  "-Xloggc:go-agent-gc.log"
  "-XX:+PrintGCTimeStamps"
  "-XX:+PrintTenuringDistribution"
  "-XX:+PrintGCDetails"
  "-XX:+PrintGC"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix>
services.gocd-agent.goServer

URL of the GoCD Server to attach the Go.CD Agent to.

Type: string

Default: "https://127.0.0.1:8154/go"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix>
services.gocd-agent.group

If the default user “gocd-agent” is configured then this is the primary group of that user.

Type: string

Default: "gocd-agent"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix>
services.gocd-agent.initialJavaHeapSize

Specifies the initial java heap memory size for the Go.CD agent java process.

Type: string

Default: "128m"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix>
services.gocd-agent.maxJavaHeapMemory

Specifies the java maximum heap memory size for the Go.CD agent java process.

Type: string

Default: "256m"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix>
services.gocd-agent.startupOptions

Specifies startup command line arguments to pass to Go.CD agent java process.

Type: list of string

Default:

[
  "-Xms${config.services.gocd-agent.initialJavaHeapSize}"
  "-Xmx${config.services.gocd-agent.maxJavaHeapMemory}"
  "-Djava.io.tmpdir=/tmp"
  "-Dcruise.console.publish.interval=10"
  "-Djava.security.egd=file:/dev/./urandom"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix>
services.gocd-agent.user

User the Go.CD agent should execute under.

Type: string

Default: "gocd-agent"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix>
services.gocd-agent.workDir

Specifies the working directory in which the Go.CD agent java archive resides.

Type: string

Default: "/var/lib/go-agent"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-agent/default.nix>
services.gocd-server.enable

Whether to enable gocd-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.gocd-server.packages

Packages to add to PATH for the Go.CD server’s process.

Type: list of package

Default: [ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.gocd-server.environment

Additional environment variables to be passed to the gocd-server process. As a base environment, gocd-server receives NIX_PATH from environment.sessionVariables, NIX_REMOTE is set to “daemon”.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.gocd-server.extraGroups

List of extra groups that the “gocd-server” user should be a part of.

Type: list of string

Default: [ ]

Example:

[
  "wheel"
  "docker"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.gocd-server.extraOptions

Specifies additional command line arguments to pass to Go.CD server’s java process. Example contains debug and gcLog arguments.

Type: list of string

Default: [ ]

Example:

[
  "-X debug"
  "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005"
  "-verbose:gc"
  "-Xloggc:go-server-gc.log"
  "-XX:+PrintGCTimeStamps"
  "-XX:+PrintTenuringDistribution"
  "-XX:+PrintGCDetails"
  "-XX:+PrintGC"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.gocd-server.group

If the default user “gocd-server” is configured then this is the primary group of that user.

Type: string

Default: "gocd-server"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.gocd-server.initialJavaHeapSize

Specifies the initial java heap memory size for the Go.CD server’s java process.

Type: string

Default: "512m"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.gocd-server.listenAddress

Specifies the bind address on which the Go.CD server HTTP interface listens.

Type: string

Default: "0.0.0.0"

Example: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.gocd-server.maxJavaHeapMemory

Specifies the java maximum heap memory size for the Go.CD server’s java process.

Type: string

Default: "1024m"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.gocd-server.port

Specifies port number on which the Go.CD server HTTP interface listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8153

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.gocd-server.sslPort

Specifies port number on which the Go.CD server HTTPS interface listens.

Type: signed integer

Default: 8154

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.gocd-server.startupOptions

Specifies startup command line arguments to pass to Go.CD server java process.

Type: list of string

Default:

[
  "-Xms${config.services.gocd-server.initialJavaHeapSize}"
  "-Xmx${config.services.gocd-server.maxJavaHeapMemory}"
  "-Dcruise.listen.host=${config.services.gocd-server.listenAddress}"
  "-Duser.language=en"
  "-Djruby.rack.request.size.threshold.bytes=30000000"
  "-Duser.country=US"
  "-Dcruise.config.dir=${config.services.gocd-server.workDir}/conf"
  "-Dcruise.config.file=${config.services.gocd-server.workDir}/conf/cruise-config.xml"
  "-Dcruise.server.port=${toString config.services.gocd-server.port}"
  "-Dcruise.server.ssl.port=${toString config.services.gocd-server.sslPort}"
  "--add-opens=java.base/java.lang=ALL-UNNAMED"
  "--add-opens=java.base/java.util=ALL-UNNAMED"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.gocd-server.user

User the Go.CD server should execute under.

Type: string

Default: "gocd-server"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.gocd-server.workDir

Specifies the working directory in which the Go.CD server java archive resides.

Type: string

Default: "/var/lib/go-server"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/gocd-server/default.nix>
services.goeland.enable

Whether to enable goeland, an alternative to rss2email.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/goeland.nix>
services.goeland.schedule

How often to run goeland, in systemd time format.

Type: string

Default: "12h"

Example: "Mon, 00:00:00"

Declared by:

<nixpkgs/nixos/modules/services/mail/goeland.nix>
services.goeland.settings

Configuration of goeland. See the example config file for the available options.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/goeland.nix>
services.goeland.stateDir

The data directory for goeland where the database will reside if using the unseen filter. If left as the default value this directory will automatically be created before the goeland server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path

Default: "/var/lib/goeland"

Declared by:

<nixpkgs/nixos/modules/services/mail/goeland.nix>
services.gollum.enable

Whether to enable Gollum, a git-powered wiki service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.package

The gollum package to use.

Type: package

Default: pkgs.gollum

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.address

IP address on which the web server will listen.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.allowUploads

Enable uploads of external files

Type: null or one of “dir”, “page”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.branch

Git branch to serve

Type: string

Default: "master"

Example: "develop"

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.emoji

Parse and interpret emoji tags

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.extraConfig

Content of the configuration file

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.group

Specifies the owner group of the wiki directory

Type: string

Default: "gollum"

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.h1-title

Use the first h1 as page title

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.local-time

Use the browser’s local timezone instead of the server’s for displaying dates.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.math

Enable support for math rendering using KaTeX

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.no-edit

Disable editing pages

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.port

Port on which the web server will run.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4567

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.stateDir

Specifies the path of the repository directory. If it does not exist, Gollum will create it on startup.

Type: path

Default: "/var/lib/gollum"

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.user

Specifies the owner of the wiki directory

Type: string

Default: "gollum"

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gollum.user-icons

Enable specific user icons for history view

Type: null or one of “gravatar”, “identicon”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gollum.nix>
services.gonic.enable

Whether to enable Gonic music server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/gonic.nix>
services.gonic.settings

Configuration for Gonic, see https://github.com/sentriz/gonic#configuration-options for supported values.

Type: attribute set of (atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default:

{
  cache-path = "/var/cache/gonic";
  listen-addr = "127.0.0.1:4747";
  tls-cert = null;
  tls-key = null;
}

Example:

{
  music-path = [
    "/mnt/music"
  ];
  podcast-path = "/mnt/podcasts";
}

Declared by:

<nixpkgs/nixos/modules/services/audio/gonic.nix>
services.goss.enable

Whether to enable Goss daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/goss.nix>
services.goss.package

The goss package to use.

Type: package

Default: pkgs.goss

Declared by:

<nixpkgs/nixos/modules/services/monitoring/goss.nix>
services.goss.environment

Environment variables to set for the goss service.

See https://github.com/goss-org/goss/blob/master/docs/manual.md

Type: attribute set of string

Default: { }

Example:

{
  GOSS_FMT = "json";
  GOSS_LISTEN = ":8080";
  GOSS_LOGLEVEL = "FATAL";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/goss.nix>
services.goss.settings

The global options in config file in yaml format.

Refer to https://github.com/goss-org/goss/blob/master/docs/goss-json-schema.yaml for schema.

Type: YAML value

Default: { }

Example:

{
  addr = {
    "tcp://localhost:8080" = {
      local-address = "127.0.0.1";
      reachable = true;
    };
  };
  service = {
    goss = {
      enabled = true;
      running = true;
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/goss.nix>
services.gotenberg.enable

Whether to enable Gotenberg, a stateless API for PDF files.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.enableBasicAuth

HTTP Basic Authentication.

If you set this, be sure to set GOTENBERG_API_BASIC_AUTH_USERNAMEand GOTENBERG_API_BASIC_AUTH_PASSWORD in your services.gotenberg.environmentFile file.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.package

The gotenberg package to use.

Type: package

Default: pkgs.gotenberg

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.chromium.package

The chromium package to use.

Type: package

Default: pkgs.chromium

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.chromium.autoStart

Automatically start chromium when Gotenberg starts. If false, Chromium will start on the first conversion request that uses it.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.chromium.disableJavascript

Disable Javascript execution.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.chromium.disableRoutes

Disable all routes allowing Chromium-based conversion.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.chromium.maxQueueSize

Maximum queue size for chromium-based conversions. Setting to 0 disables the limit.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.environmentFile

Environment file to load extra environment variables from.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.extraArgs

Any extra command-line flags to pass to the Gotenberg service.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.extraFontPackages

Extra fonts to make available.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.libreoffice.package

The libreoffice package to use.

Type: package

Default: pkgs.libreoffice

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.libreoffice.autoStart

Automatically start LibreOffice when Gotenberg starts. If false, Chromium will start on the first conversion request that uses it.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.libreoffice.disableRoutes

Disable all routes allowing LibreOffice-based conversion.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.libreoffice.maxQueueSize

Maximum queue size for LibreOffice-based conversions. Setting to 0 disables the limit.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.libreoffice.restartAfter

Restart LibreOffice after this many conversions. Setting to 0 disables this feature.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.logLevel

The logging level for Gotenberg.

Type: one of “error”, “warn”, “info”, “debug”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.pdfEngines

PDF engines to enable. Each one can be used to perform a specific task. See the documentation for more details. Defaults to all possible PDF engines.

Type: list of (one of “pdftk”, “qpdf”, “libreoffice-pdfengine”, “exiftool”, “pdfcpu”)

Default:

[
  "pdftk"
  "qpdf"
  "libreoffice-pdfengine"
  "exiftool"
  "pdfcpu"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.port

Port on which the API should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.rootPath

Root path for the Gotenberg API.

Type: string

Default: "/"

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotenberg.timeout

Timeout for API requests.

Type: null or string

Default: "30s"

Declared by:

<nixpkgs/nixos/modules/services/misc/gotenberg.nix>
services.gotify.enable

Whether to enable Gotify webserver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gotify-server.nix>
services.gotify.package

The gotify-server package to use.

Type: package

Default: pkgs.gotify-server

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gotify-server.nix>
services.gotify.environment

Config environment variables for the gotify-server. See https://gotify.net/docs/config for more details.

Type: attribute set of (string or signed integer)

Default: { }

Example:

{
  GOTIFY_DATABASE_DIALECT = "sqlite3";
  GOTIFY_SERVER_PORT = 8080;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gotify-server.nix>
services.gotify.environmentFiles

Files containing additional config environment variables for gotify-server. Secrets should be set in environmentFiles instead of environment.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gotify-server.nix>
services.gotify.stateDirectoryName

The name of the directory below /var/lib where gotify stores its runtime data.

Type: string

Default: "gotify-server"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gotify-server.nix>
services.gotosocial.enable

Whether to enable ActivityPub social network server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gotosocial.nix>
services.gotosocial.package

The gotosocial package to use.

Type: package

Default: pkgs.gotosocial

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gotosocial.nix>
services.gotosocial.environmentFile

File path containing environment variables for configuring the GoToSocial service in the format of an EnvironmentFile as described by systemd.exec(5).

This option could be used to pass sensitive configuration to the GoToSocial daemon.

Please refer to the Environment Variables section in the documentation.

Type: null or path

Default: null

Example: "/root/nixos/secrets/gotosocial.env"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gotosocial.nix>
services.gotosocial.openFirewall

Open the configured port in the firewall. Using a reverse proxy instead is highly recommended.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gotosocial.nix>
services.gotosocial.settings

Contents of the GoToSocial YAML config.

Please refer to the documentation and example config.

Please note that the host option cannot be changed later so it is important to configure this correctly before you start GoToSocial.

Type: YAML value

Default:

{
  application-name = "gotosocial";
  bind-address = "127.0.0.1";
  db-address = "/var/lib/gotosocial/database.sqlite";
  db-type = "sqlite";
  port = 8080;
  protocol = "https";
  storage-local-base-path = "/var/lib/gotosocial/storage";
}

Example:

{
  application-name = "My GoToSocial";
  host = "gotosocial.example.com";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gotosocial.nix>
services.gotosocial.setupPostgresqlDB

Whether to setup a local postgres database and populate the db-type fields in services.gotosocial.settings.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/gotosocial.nix>
services.govee2mqtt.enable

Whether to enable Govee2MQTT.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/govee2mqtt.nix>
services.govee2mqtt.package

The govee2mqtt package to use.

Type: package

Default: pkgs.govee2mqtt

Declared by:

<nixpkgs/nixos/modules/services/home-automation/govee2mqtt.nix>
services.govee2mqtt.environmentFile

Environment file as defined in systemd.exec(5).

See upstream documentation https://github.com/wez/govee2mqtt/blob/main/docs/CONFIG.md.

Type: path

Example: "/var/lib/govee2mqtt/govee2mqtt.env"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/govee2mqtt.nix>
services.govee2mqtt.group

Group under which Govee2MQTT should run.

Type: string

Default: "govee2mqtt"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/govee2mqtt.nix>
services.govee2mqtt.user

User under which Govee2MQTT should run.

Type: string

Default: "govee2mqtt"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/govee2mqtt.nix>
services.goxlr-utility.enable

Whether to enable goxlr-utility for controlling your TC-Helicon GoXLR or GoXLR Mini

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/goxlr-utility.nix>
services.goxlr-utility.package

The goxlr-utility package to use.

Type: package

Default: pkgs.goxlr-utility

Declared by:

<nixpkgs/nixos/modules/services/audio/goxlr-utility.nix>
services.goxlr-utility.autoStart.xdg

Start the daemon automatically using XDG autostart. Sets xdg.autostart.enable = true if not already enabled.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/audio/goxlr-utility.nix>
services.gpm.enable

Whether to enable GPM, the General Purpose Mouse daemon, which enables mouse support in virtual consoles.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/ttys/gpm.nix>
services.gpm.protocol

Mouse protocol to use.

Type: string

Default: "ps/2"

Declared by:

<nixpkgs/nixos/modules/services/ttys/gpm.nix>
services.gpsd.enable

Whether to enable gpsd, a GPS service daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gpsd.nix>
services.gpsd.debugLevel

The debugging level.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/gpsd.nix>
services.gpsd.devices

List of devices that gpsd should subscribe to.

A device may be a local serial device for GPS input, or a URL of the form: [{dgpsip|ntrip}://][user:passwd@]host[:port][/stream] in which case it specifies an input source for DGPS or ntrip data.

Type: list of string

Default:

[
  "/dev/ttyUSB0"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/gpsd.nix>
services.gpsd.extraArgs

A list of extra command line arguments to pass to gpsd. Check gpsd(8) mangpage for possible arguments.

Type: list of string

Default: [ ]

Example:

[
  "-r"
  "-s"
  "19200"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/gpsd.nix>
services.gpsd.listenany

Listen on all addresses rather than just loopback.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gpsd.nix>
services.gpsd.nowait

don’t wait for client connects to poll GPS

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/gpsd.nix>
services.gpsd.port

The port where to listen for TCP connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2947

Declared by:

<nixpkgs/nixos/modules/services/misc/gpsd.nix>
services.gpsd.readonly

Whether to enable the broken-device-safety, otherwise known as read-only mode. Some popular bluetooth and USB receivers lock up or become totally inaccessible when probed or reconfigured. This switch prevents gpsd from writing to a receiver. This means that gpsd cannot configure the receiver for optimal performance, but it also means that gpsd cannot break the receiver. A better solution would be for Bluetooth to not be so fragile. A platform independent method to identify serial-over-Bluetooth devices would also be nice.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/gpsd.nix>
services.grafana.enable

Whether to enable grafana.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.package

The grafana package to use.

Type: package

Default: pkgs.grafana

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.dataDir

Data directory.

Type: path

Default: "/var/lib/grafana"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.declarativePlugins

If non-null, then a list of packages containing Grafana plugins to install. If set, plugins cannot be manually installed.

Type: null or (list of path)

Default: null

Example: with pkgs.grafanaPlugins; [ grafana-piechart-panel ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.enable

Whether to enable provision.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.contactPoints.path

Path to YAML contact points configuration. Can’t be used with services.grafana.provision.alerting.contactPoints.settings simultaneously. Can be either a directory or a single YAML file. Will end up in the store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.contactPoints.settings

Grafana contact points configuration in Nix. Can’t be used with services.grafana.provision.alerting.contactPoints.path simultaneously. See https://grafana.com/docs/grafana/latest/administration/provisioning/#contact-points for supported options.

Type: null or (submodule)

Default: null

Example:

{
  apiVersion = 1;

  contactPoints = [{
    orgId = 1;
    name = "cp_1";
    receivers = [{
      uid = "first_uid";
      type = "prometheus-alertmanager";
      settings.url = "http://test:9000";
    }];
  }];

  deleteContactPoints = [{
    orgId = 1;
    uid = "first_uid";
  }];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.contactPoints.settings.apiVersion

Config file version.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.contactPoints.settings.contactPoints

List of contact points to import or update.

Type: list of (YAML value)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.contactPoints.settings.contactPoints.*.name

Name of the contact point. Required.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.contactPoints.settings.deleteContactPoints

List of receivers that should be deleted.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.contactPoints.settings.deleteContactPoints.*.orgId

Organization ID, default = 1.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.contactPoints.settings.deleteContactPoints.*.uid

Unique identifier for the receiver. Required.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.muteTimings.path

Path to YAML mute timings configuration. Can’t be used with services.grafana.provision.alerting.muteTimings.settings simultaneously. Can be either a directory or a single YAML file. Will end up in the store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.muteTimings.settings

Grafana mute timings configuration in Nix. Can’t be used with services.grafana.provision.alerting.muteTimings.path simultaneously. See https://grafana.com/docs/grafana/latest/administration/provisioning/#mute-timings for supported options.

Type: null or (submodule)

Default: null

Example:

{
  apiVersion = 1;

  muteTimes = [{
    orgId = 1;
    name = "mti_1";
    time_intervals = [{
      times = [{
        start_time = "06:00";
        end_time = "23:59";
      }];
      weekdays = [
        "monday:wednesday"
        "saturday"
        "sunday"
      ];
      months = [
        "1:3"
        "may:august"
        "december"
      ];
      years = [
        "2020:2022"
        "2030"
      ];
      days_of_month = [
        "1:5"
        "-3:-1"
      ];
    }];
  }];

  deleteMuteTimes = [{
    orgId = 1;
    name = "mti_1";
  }];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.muteTimings.settings.apiVersion

Config file version.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.muteTimings.settings.deleteMuteTimes

List of mute time intervals that should be deleted.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.muteTimings.settings.deleteMuteTimes.*.name

Name of the mute time interval, must be unique. Required.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.muteTimings.settings.deleteMuteTimes.*.orgId

Organization ID, default = 1.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.muteTimings.settings.muteTimes

List of mute time intervals to import or update.

Type: list of (YAML value)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.muteTimings.settings.muteTimes.*.name

Name of the mute time interval, must be unique. Required.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.policies.path

Path to YAML notification policies configuration. Can’t be used with services.grafana.provision.alerting.policies.settings simultaneously. Can be either a directory or a single YAML file. Will end up in the store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.policies.settings

Grafana notification policies configuration in Nix. Can’t be used with services.grafana.provision.alerting.policies.path simultaneously. See https://grafana.com/docs/grafana/latest/administration/provisioning/#notification-policies for supported options.

Type: null or (submodule)

Default: null

Example:

{
  apiVersion = 1;

  policies = [{
    orgId = 1;
    receiver = "grafana-default-email";
    group_by = [ "..." ];
    matchers = [
      "alertname = Watchdog"
      "severity =~ \"warning|critical\""
    ];
    mute_time_intervals = [
      "abc"
    ];
    group_wait = "30s";
    group_interval = "5m";
    repeat_interval = "4h";
  }];

  resetPolicies = [
    1
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.policies.settings.apiVersion

Config file version.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.policies.settings.policies

List of contact points to import or update.

Type: list of (YAML value)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.policies.settings.resetPolicies

List of orgIds that should be reset to the default policy.

Type: list of signed integer

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.rules.path

Path to YAML rules configuration. Can’t be used with services.grafana.provision.alerting.rules.settings simultaneously. Can be either a directory or a single YAML file. Will end up in the store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.rules.settings

Grafana rules configuration in Nix. Can’t be used with services.grafana.provision.alerting.rules.path simultaneously. See https://grafana.com/docs/grafana/latest/administration/provisioning/#rules for supported options.

Type: null or (submodule)

Default: null

Example:

{
  apiVersion = 1;

  groups = [{
    orgId = 1;
    name = "my_rule_group";
    folder = "my_first_folder";
    interval = "60s";
    rules = [{
      uid = "my_id_1";
      title = "my_first_rule";
      condition = "A";
      data = [{
        refId = "A";
        datasourceUid = "-100";
        model = {
          conditions = [{
            evaluator = {
              params = [ 3 ];
              type = "git";
            };
            operator.type = "and";
            query.params = [ "A" ];
            reducer.type = "last";
            type = "query";
          }];
          datasource = {
            type = "__expr__";
            uid = "-100";
          };
          expression = "1==0";
          intervalMs = 1000;
          maxDataPoints = 43200;
          refId = "A";
          type = "math";
        };
      }];
      dashboardUid = "my_dashboard";
      panelId = 123;
      noDataState = "Alerting";
      for = "60s";
      annotations.some_key = "some_value";
      labels.team = "sre_team1";
    }];
  }];

  deleteRules = [{
    orgId = 1;
    uid = "my_id_1";
  }];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.rules.settings.apiVersion

Config file version.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.rules.settings.deleteRules

List of alert rule UIDs that should be deleted.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.rules.settings.deleteRules.*.orgId

Organization ID, default = 1

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.rules.settings.deleteRules.*.uid

Unique identifier for the rule. Required.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.rules.settings.groups

List of rule groups to import or update.

Type: list of (YAML value)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.rules.settings.groups.*.folder

Name of the folder the rule group will be stored in. Required.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.rules.settings.groups.*.interval

Interval that the rule group should be evaluated at. Required.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.rules.settings.groups.*.name

Name of the rule group. Required.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.templates.path

Path to YAML templates configuration. Can’t be used with services.grafana.provision.alerting.templates.settings simultaneously. Can be either a directory or a single YAML file. Will end up in the store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.templates.settings

Grafana templates configuration in Nix. Can’t be used with services.grafana.provision.alerting.templates.path simultaneously. See https://grafana.com/docs/grafana/latest/administration/provisioning/#templates for supported options.

Type: null or (submodule)

Default: null

Example:

{
  apiVersion = 1;

  templates = [{
    orgId = 1;
    name = "my_first_template";
    template = "Alerting with a custom text template";
  }];

  deleteTemplates = [{
    orgId = 1;
    name = "my_first_template";
  }];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.templates.settings.apiVersion

Config file version.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.templates.settings.deleteTemplates

List of alert rule UIDs that should be deleted.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.templates.settings.deleteTemplates.*.name

Name of the template, must be unique. Required.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.templates.settings.deleteTemplates.*.orgId

Organization ID, default = 1.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.templates.settings.templates

List of templates to import or update.

Type: list of (YAML value)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.templates.settings.templates.*.name

Name of the template, must be unique. Required.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.alerting.templates.settings.templates.*.template

Alerting with a custom text template

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.dashboards

Declaratively provision Grafana’s dashboards.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.dashboards.path

Path to YAML dashboard configuration. Can’t be used with services.grafana.provision.dashboards.settings simultaneously. Can be either a directory or a single YAML file. Will end up in the store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.dashboards.settings

Grafana dashboard configuration in Nix. Can’t be used with services.grafana.provision.dashboards.path simultaneously. See https://grafana.com/docs/grafana/latest/administration/provisioning/#dashboards for supported options.

Type: null or (submodule)

Default: null

Example:

{
  apiVersion = 1;

  providers = [{
      name = "default";
      options.path = "/var/lib/grafana/dashboards";
  }];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.dashboards.settings.apiVersion

Config file version.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.dashboards.settings.providers

List of dashboards to insert/update.

Type: list of (YAML value)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.dashboards.settings.providers.*.name

A unique provider name.

Type: string

Default: "default"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.dashboards.settings.providers.*.options.path

Path grafana will watch for dashboards. Required when using the ‘file’ type.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.dashboards.settings.providers.*.type

Dashboard provider type.

Type: string

Default: "file"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources

Declaratively provision Grafana’s datasources.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.path

Path to YAML datasource configuration. Can’t be used with services.grafana.provision.datasources.settings simultaneously. Can be either a directory or a single YAML file. Will end up in the store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings

Grafana datasource configuration in Nix. Can’t be used with services.grafana.provision.datasources.path simultaneously. See https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources for supported options.

Type: null or (submodule)

Default: null

Example:

{
  apiVersion = 1;

  datasources = [{
    name = "Graphite";
    type = "graphite";
  }];

  deleteDatasources = [{
    name = "Graphite";
    orgId = 1;
  }];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings.apiVersion

Config file version.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings.datasources

List of datasources to insert/update.

Type: list of (YAML value)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings.datasources.*.access

Access mode. proxy or direct (Server or Browser in the UI). Required.

Type: one of “proxy”, “direct”

Default: "proxy"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings.datasources.*.editable

Allow users to edit datasources from the UI.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings.datasources.*.jsonData

Extra data for datasource plugins.

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings.datasources.*.name

Name of the datasource. Required.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings.datasources.*.secureJsonData

Datasource specific secure configuration. Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings.datasources.*.type

Datasource type. Required.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings.datasources.*.uid

Custom UID which can be used to reference this datasource in other parts of the configuration, if not specified will be generated automatically.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings.datasources.*.url

Url of the datasource.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings.deleteDatasources

List of datasources that should be deleted from the database.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings.deleteDatasources.*.name

Name of the datasource to delete.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.provision.datasources.settings.deleteDatasources.*.orgId

Organization ID of the datasource to delete.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings

Grafana settings. See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/ for available options. INI format is used.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a non-empty list of them)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.analytics.check_for_plugin_updates

When set to false, disables checking for new versions of installed plugins from https://grafana.com. When enabled, the check for a new plugin runs every 10 minutes. It will notify, via the UI, when a new plugin update exists. The check itself will not prompt any auto-updates of the plugin, nor will it send any sensitive information.

Type: boolean

Default: cfg.declarativePlugins == null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.analytics.check_for_updates

When set to false, disables checking for new versions of Grafana from Grafana’s GitHub repository. When enabled, the check for a new version runs every 10 minutes. It will notify, via the UI, when a new version is available. The check itself will not prompt any auto-updates of the Grafana software, nor will it send any sensitive information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.analytics.feedback_links_enabled

Set to false to remove all feedback links from the UI.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.analytics.reporting_enabled

When enabled Grafana will send anonymous usage statistics to stats.grafana.org. No IP addresses are being tracked, only simple counters to track running instances, versions, dashboard and error counts. Counters are sent every 24 hours.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.ca_cert_path

The path to the CA certificate to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.cache_mode

For sqlite3 only. Shared cache setting used for connecting to the database.

Type: one of “private”, “shared”

Default: "private"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.client_cert_path

The path to the client cert. Only if server requires client authentication.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.client_key_path

The path to the client key. Only if server requires client authentication.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.conn_max_lifetime

Sets the maximum amount of time a connection may be reused. The default is 14400 (which means 14400 seconds or 4 hours). For MySQL, this setting should be shorter than the wait_timeout variable.

Type: signed integer

Default: 14400

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.host

Only applicable to MySQL or Postgres. Includes IP or hostname and port or in case of Unix sockets the path to it. For example, for MySQL running on the same host as Grafana: host = "127.0.0.1:3306" or with Unix sockets: host = "/var/run/mysqld/mysqld.sock"

Type: string

Default: "127.0.0.1:3306"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.isolation_level

Only the MySQL driver supports isolation levels in Grafana. In case the value is empty, the driver’s default isolation level is applied.

Type: null or one of “READ-UNCOMMITTED”, “READ-COMMITTED”, “REPEATABLE-READ”, “SERIALIZABLE”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.locking_attempt_timeout_sec

For mysql, if the migrationLocking feature toggle is set, specify the time (in seconds) to wait before failing to lock the database for the migrations.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.log_queries

Set to true to log the sql calls and execution times

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.max_idle_conn

The maximum number of connections in the idle connection pool.

Type: signed integer

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.max_open_conn

The maximum number of open connections to the database.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.name

The name of the Grafana database.

Type: string

Default: "grafana"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.password

The database user’s password (not applicable for sqlite3).

Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.path

Only applicable to sqlite3 database. The file path where the database will be stored.

Type: path

Default: "${config.services.grafana.dataDir}/data/grafana.db"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.query_retries

This setting applies to sqlite3 only and controls the number of times the system retries a query when the database is locked.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.server_cert_name

The common name field of the certificate used by the mysql or postgres server. Not necessary if ssl_mode is set to skip-verify.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.ssl_mode

For Postgres, use either disable, require or verify-full. For MySQL, use either true, false, or skip-verify.

Type: one of “disable”, “require”, “verify-full”, “true”, “false”, “skip-verify”

Default: "disable"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.transaction_retries

This setting applies to sqlite3 only and controls the number of times the system retries a transaction when the database is locked.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.type

Database type.

Type: one of “mysql”, “sqlite3”, “postgres”

Default: "sqlite3"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.user

The database user (not applicable for sqlite3).

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.database.wal

For sqlite3 only. Setting to enable/disable Write-Ahead Logging.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.paths.plugins

Directory where grafana will automatically scan and look for plugins

Type: path

Default: if (cfg.declarativePlugins == null) then "${cfg.dataDir}/plugins" else declarativePlugins

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.paths.provisioning

Folder that contains provisioning config files that grafana will apply on startup and while running. Don’t change the value of this option if you are planning to use services.grafana.provision options.

Type: path

Default: "directory with links to files generated from services.grafana.provision"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.admin_email

The email of the default Grafana Admin, created on startup.

Type: string

Default: "admin@localhost"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.admin_password

Default admin password. Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider

Type: string

Default: "admin"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.admin_user

Default admin username.

Type: string

Default: "admin"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.allow_embedding

When false, the HTTP header X-Frame-Options: deny will be set in Grafana HTTP responses which will instruct browsers to not allow rendering Grafana in a <frame>, <iframe>, <embed> or <object>. The main goal is to mitigate the risk of Clickjacking.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.content_security_policy

Set to true to add the Content-Security-Policy header to your requests. CSP allows to control resources that the user agent can load and helps prevent XSS attacks.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.content_security_policy_report_only

Set to true to add the Content-Security-Policy-Report-Only header to your requests. CSP in Report Only mode enables you to experiment with policies by monitoring their effects without enforcing them. You can enable both policies simultaneously.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.cookie_samesite

Sets the SameSite cookie attribute and prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. This setting also provides some protection against cross-site request forgery attacks (CSRF), read more about SameSite here. Using value disabled does not add any SameSite attribute to cookies.

Type: one of “lax”, “strict”, “none”, “disabled”

Default: "lax"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.cookie_secure

Set to true if you host Grafana behind HTTPS.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.csrf_additional_headers

List of allowed headers to be set by the user. Suggested to use for if authentication lives behind reverse proxies.

Type: string or list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.csrf_trusted_origins

List of additional allowed URLs to pass by the CSRF check. Suggested when authentication comes from an IdP.

Type: string or list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.data_source_proxy_whitelist

Define a whitelist of allowed IP addresses or domains, with ports, to be used in data source URLs with the Grafana data source proxy. Format: ip_or_domain:port separated by spaces. PostgreSQL, MySQL, and MSSQL data sources do not use the proxy and are therefore unaffected by this setting.

Type: string or list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.disable_brute_force_login_protection

Set to true to disable brute force login protection.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.disable_gravatar

Set to true to disable the use of Gravatar for user profile images.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.disable_initial_admin_creation

Disable creation of admin user on first start of Grafana.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.secret_key

Secret key used for signing. Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider

Type: string

Default: "SW2YcwTIb9zpOOhoPsMm"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.strict_transport_security

Set to true if you want to enable HTTP Strict-Transport-Security (HSTS) response header. Only use this when HTTPS is enabled in your configuration, or when there is another upstream system that ensures your application does HTTPS (like a frontend load balancer). HSTS tells browsers that the site should only be accessed using HTTPS.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.strict_transport_security_max_age_seconds

Sets how long a browser should cache HSTS in seconds. Only applied if strict_transport_security is enabled.

Type: signed integer

Default: 86400

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.strict_transport_security_preload

Set to true to enable HSTS preloading option. Only applied if strict_transport_security is enabled.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.strict_transport_security_subdomains

Set to true to enable HSTS includeSubDomains option. Only applied if strict_transport_security is enabled.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.x_content_type_options

Set to false to disable the X-Content-Type-Options response header. The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.security.x_xss_protection

Set to false to disable the X-XSS-Protection header, which tells browsers to stop pages from loading when they detect reflected cross-site scripting (XSS) attacks.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.enable_gzip

Set this option to true to enable HTTP compression, this can improve transfer speed and bandwidth utilization. It is recommended that most users set it to true. By default it is set to false for compatibility reasons.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.cdn_url

Specify a full HTTP URL address to the root of your Grafana CDN assets. Grafana will add edition and version paths.

For example, given a cdn url like https://cdn.myserver.com grafana will try to load a javascript file from http://cdn.myserver.com/grafana-oss/7.4.0/public/build/app.<hash>.js.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.cert_file

Path to the certificate file (if protocol is set to https or h2).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.cert_key

Path to the certificate key file (if protocol is set to https or h2).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.domain

The public facing domain name used to access grafana from a browser.

This setting is only used in the default value of the root_url setting. If you set the latter manually, this option does not have to be specified.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.enforce_domain

Redirect to correct domain if the host header does not match the domain. Prevents DNS rebinding attacks.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.http_addr

Listening address.

Note

This setting intentionally varies from upstream’s default to be a bit more secure by default.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.http_port

Listening port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.protocol

Which protocol to listen.

Type: one of “http”, “https”, “h2”, “socket”

Default: "http"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.read_timeout

Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections. 0 means there is no timeout for reading the request.

Type: string

Default: "0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.root_url

This is the full URL used to access Grafana from a web browser. This is important if you use Google or GitHub OAuth authentication (for the callback URL to be correct).

This setting is also important if you have a reverse proxy in front of Grafana that exposes it through a subpath. In that case add the subpath to the end of this URL setting.

Type: string

Default: "%(protocol)s://%(domain)s:%(http_port)s/"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.router_logging

Set to true for Grafana to log all HTTP requests (not just errors). These are logged as Info level events to the Grafana log.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.serve_from_sub_path

Serve Grafana from subpath specified in the root_url setting. By default it is set to false for compatibility reasons.

By enabling this setting and using a subpath in root_url above, e.g. root_url = "http://localhost:3000/grafana", Grafana is accessible on http://localhost:3000/grafana. If accessed without subpath, Grafana will redirect to an URL with the subpath.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.socket

Path where the socket should be created when protocol=socket. Make sure that Grafana has appropriate permissions before you change this setting.

Type: string

Default: "/run/grafana/grafana.sock"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.socket_gid

GID where the socket should be set when protocol=socket. Make sure that the target group is in the group of Grafana process and that Grafana process is the file owner before you change this setting. It is recommended to set the gid as http server user gid. Not set when the value is -1.

Type: signed integer

Default: -1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.socket_mode

Mode where the socket should be set when protocol=socket. Make sure that Grafana process is the file owner before you change this setting.

Type: string

Default: "0660"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.server.static_root_path

Root path for static assets.

Type: string

Default: "${package}/share/grafana/public"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.smtp.enabled

Whether to enable SMTP.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.smtp.cert_file

File path to a cert file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.smtp.ehlo_identity

Name to be used as client identity for EHLO in SMTP dialog.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.smtp.from_address

Address used when sending out emails.

Type: string

Default: "admin@grafana.localhost"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.smtp.from_name

Name to be used as client identity for EHLO in SMTP dialog.

Type: string

Default: "Grafana"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.smtp.host

Host to connect to.

Type: string

Default: "localhost:25"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.smtp.key_file

File path to a key file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.smtp.password

Password used for authentication. Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.smtp.skip_verify

Verify SSL for SMTP server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.smtp.startTLS_policy

StartTLS policy when connecting to server.

Type: null or one of “OpportunisticStartTLS”, “MandatoryStartTLS”, “NoStartTLS”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.smtp.user

User used for authentication.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.allow_org_create

Set to false to prohibit users from creating new organizations.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.allow_sign_up

Set to false to prohibit users from being able to sign up / create user accounts. The admin user can still create users.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.auto_assign_org

Set to true to automatically add new users to the main organization (id 1). When set to false, new users automatically cause a new organization to be created for that new user. The organization will be created even if the allow_org_create setting is set to false.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.auto_assign_org_id

Set this value to automatically add new users to the provided org. This requires auto_assign_org to be set to true. Please make sure that this organization already exists.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.auto_assign_org_role

The role new users will be assigned for the main organization (if the auto_assign_org setting is set to true).

Type: one of “Viewer”, “Editor”, “Admin”

Default: "Viewer"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.default_language

This setting configures the default UI language, which must be a supported IETF language tag, such as en-US.

Type: string

Default: "en-US"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.default_theme

Sets the default UI theme. system matches the user’s system theme.

Type: one of “dark”, “light”, “system”

Default: "dark"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.editors_can_admin

Editors can administrate dashboards, folders and teams they create.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.hidden_users

This is a comma-separated list of usernames. Users specified here are hidden in the Grafana UI. They are still visible to Grafana administrators and to themselves.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.home_page

Path to a custom home page. Users are only redirected to this if the default home dashboard is used. It should match a frontend route and contain a leading slash.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.login_hint

Text used as placeholder text on login page for login/username input.

Type: string

Default: "email or username"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.password_hint

Text used as placeholder text on login page for password input.

Type: string

Default: "password"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.user_invite_max_lifetime_duration

The duration in time a user invitation remains valid before expiring. This setting should be expressed as a duration. Examples: 6h (hours), 2d (days), 1w (week). The minimum supported duration is 15m (15 minutes).

Type: string

Default: "24h"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.verify_email_enabled

Require email validation before sign up completes.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana.settings.users.viewers_can_edit

Viewers can access and use Explore and perform temporary edits on panels in dashboards they have access to. They cannot save their changes.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana.nix>
services.grafana-agent.enable

Whether to enable grafana-agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-agent.nix>
services.grafana-agent.package

The grafana-agent package to use.

Type: package

Default: pkgs.grafana-agent

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-agent.nix>
services.grafana-agent.credentials

Credentials to load at service startup. Keys that are UPPER_SNAKE will be loaded as env vars. Values are absolute paths to the credentials.

Type: attribute set of string

Default: { }

Example:

{
  LOGS_REMOTE_WRITE_URL = "/run/keys/grafana_agent_logs_remote_write_url";
  LOGS_REMOTE_WRITE_USERNAME = "/run/keys/grafana_agent_logs_remote_write_username";
  METRICS_REMOTE_WRITE_URL = "/run/keys/grafana_agent_metrics_remote_write_url";
  METRICS_REMOTE_WRITE_USERNAME = "/run/keys/grafana_agent_metrics_remote_write_username";
  logs_remote_write_password = "/run/keys/grafana_agent_logs_remote_write_password";
  metrics_remote_write_password = "/run/keys/grafana_agent_metrics_remote_write_password";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-agent.nix>
services.grafana-agent.extraFlags

Extra command-line flags passed to grafana-agent.

See https://grafana.com/docs/agent/latest/static/configuration/flags/

Type: list of string

Default: [ ]

Example:

[
  "-enable-features=integrations-next"
  "-disable-reporting"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-agent.nix>
services.grafana-agent.settings

Configuration for grafana-agent.

See https://grafana.com/docs/agent/latest/configuration/

Type: YAML value

Default:

{
  metrics = {
    wal_directory = "\${STATE_DIRECTORY}";
    global.scrape_interval = "5s";
  };
  integrations = {
    agent.enabled = true;
    agent.scrape_integration = true;
    node_exporter.enabled = true;
  };
}

Example:

{
  logs = {
    configs = [
      {
        clients = [
          {
            basic_auth = {
              password_file = "\${CREDENTIALS_DIRECTORY}/logs_remote_write_password";
              username = "\${LOGS_REMOTE_WRITE_USERNAME}";
            };
            url = "\${LOGS_REMOTE_WRITE_URL}";
          }
        ];
        name = "default";
        positions = {
          filename = "\${STATE_DIRECTORY}/loki_positions.yaml";
        };
        scrape_configs = [
          {
            job_name = "journal";
            journal = {
              labels = {
                job = "systemd-journal";
              };
              max_age = "12h";
            };
            relabel_configs = [
              {
                source_labels = [
                  "__journal__systemd_unit"
                ];
                target_label = "systemd_unit";
              }
              {
                source_labels = [
                  "__journal__hostname"
                ];
                target_label = "nodename";
              }
              {
                source_labels = [
                  "__journal_syslog_identifier"
                ];
                target_label = "syslog_identifier";
              }
            ];
          }
        ];
      }
    ];
  };
  metrics = {
    global = {
      remote_write = [
        {
          basic_auth = {
            password_file = "\${CREDENTIALS_DIRECTORY}/metrics_remote_write_password";
            username = "\${METRICS_REMOTE_WRITE_USERNAME}";
          };
          url = "\${METRICS_REMOTE_WRITE_URL}";
        }
      ];
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-agent.nix>
services.grafana-image-renderer.enable

Whether to enable grafana-image-renderer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix>
services.grafana-image-renderer.chromium

The chromium to use for image rendering.

Type: package

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix>
services.grafana-image-renderer.provisionGrafana

Whether to enable Grafana configuration for grafana-image-renderer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix>
services.grafana-image-renderer.settings

Configuration attributes for grafana-image-renderer.

See https://github.com/grafana/grafana-image-renderer/blob/ce1f81438e5f69c7fd7c73ce08bab624c4c92e25/default.json for supported values.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix>
services.grafana-image-renderer.settings.rendering.args

List of CLI flags passed to chromium.

Type: list of string

Default:

[
  "--no-sandbox"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix>
services.grafana-image-renderer.settings.rendering.height

Height of the PNG used to display the alerting graph.

Type: positive integer, meaning >0

Default: 500

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix>
services.grafana-image-renderer.settings.rendering.mode

Rendering mode of grafana-image-renderer:

  • default: Creates on browser-instance per rendering request.

  • reusable: One browser instance will be started and reused for each rendering request.

  • clustered: allows to precisely configure how many browser-instances are supposed to be used. The values for that mode can be declared in rendering.clustering.

Type: one of “default”, “reusable”, “clustered”

Default: "default"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix>
services.grafana-image-renderer.settings.rendering.width

Width of the PNG used to display the alerting graph.

Type: positive integer, meaning >0

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix>
services.grafana-image-renderer.settings.service.logging.level

The log-level of the grafana-image-renderer.service-unit.

Type: one of “error”, “warning”, “info”, “debug”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix>
services.grafana-image-renderer.settings.service.port

The TCP port to use for the rendering server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8081

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix>
services.grafana-image-renderer.verbose

Whether to enable verbosity for the service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-image-renderer.nix>
services.grafana_reporter.enable

Whether to enable grafana_reporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-reporter.nix>
services.grafana_reporter.addr

Listening address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-reporter.nix>
services.grafana_reporter.grafana.addr

Grafana address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-reporter.nix>
services.grafana_reporter.grafana.port

Grafana port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-reporter.nix>
services.grafana_reporter.grafana.protocol

Grafana protocol.

Type: one of “http”, “https”

Default: "http"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-reporter.nix>
services.grafana_reporter.port

Listening port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8686

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-reporter.nix>
services.grafana_reporter.templateDir

Optional template directory to use custom tex templates

Type: string or path

Default: pkgs.grafana_reporter

Declared by:

<nixpkgs/nixos/modules/services/monitoring/grafana-reporter.nix>
services.graphite.carbon.enableAggregator

Whether to enable carbon aggregator, the carbon buffering service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.enableCache

Whether to enable carbon cache, the graphite storage daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.enableRelay

Whether to enable carbon relay, the carbon replication and sharding service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.aggregationRules

Defines if and how received metrics will be aggregated.

Type: null or string

Default: null

Example:

''
  <env>.applications.<app>.all.requests (60) = sum <env>.applications.<app>.*.requests
  <env>.applications.<app>.all.latency (60) = avg <env>.applications.<app>.*.latency
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.blacklist

Any metrics received which match one of the expressions will be dropped.

Type: null or string

Default: null

Example: "^some\\.noisy\\.metric\\.prefix\\..*"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.config

Content of carbon configuration file.

Type: string

Default:

''
  [cache]
  # Listen on localhost by default for security reasons
  UDP_RECEIVER_INTERFACE = 127.0.0.1
  PICKLE_RECEIVER_INTERFACE = 127.0.0.1
  LINE_RECEIVER_INTERFACE = 127.0.0.1
  CACHE_QUERY_INTERFACE = 127.0.0.1
  # Do not log every update
  LOG_UPDATES = False
  LOG_CACHE_HITS = False
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.relayRules

Relay rules are used to send certain metrics to a certain backend.

Type: null or string

Default: null

Example:

''
  [example]
  pattern = ^mydata\.foo\..+
  servers = 10.1.2.3, 10.1.2.4:2004, myserver.mydomain.com
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.rewriteRules

Regular expression patterns that can be used to rewrite metric names in a search and replace fashion.

Type: null or string

Default: null

Example:

''
  [post]
  _sum$ =
  _avg$ =
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.storageAggregation

Defines how to aggregate data to lower-precision retentions.

Type: null or string

Default: null

Example:

''
  [all_min]
  pattern = \.min$
  xFilesFactor = 0.1
  aggregationMethod = min
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.storageSchemas

Defines retention rates for storing metrics.

Type: null or string

Default: ""

Example:

''
  [apache_busyWorkers]
  pattern = ^servers\.www.*\.workers\.busyWorkers$
  retentions = 15s:7d,1m:21d,15m:5y
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.carbon.whitelist

Only metrics received which match one of the expressions will be persisted.

Type: null or string

Default: null

Example: ".*"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.dataDir

Data directory for graphite.

Type: path

Default: "/var/db/graphite"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.seyren.enable

Whether to enable seyren service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.seyren.extraConfig

Extra seyren configuration. See https://github.com/scobal/seyren#config

Type: attribute set of string

Default: { }

Example:

{
  GRAPHITE_USERNAME = "user";
  GRAPHITE_PASSWORD = "pass";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.seyren.graphiteUrl

Host where graphite service runs.

Type: string

Default: "http://${config.services.graphite.web.listenAddress}:${toString config.services.graphite.web.port}"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.seyren.mongoUrl

Mongodb connection string.

Type: string

Default: "mongodb://${config.services.mongodb.bind_ip}:27017/seyren"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.seyren.port

Seyren listening port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8081

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.seyren.seyrenUrl

Host where seyren is accessible.

Type: string

Default: "http://localhost:${toString config.services.graphite.seyren.port}/"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.web.enable

Whether to enable graphite web frontend.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.web.extraConfig

Graphite webapp settings. See: https://graphite.readthedocs.io/en/latest/config-local-settings.html

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.web.listenAddress

Graphite web frontend listen address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graphite.web.port

Graphite web frontend port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/monitoring/graphite.nix>
services.graylog.enable

Whether to enable Graylog, a log management solution.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.graylog.package

Graylog package to use.

Type: package

Default: pkgs.graylog-5_1

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.graylog.dataDir

Directory used to store Graylog server state.

Type: string

Default: "/var/lib/graylog/data"

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.graylog.elasticsearchHosts

List of valid URIs of the http ports of your elastic nodes. If one or more of your elasticsearch hosts require authentication, include the credentials in each node URI that requires authentication

Type: list of string

Example: [ "http://node1:9200" "http://user:password@node2:19200" ]

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.graylog.extraConfig

Any other configuration options you might want to add

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.graylog.isMaster

Whether this is the master instance of your Graylog cluster

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.graylog.messageJournalDir

The directory which will be used to store the message journal. The directory must be exclusively used by Graylog and must not contain any other files than the ones created by Graylog itself

Type: string

Default: "/var/lib/graylog/data/journal"

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.graylog.mongodbUri

MongoDB connection string. See http://docs.mongodb.org/manual/reference/connection-string/ for details

Type: string

Default: "mongodb://localhost/graylog"

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.graylog.nodeIdFile

Path of the file containing the graylog node-id

Type: string

Default: "/var/lib/graylog/server/node-id"

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.graylog.passwordSecret

You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters. Generate one by using for example: pwgen -N 1 -s 96

Type: string

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.graylog.plugins

Extra graylog plugins

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.graylog.rootPasswordSha2

You MUST specify a hash password for the root user (which you only need to initially set up the system and in case you lose connectivity to your authentication backend) This password cannot be changed using the API or via the web interface. If you need to change it, modify it here. Create one by using for example: echo -n yourpassword | shasum -a 256 and use the resulting hash value as string for the option

Type: string

Example: "e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e952"

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.graylog.rootUsername

Name of the default administrator user

Type: string

Default: "admin"

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.graylog.user

User account under which graylog runs

Type: string

Default: "graylog"

Declared by:

<nixpkgs/nixos/modules/services/logging/graylog.nix>
services.greenclip.enable

Whether to enable Greenclip, a clipboard manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/greenclip.nix>
services.greenclip.package

The greenclip package to use.

Type: package

Default: pkgs.haskellPackages.greenclip

Declared by:

<nixpkgs/nixos/modules/services/misc/greenclip.nix>
services.greetd.enable

Whether to enable greetd, a minimal and flexible login manager daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/display-managers/greetd.nix>
services.greetd.package

The greetd package to use.

Type: package

Default: pkgs.greetd.greetd

Declared by:

<nixpkgs/nixos/modules/services/display-managers/greetd.nix>
services.greetd.restart

Whether to restart greetd when it terminates (e.g. on failure). This is usually desirable so a user can always log in, but should be disabled when using ‘settings.initial_session’ (autologin), because every greetd restart will trigger the autologin again.

Type: boolean

Default: !(config.services.greetd.settings ? initial_session)

Declared by:

<nixpkgs/nixos/modules/services/display-managers/greetd.nix>
services.greetd.settings

greetd configuration (documentation) as a Nix attribute set.

Type: TOML value

Example:

{
  default_session = {
    command = "${pkgs.greetd.greetd}/bin/agreety --cmd sway";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/display-managers/greetd.nix>
services.greetd.vt

The virtual console (tty) that greetd should use. This option also disables getty on that tty.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/display-managers/greetd.nix>
services.grocy.enable

Whether to enable grocy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/grocy.nix>
services.grocy.package

The grocy package to use.

Type: package

Default: pkgs.grocy

Declared by:

<nixpkgs/nixos/modules/services/web-apps/grocy.nix>
services.grocy.dataDir

Home directory of the grocy user which contains the application’s state.

Type: string

Default: "/var/lib/grocy"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/grocy.nix>
services.grocy.hostName

FQDN for the grocy instance.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/grocy.nix>
services.grocy.nginx.enableSSL

Whether or not to enable SSL (with ACME and let’s encrypt) for the grocy vhost.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/grocy.nix>
services.grocy.phpfpm.settings

Options for grocy’s PHPFPM pool.

Type: attribute set of (signed integer or string or boolean)

Default:

{
  catch_workers_output = true;
  "listen.owner" = "nginx";
  "php_admin_flag[log_errors]" = true;
  "php_admin_value[error_log]" = "stderr";
  pm = "dynamic";
  "pm.max_children" = "32";
  "pm.max_requests" = "500";
  "pm.max_spare_servers" = "4";
  "pm.min_spare_servers" = "2";
  "pm.start_servers" = "2";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/grocy.nix>
services.grocy.settings.calendar.firstDayOfWeek

Which day of the week (0=Sunday, 1=Monday etc.) should be the first day.

Type: null or one of 0, 1, 2, 3, 4, 5, 6

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/grocy.nix>
services.grocy.settings.calendar.showWeekNumber

Show the number of the weeks in the calendar views.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/grocy.nix>
services.grocy.settings.culture

Display language of the frontend.

Type: one of “de”, “en”, “da”, “en_GB”, “es”, “fr”, “hu”, “it”, “nl”, “no”, “pl”, “pt_BR”, “ru”, “sk_SK”, “sv_SE”, “tr”

Default: "en"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/grocy.nix>
services.grocy.settings.currency

ISO 4217 code for the currency to display.

Type: string

Default: "USD"

Example: "EUR"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/grocy.nix>
services.gsignond.enable

Whether to enable gSignOn daemon, a DBus service which performs user authentication on behalf of its clients.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/gsignond.nix>
services.gsignond.plugins

What plugins to use with the gSignOn daemon.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/desktops/gsignond.nix>
services.guacamole-client.enable

Whether to enable Apache Guacamole Client (Tomcat).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/guacamole-client.nix>
services.guacamole-client.enableWebserver

Enable the Guacamole web application in a Tomcat webserver.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/guacamole-client.nix>
services.guacamole-client.package

The guacamole-client package to use.

Type: package

Default: pkgs.guacamole-client

Declared by:

<nixpkgs/nixos/modules/services/web-apps/guacamole-client.nix>
services.guacamole-client.settings

Configuration written to guacamole.properties.

Note

The Guacamole web application uses one main configuration file called guacamole.properties. This file is the common location for all configuration properties read by Guacamole or any extension of Guacamole, including authentication providers.

Type: attribute set of (string, package, bool, int or float)

Default:

{
  guacd-hostname = "localhost";
  guacd-port = 4822;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/guacamole-client.nix>
services.guacamole-server.enable

Whether to enable Apache Guacamole Server (guacd).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/guacamole-server.nix>
services.guacamole-server.package

The guacamole-server package to use.

Type: package

Default: pkgs.guacamole-server

Declared by:

<nixpkgs/nixos/modules/services/web-apps/guacamole-server.nix>
services.guacamole-server.extraEnvironment

Environment variables to pass to guacd.

Type: attribute set of string

Default: { }

Example:

{
  ENVIRONMENT = "production";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/guacamole-server.nix>
services.guacamole-server.host

The host name or IP address the server should listen to.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/guacamole-server.nix>
services.guacamole-server.logbackXml

Configuration file that correspond to logback.xml.

Type: null or path

Default: null

Example: "/path/to/logback.xml"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/guacamole-server.nix>
services.guacamole-server.port

The port the guacd server should listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4822

Declared by:

<nixpkgs/nixos/modules/services/web-apps/guacamole-server.nix>
services.guacamole-server.userMappingXml

Configuration file that correspond to user-mapping.xml.

Type: null or path

Default: null

Example: "/path/to/user-mapping.xml"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/guacamole-server.nix>
services.guix.enable

Whether to enable Guix build daemon service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.package

The guix package to use. It should contain guix-daemon and guix executable.

Type: package

Default: pkgs.guix

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.extraArgs

Extra flags to pass to the Guix daemon service.

Type: list of string

Default: [ ]

Example:

[
  "--max-jobs=4"
  "--debug"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.gc.enable

Whether to enable automatic garbage collection service for Guix.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.gc.dates

How often the garbage collection occurs. This takes the time format from systemd.time(7).

Type: string

Default: "03:15"

Example: "weekly"

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.gc.extraArgs

List of arguments to be passed to guix gc.

When given no option, it will try to collect all garbage which is often inconvenient so it is recommended to set some options.

Type: list of string

Default: [ ]

Example:

[
  "--delete-generations=1m"
  "--free-space=10G"
  "--optimize"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.group

The group of the Guix build user pool.

Type: string

Default: "guixbuild"

Example: "guixbuild"

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.nrBuildUsers

Number of Guix build users to be used in the build pool.

Type: unsigned integer, meaning >=0

Default: 10

Example: 20

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.publish.enable

Whether to enable substitute server for your Guix store directory.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.publish.extraArgs

Extra flags to pass to the substitute server.

Type: list of string

Default: [ ]

Example:

[
  "--compression=zstd:6"
  "--discover=no"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.publish.generateKeyPair

Whether to generate signing keys in /etc/guix which are required to initialize a substitute server. Otherwise, --public-key=$FILE and --private-key=$FILE can be passed in services.guix.publish.extraArgs.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.publish.port

Port of the substitute server to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8181

Example: 8200

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.publish.user

Name of the user to change once the server is up.

Type: string

Default: "guix-publish"

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.stateDir

The state directory where Guix service will store its data such as its user-specific profiles, cache, and state files.

Warning

Changing it to something other than the default will rebuild the package.

Type: path

Default: "/var"

Example: "/gnu/var"

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.storeDir

The store directory where the Guix service will serve to/from. Take note Guix cannot take advantage of substitutes if you set it something other than /gnu/store since most of the cached builds are assumed to be in there.

Warning

This will also recompile all packages because the normal cache no longer applies.

Type: path

Default: "/gnu/store"

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.substituters.authorizedKeys

A list of signing keys for each substitute server to be authorized as a source of substitutes. Without this, the listed substitute servers from services.guix.substituters.urls would be ignored with some exceptions.

Type: list of path

Default:

''
  The packaged signing keys from {option}`services.guix.package`.
''

Example:

options.services.guix.substituters.authorizedKeys.default ++ [
  (builtins.fetchurl {
    url = "https://guix.example.com/signing-key.pub";
  })

  (builtins.fetchurl {
    url = "https://guix.example.org/static/signing-key.pub";
  })
]

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.guix.substituters.urls

A list of substitute servers’ URLs for the Guix daemon to download substitutes from.

Type: list of string

Default:

[
  "https://ci.guix.gnu.org"
  "https://bordeaux.guix.gnu.org"
  "https://berlin.guix.gnu.org"
]

Example:

options.services.guix.substituters.urls.default ++ [
  "https://guix.example.com"
  "https://guix.example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/guix>
services.gvfs.enable

Whether to enable GVfs, a userspace virtual filesystem.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/gvfs.nix>
services.gvfs.package

The gvfs package to use.

Type: package

Default: pkgs.gnome.gvfs

Declared by:

<nixpkgs/nixos/modules/services/desktops/gvfs.nix>
services.gvpe.enable

Whether to enable gvpe.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.configFile

GVPE config file, if already present

Type: null or path

Default: null

Example: "/root/my-gvpe-conf"

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.configText

GVPE config contents

Type: null or strings concatenated with “\n”

Default: null

Example:

''
  tcp-port = 655
  udp-port = 655
  mtu = 1480
  ifname = vpn0
  
  node = alpha
  hostname = alpha.example.org
  connect = always
  enable-udp = true
  enable-tcp = true
  on alpha if-up = if-up-0
  on alpha pid-file = /var/gvpe/gvpe.pid
''

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.customIFSetup

Additional commands to apply in ifup script

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.ipAddress

IP address to assign to GVPE interface

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.nodename

GVPE node name

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.gvpe.subnet

IP subnet assigned to GVPE network

Type: null or string

Default: null

Example: "10.0.0.0/8"

Declared by:

<nixpkgs/nixos/modules/services/networking/gvpe.nix>
services.hadoop.package

The hadoop package to use.

Type: package

Default: pkgs.hadoop

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/default.nix>
services.hadoop.containerExecutorCfg

Yarn container-executor.cfg definition https://hadoop.apache.org/docs/r2.7.2/hadoop-yarn/hadoop-yarn-site/SecureContainer.html

Type: attribute set of anything

Default:

{
  "feature.mount-cgroup.enabled" = 1;
  "feature.terminal.enabled" = 1;
  "min.user.id" = 1000;
  "yarn.nodemanager.linux-container-executor.group" = "hadoop";
}

Example:

options.services.hadoop.containerExecutorCfg.default // {
  "feature.terminal.enabled" = 0;
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/default.nix>
services.hadoop.coreSite

Hadoop core-site.xml definition https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/core-default.xml

Type: attribute set of anything

Default: { }

Example:

{
  "fs.defaultFS" = "hdfs://localhost";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/default.nix>
services.hadoop.extraConfDirs

Directories containing additional config files to be added to HADOOP_CONF_DIR

Type: list of path

Default: [ ]

Example:

[
  ./extraHDFSConfs
  ./extraYARNConfs
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/default.nix>
services.hadoop.gatewayRole.enable

Whether to enable gateway role for deploying hadoop configs.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/default.nix>
services.hadoop.gatewayRole.enableHbaseCli

Whether to enable HBase CLI tools.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.package

The hbase package to use.

Type: package

Default: pkgs.hbase

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.master.enable

Whether to enable HBase master.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.master.environment

Environment variables passed to master.

Type: attribute set of string

Default: { }

Example:

{
  HBASE_MASTER_OPTS = "-Dcom.sun.management.jmxremote.ssl=true";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.master.extraFlags

Extra flags for the master service.

Type: list of string

Default: [ ]

Example: [ "--backup" ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.master.initHDFS

Whether to enable initialization of the hbase directory on HDFS.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.master.openFirewall

Open firewall ports for HBase master.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.master.restartIfChanged

Restart master con config change.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.regionServer.enable

Whether to enable HBase regionServer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.regionServer.environment

Environment variables passed to regionServer.

Type: attribute set of string

Default: { }

Example:

{
  HBASE_MASTER_OPTS = "-Dcom.sun.management.jmxremote.ssl=true";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.regionServer.extraFlags

Extra flags for the regionServer service.

Type: list of string

Default: [ ]

Example: [ "--backup" ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.regionServer.openFirewall

Open firewall ports for HBase regionServer.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.regionServer.overrideHosts

Remove /etc/hosts entries for “127.0.0.2” and “::1” defined in nixos/modules/config/networking.nix Regionservers must be able to resolve their hostnames to their IP addresses, through PTR records or /etc/hosts entries.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.regionServer.restartIfChanged

Restart regionServer con config change.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.rest.enable

Whether to enable HBase rest.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.rest.environment

Environment variables passed to rest.

Type: attribute set of string

Default: { }

Example:

{
  HBASE_MASTER_OPTS = "-Dcom.sun.management.jmxremote.ssl=true";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.rest.extraFlags

Extra flags for the rest service.

Type: list of string

Default: [ ]

Example: [ "--backup" ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.rest.infoPort

web UI port

Type: signed integer

Default: 8085

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.rest.openFirewall

Open firewall ports for HBase rest.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.rest.port

RPC port

Type: signed integer

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.rest.restartIfChanged

Restart rest con config change.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.rootdir

This option will set “hbase.rootdir” in hbase-site.xml and determine the directory shared by region servers and into which HBase persists. The URL should be ‘fully-qualified’ to include the filesystem scheme. If a core-site.xml is provided, the FS scheme defaults to the value of “fs.defaultFS”.

Filesystems other than HDFS (like S3, QFS, Swift) are also supported.

Type: string

Default: "/hbase"

Example: "hdfs://nameservice1/hbase"

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.thrift.enable

Whether to enable HBase thrift.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.thrift.environment

Environment variables passed to thrift.

Type: attribute set of string

Default: { }

Example:

{
  HBASE_MASTER_OPTS = "-Dcom.sun.management.jmxremote.ssl=true";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.thrift.extraFlags

Extra flags for the thrift service.

Type: list of string

Default: [ ]

Example: [ "--backup" ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.thrift.infoPort

web UI port

Type: signed integer

Default: 9095

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.thrift.openFirewall

Open firewall ports for HBase thrift.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.thrift.port

RPC port

Type: signed integer

Default: 9090

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.thrift.restartIfChanged

Restart thrift con config change.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbase.zookeeperQuorum

This option will set “hbase.zookeeper.quorum” in hbase-site.xml. Comma separated list of servers in the ZooKeeper ensemble.

Type: null or strings concatenated with “,”

Default: null

Example: "zk1.internal,zk2.internal,zk3.internal"

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbaseSite

Additional options and overrides for hbase-site.xml https://github.com/apache/hbase/blob/rel/2.4.11/hbase-common/src/main/resources/hbase-default.xml

Type: attribute set of anything

Default: { }

Example:

{
  "hbase.hregion.max.filesize" = 20*1024*1024*1024;
  "hbase.table.normalization.enabled" = "true";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hbaseSiteDefault

Default options for hbase-site.xml

Type: attribute set of anything

Default:

{
  "hbase.cluster.distributed" = "true";
  "hbase.master.info.bindAddress" = "0.0.0.0";
  "hbase.master.ipc.address" = "0.0.0.0";
  "hbase.regionserver.info.bindAddress" = "0.0.0.0";
  "hbase.regionserver.ipc.address" = "0.0.0.0";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hbase.nix>
services.hadoop.hdfs.datanode.enable

Whether to enable HDFS DataNode.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.datanode.dataDirs

Tier and path definitions for datanode storage.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.datanode.dataDirs.*.path

Determines where on the local filesystem a data node should store its blocks.

Type: path

Example:

[
  "/var/lib/hadoop/hdfs/dn"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.datanode.dataDirs.*.type

Storage types ([SSD]/[DISK]/[ARCHIVE]/[RAM_DISK]) for HDFS storage policies.

Type: one of “SSD”, “DISK”, “ARCHIVE”, “RAM_DISK”

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.datanode.extraEnv

Extra environment variables for HDFS DataNode

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.datanode.extraFlags

Extra command line flags to pass to HDFS DataNode

Type: list of string

Default: [ ]

Example:

[
  "-Dcom.sun.management.jmxremote"
  "-Dcom.sun.management.jmxremote.port=8010"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.datanode.openFirewall

Open firewall ports for HDFS DataNode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.datanode.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.httpfs.enable

Whether to enable HDFS JournalNode.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.httpfs.extraEnv

Extra environment variables for HDFS JournalNode

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.httpfs.extraFlags

Extra command line flags to pass to HDFS JournalNode

Type: list of string

Default: [ ]

Example:

[
  "-Dcom.sun.management.jmxremote"
  "-Dcom.sun.management.jmxremote.port=8010"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.httpfs.openFirewall

Open firewall ports for HDFS JournalNode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.httpfs.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.httpfs.tempPath

HTTPFS_TEMP path used by HTTPFS

Type: path

Default: "/tmp/hadoop/httpfs"

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.journalnode.enable

Whether to enable HDFS JournalNode.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.journalnode.extraEnv

Extra environment variables for HDFS JournalNode

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.journalnode.extraFlags

Extra command line flags to pass to HDFS JournalNode

Type: list of string

Default: [ ]

Example:

[
  "-Dcom.sun.management.jmxremote"
  "-Dcom.sun.management.jmxremote.port=8010"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.journalnode.openFirewall

Open firewall ports for HDFS JournalNode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.journalnode.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.namenode.enable

Whether to enable HDFS NameNode.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.namenode.extraEnv

Extra environment variables for HDFS NameNode

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.namenode.extraFlags

Extra command line flags to pass to HDFS NameNode

Type: list of string

Default: [ ]

Example:

[
  "-Dcom.sun.management.jmxremote"
  "-Dcom.sun.management.jmxremote.port=8010"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.namenode.formatOnInit

Format HDFS namenode on first start. This is useful for quickly spinning up ephemeral HDFS clusters with a single namenode. For HA clusters, initialization involves multiple steps across multiple nodes. Follow this guide to initialize an HA cluster manually: https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HDFSHighAvailabilityWithQJM.html

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.namenode.openFirewall

Open firewall ports for HDFS NameNode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.namenode.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.zkfc.enable

Whether to enable HDFS ZooKeeper failover controller.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.zkfc.extraEnv

Extra environment variables for HDFS ZooKeeper failover controller

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.zkfc.extraFlags

Extra command line flags to pass to HDFS ZooKeeper failover controller

Type: list of string

Default: [ ]

Example:

[
  "-Dcom.sun.management.jmxremote"
  "-Dcom.sun.management.jmxremote.port=8010"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfs.zkfc.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/hdfs.nix>
services.hadoop.hdfsSite

Additional options and overrides for hdfs-site.xml https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/hdfs-default.xml

Type: attribute set of anything

Default: { }

Example:

{
  "dfs.nameservices" = "namenode1";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/default.nix>
services.hadoop.hdfsSiteDefault

Default options for hdfs-site.xml

Type: attribute set of anything

Default:

{
  "dfs.namenode.http-address" = "0.0.0.0:9870";
  "dfs.namenode.http-bind-host" = "0.0.0.0";
  "dfs.namenode.rpc-bind-host" = "0.0.0.0";
  "dfs.namenode.servicerpc-bind-host" = "0.0.0.0";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/default.nix>
services.hadoop.httpfsSite

Hadoop httpfs-site.xml definition https://hadoop.apache.org/docs/current/hadoop-hdfs-httpfs/httpfs-default.html

Type: attribute set of anything

Default: { }

Example:

{
  "hadoop.http.max.threads" = 500;
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/default.nix>
services.hadoop.log4jProperties

log4j.properties file added to HADOOP_CONF_DIR

Type: path

Default:

"${config.services.hadoop.package}/etc/hadoop/log4j.properties"

Example:

"${pkgs.hadoop}/etc/hadoop/log4j.properties";

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/default.nix>
services.hadoop.mapredSite

Additional options and overrides for mapred-site.xml https://hadoop.apache.org/docs/current/hadoop-mapreduce-client/hadoop-mapreduce-client-core/mapred-default.xml

Type: attribute set of anything

Default: { }

Example:

{
  "mapreduce.map.java.opts" = "-Xmx900m -XX:+UseParallelGC";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/default.nix>
services.hadoop.mapredSiteDefault

Default options for mapred-site.xml

Type: attribute set of anything

Default:

{
  "mapreduce.framework.name" = "yarn";
  "yarn.app.mapreduce.am.env" = "HADOOP_MAPRED_HOME=${config.services.hadoop.package}";
  "mapreduce.map.env" = "HADOOP_MAPRED_HOME=${config.services.hadoop.package}";
  "mapreduce.reduce.env" = "HADOOP_MAPRED_HOME=${config.services.hadoop.package}";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/default.nix>
services.hadoop.yarn.nodemanager.enable

Whether to enable Hadoop YARN NodeManager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.nodemanager.addBinBash

Add /bin/bash. This is needed by the linux container executor’s launch script.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.nodemanager.extraEnv

Extra environment variables

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.nodemanager.extraFlags

Extra command line flags to pass to the service

Type: list of string

Default: [ ]

Example:

[
  "-Dcom.sun.management.jmxremote"
  "-Dcom.sun.management.jmxremote.port=8010"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.nodemanager.localDir

List of directories to store localized files in.

Type: null or (list of path)

Default: null

Example:

[
  "/var/lib/hadoop/yarn/nm"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.nodemanager.openFirewall

Open firewall ports for nodemanager. Because containers can listen on any ephemeral port, TCP ports 1024–65535 will be opened.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.nodemanager.resource.cpuVCores

Number of vcores that can be allocated for containers.

Type: null or (positive integer, meaning >0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.nodemanager.resource.maximumAllocationMB

The maximum physical memory any container can be allocated.

Type: null or (positive integer, meaning >0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.nodemanager.resource.maximumAllocationVCores

The maximum virtual CPU cores any container can be allocated.

Type: null or (positive integer, meaning >0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.nodemanager.resource.memoryMB

Amount of physical memory, in MB, that can be allocated for containers.

Type: null or (positive integer, meaning >0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.nodemanager.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.nodemanager.useCGroups

Use cgroups to enforce resource limits on containers

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.resourcemanager.enable

Whether to enable Hadoop YARN ResourceManager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.resourcemanager.extraEnv

Extra environment variables

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.resourcemanager.extraFlags

Extra command line flags to pass to the service

Type: list of string

Default: [ ]

Example:

[
  "-Dcom.sun.management.jmxremote"
  "-Dcom.sun.management.jmxremote.port=8010"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.resourcemanager.openFirewall

Open firewall ports for resourcemanager

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarn.resourcemanager.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/yarn.nix>
services.hadoop.yarnSite

Additional options and overrides for yarn-site.xml https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-common/yarn-default.xml

Type: attribute set of anything

Default: { }

Example:

{
  "yarn.resourcemanager.hostname" = "${config.networking.hostName}";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/default.nix>
services.hadoop.yarnSiteDefault

Default options for yarn-site.xml

Type: attribute set of anything

Default:

{
  "yarn.nodemanager.admin-env" = "PATH=$PATH";
  "yarn.nodemanager.aux-services" = "mapreduce_shuffle";
  "yarn.nodemanager.aux-services.mapreduce_shuffle.class" = "org.apache.hadoop.mapred.ShuffleHandler";
  "yarn.nodemanager.bind-host" = "0.0.0.0";
  "yarn.nodemanager.container-executor.class" = "org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor";
  "yarn.nodemanager.env-whitelist" = "JAVA_HOME,HADOOP_COMMON_HOME,HADOOP_HDFS_HOME,HADOOP_CONF_DIR,CLASSPATH_PREPEND_DISTCACHE,HADOOP_YARN_HOME,HADOOP_HOME,LANG,TZ";
  "yarn.nodemanager.linux-container-executor.group" = "hadoop";
  "yarn.nodemanager.linux-container-executor.path" = "/run/wrappers/yarn-nodemanager/bin/container-executor";
  "yarn.nodemanager.log-dirs" = "/var/log/hadoop/yarn/nodemanager";
  "yarn.resourcemanager.bind-host" = "0.0.0.0";
  "yarn.resourcemanager.scheduler.class" = "org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairScheduler";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/hadoop/default.nix>
services.haka.enable

Whether to enable Haka.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/haka.nix>
services.haka.package

The haka package to use.

Type: package

Default: pkgs.haka

Declared by:

<nixpkgs/nixos/modules/services/security/haka.nix>
services.haka.configFile

Specify which configuration file Haka uses. It can be absolute path or a path relative to the sample directory of the haka git repo.

Type: string

Default: "empty.lua"

Example: "/srv/haka/myfilter.lua"

Declared by:

<nixpkgs/nixos/modules/services/security/haka.nix>
services.haka.dump.enable

Whether to enable dump.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/haka.nix>
services.haka.dump.input

Path to file where incoming packets are dumped

Type: path

Default: "/tmp/input.pcap"

Example: "/path/to/file.pcap"

Declared by:

<nixpkgs/nixos/modules/services/security/haka.nix>
services.haka.dump.output

Path to file where outgoing packets are dumped

Type: path

Default: "/tmp/output.pcap"

Example: "/path/to/file.pcap"

Declared by:

<nixpkgs/nixos/modules/services/security/haka.nix>
services.haka.interfaces

Specify which interface(s) Haka listens to. Use ‘any’ to listen to all interfaces.

Type: list of string

Default:

[
  "eth0"
]

Example:

[
  "any"
]

Declared by:

<nixpkgs/nixos/modules/services/security/haka.nix>
services.haka.nfqueue

Whether to enable nfqueue.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/haka.nix>
services.haka.pcap

Whether to enable pcap

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/haka.nix>
services.haka.threads

The number of threads that will be used. All system threads are used by default.

Type: signed integer

Default: 0

Example: 4

Declared by:

<nixpkgs/nixos/modules/services/security/haka.nix>
services.handheld-daemon.enable

Whether to enable Handheld Daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/handheld-daemon.nix>
services.handheld-daemon.package

The handheld-daemon package to use.

Type: package

Default: pkgs.handheld-daemon

Declared by:

<nixpkgs/nixos/modules/services/hardware/handheld-daemon.nix>
services.handheld-daemon.ui.enable

Whether to enable Handheld Daemon UI.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/handheld-daemon.nix>
services.handheld-daemon.ui.package

The handheld-daemon-ui package to use.

Type: package

Default: pkgs.handheld-daemon-ui

Declared by:

<nixpkgs/nixos/modules/services/hardware/handheld-daemon.nix>
services.handheld-daemon.user

The user to run Handheld Daemon with.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/hardware/handheld-daemon.nix>
services.hans.clients

Each attribute of this option defines a systemd service that runs hans. Many or none may be defined. The name of each service is hans-«name» where «name» is the name of the corresponding attribute name.

Type: attribute set of (submodule)

Default: { }

Example:

{
  foo = {
    server = "192.0.2.1";
    extraConfig = "-v";
  }
}

Declared by:

<nixpkgs/nixos/modules/services/networking/hans.nix>
services.hans.clients.<name>.extraConfig

Additional command line parameters

Type: string

Default: ""

Example: "-v"

Declared by:

<nixpkgs/nixos/modules/services/networking/hans.nix>
services.hans.clients.<name>.passwordFile

File that contains password

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/hans.nix>
services.hans.clients.<name>.server

IP address of server running hans

Type: string

Default: ""

Example: "192.0.2.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/hans.nix>
services.hans.server.enable

enable hans server

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hans.nix>
services.hans.server.extraConfig

Additional command line parameters

Type: string

Default: ""

Example: "-v"

Declared by:

<nixpkgs/nixos/modules/services/networking/hans.nix>
services.hans.server.ip

The assigned ip range

Type: string

Default: ""

Example: "198.51.100.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/hans.nix>
services.hans.server.passwordFile

File that contains password

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/hans.nix>
services.hans.server.respondToSystemPings

Force hans respond to ordinary pings

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hans.nix>
services.haproxy.enable

Whether to enable HAProxy, the reliable, high performance TCP/HTTP load balancer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/haproxy.nix>
services.haproxy.package

The haproxy package to use.

Type: package

Default: pkgs.haproxy

Declared by:

<nixpkgs/nixos/modules/services/networking/haproxy.nix>
services.haproxy.config

Contents of the HAProxy configuration file, haproxy.conf.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/haproxy.nix>
services.haproxy.group

Group account under which haproxy runs.

Type: string

Default: "haproxy"

Declared by:

<nixpkgs/nixos/modules/services/networking/haproxy.nix>
services.haproxy.user

User account under which haproxy runs.

Type: string

Default: "haproxy"

Declared by:

<nixpkgs/nixos/modules/services/networking/haproxy.nix>
services.hardware.argonone.enable

Whether to enable the driver for Argon One Raspberry Pi case fan and power button.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/argonone.nix>
services.hardware.argonone.package

The package implementing the Argon One driver

Type: package

Default: pkgs.argononed

Declared by:

<nixpkgs/nixos/modules/services/hardware/argonone.nix>
services.hardware.bolt.enable

Whether to enable Bolt, a userspace daemon to enable security levels for Thunderbolt 3 on GNU/Linux.

Bolt is used by GNOME 3 to handle Thunderbolt settings.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/bolt.nix>
services.hardware.bolt.package

The bolt package to use.

Type: package

Default: pkgs.bolt

Declared by:

<nixpkgs/nixos/modules/services/hardware/bolt.nix>
services.hardware.lcd.client.enable

Enable the LCD panel client (LCDproc)

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/lcd.nix>
services.hardware.lcd.client.extraConfig

Additional configuration added verbatim to the client config.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/lcd.nix>
services.hardware.lcd.client.restartForever

Try restarting the client forever.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/lcd.nix>
services.hardware.lcd.server.enable

Enable the LCD panel server (LCDd)

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/lcd.nix>
services.hardware.lcd.server.extraConfig

Additional configuration added verbatim to the server config.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/lcd.nix>
services.hardware.lcd.server.openPorts

Open the ports in the firewall

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/lcd.nix>
services.hardware.lcd.server.usbGroup

The group to use for settings permissions. This group must exist or you will have to create it.

Type: string

Default: "dialout"

Declared by:

<nixpkgs/nixos/modules/services/hardware/lcd.nix>
services.hardware.lcd.server.usbPermissions

Set group-write permissions on a USB device.

A USB connected LCD panel will most likely require having its permissions modified for lcdd to write to it. Enabling this option sets group-write permissions on the device identified by services.hardware.lcd.usbVid and services.hardware.lcd.usbPid. In order to find the values, you can run the lsusb command. Example output:

Bus 005 Device 002: ID 0403:c630 Future Technology Devices International, Ltd lcd2usb interface

In this case the vendor id is 0403 and the product id is c630.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/lcd.nix>
services.hardware.lcd.server.usbPid

The product ID of the USB device to claim.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/lcd.nix>
services.hardware.lcd.server.usbVid

The vendor ID of the USB device to claim.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/lcd.nix>
services.hardware.lcd.serverHost

Host on which LCDd is listening.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/hardware/lcd.nix>
services.hardware.lcd.serverPort

Port on which LCDd is listening.

Type: signed integer

Default: 13666

Declared by:

<nixpkgs/nixos/modules/services/hardware/lcd.nix>
services.hardware.openrgb.enable

Whether to enable OpenRGB server, for RGB lighting control.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/openrgb.nix>
services.hardware.openrgb.package

The openrgb package to use.

Type: package

Default: pkgs.openrgb

Declared by:

<nixpkgs/nixos/modules/services/hardware/openrgb.nix>
services.hardware.openrgb.motherboard

CPU family of motherboard. Allows for addition motherboard i2c support.

Type: null or one of “amd”, “intel”

Default: if config.hardware.cpu.intel.updateMicrocode then “intel” else if config.hardware.cpu.amd.updateMicrocode then “amd” else null;

Declared by:

<nixpkgs/nixos/modules/services/hardware/openrgb.nix>
services.hardware.openrgb.server.port

Set server port of openrgb.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6742

Declared by:

<nixpkgs/nixos/modules/services/hardware/openrgb.nix>
services.hardware.pommed.enable

Whether to use the pommed tool to handle Apple laptop keyboard hotkeys.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/pommed.nix>
services.hardware.pommed.configFile

The path to the pommed.conf file. Leave to null to use the default config file (/etc/pommed.conf.mactel). See the files /etc/pommed.conf.mactel and /etc/pommed.conf.pmac for examples to build on.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/pommed.nix>
services.harmonia.enable

Whether to enable Harmonia: Nix binary cache written in Rust.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/harmonia.nix>
services.harmonia.package

The harmonia package to use.

Type: package

Default: pkgs.harmonia

Declared by:

<nixpkgs/nixos/modules/services/networking/harmonia.nix>
services.harmonia.settings

Settings to merge with the default configuration. For the list of the default configuration, see https://github.com/nix-community/harmonia/tree/master#configuration.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/harmonia.nix>
services.harmonia.signKeyPath

DEPRECATED: Use services.harmonia.signKeyPaths instead. Path to the signing key to use for signing the cache

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/harmonia.nix>
services.harmonia.signKeyPaths

Paths to the signing keys to use for signing the cache

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/harmonia.nix>
services.haste-server.enable

Whether to enable haste-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/editors/haste.nix>
services.haste-server.openFirewall

Whether to enable firewall passthrough for haste-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/editors/haste.nix>
services.haste-server.settings

Configuration for haste-server. For documentation see project readme

Type: JSON value

Declared by:

<nixpkgs/nixos/modules/services/editors/haste.nix>
services.hatsu.enable

Whether to enable Self-hosted and fully-automated ActivityPub bridge for static sites.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hatsu.nix>
services.hatsu.package

The hatsu package to use.

Type: package

Default: pkgs.hatsu

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hatsu.nix>
services.hatsu.settings

Configuration for Hatsu, see <link xlink:href=“https://hatsu.cli.rs/admins/environments.html”/> for supported values.

Type: attribute set of (null or boolean or signed integer or 16 bit unsigned integer; between 0 and 65535 (both inclusive) or string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hatsu.nix>
services.hatsu.settings.HATSU_DATABASE_URL

Database URL.

Type: string

Default: "sqlite:///var/lib/hatsu/hatsu.sqlite?mode=rwc"

Example: "postgres://username:password@host/database"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hatsu.nix>
services.hatsu.settings.HATSU_DOMAIN

The domain name of your instance (eg ‘hatsu.local’).

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hatsu.nix>
services.hatsu.settings.HATSU_LISTEN_HOST

Host where hatsu should listen for incoming requests.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hatsu.nix>
services.hatsu.settings.HATSU_LISTEN_PORT

Port where hatsu should listen for incoming requests.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3939

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hatsu.nix>
services.hatsu.settings.HATSU_PRIMARY_ACCOUNT

The primary account of your instance (eg ‘example.com’).

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hatsu.nix>
services.haveged.enable

Whether to enable haveged entropy daemon, which refills /dev/random when low. NOTE: does nothing on kernels newer than 5.6 .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/haveged.nix>
services.haveged.refill_threshold

The number of bits of available entropy beneath which haveged should refill the entropy pool.

Type: signed integer

Default: 1024

Declared by:

<nixpkgs/nixos/modules/services/security/haveged.nix>
services.hbase-standalone.enable

Whether to enable HBase master in standalone mode with embedded regionserver and zookeper. Do not use this configuration for production nor for evaluating HBase performance .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/hbase-standalone.nix>
services.hbase-standalone.package

The hbase package to use.

Type: package

Default: pkgs.hbase

Declared by:

<nixpkgs/nixos/modules/services/databases/hbase-standalone.nix>
services.hbase-standalone.dataDir

Specifies location of HBase database files. This location should be writable and readable for the user the HBase service runs as (hbase by default).

Type: path

Default: "/var/lib/hbase"

Declared by:

<nixpkgs/nixos/modules/services/databases/hbase-standalone.nix>
services.hbase-standalone.group

Group account under which HBase runs.

Type: string

Default: "hbase"

Declared by:

<nixpkgs/nixos/modules/services/databases/hbase-standalone.nix>
services.hbase-standalone.logDir

Specifies the location of HBase log files.

Type: path

Default: "/var/log/hbase"

Declared by:

<nixpkgs/nixos/modules/services/databases/hbase-standalone.nix>
services.hbase-standalone.settings

configurations in hbase-site.xml, see https://github.com/apache/hbase/blob/master/hbase-server/src/test/resources/hbase-site.xml for details.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  "hbase.rootdir" = "file://${config.services.hbase-standalone.dataDir}/hbase";
  "hbase.zookeeper.property.dataDir" = "${config.services.hbase-standalone.dataDir}/zookeeper";
}

Declared by:

<nixpkgs/nixos/modules/services/databases/hbase-standalone.nix>
services.hbase-standalone.user

User account under which HBase runs.

Type: string

Default: "hbase"

Declared by:

<nixpkgs/nixos/modules/services/databases/hbase-standalone.nix>
services.hdapsd.enable

Whether to enable Hard Drive Active Protection System Daemon, devices are detected and managed automatically by udev and systemd .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/hdaps.nix>
services.hddfancontrol.enable

Whether to enable hddfancontrol daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/hddfancontrol.nix>
services.hddfancontrol.disks

Drive(s) to get temperature from

Type: list of path

Default: [ ]

Example:

[
  "/dev/sda"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/hddfancontrol.nix>
services.hddfancontrol.extraArgs

Extra commandline arguments for hddfancontrol

Type: list of string

Default: [ ]

Example:

[
  "--pwm-start-value=32"
  "--pwm-stop-value=0"
  "--spin-down-time=900"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/hddfancontrol.nix>
services.hddfancontrol.pwmPaths

PWM filepath(s) to control fan speed (under /sys)

Type: list of path

Default: [ ]

Example:

[
  "/sys/class/hwmon/hwmon2/pwm1"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/hddfancontrol.nix>
services.hddfancontrol.smartctl

Probe temperature using smartctl instead of hddtemp or hdparm

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/hddfancontrol.nix>
services.headphones.enable

Whether to enable the headphones server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/headphones.nix>
services.headphones.configFile

Path to config file.

Type: path

Default: "${config.services.headphones.dataDir}/config.ini"

Declared by:

<nixpkgs/nixos/modules/services/misc/headphones.nix>
services.headphones.dataDir

Path where to store data files.

Type: path

Default: "/var/lib/headphones"

Declared by:

<nixpkgs/nixos/modules/services/misc/headphones.nix>
services.headphones.group

Group to run the service as

Type: string

Default: "headphones"

Declared by:

<nixpkgs/nixos/modules/services/misc/headphones.nix>
services.headphones.host

Host to listen on.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/headphones.nix>
services.headphones.port

Port to bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8181

Declared by:

<nixpkgs/nixos/modules/services/misc/headphones.nix>
services.headphones.user

User to run the service as

Type: string

Default: "headphones"

Declared by:

<nixpkgs/nixos/modules/services/misc/headphones.nix>
services.headscale.enable

Whether to enable headscale, Open Source coordination server for Tailscale.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.package

The headscale package to use.

Type: package

Default: pkgs.headscale

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.address

Listening address of headscale.

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.group

Group under which headscale runs.

Note

If left as the default value this group will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the headscale service starts.

Type: string

Default: "headscale"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.port

Listening port of headscale.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Example: 443

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings

Overrides to config.yaml as a Nix attribute set. Check the example config for possible options.

Type: YAML value

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.database.postgres.host

Database host address.

Type: null or string

Default: null

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.database.postgres.name

Database name.

Type: null or string

Default: null

Example: "headscale"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.database.postgres.password_file

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/headscale-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.database.postgres.port

Database host port.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Example: 3306

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.database.postgres.user

Database user.

Type: null or string

Default: null

Example: "headscale"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.database.sqlite.path

Path to the sqlite3 database file.

Type: null or string

Default: "/var/lib/headscale/db.sqlite"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.database.sqlite.write_ahead_log

Enable WAL mode for SQLite. This is recommended for production environments. https://www.sqlite.org/wal.html

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.database.type

Database engine to use. Please note that using Postgres is highly discouraged as it is only supported for legacy reasons. All new development, testing and optimisations are done with SQLite in mind.

Type: one of “sqlite”, “sqlite3”, “postgres”

Default: "sqlite"

Example: "postgres"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.derp.auto_update_enable

Whether to automatically update DERP maps on a set frequency.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.derp.paths

List of file paths containing DERP maps. See How Tailscale works for more information on DERP maps.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.derp.server.private_key_path

Path to derp private key file, generated automatically if it does not exist.

Type: path

Default: "/var/lib/headscale/derp_server_private.key"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.derp.update_frequency

Frequency to update DERP maps.

Type: string

Default: "24h"

Example: "5m"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.derp.urls

List of urls containing DERP maps. See How Tailscale works for more information on DERP maps.

Type: list of string

Default:

[
  "https://controlplane.tailscale.com/derpmap/default"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.dns.base_domain

Defines the base domain to create the hostnames for MagicDNS. This domain must be different from the server_url domain. base_domain must be a FQDN, without the trailing dot. The FQDN of the hosts will be hostname.base_domain (e.g. myhost.tailnet.example.com).

Type: string

Default: ""

Example: "tailnet.example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.dns.magic_dns

Whether to use MagicDNS.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.dns.nameservers.global

List of nameservers to pass to Tailscale clients.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.dns.search_domains

Search domains to inject to Tailscale clients.

Type: list of string

Default: [ ]

Example:

[
  "mydomain.internal"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.ephemeral_node_inactivity_timeout

Time before an inactive ephemeral node is deleted.

Type: string

Default: "30m"

Example: "5m"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.log.format

headscale log format.

Type: string

Default: "text"

Example: "json"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.log.level

headscale log level.

Type: string

Default: "info"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.noise.private_key_path

Path to noise private key file, generated automatically if it does not exist.

Type: path

Default: "/var/lib/headscale/noise_private.key"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.oidc.allowed_domains

Allowed principal domains. if an authenticated user’s domain is not in this list authentication request will be rejected.

Type: list of string

Default: [ ]

Example:

[
  "example.com"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.oidc.allowed_users

Users allowed to authenticate even if not in allowedDomains.

Type: list of string

Default: [ ]

Example:

[
  "alice@example.com"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.oidc.client_id

OpenID Connect client ID.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.oidc.client_secret_path

Path to OpenID Connect client secret file. Expands environment variables in format ${VAR}.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.oidc.extra_params

Custom query parameters to send with the Authorize Endpoint request.

Type: attribute set of string

Default: { }

Example:

{
  domain_hint = "example.com";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.oidc.issuer

URL to OpenID issuer.

Type: string

Default: ""

Example: "https://openid.example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.oidc.scope

Scopes used in the OIDC flow.

Type: list of string

Default:

[
  "openid"
  "profile"
  "email"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.oidc.strip_email_domain

Whether the domain part of the email address should be removed when generating namespaces.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.policy.mode

The mode can be “file” or “database” that defines where the ACL policies are stored and read from.

Type: one of “file”, “database”

Default: "file"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.policy.path

If the mode is set to “file”, the path to a HuJSON file containing ACL policies.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.prefixes.allocation

Strategy used for allocation of IPs to nodes, available options:

  • sequential (default): assigns the next free IP from the previous given IP.

  • random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).

Type: one of “sequential”, “random”

Default: "sequential"

Example: "random"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.prefixes.v4

Each prefix consists of either an IPv4 or IPv6 address, and the associated prefix length, delimited by a slash. It must be within IP ranges supported by the Tailscale client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.

Type: string

Default: "100.64.0.0/10"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.prefixes.v6

Each prefix consists of either an IPv4 or IPv6 address, and the associated prefix length, delimited by a slash. It must be within IP ranges supported by the Tailscale client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.

Type: string

Default: "fd7a:115c:a1e0::/48"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.server_url

The url clients will connect to.

Type: string

Default: "http://127.0.0.1:8080"

Example: "https://myheadscale.example.com:443"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.tls_cert_path

Path to already created certificate.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.tls_key_path

Path to key for already created certificate.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.tls_letsencrypt_challenge_type

Type of ACME challenge to use, currently supported types: HTTP-01 or TLS-ALPN-01.

Type: one of “TLS-ALPN-01”, “HTTP-01”

Default: "HTTP-01"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.tls_letsencrypt_hostname

Domain name to request a TLS certificate for.

Type: null or string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.settings.tls_letsencrypt_listen

When HTTP-01 challenge is chosen, letsencrypt must set up a verification endpoint, and it will be listening on: :http = port 80.

Type: null or string

Default: ":http"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.headscale.user

User account under which headscale runs.

Note

If left as the default value this user will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the headscale service starts.

Type: string

Default: "headscale"

Declared by:

<nixpkgs/nixos/modules/services/networking/headscale.nix>
services.healthchecks.enable

Enable healthchecks. It is expected to be run behind a HTTP reverse proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.package

The healthchecks package to use.

Type: package

Default: pkgs.healthchecks

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.dataDir

The directory used to store all data for healthchecks.

Note

If left as the default value this directory will automatically be created before the healthchecks server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: string

Default: "/var/lib/healthchecks"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.group

Group account under which healthchecks runs.

Note

If left as the default value this group will automatically be created on system activation, otherwise you are responsible for ensuring the group exists before the healthchecks service starts.

Type: string

Default: "healthchecks"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.listenAddress

Address the server will listen on.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.port

Port the server will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.settings

Environment variables which are read by healthchecks (local)_settings.py.

Settings which are explicitly covered in options below, are type-checked and/or transformed before added to the environment, everything else is passed as a string.

See https://healthchecks.io/docs/self_hosted_configuration/ for a full documentation of settings.

We add additional variables to this list inside the packages local_settings.py.

  • STATIC_ROOT to set a state directory for dynamically generated static files.

  • SECRET_KEY_FILE to read SECRET_KEY from a file at runtime and keep it out of /nix/store.

  • _FILE variants for several values that hold sensitive information in Healthchecks configuration so that they also can be read from a file and kept out of /nix/store. To see which values have support for a _FILE variant, run:

    • nix-instantiate --eval --expr '(import <nixpkgs> {}).healthchecks.secrets'

    • or nix eval 'nixpkgs#healthchecks.secrets' if the flake support has been enabled.

If the same variable is set in both settings and settingsFile the value from settingsFile has priority.

Type: attribute set of string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.settings.ALLOWED_HOSTS

The host/domain names that this site can serve.

Type: list of string

Default:

[
  "*"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.settings.DB

Database engine to use.

Type: one of “sqlite”, “postgres”, “mysql”

Default: "sqlite"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.settings.DB_NAME

Database name.

Type: string

Default:

if config.services.healthchecks.settings.DB == "sqlite"
then "${config.services.healthchecks.dataDir}/healthchecks.sqlite"
else "hc"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.settings.DEBUG

Enable debug mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.settings.REGISTRATION_OPEN

A boolean that controls whether site visitors can create new accounts. Set it to false if you are setting up a private Healthchecks instance, but it needs to be publicly accessible (so, for example, your cloud services can send pings to it). If you close new user registration, you can still selectively invite users to your team account.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.settings.SECRET_KEY_FILE

Path to a file containing the secret key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.settingsFile

Environment variables which are read by healthchecks (local)_settings.py.

Settings which are explicitly covered in options below, are type-checked and/or transformed before added to the environment, everything else is passed as a string.

See https://healthchecks.io/docs/self_hosted_configuration/ for a full documentation of settings.

We add additional variables to this list inside the packages local_settings.py.

  • STATIC_ROOT to set a state directory for dynamically generated static files.

  • SECRET_KEY_FILE to read SECRET_KEY from a file at runtime and keep it out of /nix/store.

  • _FILE variants for several values that hold sensitive information in Healthchecks configuration so that they also can be read from a file and kept out of /nix/store. To see which values have support for a _FILE variant, run:

    • nix-instantiate --eval --expr '(import <nixpkgs> {}).healthchecks.secrets'

    • or nix eval 'nixpkgs#healthchecks.secrets' if the flake support has been enabled.

If the same variable is set in both settings and settingsFile the value from settingsFile has priority.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.healthchecks.user

User account under which healthchecks runs.

Note

If left as the default value this user will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the healthchecks service starts.

Type: string

Default: "healthchecks"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/healthchecks.nix>
services.heapster.enable

Whether to enable Heapster monitoring.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/heapster.nix>
services.heapster.package

The heapster package to use.

Type: package

Default: pkgs.heapster

Declared by:

<nixpkgs/nixos/modules/services/monitoring/heapster.nix>
services.heapster.extraOpts

Heapster extra options

Type: strings concatenated with " "

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/heapster.nix>
services.heapster.sink

Heapster metic sink

Type: string

Example: "influxdb:http://localhost:8086"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/heapster.nix>
services.heapster.source

Heapster metric source

Type: string

Example: "kubernetes:https://kubernetes.default"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/heapster.nix>
services.heartbeat.enable

Whether to enable heartbeat, uptime monitoring.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/heartbeat.nix>
services.heartbeat.package

The heartbeat package to use.

Type: package

Default: pkgs.heartbeat

Example: heartbeat7

Declared by:

<nixpkgs/nixos/modules/services/logging/heartbeat.nix>
services.heartbeat.extraConfig

Any other configuration options you want to add

Type: strings concatenated with “\n”

Default:

''
  heartbeat.monitors:
  - type: http
    urls: ["http://localhost:9200"]
    schedule: '@every 10s'
''

Declared by:

<nixpkgs/nixos/modules/services/logging/heartbeat.nix>
services.heartbeat.name

Name of the beat

Type: string

Default: "heartbeat"

Declared by:

<nixpkgs/nixos/modules/services/logging/heartbeat.nix>
services.heartbeat.stateDir

The state directory. heartbeat’s own logs and other data are stored here.

Type: string

Default: "/var/lib/heartbeat"

Declared by:

<nixpkgs/nixos/modules/services/logging/heartbeat.nix>
services.heartbeat.tags

Tags to place on the shipped log messages

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/logging/heartbeat.nix>
services.hebbot.enable

Whether to enable hebbot.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/hebbot.nix>
services.hebbot.botPasswordFile

A path to the password file for your bot.

Consider using a path that does not end up in your Nix store as it would be world readable.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/matrix/hebbot.nix>
services.hebbot.settings

Configuration for Hebbot, see, for examples:

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/hebbot.nix>
services.hebbot.templates.project

A path to the Markdown file for the project template.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/matrix/hebbot.nix>
services.hebbot.templates.report

A path to the Markdown file for the report template.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/matrix/hebbot.nix>
services.hebbot.templates.section

A path to the Markdown file for the section template.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/matrix/hebbot.nix>
services.hedgedoc.enable

Whether to enable the HedgeDoc Markdown Editor.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.package

The hedgedoc package to use.

Type: package

Default: pkgs.hedgedoc

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.environmentFile

Environment file as defined in systemd.exec(5).

Secrets may be passed to the service without adding them to the world-readable Nix store, by specifying placeholder variables as the option value in Nix and setting these variables accordingly in the environment file.

  # snippet of HedgeDoc-related config
  services.hedgedoc.settings.dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@db-host:5432/hedgedocdb";
  services.hedgedoc.settings.minio.secretKey = "$MINIO_SECRET_KEY";
  # content of the environment file
  DB_PASSWORD=verysecretdbpassword
  MINIO_SECRET_KEY=verysecretminiokey

Note that this file needs to be available on the host on which HedgeDoc is running.

Type: null or path

Default: null

Example: "/var/lib/hedgedoc/hedgedoc.env"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.settings

HedgeDoc configuration, see https://docs.hedgedoc.org/configuration/ for documentation.

Type: JSON value

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.settings.allowGravatar

Whether to enable Libravatar as profile picture source on your instance.

Despite the naming of the setting, Hedgedoc replaced Gravatar with Libravatar in CodiMD 1.4.0

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.settings.allowOrigin

List of domains to whitelist.

Type: list of string

Default:

with config.services.hedgedoc.settings; [ host ] ++ lib.optionals (domain != null) [ domain ]

Example:

[
  "localhost"
  "hedgedoc.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.settings.db

Specify the configuration for sequelize. HedgeDoc supports mysql, postgres, sqlite and mssql. See https://sequelize.readthedocs.io/en/v3/ for more information.

Note

The relevant parts will be overriden if you set dbURL.

Type: attribute set

Default:

{
  dialect = "sqlite";
  storage = "/var/lib/hedgedoc/db.sqlite";
}

Example:

db = {
  username = "hedgedoc";
  database = "hedgedoc";
  host = "localhost:5432";
  # or via socket
  # host = "/run/postgresql";
  dialect = "postgresql";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.settings.domain

Domain to use for website.

This is useful if you are trying to run hedgedoc behind a reverse proxy.

Type: null or string

Default: null

Example: "hedgedoc.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.settings.host

Address to listen on.

Type: null or string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.settings.path

Path to UNIX domain socket to listen on

Note

If specified, host and port will be ignored.

Type: null or path

Default: null

Example: "/run/hedgedoc/hedgedoc.sock"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.settings.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Example: 80

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.settings.protocolUseSSL

Use https:// for all links.

This is useful if you are trying to run hedgedoc behind a reverse proxy.

Note

Only applied if domain is set.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.settings.uploadsPath

Directory for storing uploaded images.

Type: path

Default: "/var/lib/hedgedoc/uploads"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.settings.urlPath

URL path for the website.

This is useful if you are hosting hedgedoc on a path like www.example.com/hedgedoc

Type: null or string

Default: null

Example: "hedgedoc"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.hedgedoc.settings.useSSL

Enable to use SSL server.

Note

This will also enable protocolUseSSL.

It will also require you to set the following:

  • sslKeyPath

  • sslCertPath

  • sslCAPath

  • dhParamPath

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hedgedoc.nix>
services.heisenbridge.enable

Whether to enable the Matrix to IRC bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/heisenbridge.nix>
services.heisenbridge.package

The heisenbridge package to use.

Type: package

Default: pkgs.heisenbridge

Declared by:

<nixpkgs/nixos/modules/services/misc/heisenbridge.nix>
services.heisenbridge.address

Address to listen on. IPv6 does not seem to be supported.

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/heisenbridge.nix>
services.heisenbridge.debug

More verbose logging. Recommended during initial setup.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/heisenbridge.nix>
services.heisenbridge.extraArgs

Heisenbridge is configured over the command line. Append extra arguments here

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/heisenbridge.nix>
services.heisenbridge.homeserver

The URL to the home server for client-server API calls

Type: string

Example: "http://localhost:8008"

Declared by:

<nixpkgs/nixos/modules/services/misc/heisenbridge.nix>
services.heisenbridge.identd.enable

Whether to enable identd service support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/heisenbridge.nix>
services.heisenbridge.identd.port

identd listen port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 113

Declared by:

<nixpkgs/nixos/modules/services/misc/heisenbridge.nix>
services.heisenbridge.namespaces

Configure the ‘namespaces’ section of the registration.yml for the bridge and the server

Type: JSON value

Default:

{
  aliases = [ ];
  rooms = [ ];
  users = [
    {
      exclusive = true;
      regex = "@irc_.*";
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/misc/heisenbridge.nix>
services.heisenbridge.owner

Set owner MXID otherwise first talking local user will claim the bridge

Type: null or string

Default: null

Example: "@admin:example.org"

Declared by:

<nixpkgs/nixos/modules/services/misc/heisenbridge.nix>
services.heisenbridge.port

The port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9898

Declared by:

<nixpkgs/nixos/modules/services/misc/heisenbridge.nix>
services.heisenbridge.registrationUrl

The URL where the application service is listening for HS requests, from the Matrix HS perspective.# The default value assumes the bridge runs on the same host as the home server, in the same network.

Type: string

Default: "http://$\${cfg.address}:$\${toString cfg.port}"

Example: "https://matrix.example.org"

Declared by:

<nixpkgs/nixos/modules/services/misc/heisenbridge.nix>
services.hercules-ci-agent.enable

Enable to run Hercules CI Agent as a system service.

Hercules CI is a continuous integation service that is centered around Nix.

Support is available at help@hercules-ci.com.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix>
services.hercules-ci-agent.package

The hercules-ci-agent package to use.

Type: package

Default: pkgs.hercules-ci-agent

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix>
services.hercules-ci-agent.settings

These settings are written to the agent.toml file.

Not all settings are listed as options, can be set nonetheless.

For the exhaustive list of settings, see https://docs.hercules-ci.com/hercules-ci/reference/agent-config/.

Type: TOML value

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix>
services.hercules-ci-agent.settings.apiBaseUrl

API base URL that the agent will connect to.

When using Hercules CI Enterprise, set this to the URL where your Hercules CI server is reachable.

Type: string

Default: "https://hercules-ci.com"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix>
services.hercules-ci-agent.settings.baseDirectory

State directory (secrets, work directory, etc) for agent

Type: path

Default: "/var/lib/hercules-ci-agent"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix>
services.hercules-ci-agent.settings.binaryCachesPath

Path to a JSON file containing binary cache secret keys.

As these values are confidential, they should not be in the store, but copied over using other means, such as agenix, NixOps deployment.keys, or manual installation.

The format is described on https://docs.hercules-ci.com/hercules-ci-agent/binary-caches-json/.

Type: path

Default: staticSecretsDirectory + "/binary-caches.json"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix>
services.hercules-ci-agent.settings.clusterJoinTokenPath

Location of the cluster-join-token.key file.

You can retrieve the contents of the file when creating a new agent via https://hercules-ci.com/dashboard.

As this value is confidential, it should not be in the store, but installed using other means, such as agenix, NixOps deployment.keys, or manual installation.

The contents of the file are used for authentication between the agent and the API.

Type: path

Default: staticSecretsDirectory + "/cluster-join-token.key"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix>
services.hercules-ci-agent.settings.concurrentTasks

Number of tasks to perform simultaneously.

A task is a single derivation build, an evaluation or an effect run. At minimum, you need 2 concurrent tasks for x86_64-linux in your cluster, to allow for import from derivation.

concurrentTasks can be around the CPU core count or lower if memory is the bottleneck.

The optimal value depends on the resource consumption characteristics of your workload, including memory usage and in-task parallelism. This is typically determined empirically.

When scaling, it is generally better to have a double-size machine than two machines, because each split of resources causes inefficiencies; particularly with regards to build latency because of extra downloads.

Type: positive integer, meaning >0, or value “auto” (singular enum)

Default: "auto", meaning equal to the number of CPU cores.

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix>
services.hercules-ci-agent.settings.labels

A key-value map of user data.

This data will be available to organization members in the dashboard and API.

The values can be of any TOML type that corresponds to a JSON type, but arrays can not contain tables/objects due to limitations of the TOML library. Values involving arrays of non-primitive types may not be representable currently.

Type: TOML value

Default:

{
  agent.source = "..."; # One of "nixpkgs", "flake", "override"
  lib.version = "...";
  pkgs.version = "...";
}

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix>
services.hercules-ci-agent.settings.secretsJsonPath

Path to a JSON file containing secrets for effects.

As these values are confidential, they should not be in the store, but copied over using other means, such as agenix, NixOps deployment.keys, or manual installation.

The format is described on https://docs.hercules-ci.com/hercules-ci-agent/secrets-json/.

Type: path

Default: staticSecretsDirectory + "/secrets.json"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix>
services.hercules-ci-agent.settings.staticSecretsDirectory

This is the default directory to look for statically configured secrets like cluster-join-token.key.

See also clusterJoinTokenPath and binaryCachesPath for fine-grained configuration.

Type: path

Default: baseDirectory + "/secrets"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix>
services.hercules-ci-agent.settings.workDirectory

The directory in which temporary subdirectories are created for task state. This includes sources for Nix evaluation.

Type: path

Default: baseDirectory + "/work"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hercules-ci-agent/common.nix>
services.hickory-dns.enable

Whether to enable hickory-dns.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hickory-dns.package

The hickory-dns package to use. ::: {.note} The package must provide meta.mainProgram which names the server binary; any other utilities (client, resolver) are not needed. :::

Type: package

Default: pkgs.hickory-dns

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hickory-dns.configFile

Path to an existing toml file to configure hickory-dns with.

This can usually be left unspecified, in which case it will be generated from the values in settings. If manually specified, then the options in settings are ignored.

Type: path

Default:

let toml = pkgs.formats.toml { }; in toml.generate "hickory-dns.toml" cfg.settings

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hickory-dns.debug

Log DEBUG, INFO, WARN and ERROR messages. This option is mutually exclusive with the debug option. If neither quiet nor debug are enabled, logging defaults to the INFO level.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hickory-dns.quiet

Log ERROR level messages only. This option is mutually exclusive with the debug option. If neither quiet nor debug are enabled, logging defaults to the INFO level.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hickory-dns.settings

Settings for hickory-dns. The options enumerated here are not exhaustive. Refer to upstream documentation for all available options:

Type: TOML value

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hickory-dns.settings.directory

The directory in which hickory-dns should look for .zone files, whenever zones aren’t specified by absolute path.

Type: string

Default: "/var/lib/hickory-dns"

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hickory-dns.settings.listen_addrs_ipv4

List of ipv4 addresses on which to listen for DNS queries.

Type: list of string

Default:

[
  "0.0.0.0"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hickory-dns.settings.listen_addrs_ipv6

List of ipv6 addresses on which to listen for DNS queries.

Type: list of string

Default: lib.optional config.networking.enableIPv6 "::0"

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hickory-dns.settings.listen_port

Port to listen on (applies to all listen addresses).

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 53

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hickory-dns.settings.zones

List of zones to serve.

Type: list of ((TOML value) or string convertible to it)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hickory-dns.settings.zones.*.file

Path to the .zone file. If not fully-qualified, this path will be interpreted relative to the directory option. If omitted, defaults to the value of the zone option suffixed with “.zone”.

Type: path or string

Default: "${config.zone}.zone"

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hickory-dns.settings.zones.*.zone

Zone name, like “example.com”, “localhost”, or “0.0.127.in-addr.arpa”.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hickory-dns.settings.zones.*.zone_type

One of:

  • “Primary” (the master, authority for the zone).

  • “Secondary” (the slave, replicated from the primary).

  • “Hint” (a cached zone with recursive resolver abilities).

  • “Forward” (a cached zone where all requests are forwarded to another resolver).

For more details about these zone types, consult the documentation for BIND, though note that hickory-dns supports only a subset of BIND’s zone types: https://bind9.readthedocs.io/en/v9_18_4/reference.html#type

Type: one of “Primary”, “Secondary”, “Hint”, “Forward”

Default: "Primary"

Declared by:

<nixpkgs/nixos/modules/services/networking/hickory-dns.nix>
services.hitch.enable

Whether to enable Hitch Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/hitch/default.nix>
services.hitch.backend

The host and port Hitch connects to when receiving a connection in the form [HOST]:PORT

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-servers/hitch/default.nix>
services.hitch.ciphers

The list of ciphers to use

Type: string

Default: "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/hitch/default.nix>
services.hitch.extraConfig

Additional configuration lines

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/hitch/default.nix>
services.hitch.frontend

The port and interface of the listen endpoint in the form [HOST]:PORT[+CERT].

Type: string or list of string

Default: "[127.0.0.1]:443"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/hitch/default.nix>
services.hitch.group

The group to run as

Type: string

Default: "hitch"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/hitch/default.nix>
services.hitch.ocsp-stapling.enabled

Whether to enable OCSP Stapling

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/hitch/default.nix>
services.hitch.pem-files

PEM files to use

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/hitch/default.nix>
services.hitch.user

The user to run as

Type: string

Default: "hitch"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/hitch/default.nix>
services.hledger-web.enable

Whether to enable hledger-web service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hledger-web.nix>
services.hledger-web.allow

User’s access level for changing data.

  • view: view only permission.

  • add: view and add permissions.

  • edit: view, add, and edit permissions.

  • sandstorm: permissions from the X-Sandstorm-Permissions request header.

Type: one of “view”, “add”, “edit”, “sandstorm”

Default: "view"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hledger-web.nix>
services.hledger-web.baseUrl

Base URL, when sharing over a network.

Type: null or string

Default: null

Example: "https://example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hledger-web.nix>
services.hledger-web.extraOptions

Extra command line arguments to pass to hledger-web.

Type: list of string

Default: [ ]

Example:

[
  "--forecast"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hledger-web.nix>
services.hledger-web.host

Address to listen on.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hledger-web.nix>
services.hledger-web.journalFiles

Paths to journal files relative to services.hledger-web.stateDir.

Type: list of string

Default:

[
  ".hledger.journal"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hledger-web.nix>
services.hledger-web.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5000

Example: 80

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hledger-web.nix>
services.hledger-web.serveApi

Whether to enable serving only the JSON web API, without the web UI.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hledger-web.nix>
services.hledger-web.stateDir

Path the service has access to. If left as the default value this directory will automatically be created before the hledger-web server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path

Default: "/var/lib/hledger-web"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/hledger-web.nix>
services.hockeypuck.enable

Whether to enable Hockeypuck OpenPGP Key Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/hockeypuck.nix>
services.hockeypuck.port

HKP port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 11371

Declared by:

<nixpkgs/nixos/modules/services/security/hockeypuck.nix>
services.hockeypuck.settings

Configuration file for hockeypuck, here you can override certain settings (loglevel and openpgp.db.dsn) by just setting those values.

For other settings you need to use lib.mkForce to override them.

This service doesn’t provision or enable postgres on your system, it rather assumes that you enable postgres and create the database yourself.

Example:

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "hockeypuck" ];
    ensureUsers = [{
      name = "hockeypuck";
      ensureDBOwnership = true;
    }];
  };

Type: TOML value

Default: { }

Example:

{
  hockeypuck = {
    loglevel = "INFO";
    logfile = "/var/log/hockeypuck/hockeypuck.log";
    indexTemplate = "${pkgs.hockeypuck-web}/share/templates/index.html.tmpl";
    vindexTemplate = "${pkgs.hockeypuck-web}/share/templates/index.html.tmpl";
    statsTemplate = "${pkgs.hockeypuck-web}/share/templates/stats.html.tmpl";
    webroot = "${pkgs.hockeypuck-web}/share/webroot";

    hkp.bind = ":${toString cfg.port}";

    openpgp.db = {
      driver = "postgres-jsonb";
      dsn = "database=hockeypuck host=/var/run/postgresql sslmode=disable";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/security/hockeypuck.nix>
services.hologram-agent.enable

Whether to enable the Hologram agent for AWS instance credentials

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-agent.nix>
services.hologram-agent.dialAddress

Hologram server and port.

Type: string

Default: "localhost:3100"

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-agent.nix>
services.hologram-agent.httpPort

Port for metadata service to listen on.

Type: string

Default: "80"

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-agent.nix>
services.hologram-server.enable

Whether to enable the Hologram server for AWS instance credentials

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.enableLdapRoles

Whether to assign user roles based on the user’s LDAP group memberships

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.awsAccount

AWS account number

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.awsDefaultRole

AWS default role

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.cacheTimeoutSeconds

How often (in seconds) to refresh the LDAP cache

Type: signed integer

Default: 3600

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.groupClassAttr

The objectclass attribute to search for groups when enableLdapRoles is true

Type: string

Default: "groupOfNames"

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.ldapBaseDN

The base DN for your Hologram users

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.ldapBindDN

DN of account to use to query the LDAP server

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.ldapBindPassword

Password of account to use to query the LDAP server

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.ldapHost

Address of the LDAP server to use

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.ldapInsecure

Whether to connect to LDAP over SSL or not

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.ldapUserAttr

The LDAP attribute for usernames

Type: string

Default: "cn"

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.listenAddress

Address and port to listen on

Type: string

Default: "0.0.0.0:3100"

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.roleAttr

Which LDAP group attribute to search for authorized role ARNs

Type: string

Default: "businessCategory"

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.hologram-server.statsAddress

Address of statsd server

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/security/hologram-server.nix>
services.home-assistant.enable

Whether to enable Home Assistant. Please note that this installation method is unsupported upstream.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.package

The Home Assistant package to use.

Type: package

Default:

pkgs.home-assistant.overrideAttrs (oldAttrs: {
  doInstallCheck = false;
})

Example:

pkgs.home-assistant.override {
  extraPackages = python3Packages: with python3Packages; [
    psycopg2
  ];
  extraComponents = [
    "default_config"
    "esphome"
    "met"
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.config

Your configuration.yaml as a Nix attribute set.

YAML functions like secrets can be passed as a string and will be unquoted automatically.

Unless this option is explicitly set to null we assume your configuration.yaml is managed through this module and thereby overwritten on startup.

Type: null or (YAML value)

Example:

{
  homeassistant = {
    name = "Home";
    latitude = "!secret latitude";
    longitude = "!secret longitude";
    elevation = "!secret elevation";
    unit_system = "metric";
    time_zone = "UTC";
  };
  frontend = {
    themes = "!include_dir_merge_named themes";
  };
  http = {};
  feedreader.urls = [ "https://nixos.org/blogs.xml" ];
}

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.config.homeassistant.latitude

Latitude of your location required to calculate the time the sun rises and sets.

Type: null or floating point number or string

Default: null

Example: 52.3

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.config.homeassistant.longitude

Longitude of your location required to calculate the time the sun rises and sets.

Type: null or floating point number or string

Default: null

Example: 4.9

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.config.homeassistant.name

Name of the location where Home Assistant is running.

Type: null or string

Default: null

Example: "Home"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.config.homeassistant.temperature_unit

Override temperature unit set by unit_system. C for Celsius, F for Fahrenheit.

Type: null or one of “C”, “F”

Default: null

Example: "C"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.config.homeassistant.time_zone

Pick your time zone from the column TZ of Wikipedia’s list of tz database time zones.

Type: null or string

Default:

config.time.timeZone or null

Example: "Europe/Amsterdam"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.config.homeassistant.unit_system

The unit system to use. This also sets temperature_unit, Celsius for Metric and Fahrenheit for Imperial.

Type: null or one of “metric”, “imperial”

Default: null

Example: "metric"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.config.http.server_host

Only listen to incoming requests on specific IP/host. The default listed assumes support for IPv4 and IPv6.

Type: string or list of string

Default:

[
  "0.0.0.0"
  "::"
]

Example: "::1"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.config.http.server_port

The port on which to listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8123

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.config.lovelace.mode

In what mode should the main Lovelace panel be, yaml or storage (UI managed).

Type: one of “yaml”, “storage”

Default:

if cfg.lovelaceConfig != null
  then "yaml"
else "storage";

Example: "yaml"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.configDir

The config directory, where your configuration.yaml is located.

Type: path

Default: "/var/lib/hass"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.configWritable

Whether to make configuration.yaml writable.

This will allow you to edit it from Home Assistant’s web interface.

This only has an effect if config is set. However, bear in mind that it will be overwritten at every start of the service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.customComponents

List of custom component packages to install.

Available components can be found below pkgs.home-assistant-custom-components.

Type: list of package that is a Home Assistant component

Default: [ ]

Example:

with pkgs.home-assistant-custom-components; [
  prometheus_sensor
];

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.customLovelaceModules

List of custom lovelace card packages to load as lovelace resources.

Available cards can be found below pkgs.home-assistant-custom-lovelace-modules.

Note

Automatic loading only works with lovelace in yaml mode.

Type: list of package

Default: [ ]

Example:

with pkgs.home-assistant-custom-lovelace-modules; [
  mini-graph-card
  mini-media-player
];

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.defaultIntegrations

List of integrations set are always set up, unless in recovery mode.

Type: list of (one of “3_day_blinds”, “abode”, “accuweather”, “acer_projector”, “acmeda”, “acomax”, “actiontec”, “adax”, “adguard”, “ads”, “advantage_air”, “aemet”, “aep_ohio”, “aep_texas”, “aftership”, “agent_dvr”, “air_quality”, “airgradient”, “airly”, “airnow”, “airq”, “airthings”, “airthings_ble”, “airtouch4”, “airtouch5”, “airvisual”, “airvisual_pro”, “airzone”, “airzone_cloud”, “aladdin_connect”, “alarm_control_panel”, “alarmdecoder”, “alert”, “alexa”, “alpha_vantage”, “amazon_polly”, “amberelectric”, “ambient_network”, “ambient_station”, “amcrest”, “amp_motorization”, “ampio”, “analytics”, “analytics_insights”, “android_ip_webcam”, “androidtv”, “androidtv_remote”, “anel_pwrctrl”, “anova”, “anthemav”, “anthropic”, “anwb_energie”, “aosmith”, “apache_kafka”, “apcupsd”, “api”, “appalachianpower”, “apple_tv”, “application_credentials”, “apprise”, “aprilaire”, “aprs”, “aps”, “apsystems”, “aquacell”, “aqualogic”, “aquostv”, “aranet”, “arcam_fmj”, “arest”, “arris_tg2492lg”, “artsound”, “aruba”, “arve”, “arwn”, “aseko_pool_live”, “assist_pipeline”, “assist_satellite”, “asuswrt”, “atag”, “aten_pe”, “atlanticcityelectric”, “atome”, “august”, “august_ble”, “aurora”, “aurora_abb_powerone”, “aussie_broadband”, “autarco”, “auth”, “automation”, “avea”, “avion”, “awair”, “aws”, “axis”, “azure_data_explorer”, “azure_devops”, “azure_event_hub”, “azure_service_bus”, “backup”, “baf”, “baidu”, “balboa”, “bang_olufsen”, “bayesian”, “bbox”, “beewi_smartclim”, “bge”, “binary_sensor”, “bitcoin”, “bizkaibus”, “blackbird”, “blebox”, “blink”, “bliss_automation”, “bloc_blinds”, “blockchain”, “blue_current”, “bluemaestro”, “blueprint”, “bluesound”, “bluetooth”, “bluetooth_adapters”, “bluetooth_le_tracker”, “bluetooth_tracker”, “bmw_connected_drive”, “bond”, “bosch_shc”, “brandt”, “braviatv”, “brel_home”, “bring”, “broadlink”, “brother”, “brottsplatskartan”, “browser”, “brunt”, “bryant_evolution”, “bsblan”, “bswitch”, “bt_home_hub_5”, “bt_smarthub”, “bthome”, “bticino”, “bubendorff”, “buienradar”, “button”, “caldav”, “calendar”, “cambridge_audio”, “camera”, “canary”, “cast”, “ccm15”, “cert_expiry”, “chacon_dio”, “channels”, “cisco_ios”, “cisco_mobility_express”, “cisco_webex_teams”, “citybikes”, “clementine”, “clickatell”, “clicksend”, “clicksend_tts”, “climate”, “cloud”, “cloudflare”, “cmus”, “co2signal”, “coautilities”, “coinbase”, “color_extractor”, “comed”, “comed_hourly_pricing”, “comelit”, “comfoconnect”, “command_line”, “compensation”, “concord232”, “coned”, “config”, “configurator”, “control4”, “conversation”, “coolmaster”, “counter”, “cover”, “cozytouch”, “cppm_tracker”, “cpuspeed”, “cribl”, “crownstone”, “cups”, “currencylayer”, “dacia”, “daikin”, “danfoss_air”, “datadog”, “date”, “datetime”, “ddwrt”, “deako”, “debugpy”, “deconz”, “decora”, “decora_wifi”, “default_config”, “delijn”, “delmarva”, “deluge”, “demo”, “denon”, “denonavr”, “derivative”, “devialet”, “device_automation”, “device_sun_light_trigger”, “device_tracker”, “devolo_home_control”, “devolo_home_network”, “dexcom”, “dhcp”, “diagnostics”, “dialogflow”, “diaz”, “digital_loggers”, “digital_ocean”, “directv”, “discogs”, “discord”, “discovergy”, “dlib_face_detect”, “dlib_face_identify”, “dlink”, “dlna_dmr”, “dlna_dms”, “dnsip”, “dominos”, “doods”, “doorbird”, “dooya”, “dormakaba_dkey”, “downloader”, “dremel_3d_printer”, “drop_connect”, “dsmr”, “dsmr_reader”, “dte_energy_bridge”, “dublin_bus_transport”, “duckdns”, “duke_energy”, “dunehd”, “duotecno”, “duquesne_light”, “dwd_weather_warnings”, “dweet”, “dynalite”, “eafm”, “eastron”, “easyenergy”, “ebox”, “ebusd”, “ecoal_boiler”, “ecobee”, “ecoforest”, “econet”, “ecovacs”, “ecowitt”, “eddystone_temperature”, “edimax”, “edl21”, “efergy”, “egardia”, “eight_sleep”, “electrasmart”, “electric_kiwi”, “elevenlabs”, “elgato”, “eliqonline”, “elkm1”, “elmax”, “elv”, “elvia”, “emby”, “emoncms”, “emoncms_history”, “emonitor”, “emulated_hue”, “emulated_kasa”, “emulated_roku”, “energenie_power_sockets”, “energie_vanons”, “energy”, “energyzero”, “enigma2”, “enmax”, “enocean”, “enphase_envoy”, “entur_public_transport”, “environment_canada”, “envisalink”, “ephember”, “epic_games_store”, “epion”, “epson”, “eq3btsmart”, “escea”, “esera_onewire”, “esphome”, “etherscan”, “eufy”, “eufylife_ble”, “event”, “evergy”, “everlights”, “evil_genius_labs”, “evohome”, “ezviz”, “faa_delays”, “facebook”, “fail2ban”, “familyhub”, “fan”, “fastdotcom”, “feedreader”, “ffmpeg”, “ffmpeg_motion”, “ffmpeg_noise”, “fibaro”, “fido”, “file”, “file_upload”, “filesize”, “filter”, “fints”, “fire_tv”, “fireservicerota”, “firmata”, “fitbit”, “fivem”, “fixer”, “fjaraskupan”, “fleetgo”, “flexit”, “flexit_bacnet”, “flexom”, “flic”, “flick_electric”, “flipr”, “flo”, “flock”, “flume”, “flux”, “flux_led”, “folder”, “folder_watcher”, “foobot”, “forecast_solar”, “forked_daapd”, “fortios”, “foscam”, “foursquare”, “free_mobile”, “freebox”, “freedns”, “freedompro”, “fritz”, “fritzbox”, “fritzbox_callmonitor”, “fronius”, “frontend”, “frontier_silicon”, “fujitsu_anywair”, “fujitsu_fglair”, “fully_kiosk”, “futurenow”, “fyta”, “garadget”, “garages_amsterdam”, “gardena_bluetooth”, “gaviota”, “gc100”, “gdacs”, “generic”, “generic_hygrostat”, “generic_thermostat”, “geniushub”, “geo_json_events”, “geo_location”, “geo_rss_events”, “geocaching”, “geofency”, “geonetnz_quakes”, “geonetnz_volcano”, “gios”, “github”, “gitlab_ci”, “gitter”, “glances”, “go2rtc”, “goalzero”, “gogogate2”, “goodwe”, “google”, “google_assistant”, “google_assistant_sdk”, “google_cloud”, “google_generative_ai_conversation”, “google_mail”, “google_maps”, “google_photos”, “google_pubsub”, “google_sheets”, “google_tasks”, “google_translate”, “google_travel_time”, “google_wifi”, “govee_ble”, “govee_light_local”, “gpsd”, “gpslogger”, “graphite”, “gree”, “greeneye_monitor”, “greenwave”, “group”, “growatt_server”, “gstreamer”, “gtfs”, “guardian”, “habitica”, “hardkernel”, “hardware”, “harman_kardon_avr”, “harmony”, “hassio”, “havana_shade”, “haveibeenpwned”, “hddtemp”, “hdmi_cec”, “heatmiser”, “heiwa”, “heos”, “here_travel_time”, “hexaom”, “hi_kumo”, “hikvision”, “hikvisioncam”, “hisense_aehw4a1”, “history”, “history_stats”, “hitron_coda”, “hive”, “hko”, “hlk_sw16”, “holiday”, “home_connect”, “home_plus_control”, “homeassistant”, “homeassistant_alerts”, “homeassistant_green”, “homeassistant_hardware”, “homeassistant_sky_connect”, “homeassistant_yellow”, “homekit”, “homekit_controller”, “homematic”, “homematicip_cloud”, “homewizard”, “homeworks”, “honeywell”, “horizon”, “hp_ilo”, “html5”, “http”, “huawei_lte”, “hue”, “huisbaasje”, “humidifier”, “hunterdouglas_powerview”, “hurrican_shutters_wholesale”, “husqvarna_automower”, “husqvarna_automower_ble”, “huum”, “hvv_departures”, “hydrawise”, “hyperion”, “ialarm”, “iammeter”, “iaqualink”, “ibeacon”, “icloud”, “idasen_desk”, “idteck_prox”, “ifttt”, “iglo”, “ign_sismologia”, “ihc”, “image”, “image_processing”, “image_upload”, “imap”, “imgw_pib”, “improv_ble”, “incomfort”, “indianamichiganpower”, “influxdb”, “inkbird”, “input_boolean”, “input_button”, “input_datetime”, “input_number”, “input_select”, “input_text”, “inspired_shades”, “insteon”, “integration”, “intellifire”, “intent”, “intent_script”, “intesishome”, “ios”, “iotawatt”, “iotty”, “iperf3”, “ipma”, “ipp”, “iqvia”, “irish_rail_transport”, “iron_os”, “isal”, “iskra”, “islamic_prayer_times”, “ismartwindow”, “israel_rail”, “iss”, “ista_ecotrend”, “isy994”, “itach”, “itunes”, “izone”, “jellyfin”, “jewish_calendar”, “joaoapps_join”, “juicenet”, “justnimbus”, “jvc_projector”, “kaiterra”, “kaleidescape”, “kankun”, “keba”, “keenetic_ndms2”, “kef”, “kegtron”, “kentuckypower”, “keyboard”, “keyboard_remote”, “keymitt_ble”, “kira”, “kitchen_sink”, “kiwi”, “kmtronic”, “knocki”, “knx”, “kodi”, “konnected”, “kostal_plenticore”, “kraken”, “krispol”, “kulersky”, “kwb”, “lacrosse”, “lacrosse_view”, “lamarzocco”, “lametric”, “landisgyr_heat_meter”, “lannouncer”, “lastfm”, “launch_library”, “laundrify”, “lawn_mower”, “lcn”, “ld2410_ble”, “leaone”, “led_ble”, “legrand”, “lektrico”, “lg_netcast”, “lg_soundbar”, “lg_thinq”, “lidarr”, “life360”, “lifx”, “lifx_cloud”, “light”, “lightwave”, “limitlessled”, “linear_garage_door”, “linkplay”, “linksys_smart”, “linode”, “linux_battery”, “lirc”, “litejet”, “litterrobot”, “livisi”, “llamalab_automate”, “local_calendar”, “local_file”, “local_ip”, “local_todo”, “locative”, “lock”, “logbook”, “logentries”, “logger”, “london_air”, “london_underground”, “lookin”, “loqed”, “lovelace”, “luci”, “luftdaten”, “lupusec”, “lutron”, “lutron_caseta”, “luxaflex”, “lw12wifi”, “lyric”, “madeco”, “madvr”, “mailgun”, “manual”, “manual_mqtt”, “marantz”, “martec”, “marytts”, “mastodon”, “matrix”, “matter”, “maxcube”, “mazda”, “mealie”, “meater”, “medcom_ble”, “media_extractor”, “media_player”, “media_source”, “mediaroom”, “melcloud”, “melissa”, “melnor”, “meraki”, “mercury_nz”, “message_bird”, “met”, “met_eireann”, “meteo_france”, “meteoalarm”, “meteoclimatic”, “metoffice”, “mfi”, “microbees”, “microsoft”, “microsoft_face”, “microsoft_face_detect”, “microsoft_face_identify”, “mijndomein_energie”, “mikrotik”, “mill”, “min_max”, “minecraft_server”, “mini_connected”, “minio”, “mjpeg”, “moat”, “mobile_app”, “mochad”, “modbus”, “modem_callerid”, “modern_forms”, “moehlenhoff_alpha2”, “mold_indicator”, “monarch_money”, “monessen”, “monoprice”, “monzo”, “moon”, “mopeka”, “motion_blinds”, “motionblinds_ble”, “motioneye”, “motionmount”, “mpd”, “mqtt”, “mqtt_eventstream”, “mqtt_json”, “mqtt_room”, “mqtt_statestream”, “msteams”, “mullvad”, “mutesync”, “my”, “myq”, “mysensors”, “mystrom”, “mythicbeastsdns”, “myuplink”, “nad”, “nam”, “namecheapdns”, “nanoleaf”, “neato”, “nederlandse_spoorwegen”, “ness_alarm”, “nest”, “netatmo”, “netdata”, “netgear”, “netgear_lte”, “netio”, “network”, “neurio_energy”, “nexia”, “nexity”, “nextbus”, “nextcloud”, “nextdns”, “nfandroidtv”, “nibe_heatpump”, “nice_go”, “nightscout”, “niko_home_control”, “nilu”, “nina”, “nissan_leaf”, “nmap_tracker”, “nmbs”, “no_ip”, “noaa_tides”, “nobo_hub”, “norway_air”, “notify”, “notify_events”, “notion”, “nsw_fuel_station”, “nsw_rural_fire_service_feed”, “nuheat”, “nuki”, “numato”, “number”, “nut”, “nutrichef”, “nws”, “nx584”, “nyt_games”, “nzbget”, “oasa_telematics”, “obihai”, “octoprint”, “oem”, “ohmconnect”, “ollama”, “ombi”, “omnilogic”, “onboarding”, “oncue”, “ondilo_ico”, “onewire”, “onkyo”, “onvif”, “open_meteo”, “openai_conversation”, “openalpr_cloud”, “openerz”, “openevse”, “openexchangerates”, “opengarage”, “openhardwaremonitor”, “openhome”, “opensensemap”, “opensky”, “opentherm_gw”, “openuv”, “openweathermap”, “opnsense”, “opower”, “opple”, “oralb”, “oru”, “oru_opower”, “orvibo”, “osoenergy”, “osramlightify”, “otbr”, “otp”, “ourgroceries”, “overkiz”, “ovo_energy”, “owntracks”, “p1_monitor”, “palazzetti”, “panasonic_bluray”, “panasonic_viera”, “pandora”, “panel_custom”, “pcs_lighting”, “peco”, “peco_opower”, “pegel_online”, “pencom”, “pepco”, “permobil”, “persistent_notification”, “person”, “pge”, “philips_js”, “pi_hole”, “picnic”, “picotts”, “pilight”, “pinecil”, “ping”, “pioneer”, “piper”, “pjlink”, “plaato”, “plant”, “plex”, “plugwise”, “plum_lightpad”, “pocketcasts”, “point”, “poolsense”, “portlandgeneral”, “powerwall”, “private_ble_device”, “profiler”, “progettihwsw”, “proliphix”, “prometheus”, “prosegur”, “prowl”, “proximity”, “proxmoxve”, “proxy”, “prusalink”, “ps4”, “pse”, “psoklahoma”, “pulseaudio_loopback”, “pure_energie”, “purpleair”, “push”, “pushbullet”, “pushover”, “pushsafer”, “pvoutput”, “pvpc_hourly_pricing”, “pyload”, “python_script”, “qbittorrent”, “qingping”, “qld_bushfire”, “qnap”, “qnap_qsw”, “qrcode”, “quadrafire”, “quantum_gateway”, “qvr_pro”, “qwikswitch”, “rabbitair”, “rachio”, “radarr”, “radio_browser”, “radiotherm”, “rainbird”, “raincloud”, “rainforest_eagle”, “rainforest_raven”, “rainmachine”, “random”, “rapt_ble”, “raspberry_pi”, “raspyrfm”, “raven_rock_mfg”, “rdw”, “recollect_waste”, “recorder”, “recovery_mode”, “recswitch”, “reddit”, “refoss”, “rejseplanen”, “remember_the_milk”, “remote”, “remote_rpi_gpio”, “renault”, “renson”, “reolink”, “repairs”, “repetier”, “rest”, “rest_command”, “rexel”, “rflink”, “rfxtrx”, “rhasspy”, “ridwell”, “ring”, “ripple”, “risco”, “rituals_perfume_genie”, “rmvtransport”, “roborock”, “rocketchat”, “roku”, “romy”, “roomba”, “roon”, “route53”, “rova”, “rpi_camera”, “rpi_power”, “rss_feed_template”, “rtorrent”, “rtsp_to_webrtc”, “ruckus_unleashed”, “russound_rio”, “russound_rnet”, “ruuvi_gateway”, “ruuvitag_ble”, “rympro”, “sabnzbd”, “saj”, “samsam”, “samsungtv”, “sanix”, “satel_integra”, “scene”, “schedule”, “schlage”, “schluter”, “scl”, “scrape”, “screenaway”, “screenlogic”, “script”, “scsgate”, “search”, “season”, “select”, “sendgrid”, “sense”, “sensibo”, “sensirion_ble”, “sensor”, “sensorblue”, “sensorpro”, “sensorpush”, “sensoterra”, “sentry”, “senz”, “serial”, “serial_pm”, “sesame”, “seven_segments”, “seventeentrack”, “sfr_box”, “sharkiq”, “shell_command”, “shelly”, “shodan”, “shopping_list”, “sia”, “sigfox”, “sighthound”, “signal_messenger”, “simplefin”, “simplepush”, “simplisafe”, “simply_automated”, “simu”, “simulated”, “sinch”, “siren”, “sisyphus”, “sky_hub”, “skybeacon”, “skybell”, “slack”, “sleepiq”, “slide”, “slimproto”, “sma”, “smappee”, “smart_blinds”, “smart_home”, “smart_meter_texas”, “smarther”, “smartthings”, “smarttub”, “smarty”, “smhi”, “smlight”, “sms”, “smtp”, “smud”, “snapcast”, “snips”, “snmp”, “snooz”, “solaredge”, “solaredge_local”, “solarlog”, “solax”, “soma”, “somfy”, “somfy_mylink”, “sonarr”, “songpal”, “sonos”, “sony_projector”, “soundtouch”, “spaceapi”, “spc”, “speedtestdotnet”, “spider”, “splunk”, “spotify”, “sql”, “squeezebox”, “srp_energy”, “ssdp”, “starline”, “starlingbank”, “starlink”, “startca”, “statistics”, “statsd”, “steam_online”, “steamist”, “stiebel_eltron”, “stookalert”, “stookwijzer”, “stream”, “streamlabswater”, “stt”, “subaru”, “suez_water”, “sun”, “sunweg”, “supervisord”, “supla”, “surepetcare”, “swepco”, “swiss_hydrological_data”, “swiss_public_transport”, “swisscom”, “switch”, “switch_as_x”, “switchbee”, “switchbot”, “switchbot_cloud”, “switcher_kis”, “switchmate”, “symfonisk”, “syncthing”, “syncthru”, “synology_chat”, “synology_dsm”, “synology_srm”, “syslog”, “system_bridge”, “system_health”, “system_log”, “systemmonitor”, “tado”, “tag”, “tailscale”, “tailwind”, “tami4”, “tank_utility”, “tankerkoenig”, “tapsaff”, “tasmota”, “tautulli”, “tcp”, “technove”, “ted5000”, “tedee”, “telegram”, “telegram_bot”, “tellduslive”, “tellstick”, “telnet”, “temper”, “template”, “tensorflow”, “tesla_fleet”, “tesla_wall_connector”, “teslemetry”, “tessie”, “text”, “thermobeacon”, “thermoplus”, “thermopro”, “thethingsnetwork”, “thingspeak”, “thinkingcleaner”, “thomson”, “thread”, “threshold”, “tibber”, “tikteck”, “tile”, “tilt_ble”, “time”, “time_date”, “timer”, “tmb”, “tod”, “todo”, “todoist”, “tolo”, “tomato”, “tomorrowio”, “toon”, “torque”, “totalconnect”, “touchline”, “touchline_sl”, “tplink”, “tplink_lte”, “tplink_omada”, “tplink_tapo”, “traccar”, “traccar_server”, “trace”, “tractive”, “tradfri”, “trafikverket_camera”, “trafikverket_ferry”, “trafikverket_train”, “trafikverket_weatherstation”, “transmission”, “transport_nsw”, “travisci”, “trend”, “triggercmd”, “tts”, “tuya”, “twentemilieu”, “twilio”, “twilio_call”, “twilio_sms”, “twinkly”, “twitch”, “twitter”, “ubiwizz”, “ubus”, “uk_transport”, “ukraine_alarm”, “ultraloq”, “unifi”, “unifi_direct”, “unifiled”, “unifiprotect”, “universal”, “upb”, “upc_connect”, “upcloud”, “update”, “upnp”, “uprise_smart_shades”, “uptime”, “uptimerobot”, “usb”, “usgs_earthquakes_feed”, “utility_meter”, “uvc”, “v2c”, “vacuum”, “vallox”, “valve”, “vasttrafik”, “velbus”, “velux”, “venstar”, “vera”, “verisure”, “vermont_castings”, “versasense”, “version”, “vesync”, “viaggiatreno”, “vicare”, “vilfo”, “vivotek”, “vizio”, “vlc”, “vlc_telnet”, “vodafone_station”, “voicerss”, “voip”, “volkszaehler”, “volumio”, “volvooncall”, “vulcan”, “vultr”, “w800rf32”, “wake_on_lan”, “wake_word”, “wallbox”, “waqi”, “water_heater”, “waterfurnace”, “watson_iot”, “watttime”, “waze_travel_time”, “weather”, “weatherflow”, “weatherflow_cloud”, “weatherkit”, “webhook”, “webmin”, “webostv”, “websocket_api”, “weheat”, “wemo”, “whirlpool”, “whisper”, “whois”, “wiffi”, “wilight”, “wirelesstag”, “withings”, “wiz”, “wled”, “wmspro”, “wolflink”, “workday”, “worldclock”, “worldtidesinfo”, “worxlandroid”, “ws66i”, “wsdot”, “wyoming”, “x10”, “xbox”, “xeoma”, “xiaomi”, “xiaomi_aqara”, “xiaomi_ble”, “xiaomi_miio”, “xiaomi_tv”, “xmpp”, “xs1”, “yale”, “yale_home”, “yale_smart_alarm”, “yalexs_ble”, “yamaha”, “yamaha_musiccast”, “yandex_transport”, “yandextts”, “yardian”, “yeelight”, “yeelightsunflower”, “yi”, “yolink”, “youless”, “youtube”, “zabbix”, “zamg”, “zengge”, “zeroconf”, “zerproc”, “zestimate”, “zeversolar”, “zha”, “zhong_hong”, “ziggo_mediabox_xl”, “zodiac”, “zondergas”, “zone”, “zoneminder”, “zwave_js”, “zwave_me”) (read only)

Default:

[
  "application_credentials"
  "frontend"
  "hardware"
  "logger"
  "network"
  "system_health"
  "automation"
  "person"
  "scene"
  "script"
  "tag"
  "zone"
  "counter"
  "input_boolean"
  "input_button"
  "input_datetime"
  "input_number"
  "input_select"
  "input_text"
  "schedule"
  "timer"
  "backup"
]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.extraArgs

Extra arguments to pass to the hass executable.

Type: list of string

Default: [ ]

Example:

[
  "--debug"
]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.extraComponents

List of components that have their dependencies included in the package.

The component name can be found in the URL, for example https://www.home-assistant.io/integrations/ffmpeg/ would map to ffmpeg.

Type: list of (one of “3_day_blinds”, “abode”, “accuweather”, “acer_projector”, “acmeda”, “acomax”, “actiontec”, “adax”, “adguard”, “ads”, “advantage_air”, “aemet”, “aep_ohio”, “aep_texas”, “aftership”, “agent_dvr”, “air_quality”, “airgradient”, “airly”, “airnow”, “airq”, “airthings”, “airthings_ble”, “airtouch4”, “airtouch5”, “airvisual”, “airvisual_pro”, “airzone”, “airzone_cloud”, “aladdin_connect”, “alarm_control_panel”, “alarmdecoder”, “alert”, “alexa”, “alpha_vantage”, “amazon_polly”, “amberelectric”, “ambient_network”, “ambient_station”, “amcrest”, “amp_motorization”, “ampio”, “analytics”, “analytics_insights”, “android_ip_webcam”, “androidtv”, “androidtv_remote”, “anel_pwrctrl”, “anova”, “anthemav”, “anthropic”, “anwb_energie”, “aosmith”, “apache_kafka”, “apcupsd”, “api”, “appalachianpower”, “apple_tv”, “application_credentials”, “apprise”, “aprilaire”, “aprs”, “aps”, “apsystems”, “aquacell”, “aqualogic”, “aquostv”, “aranet”, “arcam_fmj”, “arest”, “arris_tg2492lg”, “artsound”, “aruba”, “arve”, “arwn”, “aseko_pool_live”, “assist_pipeline”, “assist_satellite”, “asuswrt”, “atag”, “aten_pe”, “atlanticcityelectric”, “atome”, “august”, “august_ble”, “aurora”, “aurora_abb_powerone”, “aussie_broadband”, “autarco”, “auth”, “automation”, “avea”, “avion”, “awair”, “aws”, “axis”, “azure_data_explorer”, “azure_devops”, “azure_event_hub”, “azure_service_bus”, “backup”, “baf”, “baidu”, “balboa”, “bang_olufsen”, “bayesian”, “bbox”, “beewi_smartclim”, “bge”, “binary_sensor”, “bitcoin”, “bizkaibus”, “blackbird”, “blebox”, “blink”, “bliss_automation”, “bloc_blinds”, “blockchain”, “blue_current”, “bluemaestro”, “blueprint”, “bluesound”, “bluetooth”, “bluetooth_adapters”, “bluetooth_le_tracker”, “bluetooth_tracker”, “bmw_connected_drive”, “bond”, “bosch_shc”, “brandt”, “braviatv”, “brel_home”, “bring”, “broadlink”, “brother”, “brottsplatskartan”, “browser”, “brunt”, “bryant_evolution”, “bsblan”, “bswitch”, “bt_home_hub_5”, “bt_smarthub”, “bthome”, “bticino”, “bubendorff”, “buienradar”, “button”, “caldav”, “calendar”, “cambridge_audio”, “camera”, “canary”, “cast”, “ccm15”, “cert_expiry”, “chacon_dio”, “channels”, “cisco_ios”, “cisco_mobility_express”, “cisco_webex_teams”, “citybikes”, “clementine”, “clickatell”, “clicksend”, “clicksend_tts”, “climate”, “cloud”, “cloudflare”, “cmus”, “co2signal”, “coautilities”, “coinbase”, “color_extractor”, “comed”, “comed_hourly_pricing”, “comelit”, “comfoconnect”, “command_line”, “compensation”, “concord232”, “coned”, “config”, “configurator”, “control4”, “conversation”, “coolmaster”, “counter”, “cover”, “cozytouch”, “cppm_tracker”, “cpuspeed”, “cribl”, “crownstone”, “cups”, “currencylayer”, “dacia”, “daikin”, “danfoss_air”, “datadog”, “date”, “datetime”, “ddwrt”, “deako”, “debugpy”, “deconz”, “decora”, “decora_wifi”, “default_config”, “delijn”, “delmarva”, “deluge”, “demo”, “denon”, “denonavr”, “derivative”, “devialet”, “device_automation”, “device_sun_light_trigger”, “device_tracker”, “devolo_home_control”, “devolo_home_network”, “dexcom”, “dhcp”, “diagnostics”, “dialogflow”, “diaz”, “digital_loggers”, “digital_ocean”, “directv”, “discogs”, “discord”, “discovergy”, “dlib_face_detect”, “dlib_face_identify”, “dlink”, “dlna_dmr”, “dlna_dms”, “dnsip”, “dominos”, “doods”, “doorbird”, “dooya”, “dormakaba_dkey”, “downloader”, “dremel_3d_printer”, “drop_connect”, “dsmr”, “dsmr_reader”, “dte_energy_bridge”, “dublin_bus_transport”, “duckdns”, “duke_energy”, “dunehd”, “duotecno”, “duquesne_light”, “dwd_weather_warnings”, “dweet”, “dynalite”, “eafm”, “eastron”, “easyenergy”, “ebox”, “ebusd”, “ecoal_boiler”, “ecobee”, “ecoforest”, “econet”, “ecovacs”, “ecowitt”, “eddystone_temperature”, “edimax”, “edl21”, “efergy”, “egardia”, “eight_sleep”, “electrasmart”, “electric_kiwi”, “elevenlabs”, “elgato”, “eliqonline”, “elkm1”, “elmax”, “elv”, “elvia”, “emby”, “emoncms”, “emoncms_history”, “emonitor”, “emulated_hue”, “emulated_kasa”, “emulated_roku”, “energenie_power_sockets”, “energie_vanons”, “energy”, “energyzero”, “enigma2”, “enmax”, “enocean”, “enphase_envoy”, “entur_public_transport”, “environment_canada”, “envisalink”, “ephember”, “epic_games_store”, “epion”, “epson”, “eq3btsmart”, “escea”, “esera_onewire”, “esphome”, “etherscan”, “eufy”, “eufylife_ble”, “event”, “evergy”, “everlights”, “evil_genius_labs”, “evohome”, “ezviz”, “faa_delays”, “facebook”, “fail2ban”, “familyhub”, “fan”, “fastdotcom”, “feedreader”, “ffmpeg”, “ffmpeg_motion”, “ffmpeg_noise”, “fibaro”, “fido”, “file”, “file_upload”, “filesize”, “filter”, “fints”, “fire_tv”, “fireservicerota”, “firmata”, “fitbit”, “fivem”, “fixer”, “fjaraskupan”, “fleetgo”, “flexit”, “flexit_bacnet”, “flexom”, “flic”, “flick_electric”, “flipr”, “flo”, “flock”, “flume”, “flux”, “flux_led”, “folder”, “folder_watcher”, “foobot”, “forecast_solar”, “forked_daapd”, “fortios”, “foscam”, “foursquare”, “free_mobile”, “freebox”, “freedns”, “freedompro”, “fritz”, “fritzbox”, “fritzbox_callmonitor”, “fronius”, “frontend”, “frontier_silicon”, “fujitsu_anywair”, “fujitsu_fglair”, “fully_kiosk”, “futurenow”, “fyta”, “garadget”, “garages_amsterdam”, “gardena_bluetooth”, “gaviota”, “gc100”, “gdacs”, “generic”, “generic_hygrostat”, “generic_thermostat”, “geniushub”, “geo_json_events”, “geo_location”, “geo_rss_events”, “geocaching”, “geofency”, “geonetnz_quakes”, “geonetnz_volcano”, “gios”, “github”, “gitlab_ci”, “gitter”, “glances”, “go2rtc”, “goalzero”, “gogogate2”, “goodwe”, “google”, “google_assistant”, “google_assistant_sdk”, “google_cloud”, “google_generative_ai_conversation”, “google_mail”, “google_maps”, “google_photos”, “google_pubsub”, “google_sheets”, “google_tasks”, “google_translate”, “google_travel_time”, “google_wifi”, “govee_ble”, “govee_light_local”, “gpsd”, “gpslogger”, “graphite”, “gree”, “greeneye_monitor”, “greenwave”, “group”, “growatt_server”, “gstreamer”, “gtfs”, “guardian”, “habitica”, “hardkernel”, “hardware”, “harman_kardon_avr”, “harmony”, “hassio”, “havana_shade”, “haveibeenpwned”, “hddtemp”, “hdmi_cec”, “heatmiser”, “heiwa”, “heos”, “here_travel_time”, “hexaom”, “hi_kumo”, “hikvision”, “hikvisioncam”, “hisense_aehw4a1”, “history”, “history_stats”, “hitron_coda”, “hive”, “hko”, “hlk_sw16”, “holiday”, “home_connect”, “home_plus_control”, “homeassistant”, “homeassistant_alerts”, “homeassistant_green”, “homeassistant_hardware”, “homeassistant_sky_connect”, “homeassistant_yellow”, “homekit”, “homekit_controller”, “homematic”, “homematicip_cloud”, “homewizard”, “homeworks”, “honeywell”, “horizon”, “hp_ilo”, “html5”, “http”, “huawei_lte”, “hue”, “huisbaasje”, “humidifier”, “hunterdouglas_powerview”, “hurrican_shutters_wholesale”, “husqvarna_automower”, “husqvarna_automower_ble”, “huum”, “hvv_departures”, “hydrawise”, “hyperion”, “ialarm”, “iammeter”, “iaqualink”, “ibeacon”, “icloud”, “idasen_desk”, “idteck_prox”, “ifttt”, “iglo”, “ign_sismologia”, “ihc”, “image”, “image_processing”, “image_upload”, “imap”, “imgw_pib”, “improv_ble”, “incomfort”, “indianamichiganpower”, “influxdb”, “inkbird”, “input_boolean”, “input_button”, “input_datetime”, “input_number”, “input_select”, “input_text”, “inspired_shades”, “insteon”, “integration”, “intellifire”, “intent”, “intent_script”, “intesishome”, “ios”, “iotawatt”, “iotty”, “iperf3”, “ipma”, “ipp”, “iqvia”, “irish_rail_transport”, “iron_os”, “isal”, “iskra”, “islamic_prayer_times”, “ismartwindow”, “israel_rail”, “iss”, “ista_ecotrend”, “isy994”, “itach”, “itunes”, “izone”, “jellyfin”, “jewish_calendar”, “joaoapps_join”, “juicenet”, “justnimbus”, “jvc_projector”, “kaiterra”, “kaleidescape”, “kankun”, “keba”, “keenetic_ndms2”, “kef”, “kegtron”, “kentuckypower”, “keyboard”, “keyboard_remote”, “keymitt_ble”, “kira”, “kitchen_sink”, “kiwi”, “kmtronic”, “knocki”, “knx”, “kodi”, “konnected”, “kostal_plenticore”, “kraken”, “krispol”, “kulersky”, “kwb”, “lacrosse”, “lacrosse_view”, “lamarzocco”, “lametric”, “landisgyr_heat_meter”, “lannouncer”, “lastfm”, “launch_library”, “laundrify”, “lawn_mower”, “lcn”, “ld2410_ble”, “leaone”, “led_ble”, “legrand”, “lektrico”, “lg_netcast”, “lg_soundbar”, “lg_thinq”, “lidarr”, “life360”, “lifx”, “lifx_cloud”, “light”, “lightwave”, “limitlessled”, “linear_garage_door”, “linkplay”, “linksys_smart”, “linode”, “linux_battery”, “lirc”, “litejet”, “litterrobot”, “livisi”, “llamalab_automate”, “local_calendar”, “local_file”, “local_ip”, “local_todo”, “locative”, “lock”, “logbook”, “logentries”, “logger”, “london_air”, “london_underground”, “lookin”, “loqed”, “lovelace”, “luci”, “luftdaten”, “lupusec”, “lutron”, “lutron_caseta”, “luxaflex”, “lw12wifi”, “lyric”, “madeco”, “madvr”, “mailgun”, “manual”, “manual_mqtt”, “marantz”, “martec”, “marytts”, “mastodon”, “matrix”, “matter”, “maxcube”, “mazda”, “mealie”, “meater”, “medcom_ble”, “media_extractor”, “media_player”, “media_source”, “mediaroom”, “melcloud”, “melissa”, “melnor”, “meraki”, “mercury_nz”, “message_bird”, “met”, “met_eireann”, “meteo_france”, “meteoalarm”, “meteoclimatic”, “metoffice”, “mfi”, “microbees”, “microsoft”, “microsoft_face”, “microsoft_face_detect”, “microsoft_face_identify”, “mijndomein_energie”, “mikrotik”, “mill”, “min_max”, “minecraft_server”, “mini_connected”, “minio”, “mjpeg”, “moat”, “mobile_app”, “mochad”, “modbus”, “modem_callerid”, “modern_forms”, “moehlenhoff_alpha2”, “mold_indicator”, “monarch_money”, “monessen”, “monoprice”, “monzo”, “moon”, “mopeka”, “motion_blinds”, “motionblinds_ble”, “motioneye”, “motionmount”, “mpd”, “mqtt”, “mqtt_eventstream”, “mqtt_json”, “mqtt_room”, “mqtt_statestream”, “msteams”, “mullvad”, “mutesync”, “my”, “myq”, “mysensors”, “mystrom”, “mythicbeastsdns”, “myuplink”, “nad”, “nam”, “namecheapdns”, “nanoleaf”, “neato”, “nederlandse_spoorwegen”, “ness_alarm”, “nest”, “netatmo”, “netdata”, “netgear”, “netgear_lte”, “netio”, “network”, “neurio_energy”, “nexia”, “nexity”, “nextbus”, “nextcloud”, “nextdns”, “nfandroidtv”, “nibe_heatpump”, “nice_go”, “nightscout”, “niko_home_control”, “nilu”, “nina”, “nissan_leaf”, “nmap_tracker”, “nmbs”, “no_ip”, “noaa_tides”, “nobo_hub”, “norway_air”, “notify”, “notify_events”, “notion”, “nsw_fuel_station”, “nsw_rural_fire_service_feed”, “nuheat”, “nuki”, “numato”, “number”, “nut”, “nutrichef”, “nws”, “nx584”, “nyt_games”, “nzbget”, “oasa_telematics”, “obihai”, “octoprint”, “oem”, “ohmconnect”, “ollama”, “ombi”, “omnilogic”, “onboarding”, “oncue”, “ondilo_ico”, “onewire”, “onkyo”, “onvif”, “open_meteo”, “openai_conversation”, “openalpr_cloud”, “openerz”, “openevse”, “openexchangerates”, “opengarage”, “openhardwaremonitor”, “openhome”, “opensensemap”, “opensky”, “opentherm_gw”, “openuv”, “openweathermap”, “opnsense”, “opower”, “opple”, “oralb”, “oru”, “oru_opower”, “orvibo”, “osoenergy”, “osramlightify”, “otbr”, “otp”, “ourgroceries”, “overkiz”, “ovo_energy”, “owntracks”, “p1_monitor”, “palazzetti”, “panasonic_bluray”, “panasonic_viera”, “pandora”, “panel_custom”, “pcs_lighting”, “peco”, “peco_opower”, “pegel_online”, “pencom”, “pepco”, “permobil”, “persistent_notification”, “person”, “pge”, “philips_js”, “pi_hole”, “picnic”, “picotts”, “pilight”, “pinecil”, “ping”, “pioneer”, “piper”, “pjlink”, “plaato”, “plant”, “plex”, “plugwise”, “plum_lightpad”, “pocketcasts”, “point”, “poolsense”, “portlandgeneral”, “powerwall”, “private_ble_device”, “profiler”, “progettihwsw”, “proliphix”, “prometheus”, “prosegur”, “prowl”, “proximity”, “proxmoxve”, “proxy”, “prusalink”, “ps4”, “pse”, “psoklahoma”, “pulseaudio_loopback”, “pure_energie”, “purpleair”, “push”, “pushbullet”, “pushover”, “pushsafer”, “pvoutput”, “pvpc_hourly_pricing”, “pyload”, “python_script”, “qbittorrent”, “qingping”, “qld_bushfire”, “qnap”, “qnap_qsw”, “qrcode”, “quadrafire”, “quantum_gateway”, “qvr_pro”, “qwikswitch”, “rabbitair”, “rachio”, “radarr”, “radio_browser”, “radiotherm”, “rainbird”, “raincloud”, “rainforest_eagle”, “rainforest_raven”, “rainmachine”, “random”, “rapt_ble”, “raspberry_pi”, “raspyrfm”, “raven_rock_mfg”, “rdw”, “recollect_waste”, “recorder”, “recovery_mode”, “recswitch”, “reddit”, “refoss”, “rejseplanen”, “remember_the_milk”, “remote”, “remote_rpi_gpio”, “renault”, “renson”, “reolink”, “repairs”, “repetier”, “rest”, “rest_command”, “rexel”, “rflink”, “rfxtrx”, “rhasspy”, “ridwell”, “ring”, “ripple”, “risco”, “rituals_perfume_genie”, “rmvtransport”, “roborock”, “rocketchat”, “roku”, “romy”, “roomba”, “roon”, “route53”, “rova”, “rpi_camera”, “rpi_power”, “rss_feed_template”, “rtorrent”, “rtsp_to_webrtc”, “ruckus_unleashed”, “russound_rio”, “russound_rnet”, “ruuvi_gateway”, “ruuvitag_ble”, “rympro”, “sabnzbd”, “saj”, “samsam”, “samsungtv”, “sanix”, “satel_integra”, “scene”, “schedule”, “schlage”, “schluter”, “scl”, “scrape”, “screenaway”, “screenlogic”, “script”, “scsgate”, “search”, “season”, “select”, “sendgrid”, “sense”, “sensibo”, “sensirion_ble”, “sensor”, “sensorblue”, “sensorpro”, “sensorpush”, “sensoterra”, “sentry”, “senz”, “serial”, “serial_pm”, “sesame”, “seven_segments”, “seventeentrack”, “sfr_box”, “sharkiq”, “shell_command”, “shelly”, “shodan”, “shopping_list”, “sia”, “sigfox”, “sighthound”, “signal_messenger”, “simplefin”, “simplepush”, “simplisafe”, “simply_automated”, “simu”, “simulated”, “sinch”, “siren”, “sisyphus”, “sky_hub”, “skybeacon”, “skybell”, “slack”, “sleepiq”, “slide”, “slimproto”, “sma”, “smappee”, “smart_blinds”, “smart_home”, “smart_meter_texas”, “smarther”, “smartthings”, “smarttub”, “smarty”, “smhi”, “smlight”, “sms”, “smtp”, “smud”, “snapcast”, “snips”, “snmp”, “snooz”, “solaredge”, “solaredge_local”, “solarlog”, “solax”, “soma”, “somfy”, “somfy_mylink”, “sonarr”, “songpal”, “sonos”, “sony_projector”, “soundtouch”, “spaceapi”, “spc”, “speedtestdotnet”, “spider”, “splunk”, “spotify”, “sql”, “squeezebox”, “srp_energy”, “ssdp”, “starline”, “starlingbank”, “starlink”, “startca”, “statistics”, “statsd”, “steam_online”, “steamist”, “stiebel_eltron”, “stookalert”, “stookwijzer”, “stream”, “streamlabswater”, “stt”, “subaru”, “suez_water”, “sun”, “sunweg”, “supervisord”, “supla”, “surepetcare”, “swepco”, “swiss_hydrological_data”, “swiss_public_transport”, “swisscom”, “switch”, “switch_as_x”, “switchbee”, “switchbot”, “switchbot_cloud”, “switcher_kis”, “switchmate”, “symfonisk”, “syncthing”, “syncthru”, “synology_chat”, “synology_dsm”, “synology_srm”, “syslog”, “system_bridge”, “system_health”, “system_log”, “systemmonitor”, “tado”, “tag”, “tailscale”, “tailwind”, “tami4”, “tank_utility”, “tankerkoenig”, “tapsaff”, “tasmota”, “tautulli”, “tcp”, “technove”, “ted5000”, “tedee”, “telegram”, “telegram_bot”, “tellduslive”, “tellstick”, “telnet”, “temper”, “template”, “tensorflow”, “tesla_fleet”, “tesla_wall_connector”, “teslemetry”, “tessie”, “text”, “thermobeacon”, “thermoplus”, “thermopro”, “thethingsnetwork”, “thingspeak”, “thinkingcleaner”, “thomson”, “thread”, “threshold”, “tibber”, “tikteck”, “tile”, “tilt_ble”, “time”, “time_date”, “timer”, “tmb”, “tod”, “todo”, “todoist”, “tolo”, “tomato”, “tomorrowio”, “toon”, “torque”, “totalconnect”, “touchline”, “touchline_sl”, “tplink”, “tplink_lte”, “tplink_omada”, “tplink_tapo”, “traccar”, “traccar_server”, “trace”, “tractive”, “tradfri”, “trafikverket_camera”, “trafikverket_ferry”, “trafikverket_train”, “trafikverket_weatherstation”, “transmission”, “transport_nsw”, “travisci”, “trend”, “triggercmd”, “tts”, “tuya”, “twentemilieu”, “twilio”, “twilio_call”, “twilio_sms”, “twinkly”, “twitch”, “twitter”, “ubiwizz”, “ubus”, “uk_transport”, “ukraine_alarm”, “ultraloq”, “unifi”, “unifi_direct”, “unifiled”, “unifiprotect”, “universal”, “upb”, “upc_connect”, “upcloud”, “update”, “upnp”, “uprise_smart_shades”, “uptime”, “uptimerobot”, “usb”, “usgs_earthquakes_feed”, “utility_meter”, “uvc”, “v2c”, “vacuum”, “vallox”, “valve”, “vasttrafik”, “velbus”, “velux”, “venstar”, “vera”, “verisure”, “vermont_castings”, “versasense”, “version”, “vesync”, “viaggiatreno”, “vicare”, “vilfo”, “vivotek”, “vizio”, “vlc”, “vlc_telnet”, “vodafone_station”, “voicerss”, “voip”, “volkszaehler”, “volumio”, “volvooncall”, “vulcan”, “vultr”, “w800rf32”, “wake_on_lan”, “wake_word”, “wallbox”, “waqi”, “water_heater”, “waterfurnace”, “watson_iot”, “watttime”, “waze_travel_time”, “weather”, “weatherflow”, “weatherflow_cloud”, “weatherkit”, “webhook”, “webmin”, “webostv”, “websocket_api”, “weheat”, “wemo”, “whirlpool”, “whisper”, “whois”, “wiffi”, “wilight”, “wirelesstag”, “withings”, “wiz”, “wled”, “wmspro”, “wolflink”, “workday”, “worldclock”, “worldtidesinfo”, “worxlandroid”, “ws66i”, “wsdot”, “wyoming”, “x10”, “xbox”, “xeoma”, “xiaomi”, “xiaomi_aqara”, “xiaomi_ble”, “xiaomi_miio”, “xiaomi_tv”, “xmpp”, “xs1”, “yale”, “yale_home”, “yale_smart_alarm”, “yalexs_ble”, “yamaha”, “yamaha_musiccast”, “yandex_transport”, “yandextts”, “yardian”, “yeelight”, “yeelightsunflower”, “yi”, “yolink”, “youless”, “youtube”, “zabbix”, “zamg”, “zengge”, “zeroconf”, “zerproc”, “zestimate”, “zeversolar”, “zha”, “zhong_hong”, “ziggo_mediabox_xl”, “zodiac”, “zondergas”, “zone”, “zoneminder”, “zwave_js”, “zwave_me”)

Default:

[
  "default_config"
  "met"
  "esphome"
]

Example:

[
  "analytics"
  "default_config"
  "esphome"
  "my"
  "shopping_list"
  "wled"
]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.extraPackages

List of packages to add to propagatedBuildInputs.

A popular example is python3Packages.psycopg2 for PostgreSQL support in the recorder component.

Type: function that evaluates to a(n) list of package

Default:

python3Packages: with python3Packages; [];

Example:

python3Packages: with python3Packages; [
  # postgresql support
  psycopg2
];

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.lovelaceConfig

Your ui-lovelace.yaml as a Nix attribute set. Setting this option will automatically set lovelace.mode to yaml.

Beware that setting this option will delete your previous ui-lovelace.yaml

Type: null or YAML value

Default: null

Example:

{
  title = "My Awesome Home";
  views = [ {
    title = "Example";
    cards = [ {
      type = "markdown";
      title = "Lovelace";
      content = "Welcome to your **Lovelace UI**.";
    } ];
  } ];
}

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.lovelaceConfigWritable

Whether to make ui-lovelace.yaml writable.

This will allow you to edit it from Home Assistant’s web interface.

This only has an effect if lovelaceConfig is set. However, bear in mind that it will be overwritten at every start of the service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.home-assistant.openFirewall

Whether to open the firewall for the specified port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/home-automation/home-assistant.nix>
services.homebox.enable

Whether to enable homebox.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/homebox.nix>
services.homebox.package

The homebox package to use.

Type: package

Default: pkgs.homebox

Declared by:

<nixpkgs/nixos/modules/services/web-apps/homebox.nix>
services.homebox.settings

The homebox configuration as Environment variables. For definitions and available options see the upstream documentation.

Type: attribute set of string

Default:

''
  HBOX_STORAGE_DATA = "/var/lib/homebox/data";
  HBOX_STORAGE_SQLITE_URL = "/var/lib/homebox/data/homebox.db?_pragma=busy_timeout=999&_pragma=journal_mode=WAL&_fk=1";
  HBOX_OPTIONS_ALLOW_REGISTRATION = "false";
  HBOX_MODE = "production";
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/homebox.nix>
services.homed.enable

Whether to enable systemd home area/user account manager .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/homed.nix>
services.homepage-dashboard.enable

Whether to enable Homepage Dashboard, a highly customizable application dashboard.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix>
services.homepage-dashboard.package

The homepage-dashboard package to use.

Type: package

Default: pkgs.homepage-dashboard

Declared by:

<nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix>
services.homepage-dashboard.bookmarks

Homepage bookmarks configuration.

See https://gethomepage.dev/latest/configs/bookmarks/.

Type: YAML value

Default: [ ]

Example:

[
  {
    Developer = [
      {
        Github = [
          {
            abbr = "GH";
            href = "https://github.com/";
          }
        ];
      }
    ];
  }
  {
    Entertainment = [
      {
        YouTube = [
          {
            abbr = "YT";
            href = "https://youtube.com/";
          }
        ];
      }
    ];
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix>
services.homepage-dashboard.customCSS

Custom CSS for styling Homepage.

See https://gethomepage.dev/latest/configs/custom-css-js/.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix>
services.homepage-dashboard.customJS

Custom Javascript for Homepage.

See https://gethomepage.dev/latest/configs/custom-css-js/.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix>
services.homepage-dashboard.docker

Homepage docker configuration.

See https://gethomepage.dev/latest/configs/docker/.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix>
services.homepage-dashboard.environmentFile

The path to an environment file that contains environment variables to pass to the homepage-dashboard service, for the purpose of passing secrets to the service.

See the upstream documentation:

https://gethomepage.dev/latest/installation/docker/#using-environment-secrets

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix>
services.homepage-dashboard.kubernetes

Homepage kubernetes configuration.

See https://gethomepage.dev/latest/configs/kubernetes/.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix>
services.homepage-dashboard.listenPort

Port for Homepage to bind to.

Type: signed integer

Default: 8082

Declared by:

<nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix>
services.homepage-dashboard.openFirewall

Open ports in the firewall for Homepage.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix>
services.homepage-dashboard.services

Homepage services configuration.

See https://gethomepage.dev/latest/configs/services/.

Type: YAML value

Default: [ ]

Example:

[
  {
    "My First Group" = [
      {
        "My First Service" = {
          description = "Homepage is awesome";
          href = "http://localhost/";
        };
      }
    ];
  }
  {
    "My Second Group" = [
      {
        "My Second Service" = {
          description = "Homepage is the best";
          href = "http://localhost/";
        };
      }
    ];
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix>
services.homepage-dashboard.settings

Homepage settings.

See https://gethomepage.dev/latest/configs/settings/.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix>
services.homepage-dashboard.widgets

Homepage widgets configuration.

See https://gethomepage.dev/latest/configs/service-widgets/.

Type: YAML value

Default: [ ]

Example:

[
  {
    resources = {
      cpu = true;
      disk = "/";
      memory = true;
    };
  }
  {
    search = {
      provider = "duckduckgo";
      target = "_blank";
    };
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/homepage-dashboard.nix>
services.honk.enable

Whether to enable the Honk server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/honk.nix>
services.honk.package

The honk package to use.

Type: package

Default: pkgs.honk

Declared by:

<nixpkgs/nixos/modules/services/web-apps/honk.nix>
services.honk.extraCSS

An extra CSS file to be loaded by the client.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/honk.nix>
services.honk.extraJS

An extra JavaScript file to be loaded by the client.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/honk.nix>
services.honk.host

The host name or IP address the server should listen to.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/honk.nix>
services.honk.passwordFile

Password for admin account. NOTE: Should be string not a store path, to prevent the password from being world readable

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/honk.nix>
services.honk.port

The port the server should listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/honk.nix>
services.honk.servername

The server name.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/honk.nix>
services.honk.username

The admin account username.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/honk.nix>
services.hoogle.enable

Whether to enable Haskell documentation server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/development/hoogle.nix>
services.hoogle.packages

The Haskell packages to generate documentation for.

The option value is a function that takes the package set specified in the haskellPackages option as its sole parameter and returns a list of packages.

Type: function that evaluates to a(n) list of package

Default: hp: []

Example: hp: with hp; [ text lens ]

Declared by:

<nixpkgs/nixos/modules/services/development/hoogle.nix>
services.hoogle.extraOptions

Additional command-line arguments to pass to hoogle server

Type: list of string

Default: [ ]

Example:

[
  "--no-security-headers"
]

Declared by:

<nixpkgs/nixos/modules/services/development/hoogle.nix>
services.hoogle.haskellPackages

Which haskell package set to use.

Type: attribute set

Default: pkgs.haskellPackages

Declared by:

<nixpkgs/nixos/modules/services/development/hoogle.nix>
services.hoogle.home

Url for hoogle logo

Type: string

Default: "https://hoogle.haskell.org"

Declared by:

<nixpkgs/nixos/modules/services/development/hoogle.nix>
services.hoogle.host

Set the host to bind on.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/development/hoogle.nix>
services.hoogle.port

Port number Hoogle will be listening to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/development/hoogle.nix>
services.hostapd.enable

Whether to enable hostapd, a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS authentication server .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.package

The hostapd package to use.

Type: package

Default: pkgs.hostapd

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios

This option allows you to define APs for one or multiple physical radios. At least one radio must be specified.

For each radio, hostapd requires a separate logical interface (like wlp3s0, wlp3s1, …). A default interface is usually be created automatically by your system, but to use multiple radios of a single device, it may be required to create additional logical interfaces for example by using networking.wlanInterfaces.

Each physical radio can only support a single hardware-mode that is configured via (services.hostapd.radios.<radio>.band). To create a dual-band or tri-band AP, you will have to use a device that has multiple physical radios and supports configuring multiple APs (Refer to valid interface combinations in iw list).

Type: attribute set of (submodule)

Default: { }

Example:

{
  # Simple 2.4GHz AP
  wlp2s0 = {
    # countryCode = "US";
    networks.wlp2s0 = {
      ssid = "AP 1";
      authentication.saePasswords = [{ password = "a flakey password"; }]; # Use saePasswordsFile if possible.
    };
  };

  # WiFi 5 (5GHz) with two advertised networks
  wlp3s0 = {
    band = "5g";
    channel = 0; # Enable automatic channel selection (ACS). Use only if your hardware supports it.
    # countryCode = "US";
    networks.wlp3s0 = {
      ssid = "My AP";
      authentication.saePasswords = [{ password = "a flakey password"; }]; # Use saePasswordsFile if possible.
    };
    networks.wlp3s0-1 = {
      ssid = "Open AP with WiFi5";
      authentication.mode = "none";
    };
  };

  # Legacy WPA2 example
  wlp4s0 = {
    # countryCode = "US";
    networks.wlp4s0 = {
      ssid = "AP 2";
      authentication = {
        mode = "wpa2-sha256";
        wpaPassword = "a flakey password"; # Use wpaPasswordFile if possible.
      };
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.band

Specifies the frequency band to use, possible values are 2g for 2.4 GHz, 5g for 5 GHz, 6g for 6 GHz and 60g for 60 GHz.

Type: one of “2g”, “5g”, “6g”, “60g”

Default: "2g"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.channel

The channel to operate on. Use 0 to enable ACS (Automatic Channel Selection). Beware that not every device supports ACS in which case hostapd will fail to start.

Type: signed integer

Default: 0

Example: 11

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.countryCode

Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed to indicate country in which device is operating. This can limit available channels and transmit power. These two octets are used as the first two octets of the Country String (dot11CountryString).

Setting this will force you to also enable IEEE 802.11d and IEEE 802.11h.

IEEE 802.11d: This advertises the countryCode and the set of allowed channels and transmit power levels based on the regulatory limits.

IEEE802.11h: This enables radar detection and DFS (Dynamic Frequency Selection) support if available. DFS support is required on outdoor 5 GHz channels in most countries of the world.

Type: null or string

Default: null

Example: "US"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.driver

The driver hostapd will use. nl80211 is used with all Linux mac80211 drivers. none is used if building a standalone RADIUS server that does not control any wireless/wired driver. Most applications will probably use the default.

Type: string

Default: "nl80211"

Example: "none"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.dynamicConfigScripts

All of these scripts will be executed in lexicographical order before hostapd is started, right after the global segment was generated and may dynamically append global options the generated configuration file.

The first argument will point to the configuration file that you may append to.

Type: attribute set of path

Default: { }

Example:

{
  exampleDynamicConfig = pkgs.writeShellScript "dynamic-config" ''
    HOSTAPD_CONFIG=$1

    cat >> "$HOSTAPD_CONFIG" << EOF
    # Add some dynamically generated statements here,
    # for example based on the physical adapter in use
    EOF
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks

This defines a BSS, colloquially known as a WiFi network. You have to specify at least one.

Type: attribute set of (submodule)

Default: { }

Example:

{
  wlp2s0 = {
    ssid = "Primary advertised network";
    authentication.saePasswords = [{ password = "a flakey password"; }]; # Use saePasswordsFile if possible.
  };
  wlp2s0-1 = {
    ssid = "Secondary advertised network (Open)";
    authentication.mode = "none";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.apIsolate

Isolate traffic between stations (clients) and prevent them from communicating with each other.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers

Additionally enable the recommended set of pairwise ciphers. This enables newer secure ciphers, additionally to those defined in pairwiseCiphers. You will have to test whether your hardware supports these by trial-and-error, because even if iw list indicates hardware support, your driver might not expose it.

Beware hostapd will most likely not return a useful error message in case this is enabled despite the driver or hardware not supporting the newer ciphers. Look out for messages like Failed to set beacon parameters.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.mode

Selects the authentication mode for this AP.

  • "none": Don’t configure any authentication. This will disable wpa alltogether and create an open AP. Use settings together with this option if you want to configure the authentication manually. Any password options will still be effective, if set.

  • "wpa2-sha1": Not recommended. WPA2-Personal using HMAC-SHA1. Passwords are set using wpaPassword or preferably by wpaPasswordFile or wpaPskFile.

  • "wpa2-sha256": WPA2-Personal using HMAC-SHA256 (IEEE 802.11i/RSN). Passwords are set using wpaPassword or preferably by wpaPasswordFile or wpaPskFile.

  • "wpa3-sae-transition": Use WPA3-Personal (SAE) if possible, otherwise fallback to WPA2-SHA256. Only use if necessary and switch to the newer WPA3-SAE when possible. You will have to specify both wpaPassword and saePasswords (or one of their alternatives).

  • "wpa3-sae": Use WPA3-Personal (SAE). This is currently the recommended way to setup a secured WiFi AP (as of March 2023) and therefore the default. Passwords are set using either saePasswords or preferably saePasswordsFile.

Type: one of “none”, “wpa2-sha1”, “wpa2-sha256”, “wpa3-sae-transition”, “wpa3-sae”

Default: "wpa3-sae"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.pairwiseCiphers

Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets). By default this allows just CCMP, which is the only commonly supported secure option. Use enableRecommendedPairwiseCiphers to also enable newer recommended ciphers.

Please refer to the hostapd documentation for allowed values. Generally, only CCMP or GCMP modes should be considered safe options. Most devices support CCMP while GCMP is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.

Type: list of string

Default:

[
  "CCMP"
]

Example:

[
  "CCMP-256"
  "GCMP-256"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.saeAddToMacAllow

If set, all sae password entries that have a non-wildcard MAC associated to them will additionally be used to populate the MAC allow list. This is additional to any entries set via macAllow or macAllowFile.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords

Sets allowed passwords for WPA3-SAE.

The last matching (based on peer MAC address and identifier) entry is used to select which password to use. An empty string has the special meaning of removing all previously added entries.

Warning: These entries will get put into a world-readable file in the Nix store! Using saePasswordFile instead is recommended.

Not used when mode is "wpa2-sha1" or "wpa2-sha256".

Type: list of (submodule)

Default: [ ]

Example:

[
  # Any client may use these passwords
  { password = "Wi-Figure it out"; }
  { password = "second password for everyone"; mac = "ff:ff:ff:ff:ff:ff"; }

  # Only the client with MAC-address 11:22:33:44:55:66 can use this password
  { password = "sekret pazzword"; mac = "11:22:33:44:55:66"; }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords.*.id

If this attribute is given with non-zero length, it will set the password identifier for this entry. It can then only be used with that identifier.

Type: null or string

Default: null

Example: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords.*.mac

If this attribute is not included, or if is set to the wildcard address (ff:ff:ff:ff:ff:ff), the entry is available for any station (client) to use. If a specific peer MAC address is included, only a station with that MAC address is allowed to use the entry.

Type: null or string

Default: null

Example: "11:22:33:44:55:66"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords.*.password

The password for this entry. SAE technically imposes no restrictions on password length or character set. But due to limitations of hostapd’s config file format, a true newline character cannot be parsed.

Warning: This password will get put into a world-readable file in the Nix store! Using wpaPasswordFile or wpaPskFile is recommended.

Type: string

Example: "a flakey password"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords.*.pk

If this attribute is given, SAE-PK will be enabled for this connection. This prevents evil-twin attacks, but a public key is required additionally to connect. (Essentially adds pubkey authentication such that the client can verify identity of the AP)

Type: null or string

Default: null

Example: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords.*.vlanid

If this attribute is given, all clients using this entry will get tagged with the given VLAN ID.

Type: null or signed integer

Default: null

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.saePasswordsFile

Sets the password for WPA3-SAE. Follows the same rules as saePasswords, but reads the entries from the given file to prevent them from being put into the Nix store.

One entry per line, empty lines and lines beginning with # will be ignored. Each line must match the following format, although the order of optional parameters doesn’t matter: <password>[|mac=<peer mac>][|vlanid=<VLAN ID>][|pk=<m:ECPrivateKey-base64>][|id=<identifier>]

Not used when mode is "wpa2-sha1" or "wpa2-sha256".

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword

Sets the password for WPA-PSK that will be converted to the pre-shared key. The password length must be in the range [8, 63] characters. While some devices may allow arbitrary characters (such as UTF-8) to be used, but the standard specifies that each character in the passphrase must be an ASCII character in the range [0x20, 0x7e] (IEEE Std. 802.11i-2004, Annex H.4.1). Use emojis at your own risk.

Not used when mode is "wpa3-sae".

Warning: This password will get put into a world-readable file in the Nix store! Using wpaPasswordFile or wpaPskFile instead is recommended.

Type: null or string

Default: null

Example: "a flakey password"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.wpaPasswordFile

Sets the password for WPA-PSK. Follows the same rules as wpaPassword, but reads the password from the given file to prevent the password from being put into the Nix store.

Not used when mode is "wpa3-sae".

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.authentication.wpaPskFile

Sets the password(s) for WPA-PSK. Similar to wpaPasswordFile, but additionally allows specifying multiple passwords, and some other options.

Each line, except for empty lines and lines starting with #, must contain a MAC address and either a 64-hex-digit PSK or a password separated with a space. The password must follow the same rules as outlined in wpaPassword. The special MAC address 00:00:00:00:00:00 can be used to configure PSKs that any client can use.

An optional key identifier can be added by prefixing the line with keyid=<keyid_string> An optional VLAN ID can be specified by prefixing the line with vlanid=<VLAN ID>. An optional WPS tag can be added by prefixing the line with wps=<0/1> (default: 0). Any matching entry with that tag will be used when generating a PSK for a WPS Enrollee instead of generating a new random per-Enrollee PSK.

Not used when mode is "wpa3-sae".

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.bssid

Specifies the BSSID for this BSS. Usually determined automatically, but for now you have to manually specify them when using multiple BSS. Try assigning related addresses from the locally administered MAC address ranges, by reusing the hardware address but replacing the second nibble with 2, 6, A or E. (e.g. if real address is XX:XX:XX:XX:XX, try X2:XX:XX:XX:XX:XX, X6:XX:XX:XX:XX:XX, … for the second, third, … BSS)

Type: null or string

Default: null

Example: "11:22:33:44:55:66"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.dynamicConfigScripts

All of these scripts will be executed in lexicographical order before hostapd is started, right after the bss segment was generated and may dynamically append bss options to the generated configuration file.

The first argument will point to the configuration file that you may append to. The second and third argument will point to this BSS’s MAC allow and MAC deny file respectively.

Type: attribute set of path

Default: { }

Example:

{
  exampleDynamicConfig = pkgs.writeShellScript "dynamic-config" ''
    HOSTAPD_CONFIG=$1
    # These always exist, but may or may not be used depending on the actual configuration
    MAC_ALLOW_FILE=$2
    MAC_DENY_FILE=$3

    cat >> "$HOSTAPD_CONFIG" << EOF
    # Add some dynamically generated statements here
    EOF
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.group

Members of this group can access the control socket for this interface.

Type: string

Default: "wheel"

Example: "network"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.ignoreBroadcastSsid

Send empty SSID in beacons and ignore probe request frames that do not specify full SSID, i.e., require stations to know SSID. Note that this does not increase security, since your clients will then broadcast the SSID instead, which can increase congestion.

  • "disabled": Advertise ssid normally.

  • "empty": send empty (length=0) SSID in beacon and ignore probe request for broadcast SSID

  • "clear": clear SSID (ASCII 0), but keep the original length (this may be required with some legacy clients that do not support empty SSID) and ignore probe requests for broadcast SSID. Only use this if empty does not work with your clients.

Type: one of “disabled”, “empty”, “clear”

Default: "disabled"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.logLevel

Levels (minimum value for logged events): 0 = verbose debugging 1 = debugging 2 = informational messages 3 = notification 4 = warning

Type: signed integer

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.macAcl

Station MAC address -based authentication. The following modes are available:

  • "deny": Allow unless listed in macDeny (default)

  • "allow": Deny unless listed in macAllow

  • "radius": Use external radius server, but check both macAllow and macDeny first

Please note that this kind of access control requires a driver that uses hostapd to take care of management frame processing and as such, this can be used with driver=hostap or driver=nl80211, but not with driver=atheros.

Type: one of “deny”, “allow”, “radius”

Default: "deny"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.macAllow

Specifies the MAC addresses to allow if macAcl is set to "allow" or "radius". These values will be world-readable in the Nix store. Values will automatically be merged with macAllowFile if necessary.

Type: list of string

Default: [ ]

Example:

[
  "11:22:33:44:55:66"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.macAllowFile

Specifies a file containing the MAC addresses to allow if macAcl is set to "allow" or "radius". The file should contain exactly one MAC address per line. Comments and empty lines are ignored, only lines starting with a valid MAC address will be considered (e.g. 11:22:33:44:55:66) and any content after the MAC address is ignored.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.macDeny

Specifies the MAC addresses to deny if macAcl is set to "deny" or "radius". These values will be world-readable in the Nix store. Values will automatically be merged with macDenyFile if necessary.

Type: list of string

Default: [ ]

Example:

[
  "11:22:33:44:55:66"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.macDenyFile

Specifies a file containing the MAC addresses to deny if macAcl is set to "deny" or "radius". The file should contain exactly one MAC address per line. Comments and empty lines are ignored, only lines starting with a valid MAC address will be considered (e.g. 11:22:33:44:55:66) and any content after the MAC address is ignored.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.settings

Extra configuration options to put at the end of this BSS’s defintion in the hostapd.conf for the associated interface. To find out which options are global and which are per-bss you have to read hostapd’s source code, which is non-trivial and not documented otherwise.

Lists will be converted to multiple definitions of the same key, and booleans to 0/1. Otherwise, the inputs are not modified or checked for correctness.

Type: attribute set of (atom (bool, int or string) or a list of them for duplicate keys)

Default: { }

Example:

{
  multi_ap = true;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.ssid

SSID to be used in IEEE 802.11 management frames.

Type: string

Example: "❄️ cool ❄️"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.networks.<name>.utf8Ssid

Whether the SSID is to be interpreted using UTF-8 encoding.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.noScan

Disables scan for overlapping BSSs in HT40+/- mode. Caution: turning this on will likely violate regulatory requirements!

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.settings

Extra configuration options to put at the end of global initialization, before defining BSSs. To find out which options are global and which are per-bss you have to read hostapd’s source code, which is non-trivial and not documented otherwise.

Lists will be converted to multiple definitions of the same key, and booleans to 0/1. Otherwise, the inputs are not modified or checked for correctness.

Type: attribute set of (atom (bool, int or string) or a list of them for duplicate keys)

Default: { }

Example:

{
  acs_exclude_dfs = true;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi4.enable

Enables support for IEEE 802.11n (WiFi 4, HT). This is enabled by default, since the vase majority of devices are expected to support this.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi4.capabilities

HT (High Throughput) capabilities given as a list of flags. Please refer to the hostapd documentation for allowed values and only set values supported by your physical adapter.

The default contains common values supported by most adapters.

Type: list of string

Default:

[
  "HT40"
  "SHORT-GI-20"
  "SHORT-GI-40"
]

Example:

[
  "LDPC"
  "HT40+"
  "HT40-"
  "GF"
  "SHORT-GI-20"
  "SHORT-GI-40"
  "TX-STBC"
  "RX-STBC1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi4.require

Require stations (clients) to support WiFi 4 (HT) and disassociate them if they don’t.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi5.enable

Enables support for IEEE 802.11ac (WiFi 5, VHT)

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi5.capabilities

VHT (Very High Throughput) capabilities given as a list of flags. Please refer to the hostapd documentation for allowed values and only set values supported by your physical adapter.

Type: list of string

Default: [ ]

Example:

[
  "SHORT-GI-80"
  "TX-STBC-2BY1"
  "RX-STBC-1"
  "RX-ANTENNA-PATTERN"
  "TX-ANTENNA-PATTERN"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi5.operatingChannelWidth

Determines the operating channel width for VHT.

  • "20or40": 20 or 40 MHz operating channel width

  • "80": 80 MHz channel width

  • "160": 160 MHz channel width

  • "80+80": 80+80 MHz channel width

Type: one of “20or40”, “80”, “160”, “80+80”

Default: "20or40"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi5.require

Require stations (clients) to support WiFi 5 (VHT) and disassociate them if they don’t.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi6.enable

Enables support for IEEE 802.11ax (WiFi 6, HE)

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi6.multiUserBeamformer

HE multi user beamformee support

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi6.operatingChannelWidth

Determines the operating channel width for HE.

  • "20or40": 20 or 40 MHz operating channel width

  • "80": 80 MHz channel width

  • "160": 160 MHz channel width

  • "80+80": 80+80 MHz channel width

Type: one of “20or40”, “80”, “160”, “80+80”

Default: "20or40"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi6.require

Require stations (clients) to support WiFi 6 (HE) and disassociate them if they don’t.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi6.singleUserBeamformee

HE single user beamformee support

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi6.singleUserBeamformer

HE single user beamformer support

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi7.enable

Enables support for IEEE 802.11be (WiFi 7, EHT). This is currently experimental and requires you to manually enable CONFIG_IEEE80211BE when building hostapd.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi7.multiUserBeamformer

EHT multi user beamformee support

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi7.operatingChannelWidth

Determines the operating channel width for EHT.

  • "20or40": 20 or 40 MHz operating channel width

  • "80": 80 MHz channel width

  • "160": 160 MHz channel width

  • "80+80": 80+80 MHz channel width

Type: one of “20or40”, “80”, “160”, “80+80”

Default: "20or40"

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi7.singleUserBeamformee

EHT single user beamformee support

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hostapd.radios.<name>.wifi7.singleUserBeamformer

EHT single user beamformer support

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hostapd.nix>
services.hound.enable

Whether to enable hound.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/search/hound.nix>
services.hound.package

The hound package to use.

Type: package

Default: pkgs.hound

Declared by:

<nixpkgs/nixos/modules/services/search/hound.nix>
services.hound.group

Group the hound daemon should execute under.

Type: string

Default: "hound"

Declared by:

<nixpkgs/nixos/modules/services/search/hound.nix>
services.hound.home

The path to use as hound’s $HOME. If the default user “hound” is configured then this is the home of the “hound” user.

Type: path

Default: "/var/lib/hound"

Declared by:

<nixpkgs/nixos/modules/services/search/hound.nix>
services.hound.listen

Listen on this [IP]:port

Type: string

Default: "0.0.0.0:6080"

Example: ":6080"

Declared by:

<nixpkgs/nixos/modules/services/search/hound.nix>
services.hound.settings

The full configuration of the Hound daemon. See the upstream documentation https://github.com/hound-search/hound/blob/main/docs/config-options.md for details.

Note

The dbpath should be an absolute path to a writable directory. :::.com/hound-search/hound/blob/main/docs/config-options.md>.

Type: JSON value

Example:

{
  max-concurrent-indexers = 2;
  repos.nixpkgs.url = "https://www.github.com/NixOS/nixpkgs.git";
}

Declared by:

<nixpkgs/nixos/modules/services/search/hound.nix>
services.hound.user

User the hound daemon should execute under.

Type: string

Default: "hound"

Declared by:

<nixpkgs/nixos/modules/services/search/hound.nix>
services.hqplayerd.enable

Whether to enable HQPlayer Embedded.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/hqplayerd.nix>
services.hqplayerd.auth.password

Password used for HQPlayer’s WebUI.

Without this you will need to manually create the credentials after first start by going to http://your.ip/8088/auth

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/audio/hqplayerd.nix>
services.hqplayerd.auth.username

Username used for HQPlayer’s WebUI.

Without this you will need to manually create the credentials after first start by going to http://your.ip/8088/auth

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/audio/hqplayerd.nix>
services.hqplayerd.config

HQplayer daemon configuration, written to /etc/hqplayer/hqplayerd.xml.

Refer to share/doc/hqplayerd/readme.txt in the hqplayerd derivation for possible values.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/audio/hqplayerd.nix>
services.hqplayerd.licenseFile

Path to the HQPlayer license key file.

Without this, the service will run in trial mode and restart every 30 minutes.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/audio/hqplayerd.nix>
services.hqplayerd.openFirewall

Opens ports needed for the WebUI and controller API.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/hqplayerd.nix>
services.htpdate.enable

Enable htpdate daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/htpdate.nix>
services.htpdate.extraOptions

Additional command line arguments to pass to htpdate.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/htpdate.nix>
services.htpdate.proxy

HTTP proxy used for requests.

Type: string

Default: ""

Example: "127.0.0.1:8118"

Declared by:

<nixpkgs/nixos/modules/services/networking/htpdate.nix>
services.htpdate.servers

HTTP servers to use for time synchronization.

Type: list of string

Default:

[
  "www.google.com"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/htpdate.nix>
services.httpd.enable

Whether to enable the Apache HTTP Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.enableMellon

Whether to enable the mod_auth_mellon module.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.enablePHP

Whether to enable the PHP module.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.enablePerl

Whether to enable the Perl module (mod_perl).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.package

The apacheHttpd package to use.

Type: package

Default: pkgs.apacheHttpd

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.adminAddr

E-mail address of the server administrator.

Type: null or string

Default: null

Example: "admin@example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.configFile

Override the configuration file used by Apache. By default, NixOS generates one automatically.

Type: path

Default: confFile

Example: pkgs.writeText "httpd.conf" "# my custom config file ..."

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.extraConfig

Configuration lines appended to the generated Apache configuration file. Note that this mechanism will not work when configFile is overridden.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.extraModules

Additional Apache modules to be used. These can be specified as a string in the case of modules distributed with Apache, or as an attribute set specifying the name and path of the module.

Type: list of unspecified value

Default: [ ]

Example:

[
  "proxy_connect"
  { name = "jk"; path = "${pkgs.apacheHttpdPackages.mod_jk}/modules/mod_jk.so"; }
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.group

Group under which httpd children processes run.

Type: string

Default: "wwwrun"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.logDir

Directory for Apache’s log files. It is created automatically.

Type: path

Default: "/var/log/httpd"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.logFormat

Log format for log files. Possible values are: combined, common, referer, agent, none. See https://httpd.apache.org/docs/2.4/logs.html for more details.

Type: string

Default: "common"

Example: "combined"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.logPerVirtualHost

If enabled, each virtual host gets its own access.log and error.log, namely suffixed by the hostName of the virtual host.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.maxClients

Maximum number of httpd processes (prefork)

Type: signed integer

Default: 150

Example: 8

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.maxRequestsPerChild

Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited.

Type: signed integer

Default: 0

Example: 500

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.mpm

Multi-processing module to be used by Apache. Available modules are prefork (handles each request in a separate child process), worker (hybrid approach that starts a number of child processes each running a number of threads) and event (the default; a recent variant of worker that handles persistent connections more efficiently).

Type: one of “event”, “prefork”, “worker”

Default: "event"

Example: "worker"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.phpOptions

Options appended to the PHP configuration file php.ini.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  date.timezone = "CET"
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.phpPackage

The php package to use.

Type: package

Default: pkgs.php

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.sslCiphers

Cipher Suite available for negotiation in SSL proxy handshake.

Type: string

Default: "HIGH:!aNULL:!MD5:!EXP"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.sslProtocols

Allowed SSL/TLS protocol versions.

Type: string

Default: "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"

Example: "All -SSLv2 -SSLv3"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.user

User account under which httpd children processes run.

If you require the main httpd process to run as root add the following configuration:

systemd.services.httpd.serviceConfig.User = lib.mkForce "root";

Type: string

Default: "wwwrun"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts

Specification of the virtual hosts served by Apache. Each element should be an attribute set specifying the configuration of the virtual host.

Type: attribute set of (submodule)

Default:

{
  localhost = {
    documentRoot = "${package.out}/htdocs";
  };
}

Example:

{
  "foo.example.com" = {
    forceSSL = true;
    documentRoot = "/var/www/foo.example.com"
  };
  "bar.example.com" = {
    addSSL = true;
    documentRoot = "/var/www/bar.example.com";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.enableUserDir

Whether to enable serving ~/public_html as /~«username».

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.acmeRoot

Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.adminAddr

E-mail address of the server administrator.

Type: null or string

Default: null

Example: "admin@example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.documentRoot

The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.extraConfig

These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  <Directory /home>
    Options FollowSymlinks
    AllowOverride All
  </Directory>
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.forceSSL

Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.globalRedirect

If set, all requests for this host are redirected permanently to the given URL.

Type: null or string

Default: null

Example: "http://newserver.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.hostName

Canonical hostname for the server.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.http2

Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config for details.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.listen

Listen addresses and ports for this virtual host.

Note

This option overrides addSSL, forceSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    ip = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    ip = "192.154.1.1";
    port = 80;
  }
  {
    ip = "*";
    port = 8080;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.listen.*.ip

IP to listen on. 0.0.0.0 for IPv4 only, * for all.

Type: string

Default: "*"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.listen.*.port

Port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.listen.*.ssl

Whether to enable SSL (https) support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Type: non-empty (list of string)

Default:

[
  "*"
]

Example:

[
  "127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.locations

Declarative location config. See https://httpd.apache.org/docs/2.4/mod/core.html#location for details.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
  "/foo/bar.png" = {
    alias = "/home/eelco/some-file.png";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.locations.<name>.alias

Alias directory for requests. See https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.locations.<name>.index

Adds DirectoryIndex directive. See https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.locations.<name>.proxyPass

Sets up a simple reverse proxy as described by https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.logFormat

Log format for Apache’s log files. Possible values are: combined, common, referer, agent.

Type: string

Default: "common"

Example: "combined"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.robotsEntries

Specification of pages to be ignored by web crawlers. See http://www.robotstxt.org/ for details.

Type: strings concatenated with “\n”

Default: ""

Example: "Disallow: /foo/"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.servedDirs

This option provides a simple way to serve static directories.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    dir = "/home/eelco/Dev/nix-homepage";
    urlPath = "/nix";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.servedFiles

This option provides a simple way to serve individual, static files.

Note

This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the locations.<name>.alias option.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    file = "/home/eelco/some-file.png";
    urlPath = "/foo/bar.png";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "www.example.org:8080"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.sslServerCert

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.sslServerChain

Path to server SSL chain file.

Type: null or path

Default: null

Example: "/var/ca.pem"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.sslServerKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.httpd.virtualHosts.<name>.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix>
services.https-dns-proxy.enable

Whether to enable https-dns-proxy daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/https-dns-proxy.nix>
services.https-dns-proxy.address

The address on which to listen

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/https-dns-proxy.nix>
services.https-dns-proxy.extraArgs

Additional arguments to pass to the process.

Type: list of string

Default:

[
  "-v"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/https-dns-proxy.nix>
services.https-dns-proxy.port

The port on which to listen

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5053

Declared by:

<nixpkgs/nixos/modules/services/networking/https-dns-proxy.nix>
services.https-dns-proxy.preferIPv4

https_dns_proxy will by default use IPv6 and fail if it is not available. To play it safe, we choose IPv4.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/https-dns-proxy.nix>
services.https-dns-proxy.provider.ips

The custom provider IPs

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/networking/https-dns-proxy.nix>
services.https-dns-proxy.provider.kind

The upstream provider to use or custom in case you do not trust any of the predefined providers or just want to use your own.

The default is quad9 and there are privacy and security trade-offs when using any upstream provider. Please consider that before using any of them.

Supported providers: cloudflare, custom, google, opendns, quad9

If you pick the custom provider, you will need to provide the bootstrap IP addresses as well as the resolver https URL.

Type: one of “cloudflare”, “custom”, “google”, “opendns”, “quad9”

Default: "quad9"

Declared by:

<nixpkgs/nixos/modules/services/networking/https-dns-proxy.nix>
services.https-dns-proxy.provider.url

The custom provider URL

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/https-dns-proxy.nix>
services.hydra.enable

Whether to run Hydra services.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.package

The hydra package to use.

Type: package

Default: pkgs.hydra

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.buildMachinesFiles

List of files containing build machines.

Type: list of path

Default: lib.optional (config.nix.buildMachines != []) "/etc/nix/machines"

Example:

[
  "/etc/nix/machines"
  "/var/lib/hydra/provisioner/machines"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.dbi

The DBI string for Hydra database connection.

NOTE: Attempts to set application_name will be overridden by hydra-TYPE (where TYPE is e.g. evaluator, queue-runner, etc.) in all hydra services to more easily distinguish where queries are coming from.

Type: string

Default: "dbi:Pg:dbname=hydra;user=hydra;"

Example: "dbi:Pg:dbname=hydra;host=postgres.example.org;user=foo;"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.debugServer

Whether to run the server in debug mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.extraConfig

Extra lines for the Hydra configuration.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.extraEnv

Extra environment variables for Hydra.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.gcRootsDir

Directory that holds Hydra garbage collector roots.

Type: path

Default: "/nix/var/nix/gcroots/hydra"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.hydraURL

The base URL for the Hydra webserver instance. Used for links in emails.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.listenHost

The hostname or address to listen on or * to listen on all interfaces.

Type: string

Default: "*"

Example: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.logo

Path to a file containing the logo of your Hydra instance.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.maxServers

Maximum number of starman workers to spawn.

Type: signed integer

Default: 25

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.maxSpareServers

Maximum number of spare starman workers to keep.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.minSpareServers

Minimum number of spare starman workers to keep.

Type: signed integer

Default: 4

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.minimumDiskFree

Threshold of minimum disk space (GiB) to determine if the queue runner should run or not.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.minimumDiskFreeEvaluator

Threshold of minimum disk space (GiB) to determine if the evaluator should run or not.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.notificationSender

Sender email address used for email notifications.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.port

TCP port the web server should listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.smtpHost

Hostname of the SMTP server to use to send email.

Type: null or string

Default: null

Example: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.tracker

Piece of HTML that is included on all pages.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hydra.useSubstitutes

Whether to use binary caches for downloading store paths. Note that binary substitutions trigger (a potentially large number of) additional HTTP requests that slow down the queue monitor thread significantly. Also, this Hydra instance will serve those downloaded store paths to its users with its own signature attached as if it had built them itself, so don’t enable this feature unless your active binary caches are absolute trustworthy.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/hydra/default.nix>
services.hylafax.enable

Whether to enable HylaFAX server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.areaCode

Area code for server and all modems.

Type: null or non-empty string

Default: null

Example: "30"

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.autostart

Autostart the HylaFAX queue manager at system start. If this is false, the queue manager will still be started if there are pending jobs or if a user tries to connect to it.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.commonModemConfig

Attribute set of default values for modem config files etc/config.*. Values can be either strings or integers (which will be added to the config file verbatimly) or lists thereof (which will be translated to multiple lines with the same configuration key). Boolean values are translated to “Yes” or “No”. The default contains some reasonable configuration to yield an operational system.

Think twice before changing paths of fax-processing scripts.

Type: attribute set of ((list of ((string or signed integer convertible to it) or boolean convertible to it)) or ((string or signed integer convertible to it) or boolean convertible to it) convertible to it)

Example:

{
  InternationalPrefix = "00";
  LongDistancePrefix = "0";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.countryCode

Country code for server and all modems.

Type: null or non-empty string

Default: null

Example: "49"

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.faxcron.enable.frequency

purging old files from the spooling area with faxcron with the given frequency (see systemd.time(7))

Type: null or non-empty string

Default: null

Example: "daily"

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.faxcron.enable.spoolInit

Whether to enable purging old files from the spooling area with faxcron each time the spooling area is initialized .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.faxcron.infoDays

Set the expiration time for data in the remote machine information directory in days.

Type: positive integer, meaning >0

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.faxcron.logDays

Set the expiration time for session trace log files in days.

Type: positive integer, meaning >0

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.faxcron.rcvDays

Set the expiration time for files in the received facsimile queue in days.

Type: positive integer, meaning >0

Default: 7

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.faxqConfig

Attribute set of lines for the global faxq config file etc/config. Values can be either strings or integers (which will be added to the config file verbatimly) or lists thereof (which will be translated to multiple lines with the same configuration key). Boolean values are translated to “Yes” or “No”. The default contains some reasonable configuration to yield an operational system.

Type: attribute set of ((list of ((string or signed integer convertible to it) or boolean convertible to it)) or ((string or signed integer convertible to it) or boolean convertible to it) convertible to it)

Example:

{
  InternationalPrefix = "00";
  LongDistancePrefix = "0";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.faxqclean.enable.frequency

Purge old files from the spooling area with faxcron with the given frequency (see systemd.time(7)).

Type: null or non-empty string

Default: null

Example: "daily"

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.faxqclean.enable.spoolInit

Whether to enable purging old files from the spooling area with faxqclean each time the spooling area is initialized .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.faxqclean.archiving

Enable or suppress job archiving: never disables job archiving, as-flagged archives jobs that have been flagged for archiving by sendfax, always forces archiving of all jobs. See also sendfax(1) and faxqclean(8).

Type: one of “never”, “as-flagged”, “always”

Default: "as-flagged"

Example: "always"

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.faxqclean.docqMinutes

Set the document age threshold (in minutes) that controls how long unreferenced files may reside in the docq directory.

Type: positive integer, meaning >0

Default: 60

Example: 24*60

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.faxqclean.doneqMinutes

Set the job age threshold (in minutes) that controls how long jobs may reside in the doneq directory.

Type: positive integer, meaning >0

Default: 15

Example: 24*60

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.hfaxdConfig

Attribute set of lines for the global hfaxd config file etc/hfaxd.conf. Values can be either strings or integers (which will be added to the config file verbatimly) or lists thereof (which will be translated to multiple lines with the same configuration key). Boolean values are translated to “Yes” or “No”. The default contains some reasonable configuration to yield an operational system.

Type: attribute set of ((list of ((string or signed integer convertible to it) or boolean convertible to it)) or ((string or signed integer convertible to it) or boolean convertible to it) convertible to it)

Example:

{
  RecvqProtection = "0400";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.internationalPrefix

International prefix for server and all modems.

Type: null or string

Default: null

Example: "00"

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.longDistancePrefix

Long distance prefix for server and all modems.

Type: null or string

Default: null

Example: "0"

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.modems

Description of installed modems. At least on modem must be defined to enable the HylaFAX server.

Type: attribute set of (submodule)

Default: { }

Example:

{
  ttyS1 = {
    config = {
      FAXNumber = "123456";
      LocalIdentifier = "Smith";
    };
    type = "cirrus";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.modems.<name>.config

Attribute set of values for the given modem. Values can be either strings or integers (which will be added to the config file verbatimly) or lists thereof (which will be translated to multiple lines with the same configuration key). Boolean values are translated to “Yes” or “No”. The default contains some reasonable configuration to yield an operational system.

Options defined here override options in commonModemConfig for this modem.

Type: attribute set of ((list of ((string or signed integer convertible to it) or boolean convertible to it)) or ((string or signed integer convertible to it) or boolean convertible to it) convertible to it)

Example:

{
  AreaCode = "49";
  FAXNumber = "123456";
  LocalCode = "30";
  LocalIdentifier = "LostInBerlin";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.modems.<name>.name

Name of modem device, will be searched for in /dev.

Type: non-empty string

Example: "ttyS1"

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.modems.<name>.type

Name of modem configuration file, will be searched for in config in the spooling area directory.

Type: non-empty string

Example: "cirrus"

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.sendmailPath

Path to sendmail program. The default uses the local sendmail wrapper (see config.services.mail.sendmailSetuidWrapper), otherwise the false binary to cause an error if used.

Type: path

Example: "${pkgs.postfix}/bin/sendmail"

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.spoolAreaPath

The spooling area will be created/maintained at the location given here.

Type: path

Default: "/var/spool/fax"

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.spoolExtraInit

Additional shell code that is executed within the spooling area directory right after its setup.

Type: strings concatenated with “\n”

Default: ""

Example: "chmod 0755 . # everyone may read my faxes"

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hylafax.userAccessFile

The hosts.hfaxd file entry in the spooling area will be symlinked to the location given here. This file must exist and be readable only by the uucp user. See hosts.hfaxd(5) for details. This configuration permits access for all users:

  environment.etc."hosts.hfaxd" = {
    mode = "0600";
    user = "uucp";
    text = ".*";
  };

Note that host-based access can be controlled with config.systemd.sockets.hylafax-hfaxd.listenStreams; by default, only 127.0.0.1 is permitted to connect.

Type: path

Default: "/etc/hosts.hfaxd"

Declared by:

<nixpkgs/nixos/modules/services/networking/hylafax/options.nix>
services.hypridle.enable

Whether to enable hypridle, Hyprland’s idle daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/wayland/hypridle.nix>
services.hypridle.package

The hypridle package to use.

Type: package

Default: pkgs.hypridle

Declared by:

<nixpkgs/nixos/modules/services/wayland/hypridle.nix>
services.i2p.enable

Whether to enable I2P router.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2p.nix>
services.i2pd.enable

Enables I2Pd as a running service upon activation. Please read https://i2pd.readthedocs.io/en/latest/ for further configuration help.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.enableIPv4

Whether to enable IPv4 connectivity.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.enableIPv6

Whether to enable IPv6 connectivity.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.package

The i2pd package to use.

Type: package

Default: pkgs.i2pd

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.address

Your external IP or hostname.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.addressbook.defaulturl

AddressBook subscription URL for initial setup

Type: string

Default: "http://joajgazyztfssty4w2on5oaqksz6tqoxbduy553y34mf4byv6gpq.b32.i2p/export/alive-hosts.txt"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.addressbook.subscriptions

AddressBook subscription URLs

Type: list of string

Default:

[
  "http://inr.i2p/export/alive-hosts.txt"
  "http://i2p-projekt.i2p/hosts.txt"
  "http://stats.i2p/cgi-bin/newhosts.txt"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.bandwidth

Set a router bandwidth limit integer in KBps. If not set, i2pd defaults to 32KBps.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.dataDir

Alternative path to storage of i2pd data (RI, keys, peer profiles, …)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.exploratory.inbound.length

Guaranteed minimum hops for exploratory tunnels.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.exploratory.inbound.quantity

Number of simultaneous exploratory tunnels.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.exploratory.outbound.length

Guaranteed minimum hops for exploratory tunnels.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.exploratory.outbound.quantity

Number of simultaneous exploratory tunnels.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.family

Specify a family the router belongs to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.floodfill

If the router is declared to be unreachable and needs introduction nodes.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.ifname

Network interface to bind to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.ifname4

IPv4 interface to bind to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.ifname6

IPv6 interface to bind to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels

Serve something on I2P network at port and delegate requests to address inPort.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels.<name>.enable

Whether to enable ‹name›.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels.<name>.accessList

I2P nodes that are allowed to connect to this service.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels.<name>.address

Bind address for ‹name› endpoint.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels.<name>.crypto.tagsToSend

Number of ElGamal/AES tags to send.

Type: signed integer

Default: 40

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels.<name>.destination

Remote endpoint, I2P hostname or b32.i2p address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels.<name>.inPort

Service port. Default to the tunnel’s listen port.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels.<name>.inbound.length

Guaranteed minimum hops for ‹name› tunnels.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels.<name>.inbound.quantity

Number of simultaneous ‹name› tunnels.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels.<name>.keys

Keyset used for tunnel identity.

Type: string

Default: "‹name›-keys.dat"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels.<name>.name

The endpoint name.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels.<name>.outbound.length

Guaranteed minimum hops for ‹name› tunnels.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels.<name>.outbound.quantity

Number of simultaneous ‹name› tunnels.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.inTunnels.<name>.port

Bind port for ‹name› endpoint.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.limits.coreSize

Maximum size of corefile in Kb (0 - use system limit).

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.limits.ntcpHard

Maximum number of active transit sessions.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.limits.ntcpSoft

Threshold to start probabalistic backoff with ntcp sessions (default: use system limit).

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.limits.ntcpThreads

Maximum number of threads used by NTCP DH worker.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.limits.openFiles

Maximum number of open files (0 - use system default).

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.limits.transittunnels

Maximum number of active transit sessions.

Type: signed integer

Default: 2500

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.logCLFTime

Whether to enable full CLF-formatted date and time to log.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.logLevel

The log level. i2pd defaults to “info” but that generates copious amounts of log messages.

We default to “error” which is similar to the default log level of tor.

Type: one of “debug”, “info”, “warn”, “error”

Default: "error"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.nat

Whether to enable NAT bypass.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.netid

I2P overlay netid.

Type: signed integer

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.notransit

Tells the router to not accept transit tunnels during startup.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.ntcp

Whether to enable ntcp.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.ntcp2.enable

Whether to enable NTCP2.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.ntcp2.port

Port to listen for incoming NTCP2 connections (0=auto).

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.ntcp2.published

Whether to enable NTCP2 publication.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.ntcpProxy

Proxy URL for NTCP transport.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.outTunnels

Connect to someone as a client and establish a local accept endpoint

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.outTunnels.<name>.enable

Whether to enable ‹name›.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.outTunnels.<name>.address

Bind address for ‹name› endpoint.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.outTunnels.<name>.crypto.tagsToSend

Number of ElGamal/AES tags to send.

Type: signed integer

Default: 40

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.outTunnels.<name>.destination

Remote endpoint, I2P hostname or b32.i2p address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.outTunnels.<name>.destinationPort

Connect to particular port at destination.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.outTunnels.<name>.inbound.length

Guaranteed minimum hops for ‹name› tunnels.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.outTunnels.<name>.inbound.quantity

Number of simultaneous ‹name› tunnels.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.outTunnels.<name>.keys

Keyset used for tunnel identity.

Type: string

Default: "‹name›-keys.dat"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.outTunnels.<name>.name

The endpoint name.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.outTunnels.<name>.outbound.length

Guaranteed minimum hops for ‹name› tunnels.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.outTunnels.<name>.outbound.quantity

Number of simultaneous ‹name› tunnels.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.outTunnels.<name>.port

Bind port for ‹name› endpoint.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.port

I2P listen port. If no one is given the router will pick between 9111 and 30777.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.precomputation.elgamal

Whenever to use precomputated tables for ElGamal. i2pd defaults to false to save 64M of memory (and looses some performance).

We default to true as that is what most users want anyway.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.bob.enable

Whether to enable bob.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.bob.address

Bind address for bob endpoint.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.bob.name

The endpoint name.

Type: string

Default: "bob"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.bob.port

Bind port for bob endpoint.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2827

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.http.enable

Whether to enable http.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.http.address

Bind address for http endpoint.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.http.auth

Whether to enable webconsole authentication.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.http.hostname

Expected hostname for WebUI.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.http.name

The endpoint name.

Type: string

Default: "http"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.http.pass

Password for webconsole access.

Type: string

Default: "i2pd"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.http.port

Bind port for http endpoint.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7070

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.http.strictHeaders

Enable strict host checking on WebUI.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.http.user

Username for webconsole access

Type: string

Default: "i2pd"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.httpProxy.enable

Whether to enable httpproxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.httpProxy.address

Bind address for httpproxy endpoint.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.httpProxy.inbound.length

Guaranteed minimum hops for httpproxy tunnels.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.httpProxy.inbound.quantity

Number of simultaneous httpproxy tunnels.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.httpProxy.keys

File to persist HTTPPROXY keys.

Type: null or string

Default: "httpproxy-keys.dat"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.httpProxy.latency.max

Max latency for tunnels.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.httpProxy.latency.min

Min latency for tunnels.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.httpProxy.name

The endpoint name.

Type: string

Default: "httpproxy"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.httpProxy.outbound.length

Guaranteed minimum hops for httpproxy tunnels.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.httpProxy.outbound.quantity

Number of simultaneous httpproxy tunnels.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.httpProxy.outproxy

Upstream outproxy bind address.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.httpProxy.port

Bind port for httpproxy endpoint.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4444

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.i2cp.enable

Whether to enable i2cp.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.i2cp.address

Bind address for i2cp endpoint.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.i2cp.name

The endpoint name.

Type: string

Default: "i2cp"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.i2cp.port

Bind port for i2cp endpoint.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7654

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.i2pControl.enable

Whether to enable i2pcontrol.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.i2pControl.address

Bind address for i2pcontrol endpoint.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.i2pControl.name

The endpoint name.

Type: string

Default: "i2pcontrol"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.i2pControl.port

Bind port for i2pcontrol endpoint.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7650

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.sam.enable

Whether to enable sam.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.sam.address

Bind address for sam endpoint.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.sam.name

The endpoint name.

Type: string

Default: "sam"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.sam.port

Bind port for sam endpoint.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7656

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.enable

Whether to enable socksproxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.address

Bind address for socksproxy endpoint.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.inbound.length

Guaranteed minimum hops for socksproxy tunnels.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.inbound.quantity

Number of simultaneous socksproxy tunnels.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.keys

File to persist SOCKSPROXY keys.

Type: null or string

Default: "socksproxy-keys.dat"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.latency.max

Max latency for tunnels.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.latency.min

Min latency for tunnels.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.name

The endpoint name.

Type: string

Default: "socksproxy"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.outbound.length

Guaranteed minimum hops for socksproxy tunnels.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.outbound.quantity

Number of simultaneous socksproxy tunnels.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.outproxy

Upstream outproxy bind address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.outproxyEnable

Whether to enable SOCKS outproxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.outproxyPort

Upstream outproxy bind port.

Type: signed integer

Default: 4444

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.proto.socksProxy.port

Bind port for socksproxy endpoint.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4447

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.reseed.file

Full path to SU3 file to reseed from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.reseed.floodfill

Path to router info of floodfill to reseed from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.reseed.proxy

URL for reseed proxy, supports http/socks.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.reseed.urls

Reseed URLs.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.reseed.verify

Whether to enable SU3 signature verification.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.reseed.zipfile

Path to local .zip file to reseed from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.share

Limit of transit traffic from max bandwidth in percents.

Type: signed integer

Default: 100

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.ssu

Whether to enable ssu.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.trust.enable

Whether to enable explicit trust options.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.trust.family

Router Family to trust for first hops.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.trust.hidden

Whether to enable router concealment.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.trust.routers

Only connect to the listed routers.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.upnp.enable

Whether to enable UPnP service discovery.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.upnp.name

Name i2pd appears in UPnP forwardings list.

Type: string

Default: "I2Pd"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.websocket.enable

Whether to enable websockets.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.websocket.address

Bind address for websockets endpoint.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.websocket.name

The endpoint name.

Type: string

Default: "websockets"

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.websocket.port

Bind port for websockets endpoint.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7666

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.yggdrasil.enable

Whether to enable Yggdrasil.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.i2pd.yggdrasil.address

Your local yggdrasil address. Specify it if you want to bind your router to a particular address.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/i2pd.nix>
services.icecast.enable

Whether to enable Icecast server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/icecast.nix>
services.icecast.admin.password

Password used for all administration functions.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/audio/icecast.nix>
services.icecast.admin.user

Username used for all administration functions.

Type: string

Default: "admin"

Declared by:

<nixpkgs/nixos/modules/services/audio/icecast.nix>
services.icecast.extraConf

icecast.xml content.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/audio/icecast.nix>
services.icecast.group

Group privileges for the server.

Type: string

Default: "nogroup"

Declared by:

<nixpkgs/nixos/modules/services/audio/icecast.nix>
services.icecast.hostname

DNS name or IP address that will be used for the stream directory lookups or possibly the playlist generation if a Host header is not provided.

Type: null or string

Default: config.networking.domain

Declared by:

<nixpkgs/nixos/modules/services/audio/icecast.nix>
services.icecast.listen.address

Address Icecast will listen on.

Type: string

Default: "::"

Declared by:

<nixpkgs/nixos/modules/services/audio/icecast.nix>
services.icecast.listen.port

TCP port that will be used to accept client connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8000

Declared by:

<nixpkgs/nixos/modules/services/audio/icecast.nix>
services.icecast.logDir

Base directory used for logging.

Type: path

Default: "/var/log/icecast"

Declared by:

<nixpkgs/nixos/modules/services/audio/icecast.nix>
services.icecast.user

User privileges for the server.

Type: string

Default: "nobody"

Declared by:

<nixpkgs/nixos/modules/services/audio/icecast.nix>
services.icecream.daemon.enable

Whether to enable Icecream Daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/daemon.nix>
services.icecream.daemon.package

The icecream package to use.

Type: package

Default: pkgs.icecream

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/daemon.nix>
services.icecream.daemon.cacheLimit

Maximum size in Megabytes of cache used to store compile environments of compile clients.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 256

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/daemon.nix>
services.icecream.daemon.extraArgs

Additional command line parameters.

Type: list of string

Default: [ ]

Example:

[
  "-v"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/daemon.nix>
services.icecream.daemon.hostname

Hostname of the daemon in the icecream infrastructure.

Uses the hostname retrieved via uname if set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/daemon.nix>
services.icecream.daemon.maxProcesses

Maximum number of compile jobs started in parallel for this daemon.

Uses the number of CPUs if set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/daemon.nix>
services.icecream.daemon.netName

Network name to connect to. A scheduler with the same name needs to be running.

Type: string

Default: "ICECREAM"

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/daemon.nix>
services.icecream.daemon.nice

The level of niceness to use.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/daemon.nix>
services.icecream.daemon.noRemote

Prevent jobs from other nodes being scheduled on this daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/daemon.nix>
services.icecream.daemon.openBroadcast

Whether to automatically open the firewall for scheduler discovery.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/daemon.nix>
services.icecream.daemon.openFirewall

Whether to automatically open receive port in the firewall.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/daemon.nix>
services.icecream.daemon.schedulerHost

Explicit scheduler hostname, useful in firewalled environments.

Uses scheduler autodiscovery via broadcast if set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/daemon.nix>
services.icecream.daemon.user

User to run the icecream daemon as. Set to root to enable receive of remote compile environments.

Type: string

Default: "icecc"

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/daemon.nix>
services.icecream.scheduler.enable

Whether to enable Icecream Scheduler.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/scheduler.nix>
services.icecream.scheduler.package

The icecream package to use.

Type: package

Default: pkgs.icecream

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/scheduler.nix>
services.icecream.scheduler.extraArgs

Additional command line parameters

Type: list of string

Default: [ ]

Example:

[
  "-v"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/scheduler.nix>
services.icecream.scheduler.netName

Network name for the icecream scheduler.

Uses the default ICECREAM if null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/scheduler.nix>
services.icecream.scheduler.openFirewall

Whether to automatically open the daemon port in the firewall.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/scheduler.nix>
services.icecream.scheduler.openTelnet

Whether to open the telnet TCP port on 8766.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/scheduler.nix>
services.icecream.scheduler.persistentClientConnection

Whether to prevent clients from connecting to a better scheduler.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/scheduler.nix>
services.icecream.scheduler.port

Server port to listen for icecream daemon requests.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8765

Declared by:

<nixpkgs/nixos/modules/services/networking/icecream/scheduler.nix>
services.icingaweb2.enable

Whether to enable the icingaweb2 web interface.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.authentications

authentication.ini contents. Will automatically be converted to a .ini file.

If the value is null, no authentication.ini is created and you can modify it manually (e.g. via the web interface).

Type: null or (attribute set)

Default: null

Example:

{
  icingaweb = {
    backend = "db";
    resource = "icingaweb_db";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.generalConfig

config.ini contents. Will automatically be converted to a .ini file. If you don’t set global.module_path, the module will take care of it.

If the value is null, no config.ini is created and you can modify it manually (e.g. via the web interface). Note that you need to update module_path manually.

Type: null or (attribute set)

Default: null

Example:

{
  general = {
    config_resource = "icingaweb_db";
    showStacktraces = 1;
  };
  logging = {
    level = "CRITICAL";
    log = "syslog";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.groupBackends

groups.ini contents. Will automatically be converted to a .ini file.

If the value is null, no groups.ini is created and you can modify it manually (e.g. via the web interface).

Type: null or (attribute set)

Default: null

Example:

{
  icingaweb = {
    backend = "db";
    resource = "icingaweb_db";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.libraryPaths

Libraries to add to the Icingaweb2 library path. The name of the attribute is the name of the library, the value is the package to add.

Type: attribute set of package

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.modulePackages

Name-package attrset of Icingaweb 2 modules packages to enable.

If you enable modules manually (e.g. via the web ui), they will not be touched.

Type: attribute set of package

Default: { }

Example:

{
  "snow" = icingaweb2Modules.theme-snow;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.modules.doc.enable

Whether to enable the icingaweb2 doc module.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.modules.migrate.enable

Whether to enable the icingaweb2 migrate module.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.modules.monitoring.enable

Whether to enable the icingaweb2 monitoring module.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.backends

Monitoring backends to define

Type: attribute set of (submodule)

Default:

{
  icinga = {
    resource = "icinga_ido";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.backends.<name>.disabled

Disable this backend

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.backends.<name>.resource

Name of the IDO resource

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.generalConfig.mutable

Make config.ini of the monitoring module mutable (e.g. via the web interface).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.generalConfig.protectedVars

List of string patterns for custom variables which should be excluded from user’s view.

Type: list of string

Default:

[
  "*pw*"
  "*pass*"
  "community"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.mutableBackends

Make backends.ini of the monitoring module mutable (e.g. via the web interface).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.mutableTransports

Make commandtransports.ini of the monitoring module mutable (e.g. via the web interface).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.transports

Command transports to define

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.transports.<name>.host

Host for the api or remote transport

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.transports.<name>.instance

Assign a icinga instance to this transport

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.transports.<name>.password

Password for the api transport

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.transports.<name>.path

Path to the socket for local or remote transports

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.transports.<name>.port

Port to connect to for the api or remote transport

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.transports.<name>.resource

SSH identity resource for the remote transport

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.transports.<name>.type

Type of this transport

Type: one of “api”, “local”, “remote”

Default: "api"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.monitoring.transports.<name>.username

Username for the api or remote transport

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/module-monitoring.nix>
services.icingaweb2.modules.setup.enable

Whether to enable the icingaweb2 setup module.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.modules.test.enable

Whether to enable the icingaweb2 test module.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.modules.translation.enable

Whether to enable the icingaweb2 translation module.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.pool

Name of existing PHP-FPM pool that is used to run Icingaweb2. If not specified, a pool will automatically created with default values.

Type: string

Default: "icingaweb2"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.resources

resources.ini contents. Will automatically be converted to a .ini file.

If the value is null, no resources.ini is created and you can modify it manually (e.g. via the web interface). Note that if you set passwords here, they will go into the nix store.

Type: null or (attribute set)

Default: null

Example:

{
  icingaweb_db = {
    db = "mysql";
    dbname = "icingaweb2";
    host = "localhost";
    password = "icingaweb2";
    type = "db";
    username = "icingaweb2";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.roles

roles.ini contents. Will automatically be converted to a .ini file.

If the value is null, no roles.ini is created and you can modify it manually (e.g. via the web interface).

Type: null or (attribute set)

Default: null

Example:

{
  Administrators = {
    permissions = "*";
    users = "admin";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.timezone

PHP-compliant timezone specification

Type: string

Default: "UTC"

Example: "Europe/Berlin"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.icingaweb2.virtualHost

Name of the nginx virtualhost to use and setup. If null, no virtualhost is set up.

Type: null or string

Default: "icingaweb2"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix>
services.ifm.enable

Whether to enable Improved file manager, a single-file web-based filemanager

Lightweight and minimal, served using PHP’s built-in server .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ifm.nix>
services.ifm.dataDir

Directory to serve throught the file managing service

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ifm.nix>
services.ifm.listenAddress

Address on which the service is listening

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ifm.nix>
services.ifm.port

Port on which to serve the IFM service

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9090

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ifm.nix>
services.ifm.settings

Configuration of the IFM service.

See the documentation for available options and default values.

Type: attribute set of anything

Default: { }

Example:

{
  IFM_GUI_SHOWPATH = 0;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ifm.nix>
services.ihaskell.enable

Autostart an IHaskell notebook service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/ihaskell.nix>
services.ihaskell.extraPackages

Extra packages available to ghc when running ihaskell. The value must be a function which receives the attrset defined in haskellPackages as the sole argument.

Type: function that evaluates to a(n) list of package

Default: haskellPackages: []

Example:

haskellPackages: [
  haskellPackages.wreq
  haskellPackages.lens
]

Declared by:

<nixpkgs/nixos/modules/services/misc/ihaskell.nix>
services.illum.enable

Enable illum, a daemon for controlling screen brightness with brightness buttons.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/illum.nix>
services.imaginary.enable

Whether to enable imaginary image processing microservice.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/imaginary.nix>
services.imaginary.address

Bind address. Corresponds to the -a flag. Set to "" to bind to all addresses.

Type: string

Default: "localhost"

Example: "[::1]"

Declared by:

<nixpkgs/nixos/modules/services/networking/imaginary.nix>
services.imaginary.port

Bind port. Corresponds to the -p flag.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8088

Declared by:

<nixpkgs/nixos/modules/services/networking/imaginary.nix>
services.imaginary.settings

Command line arguments passed to the imaginary executable, stripped of the prefix -. See upstream’s README for all options.

Type: attribute set of (boolean or signed integer or non-empty (list of string) or string)

Declared by:

<nixpkgs/nixos/modules/services/networking/imaginary.nix>
services.imaginary.settings.return-size

Return the image size in the HTTP headers.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/imaginary.nix>
services.immich.enable

Whether to enable Immich.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.package

The immich package to use.

Type: package

Default: pkgs.immich

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.database.enable

Whether to enable the postgresql database for use with immich. See services.postgresql.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.database.createDB

Whether to enable the automatic creation of the database for immich…

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.database.host

Hostname or address of the postgresql server. If an absolute path is given here, it will be interpreted as a unix socket path.

Type: string

Default: "/run/postgresql"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.database.name

The name of the immich database.

Type: string

Default: "immich"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.database.port

Port of the postgresql server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5432

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.database.user

The database user for immich.

Type: string

Default: "immich"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.environment

Extra configuration environment variables. Refer to the documentation for options tagged with ‘server’, ‘api’ or ‘microservices’.

Type: attribute set of string

Default: { }

Example:

{
  IMMICH_LOG_LEVEL = "verbose";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.group

The group immich should run as.

Type: string

Default: "immich"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.host

The host that immich will listen on.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.machine-learning.enable

Whether to enable immich’s machine-learning functionality to detect faces and search for objects.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.machine-learning.environment

Extra configuration environment variables. Refer to the documentation for options tagged with ‘machine-learning’.

Type: attribute set of string

Default: { }

Example:

{
  MACHINE_LEARNING_MODEL_TTL = "600";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.mediaLocation

Directory used to store media files. If it is not the default, the directory has to be created manually such that the immich user is able to read and write to it.

Type: path

Default: "/var/lib/immich"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.openFirewall

Whether to open the immich port in the firewall

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.port

The port that immich will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2283

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.redis.enable

Whether to enable a redis cache for use with immich.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.redis.host

The host that redis will listen on.

Type: string

Default: config.services.redis.servers.immich.unixSocket

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.redis.port

The port that redis will listen on. Set to zero to disable TCP.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.secretsFile

Path of a file with extra environment variables to be loaded from disk. This file is not added to the nix store, so it can be used to pass secrets to immich. Refer to the documentation for options.

To set a database password set this to a file containing:

DB_PASSWORD=<pass>

Type: null or string

Default: null

Example: "/run/secrets/immich"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.settings

Configuration for Immich. See https://immich.app/docs/install/config-file/ or navigate to https://my.immich.app/admin/system-settings for options and defaults. Setting it to null allows configuring Immich in the web interface.

Type: null or (JSON value)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.settings.newVersionCheck.enabled

Check for new versions. This feature relies on periodic communication with github.com.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.settings.server.externalDomain

Domain for publicly shared links, including http(s)://.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.immich.user

The user immich should run as.

Type: string

Default: "immich"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/immich.nix>
services.inadyn.enable

Whether to enable synchronise your machine’s IP address with a dynamic DNS provider using inadyn .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.configFile

Configuration file for inadyn.

Setting this will override all other configuration options.

Passed to the inadyn service using LoadCredential.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.group

Group account under which inadyn runs.

Note

If left as the default value this user will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the inadyn service starts.

Type: string

Default: "inadyn"

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.interval

How often to check the current IP. Uses the format described in systemd.time(7)";

Type: string

Default: "*-*-* *:*:00"

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.logLevel

Set inadyn’s log level.

Type: one of “none”, “err”, “warning”, “info”, “notice”, “debug”

Default: "notice"

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings

See inadyn.conf (5)

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.allow-ipv6

Whether to get IPv6 addresses from interfaces.

Type: boolean

Default: "`config.networking.enableIPv6`"

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.custom

Settings for custom DNS providers.

Type: attribute set of (attribute set)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.custom.<name>.ddns-path

DDNS server path.

See inadnyn.conf (5) for a list for format specifiers that can be used.

Type: string

Example: "/update?user=%u&password=%p&domain=%h&myip=%i"

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.custom.<name>.ddns-server

DDNS server name.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.custom.<name>.hostname

Hostname alias(es).

Type: string or list of string

Default: "*"

Example: "your.cool-domain.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.custom.<name>.include

File to include additional settings for this provider from.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.custom.<name>.password

Password for this DDNS provider.

WARNING: This will be world-readable in the nix store. To store credentials securely, use the include or configFile options.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.custom.<name>.ssl

Whether to use HTTPS for this DDNS provider.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.custom.<name>.username

Username for this DDNS provider.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.forced-update

Duration (in seconds) after which an update is forced.

Type: positive integer, meaning >0

Default: 2592000

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.provider

Settings for DDNS providers built-in to inadyn.

For a list of built-in providers, see inadyn.conf (5).

Type: attribute set of (attribute set)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.provider.<name>.hostname

Hostname alias(es).

Type: string or list of string

Default: "*"

Example: "your.cool-domain.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.provider.<name>.include

File to include additional settings for this provider from.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.provider.<name>.password

Password for this DDNS provider.

WARNING: This will be world-readable in the nix store. To store credentials securely, use the include or configFile options.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.provider.<name>.ssl

Whether to use HTTPS for this DDNS provider.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.settings.provider.<name>.username

Username for this DDNS provider.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.inadyn.user

User account under which inadyn runs.

Note

If left as the default value this user will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the inadyn service starts.

Type: string

Default: "inadyn"

Declared by:

<nixpkgs/nixos/modules/services/networking/inadyn.nix>
services.incron.enable

Whether to enable the incron daemon.

Note that commands run under incrontab only support common Nix profiles for the PATH provided variable.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/incron.nix>
services.incron.allow

Users allowed to use incrontab.

If empty then no user will be allowed to have their own incrontab. If null then will defer to deny. If both allow and deny are null then all users will be allowed to have their own incrontab.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/incron.nix>
services.incron.deny

Users forbidden from using incrontab.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/incron.nix>
services.incron.extraPackages

Extra packages available to the system incrontab.

Type: list of package

Default: [ ]

Example: [ pkgs.rsync ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/incron.nix>
services.incron.systab

The system incrontab contents.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  /var/mail IN_CLOSE_WRITE abc $@/$#
  /tmp IN_ALL_EVENTS efg $@/$# $&
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/incron.nix>
services.infinoted.enable

Whether to enable infinoted.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/editors/infinoted.nix>
services.infinoted.package

The libinfinity package to use.

Type: package

Default: pkgs.libinfinity

Declared by:

<nixpkgs/nixos/modules/services/editors/infinoted.nix>
services.infinoted.certificateChain

Chain of CA-certificates to which our certificateFile is relative. Optional for TLS.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/editors/infinoted.nix>
services.infinoted.certificateFile

Server certificate to use for TLS

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/editors/infinoted.nix>
services.infinoted.extraConfig

Additional configuration to append to infinoted.conf

Type: strings concatenated with “\n”

Default:

''
  [autosave]
  interval=10
''

Declared by:

<nixpkgs/nixos/modules/services/editors/infinoted.nix>
services.infinoted.group

What to call the primary group of the dedicated user under which infinoted is run

Type: string

Default: "infinoted"

Declared by:

<nixpkgs/nixos/modules/services/editors/infinoted.nix>
services.infinoted.keyFile

Private key to use for TLS

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/editors/infinoted.nix>
services.infinoted.passwordFile

File to read server-wide password from

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/editors/infinoted.nix>
services.infinoted.plugins

Plugins to enable

Type: list of string

Default:

[
  "note-text"
  "note-chat"
  "logging"
  "autosave"
]

Declared by:

<nixpkgs/nixos/modules/services/editors/infinoted.nix>
services.infinoted.port

Port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6523

Declared by:

<nixpkgs/nixos/modules/services/editors/infinoted.nix>
services.infinoted.rootDirectory

Root of the directory structure to serve

Type: path

Default: "/var/lib/infinoted/documents/"

Declared by:

<nixpkgs/nixos/modules/services/editors/infinoted.nix>
services.infinoted.securityPolicy

How strictly to enforce clients connection with TLS.

Type: one of “no-tls”, “allow-tls”, “require-tls”

Default: "require-tls"

Declared by:

<nixpkgs/nixos/modules/services/editors/infinoted.nix>
services.infinoted.user

What to call the dedicated user under which infinoted is run

Type: string

Default: "infinoted"

Declared by:

<nixpkgs/nixos/modules/services/editors/infinoted.nix>
services.influxdb.enable

Whether to enable the influxdb server

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb.nix>
services.influxdb.package

The influxdb package to use.

Type: package

Default: pkgs.influxdb

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb.nix>
services.influxdb.dataDir

Data directory for influxd data files.

Type: path

Default: "/var/db/influxdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb.nix>
services.influxdb.extraConfig

Extra configuration options for influxdb

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb.nix>
services.influxdb.group

Group under which influxdb runs

Type: string

Default: "influxdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb.nix>
services.influxdb.user

User account under which influxdb runs

Type: string

Default: "influxdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb.nix>
services.influxdb2.enable

Whether to enable the influxdb2 server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.package

The influxdb2 package to use.

Type: package

Default: pkgs.influxdb2

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.enable

Whether to enable initial database setup and provisioning.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.initialSetup.bucket

Primary bucket name

Type: string

Example: "example"

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.initialSetup.organization

Primary organization name

Type: string

Example: "main"

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.initialSetup.passwordFile

Password for primary user. Don’t use a file from the nix store!

Type: path

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.initialSetup.retention

The duration in seconds for which the bucket will retain data (0 is infinite).

Type: unsigned integer, meaning >=0

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.initialSetup.tokenFile

API Token to set for the admin user. Don’t use a file from the nix store!

Type: path

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.initialSetup.username

Primary username

Type: string

Default: "admin"

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations

Organizations to provision.

Type: attribute set of (submodule)

Default: { }

Example:

{
  myorg = {
    description = "My organization";
    buckets.mybucket = {
      description = "My bucket";
      retention = 31536000; # 1 year
    };
    auths.mytoken = {
      readBuckets = ["mybucket"];
      tokenFile = "/run/secrets/mytoken";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.auths

API tokens to provision for the user in this organization.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.auths.<name>.allAccess

Grants all permissions in the associated organization.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.auths.<name>.description

Optional description for the API token. Note that the actual token will always be created with a descriptionregardless of whether this is given or not. The name is always added plus a unique suffix to later identify the token to track whether it has already been created.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.auths.<name>.id

A unique identifier for this authentication token. Since influx doesn’t store names for tokens, this will be hashed and appended to the description to identify the token.

Type: string (read only)

Default: "<a hash derived from org and name>"

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.auths.<name>.operator

Grants all permissions in all organizations.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.auths.<name>.present

Whether to ensure that this user is present or absent.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.auths.<name>.readBuckets

The organization’s buckets which should be allowed to be read

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.auths.<name>.readPermissions

The read permissions to include for this token. Access is usually granted only for resources in the associated organization.

Available permissions are authorizations, buckets, dashboards, orgs, tasks, telegrafs, users, variables, secrets, labels, views, documents, notificationRules, notificationEndpoints, checks, dbrp, annotations, sources, scrapers, notebooks, remotes, replications.

Refer to influx auth create --help for a full list with descriptions.

buckets grants read access to all associated buckets. Use readBuckets to define more granular access permissions.

Type: list of (one of “authorizations”, “buckets”, “dashboards”, “orgs”, “tasks”, “telegrafs”, “users”, “variables”, “secrets”, “labels”, “views”, “documents”, “notificationRules”, “notificationEndpoints”, “checks”, “dbrp”, “annotations”, “sources”, “scrapers”, “notebooks”, “remotes”, “replications”)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.auths.<name>.tokenFile

The token value. If not given, influx will automatically generate one.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.auths.<name>.writeBuckets

The organization’s buckets which should be allowed to be written

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.auths.<name>.writePermissions

The read permissions to include for this token. Access is usually granted only for resources in the associated organization.

Available permissions are authorizations, buckets, dashboards, orgs, tasks, telegrafs, users, variables, secrets, labels, views, documents, notificationRules, notificationEndpoints, checks, dbrp, annotations, sources, scrapers, notebooks, remotes, replications.

Refer to influx auth create --help for a full list with descriptions.

buckets grants write access to all associated buckets. Use writeBuckets to define more granular access permissions.

Type: list of (one of “authorizations”, “buckets”, “dashboards”, “orgs”, “tasks”, “telegrafs”, “users”, “variables”, “secrets”, “labels”, “views”, “documents”, “notificationRules”, “notificationEndpoints”, “checks”, “dbrp”, “annotations”, “sources”, “scrapers”, “notebooks”, “remotes”, “replications”)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.buckets

Buckets to provision in this organization.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.buckets.<name>.description

Optional description for the bucket.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.buckets.<name>.present

Whether to ensure that this bucket is present or absent.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.buckets.<name>.retention

The duration in seconds for which the bucket will retain data (0 is infinite).

Type: unsigned integer, meaning >=0

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.description

Optional description for the organization.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.organizations.<name>.present

Whether to ensure that this organization is present or absent.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.users

Users to provision.

Type: attribute set of (submodule)

Default: { }

Example:

{
  # admin = {}; /* The initialSetup.username will automatically be added. */
  myuser.passwordFile = "/run/secrets/myuser_password";
}

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.users.<name>.passwordFile

Password for the user. If unset, the user will not be able to log in until a password is set by an operator! Don’t use a file from the nix store!

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.provision.users.<name>.present

Whether to ensure that this user is present or absent.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.influxdb2.settings

configuration options for influxdb2, see https://docs.influxdata.com/influxdb/v2.0/reference/config-options for details.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/databases/influxdb2.nix>
services.infnoise.enable

Whether to enable the Infinite Noise TRNG driver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/infnoise.nix>
services.infnoise.fillDevRandom

Whether to run the infnoise driver as a daemon to refill /dev/random.

If disabled, you can use the infnoise command-line tool to manually obtain randomness.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/infnoise.nix>
services.input-remapper.enable

Whether to enable input-remapper, an easy to use tool to change the mapping of your input device buttons.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/input-remapper.nix>
services.input-remapper.enableUdevRules

Whether to enable udev rules added by input-remapper to handle hotplugged devices. Currently disabled by default due to https://github.com/sezanzeb/input-remapper/issues/140.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/input-remapper.nix>
services.input-remapper.package

The input-remapper package to use.

Type: package

Default: pkgs.input-remapper

Declared by:

<nixpkgs/nixos/modules/services/misc/input-remapper.nix>
services.input-remapper.serviceWantedBy

Specifies the WantedBy setting for the input-remapper service.

Type: list of string

Default:

[
  "graphical.target"
]

Example:

[
  "multi-user.target"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/input-remapper.nix>
services.inspircd.enable

Whether to enable InspIRCd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/inspircd.nix>
services.inspircd.package

The InspIRCd package to use. This is mainly useful to specify an overridden version of the pkgs.inspircd dervivation, for example if you want to use a more minimal InspIRCd distribution with less modules enabled or with modules enabled which can’t be distributed in binary form due to licensing issues.

Type: package

Default: pkgs.inspircd

Example: pkgs.inspircdMinimal

Declared by:

<nixpkgs/nixos/modules/services/networking/inspircd.nix>
services.inspircd.config

Verbatim inspircd.conf file. For a list of options, consult the InspIRCd documentation, the Module documentation and the example configuration files distributed with pkgs.inspircd.doc

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/networking/inspircd.nix>
services.interception-tools.enable

Whether to enable the interception tools service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/interception-tools.nix>
services.interception-tools.plugins

A list of interception tools plugins that will be made available to use inside the udevmon configuration.

Type: list of package

Default: [ pkgs.interception-tools-plugins.caps2esc ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/interception-tools.nix>
services.interception-tools.udevmonConfig

String of udevmon YAML configuration, or path to a udevmon YAML configuration file.

Type: string or path

Default:

''
  - JOB: "intercept -g $DEVNODE | caps2esc | uinput -d $DEVNODE"
    DEVICE:
      EVENTS:
        EV_KEY: [KEY_CAPSLOCK, KEY_ESC]
''

Example:

''
  - JOB: "intercept -g $DEVNODE | y2z | x2y | uinput -d $DEVNODE"
    DEVICE:
      EVENTS:
        EV_KEY: [KEY_X, KEY_Y]
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/interception-tools.nix>
services.intune.enable

Whether to enable Microsoft Intune.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/intune.nix>
services.invidious.enable

Whether to enable Invidious.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.package

The invidious package to use.

Type: package

Default: pkgs.invidious

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.address

The IP address Invidious should bind to.

Type: string

Default: if config.services.invidious.nginx.enable then "127.0.0.1" else "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.database.createLocally

Whether to create a local database with PostgreSQL.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.database.host

The database host Invidious should use.

If null, the local unix socket is used. Otherwise TCP is used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.database.passwordFile

Path to file containing the database password.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.database.port

The port of the database Invidious should use.

Defaults to the the default postgresql port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: config.services.postgresql.settings.port

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.domain

The FQDN Invidious is reachable on.

This is used to configure nginx and for building absolute URLs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.extraSettingsFile

A file including Invidious settings.

It gets merged with the settings specified in services.invidious.settings and can be used to store secrets like hmac_key outside of the nix store.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.hmacKeyFile

A path to a file containing the hmac_key. If null, a key will be generated automatically on first start.

If non-null, this option overrides any hmac_key specified in services.invidious.settings or via services.invidious.extraSettingsFile.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.http3-ytproxy.enable

Whether to enable http3-ytproxy for faster loading of images and video playback.

If services.invidious.nginx.enable is used, nginx will be configured automatically. If not, you need to configure a reverse proxy yourself according to https://docs.invidious.io/improve-public-instance/#3-speed-up-video-playback-with-http3-ytproxy.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.http3-ytproxy.package

The http3-ytproxy package to use.

Type: package

Default: pkgs.http3-ytproxy

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.nginx.enable

Whether to configure nginx as a reverse proxy for Invidious.

It serves it under the domain specified in services.invidious.settings.domain with enabled TLS and ACME. Further configuration can be done through services.nginx.virtualHosts.${config.services.invidious.settings.domain}.*, which can also be used to disable AMCE and TLS.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.port

The port Invidious should listen on.

To allow access from outside, you can use either services.invidious.nginx or add config.services.invidious.port to networking.firewall.allowedTCPPorts.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.serviceScale

How many invidious instances to run.

See https://docs.invidious.io/improve-public-instance/#2-multiple-invidious-processes for more details on how this is intended to work. All instances beyond the first one have the options channel_threads and feed_threads set to 0 to avoid conflicts with multiple instances refreshing subscriptions. Instances will be configured to bind to consecutive ports starting with services.invidious.port for the first instance.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.settings

The settings Invidious should use.

See config.example.yml for a list of all possible options.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.sig-helper.enable

Whether to enable and configure inv-sig-helper to emulate the youtube client’s javascript. This is required to make certain videos playable.

This will download and run completely untrusted javascript from youtube! While this service is sandboxed, this may still be an issue!

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.sig-helper.package

The inv-sig-helper package to use.

Type: package

Default: pkgs.inv-sig-helper

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious.sig-helper.listenAddress

The IP address/port where inv-sig-helper should listen.

Type: string

Default: "127.0.0.1:2999"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invidious.nix>
services.invidious-router.enable

Whether to enable the invidious-router service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/invidious-router.nix>
services.invidious-router.package

The invidious-router package to use.

Type: package

Default: pkgs.invidious-router

Declared by:

<nixpkgs/nixos/modules/services/misc/invidious-router.nix>
services.invidious-router.address

Address on which invidious-router should listen on.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/invidious-router.nix>
services.invidious-router.nginx.enable

Whether to enable Automatic nginx proxy configuration .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/invidious-router.nix>
services.invidious-router.nginx.domain

The domain on which invidious-router should be served.

Type: string

Example: "invidious-router.example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/invidious-router.nix>
services.invidious-router.nginx.extraDomains

Additional domains to serve invidious-router on.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/invidious-router.nix>
services.invidious-router.port

Port to bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8050

Declared by:

<nixpkgs/nixos/modules/services/misc/invidious-router.nix>
services.invidious-router.settings

Configuration for invidious-router. Check https://gitlab.com/gaincoder/invidious-router#configuration for configuration options.

Type: YAML value

Default:

{
  api = {
    allowed_regions = [
      "AT"
      "DE"
      "CH"
    ];
    enabled = true;
    filter_regions = true;
    url = "https://api.invidious.io/instances.json";
  };
  app = {
    enable_youtube_fallback = false;
    listen = "127.0.0.1:8050";
    reload_instance_list_interval = "60s";
  };
  healthcheck = {
    allowed_status_codes = [
      200
    ];
    filter_by_response_time = {
      enabled = true;
      qty_of_top_results = 3;
    };
    interval = "10s";
    minimum_ratio = 0.2;
    path = "/";
    remove_no_ratio = true;
    text_not_present = "YouTube is currently trying to block Invidious instances";
    timeout = "1s";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/invidious-router.nix>
services.invoiceplane

InvoicePlane configuration.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites

Specification of one or more InvoicePlane sites to serve

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites.<name>.enable

Whether to enable InvoicePlane web application.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites.<name>.cron.enable

Enable cron service which periodically runs Invoiceplane tasks. Requires key taken from the administration page. Refer to https://wiki.invoiceplane.com/en/1.0/modules/recurring-invoices on how to configure it.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites.<name>.cron.key

Cron key taken from the administration page.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites.<name>.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites.<name>.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites.<name>.database.name

Database name.

Type: string

Default: "invoiceplane"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites.<name>.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/invoiceplane-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites.<name>.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites.<name>.database.user

Database user.

Type: string

Default: "invoiceplane"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites.<name>.invoiceTemplates

List of path(s) to respective template(s) which are copied from the ‘invoice_templates/pdf’ directory.

Note

These templates need to be packaged before use, see example.

Type: list of path

Default: [ ]

Example:

let
  # Let's package an example template
  template-vtdirektmarketing = pkgs.stdenv.mkDerivation {
    name = "vtdirektmarketing";
    # Download the template from a public repository
    src = pkgs.fetchgit {
      url = "https://git.project-insanity.org/onny/invoiceplane-vtdirektmarketing.git";
      sha256 = "1hh0q7wzsh8v8x03i82p6qrgbxr4v5fb05xylyrpp975l8axyg2z";
    };
    sourceRoot = ".";
    # Installing simply means copying template php file to the output directory
    installPhase = ""
      mkdir -p $out
      cp invoiceplane-vtdirektmarketing/vtdirektmarketing.php $out/
    "";
  };
# And then pass this package to the template list like this:
in [ template-vtdirektmarketing ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites.<name>.poolConfig

Options for the InvoicePlane PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites.<name>.settings

Structural InvoicePlane configuration. Refer to https://github.com/InvoicePlane/InvoicePlane/blob/master/ipconfig.php.example for details and supported values.

Type: attribute set of anything

Default: { }

Example:

{
  SETUP_COMPLETED = true;
  DISABLE_SETUP = true;
  IP_URL = "https://invoice.example.com";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.sites.<name>.stateDir

This directory is used for uploads of attachments and cache. The directory passed here is automatically created and permissions adjusted as required.

Type: path

Default: "/var/lib/invoiceplane/‹name›"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.invoiceplane.webserver

Which webserver to use for virtual host management.

Type: one of “caddy”, “nginx”

Default: "caddy"

Example: "nginx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/invoiceplane.nix>
services.iodine.clients

Each attribute of this option defines a systemd service that runs iodine. Many or none may be defined. The name of each service is iodine-«name» where «name» is the name of the corresponding attribute name.

Type: attribute set of (submodule)

Default: { }

Example:

{
  foo = {
    server = "tunnel.mdomain.com";
    relay = "8.8.8.8";
    extraConfig = "-v";
  }
}

Declared by:

<nixpkgs/nixos/modules/services/networking/iodine.nix>
services.iodine.clients.<name>.extraConfig

Additional command line parameters

Type: string

Default: ""

Example: "-l 192.168.1.10 -p 23"

Declared by:

<nixpkgs/nixos/modules/services/networking/iodine.nix>
services.iodine.clients.<name>.passwordFile

Path to a file containing the password.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/iodine.nix>
services.iodine.clients.<name>.relay

DNS server to use as an intermediate relay to the iodined server

Type: string

Default: ""

Example: "8.8.8.8"

Declared by:

<nixpkgs/nixos/modules/services/networking/iodine.nix>
services.iodine.clients.<name>.server

Hostname of server running iodined

Type: string

Default: ""

Example: "tunnel.mydomain.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/iodine.nix>
services.iodine.server.enable

enable iodined server

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/iodine.nix>
services.iodine.server.domain

Domain or subdomain of which nameservers point to us

Type: string

Default: ""

Example: "tunnel.mydomain.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/iodine.nix>
services.iodine.server.extraConfig

Additional command line parameters

Type: string

Default: ""

Example: "-l 192.168.1.10 -p 23"

Declared by:

<nixpkgs/nixos/modules/services/networking/iodine.nix>
services.iodine.server.ip

The assigned ip address or ip range

Type: string

Default: ""

Example: "172.16.10.1/24"

Declared by:

<nixpkgs/nixos/modules/services/networking/iodine.nix>
services.iodine.server.passwordFile

File that contains password

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/iodine.nix>
services.iperf3.enable

Whether to enable iperf3 network throughput testing server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/iperf3.nix>
services.iperf3.package

The iperf3 package to use.

Type: package

Default: pkgs.iperf3

Declared by:

<nixpkgs/nixos/modules/services/networking/iperf3.nix>
services.iperf3.affinity

CPU affinity for the process.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/iperf3.nix>
services.iperf3.authorizedUsersFile

Path to the configuration file containing authorized users credentials to run iperf tests.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/iperf3.nix>
services.iperf3.bind

Bind to the specific interface associated with the given address.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/iperf3.nix>
services.iperf3.debug

Emit debugging output.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/iperf3.nix>
services.iperf3.extraFlags

Extra flags to pass to iperf3(1).

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/iperf3.nix>
services.iperf3.forceFlush

Force flushing output at every interval.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/iperf3.nix>
services.iperf3.openFirewall

Open ports in the firewall for iperf3.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/iperf3.nix>
services.iperf3.port

Server port to listen on for iperf3 client requests.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5201

Declared by:

<nixpkgs/nixos/modules/services/networking/iperf3.nix>
services.iperf3.rsaPrivateKey

Path to the RSA private key (not password-protected) used to decrypt authentication credentials from the client.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/iperf3.nix>
services.iperf3.verbose

Give more detailed output.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/iperf3.nix>
services.ipp-usb.enable

Whether to enable ipp-usb, a daemon to turn an USB printer/scanner supporting IPP everywhere (aka AirPrint, WSD, AirScan) into a locally accessible network printer/scanner.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/printing/ipp-usb.nix>
services.iptsd.enable

Whether to enable the userspace daemon for Intel Precise Touch & Stylus.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/iptsd.nix>
services.iptsd.config

Configuration for IPTSD. See the reference configuration for available options and defaults.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/hardware/iptsd.nix>
services.iptsd.config.Stylus.Disable

Disables the stylus. No stylus data will be processed.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/iptsd.nix>
services.iptsd.config.Touchscreen.DisableOnPalm

Ignore all touchscreen inputs if a palm was registered on the display.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/iptsd.nix>
services.iptsd.config.Touchscreen.DisableOnStylus

Ignore all touchscreen inputs if a stylus is in proximity.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/iptsd.nix>
services.ircdHybrid.enable

Whether to enable IRCD.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.adminEmail

IRCD server administrator e-mail.

Type: string

Default: "<bit-bucket@example.com>"

Example: "<name@domain.tld>"

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.certificate

IRCD server SSL certificate. There are some limitations - read manual.

Type: null or path

Default: null

Example: /root/certificates/irc.pem

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.description

IRCD server description.

Type: string

Default: "Hybrid-7 IRC server."

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.extraIPs

Extra IP’s to bind.

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.extraPort

Extra port to avoid filtering.

Type: string

Default: "7117"

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.rsaKey

IRCD server RSA key.

Type: null or path

Default: null

Example: /root/certificates/irc.key

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.serverName

IRCD server name.

Type: string

Default: "hades.arpa"

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.ircdHybrid.sid

IRCD server unique ID in a net of servers.

Type: string

Default: "0NL"

Declared by:

<nixpkgs/nixos/modules/services/networking/ircd-hybrid/default.nix>
services.irkerd.enable

Whether to enable irker, an IRC notification daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/irkerd.nix>
services.irkerd.listenAddress

Specifies the bind address on which the irker daemon listens. The default is localhost.

Irker authors strongly warn about the risks of running this on a publicly accessible interface, so change this with caution.

Type: string

Default: "localhost"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/irkerd.nix>
services.irkerd.nick

Nick to use for irker

Type: string

Default: "irker"

Declared by:

<nixpkgs/nixos/modules/services/misc/irkerd.nix>
services.irkerd.openPorts

Open ports in the firewall for irkerd

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/irkerd.nix>
services.irqbalance.enable

Whether to enable irqbalance daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/irqbalance.nix>
services.isso.enable

Whether to enable isso, a commenting server similar to Disqus.

Note: The application’s author suppose to run isso behind a reverse proxy. The embedded solution offered by NixOS is also only suitable for small installations below 20 requests per second .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/isso.nix>
services.isso.settings

Configuration for isso.

See Isso Server Configuration for supported values.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Example:

{
  general = {
    host = "http://localhost";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/isso.nix>
services.ivpn.enable

This option enables iVPN daemon. This sets networking.firewall.checkReversePath to “loose”, which might be undesirable for security.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ivpn.nix>
services.jack.alsa.enable

Route audio to/from generic ALSA-using applications using ALSA JACK PCM plugin.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/audio/jack.nix>
services.jack.alsa.support32Bit

Whether to support sound for 32-bit ALSA applications on 64-bit system.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/jack.nix>
services.jack.jackd.enable

Whether to enable JACK Audio Connection Kit. You need to add yourself to the “jackaudio” group .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/jack.nix>
services.jack.jackd.extraOptions

Specifies startup command line arguments to pass to JACK server.

Type: list of string

Default:

[
  "-dalsa"
]

Example:

[ "-dalsa" "--device" "hw:1" ];

Declared by:

<nixpkgs/nixos/modules/services/audio/jack.nix>
services.jack.jackd.session

Commands to run after JACK is started.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/audio/jack.nix>
services.jack.loopback.enable

Create ALSA loopback device, instead of using PCM plugin. Has broader application support (things like Steam will work), but may need fine-tuning for concrete hardware.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/jack.nix>
services.jack.loopback.config

ALSA config for loopback device.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/audio/jack.nix>
services.jack.loopback.dmixConfig

For music production software that still doesn’t support JACK natively you would like to put buffer/period adjustments here to decrease dmix device latency.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  period_size 2048
  periods 2
''

Declared by:

<nixpkgs/nixos/modules/services/audio/jack.nix>
services.jack.loopback.index

Index of an ALSA loopback device.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/audio/jack.nix>
services.jack.loopback.session

Additional commands to run to setup loopback device.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/audio/jack.nix>
services.jackett.enable

Whether to enable Jackett, API support for your favorite torrent trackers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/jackett.nix>
services.jackett.package

The jackett package to use.

Type: package

Default: pkgs.jackett

Declared by:

<nixpkgs/nixos/modules/services/misc/jackett.nix>
services.jackett.dataDir

The directory where Jackett stores its data files.

Type: string

Default: "/var/lib/jackett/.config/Jackett"

Declared by:

<nixpkgs/nixos/modules/services/misc/jackett.nix>
services.jackett.group

Group under which Jackett runs.

Type: string

Default: "jackett"

Declared by:

<nixpkgs/nixos/modules/services/misc/jackett.nix>
services.jackett.openFirewall

Open ports in the firewall for the Jackett web interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/jackett.nix>
services.jackett.port

Port serving the web interface

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9117

Declared by:

<nixpkgs/nixos/modules/services/misc/jackett.nix>
services.jackett.user

User account under which Jackett runs.

Type: string

Default: "jackett"

Declared by:

<nixpkgs/nixos/modules/services/misc/jackett.nix>
services.jboss.enable

Whether to enable JBoss. WARNING : this package is outdated and is known to have vulnerabilities.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.deployDir

Location of the deployment files

Type: string

Default: "/nix/var/nix/profiles/default/server/default/deploy/"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.libUrl

Location where the shared library JARs are stored

Type: string

Default: "file:///nix/var/nix/profiles/default/server/default/lib"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.logDir

Location of the logfile directory of JBoss

Type: string

Default: "/var/log/jboss"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.serverDir

Location of the server instance files

Type: string

Default: "/var/jboss/server"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.tempDir

Location where JBoss stores its temp files

Type: string

Default: "/tmp"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.useJK

Whether to use to connector to the Apache HTTP server

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jboss.user

User account under which jboss runs.

Type: string

Default: "nobody"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/jboss/default.nix>
services.jellyfin.enable

Whether to enable Jellyfin Media Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/jellyfin.nix>
services.jellyfin.package

The jellyfin package to use.

Type: package

Default: pkgs.jellyfin

Declared by:

<nixpkgs/nixos/modules/services/misc/jellyfin.nix>
services.jellyfin.cacheDir

Directory containing the jellyfin server cache, passed with --cachedir see #cache-directory

Type: path

Default: "/var/cache/jellyfin"

Declared by:

<nixpkgs/nixos/modules/services/misc/jellyfin.nix>
services.jellyfin.configDir

Directory containing the server configuration files, passed with --configdir see configuration-directory

Type: path

Default: "\${cfg.dataDir}/config"

Declared by:

<nixpkgs/nixos/modules/services/misc/jellyfin.nix>
services.jellyfin.dataDir

Base data directory, passed with --datadir see #data-directory

Type: path

Default: "/var/lib/jellyfin"

Declared by:

<nixpkgs/nixos/modules/services/misc/jellyfin.nix>
services.jellyfin.group

Group under which jellyfin runs.

Type: string

Default: "jellyfin"

Declared by:

<nixpkgs/nixos/modules/services/misc/jellyfin.nix>
services.jellyfin.logDir

Directory where the Jellyfin logs will be stored, passed with --logdir see #log-directory

Type: path

Default: "\${cfg.dataDir}/log"

Declared by:

<nixpkgs/nixos/modules/services/misc/jellyfin.nix>
services.jellyfin.openFirewall

Open the default ports in the firewall for the media server. The HTTP/HTTPS ports can be changed in the Web UI, so this option should only be used if they are unchanged, see Port Bindings.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/jellyfin.nix>
services.jellyfin.user

User account under which Jellyfin runs.

Type: string

Default: "jellyfin"

Declared by:

<nixpkgs/nixos/modules/services/misc/jellyfin.nix>
services.jellyseerr.enable

Whether to enable Jellyseerr, a requests manager for Jellyfin.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/jellyseerr.nix>
services.jellyseerr.package

The jellyseerr package to use.

Type: package

Default: pkgs.jellyseerr

Declared by:

<nixpkgs/nixos/modules/services/misc/jellyseerr.nix>
services.jellyseerr.openFirewall

Open port in the firewall for the Jellyseerr web interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/jellyseerr.nix>
services.jellyseerr.port

The port which the Jellyseerr web UI should listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5055

Declared by:

<nixpkgs/nixos/modules/services/misc/jellyseerr.nix>
services.jenkins.enable

Whether to enable the jenkins continuous integration server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.package

The jenkins package to use.

Type: package

Default: pkgs.jenkins

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.packages

Packages to add to PATH for the jenkins process.

Type: list of package

Default: [ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.environment

Additional environment variables to be passed to the jenkins process. As a base environment, jenkins receives NIX_PATH from environment.sessionVariables, NIX_REMOTE is set to “daemon” and JENKINS_HOME is set to the value of services.jenkins.home. This option has precedence and can be used to override those mentioned variables.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.extraGroups

List of extra groups that the “jenkins” user should be a part of.

Type: list of string

Default: [ ]

Example:

[
  "wheel"
  "dialout"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.extraJavaOptions

Additional command line arguments to pass to the Java run time (as opposed to Jenkins).

Type: list of string

Default: [ ]

Example:

[
  "-Xmx80m"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.extraOptions

Additional command line arguments to pass to Jenkins.

Type: list of string

Default: [ ]

Example:

[
  "--debug=9"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.group

If the default user “jenkins” is configured then this is the primary group of that user.

Type: string

Default: "jenkins"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.home

The path to use as JENKINS_HOME. If the default user “jenkins” is configured then this is the home of the “jenkins” user.

Type: path

Default: "/var/lib/jenkins"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.jobBuilder.enable

Whether to enable the Jenkins Job Builder (JJB) service. It allows defining jobs for Jenkins in a declarative manner.

Jobs managed through the Jenkins WebUI (or by other means) are left unchanged.

Note that it really is declarative configuration; if you remove a previously defined job, the corresponding job directory will be deleted.

Please see the Jenkins Job Builder documentation for more info: https://jenkins-job-builder.readthedocs.io/ .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/job-builder.nix>
services.jenkins.jobBuilder.accessToken

User token in Jenkins used to reload config. WARNING: This token will be world readable in the Nix store. To keep it secret, use the accessTokenFile option instead.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/job-builder.nix>
services.jenkins.jobBuilder.accessTokenFile

File containing the API token for the accessUser user.

Type: string

Default: "${config.services.jenkins.home}/secrets/initialAdminPassword"

Example: "/run/keys/jenkins-job-builder-access-token"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/job-builder.nix>
services.jenkins.jobBuilder.accessUser

User id in Jenkins used to reload config.

Type: string

Default: "admin"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/job-builder.nix>
services.jenkins.jobBuilder.jsonJobs

Job descriptions for Jenkins Job Builder in JSON format.

Type: list of string

Default: [ ]

Example:

[
  ''
    [ { "job":
        { "name": "jenkins-job-test-2",
          "builders": [ "shell": "echo 'Hello world!'" ]
        }
      }
    ]
  ''
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/job-builder.nix>
services.jenkins.jobBuilder.nixJobs

Job descriptions for Jenkins Job Builder in Nix format.

This is a trivial wrapper around jsonJobs, using builtins.toJSON behind the scene.

Type: list of (attribute set)

Default: [ ]

Example:

[ { job =
    { name = "jenkins-job-test-3";
      builders = [
        { shell = "echo 'Hello world!'"; }
      ];
    };
  }
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/job-builder.nix>
services.jenkins.jobBuilder.yamlJobs

Job descriptions for Jenkins Job Builder in YAML format.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  - job:
      name: jenkins-job-test-1
      builders:
        - shell: echo 'Hello world!'
''

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/job-builder.nix>
services.jenkins.listenAddress

Specifies the bind address on which the jenkins HTTP interface listens. The default is the wildcard address.

Type: string

Default: "0.0.0.0"

Example: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.plugins

A set of plugins to activate. Note that this will completely remove and replace any previously installed plugins. If you have manually-installed plugins that you want to keep while using this module, set this option to null. You can generate this set with a tool such as jenkinsPlugins2nix.

Type: null or (attribute set of package)

Default: null

Example:

import path/to/jenkinsPlugins2nix-generated-plugins.nix { inherit (pkgs) fetchurl stdenv; }

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.port

Specifies port number on which the jenkins HTTP interface listens. The default is 8080.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.prefix

Specifies a urlPrefix to use with jenkins. If the example /jenkins is given, the jenkins server will be accessible using localhost:8080/jenkins.

Type: string

Default: ""

Example: "/jenkins"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.user

User the jenkins server should execute under.

Type: string

Default: "jenkins"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkins.withCLI

Whether to make the CLI available.

More info about the CLI available at https://www.jenkins.io/doc/book/managing/cli .

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/default.nix>
services.jenkinsSlave.enable

If true the system will be configured to work as a jenkins slave. If the system is also configured to work as a jenkins master then this has no effect. In progress: Currently only assures the jenkins user is configured.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix>
services.jenkinsSlave.group

If the default slave agent user “jenkins” is configured then this is the primary group of that user.

Type: string

Default: "jenkins"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix>
services.jenkinsSlave.home

The path to use as JENKINS_HOME. If the default user “jenkins” is configured then this is the home of the “jenkins” user.

Type: path

Default: "/var/lib/jenkins"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix>
services.jenkinsSlave.javaPackage

The jdk package to use.

Type: package

Default: pkgs.jdk

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix>
services.jenkinsSlave.user

User the jenkins slave agent should execute under.

Type: string

Default: "jenkins"

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/jenkins/slave.nix>
services.jibri.enable

Whether to enable Jitsi BRoadcasting Infrastructure. Currently Jibri must be run on a host that is also running services.jitsi-meet.enable, so for most use cases it will be simpler to run services.jitsi-meet.jibri.enable.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.config

Jibri configuration. See https://github.com/jitsi/jibri/blob/master/src/main/resources/reference.conf for default configuration with comments.

Type: HOCON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.finalizeScript

This script runs when jibri finishes recording a video of a conference.

Type: path

Default:

pkgs.writeScript "finalize_recording.sh" ''''
#!/bin/sh

RECORDINGS_DIR=$1

echo "This is a dummy finalize script" > /tmp/finalize.out
echo "The script was invoked with recordings directory $RECORDINGS_DIR." >> /tmp/finalize.out
echo "You should put any finalize logic (renaming, uploading to a service" >> /tmp/finalize.out
echo "or storage provider, etc.) in this script" >> /tmp/finalize.out

exit 0
'''';

Example:

pkgs.writeScript "finalize_recording.sh" ''''
#!/bin/sh
RECORDINGS_DIR=$1
${pkgs.rclone}/bin/rclone copy $RECORDINGS_DIR RCLONE_REMOTE:jibri-recordings/ -v --log-file=/var/log/jitsi/jibri/recording-upload.txt
exit 0
'''';

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.ignoreCert

Whether to enable the flag “–ignore-certificate-errors” for the Chromium browser opened by Jibri. Intended for use in automated tests or anywhere else where using a verified cert for Jitsi-Meet is not possible.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments

XMPP servers to connect to.

Type: attribute set of (submodule)

Default: { }

Example:

"jitsi-meet" = {
  xmppServerHosts = [ "localhost" ];
  xmppDomain = config.services.jitsi-meet.hostName;

  control.muc = {
    domain = "internal.${config.services.jitsi-meet.hostName}";
    roomName = "JibriBrewery";
    nickname = "jibri";
  };

  control.login = {
    domain = "auth.${config.services.jitsi-meet.hostName}";
    username = "jibri";
    passwordFile = "/var/lib/jitsi-meet/jibri-auth-secret";
  };

  call.login = {
    domain = "recorder.${config.services.jitsi-meet.hostName}";
    username = "recorder";
    passwordFile = "/var/lib/jitsi-meet/jibri-recorder-secret";
  };

  usageTimeout = "0";
  disableCertificateVerification = true;
  stripFromRoomDomain = "conference.";
};

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.call.login.domain

The domain part of the JID for the recorder.

Type: string

Example: "recorder.xmpp.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.call.login.passwordFile

File containing the password for the user.

Type: string

Example: "/run/keys/jibri-recorder-xmpp1"

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.call.login.username

User part of the JID for the recorder.

Type: string

Default: "recorder"

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.control.login.domain

The domain part of the JID for this Jibri instance.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.control.login.passwordFile

File containing the password for the user.

Type: string

Example: "/run/keys/jibri-xmpp1"

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.control.login.username

User part of the JID.

Type: string

Default: "jvb"

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.control.muc.domain

The domain part of the MUC to connect to for control.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.control.muc.nickname

The nickname for this Jibri instance in the MUC.

Type: string

Default: "jibri"

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.control.muc.roomName

The room name of the MUC to connect to for control.

Type: string

Default: "JibriBrewery"

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.disableCertificateVerification

Whether to skip validation of the server’s certificate.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.stripFromRoomDomain

The prefix to strip from the room’s JID domain to derive the call URL.

Type: string

Default: "0"

Example: "conference."

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.usageTimeout

The duration that the Jibri session can be. A value of zero means indefinitely.

Type: string

Default: "0"

Example: "1 hour"

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.xmppDomain

The base XMPP domain.

Type: string

Example: "xmpp.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jibri.xmppEnvironments.<name>.xmppServerHosts

Hostnames of the XMPP servers to connect to.

Type: list of string

Example:

[
  "xmpp.example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/jibri/default.nix>
services.jicofo.enable

Whether to enable Jitsi Conference Focus - component of Jitsi Meet.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/jicofo.nix>
services.jicofo.bridgeMuc

JID of the internal MUC used to communicate with Videobridges.

Type: string

Example: "jvbbrewery@internal.meet.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/jicofo.nix>
services.jicofo.componentPasswordFile

Path to file containing component secret.

Type: string

Example: "/run/keys/jicofo-component"

Declared by:

<nixpkgs/nixos/modules/services/networking/jicofo.nix>
services.jicofo.config

Contents of the jicofo.conf configuration file.

Type: HOCON value

Default: { }

Example:

{
  jicofo.bridge.max-bridge-participants = 42;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/jicofo.nix>
services.jicofo.userDomain

Domain part of the JID for XMPP user connection.

Type: string

Example: "auth.meet.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/jicofo.nix>
services.jicofo.userName

User part of the JID for XMPP user connection.

Type: string

Default: "focus"

Declared by:

<nixpkgs/nixos/modules/services/networking/jicofo.nix>
services.jicofo.userPasswordFile

Path to file containing password for XMPP user connection.

Type: string

Example: "/run/keys/jicofo-user"

Declared by:

<nixpkgs/nixos/modules/services/networking/jicofo.nix>
services.jicofo.xmppDomain

Domain name of the XMMP server to which to connect as a component.

If null, xmppHost is used.

Type: null or string

Example: "meet.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/jicofo.nix>
services.jicofo.xmppHost

Hostname of the XMPP server to connect to.

Type: string

Example: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/networking/jicofo.nix>
services.jigasi.enable

Whether to enable Jitsi Gateway to SIP - component of Jitsi Meet.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/jigasi.nix>
services.jigasi.bridgeMuc

JID of the internal MUC used to communicate with Videobridges.

Type: string

Example: "jigasibrewery@internal.meet.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/jigasi.nix>
services.jigasi.componentPasswordFile

Path to file containing component secret.

Type: string

Example: "/run/keys/jigasi-component"

Declared by:

<nixpkgs/nixos/modules/services/networking/jigasi.nix>
services.jigasi.config

Contents of the <filename>sip-communicator.properties</filename> configuration file for jigasi.

Type: attribute set of string

Default: { }

Example:

{
  "org.jitsi.jigasi.auth.URL" = "XMPP:jitsi-meet.example.com";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/jigasi.nix>
services.jigasi.defaultJvbRoomName

Name of the default JVB room that will be joined if no special header is included in SIP invite.

Type: string

Default: ""

Example: "siptest"

Declared by:

<nixpkgs/nixos/modules/services/networking/jigasi.nix>
services.jigasi.environmentFile

File containing environment variables to be passed to the jigasi service, in which secret tokens can be specified securely by defining values for <literal>JIGASI_SIPUSER</literal>, <literal>JIGASI_SIPPWD</literal>, <literal>JIGASI_SIPSERVER</literal> and <literal>JIGASI_SIPPORT</literal>.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/jigasi.nix>
services.jigasi.userDomain

Domain part of the JID for XMPP user connection.

Type: string

Example: "internal.meet.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/jigasi.nix>
services.jigasi.userName

User part of the JID for XMPP user connection.

Type: string

Default: "callcontrol"

Declared by:

<nixpkgs/nixos/modules/services/networking/jigasi.nix>
services.jigasi.userPasswordFile

Path to file containing password for XMPP user connection.

Type: string

Example: "/run/keys/jigasi-user"

Declared by:

<nixpkgs/nixos/modules/services/networking/jigasi.nix>
services.jigasi.xmppDomain

Domain name of the XMMP server to which to connect as a component.

If null, <option>xmppHost</option> is used.

Type: null or string

Example: "meet.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/jigasi.nix>
services.jigasi.xmppHost

Hostname of the XMPP server to connect to.

Type: string

Example: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/networking/jigasi.nix>
services.jirafeau.enable

Whether to enable Jirafeau file upload application.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.package

The jirafeau package to use.

Type: package

Default: pkgs.jirafeau

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.adminPasswordSha256

SHA-256 of the desired administration password. Leave blank/unset for no password.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.dataDir

Location of Jirafeau storage directory.

Type: path

Default: "/var/lib/jirafeau/data/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.extraConfig

Jirefeau configuration. Refer to https://gitlab.com/mojo42/Jirafeau/-/blob/4.4.0/lib/config.original.php for supported values.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  $cfg['style'] = 'courgette';
  $cfg['organisation'] = 'ACME';
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.hostName

URL of instance. Must have trailing slash.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.maxUploadSizeMegabytes

Maximum upload size of accepted files.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.maxUploadTimeout

Timeout for reading client request bodies and headers. Refer to http://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout and http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_timeout for accepted values.

Type: string

Default: "30m"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig

Extra configuration for the nginx virtual host of Jirafeau.

Type: submodule

Default: { }

Example:

{
  serverAliases = [ "wiki.${config.networking.domain}" ];
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.nginxConfig.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jirafeau.poolConfig

Options for Jirafeau PHP pool. See documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jirafeau.nix>
services.jitsi-meet.enable

Whether to enable Jitsi Meet - Secure, Simple and Scalable Video Conferences.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.caddy.enable

Whether to enable caddy reverse proxy to expose jitsi-meet.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.config

Client-side web application settings that override the defaults in config.js.

See https://github.com/jitsi/jitsi-meet/blob/master/config.js for default configuration with comments.

Type: attribute set

Default: { }

Example:

{
  enableWelcomePage = false;
  defaultLang = "fi";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.excalidraw.enable

Whether to enable Excalidraw collaboration backend for Jitsi.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.excalidraw.port

The port which the Excalidraw backend for Jitsi should listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3002

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.extraConfig

Text to append to config.js web application config file.

Can be used to insert JavaScript logic to determine user’s region in cascading bridges setup.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.hostName

FQDN of the Jitsi Meet instance.

Type: string

Example: "meet.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.interfaceConfig

Client-side web-app interface settings that override the defaults in interface_config.js.

See https://github.com/jitsi/jitsi-meet/blob/master/interface_config.js for default configuration with comments.

Type: attribute set

Default: { }

Example:

{
  SHOW_JITSI_WATERMARK = false;
  SHOW_WATERMARK_FOR_GUESTS = false;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.jibri.enable

Whether to enable a Jibri instance and configure it to connect to Prosody.

Additional configuration is possible with services.jibri, and services.jibri.finalizeScript is especially useful.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.jicofo.enable

Whether to enable JiCoFo instance and configure it to connect to Prosody.

Additional configuration is possible with services.jicofo.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.jigasi.enable

Whether to enable jigasi instance and configure it to connect to Prosody.

Additional configuration is possible with <option>services.jigasi</option>.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.nginx.enable

Whether to enable nginx virtual host that will serve the javascript application and act as a proxy for the XMPP server. Further nginx configuration can be done by adapting services.nginx.virtualHosts.<hostName>. When this is enabled, ACME will be used to retrieve a TLS certificate by default. To disable this, set the services.nginx.virtualHosts.<hostName>.enableACME to false and if appropriate do the same for services.nginx.virtualHosts.<hostName>.forceSSL.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.prosody.enable

Whether to configure Prosody to relay XMPP messages between Jitsi Meet components. Turn this off if you want to configure it manually.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.prosody.lockdown

Whether to disable Prosody features not needed by Jitsi Meet.

The default Prosody configuration assumes that it will be used as a general-purpose XMPP server rather than as a companion service for Jitsi Meet. This option reconfigures Prosody to only listen on localhost without support for TLS termination, XMPP federation or the file transfer proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.secureDomain.enable

Whether to enable Authenticated room creation.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.secureDomain.authentication

The authentication type to be used by jitsi

Type: string

Default: "internal_hashed"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.videobridge.enable

Jitsi Videobridge instance and configure it to connect to Prosody.

Additional configuration is possible with services.jitsi-videobridge

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-meet.videobridge.passwordFile

File containing password to the Prosody account for videobridge.

If null, a file with password will be generated automatically. Setting this option is useful if you plan to connect additional videobridges to the XMPP server.

Type: null or string

Default: null

Example: "/run/keys/videobridge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/jitsi-meet.nix>
services.jitsi-videobridge.enable

Whether to enable Jitsi Videobridge, a WebRTC compatible video router.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.colibriRestApi

Whether to enable the private rest API for the COLIBRI control interface. Needed for monitoring jitsi, enabling scraping of the /colibri/stats endpoint.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.config

Videobridge configuration.

See https://github.com/jitsi/jitsi-videobridge/blob/master/jvb/src/main/resources/reference.conf for default configuration with comments.

Type: attribute set

Default: { }

Example:

{
  videobridge = {
    ice.udp.port = 5000;
    websockets = {
      enabled = true;
      server-id = "jvb1";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.extraProperties

Additional Java properties passed to jitsi-videobridge.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.nat.harvesterAddresses

Addresses of public STUN services to use to automatically find the public and local addresses of this Jitsi-Videobridge instance without the need for manual configuration.

This option is ignored if services.jitsi-videobridge.nat.localAddress and services.jitsi-videobridge.nat.publicAddress are set.

Type: list of string

Default:

[
  "stunserver.stunprotocol.org:3478"
  "stun.framasoft.org:3478"
  "meet-jit-si-turnrelay.jitsi.net:443"
]

Example: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.nat.localAddress

Local address to assume when running behind NAT.

Type: null or string

Default: null

Example: "192.168.1.42"

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.nat.publicAddress

Public address to assume when running behind NAT.

Type: null or string

Default: null

Example: "1.2.3.4"

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.openFirewall

Whether to open ports in the firewall for the videobridge.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.xmppConfigs

XMPP servers to connect to.

See https://github.com/jitsi/jitsi-videobridge/blob/master/doc/muc.md for more information.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "localhost" = {
    hostName = "localhost";
    userName = "jvb";
    domain = "auth.xmpp.example.org";
    passwordFile = "/var/lib/jitsi-meet/videobridge-secret";
    mucJids = "jvbbrewery@internal.xmpp.example.org";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.xmppConfigs.<name>.disableCertificateVerification

Whether to skip validation of the server’s certificate.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.xmppConfigs.<name>.domain

Domain part of JID of the XMPP user, if it is different from hostName.

Type: null or string

Default: null

Example: "auth.xmpp.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.xmppConfigs.<name>.hostName

Hostname of the XMPP server to connect to. Name of the attribute set is used by default.

Type: string

Example: "xmpp.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.xmppConfigs.<name>.mucJids

JID of the MUC to join. JiCoFo needs to be configured to join the same MUC.

Type: string

Example: "jvbbrewery@internal.xmpp.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.xmppConfigs.<name>.mucNickname

Videobridges use the same XMPP account and need to be distinguished by the nickname (aka resource part of the JID). By default, system hostname is used.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.xmppConfigs.<name>.passwordFile

File containing the password for the user.

Type: string

Example: "/run/keys/jitsi-videobridge-xmpp1"

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitsi-videobridge.xmppConfigs.<name>.userName

User part of the JID.

Type: string

Default: "jvb"

Declared by:

<nixpkgs/nixos/modules/services/networking/jitsi-videobridge.nix>
services.jitterentropy-rngd.enable

Whether to enable jitterentropy-rngd service configuration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/jitterentropy-rngd.nix>
services.jitterentropy-rngd.package

The jitterentropy-rngd package to use.

Type: package

Default: pkgs.jitterentropy-rngd

Declared by:

<nixpkgs/nixos/modules/services/security/jitterentropy-rngd.nix>
services.jmusicbot.enable

Whether to enable jmusicbot, a Discord music bot that’s easy to set up and run yourself.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/jmusicbot.nix>
services.jmusicbot.package

The jmusicbot package to use.

Type: package

Default: pkgs.jmusicbot

Declared by:

<nixpkgs/nixos/modules/services/audio/jmusicbot.nix>
services.jmusicbot.stateDir

The directory where config.txt and serversettings.json is saved. If left as the default value this directory will automatically be created before JMusicBot starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions. Untouched by the value of this option config.txt needs to be placed manually into this directory.

Type: path

Default: "/var/lib/jmusicbot/"

Declared by:

<nixpkgs/nixos/modules/services/audio/jmusicbot.nix>
services.jotta-cli.enable

Whether to enable Jottacloud Command-line Tool.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/jotta-cli.nix>
services.jotta-cli.package

The jotta-cli package to use.

Type: package

Default: pkgs.jotta-cli

Declared by:

<nixpkgs/nixos/modules/services/networking/jotta-cli.nix>
services.jotta-cli.options

Command-line options passed to jottad.

Type: list of string

Default:

[
  "stdoutlog"
  "datadir"
  "%h/.jottad/"
]

Example: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/jotta-cli.nix>
services.journalbeat.enable

Whether to enable journalbeat.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/journalbeat.nix>
services.journalbeat.package

The journalbeat package to use.

Type: package

Default: pkgs.journalbeat

Declared by:

<nixpkgs/nixos/modules/services/logging/journalbeat.nix>
services.journalbeat.extraConfig

Any other configuration options you want to add

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/logging/journalbeat.nix>
services.journalbeat.name

Name of the beat

Type: string

Default: "journalbeat"

Declared by:

<nixpkgs/nixos/modules/services/logging/journalbeat.nix>
services.journalbeat.stateDir

Directory below /var/lib/ to store journalbeat’s own logs and other data. This directory will be created automatically using systemd’s StateDirectory mechanism.

Type: string

Default: "journalbeat"

Declared by:

<nixpkgs/nixos/modules/services/logging/journalbeat.nix>
services.journalbeat.tags

Tags to place on the shipped log messages

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/logging/journalbeat.nix>
services.journald.console

If non-empty, write log messages to the specified TTY device.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald.nix>
services.journald.extraConfig

Extra config options for systemd-journald. See journald.conf(5) for available options.

Type: strings concatenated with “\n”

Default: ""

Example: "Storage=volatile"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald.nix>
services.journald.forwardToSyslog

Whether to forward log messages to syslog.

Type: boolean

Default: services.rsyslogd.enable || services.syslog-ng.enable

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald.nix>
services.journald.gateway.enable

Whether to enable the HTTP gateway to the journal.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-gateway.nix>
services.journald.gateway.cert

The path to a file or AF_UNIX stream socket to read the server certificate from.

The certificate must be in PEM format. This option switches systemd-journal-gatewayd into HTTPS mode and must be used together with services.journald.gateway.key.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-gateway.nix>
services.journald.gateway.key

Specify the path to a file or AF_UNIX stream socket to read the secret server key corresponding to the certificate specified with services.journald.gateway.cert from.

The key must be in PEM format.

This key should not be world-readable, and must be readably by the systemd-journal-gateway user.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-gateway.nix>
services.journald.gateway.merge

Serve entries interleaved from all available journals, including other machines.

This has the same meaning as --merge option for journalctl(1).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-gateway.nix>
services.journald.gateway.port

The port to listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 19531

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-gateway.nix>
services.journald.gateway.system

Serve entries from system services and the kernel.

This has the same meaning as --system for journalctl(1).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-gateway.nix>
services.journald.gateway.trust

Specify the path to a file or AF_UNIX stream socket to read a CA certificate from.

The certificate must be in PEM format.

Setting this option enforces client certificate checking.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-gateway.nix>
services.journald.gateway.user

Serve entries from services for the current user.

This has the same meaning as --user for journalctl(1).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-gateway.nix>
services.journald.rateLimitBurst

Configures the rate limiting burst limit (number of messages per interval) that is applied to all messages generated on the system. This rate limiting is applied per-service, so that two services which log do not interfere with each other’s limit.

Note that the effective rate limit is multiplied by a factor derived from the available free disk space for the journal as described on journald.conf(5).

Note that the total amount of logs stored is limited by journald settings such as SystemMaxUse, which defaults to 10% the file system size (capped at max 4GB), and SystemKeepFree, which defaults to 15% of the file system size.

It is thus recommended to compute what period of time that you will be able to store logs for when an application logs at full burst rate. With default settings for log lines that are 100 Bytes long, this can amount to just a few hours.

Type: signed integer

Default: 10000

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald.nix>
services.journald.rateLimitInterval

Configures the rate limiting interval that is applied to all messages generated on the system. This rate limiting is applied per-service, so that two services which log do not interfere with each other’s limit. The value may be specified in the following units: s, min, h, ms, us. To turn off any kind of rate limiting, set either value to 0.

See services.journald.rateLimitBurst for important considerations when setting this value.

Type: string

Default: "30s"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald.nix>
services.journald.remote.enable

Whether to enable receiving systemd journals from the network.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-remote.nix>
services.journald.remote.listen

Which protocol to listen to.

Type: one of “https”, “http”

Default: "https"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-remote.nix>
services.journald.remote.output

The location of the output journal.

In case the output file is not specified, journal files will be created underneath the selected directory. Files will be called remote-hostname.journal, where the hostname part is the escaped hostname of the source endpoint of the connection, or the numerical address if the hostname cannot be determined.

Type: string

Default: "/var/log/journal/remote/"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-remote.nix>
services.journald.remote.port

The port to listen to.

Note that this option is used only if services.journald.upload.listen is configured to be either “https” or “http”.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 19532

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-remote.nix>
services.journald.remote.settings

Configuration in the journal-remote configuration file. See journal-remote.conf(5) for available options.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-remote.nix>
services.journald.remote.settings.Remote.Seal

Periodically sign the data in the journal using Forward Secure Sealing.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-remote.nix>
services.journald.remote.settings.Remote.ServerCertificateFile

A path to a SSL certificate file in PEM format.

This option can be used with listen = "https". If the path refers to an AF_UNIX stream socket in the file system a connection is made to it and the certificate read from it.

Type: string

Default: "/etc/ssl/certs/journal-remote.pem"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-remote.nix>
services.journald.remote.settings.Remote.ServerKeyFile

A path to a SSL secret key file in PEM format.

Note that due to security reasons, systemd-journal-remote will refuse files from the world-readable /nix/store. This file should be readable by the “” user.

This option can be used with listen = "https". If the path refers to an AF_UNIX stream socket in the file system a connection is made to it and the key read from it.

Type: string

Default: "/etc/ssl/private/journal-remote.pem"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-remote.nix>
services.journald.remote.settings.Remote.SplitMode

With “host”, a separate output file is used, based on the hostname of the other endpoint of a connection. With “none”, only one output journal file is used.

Type: one of “host”, “none”

Default: "host"

Example: "none"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-remote.nix>
services.journald.remote.settings.Remote.TrustedCertificateFile

A path to a SSL CA certificate file in PEM format, or all.

If all is set, then client certificate checking will be disabled.

This option can be used with listen = "https". If the path refers to an AF_UNIX stream socket in the file system a connection is made to it and the certificate read from it.

Type: string

Default: "/etc/ssl/ca/trusted.pem"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-remote.nix>
services.journald.storage

Controls where to store journal data. See journald.conf(5) for further information.

Type: one of “persistent”, “volatile”, “auto”, “none”

Default: "persistent"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald.nix>
services.journald.upload.enable

Whether to enable uploading the systemd journal to a remote server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-upload.nix>
services.journald.upload.settings

Configuration for journal-upload. See journal-upload.conf(5) for available options.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-upload.nix>
services.journald.upload.settings.Upload.NetworkTimeoutSec

When network connectivity to the server is lost, this option configures the time to wait for the connectivity to get restored.

If the server is not reachable over the network for the configured time, systemd-journal-upload exits. Takes a value in seconds (or in other time units if suffixed with “ms”, “min”, “h”, etc). For details, see systemd.time(5).

Type: null or string

Default: null

Example: "1s"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-upload.nix>
services.journald.upload.settings.Upload.ServerCertificateFile

SSL CA certificate in PEM format.

In contrary to what the name suggests, this option configures the client certificate sent to the remote journal server.

Type: null or string

Default: null

Example: ./server-ca.pem

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-upload.nix>
services.journald.upload.settings.Upload.ServerKeyFile

SSL key in PEM format.

In contrary to what the name suggests, this option configures the client private key sent to the remote journal server.

This key should not be world-readable, and must be readably by the systemd-journal group.

Type: null or string

Default: null

Example: ./server-key.pem

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-upload.nix>
services.journald.upload.settings.Upload.TrustedCertificateFile

SSL CA certificate.

This certificate will be used to check the remote journal HTTPS server certificate.

Type: null or string

Default: null

Example: ./ca

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-upload.nix>
services.journald.upload.settings.Upload.URL

The URL to upload the journal entries to.

See the description of --url= option in systemd-journal-upload(8) for the description of possible values.

Type: string

Example: "https://192.168.1.1"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/journald-upload.nix>
services.journaldriver.enable

Whether to enable journaldriver to forward journald logs to Stackdriver Logging.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/journaldriver.nix>
services.journaldriver.applicationCredentials

Path to the service account private key (in JSON-format) used to forward log entries to Stackdriver Logging on non-GCP instances.

This option is required on non-GCP machines, but should not be set on GCP instances.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/logging/journaldriver.nix>
services.journaldriver.googleCloudProject

Configures the name of the Google Cloud project to which to forward journald logs.

This option is required on non-GCP machines, but should not be set on GCP instances.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/logging/journaldriver.nix>
services.journaldriver.logLevel

Log level at which journaldriver logs its own output.

Type: string

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/logging/journaldriver.nix>
services.journaldriver.logName

Configures the name of the target log in Stackdriver Logging. This option can be set to, for example, the hostname of a machine to improve the user experience in the logging overview.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/logging/journaldriver.nix>
services.journaldriver.logStream

Configures the name of the Stackdriver Logging log stream into which to write journald entries.

This option is required on non-GCP machines, but should not be set on GCP instances.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/logging/journaldriver.nix>
services.journalwatch.enable

If enabled, periodically check the journal with journalwatch and report the results by mail.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/journalwatch.nix>
services.journalwatch.package

The journalwatch package to use.

Type: package

Default: pkgs.journalwatch

Declared by:

<nixpkgs/nixos/modules/services/logging/journalwatch.nix>
services.journalwatch.accuracy

The time window around the interval in which the journalwatch run will be scheduled.

The format is described in systemd.time(7).

Type: string

Default: "10min"

Declared by:

<nixpkgs/nixos/modules/services/logging/journalwatch.nix>
services.journalwatch.extraConfig

Extra lines to be added verbatim to the journalwatch/config configuration file. You can add any commandline argument to the config, without the ‘–’. See journalwatch --help for all arguments and their description.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/logging/journalwatch.nix>
services.journalwatch.filterBlocks

filterBlocks can be defined to blacklist journal messages which are not errors. Each block matches on a log entry field, and the filters in that block then are matched against all messages with a matching log entry field.

All messages whose PRIORITY is at least 6 (INFO) are processed by journalwatch. If you don’t specify any filterBlocks, PRIORITY is reduced to 5 (NOTICE) by default.

All regular expressions are extended Python regular expressions, for details see: http://doc.pyschools.com/html/regex.html

Type: list of (submodule)

Default:

[
  {
    filters = ''
      (Stopped|Stopping|Starting|Started) .*
      (Created slice|Removed slice) user-\d*\.slice\.
      Received SIGRTMIN\+24 from PID .*
      (Reached target|Stopped target) .*
      Startup finished in \d*ms\.
    '';
    match = "SYSLOG_IDENTIFIER = systemd";
  }
]

Example:

[
  {
    filters = ''
      New session [a-z]?\d+ of user \w+\.
      Removed session [a-z]?\d+\.
    '';
    match = "_SYSTEMD_UNIT = systemd-logind.service";
  }
  {
    filters = ''
      pam_unix\(crond:session\): session (opened|closed) for user \w+
      \(\w+\) CMD .*
    '';
    match = "SYSLOG_IDENTIFIER = /(CROND|crond)/";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/logging/journalwatch.nix>
services.journalwatch.filterBlocks.*.filters

The filters to apply on all messages which satisfy match. Any of those messages that match any specified filter will be removed from journalwatch’s output. Each filter is an extended Python regular expression. You can specify multiple filters and separate them by newlines. Lines starting with ‘#’ are comments. Inline-comments are not permitted.

Type: string

Example:

''
  (Stopped|Stopping|Starting|Started) .*
  (Reached target|Stopped target) .*
''

Declared by:

<nixpkgs/nixos/modules/services/logging/journalwatch.nix>
services.journalwatch.filterBlocks.*.match

Syntax: field = value Specifies the log entry field this block should apply to. If the field of a message matches this value, this patternBlock’s filters are applied. If value starts and ends with a slash, it is interpreted as an extended python regular expression, if not, it’s an exact match. The journal fields are explained in systemd.journal-fields(7).

Type: string

Example: "SYSLOG_IDENTIFIER = systemd"

Declared by:

<nixpkgs/nixos/modules/services/logging/journalwatch.nix>
services.journalwatch.interval

How often to run journalwatch.

The format is described in systemd.time(7).

Type: string

Default: "hourly"

Declared by:

<nixpkgs/nixos/modules/services/logging/journalwatch.nix>
services.journalwatch.mailBinary

Sendmail-compatible binary to be used to send the messages.

Type: path

Default: "/run/wrappers/bin/sendmail"

Declared by:

<nixpkgs/nixos/modules/services/logging/journalwatch.nix>
services.journalwatch.mailFrom

Mail address to send journalwatch reports from.

Type: string

Default: "journalwatch@${config.networking.hostName}"

Declared by:

<nixpkgs/nixos/modules/services/logging/journalwatch.nix>
services.journalwatch.mailTo

Mail address to send journalwatch reports to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/logging/journalwatch.nix>
services.journalwatch.priority

Lowest priority of message to be considered. A value between 7 (“debug”), and 0 (“emerg”). Defaults to 6 (“info”). If you don’t care about anything with “info” priority, you can reduce this to e.g. 5 (“notice”) to considerably reduce the amount of messages without needing many filterBlocks.

Type: signed integer

Default: 6

Declared by:

<nixpkgs/nixos/modules/services/logging/journalwatch.nix>
services.joycond.enable

Whether to enable support for Nintendo Pro Controllers and Joycons.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/joycond.nix>
services.joycond.package

The joycond package to use.

Type: package

Default: pkgs.joycond

Declared by:

<nixpkgs/nixos/modules/services/hardware/joycond.nix>
services.jupyter.enable

Whether to enable Jupyter development server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.package

The notebook package to use.

Type: package

Default: pkgs.python3.pkgs.notebook

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.command

Which command the service runs. Note that not all jupyter packages have all commands, e.g. jupyter-lab isn’t present in the default package.

Type: string

Default: "jupyter-notebook"

Example: "jupyter-lab"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.group

Name of the group used to run the jupyter service. Use this if you want to create a group of users that are able to view the notebook directory’s content.

Type: string

Default: "jupyter"

Example: "users"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.ip

IP address Jupyter will be listening on.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.kernels

Declarative kernel config.

Kernels can be declared in any language that supports and has the required dependencies to communicate with a jupyter server. In python’s case, it means that ipykernel package must always be included in the list of packages of the targeted environment.

Type: null or (attribute set of (JSON value))

Default: null

Example:

{
  python3 = let
    env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
            ipykernel
            pandas
            scikit-learn
          ]));
  in {
    displayName = "Python 3 for machine learning";
    argv = [
      "${env.interpreter}"
      "-m"
      "ipykernel_launcher"
      "-f"
      "{connection_file}"
    ];
    language = "python";
    logo32 = "${env.sitePackages}/ipykernel/resources/logo-32x32.png";
    logo64 = "${env.sitePackages}/ipykernel/resources/logo-64x64.png";
    extraPaths = {
      "cool.txt" = pkgs.writeText "cool" "cool content";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.kernels.<name>.argv

Command and arguments to start the kernel.

Type: list of string

Example:

[
  "{customEnv.interpreter}"
  "-m"
  "ipykernel_launcher"
  "-f"
  "{connection_file}"
]

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.kernels.<name>.displayName

Name that will be shown to the user.

Type: string

Default: ""

Example:

"Python 3"
"Python 3 for Data Science"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.kernels.<name>.env

Environment variables to set for the kernel.

Type: attribute set of string

Default: { }

Example:

{
  OMP_NUM_THREADS = "1";
}

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.kernels.<name>.extraPaths

Extra paths to link in kernel directory

Type: attribute set of path

Default: { }

Example: "{ examples = ${env.sitePack}/IRkernel/kernelspec/kernel.js"; }

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.kernels.<name>.language

Language of the environment. Typically the name of the binary.

Type: string

Example: "python"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.kernels.<name>.logo32

Path to 32x32 logo png.

Type: null or path

Default: null

Example: "${env.sitePackages}/ipykernel/resources/logo-32x32.png"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.kernels.<name>.logo64

Path to 64x64 logo png.

Type: null or path

Default: null

Example: "${env.sitePackages}/ipykernel/resources/logo-64x64.png"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.notebookConfig

Raw jupyter config.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.notebookDir

Root directory for notebooks.

Type: string

Default: "~/"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.password

Password to use with notebook. Can be generated using: In [1]: from notebook.auth import passwd In [2]: passwd(‘test’) Out[2]: ‘sha1:1b961dc713fb:88483270a63e57d18d43cf337e629539de1436ba’ NOTE: you need to keep the single quote inside the nix string. Or you can use a python oneliner: “open(‘/path/secret_file’, ‘r’, encoding=‘utf8’).read().strip()” It will be interpreted at the end of the notebookConfig.

Type: string

Example: "'sha1:1b961dc713fb:88483270a63e57d18d43cf337e629539de1436ba'"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.port

Port number Jupyter will be listening on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8888

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyter.user

Name of the user used to run the jupyter service. For security reason, jupyter should really not be run as root. If not set (jupyter), the service will create a jupyter user with appropriate settings.

Type: string

Default: "jupyter"

Example: "aborsu"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyter/default.nix>
services.jupyterhub.enable

Whether to enable Jupyterhub development server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.authentication

Jupyterhub authentication to use

There are many authenticators available including: oauth, pam, ldap, kerberos, etc.

Type: string

Default: "jupyterhub.auth.PAMAuthenticator"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.extraConfig

Extra contents appended to the jupyterhub configuration

Jupyterhub configuration is a normal python file using Traitlets. https://jupyterhub.readthedocs.io/en/stable/getting-started/config-basics.html. The base configuration of this module was designed to have sane defaults for configuration but you can override anything since this is a python file.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  c.SystemdSpawner.mem_limit = '8G'
  c.SystemdSpawner.cpu_limit = 2.0
''

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.host

Bind IP JupyterHub will be listening on

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.jupyterhubEnv

Python environment to run jupyterhub

Customizing will affect the packages available in the hub and proxy. This will allow packages to be available for the extraConfig that you may need. This will not normally need to be changed.

Type: package

Default:

pkgs.python3.withPackages (p: with p; [
  jupyterhub
  jupyterhub-systemdspawner
])

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.jupyterlabEnv

Python environment to run jupyterlab

Customizing will affect the packages available in the jupyterlab server and the default kernel provided. This is the way to customize the jupyterlab extensions and jupyter notebook extensions. This will not normally need to be changed.

Type: package

Default:

pkgs.python3.withPackages (p: with p; [
  jupyterhub
  jupyterlab
])

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.kernels

Declarative kernel config

Kernels can be declared in any language that supports and has the required dependencies to communicate with a jupyter server. In python’s case, it means that ipykernel package must always be included in the list of packages of the targeted environment.

Type: null or (attribute set of (JSON value))

Default: null

Example:

{
  python3 = let
    env = (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
            ipykernel
            pandas
            scikit-learn
          ]));
  in {
    displayName = "Python 3 for machine learning";
    argv = [
      "${env.interpreter}"
      "-m"
      "ipykernel_launcher"
      "-f"
      "{connection_file}"
    ];
    language = "python";
    logo32 = "${env}/${env.sitePackages}/ipykernel/resources/logo-32x32.png";
    logo64 = "${env}/${env.sitePackages}/ipykernel/resources/logo-64x64.png";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.kernels.<name>.argv

Command and arguments to start the kernel.

Type: list of string

Example:

[
  "{customEnv.interpreter}"
  "-m"
  "ipykernel_launcher"
  "-f"
  "{connection_file}"
]

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.kernels.<name>.displayName

Name that will be shown to the user.

Type: string

Default: ""

Example:

"Python 3"
"Python 3 for Data Science"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.kernels.<name>.env

Environment variables to set for the kernel.

Type: attribute set of string

Default: { }

Example:

{
  OMP_NUM_THREADS = "1";
}

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.kernels.<name>.extraPaths

Extra paths to link in kernel directory

Type: attribute set of path

Default: { }

Example: "{ examples = ${env.sitePack}/IRkernel/kernelspec/kernel.js"; }

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.kernels.<name>.language

Language of the environment. Typically the name of the binary.

Type: string

Example: "python"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.kernels.<name>.logo32

Path to 32x32 logo png.

Type: null or path

Default: null

Example: "${env.sitePackages}/ipykernel/resources/logo-32x32.png"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.kernels.<name>.logo64

Path to 64x64 logo png.

Type: null or path

Default: null

Example: "${env.sitePackages}/ipykernel/resources/logo-64x64.png"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.port

Port number Jupyterhub will be listening on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8000

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.spawner

Jupyterhub spawner to use

There are many spawners available including: local process, systemd, docker, kubernetes, yarn, batch, etc.

Type: string

Default: "systemdspawner.SystemdSpawner"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.jupyterhub.stateDirectory

Directory for jupyterhub state (token + database)

Type: string

Default: "jupyterhub"

Declared by:

<nixpkgs/nixos/modules/services/development/jupyterhub/default.nix>
services.k3s.enable

Whether to enable k3s.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.package

The k3s package to use.

Type: package

Default: pkgs.k3s

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.charts

Packaged Helm charts that are linked to /var/lib/rancher/k3s/server/static/charts before k3s starts. The attribute name will be used as the link target (relative to /var/lib/rancher/k3s/server/static/charts). The specified charts will only be placed on the file system and made available to the Kubernetes APIServer from within the cluster, you may use the k3s Helm controller to deploy the charts. This option only makes sense on server nodes (role = server).

Type: attribute set of (path or package)

Default: { }

Example:

nginx = ../charts/my-nginx-chart.tgz;
redis = ../charts/my-redis-chart.tgz;

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.clusterInit

Initialize HA cluster using an embedded etcd datastore.

If this option is false and role is server

On a server that was using the default embedded sqlite backend, enabling this option will migrate to an embedded etcd DB.

If an HA cluster using the embedded etcd datastore was already initialized, this option has no effect.

This option only makes sense in a server that is not connecting to another server.

If you are configuring an HA cluster with an embedded etcd, the 1st server must have clusterInit = true and other servers must connect to it using serverAddr.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.configPath

File path containing the k3s YAML config. This is useful when the config is generated (for example on boot).

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.containerdConfigTemplate

Config template for containerd, to be placed at /var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl. See the K3s docs on configuring containerd.

Type: null or string

Default: null

Example:

# Base K3s config
{{ template "base" . }}

# Add a custom runtime
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."custom"]
  runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."custom".options]
  BinaryName = "/path/to/custom-container-runtime"

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.disableAgent

Only run the server. This option only makes sense for a server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.environmentFile

File path containing environment variables for configuring the k3s service in the format of an EnvironmentFile. See systemd.exec(5).

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.extraFlags

Extra flags to pass to the k3s command.

Type: string or list of string

Default: [ ]

Example:

[
  "--no-deploy traefik"
  "--cluster-cidr 10.24.0.0/16"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.extraKubeProxyConfig

Extra configuration to add to the kube-proxy’s configuration file. The subset of the kube-proxy’s configuration that can be configured via a file is defined by the KubeProxyConfiguration struct. Note that the kubeconfig param will be override by clientConnection.kubeconfig, so you must set the clientConnection.kubeconfig if you want to use extraKubeProxyConfig.

Type: attribute set of anything

Default: { }

Example:

{
  clientConnection = {
    kubeconfig = "/var/lib/rancher/k3s/agent/kubeproxy.kubeconfig";
  };
  mode = "nftables";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.extraKubeletConfig

Extra configuration to add to the kubelet’s configuration file. The subset of the kubelet’s configuration that can be configured via a file is defined by the KubeletConfiguration struct. See the documentation for further information.

Type: attribute set of anything

Default: { }

Example:

{
  containerLogMaxSize = "5Mi";
  memoryThrottlingFactor = 0.69;
  podsPerCore = 3;
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.gracefulNodeShutdown.enable

Whether to enable graceful node shutdowns where the kubelet attempts to detect node system shutdown and terminates pods running on the node. See the documentation for further information. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.gracefulNodeShutdown.shutdownGracePeriod

Specifies the total duration that the node should delay the shutdown by. This is the total grace period for pod termination for both regular and critical pods.

Type: non-empty string

Default: "30s"

Example: "1m30s"

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.gracefulNodeShutdown.shutdownGracePeriodCriticalPods

Specifies the duration used to terminate critical pods during a node shutdown. This should be less than shutdownGracePeriod.

Type: non-empty string

Default: "10s"

Example: "15s"

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.images

List of derivations that provide container images. All images are linked to /var/lib/rancher/k3s/agent/images before k3s starts and consequently imported by the k3s agent. Consider importing the k3s airgap images archive of the k3s package in use, if you want to pre-provision this node with all k3s container images. This option only makes sense on nodes with an enabled agent.

Type: list of package

Default: [ ]

Example:

[
  (pkgs.dockerTools.pullImage {
    imageName = "docker.io/bitnami/keycloak";
    imageDigest = "sha256:714dfadc66a8e3adea6609bda350345bd3711657b7ef3cf2e8015b526bac2d6b";
    hash = "sha256-IM2BLZ0EdKIZcRWOtuFY9TogZJXCpKtPZnMnPsGlq0Y=";
    finalImageTag = "21.1.2-debian-11-r0";
  })

  config.services.k3s.package.airgapImages
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.manifests

Auto-deploying manifests that are linked to /var/lib/rancher/k3s/server/manifests before k3s starts. Note that deleting manifest files will not remove or otherwise modify the resources it created. Please use the the --disable flag or .skip files to delete/disable AddOns, as mentioned in the docs. This option only makes sense on server nodes (role = server). Read the auto-deploying manifests docs for further information.

Type: attribute set of (submodule)

Default: { }

Example:

deployment.source = ../manifests/deployment.yaml;
my-service = {
  enable = false;
  target = "app-service.yaml";
  content = {
    apiVersion = "v1";
    kind = "Service";
    metadata = {
      name = "app-service";
    };
    spec = {
      selector = {
        "app.kubernetes.io/name" = "MyApp";
      };
      ports = [
        {
          name = "name-of-service-port";
          protocol = "TCP";
          port = 80;
          targetPort = "http-web-svc";
        }
      ];
    };
  }
};

nginx.content = [
  {
    apiVersion = "v1";
    kind = "Pod";
    metadata = {
      name = "nginx";
      labels = {
        "app.kubernetes.io/name" = "MyApp";
      };
    };
    spec = {
      containers = [
        {
          name = "nginx";
          image = "nginx:1.14.2";
          ports = [
            {
              containerPort = 80;
              name = "http-web-svc";
            }
          ];
        }
      ];
    };
  }
  {
    apiVersion = "v1";
    kind = "Service";
    metadata = {
      name = "nginx-service";
    };
    spec = {
      selector = {
        "app.kubernetes.io/name" = "MyApp";
      };
      ports = [
        {
          name = "name-of-service-port";
          protocol = "TCP";
          port = 80;
          targetPort = "http-web-svc";
        }
      ];
    };
  }
];

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.manifests.<name>.enable

Whether this manifest file should be generated.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.manifests.<name>.content

Content of the manifest file. A single attribute set will generate a single document YAML file. A list of attribute sets will generate multiple documents separated by --- in a single YAML file.

Type: null or (attribute set) or list of (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.manifests.<name>.source

Path of the source .yaml file.

Type: path

Example: ./manifests/app.yaml

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.manifests.<name>.target

Name of the symlink (relative to /var/lib/rancher/k3s/server/manifests). Defaults to the attribute name.

Type: non-empty string

Example: manifest.yaml

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.role

Whether k3s should run as a server or agent.

If it’s a server:

  • By default it also runs workloads as an agent.

  • Starts by default as a standalone server using an embedded sqlite datastore.

  • Configure clusterInit = true to switch over to embedded etcd datastore and enable HA mode.

  • Configure serverAddr to join an already-initialized HA cluster.

If it’s an agent:

  • serverAddr is required.

Type: one of “server”, “agent”

Default: "server"

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.serverAddr

The k3s server to connect to.

Servers and agents need to communicate each other. Read the networking docs to know how to configure the firewall.

Type: string

Default: ""

Example: "https://10.0.0.10:6443"

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.token

The k3s token to use when connecting to a server.

WARNING: This option will expose store your token unencrypted world-readable in the nix store. If this is undesired use the tokenFile option instead.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.k3s.tokenFile

File path containing k3s token to use when connecting to the server.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/k3s/default.nix>
services.kanata.enable

Whether to enable kanata, a tool to improve keyboard comfort and usability with advanced customization.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/kanata.nix>
services.kanata.package

The kanata package to use. ::: {.note} If danger-enable-cmd is enabled in any of the keyboards, the kanata-with-cmd package should be used. :::

Type: package

Default: pkgs.kanata

Example: pkgs.kanata-with-cmd

Declared by:

<nixpkgs/nixos/modules/services/hardware/kanata.nix>
services.kanata.keyboards

Keyboard configurations.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/hardware/kanata.nix>
services.kanata.keyboards.<name>.config

Configuration other than defcfg.

See the upstream documentation and example config files for more information.

Type: strings concatenated with “\n”

Example:

''
  (defsrc
    caps)
  
  (deflayermap (default-layer)
    ;; tap caps lock as caps lock, hold caps lock as left control
    caps (tap-hold 100 100 caps lctl))
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/kanata.nix>
services.kanata.keyboards.<name>.configFile

The config file.

By default, it is generated by values from other kanata module options.

You can also set it to your own full config file which overrides all other kanata module options. See the upstream documentation and example config files for more information.

Type: path

Default: "A config file generated by values from other kanata module options."

Declared by:

<nixpkgs/nixos/modules/services/hardware/kanata.nix>
services.kanata.keyboards.<name>.devices

Paths to keyboard devices.

An empty list, the default value, lets kanata detect which input devices are keyboards and intercept them all.

Type: list of string

Default: [ ]

Example:

[
  "/dev/input/by-id/usb-0000_0000-event-kbd"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/kanata.nix>
services.kanata.keyboards.<name>.extraArgs

Extra command line arguments passed to kanata.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/kanata.nix>
services.kanata.keyboards.<name>.extraDefCfg

Configuration of defcfg other than linux-dev (generated from the devices option) and linux-continue-if-no-devs-found (hardcoded to be yes).

See the upstream documentation and example config files for more information.

Type: strings concatenated with “\n”

Default: ""

Example: "danger-enable-cmd yes"

Declared by:

<nixpkgs/nixos/modules/services/hardware/kanata.nix>
services.kanata.keyboards.<name>.port

Port to run the TCP server on. null will not run the server.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Example: 6666

Declared by:

<nixpkgs/nixos/modules/services/hardware/kanata.nix>
services.kanboard.enable

Whether to enable Kanboard.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.package

The kanboard package to use.

Type: package

Default: pkgs.kanboard

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.dataDir

Default data folder for Kanboard.

Type: string

Default: "/var/lib/kanboard"

Example: "/mnt/kanboard"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.domain

FQDN for the Kanboard instance.

Type: string

Default: "kanboard"

Example: "kanboard.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.group

Group under which Kanboard runs.

Type: string

Default: "kanboard"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx

With this option, you can customize an NGINX virtual host which already has sensible defaults for Kanboard. Set to { } if you do not need any customization for the virtual host. If enabled, then by default, the serverName is ${domain}. If this is set to null (the default), no NGINX virtual host will be configured.

Type: null or (submodule)

Default: { }

Example:

{
  enableACME = true;
  forceHttps = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.phpfpm.settings

Options for kanboard’s PHPFPM pool.

Type: attribute set of (signed integer or string or boolean)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.settings

Customize the default settings, refer to https://github.com/kanboard/kanboard/blob/main/config.default.php for details on supported values.

Type: attribute set of (string or signed integer or boolean)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanboard.user

User under which Kanboard runs.

Type: string

Default: "kanboard"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kanboard.nix>
services.kanidm.enableClient

Whether to enable the Kanidm client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.enablePam

Whether to enable the Kanidm PAM and NSS integration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.enableServer

Whether to enable the Kanidm server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.package

The kanidm package to use. If not set will receive a specific version based on stateVersion. Set to pkgs.kanidm to always receive the latest version, with the understanding that this could introduce breaking changes.

Type: package

Default: pkgs.kanidm

Example: kanidm_1_4

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.clientSettings

Configure Kanidm clients, needed for the PAM daemon. See the documentation and example configuration for possible values.

Type: TOML value

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.clientSettings.uri

Address of the Kanidm server.

Type: string

Example: "http://127.0.0.1:8080"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.enable

Whether to enable provisioning of groups, users and oauth2 resource servers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.acceptInvalidCerts

Whether to allow invalid certificates when provisioning the target instance. By default this is only allowed when the instanceUrl is localhost. This is dangerous when used with an external URL.

Type: boolean

Default: "hasPrefix \"https://localhost:\" cfg.provision.instanceUrl"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.adminPasswordFile

Path to a file containing the admin password for kanidm. Do NOT use a file from the nix store here!

Type: null or path

Default: null

Example: "/run/secrets/kanidm-admin-password"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.autoRemove

Determines whether deleting an entity in this provisioning config should automatically cause them to be removed from kanidm, too. This works because the provisioning tool tracks all entities it has ever created. If this is set to false, you need to explicitly specify present = false to delete an entity.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.groups

Provisioning of kanidm groups

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.groups.<name>.members

List of kanidm entities (persons, groups, …) which are part of this group.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.groups.<name>.present

Whether to ensure that this group is present or absent.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.idmAdminPasswordFile

Path to a file containing the idm admin password for kanidm. Do NOT use a file from the nix store here! If this is not given but provisioning is enabled, the idm_admin password will be reset on each restart.

Type: null or path

Default: null

Example: "/run/secrets/kanidm-idm-admin-password"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.instanceUrl

The instance url to which the provisioning tool should connect.

Type: string

Default: "\"https://localhost:<port from serverSettings.bindaddress>\""

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.persons

Provisioning of kanidm persons

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.persons.<name>.displayName

Display name

Type: string

Example: "My User"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.persons.<name>.groups

List of groups this person should belong to.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.persons.<name>.legalName

Full legal name

Type: null or string

Default: null

Example: "Jane Doe"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.persons.<name>.mailAddresses

Mail addresses. First given address is considered the primary address.

Type: list of string

Default: [ ]

Example:

[
  "jane.doe@example.com"
]

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.persons.<name>.present

Whether to ensure that this person is present or absent.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2

Provisioning of oauth2 resource servers

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.enableLegacyCrypto

Enable legacy crypto on this client. Allows JWT signing algorthms like RS256.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.enableLocalhostRedirects

Allow localhost redirects. Only for public clients.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.allowInsecureClientDisablePkce

Disable PKCE on this oauth2 resource server to work around insecure clients that may not support it. You should request the client to enable PKCE! Only for non-public clients.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.basicSecretFile

The basic secret to use for this service. If null, the random secret generated by kanidm will not be touched. Do NOT use a path from the nix store here!

Type: null or path

Default: null

Example: "/run/secrets/some-oauth2-basic-secret"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.claimMaps

Adds additional claims (and values) based on which kanidm groups an authenticating party belongs to. See Claim Maps for more information.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.claimMaps.<name>.joinType

Determines how multiple values are joined to create the claim value. See Claim Maps for more information.

Type: one of “array”, “csv”, “ssv”

Default: "array"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.claimMaps.<name>.valuesByGroup

Maps kanidm groups to values for the claim.

Type: attribute set of list of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.displayName

Display name

Type: string

Example: "Some Service"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.originLanding

When redirecting from the Kanidm Apps Listing page, some linked applications may need to land on a specific page to trigger oauth2/oidc interactions.

Type: string

Example: "https://someservice.example.com/home"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.originUrl

The redirect URL of the service. These need to exactly match the OAuth2 redirect target

Type: string matching the pattern .*://.*$ or non-empty (list of string matching the pattern .*://.*$)

Example: "https://someservice.example.com/auth/login"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.preferShortUsername

Use ‘name’ instead of ‘spn’ in the preferred_username claim

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.present

Whether to ensure that this oauth2 resource server is present or absent.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.public

Whether this is a public client (enforces PKCE, doesn’t use a basic secret)

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.removeOrphanedClaimMaps

Whether claim maps not specified here but present in kanidm should be removed from kanidm.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.scopeMaps

Maps kanidm groups to returned oauth scopes. See Scope Relations for more information.

Type: attribute set of list of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.provision.systems.oauth2.<name>.supplementaryScopeMaps

Maps kanidm groups to additionally returned oauth scopes. See Scope Relations for more information.

Type: attribute set of list of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.serverSettings

Settings for Kanidm, see the documentation and example configuration for possible values.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.serverSettings.bindaddress

Address/port combination the webserver binds to.

Type: string

Default: "127.0.0.1:8443"

Example: "[::1]:8443"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.serverSettings.db_path

Path to Kanidm database.

Type: path (read only)

Default: "/var/lib/kanidm/kanidm.db"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.serverSettings.domain

The domain that Kanidm manages. Must be below or equal to the domain specified in serverSettings.origin. This can be left at null, only if your instance has the role ReadOnlyReplica. While it is possible to change the domain later on, it requires extra steps! Please consider the warnings and execute the steps described in the documentation.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.serverSettings.ldapbindaddress

Address and port the LDAP server is bound to. Setting this to null disables the LDAP interface.

Type: null or string

Default: null

Example: "[::1]:636"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.serverSettings.log_level

Log level of the server.

Type: one of “info”, “debug”, “trace”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.serverSettings.online_backup.path

Path to the output directory for backups.

Type: path

Default: "/var/lib/kanidm/backups"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.serverSettings.online_backup.schedule

The schedule for backups in cron format.

Type: string

Default: "00 22 * * *"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.serverSettings.online_backup.versions

Number of backups to keep.

The default is set to 0, in order to disable backups by default.

Type: unsigned integer, meaning >=0

Default: 0

Example: 7

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.serverSettings.origin

The origin of your Kanidm instance. Must have https as protocol.

Type: string matching the pattern ^https://.*

Example: "https://idm.example.org"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.serverSettings.role

The role of this server. This affects the replication relationship and thereby available features.

Type: one of “WriteReplica”, “WriteReplicaNoUI”, “ReadOnlyReplica”

Default: "WriteReplica"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.serverSettings.tls_chain

TLS chain in pem format.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.serverSettings.tls_key

TLS key in pem format.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.unixSettings

Configure Kanidm unix daemon. See the documentation and example configuration for possible values.

Type: TOML value

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.unixSettings.hsm_pin_path

Path to a HSM pin.

Type: path

Default: "/var/cache/kanidm-unixd/hsm-pin"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kanidm.unixSettings.pam_allowed_login_groups

Kanidm groups that are allowed to login using PAM.

Type: list of string

Example: "my_pam_group"

Declared by:

<nixpkgs/nixos/modules/services/security/kanidm.nix>
services.kapacitor.enable

Whether to enable kapacitor.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.alerta.enable

Whether to enable kapacitor alerta integration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.alerta.environment

Default Alerta environment

Type: string

Default: "Production"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.alerta.origin

Default origin of alert

Type: string

Default: "kapacitor"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.alerta.token

Default Alerta authentication token

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.alerta.url

The URL to the Alerta REST API

Type: string

Default: "http://localhost:5000"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.bind

Address to bind to. The default is to bind to all addresses

Type: string

Default: ""

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.dataDir

Location where Kapacitor stores its state

Type: path

Default: "/var/lib/kapacitor"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.defaultDatabase.enable

Whether to enable kapacitor.defaultDatabase.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.defaultDatabase.password

The password to connect to the remote InfluxDB server

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.defaultDatabase.url

The URL to an InfluxDB server that serves as the default database

Type: string

Example: "http://localhost:8086"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.defaultDatabase.username

The username to connect to the remote InfluxDB server

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.extraConfig

These lines go into kapacitord.conf verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.group

Group under which Kapacitor runs

Type: string

Default: "kapacitor"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.loadDirectory

Directory where to load services from, such as tasks, templates and handlers (or null to disable service loading on startup)

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.port

Port of Kapacitor

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9092

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.taskSnapshotInterval

Specifies how often to snapshot the task state (in InfluxDB time units)

Type: string

Default: "1m0s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.kapacitor.user

User account under which Kapacitor runs

Type: string

Default: "kapacitor"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kapacitor.nix>
services.karma.enable

Whether to enable the Karma dashboard service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/karma.nix>
services.karma.package

The karma package to use.

Type: package

Default: pkgs.karma

Declared by:

<nixpkgs/nixos/modules/services/monitoring/karma.nix>
services.karma.configFile

A YAML config file which can be used to configure karma instead of the nix-generated file.

Type: path

Default: "A configuration file generated from the provided nix attributes settings option."

Example: "/etc/karma/karma.conf"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/karma.nix>
services.karma.environment

Additional environment variables to provide to karma.

Type: attribute set of string

Default: { }

Example:

{
  ALERTMANAGER_NAME = "single";
  ALERTMANAGER_URI = "https://alertmanager.example.com";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/karma.nix>
services.karma.extraOptions

Extra command line options.

Type: list of string

Default: [ ]

Example:

[
  "--alertmanager.timeout 10s"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/karma.nix>
services.karma.openFirewall

Whether to open ports in the firewall needed for karma to function.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/karma.nix>
services.karma.settings

Karma dashboard configuration as nix attributes.

Reference: https://github.com/prymitive/karma/blob/main/docs/CONFIGURATION.md

Type: YAML value

Default:

{
  listen = {
    address = "127.0.0.1";
  };
}

Example:

{
  alertmanager = {
    interval = "15s";
    servers = [
      {
        name = "prod";
        uri = "http://alertmanager.example.com";
      }
    ];
  };
  listen = {
    address = "192.168.1.4";
    port = "8000";
    prefix = "/dashboard";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/karma.nix>
services.karma.settings.listen.address

Hostname or IP to listen on.

Type: string

Default: "127.0.0.1"

Example: "[::]"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/karma.nix>
services.karma.settings.listen.port

HTTP port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Example: 8182

Declared by:

<nixpkgs/nixos/modules/services/monitoring/karma.nix>
services.kasmweb.enable

Whether to enable kasmweb.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.datastorePath

The directory used to store all data for kasmweb.

Type: string

Default: "/var/lib/kasmweb"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.defaultAdminPassword

default admin password to use.

Type: string

Default: "kasmweb"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.defaultGuacToken

default guac token to use.

Type: string

Default: "kasmweb"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.defaultManagerToken

default manager token to use.

Type: string

Default: "kasmweb"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.defaultRegistrationToken

default registration token to use.

Type: string

Default: "kasmweb"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.defaultUserPassword

default user password to use.

Type: string

Default: "kasmweb"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.listenAddress

The address on which kasmweb should listen.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.listenPort

The port on which kasmweb should listen.

Type: signed integer

Default: 443

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.networkSubnet

The network subnet to use for the containers.

Type: string

Default: "172.20.0.0/16"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.postgres.password

password to use for the postgres database.

Type: string

Default: "kasmweb"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.postgres.user

Username to use for the postgres database.

Type: string

Default: "kasmweb"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.redisPassword

password to use for the redis cache.

Type: string

Default: "kasmweb"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.sslCertificate

The SSL certificate to be used for kasmweb.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kasmweb.sslCertificateKey

The SSL certificate’s key to be used for kasmweb. Make sure to specify this as a string and not a literal path, so that it is not accidentally included in your nixstore.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kasmweb/default.nix>
services.kavita.enable

Whether to enable Kavita reading server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kavita.nix>
services.kavita.package

The kavita package to use.

Type: package

Default: pkgs.kavita

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kavita.nix>
services.kavita.dataDir

The directory where Kavita stores its state.

Type: string

Default: "/var/lib/kavita"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kavita.nix>
services.kavita.settings

Kavita configuration options, as configured in appsettings.json.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kavita.nix>
services.kavita.settings.IpAddresses

IP Addresses to bind to. The default is to bind to all IPv4 and IPv6 addresses.

Type: strings concatenated with “,”

Default: "0.0.0.0,::"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kavita.nix>
services.kavita.settings.Port

Port to bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kavita.nix>
services.kavita.tokenKeyFile

A file containing the TokenKey, a secret with at 512+ bits. It can be generated with head -c 64 /dev/urandom | base64 --wrap=0.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kavita.nix>
services.kavita.user

User account under which Kavita runs.

Type: string

Default: "kavita"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kavita.nix>
services.kbfs.enable

Whether to mount the Keybase filesystem.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kbfs.nix>
services.kbfs.enableRedirector

Whether to enable the Keybase root redirector service, allowing any user to access KBFS files via /keybase, which will show different contents depending on the requester.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kbfs.nix>
services.kbfs.extraFlags

Additional flags to pass to the Keybase filesystem on launch.

Type: list of string

Default: [ ]

Example:

[
  "-label kbfs"
  "-mount-type normal"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kbfs.nix>
services.kbfs.mountPoint

Mountpoint for the Keybase filesystem.

Type: string

Default: "%h/keybase"

Example: "/keybase"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kbfs.nix>
services.kea.ctrl-agent

Kea Control Agent configuration

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.ctrl-agent.enable

Whether to enable Kea Control Agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.ctrl-agent.configFile

Kea Control Agent configuration as a path, see https://kea.readthedocs.io/en/kea-2.6.1/arm/agent.html.

Takes preference over settings. Most users should prefer using settings instead.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.ctrl-agent.extraArgs

List of additional arguments to pass to the daemon.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.ctrl-agent.settings

Kea Control Agent configuration as an attribute set, see https://kea.readthedocs.io/en/kea-2.6.1/arm/agent.html.

Type: JSON value

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp-ddns

Kea DHCP-DDNS configuration

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp-ddns.enable

Whether to enable Kea DDNS server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp-ddns.configFile

Kea DHCP-DDNS configuration as a path, see https://kea.readthedocs.io/en/kea-2.6.1/arm/ddns.html.

Takes preference over settings. Most users should prefer using settings instead.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp-ddns.extraArgs

List of additional arguments to pass to the daemon.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp-ddns.settings

Kea DHCP-DDNS configuration as an attribute set, see https://kea.readthedocs.io/en/kea-2.6.1/arm/ddns.html.

Type: JSON value

Default: null

Example:

{
  dns-server-timeout = 100;
  forward-ddns = {
    ddns-domains = [ ];
  };
  ip-address = "127.0.0.1";
  ncr-format = "JSON";
  ncr-protocol = "UDP";
  port = 53001;
  reverse-ddns = {
    ddns-domains = [ ];
  };
  tsig-keys = [ ];
}

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp4

DHCP4 Server configuration

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp4.enable

Whether to enable Kea DHCP4 server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp4.configFile

Kea DHCP4 configuration as a path, see https://kea.readthedocs.io/en/kea-2.6.1/arm/dhcp4-srv.html.

Takes preference over settings. Most users should prefer using settings instead.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp4.extraArgs

List of additional arguments to pass to the daemon.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp4.settings

Kea DHCP4 configuration as an attribute set, see https://kea.readthedocs.io/en/kea-2.6.1/arm/dhcp4-srv.html.

Type: JSON value

Default: null

Example:

{
  interfaces-config = {
    interfaces = [
      "eth0"
    ];
  };
  lease-database = {
    name = "/var/lib/kea/dhcp4.leases";
    persist = true;
    type = "memfile";
  };
  rebind-timer = 2000;
  renew-timer = 1000;
  subnet4 = [
    {
      id = 1;
      pools = [
        {
          pool = "192.0.2.100 - 192.0.2.240";
        }
      ];
      subnet = "192.0.2.0/24";
    }
  ];
  valid-lifetime = 4000;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp6

DHCP6 Server configuration

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp6.enable

Whether to enable Kea DHCP6 server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp6.configFile

Kea DHCP6 configuration as a path, see https://kea.readthedocs.io/en/kea-2.6.1/arm/dhcp6-srv.html.

Takes preference over settings. Most users should prefer using settings instead.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp6.extraArgs

List of additional arguments to pass to the daemon.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.kea.dhcp6.settings

Kea DHCP6 configuration as an attribute set, see https://kea.readthedocs.io/en/kea-2.6.1/arm/dhcp6-srv.html.

Type: JSON value

Default: null

Example:

{
  interfaces-config = {
    interfaces = [
      "eth0"
    ];
  };
  lease-database = {
    name = "/var/lib/kea/dhcp6.leases";
    persist = true;
    type = "memfile";
  };
  preferred-lifetime = 3000;
  rebind-timer = 2000;
  renew-timer = 1000;
  subnet6 = [
    {
      id = 1;
      pools = [
        {
          pool = "2001:db8:1::1-2001:db8:1::ffff";
        }
      ];
      subnet = "2001:db8:1::/64";
    }
  ];
  valid-lifetime = 4000;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/kea.nix>
services.keepalived.enable

Whether to enable Keepalived.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.enableScriptSecurity

Don’t run scripts configured to be run as root if any part of the path is writable by a non-root user.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.extraConfig

Extra lines to be added verbatim to the configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.extraGlobalDefs

Extra lines to be added verbatim to the ‘global_defs’ block of the configuration file

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.openFirewall

Whether to automatically allow VRRP and AH packets in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.secretFile

Environment variables from this file will be interpolated into the final config file using envsubst with this syntax: $ENVIRONMENT or ${VARIABLE}. The file should contain lines formatted as SECRET_VAR=SECRET_VALUE. This is useful to avoid putting secrets into the nix store.

Type: null or path

Default: null

Example: "/run/keys/keepalived.env"

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.snmp.enable

Whether to enable the builtin AgentX subagent.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.snmp.enableChecker

Enable SNMP handling of checker element of KEEPALIVED MIB.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.snmp.enableKeepalived

Enable SNMP handling of vrrp element of KEEPALIVED MIB.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.snmp.enableRfc

Enable SNMP handling of RFC2787 and RFC6527 VRRP MIBs.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.snmp.enableRfcV2

Enable SNMP handling of RFC2787 VRRP MIB.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.snmp.enableRfcV3

Enable SNMP handling of RFC6527 VRRP MIB.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.snmp.enableTraps

Enable SNMP traps.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.snmp.socket

Socket to use for connecting to SNMP master agent. If this value is set to null, keepalived’s default will be used, which is unix:/var/agentx/master, unless using a network namespace, when the default is udp:localhost:705.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances

Declarative vhost config

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.extraConfig

Extra lines to be added verbatim to the vrrp_instance section.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.interface

Interface for inside_network, bound by vrrp.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.noPreempt

VRRP will normally preempt a lower priority machine when a higher priority machine comes online. “nopreempt” allows the lower priority machine to maintain the master role, even when a higher priority machine comes back online. NOTE: For this to work, the initial state of this entry must be BACKUP.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.priority

For electing MASTER, highest priority wins. To be MASTER, make 50 more than other machines.

Type: signed integer

Default: 100

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.state

Initial state. As soon as the other machine(s) come up, an election will be held and the machine with the highest “priority” will become MASTER. So the entry here doesn’t matter a whole lot.

Type: one of “MASTER”, “BACKUP”

Default: "BACKUP"

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.trackInterfaces

List of network interfaces to monitor for health tracking.

Type: list of string

Default: [ ]

Example:

[
  "eth0"
  "eth1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.trackScripts

List of script names to invoke for health tracking.

Type: list of string

Default: [ ]

Example:

[
  "chk_cmd1"
  "chk_cmd2"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.unicastPeers

Do not send VRRP adverts over VRRP multicast group. Instead it sends adverts to the following list of ip addresses using unicast design fashion. It can be cool to use VRRP FSM and features in a networking environment where multicast is not supported! IP Addresses specified can IPv4 as well as IPv6.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.unicastSrcIp

Default IP for binding vrrpd is the primary IP on interface. If you want to hide location of vrrpd, use this IP as src_addr for unicast vrrp packets.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.useVmac

Use VRRP Virtual MAC.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.virtualIps

Declarative vhost config

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.virtualIps.*.addr

IP address, optionally with a netmask: IPADDR[/MASK]

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.virtualIps.*.brd

The broadcast address on the interface.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.virtualIps.*.dev

The name of the device to add the address to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.virtualIps.*.label

Each address may be tagged with a label string. In order to preserve compatibility with Linux-2.0 net aliases, this string must coincide with the name of the device or must be prefixed with the device name followed by colon.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.virtualIps.*.scope

The scope of the area where this address is valid.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.virtualRouterId

Arbitrary unique number 1…255. Used to differentiate multiple instances of vrrpd running on the same NIC (and hence same socket).

Type: integer between 1 and 255 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.vmacInterface

Name of the vmac interface to use. keepalived will come up with a name if you don’t specify one.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpInstances.<name>.vmacXmitBase

Send/Recv VRRP messages from base interface instead of VMAC interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpScripts

Declarative vrrp script config

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpScripts.<name>.extraConfig

Extra lines to be added verbatim to the vrrp_script section.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpScripts.<name>.fall

Required number of failures for KO transition.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpScripts.<name>.group

Name of group to run the script under. Defaults to user group.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpScripts.<name>.interval

Seconds between script invocations.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpScripts.<name>.rise

Required number of successes for OK transition.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpScripts.<name>.script

(Path of) Script command to execute followed by args, i.e. cmd [args]…

Type: string

Example: "${pkgs.curl} -f http://localhost:80"

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpScripts.<name>.timeout

Seconds after which script is considered to have failed.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpScripts.<name>.user

Name of user to run the script under.

Type: string

Default: "keepalived_script"

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.keepalived.vrrpScripts.<name>.weight

Following a failure, adjust the priority by this weight.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/keepalived/default.nix>
services.kerberos_server.enable

Whether to enable the kerberos authentication server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/system/kerberos/default.nix>
services.kerberos_server.settings

Settings for the kerberos server of choice.

See the following documentation:

Type: attribute set of attribute set of ((list of attribute set of ((list of (signed integer or string or boolean)) or signed integer or string or boolean)) or attribute set of ((list of (signed integer or string or boolean)) or signed integer or string or boolean) or (list of (signed integer or string or boolean)) or signed integer or string or boolean)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/system/kerberos/default.nix>
services.kerberos_server.settings.include

Files to include in the Kerberos configuration.

Type: (list of path) or path convertible to it

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/system/kerberos/default.nix>
services.kerberos_server.settings.includedir

Directories containing files to include in the Kerberos configuration.

Type: (list of path) or path convertible to it

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/system/kerberos/default.nix>
services.kerberos_server.settings.module

Modules to obtain Kerberos configuration from.

Type: (list of path) or path convertible to it

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/system/kerberos/default.nix>
services.kerberos_server.settings.realms

The realm(s) to serve keys for.

Type: attribute set of (attribute set of ((list of attribute set of ((list of (signed integer or string or boolean)) or signed integer or string or boolean)) or attribute set of ((list of (signed integer or string or boolean)) or signed integer or string or boolean) or (list of (signed integer or string or boolean)) or signed integer or string or boolean))

Declared by:

<nixpkgs/nixos/modules/services/system/kerberos/default.nix>
services.kerberos_server.settings.realms.<name>.acl

The privileges granted to a user.

Type: list of (submodule)

Default:

[
  {
    access = "all";
    principal = "*/admin";
  }
  {
    access = "all";
    principal = "admin";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/system/kerberos/default.nix>
services.kerberos_server.settings.realms.<name>.acl.*.access

The changes the principal is allowed to make.

Type: (list of (one of “add”, “cpw”, “delete”, “get”, “list”, “modify”)) or value “all” (singular enum)

Default: "all"

Declared by:

<nixpkgs/nixos/modules/services/system/kerberos/default.nix>
services.kerberos_server.settings.realms.<name>.acl.*.principal

Which principal the rule applies to

Type: string

Declared by:

<nixpkgs/nixos/modules/services/system/kerberos/default.nix>
services.kerberos_server.settings.realms.<name>.acl.*.target

The principals that ‘access’ applies to.

Type: string

Default: "*"

Declared by:

<nixpkgs/nixos/modules/services/system/kerberos/default.nix>
services.keter.enable

Whether to enable keter, a web app deployment manager. Note that this module only support loading of webapps: Keep an old app running and swap the ports when the new one is booted .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keter.package

The keter package to be used

Type: package

Default: pkgs.haskellPackages.keter

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keter.bundle.appName

The name keter assigns to this bundle

Type: string

Default: "myapp"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keter.bundle.domain

The domain keter will bind to

Type: string

Default: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keter.bundle.executable

The executable to be run

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keter.bundle.publicScript

Allows loading of public environment variables, these are emitted to the log so it shouldn’t contain secrets.

Type: string

Default: ""

Example: "ADMIN_EMAIL=hi@example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keter.bundle.secretScript

Allows loading of private environment variables

Type: string

Default: ""

Example: "MY_AWS_KEY=$(cat /run/keys/AWS_ACCESS_KEY_ID)"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keter.globalKeterConfig

Global config for keter, see https://github.com/snoyberg/keter/blob/master/etc/keter-config.yaml for reference

Type: YAML value

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keter.globalKeterConfig.ip-from-header

You want that ip-from-header in the nginx setup case. It allows nginx setting the original ip address rather then it being localhost (due to reverse proxying)

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keter.globalKeterConfig.listeners

You want that ip-from-header in the nginx setup case. It allows nginx setting the original ip address rather then it being localhost (due to reverse proxying). However if you configure keter to accept connections directly you may want to set this to false.

Type: list of (submodule)

Default:

[
  {
    host = "*";
    port = 6981;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keter.globalKeterConfig.listeners.*.host

host

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keter.globalKeterConfig.listeners.*.port

port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keter.globalKeterConfig.rotate-logs

emits keter logs and it’s applications to stderr. which allows journald to capture them. Set to true to let keter put the logs in files (useful on non systemd systems, this is the old approach where keter handled log management)

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keter.root

Mutable state folder for keter

Type: string

Default: "/var/lib/keter"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/keter>
services.keybase.enable

Whether to start the Keybase service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/keybase.nix>
services.keycloak.enable

Whether to enable the Keycloak identity and access management server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.package

The keycloak package to use.

Type: package

Default: pkgs.keycloak

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.database.caCert

The SSL / TLS CA certificate that verifies the identity of the database server.

Required when PostgreSQL is used and SSL is turned on.

For MySQL, if left at null, the default Java keystore is used, which should suffice if the server certificate is issued by an official CA.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.database.createLocally

Whether a database should be automatically created on the local host. Set this to false if you plan on provisioning a local database yourself. This has no effect if services.keycloak.database.host is customized.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.database.host

Hostname of the database to connect to.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.database.name

Database name to use when connecting to an external or manually provisioned database; has no effect when a local database is automatically provisioned.

To use this with a local database, set services.keycloak.database.createLocally to false and create the database and user manually.

Type: string

Default: "keycloak"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.database.passwordFile

The path to a file containing the database password.

Type: path

Example: "/run/keys/db_password"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.database.port

Port of the database to connect to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: default port of selected database

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.database.type

The type of database Keycloak should connect to.

Type: one of “mysql”, “mariadb”, “postgresql”

Default: "postgresql"

Example: "mariadb"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.database.useSSL

Whether the database connection should be secured by SSL / TLS.

Type: boolean

Default: config.services.keycloak.database.host != "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.database.username

Username to use when connecting to an external or manually provisioned database; has no effect when a local database is automatically provisioned.

To use this with a local database, set services.keycloak.database.createLocally to false and create the database and user manually.

Type: string

Default: "keycloak"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.initialAdminPassword

Initial password set for the temporary admin user. The password is not stored safely and should be changed immediately in the admin panel.

See Admin bootstrap and recovery for details.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.plugins

Keycloak plugin jar, ear files or derivations containing them. Packaged plugins are available through pkgs.keycloak.plugins.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.settings

Configuration options corresponding to parameters set in conf/keycloak.conf.

Most available options are documented at https://www.keycloak.org/server/all-config.

Options containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting conf/keycloak.conf file, the https-key-store-password key will be set to the contents of the /run/keys/store_password file.

Type: attribute set of (null or string or signed integer or boolean or attribute set of path)

Example:

{
  hostname = "keycloak.example.com";
  https-key-store-file = "/path/to/file";
  https-key-store-password = { _secret = "/run/keys/store_password"; };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.settings.hostname

The hostname part of the public URL used as base for all frontend requests.

See https://www.keycloak.org/server/hostname for more information about hostname configuration.

Type: null or string

Example: "keycloak.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.settings.hostname-backchannel-dynamic

Enables dynamic resolving of backchannel URLs, including hostname, scheme, port and context path.

See https://www.keycloak.org/server/hostname for more information about hostname configuration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.settings.http-host

On which address Keycloak should accept new connections.

Type: string

Default: "::"

Example: "::1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.settings.http-port

On which port Keycloak should listen for new HTTP connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 80

Example: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.settings.http-relative-path

The path relative to / for serving resources.

Note

In versions of Keycloak using Wildfly (<17), this defaulted to /auth. If upgrading from the Wildfly version of Keycloak, i.e. a NixOS version before 22.05, you’ll likely want to set this to /auth to keep compatibility with your clients.

See https://www.keycloak.org/migration/migrating-to-quarkus for more information on migrating from Wildfly to Quarkus.

Type: string

Default: "/"

Example: "/auth"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.settings.https-port

On which port Keycloak should listen for new HTTPS connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 443

Example: 8443

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.sslCertificate

The path to a PEM formatted certificate to use for TLS/SSL connections.

Type: null or path

Default: null

Example: "/run/keys/ssl_cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.sslCertificateKey

The path to a PEM formatted private key to use for TLS/SSL connections.

Type: null or path

Default: null

Example: "/run/keys/ssl_key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keycloak.themes

Additional theme packages for Keycloak. Each theme is linked into subdirectory with a corresponding attribute name.

Theme packages consist of several subdirectories which provide different theme types: for example, account, login etc. After adding a theme to this option you can select it by its name in Keycloak administration console.

Type: attribute set of package

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/keycloak.nix>
services.keyd.enable

Whether to enable keyd, a key remapping daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/keyd.nix>
services.keyd.keyboards

Configuration for one or more device IDs. Corresponding files in the /etc/keyd/ directory are created according to the name of the keys (like default or externalKeyboard).

Type: attribute set of (submodule)

Default: { }

Example:

{
  default = {
    ids = [ "*" ];
    settings = {
      main = {
        capslock = "overload(control, esc)";
      };
    };
  };
  externalKeyboard = {
    ids = [ "1ea7:0907" ];
    settings = {
      main = {
        esc = capslock;
      };
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/hardware/keyd.nix>
services.keyd.keyboards.<name>.extraConfig

Extra configuration that is appended to the end of the file. Do not write ids section here, use a separate option for it. You can use this option to define compound layers that must always be defined after the layer they are comprised.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  [control+shift]
  h = left
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/keyd.nix>
services.keyd.keyboards.<name>.ids

Device identifiers, as shown by keyd(1).

Type: list of string

Default:

[
  "*"
]

Example:

[
  "*"
  "-0123:0456"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/keyd.nix>
services.keyd.keyboards.<name>.settings

Configuration, except ids section, that is written to /etc/keyd/<keyboard>.conf. Appropriate names can be used to write non-alpha keys, for example “equal” instead of “=” sign (see https://github.com/NixOS/nixpkgs/issues/236622). See https://github.com/rvaiya/keyd how to configure.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  main = {
    capslock = "overload(control, esc)";
    rightalt = "layer(rightalt)";
  };
  rightalt = {
    h = "left";
    j = "down";
    k = "up";
    l = "right";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/hardware/keyd.nix>
services.kimai.sites

Specification of one or more Kimai sites to serve

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.sites.<name>.package

The kimai package to use.

Type: package

Default: pkgs.kimai

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.sites.<name>.database.charset

Database charset.

Type: string

Default: "utf8mb4"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.sites.<name>.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.sites.<name>.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.sites.<name>.database.name

Database name.

Type: string

Default: "kimai"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.sites.<name>.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/kimai-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.sites.<name>.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.sites.<name>.database.serverVersion

MySQL exact version string. Not used if createdLocally is set, but must be set otherwise. See https://www.kimai.org/documentation/installation.html#column-table_name-in-where-clause-is-ambiguous for how to set this value, especially if you’re using MariaDB.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.sites.<name>.database.socket

Path to the unix socket file to use for authentication.

Type: null or path

Default: /run/mysqld/mysqld.sock

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.sites.<name>.database.user

Database user.

Type: string

Default: "kimai"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.sites.<name>.environmentFile

Securely pass environment variabels to Kimai. This can be used to set other environement variables such as MAILER_URL.

Type: null or path

Default: null

Example: "/run/secrets/kimai.env"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.sites.<name>.poolConfig

Options for the Kimai PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.sites.<name>.settings

Structural Kimai’s local.yaml configuration. Refer to https://www.kimai.org/documentation/local-yaml.html#localyaml for details.

Type: attribute set of anything

Default: { }

Example:

{
  kimai = {
    timesheet = {
      rounding = {
        default = {
          begin = 15;
          end = 15;
        };
      };
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.kimai.webserver

The webserver to configure for the PHP frontend.

At the moment, only nginx is supported. PRs are welcome for support for other web servers.

Type: value “nginx” (singular enum)

Default: "nginx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/kimai.nix>
services.klipper.enable

Whether to enable Klipper, the 3D printer firmware.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.package

The klipper package to use.

Type: package

Default: pkgs.klipper

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.apiSocket

Path of the API socket to create.

Type: null or path

Default: "/run/klipper/api"

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.configFile

Path to default Klipper config.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.firmwares

Firmwares klipper should manage

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.firmwares.<name>.enable

Whether to enable building of firmware for manual flashing .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.firmwares.<name>.enableKlipperFlash

Whether to enable flashings scripts for firmware. This will add klipper-flash-$mcu scripts to your environment which can be called to flash the firmware. Please check the configs at klipper whether your board supports flashing via make flash .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.firmwares.<name>.configFile

Path to firmware config which is generated using klipper-genconf

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.firmwares.<name>.serial

Path to serial port this printer is connected to. Leave null to derive it from service.klipper.settings.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.group

Group account under which Klipper runs.

If null is specified (default), a temporary user will be created by systemd.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.inputTTY

Path of the virtual printer symlink to create.

Type: path

Default: "/run/klipper/tty"

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.logFile

Path of the file Klipper should log to. If null, it logs to stdout, which is not recommended by upstream.

Type: null or path

Default: null

Example: "/var/lib/klipper/klipper.log"

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.mutableConfig

Whether to copy the config to a mutable directory instead of using the one directly from the nix store. This will only copy the config if the file at services.klipper.mutableConfigPath doesn’t exist.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.mutableConfigFolder

Path to mutable Klipper config file.

Type: path

Default: "/var/lib/klipper"

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.octoprintIntegration

Allows Octoprint to control Klipper.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.settings

Configuration for Klipper. See the documentation for supported values.

Type: null or (attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a non-empty list of them))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.klipper.user

User account under which Klipper runs.

If null is specified (default), a temporary user will be created by systemd.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/klipper.nix>
services.kmonad.enable

Whether to enable KMonad: An advanced keyboard manager…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/kmonad.nix>
services.kmonad.package

The kmonad package to use.

Type: package

Default: pkgs.kmonad

Declared by:

<nixpkgs/nixos/modules/services/hardware/kmonad.nix>
services.kmonad.extraArgs

Extra arguments to pass to KMonad.

Type: list of string

Default: [ ]

Example:

[
  "--log-level"
  "debug"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/kmonad.nix>
services.kmonad.keyboards

Keyboard configuration.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/hardware/kmonad.nix>
services.kmonad.keyboards.<name>.config

Keyboard configuration.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/hardware/kmonad.nix>
services.kmonad.keyboards.<name>.defcfg.enable

Whether to enable Automatically generate the defcfg block.

When this is option is set to true the config option for this keyboard should not include a defcfg block. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/kmonad.nix>
services.kmonad.keyboards.<name>.defcfg.allowCommands

Whether to enable Allow keys to run shell commands…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/kmonad.nix>
services.kmonad.keyboards.<name>.defcfg.compose.delay

The delay (in milliseconds) between compose key sequences.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/hardware/kmonad.nix>
services.kmonad.keyboards.<name>.defcfg.compose.key

The (optional) compose key to use.

Type: null or string

Default: "ralt"

Declared by:

<nixpkgs/nixos/modules/services/hardware/kmonad.nix>
services.kmonad.keyboards.<name>.defcfg.fallthrough

Whether to enable Re-emit unhandled key events…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/kmonad.nix>
services.kmonad.keyboards.<name>.device

Path to the keyboard’s device file.

Type: path

Example: "/dev/input/by-id/some-dev"

Declared by:

<nixpkgs/nixos/modules/services/hardware/kmonad.nix>
services.kmonad.keyboards.<name>.extraGroups

Extra permission groups to attach to the KMonad instance for this keyboard.

Since KMonad runs as an unprivileged user, it may sometimes need extra permissions in order to read the keyboard device file. If your keyboard’s device file isn’t in the input group you’ll need to list its group in this option.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/kmonad.nix>
services.kmonad.keyboards.<name>.name

Keyboard name.

Type: string

Example: "laptop-internal"

Declared by:

<nixpkgs/nixos/modules/services/hardware/kmonad.nix>
services.kmscon.enable

Use kmscon as the virtual console instead of gettys. kmscon is a kms/dri-based userspace virtual terminal implementation. It supports a richer feature set than the standard linux console VT, including full unicode support, and when the video card supports drm should be much faster.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/ttys/kmscon.nix>
services.kmscon.autologinUser

Username of the account that will be automatically logged in at the console. If unspecified, a login prompt is shown as usual.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/ttys/kmscon.nix>
services.kmscon.extraConfig

Extra contents of the kmscon.conf file.

Type: strings concatenated with “\n”

Default: ""

Example: "font-size=14"

Declared by:

<nixpkgs/nixos/modules/services/ttys/kmscon.nix>
services.kmscon.extraOptions

Extra flags to pass to kmscon.

Type: strings concatenated with " "

Default: ""

Example: "--term xterm-256color"

Declared by:

<nixpkgs/nixos/modules/services/ttys/kmscon.nix>
services.kmscon.fonts

Fonts used by kmscon, in order of priority.

Type: null or (non-empty (list of (submodule)))

Default: null

Example: [ { name = "Source Code Pro"; package = pkgs.source-code-pro; } ]

Declared by:

<nixpkgs/nixos/modules/services/ttys/kmscon.nix>
services.kmscon.fonts.*.package

Package providing the font.

Type: package

Declared by:

<nixpkgs/nixos/modules/services/ttys/kmscon.nix>
services.kmscon.fonts.*.name

Font name, as used by fontconfig.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/ttys/kmscon.nix>
services.kmscon.hwRender

Whether to use 3D hardware acceleration to render the console.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/ttys/kmscon.nix>
services.kmscon.useXkbConfig

Configure keymap from xserver keyboard settings.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/ttys/kmscon.nix>
services.knot.enable

Whether to enable Knot authoritative-only DNS server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/knot.nix>
services.knot.enableXDP

Extends the systemd unit with permissions to allow for the use of the eXpress Data Path (XDP).

Note

Make sure to read up on functional limitations when running in XDP mode.

Type: boolean

Default:

''
  Enabled when the `xdp.listen` setting is configured through `settings`.
''

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/knot.nix>
services.knot.package

The knot-dns package to use.

Type: package

Default: pkgs.knot-dns

Declared by:

<nixpkgs/nixos/modules/services/networking/knot.nix>
services.knot.checkConfig

Toggles the configuration test at build time. It runs in a sandbox, and therefore cannot be used in all scenarios.

Type: boolean

Default:

''
  Disabled when the config uses `keyFiles` or `enableXDP`.
''

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/knot.nix>
services.knot.extraArgs

List of additional command line parameters for knotd

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/knot.nix>
services.knot.keyFiles

A list of files containing additional configuration to be included using the include directive. This option allows to include configuration like TSIG keys without exposing them to the nix store readable to any process. Note that using this option will also disable configuration checks at build time.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/knot.nix>
services.knot.settings

Extra configuration as nix values.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/knot.nix>
services.knot.settingsFile

As alternative to settings, you can provide whole configuration directly in the almost-YAML format of Knot DNS. You might want to utilize pkgs.writeText "knot.conf" "longConfigString" for this.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/knot.nix>
services.komga.enable

Whether to enable Komga, a free and open source comics/mangas media server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/komga.nix>
services.komga.group

Group under which Komga runs.

Type: string

Default: "komga"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/komga.nix>
services.komga.openFirewall

Whether to open the firewall for the port in services.komga.port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/komga.nix>
services.komga.port

The port that Komga will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/komga.nix>
services.komga.stateDir

State and configuration directory Komga will use.

Type: string

Default: "/var/lib/komga"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/komga.nix>
services.komga.user

User account under which Komga runs.

Type: string

Default: "komga"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/komga.nix>
services.kresd.enable

Whether to enable knot-resolver domain name server. DNSSEC validation is turned on by default. You can run sudo nc -U /run/knot-resolver/control/1 and give commands interactively to kresd@1.service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/kresd.nix>
services.kresd.package

The knot-resolver package to use.

Type: package

Default: pkgs.knot-resolver

Example: knot-resolver.override { extraFeatures = true; }

Declared by:

<nixpkgs/nixos/modules/services/networking/kresd.nix>
services.kresd.extraConfig

Extra lines to be added verbatim to the generated configuration file. See upstream documentation https://www.knot-resolver.cz/documentation/stable/config-overview.html for more details.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/kresd.nix>
services.kresd.instances

The number of instances to start. They will be called kresd@{1,2,…}.service. Knot Resolver uses no threads, so this is the way to scale. You can dynamically start/stop them at will, so this is just system default.

Type: unsigned integer, meaning >=0

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/networking/kresd.nix>
services.kresd.listenDoH

Addresses and ports on which kresd should provide DNS over HTTPS/2 (see RFC 8484). For detailed syntax see ListenStream in systemd.socket(5).

Type: list of string

Default: [ ]

Example:

[
  "198.51.100.1:443"
  "[2001:db8::1]:443"
  "443"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/kresd.nix>
services.kresd.listenPlain

What addresses and ports the server should listen on. For detailed syntax see ListenStream in systemd.socket(5).

Type: list of string

Default:

[
  "[::1]:53"
  "127.0.0.1:53"
]

Example:

[
  "53"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/kresd.nix>
services.kresd.listenTLS

Addresses and ports on which kresd should provide DNS over TLS (see RFC 7858). For detailed syntax see ListenStream in systemd.socket(5).

Type: list of string

Default: [ ]

Example:

[
  "198.51.100.1:853"
  "[2001:db8::1]:853"
  "853"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/kresd.nix>
services.kthxbye.enable

Whether to enable kthxbye alert acknowledgement management daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kthxbye.package

The kthxbye package to use.

Type: package

Default: pkgs.kthxbye

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kthxbye.alertmanager.timeout

Alertmanager request timeout duration in the time.Duration format.

Type: string

Default: "1m0s"

Example: "30s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kthxbye.alertmanager.uri

Alertmanager URI to use.

Type: string

Default: "http://localhost:9093"

Example: "https://alertmanager.example.com"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kthxbye.extendBy

Extend silences by adding DURATION seconds.

DURATION should be provided in the time.Duration format.

Type: string

Default: "15m0s"

Example: "6h0m0s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kthxbye.extendIfExpiringIn

Extend silences that are about to expire in the next DURATION seconds.

DURATION should be provided in the time.Duration format.

Type: string

Default: "5m0s"

Example: "1m0s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kthxbye.extendWithPrefix

Extend silences with comment starting with PREFIX string.

Type: string

Default: "ACK!"

Example: "!perma-silence"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kthxbye.extraOptions

Extra command line options.

Documentation can be found here.

Type: list of string

Default: [ ]

Example:

[
  "-extend-with-prefix 'ACK!'"
];

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kthxbye.interval

Silence check interval duration in the time.Duration format.

Type: string

Default: "45s"

Example: "30s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kthxbye.listenAddress

The address to listen on for HTTP requests.

Type: string

Default: "0.0.0.0"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kthxbye.logJSON

Format logged messages as JSON.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kthxbye.maxDuration

Maximum duration of a silence, it won’t be extended anymore after reaching it.

Duration should be provided in the time.Duration format.

Type: null or string

Default: null

Example: "30d"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kthxbye.openFirewall

Whether to open ports in the firewall needed for the daemon to function.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kthxbye.port

The port to listen on for HTTP requests.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/monitoring/kthxbye.nix>
services.kubernetes.package

The kubernetes package to use.

Type: package

Default: pkgs.kubernetes

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.addonManager.enable

Whether to enable Kubernetes addon manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/addon-manager.nix>
services.kubernetes.addonManager.addons

Kubernetes addons (any kind of Kubernetes resource can be an addon).

Type: attribute set of ((attribute set) or list of (attribute set))

Default: { }

Example:

{
  "my-service" = {
    "apiVersion" = "v1";
    "kind" = "Service";
    "metadata" = {
      "name" = "my-service";
      "namespace" = "default";
    };
    "spec" = { ... };
  };
}
// import <nixpkgs/nixos/modules/services/cluster/kubernetes/dns.nix> { cfg = config.services.kubernetes; };

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/addon-manager.nix>
services.kubernetes.addonManager.bootstrapAddons

Bootstrap addons are like regular addons, but they are applied with cluster-admin rights. They are applied at addon-manager startup only.

Type: attribute set of (attribute set)

Default: { }

Example:

{
  "my-service" = {
    "apiVersion" = "v1";
    "kind" = "Service";
    "metadata" = {
      "name" = "my-service";
      "namespace" = "default";
    };
    "spec" = { ... };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/addon-manager.nix>
services.kubernetes.addons.dns.enable

Whether to enable kubernetes dns addon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix>
services.kubernetes.addons.dns.clusterDomain

Dns cluster domain

Type: string

Default: "cluster.local"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix>
services.kubernetes.addons.dns.clusterIp

Dns addon clusterIP

Type: string

Default: The x.y.z.254 IP of config.services.kubernetes.apiserver.serviceClusterIpRange.

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix>
services.kubernetes.addons.dns.coredns

Docker image to seed for the CoreDNS container.

Type: attribute set

Default:

{
  finalImageTag = "1.10.1";
  imageDigest = "sha256:a0ead06651cf580044aeb0a0feba63591858fb2e43ade8c9dea45a6a89ae7e5e";
  imageName = "coredns/coredns";
  sha256 = "0wg696920smmal7552a2zdhfncndn5kfammfa8bk8l7dz9bhk0y1";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix>
services.kubernetes.addons.dns.corefile

Custom coredns corefile configuration.

See: https://coredns.io/manual/toc/#configuration.

Type: string

Default:

''
  .:10053 {
    errors
    health :10054
    kubernetes ${config.services.kubernetes.addons.dns.clusterDomain} in-addr.arpa ip6.arpa {
      pods insecure
      fallthrough in-addr.arpa ip6.arpa
    }
    prometheus :10055
    forward . /etc/resolv.conf
    cache 30
    loop
    reload
    loadbalance
  }
''

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix>
services.kubernetes.addons.dns.reconcileMode

Controls the addon manager reconciliation mode for the DNS addon.

Setting reconcile mode to EnsureExists makes it possible to tailor DNS behavior by editing the coredns ConfigMap.

See: https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/addon-manager/README.md.

Type: one of “Reconcile”, “EnsureExists”

Default: "Reconcile"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix>
services.kubernetes.addons.dns.replicas

Number of DNS pod replicas to deploy in the cluster.

Type: signed integer

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/addons/dns.nix>
services.kubernetes.apiserver.enable

Whether to enable Kubernetes apiserver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.enableAdmissionPlugins

Kubernetes admission control plugins to enable. See https://kubernetes.io/docs/admin/admission-controllers/

Type: list of string

Default:

[
  "NamespaceLifecycle"
  "LimitRanger"
  "ServiceAccount"
  "ResourceQuota"
  "DefaultStorageClass"
  "DefaultTolerationSeconds"
  "NodeRestriction"
]

Example:

[
  "NamespaceLifecycle"
  "NamespaceExists"
  "LimitRanger"
  "SecurityContextDeny"
  "ServiceAccount"
  "ResourceQuota"
  "PodSecurityPolicy"
  "NodeRestriction"
  "DefaultStorageClass"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.advertiseAddress

Kubernetes apiserver IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest of the cluster.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.allowPrivileged

Whether to allow privileged containers on Kubernetes.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.apiAudiences

Kubernetes apiserver ServiceAccount issuer.

Type: string

Default: "api,https://kubernetes.default.svc"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.authorizationMode

Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node). See https://kubernetes.io/docs/reference/access-authn-authz/authorization/

Type: list of (one of “AlwaysAllow”, “AlwaysDeny”, “ABAC”, “Webhook”, “RBAC”, “Node”)

Default:

[
  "RBAC"
  "Node"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.authorizationPolicy

Kubernetes apiserver authorization policy file. See https://kubernetes.io/docs/reference/access-authn-authz/authorization/

Type: list of (attribute set)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.basicAuthFile

Kubernetes apiserver basic authentication file. See https://kubernetes.io/docs/reference/access-authn-authz/authentication

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.bindAddress

The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.clientCaFile

Kubernetes apiserver CA file for client auth.

Type: null or path

Default: config.services.kubernetes.caFile

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.disableAdmissionPlugins

Kubernetes admission control plugins to disable. See https://kubernetes.io/docs/admin/admission-controllers/

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.etcd.caFile

Etcd ca file.

Type: null or path

Default: config.services.kubernetes.caFile

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.etcd.certFile

Etcd cert file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.etcd.keyFile

Etcd key file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.etcd.servers

List of etcd servers.

Type: list of string

Default:

[
  "http://127.0.0.1:2379"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.extraOpts

Kubernetes apiserver extra command line options.

Type: strings concatenated with " "

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.extraSANs

Extra x509 Subject Alternative Names to be added to the kubernetes apiserver tls cert.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.featureGates

Attribute set of feature gates.

Type: attribute set of boolean

Default: config.services.kubernetes.featureGates

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.kubeletClientCaFile

Path to a cert file for connecting to kubelet.

Type: null or path

Default: config.services.kubernetes.caFile

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.kubeletClientCertFile

Client certificate to use for connections to kubelet.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.kubeletClientKeyFile

Key to use for connections to kubelet.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.preferredAddressTypes

List of the preferred NodeAddressTypes to use for kubelet connections.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.proxyClientCertFile

Client certificate to use for connections to proxy.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.proxyClientKeyFile

Key to use for connections to proxy.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.runtimeConfig

Api runtime configuration. See https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/

Type: string

Default: "authentication.k8s.io/v1beta1=true"

Example: "api/all=false,api/v1=true"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.securePort

Kubernetes apiserver secure port.

Type: signed integer

Default: 6443

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.serviceAccountIssuer

Kubernetes apiserver ServiceAccount issuer.

Type: string

Default: "https://kubernetes.default.svc"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.serviceAccountKeyFile

File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify ServiceAccount tokens. The specified file can contain multiple keys, and the flag can be specified multiple times with different files. If unspecified, --tls-private-key-file is used. Must be specified when --service-account-signing-key is provided

Type: path

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.serviceAccountSigningKeyFile

Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.serviceClusterIpRange

A CIDR notation IP range from which to assign service cluster IPs. This must not overlap with any IP ranges assigned to nodes for pods.

Type: string

Default: "10.0.0.0/24"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.storageBackend

Kubernetes apiserver storage backend.

Type: one of “etcd2”, “etcd3”

Default: "etcd3"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.tlsCertFile

Kubernetes apiserver certificate file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.tlsKeyFile

Kubernetes apiserver private key file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.tokenAuthFile

Kubernetes apiserver token authentication file. See https://kubernetes.io/docs/reference/access-authn-authz/authentication

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.verbosity

Optional glog verbosity level for logging statements. See https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserver.webhookConfig

Kubernetes apiserver Webhook config file. It uses the kubeconfig file format. See https://kubernetes.io/docs/reference/access-authn-authz/webhook/

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/apiserver.nix>
services.kubernetes.apiserverAddress

Clusterwide accessible address for the kubernetes apiserver, including protocol and optional port.

Type: string

Example: "https://kubernetes-apiserver.example.com:6443"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.caFile

Default kubernetes certificate authority

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.clusterCidr

Kubernetes controller manager and proxy CIDR Range for Pods in cluster.

Type: null or string

Default: "10.1.0.0/16"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.controllerManager.enable

Whether to enable Kubernetes controller manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.allocateNodeCIDRs

Whether to automatically allocate CIDR ranges for cluster nodes.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.bindAddress

Kubernetes controller manager listening address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.clusterCidr

Kubernetes CIDR Range for Pods in cluster.

Type: string

Default: config.services.kubernetes.clusterCidr

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.extraOpts

Kubernetes controller manager extra command line options.

Type: strings concatenated with " "

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.featureGates

Attribute set of feature gates.

Type: attribute set of boolean

Default: config.services.kubernetes.featureGates

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.kubeconfig.caFile

Kubernetes controller manager certificate authority file used to connect to kube-apiserver.

Type: null or path

Default: config.services.kubernetes.caFile

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.kubeconfig.certFile

Kubernetes controller manager client certificate file used to connect to kube-apiserver.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.kubeconfig.keyFile

Kubernetes controller manager client key file used to connect to kube-apiserver.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.kubeconfig.server

Kubernetes controller manager kube-apiserver server address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.leaderElect

Whether to start leader election before executing main loop.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.rootCaFile

Kubernetes controller manager certificate authority file included in service account’s token secret.

Type: null or path

Default: config.services.kubernetes.caFile

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.securePort

Kubernetes controller manager secure listening port.

Type: signed integer

Default: 10252

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.serviceAccountKeyFile

Kubernetes controller manager PEM-encoded private RSA key file used to sign service account tokens

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.tlsCertFile

Kubernetes controller-manager certificate file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.tlsKeyFile

Kubernetes controller-manager private key file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.controllerManager.verbosity

Optional glog verbosity level for logging statements. See https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix>
services.kubernetes.dataDir

Kubernetes root directory for managing kubelet files.

Type: path

Default: "/var/lib/kubernetes"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.easyCerts

Automatically setup x509 certificates and keys for the entire cluster.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.featureGates

List set of feature gates.

Type: attribute set of boolean

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.flannel.enable

Whether to enable flannel networking.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix>
services.kubernetes.flannel.openFirewallPorts

Whether to open the Flannel UDP ports in the firewall on all interfaces.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/flannel.nix>
services.kubernetes.kubeconfig.caFile

Default kubeconfig certificate authority file used to connect to kube-apiserver.

Type: null or path

Default: config.services.kubernetes.caFile

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.kubeconfig.certFile

Default kubeconfig client certificate file used to connect to kube-apiserver.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.kubeconfig.keyFile

Default kubeconfig client key file used to connect to kube-apiserver.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.kubeconfig.server

Default kubeconfig kube-apiserver server address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.kubelet.enable

Whether to enable Kubernetes kubelet.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.address

Kubernetes kubelet info server listening address.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.clientCaFile

Kubernetes apiserver CA file for client authentication.

Type: null or path

Default: config.services.kubernetes.caFile

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.clusterDns

Use alternative DNS.

Type: list of string

Default:

[
  "10.1.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.clusterDomain

Use alternative domain.

Type: string

Default: config.services.kubernetes.addons.dns.clusterDomain

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.cni.packages

List of network plugin packages to install.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.cni.config

Kubernetes CNI configuration.

Type: list of (attribute set)

Default: [ ]

Example:

[{
  "cniVersion": "0.3.1",
  "name": "mynet",
  "type": "bridge",
  "bridge": "cni0",
  "isGateway": true,
  "ipMasq": true,
  "ipam": {
      "type": "host-local",
      "subnet": "10.22.0.0/16",
      "routes": [
          { "dst": "0.0.0.0/0" }
      ]
  }
} {
  "cniVersion": "0.3.1",
  "type": "loopback"
}]

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.cni.configDir

Path to Kubernetes CNI configuration directory.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.containerRuntimeEndpoint

Endpoint at which to find the container runtime api interface/socket

Type: string

Default: "unix:///run/containerd/containerd.sock"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.extraConfig

Kubernetes kubelet extra configuration file entries.

Type: attribute set of (attribute set)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.extraOpts

Kubernetes kubelet extra command line options.

Type: strings concatenated with " "

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.featureGates

Attribute set of feature gate

Type: attribute set of boolean

Default: config.services.kubernetes.featureGates

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.healthz.bind

Kubernetes kubelet healthz listening address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.healthz.port

Kubernetes kubelet healthz port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 10248

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.hostname

Kubernetes kubelet hostname override.

Type: string

Default: config.networking.fqdnOrHostName

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.kubeconfig.caFile

Kubelet certificate authority file used to connect to kube-apiserver.

Type: null or path

Default: config.services.kubernetes.caFile

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.kubeconfig.certFile

Kubelet client certificate file used to connect to kube-apiserver.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.kubeconfig.keyFile

Kubelet client key file used to connect to kube-apiserver.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.kubeconfig.server

Kubelet kube-apiserver server address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.manifests

List of manifests to bootstrap with kubelet (only pods can be created as manifest entry)

Type: attribute set of (attribute set)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.nodeIp

IP address of the node. If set, kubelet will use this IP address for the node.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.port

Kubernetes kubelet info server listening port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 10250

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.registerNode

Whether to auto register kubelet with API server.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.seedDockerImages

List of docker images to preload on system

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.taints

Node taints (https://kubernetes.io/docs/concepts/configuration/assign-pod-node/).

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.taints.<name>.effect

Effect of taint.

Type: one of “NoSchedule”, “PreferNoSchedule”, “NoExecute”

Example: "NoSchedule"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.taints.<name>.key

Key of taint.

Type: string

Default: Name of this submodule.

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.taints.<name>.value

Value of taint.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.tlsCertFile

File containing x509 Certificate for HTTPS.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.tlsKeyFile

File containing x509 private key matching tlsCertFile.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.unschedulable

Whether to set node taint to unschedulable=true as it is the case of node that has only master role.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.kubelet.verbosity

Optional glog verbosity level for logging statements. See https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix>
services.kubernetes.lib

Common functions for the kubernetes modules.

Type: attribute set

Default:

{
  mkCert = <function, args: {CN, action?, fields?, hosts?, name, privateKeyGroup?, privateKeyOwner?}>;
  mkKubeConfig = <function>;
  mkKubeConfigOptions = <function>;
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.masterAddress

Clusterwide available network address or hostname for the kubernetes master server.

Type: string

Example: "master.example.com"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.path

Packages added to the services’ PATH environment variable. Both the bin and sbin subdirectories of each package are added.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.pki.enable

Whether to enable easyCert issuer service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix>
services.kubernetes.pki.caCertPathPrefix

Path-prefrix for the CA-certificate to be used for cfssl signing. Suffixes “.pem” and “-key.pem” will be automatically appended for the public and private keys respectively.

Type: string

Default: "${config.services.cfssl.dataDir}/ca"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix>
services.kubernetes.pki.caSpec

Certificate specification for the auto-generated CAcert.

Type: attribute set

Default:

{
  CN = "kubernetes-cluster-ca";
  L = "auto-generated";
  O = "NixOS";
  OU = "services.kubernetes.pki.caSpec";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix>
services.kubernetes.pki.certs

List of certificate specs to feed to cert generator.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix>
services.kubernetes.pki.cfsslAPIExtraSANs

Extra x509 Subject Alternative Names to be added to the cfssl API webserver TLS cert.

Type: list of string

Default: [ ]

Example:

[
  "subdomain.example.com"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix>
services.kubernetes.pki.etcClusterAdminKubeconfig

Symlink a kubeconfig with cluster-admin privileges to environment path (/etc/<path>).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix>
services.kubernetes.pki.genCfsslAPICerts

Whether to automatically generate cfssl API webserver TLS cert and key, if they don’t exist.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix>
services.kubernetes.pki.genCfsslAPIToken

Whether to automatically generate cfssl API-token secret, if they doesn’t exist.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix>
services.kubernetes.pki.genCfsslCACert

Whether to automatically generate cfssl CA certificate and key, if they don’t exist.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix>
services.kubernetes.pki.pkiTrustOnBootstrap

Whether to always trust remote cfssl server upon initial PKI bootstrap.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix>
services.kubernetes.proxy.enable

Whether to enable Kubernetes proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix>
services.kubernetes.proxy.bindAddress

Kubernetes proxy listening address.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix>
services.kubernetes.proxy.extraOpts

Kubernetes proxy extra command line options.

Type: strings concatenated with " "

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix>
services.kubernetes.proxy.featureGates

Attribute set of feature gates.

Type: attribute set of boolean

Default: config.services.kubernetes.featureGates

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix>
services.kubernetes.proxy.hostname

Kubernetes proxy hostname override.

Type: string

Default: config.networking.hostName

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix>
services.kubernetes.proxy.kubeconfig.caFile

Kubernetes proxy certificate authority file used to connect to kube-apiserver.

Type: null or path

Default: config.services.kubernetes.caFile

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix>
services.kubernetes.proxy.kubeconfig.certFile

Kubernetes proxy client certificate file used to connect to kube-apiserver.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix>
services.kubernetes.proxy.kubeconfig.keyFile

Kubernetes proxy client key file used to connect to kube-apiserver.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix>
services.kubernetes.proxy.kubeconfig.server

Kubernetes proxy kube-apiserver server address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix>
services.kubernetes.proxy.verbosity

Optional glog verbosity level for logging statements. See https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix>
services.kubernetes.roles

Kubernetes role that this machine should take.

Master role will enable etcd, apiserver, scheduler, controller manager addon manager, flannel and proxy services. Node role will enable flannel, docker, kubelet and proxy services.

Type: list of (one of “master”, “node”)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubernetes.scheduler.enable

Whether to enable Kubernetes scheduler.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix>
services.kubernetes.scheduler.address

Kubernetes scheduler listening address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix>
services.kubernetes.scheduler.extraOpts

Kubernetes scheduler extra command line options.

Type: strings concatenated with " "

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix>
services.kubernetes.scheduler.featureGates

Attribute set of feature gates.

Type: attribute set of boolean

Default: config.services.kubernetes.featureGates

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix>
services.kubernetes.scheduler.kubeconfig.caFile

Kubernetes scheduler certificate authority file used to connect to kube-apiserver.

Type: null or path

Default: config.services.kubernetes.caFile

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix>
services.kubernetes.scheduler.kubeconfig.certFile

Kubernetes scheduler client certificate file used to connect to kube-apiserver.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix>
services.kubernetes.scheduler.kubeconfig.keyFile

Kubernetes scheduler client key file used to connect to kube-apiserver.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix>
services.kubernetes.scheduler.kubeconfig.server

Kubernetes scheduler kube-apiserver server address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix>
services.kubernetes.scheduler.leaderElect

Whether to start leader election before executing main loop.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix>
services.kubernetes.scheduler.port

Kubernetes scheduler listening port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 10251

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix>
services.kubernetes.scheduler.verbosity

Optional glog verbosity level for logging statements. See https://github.com/kubernetes/community/blob/master/contributors/devel/logging.md

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix>
services.kubernetes.secretsPath

Default location for kubernetes secrets. Not a store location.

Type: path

Default:

config.services.kubernetes.dataDir + "/secrets"

Declared by:

<nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix>
services.kubo.enable

Whether to enable the Interplanetary File System (WARNING: may cause severe network degradation). NOTE: after enabling this option and rebuilding your system, you need to log out and back in for the IPFS_PATH environment variable to be present in your shell. Until you do that, the CLI tools won’t be able to talk to the daemon by default .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.enableGC

Whether to enable automatic garbage collection

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.package

The kubo package to use.

Type: package

Default: pkgs.kubo

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.autoMigrate

Whether Kubo should try to run the fs-repo-migration at startup.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.autoMount

Whether Kubo should try to mount /ipfs and /ipns at startup.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.dataDir

The data dir for Kubo

Type: string

Default:

if lib.versionAtLeast config.system.stateVersion "17.09"
then "/var/lib/ipfs"
else "/var/lib/ipfs/.ipfs"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.defaultMode

systemd service that is enabled by default

Type: one of “online”, “offline”, “norouting”

Default: "online"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.emptyRepo

If set to false, the repo will be initialized with help files

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.extraFlags

Extra flags passed to the Kubo daemon

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.group

Group under which the Kubo daemon runs

Type: string

Default: "ipfs"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.localDiscovery

Whether to enable local discovery for the Kubo daemon. This will allow Kubo to scan ports on your local network. Some hosting services will ban you if you do this.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.serviceFdlimit

The fdlimit for the Kubo systemd unit or null to have the daemon attempt to manage it

Type: null or signed integer

Default: null

Example: 65536

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.settings

Attrset of daemon configuration. See https://github.com/ipfs/kubo/blob/master/docs/config.md for reference. You can’t set Identity or Pinning.

Type: JSON value

Default: { }

Example:

{
  Bootstrap = [
    "/ip4/128.199.219.111/tcp/4001/ipfs/QmSoLSafTMBsPKadTEgaXctDQVcqN88CNLHXMkTNwMKPnu"
    "/ip4/162.243.248.213/tcp/4001/ipfs/QmSoLueR4xBeUbY9WZ9xGUUxunbKWcrNFTDAadQJmocnWm"
  ];
  Datastore = {
    StorageMax = "100GB";
  };
  Discovery = {
    MDNS = {
      Enabled = false;
    };
  };
  Swarm = {
    AddrFilters = null;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.settings.Addresses.API

Multiaddr or array of multiaddrs describing the address to serve the local HTTP API on. In addition to the multiaddrs listed here, the daemon will also listen on a Unix domain socket. To allow the ipfs CLI tools to communicate with the daemon over that socket, add your user to the correct group, e.g. users.users.alice.extraGroups = [ config.services.kubo.group ];

Type: string or list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.settings.Addresses.Gateway

Where the IPFS Gateway can be reached

Type: string or list of string

Default: "/ip4/127.0.0.1/tcp/8080"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.settings.Addresses.Swarm

Where Kubo listens for incoming p2p connections

Type: list of string

Default:

[
  "/ip4/0.0.0.0/tcp/4001"
  "/ip6/::/tcp/4001"
  "/ip4/0.0.0.0/udp/4001/quic-v1"
  "/ip4/0.0.0.0/udp/4001/quic-v1/webtransport"
  "/ip4/0.0.0.0/udp/4001/webrtc-direct"
  "/ip6/::/udp/4001/quic-v1"
  "/ip6/::/udp/4001/quic-v1/webtransport"
  "/ip6/::/udp/4001/webrtc-direct"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.settings.Mounts.IPFS

Where to mount the IPFS namespace to

Type: string

Default: "/ipfs"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.settings.Mounts.IPNS

Where to mount the IPNS namespace to

Type: string

Default: "/ipns"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.startWhenNeeded

Whether to use socket activation to start Kubo when needed.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.kubo.user

User under which the Kubo daemon runs

Type: string

Default: "ipfs"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/kubo.nix>
services.lambdabot.enable

Enable the Lambdabot IRC bot

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/lambdabot.nix>
services.lambdabot.package

The lambdabot package to use.

Type: package

Default: pkgs.lambdabot

Declared by:

<nixpkgs/nixos/modules/services/networking/lambdabot.nix>
services.lambdabot.script

Lambdabot script

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/lambdabot.nix>
services.languagetool.enable

Whether to enable the LanguageTool server, a multilingual spelling, style, and grammar checker that helps correct or paraphrase texts.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/languagetool.nix>
services.languagetool.package

The languagetool package to use.

Type: package

Default: pkgs.languagetool

Declared by:

<nixpkgs/nixos/modules/services/misc/languagetool.nix>
services.languagetool.allowOrigin

Set the Access-Control-Allow-Origin header in the HTTP response, used for direct (non-proxy) JavaScript-based access from browsers. "*" to allow access from all sites.

Type: null or string

Default: null

Example: "https://my-website.org"

Declared by:

<nixpkgs/nixos/modules/services/misc/languagetool.nix>
services.languagetool.jrePackage

The jre package to use.

Type: package

Default: pkgs.jre

Declared by:

<nixpkgs/nixos/modules/services/misc/languagetool.nix>
services.languagetool.jvmOptions

Extra command line options for the JVM running languagetool. More information can be found here: https://docs.oracle.com/en/java/javase/19/docs/specs/man/java.html#standard-options-for-java

Type: list of string

Default: [ ]

Example:

[
  "-Xmx512m"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/languagetool.nix>
services.languagetool.port

Port on which LanguageTool listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8081

Example: 8081

Declared by:

<nixpkgs/nixos/modules/services/misc/languagetool.nix>
services.languagetool.public

Whether to enable access from anywhere (rather than just localhost).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/languagetool.nix>
services.languagetool.settings

Configuration file options for LanguageTool, see ‘languagetool-http-server --help’ for supported settings.

Type: attribute set of (string, package, bool, int or float)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/languagetool.nix>
services.languagetool.settings.cacheSize

Number of sentences cached.

Type: unsigned integer, meaning >=0

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/misc/languagetool.nix>
services.lanraragi.enable

Whether to enable LANraragi.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lanraragi.nix>
services.lanraragi.package

The lanraragi package to use.

Type: package

Default: pkgs.lanraragi

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lanraragi.nix>
services.lanraragi.passwordFile

A file containing the password for LANraragi’s admin interface.

Type: null or path

Default: null

Example: "/run/keys/lanraragi-password"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lanraragi.nix>
services.lanraragi.port

Port for LANraragi’s web interface.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lanraragi.nix>
services.lanraragi.redis.passwordFile

A file containing the password for LANraragi’s Redis server.

Type: null or path

Default: null

Example: "/run/keys/redis-lanraragi-password"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lanraragi.nix>
services.lanraragi.redis.port

Port for LANraragi’s Redis server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6379

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lanraragi.nix>
services.leaps.enable

Whether to enable leaps, a pair programming service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/leaps.nix>
services.leaps.address

Hostname or IP-address to listen to. By default it will listen on all interfaces.

Type: string

Default: ""

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/leaps.nix>
services.leaps.path

Subdirectory used for reverse proxy setups

Type: path

Default: "/"

Declared by:

<nixpkgs/nixos/modules/services/misc/leaps.nix>
services.leaps.port

A port where leaps listens for incoming http requests

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/misc/leaps.nix>
services.legit.enable

Whether to enable legit git web frontend.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.package

The legit-web package to use.

Type: package

Default: pkgs.legit-web

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.group

Group account under which legit runs.

Type: string

Default: "legit"

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.settings

The primary legit configuration. See the sample configuration for possible values.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.settings.dirs.static

Directories where static files are located.

Type: path

Default: "${pkgs.legit-web}/lib/legit/static"

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.settings.dirs.templates

Directories where template files are located.

Type: path

Default: "${pkgs.legit-web}/lib/legit/templates"

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.settings.meta.description

Website description.

Type: string

Default: "git frontend"

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.settings.meta.title

Website title.

Type: string

Default: "legit"

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.settings.repo.ignore

Repositories to ignore.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.settings.repo.mainBranch

Main branch to look for.

Type: list of string

Default:

[
  "main"
  "master"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.settings.repo.readme

Readme files to look for.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.settings.repo.scanPath

Directory where legit will scan for repositories.

Type: path

Default: "/var/lib/legit"

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.settings.server.host

Host address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.settings.server.name

Server name.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.settings.server.port

Legit port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5555

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.legit.user

User account under which legit runs.

Type: string

Default: "legit"

Declared by:

<nixpkgs/nixos/modules/services/networking/legit.nix>
services.lemmy.enable

Whether to enable lemmy a federated alternative to reddit in rust.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.adminPasswordFile

File which contains the value of setup.admin_password.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.caddy.enable

Whether to enable exposing lemmy with the caddy reverse proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.database.createLocally

Whether to enable creation of database on the instance.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.database.uri

The connection URI to use. Takes priority over the configuration file if set.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.database.uriFile

File which contains the database uri.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.nginx.enable

Whether to enable exposing lemmy with the nginx reverse proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.pictrsApiKeyFile

File which contains the value of pictrs.api_key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.server.package

The lemmy-server package to use.

Type: package

Default: pkgs.lemmy-server

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.settings

Lemmy configuration

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.settings.captcha.enabled

Enable Captcha.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.settings.captcha.difficulty

The difficultly of the captcha to solve.

Type: one of “easy”, “medium”, “hard”

Default: "medium"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.settings.hostname

The domain name of your instance (eg ‘lemmy.ml’).

Type: string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.settings.port

Port where lemmy should listen for incoming requests.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8536

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.smtpPasswordFile

File which contains the value of email.smtp_password.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.ui.package

The lemmy-ui package to use.

Type: package

Default: pkgs.lemmy-ui

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.lemmy.ui.port

Port where lemmy-ui should listen for incoming requests.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1234

Declared by:

<nixpkgs/nixos/modules/services/web-apps/lemmy.nix>
services.libinput.enable

Whether to enable libinput.

Type: boolean

Default: config.services.xserver.enable

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.accelPointsFallback

Sets the points of the fallback acceleration function. The value must be a list of floating point non-negative numbers. This only applies to the custom profile.

Type: null or (list of (signed integer or floating point number))

Default: null

Example:

[
  0.0
  1.0
  2.4
  2.5
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.accelPointsMotion

Sets the points of the (pointer) motion acceleration function. The value must be a list of floating point non-negative numbers. This only applies to the custom profile.

Type: null or (list of (signed integer or floating point number))

Default: null

Example:

[
  0.0
  1.0
  2.4
  2.5
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.accelPointsScroll

Sets the points of the scroll acceleration function. The value must be a list of floating point non-negative numbers. This only applies to the custom profile.

Type: null or (list of (signed integer or floating point number))

Default: null

Example:

[
  0.0
  1.0
  2.4
  2.5
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.accelProfile

Sets the pointer acceleration profile to the given profile. Permitted values are adaptive, flat, custom. Not all devices support this option or all profiles. If a profile is unsupported, the default profile for this is used. flat: Pointer motion is accelerated by a constant (device-specific) factor, depending on the current speed. adaptive: Pointer acceleration depends on the input speed. This is the default profile for most devices. custom: Allows the user to define a custom acceleration function. To define custom functions use the accelPoints<Fallback/Motion/Scroll> and accelStep<Fallback/Motion/Scroll> options.

Type: one of “flat”, “adaptive”, “custom”

Default: "adaptive"

Example: "flat"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.accelSpeed

Cursor acceleration (how fast speed increases from minSpeed to maxSpeed). This only applies to the flat or adaptive profile.

Type: null or string

Default: null

Example: "-0.5"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.accelStepFallback

Sets the step between the points of the fallback acceleration function. When a step of 0.0 is provided, libinput’s Fallback acceleration function is used. This only applies to the custom profile.

Type: null or signed integer or floating point number

Default: null

Example: 0.1

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.accelStepMotion

Sets the step between the points of the (pointer) motion acceleration function. When a step of 0.0 is provided, libinput’s Fallback acceleration function is used. This only applies to the custom profile.

Type: null or signed integer or floating point number

Default: null

Example: 0.1

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.accelStepScroll

Sets the step between the points of the scroll acceleration function. When a step of 0.0 is provided, libinput’s Fallback acceleration function is used. This only applies to the custom profile.

Type: null or signed integer or floating point number

Default: null

Example: 0.1

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.additionalOptions

Additional options for libinput mouse driver. See libinput(4) for available options.";

Type: strings concatenated with “\n”

Default: ""

Example:

''
  Option "DragLockButtons" "L1 B1 L2 B2"
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.buttonMapping

Sets the logical button mapping for this device, see XSetPointerMapping(3). The string must be a space-separated list of button mappings in the order of the logical buttons on the device, starting with button 1. The default mapping is “1 2 3 … 32”. A mapping of 0 deac‐ tivates the button. Multiple buttons can have the same mapping. Invalid mapping strings are discarded and the default mapping is used for all buttons. Buttons not specified in the user’s mapping use the default mapping. See section BUTTON MAPPING for more details.

Type: null or string

Default: null

Example: "1 6 3 4 5 0 7"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.calibrationMatrix

A string of 9 space-separated floating point numbers. Sets the calibration matrix to the 3x3 matrix where the first row is (abc), the second row is (def) and the third row is (ghi).

Type: null or string

Default: null

Example: "0.5 0 0 0 0.8 0.1 0 0 1"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.clickMethod

Enables a click method. Permitted values are none, buttonareas, clickfinger. Not all devices support all methods, if an option is unsupported, the default click method for this device is used.

Type: null or one of “none”, “buttonareas”, “clickfinger”

Default: null

Example: "buttonareas"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.dev

Path for mouse device. Set to null to apply to any auto-detected mouse.

Type: null or string

Default: null

Example: "/dev/input/event0"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.disableWhileTyping

Disable input method while typing.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.horizontalScrolling

Enables or disables horizontal scrolling. When disabled, this driver will discard any horizontal scroll events from libinput. This does not disable horizontal scroll events from libinput; it merely discards the horizontal axis from any scroll events.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.leftHanded

Enables left-handed button orientation, i.e. swapping left and right buttons.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.middleEmulation

Enables middle button emulation. When enabled, pressing the left and right buttons simultaneously produces a middle mouse button click.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.naturalScrolling

Enables or disables natural scrolling behavior.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.scrollButton

Designates a button as scroll button. If the ScrollMethod is button and the button is logically held down, x/y axis movement is converted into scroll events.

Type: null or signed integer

Default: null

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.scrollMethod

Specify the scrolling method: twofinger, edge, button, or none

Type: one of “twofinger”, “edge”, “button”, “none”

Default: "twofinger"

Example: "edge"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.sendEventsMode

Sets the send events mode to disabled, enabled, or disabled-on-external-mouse

Type: one of “disabled”, “enabled”, “disabled-on-external-mouse”

Default: "enabled"

Example: "disabled"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.tapping

Enables or disables tap-to-click behavior.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.tappingButtonMap

Set the button mapping for 1/2/3-finger taps to left/right/middle or left/middle/right, respectively.

Type: null or one of “lrm”, “lmr”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.tappingDragLock

Enables or disables drag lock during tapping behavior. When enabled, a finger up during tap- and-drag will not immediately release the button. If the finger is set down again within the timeout, the dragging process continues.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.mouse.transformationMatrix

A string of 9 space-separated floating point numbers. Sets the transformation matrix to the 3x3 matrix where the first row is (abc), the second row is (def) and the third row is (ghi).

Type: null or string

Default: null

Example: "0.5 0 0 0 0.8 0.1 0 0 1"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.accelPointsFallback

Sets the points of the fallback acceleration function. The value must be a list of floating point non-negative numbers. This only applies to the custom profile.

Type: null or (list of (signed integer or floating point number))

Default: null

Example:

[
  0.0
  1.0
  2.4
  2.5
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.accelPointsMotion

Sets the points of the (pointer) motion acceleration function. The value must be a list of floating point non-negative numbers. This only applies to the custom profile.

Type: null or (list of (signed integer or floating point number))

Default: null

Example:

[
  0.0
  1.0
  2.4
  2.5
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.accelPointsScroll

Sets the points of the scroll acceleration function. The value must be a list of floating point non-negative numbers. This only applies to the custom profile.

Type: null or (list of (signed integer or floating point number))

Default: null

Example:

[
  0.0
  1.0
  2.4
  2.5
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.accelProfile

Sets the pointer acceleration profile to the given profile. Permitted values are adaptive, flat, custom. Not all devices support this option or all profiles. If a profile is unsupported, the default profile for this is used. flat: Pointer motion is accelerated by a constant (device-specific) factor, depending on the current speed. adaptive: Pointer acceleration depends on the input speed. This is the default profile for most devices. custom: Allows the user to define a custom acceleration function. To define custom functions use the accelPoints<Fallback/Motion/Scroll> and accelStep<Fallback/Motion/Scroll> options.

Type: one of “flat”, “adaptive”, “custom”

Default: "adaptive"

Example: "flat"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.accelSpeed

Cursor acceleration (how fast speed increases from minSpeed to maxSpeed). This only applies to the flat or adaptive profile.

Type: null or string

Default: null

Example: "-0.5"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.accelStepFallback

Sets the step between the points of the fallback acceleration function. When a step of 0.0 is provided, libinput’s Fallback acceleration function is used. This only applies to the custom profile.

Type: null or signed integer or floating point number

Default: null

Example: 0.1

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.accelStepMotion

Sets the step between the points of the (pointer) motion acceleration function. When a step of 0.0 is provided, libinput’s Fallback acceleration function is used. This only applies to the custom profile.

Type: null or signed integer or floating point number

Default: null

Example: 0.1

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.accelStepScroll

Sets the step between the points of the scroll acceleration function. When a step of 0.0 is provided, libinput’s Fallback acceleration function is used. This only applies to the custom profile.

Type: null or signed integer or floating point number

Default: null

Example: 0.1

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.additionalOptions

Additional options for libinput touchpad driver. See libinput(4) for available options.";

Type: strings concatenated with “\n”

Default: ""

Example:

''
  Option "DragLockButtons" "L1 B1 L2 B2"
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.buttonMapping

Sets the logical button mapping for this device, see XSetPointerMapping(3). The string must be a space-separated list of button mappings in the order of the logical buttons on the device, starting with button 1. The default mapping is “1 2 3 … 32”. A mapping of 0 deac‐ tivates the button. Multiple buttons can have the same mapping. Invalid mapping strings are discarded and the default mapping is used for all buttons. Buttons not specified in the user’s mapping use the default mapping. See section BUTTON MAPPING for more details.

Type: null or string

Default: null

Example: "1 6 3 4 5 0 7"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.calibrationMatrix

A string of 9 space-separated floating point numbers. Sets the calibration matrix to the 3x3 matrix where the first row is (abc), the second row is (def) and the third row is (ghi).

Type: null or string

Default: null

Example: "0.5 0 0 0 0.8 0.1 0 0 1"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.clickMethod

Enables a click method. Permitted values are none, buttonareas, clickfinger. Not all devices support all methods, if an option is unsupported, the default click method for this device is used.

Type: null or one of “none”, “buttonareas”, “clickfinger”

Default: null

Example: "buttonareas"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.dev

Path for touchpad device. Set to null to apply to any auto-detected touchpad.

Type: null or string

Default: null

Example: "/dev/input/event0"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.disableWhileTyping

Disable input method while typing.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.horizontalScrolling

Enables or disables horizontal scrolling. When disabled, this driver will discard any horizontal scroll events from libinput. This does not disable horizontal scroll events from libinput; it merely discards the horizontal axis from any scroll events.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.leftHanded

Enables left-handed button orientation, i.e. swapping left and right buttons.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.middleEmulation

Enables middle button emulation. When enabled, pressing the left and right buttons simultaneously produces a middle mouse button click.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.naturalScrolling

Enables or disables natural scrolling behavior.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.scrollButton

Designates a button as scroll button. If the ScrollMethod is button and the button is logically held down, x/y axis movement is converted into scroll events.

Type: null or signed integer

Default: null

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.scrollMethod

Specify the scrolling method: twofinger, edge, button, or none

Type: one of “twofinger”, “edge”, “button”, “none”

Default: "twofinger"

Example: "edge"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.sendEventsMode

Sets the send events mode to disabled, enabled, or disabled-on-external-mouse

Type: one of “disabled”, “enabled”, “disabled-on-external-mouse”

Default: "enabled"

Example: "disabled"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.tapping

Enables or disables tap-to-click behavior.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.tappingButtonMap

Set the button mapping for 1/2/3-finger taps to left/right/middle or left/middle/right, respectively.

Type: null or one of “lrm”, “lmr”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.tappingDragLock

Enables or disables drag lock during tapping behavior. When enabled, a finger up during tap- and-drag will not immediately release the button. If the finger is set down again within the timeout, the dragging process continues.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.libinput.touchpad.transformationMatrix

A string of 9 space-separated floating point numbers. Sets the transformation matrix to the 3x3 matrix where the first row is (abc), the second row is (def) and the third row is (ghi).

Type: null or string

Default: null

Example: "0.5 0 0 0 0.8 0.1 0 0 1"

Declared by:

<nixpkgs/nixos/modules/services/hardware/libinput.nix>
services.librenms.enable

Whether to enable LibreNMS network monitoring system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.enableLocalBilling

Enable billing Cron-Jobs on the local instance. Enabled by default, but you may disable it on some nodes within a distributed poller setup. See the docs for more informations about billing with distributed pollers.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.enableOneMinutePolling

Enables the 1-Minute Polling. Changing this option will automatically convert your existing rrd files.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.package

The librenms package to use.

Type: package

Default: pkgs.librenms

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.dataDir

Path of the LibreNMS state directory.

Type: path

Default: "/var/lib/librenms"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.database.createLocally

Whether to create a local database automatically.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.database.database

Name of the database on the MySQL/MariaDB server.

Type: string

Default: "librenms"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.database.host

Hostname or IP of the MySQL/MariaDB server. Ignored if ‘socket’ is defined.

Type: unspecified value

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.database.passwordFile

A file containing the password for the user of the MySQL/MariaDB server. Must be readable for the LibreNMS user. Ignored if ‘socket’ is defined, mandatory otherwise.

Type: null or path

Default: null

Example: "/run/secrets/mysql.pass"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.database.port

Port of the MySQL/MariaDB server. Ignored if ‘socket’ is defined.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.database.socket

A unix socket to mysql, accessible by the librenms user. Useful when mysql is on the localhost.

Type: null or string

Default: null

Example: "/run/mysqld/mysqld.sock"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.database.username

Name of the user on the MySQL/MariaDB server. Ignored if ‘socket’ is defined.

Type: string

Default: "librenms"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.distributedPoller.enable

Configure this LibreNMS instance as a distributed poller. This will disable all web features and just configure the poller features. Use the mysql database of your main LibreNMS instance in the database settings.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.distributedPoller.distributedBilling

Enable distributed billing on this poller.

Note: according to the docs, billing should only be calculated on a single node per poller group. You can disable billing on some nodes with the services.librenms.enableLocalBilling option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.distributedPoller.group

Group(s) of this poller.

Type: string

Default: "0"

Example: "1,2"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.distributedPoller.memcachedHost

Hostname or IP of the memcached server.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.distributedPoller.memcachedPort

Port of the memcached server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 11211

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.distributedPoller.name

Custom name of this poller.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.distributedPoller.rrdcachedHost

Hostname or IP of the rrdcached server.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.distributedPoller.rrdcachedPort

Port of the memcached server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 42217

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.environmentFile

File containing env-vars to be substituted into the final config. Useful for secrets. Does not apply to settings defined in extraConfig.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.extraConfig

Additional config for LibreNMS that will be appended to the config.php. See https://github.com/librenms/librenms/blob/master/misc/config_definitions.json for possible options. Useful if you want to use PHP-Functions in your config.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.finalPackage

The final package used by the module. This is the package that has all overrides.

Type: package (read only)

Default: package

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.group

Name of the LibreNMS group.

Type: string

Default: "librenms"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.hostname

The hostname to serve LibreNMS on.

Type: string

Default: config.networking.fqdnOrHostName

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.logDir

Path of the LibreNMS logging directory.

Type: path

Default: "/var/log/librenms"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx

With this option, you can customize the nginx virtualHost settings.

Type: submodule

Default: { }

Example:

{
  serverAliases = [
    "librenms.${config.networking.domain}"
  ];
  # To enable encryption and let let's encrypt take care of certificate
  forceSSL = true;
  enableACME = true;
  # To set the LibreNMS virtualHost as the default virtualHost;
  default = true;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.pollerThreads

Amount of threads of the cron-poller.

Type: signed integer

Default: 16

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.poolConfig

Options for the LibreNMS PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.settings

Attrset of the LibreNMS configuration. See https://docs.librenms.org/Support/Configuration/ for reference. All possible options are listed here. See https://docs.librenms.org/Extensions/Authentication/ for setting other authentication methods.

Type: JSON value

Default: { }

Example:

{
  base_url = "/librenms/";
  top_devices = true;
  top_ports = false;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.useDistributedPollers

Enables distributed pollers for this LibreNMS instance. This will enable a local rrdcached and memcached server.

To use this feature, make sure to configure your firewall that the distributed pollers can reach the local mysql, rrdcached and memcached ports.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.librenms.user

Name of the LibreNMS user.

Type: string

Default: "librenms"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/librenms.nix>
services.libreswan.enable

Whether to enable Libreswan IPsec service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/libreswan.nix>
services.libreswan.configSetup

Options to go in the ‘config setup’ section of the Libreswan IPsec configuration

Type: strings concatenated with “\n”

Default:

''
  protostack=netkey
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
''

Example:

''
  secretsfile=/root/ipsec.secrets
  protostack=netkey
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
''

Declared by:

<nixpkgs/nixos/modules/services/networking/libreswan.nix>
services.libreswan.connections

A set of connections to define for the Libreswan IPsec service

Type: attribute set of strings concatenated with “\n”

Default: { }

Example:

{ myconnection = ''
    auto=add
    left=%defaultroute
    leftid=@user

    right=my.vpn.com

    ikev2=no
    ikelifetime=8h
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/networking/libreswan.nix>
services.libreswan.disableRedirects

Whether to disable send and accept redirects for all network interfaces. See the Libreswan FAQ page for why this is recommended.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/libreswan.nix>
services.libreswan.policies

A set of policies to apply to the IPsec connections.

Note

The policy name must match the one of connection it needs to apply to.

Type: attribute set of strings concatenated with “\n”

Default: { }

Example:

{ private-or-clear = ''
    # Attempt opportunistic IPsec for the entire Internet
    0.0.0.0/0
    ::/0
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/networking/libreswan.nix>
services.lidarr.enable

Whether to enable Lidarr, a Usenet/BitTorrent music downloader.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/lidarr.nix>
services.lidarr.package

The lidarr package to use.

Type: package

Default: pkgs.lidarr

Declared by:

<nixpkgs/nixos/modules/services/misc/lidarr.nix>
services.lidarr.dataDir

The directory where Lidarr stores its data files.

Type: string

Default: "/var/lib/lidarr/.config/Lidarr"

Declared by:

<nixpkgs/nixos/modules/services/misc/lidarr.nix>
services.lidarr.group

Group under which Lidarr runs.

Type: string

Default: "lidarr"

Declared by:

<nixpkgs/nixos/modules/services/misc/lidarr.nix>
services.lidarr.openFirewall

Open ports in the firewall for Lidarr

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/lidarr.nix>
services.lidarr.user

User account under which Lidarr runs.

Type: string

Default: "lidarr"

Declared by:

<nixpkgs/nixos/modules/services/misc/lidarr.nix>
services.lifecycled.enable

Whether to enable lifecycled, a daemon for responding to AWS AutoScaling Lifecycle Hooks.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/lifecycled.nix>
services.lifecycled.awsRegion

The region used for accessing AWS services.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/lifecycled.nix>
services.lifecycled.cloudwatchGroup

Write logs to a specific Cloudwatch Logs group.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/lifecycled.nix>
services.lifecycled.cloudwatchStream

Write logs to a specific Cloudwatch Logs stream. Defaults to the instance ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/lifecycled.nix>
services.lifecycled.debug

Enable debugging information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/lifecycled.nix>
services.lifecycled.handler

The script to invoke to handle events.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/lifecycled.nix>
services.lifecycled.instanceId

The instance ID to listen for events for.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/lifecycled.nix>
services.lifecycled.json

Enable JSON logging.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/lifecycled.nix>
services.lifecycled.noSpot

Disable the spot termination listener.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/lifecycled.nix>
services.lifecycled.queueCleaner.enable

Whether to enable lifecycled-queue-cleaner.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/lifecycled.nix>
services.lifecycled.queueCleaner.frequency

How often to trigger the queue cleaner.

NOTE: This string should be a valid value for a systemd timer’s OnCalendar configuration. See systemd.timer(5) for more information.

Type: string

Default: "hourly"

Declared by:

<nixpkgs/nixos/modules/services/misc/lifecycled.nix>
services.lifecycled.queueCleaner.parallel

The number of parallel deletes to run.

Type: unsigned integer, meaning >=0

Default: 20

Declared by:

<nixpkgs/nixos/modules/services/misc/lifecycled.nix>
services.lifecycled.snsTopic

The SNS topic that receives events.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/lifecycled.nix>
services.lighthouse.package

The lighthouse package to use.

Type: package

Default: pkgs.lighthouse

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon

Beacon node

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.enable

Whether to enable Lightouse Beacon node.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.address

Listen address of Beacon node.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.dataDir

Directory where data will be stored. Each chain will be stored under it’s own specific subdirectory.

Type: string

Default: "/var/lib/lighthouse-beacon"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.disableDepositContractSync

Explicitly disables syncing of deposit logs from the execution node. This overrides any previous option that depends on it. Useful if you intend to run a non-validating beacon node.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.execution.address

Listen address for the execution layer.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.execution.jwtPath

Path for the jwt secret required to connect to the execution layer.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.execution.port

Port number the Beacon node will be listening on for the execution layer.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8551

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.extraArgs

Additional arguments passed to the lighthouse beacon command.

Type: string

Default: ""

Example: ""

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.http.enable

Whether to enable Beacon node http api.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.http.address

Listen address of Beacon node RPC service.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.http.port

Port number of Beacon node RPC service.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5052

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.metrics.enable

Whether to enable Beacon node prometheus metrics.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.metrics.address

Listen address of Beacon node metrics service.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.metrics.port

Port number of Beacon node metrics service.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5054

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.openFirewall

Open the port in the firewall

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.beacon.port

Port number the Beacon node will be listening on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9000

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.extraArgs

Additional arguments passed to every lighthouse command.

Type: string

Default: ""

Example: ""

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.network

The network to connect to. Mainnet is the default ethereum network.

Type: one of “mainnet”, “gnosis”, “chiado”, “sepolia”, “holesky”

Default: "mainnet"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.validator

Validator node

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.validator.enable

Enable Lightouse Validator node.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.validator.beaconNodes

Beacon nodes to connect to.

Type: list of string

Default:

[
  "http://localhost:5052"
]

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.validator.dataDir

Directory where data will be stored. Each chain will be stored under it’s own specific subdirectory.

Type: string

Default: "/var/lib/lighthouse-validator"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.validator.extraArgs

Additional arguments passed to the lighthouse validator command.

Type: string

Default: ""

Example: ""

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.validator.metrics.enable

Whether to enable Validator node prometheus metrics.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.validator.metrics.address

Listen address of Validator node metrics service.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighthouse.validator.metrics.port

Port number of Validator node metrics service.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5056

Declared by:

<nixpkgs/nixos/modules/services/blockchain/ethereum/lighthouse.nix>
services.lighttpd.enable

Enable the lighttpd web server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.enableModules

List of lighttpd modules to enable. Sub-services take care of enabling modules as needed, so this option is mainly for when you want to add custom stuff to services.lighttpd.extraConfig that depends on a certain module.

Type: list of string

Default: [ ]

Example:

[
  "mod_cgi"
  "mod_status"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.enableUpstreamMimeTypes

Whether to include the list of mime types bundled with lighttpd (upstream). If you disable this, no mime types will be added by NixOS and you will have to add your own mime types in services.lighttpd.extraConfig.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.package

The lighttpd package to use.

Type: package

Default: pkgs.lighttpd

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.cgit.enable

If true, enable cgit (fast web interface for git repositories) as a sub-service in lighttpd.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix>
services.lighttpd.cgit.configText

Verbatim contents of the cgit runtime configuration file. Documentation (with cgitrc example file) is available in “man cgitrc”. Or online: http://git.zx2c4.com/cgit/tree/cgitrc.5.txt

Type: strings concatenated with “\n”

Default: ""

Example:

''
  source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
  about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
  cache-size=1000
  scan-path=/srv/git
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix>
services.lighttpd.cgit.subdir

The subdirectory in which to serve cgit. The web application will be accessible at http://yourserver/${subdir}

Type: string

Default: "cgit"

Example: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/cgit.nix>
services.lighttpd.collectd.enable

Whether to enable collectd subservice accessible at http://yourserver/collectd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/collectd.nix>
services.lighttpd.collectd.collectionCgi

Path to collection.cgi script from (collectd sources)/contrib/collection.cgi This option allows to use a customized version

Type: path

Default: config.services.collectd.package configured for lighttpd

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/collectd.nix>
services.lighttpd.configText

Overridable config file contents to use for lighttpd. By default, use the contents automatically generated by NixOS.

Type: strings concatenated with “\n”

Default: ""

Example: "...verbatim config file contents..."

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.document-root

Document-root of the web server. Must be readable by the “lighttpd” user.

Type: path

Default: "/srv/www"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.extraConfig

These configuration lines will be appended to the generated lighttpd config file. Note that this mechanism does not work when the manual configText option is used.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.gitweb.enable

If true, enable gitweb in lighttpd. Access it at http://yourserver/gitweb

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/gitweb.nix>
services.lighttpd.mod_status

Show server status overview at /server-status, statistics at /server-statistics and list of loaded modules at /server-config.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.mod_userdir

If true, requests in the form /~user/page.html are rewritten to take the file public_html/page.html from the home directory of the user.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.lighttpd.port

TCP port number for lighttpd to bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 80

Declared by:

<nixpkgs/nixos/modules/services/web-servers/lighttpd/default.nix>
services.limesurvey.enable

Whether to enable Limesurvey web application.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.package

The limesurvey package to use.

Type: package

Default: pkgs.limesurvey

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.config

LimeSurvey configuration. Refer to https://manual.limesurvey.org/Optional_settings for details on supported values.

Type: limesurvey config type (str, int, bool or attribute set thereof)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.database.createLocally

Create the database and database user locally. This currently only applies if database type “mysql” is selected.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.database.dbEngine

Database storage engine to use.

Type: one of “MyISAM”, “InnoDB”

Default: "InnoDB"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.database.name

Database name.

Type: string

Default: "limesurvey"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/limesurvey-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.database.socket

Path to the unix socket file to use for authentication.

Type: null or path

Default: /run/mysqld/mysqld.sock

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.database.type

Database engine to use.

Type: one of “mysql”, “pgsql”, “odbc”, “mssql”

Default: "mysql"

Example: "pgsql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.database.user

Database user.

Type: string

Default: "limesurvey"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.encryptionKeyFile

32-byte key used to encrypt variables in the database.

Note: It should be string not a store path in order to prevent the password from being world readable

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.encryptionNonceFile

24-byte used to encrypt variables in the database.

Note: It should be string not a store path in order to prevent the password from being world readable

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.poolConfig

Options for the LimeSurvey PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost

Apache configuration can be done by adapting services.httpd.virtualHosts.<name>. See services.httpd.virtualHosts for further information.

Type: submodule

Example:

{
  hostName = "survey.example.org";
  adminAddr = "webmaster@example.org";
  forceSSL = true;
  enableACME = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.enableUserDir

Whether to enable serving ~/public_html as /~«username».

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.acmeRoot

Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.adminAddr

E-mail address of the server administrator.

Type: null or string

Default: null

Example: "admin@example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.documentRoot

The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.extraConfig

These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  <Directory /home>
    Options FollowSymlinks
    AllowOverride All
  </Directory>
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.forceSSL

Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.globalRedirect

If set, all requests for this host are redirected permanently to the given URL.

Type: null or string

Default: null

Example: "http://newserver.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.hostName

Canonical hostname for the server.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.http2

Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config for details.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.listen

Listen addresses and ports for this virtual host.

Note

This option overrides addSSL, forceSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    ip = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    ip = "192.154.1.1";
    port = 80;
  }
  {
    ip = "*";
    port = 8080;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.listen.*.ip

IP to listen on. 0.0.0.0 for IPv4 only, * for all.

Type: string

Default: "*"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.listen.*.port

Port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.listen.*.ssl

Whether to enable SSL (https) support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Type: non-empty (list of string)

Default:

[
  "*"
]

Example:

[
  "127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.locations

Declarative location config. See https://httpd.apache.org/docs/2.4/mod/core.html#location for details.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
  "/foo/bar.png" = {
    alias = "/home/eelco/some-file.png";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.locations.<name>.alias

Alias directory for requests. See https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.locations.<name>.index

Adds DirectoryIndex directive. See https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.locations.<name>.proxyPass

Sets up a simple reverse proxy as described by https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.logFormat

Log format for Apache’s log files. Possible values are: combined, common, referer, agent.

Type: string

Default: "common"

Example: "combined"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.robotsEntries

Specification of pages to be ignored by web crawlers. See http://www.robotstxt.org/ for details.

Type: strings concatenated with “\n”

Default: ""

Example: "Disallow: /foo/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.servedDirs

This option provides a simple way to serve static directories.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    dir = "/home/eelco/Dev/nix-homepage";
    urlPath = "/nix";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.servedFiles

This option provides a simple way to serve individual, static files.

Note

This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the locations.<name>.alias option.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    file = "/home/eelco/some-file.png";
    urlPath = "/foo/bar.png";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "www.example.org:8080"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.sslServerCert

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.sslServerChain

Path to server SSL chain file.

Type: null or path

Default: null

Example: "/var/ca.pem"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.sslServerKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.limesurvey.virtualHost.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/limesurvey.nix>
services.liquidsoap.streams

Set of Liquidsoap streams to start, one systemd service per stream.

Type: attribute set of (path or string)

Default: { }

Example:

{
  myStream1 = "/etc/liquidsoap/myStream1.liq";
  myStream2 = ./myStream2.liq;
  myStream3 = "out(playlist(\"/srv/music/\"))";
}

Declared by:

<nixpkgs/nixos/modules/services/audio/liquidsoap.nix>
services.lirc.enable

Whether to enable the LIRC daemon, to receive and send infrared signals.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/lirc.nix>
services.lirc.configs

Configurations for lircd to load, see man:lircd.conf(5) for details (lircd.conf)

Type: list of strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/hardware/lirc.nix>
services.lirc.extraArguments

Extra arguments to lircd.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/lirc.nix>
services.lirc.options

LIRC default options described in man:lircd(8) (lirc_options.conf)

Type: strings concatenated with “\n”

Example:

''
  [lircd]
  nodaemon = False
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/lirc.nix>
services.listmonk.enable

Whether to enable Listmonk, this module assumes a reverse proxy to be set.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.package

The listmonk package to use.

Type: package

Default: pkgs.listmonk

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.createLocally

Create the PostgreSQL database and database user locally.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.mutableSettings

Database settings will be reset to the value set in this module if this is not enabled. Enable this if you want to persist changes you have done in the application.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.settings

Dynamic settings in the PostgreSQL database, set by a SQL script, see https://github.com/knadh/listmonk/blob/master/schema.sql#L177-L230 for details.

Type: null or ((list of string) or list of attribute set of anything or string or signed integer or boolean)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.settings."app.notify_emails"

Administrator emails for system notifications

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.settings."bounce.mailboxes"

List of bounce mailboxes

Type: list of (list of attribute set of anything)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.settings.messengers

List of messengers, see: https://github.com/knadh/listmonk/blob/master/models/settings.go#L64-L74 for options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.settings."privacy.domain_blocklist"

E-mail addresses with these domains are disallowed from subscribing.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.settings."privacy.exportable"

List of fields which can be exported through an automatic export request

Type: list of string

Default:

[
  "profile"
  "subscriptions"
  "campaign_views"
  "link_clicks"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.settings.smtp

List of outgoing SMTP servers

Type: list of (attribute set of anything)

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.settings.smtp.*.enabled

Whether to enable this SMTP server for listmonk.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.settings.smtp.*.host

Hostname for the SMTP server

Type: string

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.settings.smtp.*.max_conns

Maximum number of simultaneous connections, defaults to 1

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.settings.smtp.*.port

Port for the SMTP server

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.database.settings.smtp.*.tls_type

Type of TLS authentication with the SMTP server

Type: one of “none”, “STARTTLS”, “TLS”

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.secretFile

A file containing secrets as environment variables. See https://listmonk.app/docs/configuration/#environment-variables for details on supported values.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.listmonk.settings

Static settings set in the config.toml, see https://github.com/knadh/listmonk/blob/master/config.toml.sample for details. You can set secrets using the secretFile option with environment variables following https://listmonk.app/docs/configuration/#environment-variables.

Type: TOML value

Declared by:

<nixpkgs/nixos/modules/services/mail/listmonk.nix>
services.litestream.enable

Whether to enable litestream.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/litestream/default.nix>
services.litestream.package

The litestream package to use.

Type: package

Default: pkgs.litestream

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/litestream/default.nix>
services.litestream.environmentFile

Environment file as defined in systemd.exec(5).

Secrets may be passed to the service without adding them to the world-readable Nix store, by specifying placeholder variables as the option value in Nix and setting these variables accordingly in the environment file.

By default, Litestream will perform environment variable expansion within the config file before reading it. Any references to $VAR or ${VAR} formatted variables will be replaced with their environment variable values. If no value is set then it will be replaced with an empty string.

  # Content of the environment file
  LITESTREAM_ACCESS_KEY_ID=AKIAxxxxxxxxxxxxxxxx
  LITESTREAM_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxx

Note that this file needs to be available on the host on which this exporter is running.

Type: null or path

Default: null

Example: "/run/secrets/litestream"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/litestream/default.nix>
services.litestream.settings

See the documentation.

Type: YAML value

Example:

{
  dbs = [
    {
      path = "/var/lib/db1";
      replicas = [
        {
          url = "s3://mybkt.litestream.io/db1";
        }
      ];
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/litestream/default.nix>
services.livebook.enableUserService

Whether to enable a user service for Livebook.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/development/livebook.nix>
services.livebook.package

The livebook package to use.

Type: package

Default: pkgs.livebook

Declared by:

<nixpkgs/nixos/modules/services/development/livebook.nix>
services.livebook.environment

Environment variables to set.

Livebook is configured through the use of environment variables. The available configuration options can be found in the Livebook documentation.

Note that all environment variables set through this configuration parameter will be readable by anyone with access to the host machine. Therefore, sensitive information like LIVEBOOK_PASSWORD or LIVEBOOK_COOKIE should never be set using this configuration option, but should instead use services.livebook.environmentFile. See the documentation for that option for more information.

Any environment variables specified in the services.livebook.environmentFile will supersede environment variables specified in this option.

Type: attribute set of (null or boolean or signed integer or string)

Default: { }

Example:

{
  LIVEBOOK_PORT = 8080;
}

Declared by:

<nixpkgs/nixos/modules/services/development/livebook.nix>
services.livebook.environmentFile

Additional environment file as defined in systemd.exec(5).

Secrets like LIVEBOOK_PASSWORD (which is used to specify the password needed to access the livebook site) or LIVEBOOK_COOKIE (which is used to specify the cookie used to connect to the running Elixir system) may be passed to the service without making them readable to everyone with access to systemctl by using this configuration parameter.

Note that this file needs to be available on the host on which livebook is running.

For security purposes, this file should contain at least LIVEBOOK_PASSWORD or LIVEBOOK_TOKEN_ENABLED=false.

See the Livebook documentation and the services.livebook.environment configuration parameter for further options.

Type: null or path

Default: null

Example: "/var/lib/livebook.env"

Declared by:

<nixpkgs/nixos/modules/services/development/livebook.nix>
services.livebook.extraPackages

Extra packages to make available to the Livebook service.

Type: list of package

Default: [ ]

Example: with pkgs; [ gcc gnumake ]

Declared by:

<nixpkgs/nixos/modules/services/development/livebook.nix>
services.llama-cpp.enable

Whether to enable LLaMA C++ server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/llama-cpp.nix>
services.llama-cpp.package

The llama-cpp package to use.

Type: package

Default: pkgs.llama-cpp

Declared by:

<nixpkgs/nixos/modules/services/misc/llama-cpp.nix>
services.llama-cpp.extraFlags

Extra flags passed to llama-cpp-server.

Type: list of string

Default: [ ]

Example:

[
  "-c"
  "4096"
  "-ngl"
  "32"
  "--numa"
  "numactl"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/llama-cpp.nix>
services.llama-cpp.host

IP address the LLaMA C++ server listens on.

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/llama-cpp.nix>
services.llama-cpp.model

Model path.

Type: path

Example: "/models/mistral-instruct-7b/ggml-model-q4_0.gguf"

Declared by:

<nixpkgs/nixos/modules/services/misc/llama-cpp.nix>
services.llama-cpp.openFirewall

Open ports in the firewall for LLaMA C++ server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/llama-cpp.nix>
services.llama-cpp.port

Listen port for LLaMA C++ server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/misc/llama-cpp.nix>
services.lldap.enable

Whether to enable lldap, a lightweight authentication server that provides an opinionated, simplified LDAP interface for authentication.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldap.package

The lldap package to use.

Type: package

Default: pkgs.lldap

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldap.environment

Environment variables passed to the service. Any config option name prefixed with LLDAP_ takes priority over the one in the configuration file.

Type: attribute set of string

Default: { }

Example:

{
  LLDAP_JWT_SECRET_FILE = "/run/lldap/jwt_secret";
  LLDAP_LDAP_USER_PASS_FILE = "/run/lldap/user_password";
}

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldap.environmentFile

Environment file as defined in systemd.exec(5) passed to the service.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldap.settings

Free-form settings written directly to the lldap_config.toml file. Refer to https://github.com/lldap/lldap/blob/main/lldap_config.docker_template.toml for supported values.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldap.settings.database_url

Database URL.

Type: string

Default: "sqlite://./users.db?mode=rwc"

Example: "postgres://postgres-user:password@postgres-server/my-database"

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldap.settings.http_host

The host address that the HTTP server will be bound to.

Type: string

Default: "::"

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldap.settings.http_port

The port on which to have the HTTP server, for user login and administration.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 17170

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldap.settings.http_url

The public URL of the server, for password reset links.

Type: string

Default: "http://localhost"

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldap.settings.ldap_base_dn

Base DN for LDAP.

Type: string

Example: "dc=example,dc=com"

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldap.settings.ldap_host

The host address that the LDAP server will be bound to.

Type: string

Default: "::"

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldap.settings.ldap_port

The port on which to have the LDAP server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3890

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldap.settings.ldap_user_dn

Admin username

Type: string

Default: "admin"

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldap.settings.ldap_user_email

Admin email.

Type: string

Default: "admin@example.com"

Declared by:

<nixpkgs/nixos/modules/services/databases/lldap.nix>
services.lldpd.enable

Whether to enable Link Layer Discovery Protocol Daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/lldpd.nix>
services.lldpd.extraArgs

List of command line parameters for lldpd

Type: list of string

Default: [ ]

Example:

[
  "-c"
  "-k"
  "-I eth0"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/lldpd.nix>
services.localtimed.enable

Enable localtimed, a simple daemon for keeping the system timezone up-to-date based on the current location. It uses geoclue2 to determine the current location.

To avoid silent overriding by the service, if you have explicitly set a timezone, either remove it or ensure that it is set with a lower priority than the default value using lib.mkDefault or lib.mkOverride. This is to make the choice deliberate. An error will be presented otherwise.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/system/localtimed.nix>
services.localtimed.package

The localtime package to use.

Type: package

Default: pkgs.localtime

Declared by:

<nixpkgs/nixos/modules/services/system/localtimed.nix>
services.localtimed.geoclue2Package

The Geoclue2 package to use.

Type: package

Default: pkgs.geoclue2-with-demo-agent

Declared by:

<nixpkgs/nixos/modules/services/system/localtimed.nix>
services.locate.enable

If enabled, NixOS will periodically update the database of files used by the locate command.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/misc/locate.nix>
services.locate.package

The locate package to use.

Type: package

Default: pkgs.findutils.locate

Example: mlocate

Declared by:

<nixpkgs/nixos/modules/misc/locate.nix>
services.locate.extraFlags

Extra flags to pass to updatedb.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/misc/locate.nix>
services.locate.interval

Update the locate database at this interval. Updates by default at 2:15 AM every day.

The format is described in systemd.time(7).

To disable automatic updates, set to "never" and run updatedb manually.

Type: string

Default: "02:15"

Example: "hourly"

Declared by:

<nixpkgs/nixos/modules/misc/locate.nix>
services.locate.localuser

The user to search non-network directories as, using su.

Type: null or string

Default: "nobody"

Declared by:

<nixpkgs/nixos/modules/misc/locate.nix>
services.locate.output

The database file to build.

Type: path

Default: "/var/cache/locatedb"

Declared by:

<nixpkgs/nixos/modules/misc/locate.nix>
services.locate.pruneBindMounts

Whether not to index bind mounts

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/misc/locate.nix>
services.locate.pruneFS

Which filesystem types to exclude from indexing

Type: list of string

Default:

[
  "afs"
  "anon_inodefs"
  "auto"
  "autofs"
  "bdev"
  "binfmt"
  "binfmt_misc"
  "ceph"
  "cgroup"
  "cgroup2"
  "cifs"
  "coda"
  "configfs"
  "cramfs"
  "cpuset"
  "curlftpfs"
  "debugfs"
  "devfs"
  "devpts"
  "devtmpfs"
  "ecryptfs"
  "eventpollfs"
  "exofs"
  "futexfs"
  "ftpfs"
  "fuse"
  "fusectl"
  "fusesmb"
  "fuse.ceph"
  "fuse.glusterfs"
  "fuse.gvfsd-fuse"
  "fuse.mfs"
  "fuse.rclone"
  "fuse.rozofs"
  "fuse.sshfs"
  "gfs"
  "gfs2"
  "hostfs"
  "hugetlbfs"
  "inotifyfs"
  "iso9660"
  "jffs2"
  "lustre"
  "lustre_lite"
  "misc"
  "mfs"
  "mqueue"
  "ncpfs"
  "nfs"
  "NFS"
  "nfs4"
  "nfsd"
  "nnpfs"
  "ocfs"
  "ocfs2"
  "pipefs"
  "proc"
  "ramfs"
  "rpc_pipefs"
  "securityfs"
  "selinuxfs"
  "sfs"
  "shfs"
  "smbfs"
  "sockfs"
  "spufs"
  "sshfs"
  "subfs"
  "supermount"
  "sysfs"
  "tmpfs"
  "tracefs"
  "ubifs"
  "udev"
  "udf"
  "usbfs"
  "vboxsf"
  "vperfctrfs"
]

Declared by:

<nixpkgs/nixos/modules/misc/locate.nix>
services.locate.pruneNames

Directory components which should exclude paths containing them from indexing

Type: list of string

Default: [ ".bzr" ".cache" ".git" ".hg" ".svn" ], if supported by the locate implementation (i.e. mlocate or plocate).

Declared by:

<nixpkgs/nixos/modules/misc/locate.nix>
services.locate.prunePaths

Which paths to exclude from indexing

Type: list of path

Default:

[
  "/tmp"
  "/var/tmp"
  "/var/cache"
  "/var/lock"
  "/var/run"
  "/var/spool"
  "/nix/store"
  "/nix/var/log/nix"
]

Declared by:

<nixpkgs/nixos/modules/misc/locate.nix>
services.logcheck.enable

Whether to enable logcheck cron job, to mail anomalies in the system logfiles to the administrator.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.config

Config options that you would like in logcheck.conf.

Type: strings concatenated with “\n”

Default: "FQDN=1"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.extraGroups

Extra groups for the logcheck user, for example to be able to use sendmail, or to access certain log files.

Type: list of string

Default: [ ]

Example:

[
  "postdrop"
  "mongodb"
]

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.extraRulesDirs

Directories with extra rules.

Type: list of path

Default: [ ]

Example:

[
  "/etc/logcheck"
]

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.files

Which log files to check.

Type: list of path

Default:

[
  "/var/log/messages"
]

Example:

[
  "/var/log/messages"
  "/var/log/mail"
]

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.ignore

This option defines extra ignore rules.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.ignore.<name>.level

Set the logcheck level.

Type: one of “workstation”, “server”, “paranoid”

Default: "server"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.ignore.<name>.regex

Regex specifying which log lines to ignore.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.ignoreCron

This option defines extra ignore rules for cronjobs.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.ignoreCron.<name>.cmdline

Command line for the cron job. Will be turned into a regex for the logcheck ignore rule.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.ignoreCron.<name>.timeArgs

“min hr dom mon dow” crontab time args, to auto-create a cronjob too. Leave at null to not do this and just add a logcheck ignore rule.

Type: null or string

Default: null

Example: "02 06 * * *"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.ignoreCron.<name>.user

User that runs the cronjob.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.level

Set the logcheck level. Either “workstation”, “server”, or “paranoid”.

Type: string

Default: "server"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.mailTo

Email address to send reports to.

Type: string

Default: "root"

Example: "you@domain.com"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.timeOfDay

Time of day to run logcheck. A logcheck will be scheduled at xx:02 each day. Leave default (*) to run every hour. Of course when nothing special was logged, logcheck will be silent.

Type: string

Default: "*"

Example: "6"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logcheck.user

Username for the logcheck user.

Type: string

Default: "logcheck"

Declared by:

<nixpkgs/nixos/modules/services/logging/logcheck.nix>
services.logind.extraConfig

Extra config options for systemd-logind. See logind.conf(5) for available options.

Type: strings concatenated with “\n”

Default: ""

Example: "IdleAction=lock"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/logind.nix>
services.logind.hibernateKey

Specifies what to do when the hibernate key is pressed.

Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”

Default: "hibernate"

Example: "ignore"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/logind.nix>
services.logind.hibernateKeyLongPress

Specifies what to do when the hibernate key is long-pressed.

Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”

Default: "ignore"

Example: "suspend"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/logind.nix>
services.logind.killUserProcesses

Specifies whether the processes of a user should be killed when the user logs out. If true, the scope unit corresponding to the session and all processes inside that scope will be terminated. If false, the scope is “abandoned” (see systemd.scope(5)), and processes are not killed.

See logind.conf(5) for more details.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/logind.nix>
services.logind.lidSwitch

Specifies what to do when the laptop lid is closed.

Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”

Default: "suspend"

Example: "ignore"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/logind.nix>
services.logind.lidSwitchDocked

Specifies what to do when the laptop lid is closed and another screen is added.

Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”

Default: "ignore"

Example: "suspend"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/logind.nix>
services.logind.lidSwitchExternalPower

Specifies what to do when the laptop lid is closed and the system is on external power. By default use the same action as specified in services.logind.lidSwitch.

Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”

Default: services.logind.lidSwitch

Example: "ignore"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/logind.nix>
services.logind.powerKey

Specifies what to do when the power key is pressed.

Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”

Default: "poweroff"

Example: "ignore"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/logind.nix>
services.logind.powerKeyLongPress

Specifies what to do when the power key is long-pressed.

Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”

Default: "ignore"

Example: "reboot"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/logind.nix>
services.logind.rebootKey

Specifies what to do when the reboot key is pressed.

Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”

Default: "reboot"

Example: "ignore"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/logind.nix>
services.logind.rebootKeyLongPress

Specifies what to do when the reboot key is long-pressed.

Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”

Default: "poweroff"

Example: "ignore"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/logind.nix>
services.logind.suspendKey

Specifies what to do when the suspend key is pressed.

Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”

Default: "suspend"

Example: "ignore"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/logind.nix>
services.logind.suspendKeyLongPress

Specifies what to do when the suspend key is long-pressed.

Type: one of “ignore”, “poweroff”, “reboot”, “halt”, “kexec”, “suspend”, “hibernate”, “hybrid-sleep”, “suspend-then-hibernate”, “lock”

Default: "hibernate"

Example: "ignore"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/logind.nix>
services.logkeys.enable

Whether to enable logkeys, a keylogger service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/logkeys.nix>
services.logkeys.device

Use the given device as keyboard input event device instead of /dev/input/eventX default.

Type: null or string

Default: null

Example: "/dev/input/event15"

Declared by:

<nixpkgs/nixos/modules/services/misc/logkeys.nix>
services.logmein-hamachi.enable

Whether to enable LogMeIn Hamachi, a proprietary (closed source) commercial VPN software.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/logmein-hamachi.nix>
services.logrotate.enable

Whether to enable the logrotate systemd service.

Type: boolean

Default: cfg.settings != {}

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/logrotate.nix>
services.logrotate.allowNetworking

Whether to enable network access for logrotate.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/logrotate.nix>
services.logrotate.checkConfig

Whether the config should be checked at build time.

Some options are not checkable at build time because of the build sandbox: for example, the test does not know about existing files and system users are not known. These limitations mean we must adjust the file for tests (missingok is forced and users are replaced by dummy users), so tests are complemented by a logrotate-checkconf service that is enabled by default. This extra check can be disabled by disabling it at the systemd level with the systemd.services.logrotate-checkconf.enable option.

Conversely there are still things that might make this check fail incorrectly (e.g. a file path where we don’t have access to intermediate directories): in this case you can disable the failing check with this option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/logging/logrotate.nix>
services.logrotate.configFile

Override the configuration file used by logrotate. By default, NixOS generates one automatically from services.logrotate.settings.

Type: path

Default:

''
  A configuration file automatically generated by NixOS.
''

Example:

pkgs.writeText "logrotate.conf" ''
  missingok
  "/var/log/*.log" {
    rotate 4
    weekly
  }
'';

Declared by:

<nixpkgs/nixos/modules/services/logging/logrotate.nix>
services.logrotate.extraArgs

Additional command line arguments to pass on logrotate invocation

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/logging/logrotate.nix>
services.logrotate.settings

logrotate freeform settings: each attribute here will define its own section, ordered by services.logrotate.settings.<name>.priority, which can either define files to rotate with their settings or settings common to all further files settings. All attribute names not explicitly defined as sub-options here are passed through as logrotate config directives, refer to https://linux.die.net/man/8/logrotate for details.

Type: attribute set of (attribute set of (null or signed integer or boolean or string))

Default: { }

Example:

{
  # global options
  header = {
    dateext = true;
  };
  # example custom files
  "/var/log/mylog.log" = {
    frequency = "daily";
    rotate = 3;
  };
  "multiple paths" = {
     files = [
      "/var/log/first*.log"
      "/var/log/second.log"
    ];
  };
  # specify custom order of sections
  "/var/log/myservice/*.log" = {
    # ensure lower priority
    priority = 110;
    postrotate = ''
      systemctl reload myservice
    '';
  };
};

Declared by:

<nixpkgs/nixos/modules/services/logging/logrotate.nix>
services.logrotate.settings.<name>.enable

Whether to enable setting individual kill switch.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/logrotate.nix>
services.logrotate.settings.<name>.files

Single or list of files for which rules are defined. The files are quoted with double-quotes in logrotate configuration, so globs and spaces are supported. Note this setting is ignored if globals is true.

Type: string or list of string

Default:

''
  The attrset name if not specified
''

Declared by:

<nixpkgs/nixos/modules/services/logging/logrotate.nix>
services.logrotate.settings.<name>.frequency

How often to rotate the logs. Defaults to previously set global setting, which itself defaults to weekly.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/logging/logrotate.nix>
services.logrotate.settings.<name>.global

Whether this setting is a global option or not: set to have these settings apply to all files settings with a higher priority.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/logrotate.nix>
services.logrotate.settings.<name>.priority

Order of this logrotate block in relation to the others. The semantics are the same as with lib.mkOrder. Smaller values are inserted first.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/logging/logrotate.nix>
services.logstash.enable

Enable logstash.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.package

The logstash package to use.

Type: package

Default: pkgs.logstash

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.dataDir

A path to directory writable by logstash that it uses to store data. Plugins will also have access to this path.

Type: string

Default: "/var/lib/logstash"

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.extraJvmOptions

Extra JVM options, one per line (jvm.options format).

Type: strings concatenated with “\n”

Default: ""

Example:

''
  -Xms2g
  -Xmx2g
''

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.extraSettings

Extra Logstash settings in YAML format.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  pipeline:
    batch:
      size: 125
      delay: 5
''

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.filterConfig

logstash filter configuration.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  if [type] == "syslog" {
    # Keep only relevant systemd fields
    # https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html
    prune {
      whitelist_names => [
        "type", "@timestamp", "@version",
        "MESSAGE", "PRIORITY", "SYSLOG_FACILITY"
      ]
    }
  }
''

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.filterWorkers

The quantity of filter workers to run.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.inputConfig

Logstash input configuration.

Type: strings concatenated with “\n”

Default: "generator { }"

Example:

''
  # Read from journal
  pipe {
    command => "${config.systemd.package}/bin/journalctl -f -o json"
    type => "syslog" codec => json {}
  }
''

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.listenAddress

Address on which to start webserver.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.logLevel

Logging verbosity level.

Type: one of “debug”, “info”, “warn”, “error”, “fatal”

Default: "warn"

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.outputConfig

Logstash output configuration.

Type: strings concatenated with “\n”

Default: "stdout { codec => rubydebug }"

Example:

''
  redis { host => ["localhost"] data_type => "list" key => "logstash" codec => json }
  elasticsearch { }
''

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.plugins

The paths to find other logstash plugins in.

Type: list of path

Default: [ ]

Example: [ pkgs.logstash-contrib ]

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.logstash.port

Port on which to start webserver.

Type: string

Default: "9292"

Declared by:

<nixpkgs/nixos/modules/services/logging/logstash.nix>
services.loki.enable

Whether to enable loki.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/loki.nix>
services.loki.package

The grafana-loki package to use.

Type: package

Default: pkgs.grafana-loki

Declared by:

<nixpkgs/nixos/modules/services/monitoring/loki.nix>
services.loki.configFile

Specify a configuration file that Loki should use.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/loki.nix>
services.loki.configuration

Specify the configuration for Loki in Nix.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/loki.nix>
services.loki.dataDir

Specify the directory for Loki.

Type: path

Default: "/var/lib/loki"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/loki.nix>
services.loki.extraFlags

Specify a list of additional command line flags, which get escaped and are then passed to Loki.

Type: list of string

Default: [ ]

Example:

[
  "--server.http-listen-port=3101"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/loki.nix>
services.loki.group

Group under which the Loki service runs.

Type: string

Default: "loki"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/loki.nix>
services.loki.user

User under which the Loki service runs.

Type: string

Default: "loki"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/loki.nix>
services.lokinet.enable

Whether to enable Lokinet daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/lokinet.nix>
services.lokinet.package

The lokinet package to use.

Type: package

Default: pkgs.lokinet

Declared by:

<nixpkgs/nixos/modules/services/networking/lokinet.nix>
services.lokinet.settings

Configuration for Lokinet. Currently, the best way to view the available settings is by generating a config file using lokinet -g.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default: { }

Example:

{
  dns = {
    bind = "127.3.2.1";
    upstream = [ "1.1.1.1" "8.8.8.8" ];
  };

  network.exit-node = [ "example.loki" "example2.loki" ];
}

Declared by:

<nixpkgs/nixos/modules/services/networking/lokinet.nix>
services.lokinet.settings.dns.bind

Address to bind to for handling DNS requests.

Type: string

Default: "127.3.2.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/lokinet.nix>
services.lokinet.settings.dns.upstream

Upstream resolver(s) to use as fallback for non-loki addresses. Multiple values accepted.

Type: list of string

Default:

[
  "9.9.9.10"
]

Example:

[
  "1.1.1.1"
  "8.8.8.8"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/lokinet.nix>
services.lokinet.settings.network.exit

Whether to act as an exit node. Beware that this increases demand on the server and may pose liability concerns. Enable at your own risk.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/lokinet.nix>
services.lokinet.settings.network.exit-node

Specify a .loki address and an optional ip range to use as an exit broker. See http://probably.loki/wiki/index.php?title=Exit_Nodes for a list of exit nodes.

Type: null or (list of string)

Default: null

Example:

''
  exit-node = [ "example.loki" ];              # maps all exit traffic to example.loki
  exit-node = [ "example.loki:100.0.0.0/24" ]; # maps 100.0.0.0/24 to example.loki
''

Declared by:

<nixpkgs/nixos/modules/services/networking/lokinet.nix>
services.lokinet.settings.network.keyfile

The private key to persist address with. If not specified the address will be ephemeral. This keyfile is generated automatically if the specified file doesn’t exist.

Type: null or string

Default: null

Example: "snappkey.private"

Declared by:

<nixpkgs/nixos/modules/services/networking/lokinet.nix>
services.lokinet.useLocally

Whether to use Lokinet locally.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/lokinet.nix>
services.longview.enable

If enabled, system metrics will be sent to Linode LongView.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/longview.nix>
services.longview.apacheStatusUrl

The Apache status page URL. If provided, Longview will gather statistics from this location. This requires Apache mod_status to be loaded and enabled.

Type: string

Default: ""

Example: "http://127.0.0.1/server-status"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/longview.nix>
services.longview.apiKey

Longview API key. To get this, look in Longview settings which are found at https://manager.linode.com/longview/.

Warning: this secret is stored in the world-readable Nix store! Use apiKeyFile instead.

Type: string

Default: ""

Example: "01234567-89AB-CDEF-0123456789ABCDEF"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/longview.nix>
services.longview.apiKeyFile

A file containing the Longview API key. To get this, look in Longview settings which are found at https://manager.linode.com/longview/.

apiKeyFile takes precedence over apiKey.

Type: null or path

Default: null

Example: "/run/keys/longview-api-key"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/longview.nix>
services.longview.mysqlPassword

The password corresponding to mysqlUser. Warning: this is stored in cleartext in the Nix store! Use mysqlPasswordFile instead.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/longview.nix>
services.longview.mysqlPasswordFile

A file containing the password corresponding to mysqlUser.

Type: null or path

Default: null

Example: "/run/keys/dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/longview.nix>
services.longview.mysqlUser

The user for connecting to the MySQL database. If provided, Longview will connect to MySQL and collect statistics about queries, etc. This user does not need to have been granted any extra privileges.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/longview.nix>
services.longview.nginxStatusUrl

The Nginx status page URL. Longview will gather statistics from this URL. This requires the Nginx stub_status module to be enabled and configured at the given location.

Type: string

Default: ""

Example: "http://127.0.0.1/nginx_status"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/longview.nix>
services.lorri.enable

Enables the daemon for lorri, a nix-shell replacement for project development. The socket-activated daemon starts on the first request issued by the lorri command.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/development/lorri.nix>
services.lorri.package

The lorri package to use.

Type: package

Default: pkgs.lorri

Declared by:

<nixpkgs/nixos/modules/services/development/lorri.nix>
services.lvm.enable

Whether to enable lvm2.

Note

The lvm2 package contains device-mapper udev rules and without those tools like cryptsetup do not fully function!

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/lvm.nix>
services.lvm.boot.thin.enable

Whether to enable support for booting from ThinLVs.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/lvm.nix>
services.lvm.boot.vdo.enable

Whether to enable support for booting from VDOLVs.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/lvm.nix>
services.lvm.dmeventd.enable

Whether to enable the LVM dmevent daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/lvm.nix>
services.lxd-image-server.enable

Whether to enable lxd-image-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/lxd-image-server.nix>
services.lxd-image-server.group

Group assigned to the user and the webroot directory.

Type: string

Default: "nginx"

Example: "www-data"

Declared by:

<nixpkgs/nixos/modules/services/networking/lxd-image-server.nix>
services.lxd-image-server.nginx.enable

Whether to enable nginx.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/lxd-image-server.nix>
services.lxd-image-server.nginx.domain

Domain to use for nginx virtual host.

Type: string

Example: "images.example.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/lxd-image-server.nix>
services.lxd-image-server.settings

Configuration for lxd-image-server.

Example see https://github.com/Avature/lxd-image-server/blob/master/config.toml.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/lxd-image-server.nix>
services.mackerel-agent.enable

Whether to enable mackerel.io agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/mackerel-agent.nix>
services.mackerel-agent.apiKeyFile

Path to file containing the Mackerel API key. The file should contain a single line of the following form:

apikey = "EXAMPLE_API_KEY"

Type: path

Example: "/run/keys/mackerel-api-key"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/mackerel-agent.nix>
services.mackerel-agent.autoRetirement

Whether to enable retiring the host upon OS shutdown .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/mackerel-agent.nix>
services.mackerel-agent.runAsRoot

Whether to enable running as root.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/mackerel-agent.nix>
services.mackerel-agent.settings

Options for mackerel-agent.conf.

Documentation: https://mackerel.io/docs/entry/spec/agent

Type: TOML value

Default: { }

Example:

{
  silent = false;
  verbose = false;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/mackerel-agent.nix>
services.mackerel-agent.settings.diagnostic

Whether to enable collecting memory usage for the agent itself.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/mackerel-agent.nix>
services.mackerel-agent.settings.host_status.on_start

Host status after agent startup.

Type: one of “working”, “standby”, “maintenance”, “poweroff”

Default: "working"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/mackerel-agent.nix>
services.mackerel-agent.settings.host_status.on_stop

Host status after agent shutdown.

Type: one of “working”, “standby”, “maintenance”, “poweroff”

Default: "poweroff"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/mackerel-agent.nix>
services.maddy.enable

Whether to enable Maddy, a free an open source mail server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.config

Server configuration, see https://maddy.email for more information. The default configuration of this module will setup minimal Maddy instance for mail transfer without TLS encryption.

Note

This should not be used in a production environment.

Type: null or strings concatenated with “\n”

Default:

''
  # Minimal configuration with TLS disabled, adapted from upstream example
  # configuration here https://github.com/foxcpp/maddy/blob/master/maddy.conf
  # Do not use this in production!
  
  auth.pass_table local_authdb {
    table sql_table {
      driver sqlite3
      dsn credentials.db
      table_name passwords
    }
  }
  
  storage.imapsql local_mailboxes {
    driver sqlite3
    dsn imapsql.db
  }
  
  table.chain local_rewrites {
    optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3"
    optional_step static {
      entry postmaster postmaster@$(primary_domain)
    }
    optional_step file /etc/maddy/aliases
  }
  
  msgpipeline local_routing {
    destination postmaster $(local_domains) {
      modify {
        replace_rcpt &local_rewrites
      }
      deliver_to &local_mailboxes
    }
    default_destination {
      reject 550 5.1.1 "User doesn't exist"
    }
  }
  
  smtp tcp://0.0.0.0:25 {
    limits {
      all rate 20 1s
      all concurrency 10
    }
    dmarc yes
    check {
      require_mx_record
      dkim
      spf
    }
    source $(local_domains) {
      reject 501 5.1.8 "Use Submission for outgoing SMTP"
    }
    default_source {
      destination postmaster $(local_domains) {
        deliver_to &local_routing
      }
      default_destination {
        reject 550 5.1.1 "User doesn't exist"
      }
    }
  }
  
  submission tcp://0.0.0.0:587 {
    limits {
      all rate 50 1s
    }
    auth &local_authdb
    source $(local_domains) {
      check {
          authorize_sender {
              prepare_email &local_rewrites
              user_to_email identity
          }
      }
      destination postmaster $(local_domains) {
          deliver_to &local_routing
      }
      default_destination {
          modify {
              dkim $(primary_domain) $(local_domains) default
          }
          deliver_to &remote_queue
      }
    }
    default_source {
      reject 501 5.1.8 "Non-local sender domain"
    }
  }
  
  target.remote outbound_delivery {
    limits {
      destination rate 20 1s
      destination concurrency 10
    }
    mx_auth {
      dane
      mtasts {
        cache fs
        fs_dir mtasts_cache/
      }
      local_policy {
          min_tls_level encrypted
          min_mx_level none
      }
    }
  }
  
  target.queue remote_queue {
    target &outbound_delivery
    autogenerated_msg_domain $(primary_domain)
    bounce {
      destination postmaster $(local_domains) {
        deliver_to &local_routing
      }
      default_destination {
          reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
      }
    }
  }
  
  imap tcp://0.0.0.0:143 {
    auth &local_authdb
    storage &local_mailboxes
  }
''

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.ensureAccounts

List of IMAP accounts which get automatically created. Note that for a complete setup, user credentials for these accounts are required and can be created using the ensureCredentials option. This option does not delete accounts which are not (anymore) listed.

Type: list of string

Default: [ ]

Example:

[
  "user1@localhost"
  "user2@localhost"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.ensureCredentials

List of user accounts which get automatically created if they don’t exist yet. Note that for a complete setup, corresponding mail boxes have to get created using the ensureAccounts option. This option does not delete accounts which are not (anymore) listed.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "user1@localhost" = {
    passwordFile = /secrets/user1-localhost;
  };
  "user2@localhost" = {
    passwordFile = /secrets/user2-localhost;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.ensureCredentials.<name>.passwordFile

Specifies the path to a file containing the clear text password for the user.

Type: path

Default: null

Example: "/path/to/file"

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.group

Group account under which maddy runs.

Note

If left as the default value this group will automatically be created on system activation, otherwise the sysadmin is responsible for ensuring the group exists before the maddy service starts.

Type: string

Default: "maddy"

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.hostname

Hostname to use. It should be FQDN.

Type: string

Default: "localhost"

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.localDomains

Define list of allowed domains.

Type: list of string

Default:

[
  "$(primary_domain)"
]

Example:

[
  "$(primary_domain)"
  "example.com"
  "other.example.com"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.openFirewall

Open the configured incoming and outgoing mail server ports.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.primaryDomain

Primary MX domain to use. It should be FQDN.

Type: string

Default: "localhost"

Example: "mail.example.com"

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.secrets

A list of files containing the various secrets. Should be in the format expected by systemd’s EnvironmentFile directory. Secrets can be referenced in the format {env:VAR}.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.tls.certificates

A list of attribute sets containing paths to TLS certificates and keys. Maddy will use SNI if multiple pairs are selected.

Type: list of (submodule)

Default: [ ]

Example:

[{
  keyPath = "/etc/ssl/mx1.example.org.key";
  certPath = "/etc/ssl/mx1.example.org.crt";
}]

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.tls.certificates.*.certPath

Path to the certificate used for TLS.

Type: path

Example: "/etc/ssl/mx1.example.org.crt"

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.tls.certificates.*.keyPath

Path to the private key used for TLS.

Type: path

Example: "/etc/ssl/mx1.example.org.key"

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.tls.extraConfig

Arguments for the specified certificate loader.

In case the tls loader is set, the defaults are considered secure and there is no need to change anything in most cases. For available options see upstream manual.

For ACME configuration, see following page.

Type: null or strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.tls.loader

TLS certificates are obtained by modules called “certificate loaders”.

The file loader module reads certificates from files specified by the certificates option.

Alternatively the acme module can be used to automatically obtain certificates using the ACME protocol.

Module configuration is done via the tls.extraConfig option.

Secrets such as API keys or passwords should not be supplied in plaintext. Instead the secrets option can be used to read secrets at runtime as environment variables. Secrets can be referenced with {env:VAR}.

Type: null or one of “off”, “file”, “acme”

Default: "off"

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.maddy.user

User account under which maddy runs.

Note

If left as the default value this user will automatically be created on system activation, otherwise the sysadmin is responsible for ensuring the user exists before the maddy service starts.

Type: string

Default: "maddy"

Declared by:

<nixpkgs/nixos/modules/services/mail/maddy.nix>
services.magic-wormhole-mailbox-server.enable

Whether to enable Magic Wormhole Mailbox Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/magic-wormhole-mailbox-server.nix>
services.magnetico.enable

Whether to enable Magnetico, Bittorrent DHT crawler.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/magnetico.nix>
services.magnetico.crawler.address

Address to be used for indexing DHT nodes.

Type: string

Default: "0.0.0.0"

Example: "1.2.3.4"

Declared by:

<nixpkgs/nixos/modules/services/torrent/magnetico.nix>
services.magnetico.crawler.extraOptions

Extra command line arguments to pass to magneticod.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/torrent/magnetico.nix>
services.magnetico.crawler.maxLeeches

Maximum number of simultaneous leeches.

Type: positive integer, meaning >0

Default: 200

Declared by:

<nixpkgs/nixos/modules/services/torrent/magnetico.nix>
services.magnetico.crawler.maxNeighbors

Maximum number of simultaneous neighbors of an indexer. Be careful changing this number: high values can very easily cause your network to be congested or even crash your router.

Type: positive integer, meaning >0

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/torrent/magnetico.nix>
services.magnetico.crawler.port

Port to be used for indexing DHT nodes. This port should be added to networking.firewall.allowedTCPPorts.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/torrent/magnetico.nix>
services.magnetico.web.address

Address the web interface will listen to.

Type: string

Default: "localhost"

Example: "1.2.3.4"

Declared by:

<nixpkgs/nixos/modules/services/torrent/magnetico.nix>
services.magnetico.web.credentials

The credentials to access the web interface, in case authentication is enabled, in the format username:hash. If unset no authentication will be required.

Usernames must start with a lowercase ([a-z]) ASCII character, might contain non-consecutive underscores except at the end, and consists of small-case a-z characters and digits 0-9. The htpasswd tool from the apacheHttpd package may be used to generate the hash: htpasswd -bnBC 12 username password

Warning

The hashes will be stored world-readable in the nix store. Consider using the credentialsFile option if you don’t want this.

Type: attribute set of string

Default: { }

Example:

{
  myuser = "$2y$12$YE01LZ8jrbQbx6c0s2hdZO71dSjn2p/O9XsYJpz.5968yCysUgiaG";
}

Declared by:

<nixpkgs/nixos/modules/services/torrent/magnetico.nix>
services.magnetico.web.credentialsFile

The path to the file holding the credentials to access the web interface. If unset no authentication will be required.

The file must contain user names and password hashes in the format username:hash, one for each line. Usernames must start with a lowecase ([a-z]) ASCII character, might contain non-consecutive underscores except at the end, and consists of small-case a-z characters and digits 0-9. The htpasswd tool from the apacheHttpd package may be used to generate the hash: htpasswd -bnBC 12 username password

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/torrent/magnetico.nix>
services.magnetico.web.extraOptions

Extra command line arguments to pass to magneticow.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/torrent/magnetico.nix>
services.magnetico.web.port

Port the web interface will listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/torrent/magnetico.nix>
services.mail.sendmailSetuidWrapper.capabilities

A comma-separated list of capability clauses to be given to the wrapper program. The format for capability clauses is described in the “TEXTUAL REPRESENTATION” section of the cap_from_text(3) manual page. For a list of capabilities supported by the system, check the capabilities(7) manual page.

Note

cap_setpcap, which is required for the wrapper program to be able to raise caps into the Ambient set is NOT raised to the Ambient set so that the real program cannot modify its own capabilities!! This may be too restrictive for cases in which the real program needs cap_setpcap but it at least leans on the side security paranoid vs. too relaxed.

Type: strings concatenated with “,”

Default: ""

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
services.mail.sendmailSetuidWrapper.group

The group of the wrapper program.

Type: string

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
services.mail.sendmailSetuidWrapper.owner

The owner of the wrapper program.

Type: string

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
services.mail.sendmailSetuidWrapper.permissions

The permissions of the wrapper program. The format is that of a symbolic or numeric file mode understood by chmod.

Type: file mode string

Default: "u+rx,g+x,o+x"

Example: "a+rx"

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
services.mail.sendmailSetuidWrapper.program

The name of the wrapper program. Defaults to the attribute name.

Type: null or string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
services.mail.sendmailSetuidWrapper.setgid

Whether to add the setgid bit the wrapper program.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
services.mail.sendmailSetuidWrapper.setuid

Whether to add the setuid bit the wrapper program.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
services.mail.sendmailSetuidWrapper.source

The absolute path to the program to be wrapped.

Type: path

Declared by:

<nixpkgs/nixos/modules/security/wrappers/default.nix>
services.mailcatcher.enable

Whether to enable MailCatcher, an SMTP server and web interface to locally test outbound emails.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/mailcatcher.nix>
services.mailcatcher.http.ip

The ip address of the http server.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailcatcher.nix>
services.mailcatcher.http.path

Prefix to all HTTP paths.

Type: null or string

Default: null

Example: "/mailcatcher"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailcatcher.nix>
services.mailcatcher.http.port

The port address of the http server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1080

Declared by:

<nixpkgs/nixos/modules/services/mail/mailcatcher.nix>
services.mailcatcher.smtp.ip

The ip address of the smtp server.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailcatcher.nix>
services.mailcatcher.smtp.port

The port address of the smtp server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1025

Declared by:

<nixpkgs/nixos/modules/services/mail/mailcatcher.nix>
services.mailhog.enable

Whether to enable MailHog, web and API based SMTP testing.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/mailhog.nix>
services.mailhog.apiPort

Port on which the API endpoint will listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8025

Declared by:

<nixpkgs/nixos/modules/services/mail/mailhog.nix>
services.mailhog.extraArgs

List of additional arguments to pass to the MailHog process.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/mailhog.nix>
services.mailhog.smtpPort

Port on which the SMTP endpoint will listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1025

Declared by:

<nixpkgs/nixos/modules/services/mail/mailhog.nix>
services.mailhog.storage

Store mails on disk or in memory.

Type: one of “maildir”, “memory”

Default: "memory"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailhog.nix>
services.mailhog.uiPort

Port on which the HTTP UI will listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8025

Declared by:

<nixpkgs/nixos/modules/services/mail/mailhog.nix>
services.mailman.enable

Enable Mailman on this host. Requires an active MTA on the host (e.g. Postfix).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.enablePostfix

Enable Postfix integration. Requires an active Postfix installation.

If you want to use another MTA, set this option to false and configure settings in services.mailman.settings.mta.

Refer to the Mailman manual for more info.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.extraPythonPackages

Packages to add to the python environment used by mailman and mailman-web

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.hyperkitty.enable

Whether to enable the Hyperkitty archiver for Mailman.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.hyperkitty.baseUrl

Where can Mailman connect to Hyperkitty’s internal API, preferably on localhost?

Type: string

Default: "http://localhost:18507/archives/"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.enable

Whether to enable LDAP auth.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.attrMap.email

LDAP-attribute that corresponds to the email-attribute in mailman.

Type: string

Default: "mail"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.attrMap.firstName

LDAP-attribute that corresponds to the firstName-attribute in mailman.

Type: string

Default: "givenName"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.attrMap.lastName

LDAP-attribute that corresponds to the lastName-attribute in mailman.

Type: string

Default: "sn"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.attrMap.username

LDAP-attribute that corresponds to the username-attribute in mailman.

Type: string

Default: "uid"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.bindDn

Service account to bind against.

Type: string

Example: "cn=root,dc=nixos,dc=org"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.bindPasswordFile

Path to the file containing the bind password of the service account defined by services.mailman.ldap.bindDn.

Type: string

Example: "/run/secrets/ldap-bind"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.groupSearch.ou

Organizational unit to look up a group.

Type: string

Example: "ou=groups,dc=nixos,dc=org"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.groupSearch.query

Query to find a group associated to a user in the LDAP database.

Type: string

Example: "(objectClass=groupOfNames)"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.groupSearch.type

Type of group to perform a group search against.

Type: one of “posixGroup”, “groupOfNames”, “memberDNGroup”, “nestedMemberDNGroup”, “nestedGroupOfNames”, “groupOfUniqueNames”, “nestedGroupOfUniqueNames”, “activeDirectoryGroup”, “nestedActiveDirectoryGroup”, “organizationalRoleGroup”, “nestedOrganizationalRoleGroup”

Default: "posixGroup"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.serverUri

LDAP host to connect against.

Type: string

Example: "ldaps://ldap.host"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.superUserGroup

Group where a user must be a member of to gain superuser rights.

Type: null or string

Default: null

Example: "cn=admin,ou=groups,dc=nixos,dc=org"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.userSearch.ou

Organizational unit to look up a user.

Type: string

Example: "ou=users,dc=nixos,dc=org"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.ldap.userSearch.query

Query to find a user in the LDAP database.

Type: string

Example: "(&(objectClass=inetOrgPerson)(|(uid=%(user)s)(mail=%(user)s)))"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.restApiPassFile

Path to the file containing the value for MAILMAN_REST_API_PASS.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.serve.enable

Whether to enable automatic nginx and uwsgi setup for mailman-web.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.serve.uwsgiSettings

Extra configuration to merge into uwsgi config.

Type: JSON value

Default: { }

Example:

{
  uwsgi = {
    buffer-size = 8192;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.serve.virtualRoot

Path to mount the mailman-web django application on.

Type: string

Default: "/"

Example: /lists

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.settings

Settings for mailman.cfg

Type: attribute set of attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.siteOwner

Certain messages that must be delivered to a human, but which can’t be delivered to a list owner (e.g. a bounce from a list owner), will be sent to this address. It should point to a human.

Type: string

Example: "postmaster@example.org"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.webHosts

The list of hostnames and/or IP addresses from which the Mailman Web UI will accept requests. By default, “localhost” and “127.0.0.1” are enabled. All additional names under which your web server accepts requests for the UI must be listed here or incoming requests will be rejected.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.webSettings

Overrides for the default mailman-web Django settings.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailman.webUser

User to run mailman-web as

Type: string

Default: "mailman-web"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailman.nix>
services.mailpit.instances

Configure mailpit instances. The attribute-set values are CLI flags passed to the mailpit CLI.

See upstream docs for all available options.

Type: attribute set of (attribute set of (string or signed integer or boolean))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/mailpit.nix>
services.mailpit.instances.<name>.database

Specify the local database filename to store persistent data. If null, a temporary file will be created that will be removed when the application stops. It’s recommended to specify a relative path. The database will be written into the service’s state directory then.

Type: null or string

Default: null

Example: "mailpit.db"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailpit.nix>
services.mailpit.instances.<name>.listen

HTTP bind interface and port for UI.

Type: string

Default: "127.0.0.1:8025"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailpit.nix>
services.mailpit.instances.<name>.max

Maximum number of emails to keep. If the number is exceeded, old emails will be deleted.

Set to 0 to never prune old emails.

Type: unsigned integer, meaning >=0

Default: 500

Declared by:

<nixpkgs/nixos/modules/services/mail/mailpit.nix>
services.mailpit.instances.<name>.smtp

SMTP bind interface and port.

Type: string

Default: "127.0.0.1:1025"

Declared by:

<nixpkgs/nixos/modules/services/mail/mailpit.nix>
services.mainsail.enable

Whether to enable a modern and responsive user interface for Klipper.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.package

The mainsail package to use.

Type: package

Default: pkgs.mainsail

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.hostName

Hostname to serve mainsail on

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx

Extra configuration for the nginx virtual host of mainsail.

Type: submodule

Default: { }

Example:

{
  serverAliases = [ "mainsail.${config.networking.domain}" ];
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.mainsail.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mainsail.nix>
services.malcontent.enable

Whether to enable Malcontent, parental control support for applications.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/malcontent.nix>
services.mame.enable

Whether to setup TUN/TAP Ethernet interface for MAME emulator.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/mame.nix>
services.mame.emuAddr

IP address of the guest system. The same you set inside guest OS under MAME. Should be on the same subnet as services.mame.hostAddr.

Type: string

Example: "192.168.31.155"

Declared by:

<nixpkgs/nixos/modules/services/misc/mame.nix>
services.mame.hostAddr

IP address of the host system. Usually an address of the main network adapter or the adapter through which you get an internet connection.

Type: string

Example: "192.168.31.156"

Declared by:

<nixpkgs/nixos/modules/services/misc/mame.nix>
services.mame.user

User from which you run MAME binary.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/mame.nix>
services.manticore.enable

Whether to enable Manticoresearch.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/search/manticore.nix>
services.manticore.settings

Configuration for Manticoresearch. See https://manual.manticoresearch.com/Server settings for more information.

Type: JSON value

Default:

{
  searchd = {
    data_dir = "/var/lib/manticore";
    listen = [
      "127.0.0.1:9312"
      "127.0.0.1:9306:mysql"
      "127.0.0.1:9308:http"
    ];
    log = "/var/log/manticore/searchd.log";
    pid_file = "/run/manticore/searchd.pid";
    query_log = "/var/log/manticore/query.log";
  };
}

Example:

{
  searchd = {
      listen = [
        "127.0.0.1:9312"
        "127.0.0.1:9306:mysql"
        "127.0.0.1:9308:http"
      ];
      log = "/var/log/manticore/searchd.log";
      query_log = "/var/log/manticore/query.log";
      pid_file = "/run/manticore/searchd.pid";
      data_dir = "/var/lib/manticore";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/search/manticore.nix>
services.marytts.enable

Whether to enable MaryTTS.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/marytts.nix>
services.marytts.package

The marytts package to use.

Type: package

Default: pkgs.marytts

Declared by:

<nixpkgs/nixos/modules/services/audio/marytts.nix>
services.marytts.basePath

The base path in which MaryTTS runs.

Type: path

Default: "/var/lib/marytts"

Declared by:

<nixpkgs/nixos/modules/services/audio/marytts.nix>
services.marytts.openFirewall

Whether to open the port in the firewall for MaryTTS.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/marytts.nix>
services.marytts.port

Port to bind the MaryTTS server to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 59125

Declared by:

<nixpkgs/nixos/modules/services/audio/marytts.nix>
services.marytts.settings

Settings for MaryTTS.

See the default settings for a list of possible keys.

Type: attribute set of (string, package, bool, int or float)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/audio/marytts.nix>
services.marytts.userDictionaries

Paths to the user dictionary files for MaryTTS.

Type: list of path

Default: [ ]

Example:

[
  (pkgs.writeTextFile {
    name = "userdict-en_US";
    destination = "/userdict-en_US.txt";
    text = ''
      Nixpkgs | n I k s - ' p { - k @ - dZ @ s
    '';
  })
]

Declared by:

<nixpkgs/nixos/modules/services/audio/marytts.nix>
services.marytts.voices

Paths to the JAR files that contain additional voices for MaryTTS.

Voices are automatically detected by MaryTTS, so there is no need to alter your config to make use of new voices.

Type: list of path

Default: [ ]

Example:

[
  (pkgs.fetchzip {
    url = "https://github.com/marytts/voice-bits1-hsmm/releases/download/v5.2/voice-bits1-hsmm-5.2.zip";
    hash = "sha256-1nK+qZxjumMev7z5lgKr660NCKH5FDwvZ9sw/YYYeaA=";
  })
]

Declared by:

<nixpkgs/nixos/modules/services/audio/marytts.nix>
services.mastodon.enable

Whether to enable Mastodon, a federated social network server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.enableUnixSocket

Instead of binding to an IP address like 127.0.0.1, you may bind to a Unix socket. This variable is process-specific, e.g. you need different values for every process, and it works for both web (Puma) processes and streaming API (Node.js) processes.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.package

Mastodon package to use.

Type: package

Default: pkgs.mastodon

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.activeRecordEncryptionDeterministicKeyFile

This key must be set to enable the Active Record Encryption feature within Rails that Mastodon uses to encrypt and decrypt some database attributes. A new Active Record keys can be generated by running:

nix build -f '<nixpkgs>' mastodon; cd result; RAILS_ENV=production ./bin/rails db:encryption:init

If this file does not exist, it will be created with a new Active Record keys.

Type: string

Default: "/var/lib/mastodon/secrets/active-record-encryption-deterministic-key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.activeRecordEncryptionKeyDerivationSaltFile

This key must be set to enable the Active Record Encryption feature within Rails that Mastodon uses to encrypt and decrypt some database attributes. A new Active Record keys can be generated by running:

nix build -f '<nixpkgs>' mastodon; cd result; RAILS_ENV=production ./bin/rails db:encryption:init

If this file does not exist, it will be created with a new Active Record keys.

Type: string

Default: "/var/lib/mastodon/secrets/active-record-encryption-key-derivation-salt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.activeRecordEncryptionPrimaryKeyFile

This key must be set to enable the Active Record Encryption feature within Rails that Mastodon uses to encrypt and decrypt some database attributes. A new Active Record keys can be generated by running:

nix build -f '<nixpkgs>' mastodon; cd result; RAILS_ENV=production ./bin/rails db:encryption:init

If this file does not exist, it will be created with a new Active Record keys.

Type: string

Default: "/var/lib/mastodon/secrets/active-record-encryption-primary-key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.automaticMigrations

Do automatic database migrations.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.configureNginx

Configure nginx as a reverse proxy for mastodon. Note that this makes some assumptions on your setup, and sets settings that will affect other virtualHosts running on your nginx instance, if any. Alternatively you can configure a reverse-proxy of your choice to serve these paths:

/ -> $(nix-instantiate --eval '<nixpkgs>' -A mastodon.outPath)/public

/ -> 127.0.0.1:{{ webPort }} (If there was no file in the directory above.)

/system/ -> /var/lib/mastodon/public-system/

/api/v1/streaming/ -> 127.0.0.1:{{ streamingPort }}

Make sure that websockets are forwarded properly. You might want to set up caching of some requests. Take a look at mastodon’s provided nginx configuration at https://github.com/mastodon/mastodon/blob/master/dist/nginx.conf.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.database.createLocally

Configure local PostgreSQL database server for Mastodon.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.database.host

Database host address or unix socket.

Type: string

Default: "/run/postgresql"

Example: "192.168.23.42"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.database.name

Database name.

Type: string

Default: "mastodon"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/var/lib/mastodon/secrets/db-password"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.database.port

Database host port.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

if config.services.mastodon.database.createLocally
then null
else 5432

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.database.user

Database user.

Type: string

Default: "mastodon"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.elasticsearch.host

Elasticsearch host. If it is not null, Elasticsearch full text search will be enabled.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.elasticsearch.passwordFile

Path to file containing password for optionally authenticating with Elasticsearch.

Type: null or path

Default: null

Example: "/var/lib/mastodon/secrets/elasticsearch-password"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.elasticsearch.port

Elasticsearch port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9200

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.elasticsearch.preset

It controls the ElasticSearch indices configuration (number of shards and replica).

Type: one of “single_node_cluster”, “small_cluster”, “large_cluster”

Default: "single_node_cluster"

Example: "large_cluster"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.elasticsearch.user

Used for optionally authenticating with Elasticsearch.

Type: null or string

Default: null

Example: "elasticsearch-mastodon"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.extraConfig

Extra environment variables to pass to all mastodon services.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.extraEnvFiles

Extra environment files to pass to all mastodon services. Useful for passing down environmental secrets.

Type: list of path

Default: [ ]

Example:

[
  "/etc/mastodon/s3config.env"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.group

Group under which mastodon runs.

Type: string

Default: "mastodon"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.localDomain

The domain serving your Mastodon instance.

Type: string

Example: "social.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.mediaAutoRemove.enable

Automatically remove remote media attachments and preview cards older than the configured amount of days.

Recommended in https://docs.joinmastodon.org/admin/setup/.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.mediaAutoRemove.olderThanDays

How old remote media needs to be in order to be removed.

Type: signed integer

Default: 30

Example: 14

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.mediaAutoRemove.startAt

How often to remove remote media.

The format is described in systemd.time(7).

Type: string

Default: "daily"

Example: "hourly"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.otpSecretFile

Path to file containing the OTP secret. A new OTP secret can be generated by running:

nix build -f '<nixpkgs>' mastodon; cd result; bin/bundle exec rails secret

If this file does not exist, it will be created with a new OTP secret.

Type: string

Default: "/var/lib/mastodon/secrets/otp-secret"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.redis.enableUnixSocket

Use Unix socket

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.redis.createLocally

Configure local Redis server for Mastodon.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.redis.host

Redis host.

Type: null or string

Default:

if config.services.mastodon.redis.createLocally && !config.services.mastodon.redis.enableUnixSocket then "127.0.0.1" else null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.redis.passwordFile

A file containing the password for Redis database.

Type: null or path

Default: null

Example: "/run/keys/mastodon-redis-password"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.redis.port

Redis port.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

if config.services.mastodon.redis.createLocally && !config.services.mastodon.redis.enableUnixSocket then 31637 else null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.secretKeyBaseFile

Path to file containing the secret key base. A new secret key base can be generated by running:

nix build -f '<nixpkgs>' mastodon; cd result; bin/bundle exec rails secret

If this file does not exist, it will be created with a new secret key base.

Type: string

Default: "/var/lib/mastodon/secrets/secret-key-base"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.sidekiqPort

TCP port used by the mastodon-sidekiq service.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 55002

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.sidekiqProcesses

How many Sidekiq processes should be used to handle background jobs, and which job classes they handle. Read the upstream documentation before configuring this!

Type: attribute set of (submodule)

Default:

{
  all = {
    jobClasses = [ ];
    threads = null;
  };
}

Example:

{
  all = {
    jobClasses = [ ];
    threads = null;
  };
  default = {
    jobClasses = [
      "default"
    ];
    threads = 10;
  };
  ingress = {
    jobClasses = [
      "ingress"
    ];
    threads = 5;
  };
  push-pull = {
    jobClasses = [
      "push"
      "pull"
    ];
    threads = 5;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.sidekiqProcesses.<name>.jobClasses

If not empty, which job classes should be executed by this process. Only one process should handle the ‘scheduler’ class. If left empty, this process will handle the ‘scheduler’ class.

Type: list of (one of “default”, “push”, “pull”, “mailers”, “scheduler”, “ingress”)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.sidekiqProcesses.<name>.threads

Number of threads this process should use for executing jobs. If null, the configured sidekiqThreads are used.

Type: null or signed integer

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.sidekiqThreads

Worker threads used by the mastodon-sidekiq-all service. If sidekiqProcesses is configured and any processes specify null threads, this value is used.

Type: signed integer

Default: 25

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.smtp.authenticate

Authenticate with the SMTP server using username and password.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.smtp.createLocally

Configure local Postfix SMTP server for Mastodon.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.smtp.fromAddress

“From” address used when sending Emails to users.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.smtp.host

SMTP host used when sending emails to users.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.smtp.passwordFile

Path to file containing the SMTP password.

Type: null or path

Default: null

Example: "/var/lib/mastodon/secrets/smtp-password"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.smtp.port

SMTP port used when sending emails to users.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 25

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.smtp.user

SMTP login name.

Type: null or string

Default: null

Example: "mastodon@example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.streamingProcesses

Number of processes used by the mastodon-streaming service. Please define this explicitly, recommended is the amount of your CPU cores minus one.

Type: positive integer, meaning >0

Example: 3

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.trustedProxy

You need to set it to the IP from which your reverse proxy sends requests to Mastodon’s web process, otherwise Mastodon will record the reverse proxy’s own IP as the IP of all requests, which would be bad because IP addresses are used for important rate limits and security functions.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.user

User under which mastodon runs. If it is set to “mastodon”, that user will be created, otherwise it should be set to the name of a user created elsewhere. In both cases, the mastodon package will be added to the user’s package set and a tootctl wrapper to system packages that switches to the configured account and load the right environment.

Type: string

Default: "mastodon"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.vapidPrivateKeyFile

Path to file containing the private key used for Web Push Voluntary Application Server Identification. A new keypair can be generated by running:

nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys

If this file does not exist, it will be created with a new private key.

Type: string

Default: "/var/lib/mastodon/secrets/vapid-private-key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.vapidPublicKeyFile

Path to file containing the public key used for Web Push Voluntary Application Server Identification. A new keypair can be generated by running:

nix build -f '<nixpkgs>' mastodon; cd result; RAILS_ENV=production bin/rake webpush:generate_keys

If mastodon.vapidPrivateKeyFiledoes not exist, it and this file will be created with a new keypair.

Type: string

Default: "/var/lib/mastodon/secrets/vapid-public-key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.webPort

TCP port used by the mastodon-web service.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 55001

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.webProcesses

Processes used by the mastodon-web service.

Type: signed integer

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.mastodon.webThreads

Threads per process used by the mastodon-web service.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mastodon.nix>
services.matomo.enable

Enable Matomo web analytics with php-fpm backend. Either the nginx option or the webServerUser option is mandatory.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.package

The matomo package to use.

Type: package

Default: pkgs.matomo

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.hostname

URL of the host, without https prefix. You may want to change it if you run Matomo on a different URL than matomo.yourdomain.

Type: string

Default:

"matomo.${config.networking.fqdnOrHostName}"

Example: "matomo.yourdomain.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx

With this option, you can customize an nginx virtualHost which already has sensible defaults for Matomo. Either this option or the webServerUser option is mandatory. Set this to {} to just enable the virtualHost if you don’t need any customization. If enabled, then by default, the serverName is ${user}.${config.networking.hostName}.${config.networking.domain}, SSL is active, and certificates are acquired via ACME. If this is set to null (the default), no nginx virtualHost will be configured.

Type: null or (submodule)

Default: null

Example:

{
  serverAliases = [
    "matomo.${config.networking.domain}"
    "stats.${config.networking.domain}"
  ];
  enableACME = false;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.periodicArchiveProcessing

Enable periodic archive processing, which generates aggregated reports from the visits.

This means that you can safely disable browser triggers for Matomo archiving, and safely enable to delete old visitor logs. Before deleting visitor logs, make sure though that you run systemctl start matomo-archive-processing.service at least once without errors if you have already collected data before.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matomo.webServerUser

Name of the web server user that forwards requests to services.phpfpm.pools.<name>.socket the fastcgi socket for Matomo if the nginx option is not used. Either this option or the nginx option is mandatory. If you want to use another webserver than nginx, you need to set this to that server’s user and pass fastcgi requests to index.php, matomo.php and piwik.php (legacy name) to this socket.

Type: null or string

Default: null

Example: "lighttpd"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/matomo.nix>
services.matrix-appservice-discord.enable

Whether to enable a bridge between Matrix and Discord.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-discord.nix>
services.matrix-appservice-discord.package

The matrix-appservice-discord package to use.

Type: package

Default: pkgs.matrix-appservice-discord

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-discord.nix>
services.matrix-appservice-discord.environmentFile

File containing environment variables to be passed to the matrix-appservice-discord service, in which secret tokens can be specified securely by defining values for APPSERVICE_DISCORD_AUTH_CLIENT_I_D and APPSERVICE_DISCORD_AUTH_BOT_TOKEN.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-discord.nix>
services.matrix-appservice-discord.localpart

The user_id localpart to assign to the AS.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-discord.nix>
services.matrix-appservice-discord.port

Port number on which the bridge should listen for internal communication with the Matrix homeserver.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9005

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-discord.nix>
services.matrix-appservice-discord.serviceDependencies

List of Systemd services to require and wait for when starting the application service, such as the Matrix homeserver if it’s running on the same host.

Type: list of string

Default:

lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-discord.nix>
services.matrix-appservice-discord.settings

config.yaml configuration as a Nix attribute set.

Configuration options should match those described in config.sample.yaml.

config.bridge.domain and config.bridge.homeserverUrl should be set to match the public host name of the Matrix homeserver for webhooks and avatars to work.

Secret tokens should be specified using environmentFile instead of this world-readable attribute set.

Type: attribute set

Default:

{
  auth = {
    botToken = "";
    clientID = "";
  };
  database = {
    filename = "/var/lib/matrix-appservice-discord/discord.db";
  };
}

Example:

{
  bridge = {
    domain = "public-domain.tld";
    homeserverUrl = "http://public-domain.tld:8008";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-discord.nix>
services.matrix-appservice-discord.url

The URL where the application service is listening for HS requests.

Type: string

Default: "http://localhost:${toString config.services.matrix-appservice-discord.port}"

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-discord.nix>
services.matrix-appservice-irc.enable

Whether to enable the Matrix/IRC bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.localpart

The user_id localpart to assign to the appservice

Type: string

Default: "appservice-irc"

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.needBindingCap

Whether the daemon needs to bind to ports below 1024 (e.g. for the ident service)

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.passwordEncryptionKeyLength

Length of the key to encrypt IRC passwords with

Type: unsigned integer, meaning >=0

Default: 4096

Example: 8192

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.port

The port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8009

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.registrationUrl

The URL where the application service is listening for homeserver requests, from the Matrix homeserver perspective.

Type: string

Example: "http://localhost:8009"

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings

Configuration for the appservice, see https://github.com/matrix-org/matrix-appservice-irc/blob/3.0.3/config.sample.yaml for supported values

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings.database

Configuration for the database

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings.database.connectionString

The database connection string

Type: string

Default: "nedb://var/lib/matrix-appservice-irc/data"

Example: "postgres://username:password@host:port/databasename"

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings.database.engine

Which database engine to use

Type: string

Default: "nedb"

Example: "postgres"

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings.homeserver

Homeserver configuration

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings.homeserver.domain

The ‘domain’ part for user IDs on this home server. Usually (but not always) is the “domain name” part of the homeserver URL.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings.homeserver.url

The URL to the home server for client-server API calls

Type: string

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings.ircService

IRC bridge configuration

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings.ircService.mediaProxy.bindPort

Port that the media proxy binds to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 11111

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings.ircService.mediaProxy.publicUrl

URL under which the media proxy is publicly acccessible.

Type: string

Example: "https://matrix.example.com/media"

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings.ircService.mediaProxy.signingKeyPath

Path to the signing key file for authenticated media.

Type: path

Default: "/var/lib/matrix-appservice-irc/media-signingkey.jwk"

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings.ircService.mediaProxy.ttlSeconds

Lifetime in seconds, that generated URLs stay valid.

Set the lifetime to 0 to prevent URLs from becoming invalid.

Type: unsigned integer, meaning >=0

Default: 3600

Example: 0

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings.ircService.passwordEncryptionKeyPath

Location of the key with which IRC passwords are encrypted for storage. Will be generated on first run if not present.

Type: string

Default: "/var/lib/matrix-appservice-irc/passkey.pem"

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-appservice-irc.settings.ircService.servers

IRC servers to connect to

Type: JSON value

Declared by:

<nixpkgs/nixos/modules/services/matrix/appservice-irc.nix>
services.matrix-conduit.enable

Whether to enable matrix-conduit.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.package

The matrix-conduit package to use.

Type: package

Default: pkgs.matrix-conduit

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.extraEnvironment

Extra Environment variables to pass to the conduit server.

Type: attribute set of string

Default: { }

Example:

{
  RUST_BACKTRACE = "yes";
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.settings

Generates the conduit.toml configuration file. Refer to https://docs.conduit.rs/configuration.html for details on supported values. Note that database_path can not be edited because the service’s reliance on systemd StateDir.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.settings.global.address

Address to listen on for connections by the reverse proxy/tls terminator.

Type: string

Default: "::1"

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.settings.global.allow_check_for_updates

Whether to allow Conduit to automatically contact https://conduit.rs hourly to check for important Conduit news.

Disabled by default because nixpkgs handles updates.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.settings.global.allow_encryption

Whether new encrypted rooms can be created. Note: existing rooms will continue to work.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.settings.global.allow_federation

Whether this server federates with other servers.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.settings.global.allow_registration

Whether new users can register on this server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.settings.global.database_backend

The database backend for the service. Switching it on an existing instance will require manual migration of data.

Type: one of “sqlite”, “rocksdb”

Default: "sqlite"

Example: "rocksdb"

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.settings.global.database_path

Path to the conduit database, the directory where conduit will save its data. Note that due to using the DynamicUser feature of systemd, this value should not be changed and is set to be read only.

Type: string (read only)

Default: "/var/lib/matrix-conduit/"

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.settings.global.max_request_size

Max request size in bytes. Don’t forget to also change it in the proxy.

Type: positive integer, meaning >0

Default: 20000000

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.settings.global.port

The port Conduit will be running on. You need to set up a reverse proxy in your web server (e.g. apache or nginx), so all requests to /_matrix on port 443 and 8448 will be forwarded to the Conduit instance running on this port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6167

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.settings.global.server_name

The server_name is the name of this server. It is used as a suffix for user # and room ids.

Type: string

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-conduit.settings.global.trusted_servers

Servers trusted with signing server keys.

Type: list of string

Default:

[
  "matrix.org"
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/conduit.nix>
services.matrix-hookshot.enable

Whether to enable matrix-hookshot, a bridge between Matrix and project management services.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/hookshot.nix>
services.matrix-hookshot.package

The matrix-hookshot package to use.

Type: package

Default: pkgs.matrix-hookshot

Declared by:

<nixpkgs/nixos/modules/services/matrix/hookshot.nix>
services.matrix-hookshot.registrationFile

Appservice registration file. As it contains secret tokens, you may not want to add this to the publicly readable Nix store.

Type: path

Example:

pkgs.writeText "matrix-hookshot-registration" \'\'
  id: matrix-hookshot
  as_token: aaaaaaaaaa
  hs_token: aaaaaaaaaa
  namespaces:
    rooms: []
    users:
      - regex: "@_webhooks_.*:foobar"
        exclusive: true

  sender_localpart: hookshot
  url: "http://localhost:9993"
  rate_limited: false
  \'\'

Declared by:

<nixpkgs/nixos/modules/services/matrix/hookshot.nix>
services.matrix-hookshot.serviceDependencies

List of Systemd services to require and wait for when starting the application service, such as the Matrix homeserver if it’s running on the same host.

Type: list of string

Default:

lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit

Declared by:

<nixpkgs/nixos/modules/services/matrix/hookshot.nix>
services.matrix-hookshot.settings

config.yml configuration as a Nix attribute set.

For details please see the documentation.

Type: YAML value

Default: { }

Example:

{
  bridge = {
    bindAddress = "127.0.0.1";
    domain = "example.com";
    mediaUrl = "https://example.com";
    port = 9993;
    url = "http://localhost:8008";
  };
  listeners = [
    {
      bindAddress = "0.0.0.0";
      port = 9000;
      resources = [
        "webhooks"
      ];
    }
    {
      bindAddress = "localhost";
      port = 9001;
      resources = [
        "metrics"
        "provisioning"
      ];
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/hookshot.nix>
services.matrix-hookshot.settings.passFile

A passkey used to encrypt tokens stored inside the bridge. File will be generated if not found.

Type: path

Default: "/var/lib/matrix-hookshot/passkey.pem"

Declared by:

<nixpkgs/nixos/modules/services/matrix/hookshot.nix>
services.matrix-synapse.enable

Whether to enable matrix.org synapse, the reference homeserver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.enableRegistrationScript

Whether to install the register_new_matrix_user script, that allows account creation on the terminal.

Note

This script does not work when the client listener uses UNIX domain sockets

Type: boolean

Default:

''
  Enabled if the client listener uses TCP sockets
''

Example: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.package

Reference to the matrix-synapse wrapper with all extras (e.g. for oidc or saml2) added to the PYTHONPATH of all executables.

This option is useful to reference the “final” matrix-synapse package that’s actually used by matrix-synapse.service. For instance, when using workers, it’s possible to run ${config.services.matrix-synapse.package}/bin/synapse_worker and no additional PYTHONPATH needs to be specified for extras or plugins configured via services.matrix-synapse.

However, this means that this option is supposed to be only declared by the services.matrix-synapse module itself and is thus read-only. In order to modify matrix-synapse itself, use an overlay to override pkgs.matrix-synapse-unwrapped.

Type: package (read only)

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.configFile

Path to the configuration file on the target system. Useful to configure e.g. workers that also need this.

Type: path (read only)

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.configureRedisLocally

Whether to automatically configure a local redis server for matrix-synapse.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.dataDir

The directory where matrix-synapse stores its stateful data such as certificates, media and uploads.

Type: string

Default: "/var/lib/matrix-synapse"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.extraConfigFiles

Extra config files to include.

The configuration files will be included based on the command line argument --config-path. This allows to configure secrets without having to go through the Nix store, e.g. based on deployment keys if NixOps is in use.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.extras

Explicitly install extras provided by matrix-synapse. Most will require some additional configuration.

Extras will automatically be enabled, when the relevant configuration sections are present.

Please note that this option is additive: i.e. when adding a new item to this list, the defaults are still kept. To override the defaults as well, use lib.mkForce.

Type: list of (one of “cache-memory”, “jwt”, “oidc”, “postgres”, “redis”, “saml2”, “sentry”, “systemd”, “url-preview”, “user-search”)

Default:

[
  "systemd"
  "postgres"
  "url-preview"
  "user-search"
]

Example:

[
  "cache-memory" # Provide statistics about caching memory consumption
  "jwt"          # JSON Web Token authentication
  "oidc"         # OpenID Connect authentication
  "postgres"     # PostgreSQL database backend
  "redis"        # Redis support for the replication stream between worker processes
  "saml2"        # SAML2 authentication
  "sentry"       # Error tracking and performance metrics
  "systemd"      # Provide the JournalHandler used in the default log_config
  "url-preview"  # Support for oEmbed URL previews
  "user-search"  # Support internationalized domain names in user-search
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.log

Default configuration for the loggers used by matrix-synapse and its workers. The defaults are added with the default priority which means that these will be merged with additional declarations. These additional declarations also take precedence over the defaults when declared with at least normal priority. For instance the log-level for synapse and its workers can be changed like this:

{ lib, ... }: {
  services.matrix-synapse.log.root.level = "WARNING";
}

And another field can be added like this:

{
  services.matrix-synapse.log = {
    loggers."synapse.http.matrixfederationclient".level = "DEBUG";
  };
}

Additionally, the field handlers.journal.SYSLOG_IDENTIFIER will be added to each log config, i.e.

  • synapse for matrix-synapse.service

  • synapse-<worker name> for matrix-synapse-worker-<worker name>.service

This is only done if this option has a handlers.journal field declared.

To discard all settings declared by this option for each worker and synapse, lib.mkForce can be used.

To discard all settings declared by this option for a single worker or synapse only, services.matrix-synapse.workers.<name>.worker_log_config or services.matrix-synapse.settings.log_config can be used.

Type: attribute set of (YAML value)

Default:

{
  disable_existing_loggers = false;
  formatters = {
    journal_fmt = {
      format = "%(name)s: [%(request)s] %(message)s";
    };
  };
  handlers = {
    journal = {
      class = "systemd.journal.JournalHandler";
      formatter = "journal_fmt";
    };
  };
  root = {
    handlers = [
      "journal"
    ];
    level = "INFO";
  };
  version = 1;
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.plugins

List of additional Matrix plugins to make available.

Type: list of package

Default: [ ]

Example:

with config.services.matrix-synapse.package.plugins; [
  matrix-synapse-ldap3
  matrix-synapse-pam
];

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.serviceUnit

The systemd unit (a service or a target) for other services to depend on if they need to be started after matrix-synapse.

This option is useful as the actual parent unit for all matrix-synapse processes changes when configuring workers.

Type: string (read only)

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings

The primary synapse configuration. See the sample configuration for possible values.

Secrets should be passed in by using the extraConfigFiles option.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.enable_metrics

Enable collection and rendering of performance metrics

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.enable_registration

Enable registration for new users.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.app_service_config_files

A list of application service config file to use

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.database.args.database

Name of the database when using the psycopg2 backend, path to the database location when using sqlite3.

Type: string

Default:

{
  sqlite3 = "${services.matrix-synapse.dataDir}/homeserver.db";
  psycopg2 = "matrix-synapse";
}.${services.matrix-synapse.settings.database.name};

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.database.args.user

Username to connect with psycopg2, set to null when using sqlite3.

Type: null or string

Default:

{
  sqlite3 = null;
  psycopg2 = "matrix-synapse";
}.${cfg.settings.database.name};

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.database.name

The database engine name. Can be sqlite3 or psycopg2.

Type: one of “sqlite3”, “psycopg2”

Default:

if versionAtLeast config.system.stateVersion "18.03"
then "psycopg2"
else "sqlite3"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.dynamic_thumbnails

Whether to generate new thumbnails on the fly to precisely match the resolution requested by the client. If true then whenever a new resolution is requested by the client the server will generate a new thumbnail. If false the server will pick a thumbnail from a precalculated list.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.listeners

List of ports that Synapse should listen on, their purpose and their configuration.

By default, synapse will be configured for client and federation traffic on port 8008, and use a UNIX domain socket for worker replication. See services.matrix-synapse.workers for more details.

Type: list of (submodule)

Default:

[
  {
    bind_addresses = [
      "127.0.0.1"
    ];
    port = 8008;
    resources = [
      {
        compress = true;
        names = [
          "client"
        ];
      }
      {
        compress = false;
        names = [
          "federation"
        ];
      }
    ];
    tls = false;
    type = "http";
    x_forwarded = true;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.listeners.*.bind_addresses

IP addresses to bind the listener to.

Type: null or (list of string)

Default:

if path != null then
  null
else
  [
    "::1"
    "127.0.0.1"
  ]

Example:

[
  "::"
  "0.0.0.0"
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.listeners.*.mode

File permissions on the UNIX domain socket.

Type: null or string matching the pattern ^[0,2-7]{3,4}$

Default:

if path != null then
  "660"
else
  null

Example: "660"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.listeners.*.path

Unix domain socket path to bind this listener to.

Note

This option is incompatible with bind_addresses, port, tls and also does not support the metrics and manhole listener type.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.listeners.*.port

The port to listen for HTTP(S) requests on.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Example: 8448

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.listeners.*.resources

List of HTTP resources to serve on this listener.

Type: list of (submodule)

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.listeners.*.resources.*.compress

Whether synapse should compress HTTP responses to clients that support it. This should be disabled if running synapse behind a load balancer that can do automatic compression.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.listeners.*.resources.*.names

List of resources to host on this listener.

Type: list of (one of “client”, “consent”, “federation”, “health”, “keys”, “media”, “metrics”, “openid”, “replication”, “static”)

Example:

[
  "client"
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.listeners.*.tls

Whether to enable TLS on the listener socket.

Note

This option will be ignored for UNIX domain sockets.

Type: null or boolean

Default:

''
  Enabled for the main instance listener, unless it is configured with a UNIX domain socket path.
''

Example: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.listeners.*.type

The type of the listener, usually http.

Type: one of “http”, “manhole”, “metrics”, “replication”

Default: "http"

Example: "metrics"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.listeners.*.x_forwarded

Use the X-Forwarded-For (XFF) header as the client IP and not the actual client IP.

Type: boolean

Default:

''
  Enabled if the listener is configured with a UNIX domain socket path
''

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.log_config

The file that holds the logging configuration.

Type: path

Default: Path to a yaml file generated from this Nix expression:

{
  disable_existing_loggers = false;
  formatters = {
    journal_fmt = {
      format = "%(name)s: [%(request)s] %(message)s";
    };
  };
  handlers = {
    journal = {
      SYSLOG_IDENTIFIER = "synapse";
      class = "systemd.journal.JournalHandler";
      formatter = "journal_fmt";
    };
  };
  root = {
    handlers = [
      "journal"
    ];
    level = "INFO";
  };
  version = 1;
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.macaroon_secret_key

Secret key for authentication tokens. If none is specified, the registration_shared_secret is used, if one is given; otherwise, a secret key is derived from the signing key.

Secrets should be passed in via extraConfigFiles!

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.max_image_pixels

Maximum number of pixels that will be thumbnailed

Type: string

Default: "32M"

Example: "64M"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.max_upload_size

The largest allowed upload size in bytes

Type: string

Default: "50M"

Example: "100M"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.media_store_path

Directory where uploaded images and attachments are stored.

Type: path

Default: "/var/lib/matrix-synapse/media_store for when system.stateVersion is at least 22.05, /var/lib/matrix-synapse/media when lower than 22.05"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.pid_file

The file to store the PID in.

Type: path (read only)

Default: "/run/matrix-synapse.pid"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.presence.enabled

Whether to enable presence tracking.

Presence tracking allows users to see the state (e.g online/offline) of other local and remote users.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.public_baseurl

The public-facing base URL for the client API (not including _matrix/…)

Type: null or string

Default: null

Example: "https://example.com:8448/"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.redis

Redis configuration for synapse.

See the upstream documentation for available options.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.redis.enabled

Whether to use redis support

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.registration_shared_secret

If set, allows registration by anyone who also has the shared secret, even if registration is otherwise disabled.

Secrets should be passed in via extraConfigFiles!

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.report_stats

Whether or not to report anonymized homeserver usage statistics.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.server_name

The domain name of the server, with optional explicit port. This is used by remote servers to look up the server address. This is also the last part of your UserID.

The server_name cannot be changed later so it is important to configure this correctly before you start Synapse.

Type: string

Default: config.networking.hostName

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.signing_key_path

Path to the signing key to sign messages with.

Type: path

Default: "/var/lib/matrix-synapse/homeserver.signing.key"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.tls_certificate_path

PEM encoded X509 certificate for TLS. You can replace the self-signed certificate that synapse autogenerates on launch with your own SSL certificate + key pair if you like. Any required intermediary certificates can be appended after the primary certificate in hierarchical order.

Type: null or string

Default: null

Example: "/var/lib/acme/example.com/fullchain.pem"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.tls_private_key_path

PEM encoded private key for TLS. Specify null if synapse is not speaking TLS directly.

Type: null or string

Default: null

Example: "/var/lib/acme/example.com/key.pem"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.trusted_key_servers

The trusted servers to download signing keys from.

Type: list of (YAML value)

Default:

[
  {
    server_name = "matrix.org";
    verify_keys = {
      "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
    };
  }
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.trusted_key_servers.*.server_name

Hostname of the trusted server.

Type: string

Example: "matrix.org"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.turn_shared_secret

The shared secret used to compute passwords for the TURN server.

Secrets should be passed in via extraConfigFiles!

Type: string

Default: ""

Example:

config.services.coturn.static-auth-secret

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.turn_uris

The public URIs of the TURN server to give to clients

Type: list of string

Default: [ ]

Example:

[
  "turn:turn.example.com:3487?transport=udp"
  "turn:turn.example.com:3487?transport=tcp"
  "turns:turn.example.com:5349?transport=udp"
  "turns:turn.example.com:5349?transport=tcp"
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.url_preview_enabled

Is the preview URL API enabled? If enabled, you must specify an explicit url_preview_ip_range_blacklist of IPs that the spider is denied from accessing.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.url_preview_ip_range_blacklist

List of IP address CIDR ranges that the URL preview spider is denied from accessing.

Type: list of string

Default:

[
  "10.0.0.0/8"
  "100.64.0.0/10"
  "127.0.0.0/8"
  "169.254.0.0/16"
  "172.16.0.0/12"
  "192.0.0.0/24"
  "192.0.2.0/24"
  "192.168.0.0/16"
  "192.88.99.0/24"
  "198.18.0.0/15"
  "198.51.100.0/24"
  "2001:db8::/32"
  "203.0.113.0/24"
  "224.0.0.0/4"
  "::1/128"
  "fc00::/7"
  "fe80::/10"
  "fec0::/10"
  "ff00::/8"
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.url_preview_ip_range_whitelist

List of IP address CIDR ranges that the URL preview spider is allowed to access even if they are specified in url_preview_ip_range_blacklist.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.settings.url_preview_url_blacklist

Optional list of URL matches that the URL preview spider is denied from accessing.

Type: list of ((attribute set of string) or string convertible to it)

Default: [ ]

Example:

[
  { scheme = "http"; } # no http previews
  { netloc = "www.acme.com"; path = "/foo"; } # block http(s)://www.acme.com/foo
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.withJemalloc

Whether to preload jemalloc to reduce memory fragmentation and overall usage.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers

Options for configuring workers. Worker support will be enabled if at least one worker is configured here.

See the worker documention for possible options for each worker. Worker-specific options overriding the shared homeserver configuration can be specified here for each worker.

Note

Worker support will add a replication listener on port 9093 to the main synapse process using the default value of services.matrix-synapse.settings.listeners and configure that listener as services.matrix-synapse.settings.instance_map.main. If you set either of those options, make sure to configure a replication listener yourself.

A redis server is required for running workers. A local one can be enabled using services.matrix-synapse.configureRedisLocally.

Workers also require a proper reverse proxy setup to direct incoming requests to the appropriate process. See the reverse proxy documentation for a general reverse proxying setup and the worker documentation for the available endpoints per worker application.

Type: attribute set of (YAML value)

Default: { }

Example:

{
  "federation_sender" = { };
  "federation_receiver" = {
    worker_listeners = [
      {
        type = "http";
        port = 8009;
        bind_addresses = [ "127.0.0.1" ];
        tls = false;
        x_forwarded = true;
        resources = [{
          names = [ "federation" ];
        }];
      }
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers.<name>.worker_app

Type of this worker

Type: one of “synapse.app.generic_worker”, “synapse.app.media_repository”

Default: "synapse.app.generic_worker"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers.<name>.worker_listeners

List of ports that this worker should listen on, their purpose and their configuration.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers.<name>.worker_listeners.*.bind_addresses

IP addresses to bind the listener to.

Type: null or (list of string)

Default:

if path != null then
  null
else
  [
    "::1"
    "127.0.0.1"
  ]

Example:

[
  "::"
  "0.0.0.0"
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers.<name>.worker_listeners.*.mode

File permissions on the UNIX domain socket.

Type: null or string matching the pattern ^[0,2-7]{3,4}$

Default:

if path != null then
  "660"
else
  null

Example: "660"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers.<name>.worker_listeners.*.path

Unix domain socket path to bind this listener to.

Note

This option is incompatible with bind_addresses, port, tls and also does not support the metrics and manhole listener type.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers.<name>.worker_listeners.*.port

The port to listen for HTTP(S) requests on.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Example: 8448

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers.<name>.worker_listeners.*.resources

List of HTTP resources to serve on this listener.

Type: list of (submodule)

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers.<name>.worker_listeners.*.resources.*.compress

Whether synapse should compress HTTP responses to clients that support it. This should be disabled if running synapse behind a load balancer that can do automatic compression.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers.<name>.worker_listeners.*.resources.*.names

List of resources to host on this listener.

Type: list of (one of “client”, “consent”, “federation”, “health”, “keys”, “media”, “metrics”, “openid”, “replication”, “static”)

Example:

[
  "client"
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers.<name>.worker_listeners.*.tls

Whether to enable TLS on the listener socket.

Note

This option will be ignored for UNIX domain sockets.

Type: null or boolean

Default:

''
  Enabled for the main instance listener, unless it is configured with a UNIX domain socket path.
''

Example: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers.<name>.worker_listeners.*.type

The type of the listener, usually http.

Type: one of “http”, “manhole”, “metrics”, “replication”

Default: "http"

Example: "metrics"

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers.<name>.worker_listeners.*.x_forwarded

Use the X-Forwarded-For (XFF) header as the client IP and not the actual client IP.

Type: boolean

Default:

''
  Enabled if the listener is configured with a UNIX domain socket path
''

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matrix-synapse.workers.<name>.worker_log_config

The file for log configuration.

See the python documentation for the schema and the upstream repository for an example.

Type: path

Default: Path to a yaml file generated from this Nix expression:

{
  disable_existing_loggers = false;
  formatters = {
    journal_fmt = {
      format = "%(name)s: [%(request)s] %(message)s";
    };
  };
  handlers = {
    journal = {
      SYSLOG_IDENTIFIER = "synapse-‹name›";
      class = "systemd.journal.JournalHandler";
      formatter = "journal_fmt";
    };
  };
  root = {
    handlers = [
      "journal"
    ];
    level = "INFO";
  };
  version = 1;
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/synapse.nix>
services.matter-server.enable

Whether to enable Matter-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/matter-server.nix>
services.matter-server.package

The python-matter-server package to use.

Type: package

Default: pkgs.python-matter-server

Declared by:

<nixpkgs/nixos/modules/services/home-automation/matter-server.nix>
services.matter-server.extraArgs

Extra arguments to pass to the matter-server executable. See https://github.com/home-assistant-libs/python-matter-server?tab=readme-ov-file#running-the-development-server for options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/matter-server.nix>
services.matter-server.logLevel

Verbosity of logs from the matter-server

Type: one of “critical”, “error”, “warning”, “info”, “debug”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/matter-server.nix>
services.matter-server.port

Port to expose the matter-server service on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5580

Declared by:

<nixpkgs/nixos/modules/services/home-automation/matter-server.nix>
services.matterbridge.enable

Whether to enable Matterbridge chat platform bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/matterbridge.nix>
services.matterbridge.package

The matterbridge package to use.

Type: package

Default: pkgs.matterbridge

Declared by:

<nixpkgs/nixos/modules/services/networking/matterbridge.nix>
services.matterbridge.configFile

WARNING: THIS IS INSECURE, as your password will end up in /nix/store, thus publicly readable. Use services.matterbridge.configPath instead.

The matterbridge configuration file in the TOML file format.

Type: string

Example:

''
  # WARNING: as this file contains credentials, do not use this option!
  # It is kept only for backwards compatibility, and would cause your
  # credentials to be in the nix-store, thus with the world-readable
  # permission bits.
  # Use services.matterbridge.configPath instead.
  
  [irc]
      [irc.libera]
      Server="irc.libera.chat:6667"
      Nick="matterbot"
  
  [mattermost]
      [mattermost.work]
       # Do not prefix it with http:// or https://
       Server="yourmattermostserver.domain"
       Team="yourteam"
       Login="yourlogin"
       Password="yourpass"
       PrefixMessagesWithNick=true
  
  [[gateway]]
  name="gateway1"
  enable=true
      [[gateway.inout]]
      account="irc.libera"
      channel="#testing"
  
      [[gateway.inout]]
      account="mattermost.work"
      channel="off-topic"
''

Declared by:

<nixpkgs/nixos/modules/services/networking/matterbridge.nix>
services.matterbridge.configPath

The path to the matterbridge configuration file.

Type: null or string

Default: null

Example: "/etc/nixos/matterbridge.toml"

Declared by:

<nixpkgs/nixos/modules/services/networking/matterbridge.nix>
services.matterbridge.group

Group which runs the matterbridge service.

Type: string

Default: "matterbridge"

Declared by:

<nixpkgs/nixos/modules/services/networking/matterbridge.nix>
services.matterbridge.user

User which runs the matterbridge service.

Type: string

Default: "matterbridge"

Declared by:

<nixpkgs/nixos/modules/services/networking/matterbridge.nix>
services.mattermost.enable

Whether to enable Mattermost chat server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.package

The mattermost package to use.

Type: package

Default: pkgs.mattermost

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.environmentFile

Environment file (see systemd.exec(5) “EnvironmentFile=” section for the syntax) which sets config options for mattermost (see the mattermost documentation).

Settings defined in the environment file will overwrite settings set via nix or via the services.mattermost.extraConfig option.

Useful for setting config options without their value ending up in the (world-readable) nix store, e.g. for a database password.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.extraConfig

Additional configuration options as Nix attribute set in config.json schema.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.group

Group which runs the Mattermost service.

Type: string

Default: "mattermost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.listenAddress

Address and port this Mattermost instance listens to.

Type: string

Default: ":8065"

Example: "[::1]:8065"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.localDatabaseCreate

Create a local PostgreSQL database for Mattermost automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.localDatabaseName

Local Mattermost database name.

Type: string

Default: "mattermost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.localDatabasePassword

Password for local Mattermost database user.

Type: string

Default: "mmpgsecret"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.localDatabaseUser

Local Mattermost database username.

Type: string

Default: "mattermost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.matterircd.enable

Whether to enable Mattermost IRC bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.matterircd.package

The matterircd package to use.

Type: package

Default: pkgs.matterircd

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.matterircd.parameters

Set commandline parameters to pass to matterircd. See https://github.com/42wim/matterircd#usage for more information.

Type: list of string

Default: [ ]

Example:

[
  "-mmserver chat.example.com"
  "-bind [::]:6667"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.mutableConfig

Whether the Mattermost config.json is writeable by Mattermost.

Most of the settings can be edited in the system console of Mattermost if this option is enabled. A template config using the options specified in services.mattermost will be generated but won’t be overwritten on changes or rebuilds.

If this option is disabled, changes in the system console won’t be possible (default). If an config.json is present, it will be overwritten!

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.plugins

Plugins to add to the configuration. Overrides any installed if non-null. This is a list of paths to .tar.gz files or derivations evaluating to .tar.gz files.

Type: list of (path or package)

Default: [ ]

Example: "[ ./com.github.moussetc.mattermost.plugin.giphy-2.0.0.tar.gz ]"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.preferNixConfig

If both mutableConfig and this option are set, the Nix configuration will take precedence over any settings configured in the server console.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.siteName

Name of this Mattermost site.

Type: string

Default: "Mattermost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.siteUrl

URL this Mattermost instance is reachable under, without trailing slash.

Type: string

Example: "https://chat.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.statePath

Mattermost working directory

Type: string

Default: "/var/lib/mattermost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.mattermost.user

User which runs the Mattermost service.

Type: string

Default: "mattermost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mattermost.nix>
services.maubot.enable

Whether to enable maubot.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.package

The maubot package to use.

Type: package

Default: pkgs.maubot

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.configMutable

Whether maubot should write updated config into extraConfigFile. This will make your Nix module settings have no effect besides the initial config, as extraConfigFile takes precedence over NixOS settings!

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.dataDir

The directory where maubot stores its stateful data.

Type: string

Default: "/var/lib/maubot"

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.extraConfigFile

A file for storing secrets. You can pass homeserver registration keys here. If it already exists, it must contain server.unshared_secret which is used for signing API keys. If configMutable is not set to true, maubot user must have write access to this file.

Type: string

Default: "${config.services.maubot.dataDir}/config.yaml"

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.plugins

List of additional maubot plugins to make available.

Type: list of package

Default: [ ]

Example:

with config.services.maubot.package.plugins; [
  xyz.maubot.reactbot
  xyz.maubot.rss
];

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.pythonPackages

List of additional Python packages to make available for maubot.

Type: list of package

Default: [ ]

Example:

with pkgs.python3Packages; [
  aiohttp
];

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings

YAML settings for maubot. See the example configuration for more info.

Secrets should be passed in by using extraConfigFile.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.admins

List of administrator users. Plaintext passwords will be bcrypted on startup. Set empty password to prevent normal login. Root is a special user that can’t have a password and will always exist.

Type: attribute set of string

Default:

{
  root = "";
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.api_features

API feature switches.

Type: attribute set of boolean

Default:

{
  client = true;
  client_auth = true;
  client_proxy = true;
  dev_open = true;
  instance = true;
  instance_database = true;
  log = true;
  login = true;
  plugin = true;
  plugin_upload = true;
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.crypto_database

Separate database URL for the crypto database. By default, the regular database is also used for crypto.

Type: string

Default: "default"

Example: "postgresql://username:password@hostname/dbname"

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.database

The full URI to the database. SQLite and Postgres are fully supported. Other DBMSes supported by SQLAlchemy may or may not work.

Type: string

Default: "sqlite:maubot.db"

Example: "postgresql://username:password@hostname/dbname"

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.database_opts

Additional arguments for asyncpg.create_pool() or sqlite3.connect()

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.homeservers

Known homeservers. This is required for the mbc auth command and also allows more convenient access from the management UI. If you want to specify registration secrets, pass this via extraConfigFile instead.

Type: attribute set of (submodule)

Default:

{
  "matrix.org" = {
    url = "https://matrix-client.matrix.org";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.homeservers.<name>.url

Client-server API URL

Type: string

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.logging

Python logging configuration. See section 16.7.2 of the Python documentation for more info.

Type: attribute set

Default:

{
  formatters = {
    colored = {
      "()" = "maubot.lib.color_log.ColorFormatter";
      format = "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s";
    };
    normal = {
      format = "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s";
    };
  };
  handlers = {
    console = {
      class = "logging.StreamHandler";
      formatter = "colored";
    };
    file = {
      backupCount = 10;
      class = "logging.handlers.RotatingFileHandler";
      filename = "./maubot.log";
      formatter = "normal";
      maxBytes = 10485760;
    };
  };
  loggers = {
    aiohttp = {
      level = "INFO";
    };
    mau = {
      level = "DEBUG";
    };
    maubot = {
      level = "DEBUG";
    };
  };
  root = {
    handlers = [
      "file"
      "console"
    ];
    level = "DEBUG";
  };
  version = 1;
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.plugin_databases

Plugin database settings

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.plugin_databases.postgres

The connection URL for plugin database. See example config for exact format.

Type: null or string

Default: if isPostgresql config.services.maubot.settings.database then "default" else null

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.plugin_databases.postgres_max_conns_per_plugin

Maximum number of connections per plugin instance.

Type: null or signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.plugin_databases.postgres_opts

Overrides for the default database_opts when using a non-default postgres connection URL.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.plugin_databases.sqlite

The directory where SQLite plugin databases should be stored.

Type: string

Default: "${config.services.maubot.dataDir}/plugins"

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.plugin_directories

Plugin directory paths

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.plugin_directories.load

The directories from which plugins should be loaded. Duplicate plugin IDs will be moved to the trash.

Type: list of string

Default: [ "${config.services.maubot.dataDir}/plugins" ]

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.plugin_directories.trash

The directory where old plugin versions and conflicting plugins should be moved. Set to null to delete files immediately.

Type: null or string

Default: "${config.services.maubot.dataDir}/trash"

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.plugin_directories.upload

The directory where uploaded new plugins should be stored.

Type: string

Default: "${config.services.maubot.dataDir}/plugins"

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.server

Listener config

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.server.hostname

The IP to listen on

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.server.override_resource_path

Override path from where to load UI resources.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.server.plugin_base_path

The base path for plugin endpoints. The instance ID will be appended directly.

Type: string

Default:

"${config.services.maubot.settings.server.ui_base_path}/plugin/"

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.server.port

The port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 29316

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.server.public_url

Public base URL where the server is visible.

Type: string

Default: "http://${config.services.maubot.settings.server.hostname}:${toString config.services.maubot.settings.server.port}"

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.maubot.settings.server.ui_base_path

The base path for the UI.

Type: string

Default: "/_matrix/maubot"

Declared by:

<nixpkgs/nixos/modules/services/matrix/maubot.nix>
services.mautrix-facebook.enable

Whether to enable Mautrix-Facebook, a Matrix-Facebook hybrid puppeting/relaybot bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-facebook.nix>
services.mautrix-facebook.configurePostgresql

Enable PostgreSQL and create a user and database for mautrix-facebook. The default settings reference this database, if you disable this option you must provide a database URL.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-facebook.nix>
services.mautrix-facebook.environmentFile

File containing environment variables to be passed to the mautrix-facebook service.

Any config variable can be overridden by setting MAUTRIX_FACEBOOK_SOME_KEY to override the some.key variable.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-facebook.nix>
services.mautrix-facebook.registrationData

Output data for appservice registration. Simply make any desired changes and serialize to JSON. Note that this data contains secrets so think twice before putting it into the nix store.

Currently as_token and hs_token need to be added as they are not known to this module.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-facebook.nix>
services.mautrix-facebook.settings

config.yaml configuration as a Nix attribute set. Configuration options should match those described in example-config.yaml.

Secret tokens should be specified using environmentFile instead of this world-readable attribute set.

Type: JSON value

Default:

{
  appservice = {
    address = "http://localhost:29319";
    bot_username = "facebookbot";
    database = "postgresql://";
    hostname = "localhost";
    id = "facebook";
    port = 29319;
  };
  bridge = {
    encryption = {
      allow = true;
      default = true;
      verification_levels = {
        receive = "cross-signed-tofu";
        send = "cross-signed-tofu";
        share = "cross-signed-tofu";
      };
    };
    username_template = "facebook_{userid}";
  };
  homeserver = {
    address = "http://localhost:8008";
    software = "standard";
  };
  logging = {
    formatters = {
      journal_fmt = {
        format = "%(name)s: %(message)s";
      };
    };
    handlers = {
      journal = {
        SYSLOG_IDENTIFIER = "mautrix-facebook";
        class = "systemd.journal.JournalHandler";
        formatter = "journal_fmt";
      };
    };
    root = {
      handlers = [
        "journal"
      ];
      level = "INFO";
    };
    version = 1;
  };
  manhole = {
    enabled = false;
  };
  metrics = {
    enabled = false;
  };
}

Example:

{
  homeserver = {
    address = "http://localhost:8008";
    domain = "mydomain.example";
  };

  bridge.permissions = {
    "@admin:mydomain.example" = "admin";
    "mydomain.example" = "user";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-facebook.nix>
services.mautrix-meta.package

The mautrix-meta package to use.

Type: package

Default: pkgs.mautrix-meta

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-meta.nix>
services.mautrix-meta.instances

Configuration of multiple mautrix-meta instances. services.mautrix-meta.instances.facebook and services.mautrix-meta.instances.instagram come preconfigured with network.mode, appservice.id, bot username, display name and avatar.

Type: attribute set of (submodule)

Example:

''
  {
    facebook = {
      enable = true;
      settings = {
        homeserver.domain = "example.com";
      };
    };
  
    instagram = {
      enable = true;
      settings = {
        homeserver.domain = "example.com";
      };
    };
  
    messenger = {
      enable = true;
      settings = {
        network.mode = "messenger";
        homeserver.domain = "example.com";
        appservice = {
          id = "messenger";
          bot = {
            username = "messengerbot";
            displayname = "Messenger bridge bot";
            avatar = "mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak";
          };
        };
      };
    };
  }
''

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-meta.nix>
services.mautrix-meta.instances.<name>.enable

Whether to enable Mautrix-Meta, a Matrix <-> Facebook and Matrix <-> Instagram hybrid puppeting/relaybot bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-meta.nix>
services.mautrix-meta.instances.<name>.dataDir

Path to the directory with database, registration, and other data for the bridge service. This path is relative to /var/lib, it cannot start with ../ (it cannot be outside of /var/lib).

Type: string

Default: "mautrix-meta-‹name›"

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-meta.nix>
services.mautrix-meta.instances.<name>.environmentFile

File containing environment variables to substitute when copying the configuration out of Nix store to the services.mautrix-meta.dataDir.

Can be used for storing the secrets without making them available in the Nix store.

For example, you can set services.mautrix-meta.settings.appservice.as_token = "$MAUTRIX_META_APPSERVICE_AS_TOKEN" and then specify MAUTRIX_META_APPSERVICE_AS_TOKEN="{token}" in the environment file. This value will get substituted into the configuration file as as token.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-meta.nix>
services.mautrix-meta.instances.<name>.registerToSynapse

Whether to add registration file to services.matrix-synapse.settings.app_service_config_files and make Synapse wait for registration service.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-meta.nix>
services.mautrix-meta.instances.<name>.registrationFile

Path to the yaml registration file of the appservice.

Type: path (read only)

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-meta.nix>
services.mautrix-meta.instances.<name>.registrationServiceUnit

The registration service that generates the registration file.

Systemd unit (a service or a target) for other services to depend on if they need to be started after mautrix-meta registration service.

This option is useful as the actual parent unit for all matrix-synapse processes changes when configuring workers.

Type: string (read only)

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-meta.nix>
services.mautrix-meta.instances.<name>.serviceDependencies

List of Systemd services to require and wait for when starting the application service.

Type: list of string

Default:

''
  [ config.registrationServiceUnit ] ++
  (lib.lists.optional upperConfig.services.matrix-synapse.enable upperConfig.services.matrix-synapse.serviceUnit) ++
  (lib.lists.optional upperConfig.services.matrix-conduit.enable "matrix-conduit.service") ++
  (lib.lists.optional upperConfig.services.dendrite.enable "dendrite.service");
''

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-meta.nix>
services.mautrix-meta.instances.<name>.serviceUnit

The systemd unit (a service or a target) for other services to depend on if they need to be started after matrix-synapse.

This option is useful as the actual parent unit for all matrix-synapse processes changes when configuring workers.

Type: string (read only)

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-meta.nix>
services.mautrix-meta.instances.<name>.settings

config.yaml configuration as a Nix attribute set. Configuration options should match those described in example-config.yaml.

Secret tokens should be specified using environmentFile instead

Type: YAML value

Default:

''
  {
    homeserver = {
      software = "standard";
      address = "https://''${config.settings.homeserver.domain}";
    };
  
    appservice = {
      database = {
        type = "sqlite3-fk-wal";
        uri = "file:''${fullDataDir config}/mautrix-meta.db?_txlock=immediate";
      };
  
      hostname = "localhost";
      port = 29319;
      address = "http://''${config.settings.appservice.hostname}:''${toString config.settings.appservice.port}";
    };
  
    bridge = {
      # Require encryption by default to make the bridge more secure
      encryption = {
        allow = true;
        default = true;
        require = true;
  
        # Recommended options from mautrix documentation
        # for optimal security.
        delete_keys = {
          dont_store_outbound = true;
          ratchet_on_decrypt = true;
          delete_fully_used_on_decrypt = true;
          delete_prev_on_new_session = true;
          delete_on_device_delete = true;
          periodically_delete_expired = true;
          delete_outdated_inbound = true;
        };
  
        verification_levels = {
          receive = "cross-signed-tofu";
          send = "cross-signed-tofu";
          share = "cross-signed-tofu";
        };
      };
    };
  
    logging = {
      min_level = "info";
      writers = lib.singleton {
        type = "stdout";
        format = "pretty-colored";
        time_format = " ";
      };
    };
  };
''

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-meta.nix>
services.mautrix-signal.enable

Whether to enable mautrix-signal, a Matrix-Signal puppeting bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-signal.nix>
services.mautrix-signal.environmentFile

File containing environment variables to be passed to the mautrix-signal service. If an environment variable MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET is set, then its value will be used in the configuration file for the option double_puppet.secrets without leaking it to the store, using the configured homeserver.domain as key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-signal.nix>
services.mautrix-signal.registerToSynapse

Whether to add the bridge’s app service registration file to services.matrix-synapse.settings.app_service_config_files.

Type: boolean

Default:

config.services.matrix-synapse.enable

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-signal.nix>
services.mautrix-signal.serviceDependencies

List of systemd units to require and wait for when starting the application service.

Type: list of string

Default:

(optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)
++ (optional config.services.matrix-conduit.enable "conduit.service")

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-signal.nix>
services.mautrix-signal.settings

config.yaml configuration as a Nix attribute set. Configuration options should match those described in the example configuration. Get an example configuration by executing mautrix-signal -c example.yaml --generate-example-config Secret tokens should be specified using environmentFile instead of this world-readable attribute set.

Type: JSON value

Default:

{
  appservice = {
    as_token = "";
    bot = {
      displayname = "Signal Bridge Bot";
      username = "signalbot";
    };
    hostname = "[::]";
    hs_token = "";
    id = "signal";
    port = 29328;
    username_template = "signal_{{.}}";
  };
  bridge = {
    command_prefix = "!signal";
    permissions = {
      "*" = "relay";
    };
    relay = {
      enabled = true;
    };
  };
  database = {
    type = "sqlite3";
    uri = "file:/var/lib/mautrix-signal/mautrix-signal.db?_txlock=immediate";
  };
  direct_media = {
    server_key = "";
  };
  double_puppet = {
    secrets = { };
    servers = { };
  };
  encryption = {
    pickle_key = "";
  };
  homeserver = {
    address = "http://localhost:8448";
  };
  logging = {
    min_level = "info";
    writers = [
      {
        format = "pretty-colored";
        time_format = " ";
        type = "stdout";
      }
    ];
  };
  network = {
    displayname_template = "{{or .ProfileName .PhoneNumber \"Unknown user\"}}";
  };
  provisioning = {
    shared_secret = "";
  };
  public_media = {
    signing_key = "";
  };
}

Example:

{
  appservice = {
    ephemeral_events = false;
    id = "signal";
  };
  backfill = {
    enabled = true;
  };
  bridge = {
    mute_only_on_create = false;
    permissions = {
      "example.com" = "user";
    };
    private_chat_portal_meta = true;
  };
  database = {
    type = "postgres";
    uri = "postgresql:///mautrix_signal?host=/run/postgresql";
  };
  encryption = {
    allow = true;
    default = true;
    pickle_key = "$ENCRYPTION_PICKLE_KEY";
    require = true;
  };
  homeserver = {
    address = "http://[::1]:8008";
    domain = "my-domain.tld";
  };
  matrix = {
    message_status_events = true;
  };
  provisioning = {
    shared_secret = "disable";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-signal.nix>
services.mautrix-telegram.enable

Whether to enable Mautrix-Telegram, a Matrix-Telegram hybrid puppeting/relaybot bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-telegram.nix>
services.mautrix-telegram.environmentFile

File containing environment variables to be passed to the mautrix-telegram service, in which secret tokens can be specified securely by defining values for e.g. MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN, MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN, MAUTRIX_TELEGRAM_TELEGRAM_API_ID, MAUTRIX_TELEGRAM_TELEGRAM_API_HASH and optionally MAUTRIX_TELEGRAM_TELEGRAM_BOT_TOKEN.

These environment variables can also be used to set other options by replacing hierarchy levels by ., converting the name to uppercase and prepending MAUTRIX_TELEGRAM_. For example, the first value above maps to settings.appservice.as_token.

The environment variable values can be prefixed with json:: to have them be parsed as JSON. For example, login_shared_secret_map can be set as follows: MAUTRIX_TELEGRAM_BRIDGE_LOGIN_SHARED_SECRET_MAP=json::{"example.com":"secret"}.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-telegram.nix>
services.mautrix-telegram.serviceDependencies

List of Systemd services to require and wait for when starting the application service.

Type: list of string

Default:

lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-telegram.nix>
services.mautrix-telegram.settings

config.yaml configuration as a Nix attribute set. Configuration options should match those described in example-config.yaml.

Secret tokens should be specified using environmentFile instead of this world-readable attribute set.

Type: JSON value

Default:

{
  appservice = {
    address = "http://localhost:8080";
    database = "sqlite:////var/lib/mautrix-telegram/mautrix-telegram.db";
    database_opts = { };
    hostname = "0.0.0.0";
    port = 8080;
  };
  bridge = {
    double_puppet_server_map = { };
    login_shared_secret_map = { };
    permissions = {
      "*" = "relaybot";
    };
    relaybot = {
      whitelist = [ ];
    };
  };
  homeserver = {
    software = "standard";
  };
  logging = {
    formatters = {
      precise = {
        format = "[%(levelname)s@%(name)s] %(message)s";
      };
    };
    handlers = {
      console = {
        class = "logging.StreamHandler";
        formatter = "precise";
      };
    };
    loggers = {
      aiohttp = {
        level = "WARNING";
      };
      mau = {
        level = "INFO";
      };
      telethon = {
        level = "INFO";
      };
    };
    root = {
      handlers = [
        "console"
      ];
      level = "INFO";
    };
    version = 1;
  };
}

Example:

{
  homeserver = {
    address = "http://localhost:8008";
    domain = "public-domain.tld";
  };

  appservice.public = {
    prefix = "/public";
    external = "https://public-appservice-address/public";
  };

  bridge.permissions = {
    "example.com" = "full";
    "@admin:example.com" = "admin";
  };
  telegram = {
    connection.use_ipv6 = true;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-telegram.nix>
services.mautrix-whatsapp.enable

Whether to enable mautrix-whatsapp, a puppeting/relaybot bridge between Matrix and WhatsApp.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-whatsapp.nix>
services.mautrix-whatsapp.environmentFile

File containing environment variables to be passed to the mautrix-whatsapp service, in which secret tokens can be specified securely by optionally defining a value for MAUTRIX_WHATSAPP_BRIDGE_LOGIN_SHARED_SECRET.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-whatsapp.nix>
services.mautrix-whatsapp.registerToSynapse

Whether to add the bridge’s app service registration file to services.matrix-synapse.settings.app_service_config_files.

Type: boolean

Default: config.services.matrix-synapse.enable

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-whatsapp.nix>
services.mautrix-whatsapp.serviceDependencies

List of Systemd services to require and wait for when starting the application service.

Type: list of string

Default:

optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnits

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-whatsapp.nix>
services.mautrix-whatsapp.settings

config.yaml configuration as a Nix attribute set. Configuration options should match those described in example-config.yaml. Secret tokens should be specified using environmentFile instead of this world-readable attribute set.

Type: JSON value

Default:

{
  appservice = {
    as_token = "";
    bot = {
      displayname = "WhatsApp Bridge Bot";
      username = "whatsappbot";
    };
    database = {
      type = "sqlite3";
      uri = "/var/lib/mautrix-whatsapp/mautrix-whatsapp.db";
    };
    hostname = "[::]";
    hs_token = "";
    id = "whatsapp";
    port = 29318;
  };
  bridge = {
    command_prefix = "!wa";
    displayname_template = "{{if .BusinessName}}{{.BusinessName}}{{else if .PushName}}{{.PushName}}{{else}}{{.JID}}{{end}} (WA)";
    double_puppet_server_map = { };
    login_shared_secret_map = { };
    permissions = {
      "*" = "relay";
    };
    relay = {
      enabled = true;
    };
    username_template = "whatsapp_{{.}}";
  };
  homeserver = {
    address = "http://localhost:8448";
  };
  logging = {
    min_level = "info";
    writers = [
      {
        format = "pretty-colored";
        time_format = " ";
        type = "stdout";
      }
    ];
  };
}

Example:

{
  appservice = {
    database = {
      type = "postgres";
      uri = "postgresql:///mautrix_whatsapp?host=/run/postgresql";
    };
    ephemeral_events = false;
    id = "whatsapp";
  };
  bridge = {
    encryption = {
      allow = true;
      default = true;
      require = true;
    };
    history_sync = {
      request_full_sync = true;
    };
    mute_bridging = true;
    permissions = {
      "example.com" = "user";
    };
    private_chat_portal_meta = true;
    provisioning = {
      shared_secret = "disable";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/mautrix-whatsapp.nix>
services.mbpfan.enable

Whether to enable mbpfan, fan controller daemon for Apple Macs and MacBooks.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/mbpfan.nix>
services.mbpfan.package

The mbpfan package to use.

Type: package

Default: pkgs.mbpfan

Declared by:

<nixpkgs/nixos/modules/services/misc/mbpfan.nix>
services.mbpfan.aggressive

If true, favors higher default fan speeds.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/mbpfan.nix>
services.mbpfan.settings

INI configuration for Mbpfan.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/mbpfan.nix>
services.mbpfan.settings.general.high_temp

If temperature is above this, fan speed will gradually increase.

Type: signed integer

Default: 58

Declared by:

<nixpkgs/nixos/modules/services/misc/mbpfan.nix>
services.mbpfan.settings.general.low_temp

If temperature is below this, fans will run at minimum speed.

Type: signed integer

Default: 55

Declared by:

<nixpkgs/nixos/modules/services/misc/mbpfan.nix>
services.mbpfan.settings.general.max_temp

If temperature is above this, fans will run at maximum speed.

Type: signed integer

Default: 78

Declared by:

<nixpkgs/nixos/modules/services/misc/mbpfan.nix>
services.mbpfan.settings.general.polling_interval

The polling interval.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/misc/mbpfan.nix>
services.mbpfan.verbose

If true, sets the log level to verbose.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/mbpfan.nix>
services.mchprs.enable

Whether to enable MCHPRS, a Minecraft server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.package

The mchprs package to use.

Type: package

Default: pkgs.mchprs

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.dataDir

Directory to store MCHPRS database and other state/data files.

Type: path

Default: "/var/lib/mchprs"

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.declarativeSettings

Whether to use a declarative configuration for MCHPRS.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.declarativeWhitelist

Whether to use a declarative whitelist. The options services.mchprs.whitelist.list will be applied if and only if set to true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.maxRuntime

Automatically restart the server after services.mchprs.maxRuntime. The time span format is described here: https://www.freedesktop.org/software/systemd/man/systemd.time.html#Parsing%20Time%20Spans. If null, then the server is not restarted automatically.

Type: string

Default: "infinity"

Example: "7d"

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.openFirewall

Whether to open ports in the firewall for the server. Only has effect when services.mchprs.declarativeSettings is true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.settings

Configuration for MCHPRS via Config.toml. See https://github.com/MCHPR/MCHPRS/blob/master/README.md for documentation.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.settings.address

Address for the server. Please use enclosing square brackets when using ipv6. Only has effect when services.mchprs.declarativeSettings is true.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.settings.auto_redpiler

Use redpiler automatically. Only has effect when services.mchprs.declarativeSettings is true.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.settings.block_in_hitbox

Allow placing blocks inside of players (hitbox logic is simplified). Only has effect when services.mchprs.declarativeSettings is true.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.settings.bungeecord

Enable compatibility with BungeeCord. Only has effect when services.mchprs.declarativeSettings is true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.settings.chat_format

How to format chat message interpolating username and message with curly braces. Only has effect when services.mchprs.declarativeSettings is true.

Type: string

Default: "<{username}> {message}"

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.settings.max_players

Maximum number of simultaneous players. Only has effect when services.mchprs.declarativeSettings is true.

Type: positive integer, meaning >0

Default: 99999

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.settings.motd

Message of the day. Only has effect when services.mchprs.declarativeSettings is true.

Type: string

Default: "Minecraft High Performance Redstone Server"

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.settings.port

Port for the server. Only has effect when services.mchprs.declarativeSettings is true.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 25565

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.settings.schemati

Mimic the verification and directory layout used by the Open Redstone Engineers Schemati plugin. Only has effect when services.mchprs.declarativeSettings is true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.settings.view_distance

Maximal distance (in chunks) between players and loaded chunks. Only has effect when services.mchprs.declarativeSettings is true.

Type: positive integer, meaning >0

Default: 8

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.whitelist.enable

Whether or not the whitelist (in whitelist.json) shoud be enabled. Only has effect when services.mchprs.declarativeSettings is true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mchprs.whitelist.list

Whitelisted players, only has an effect when services.mchprs.declarativeWhitelist is true and the whitelist is enabled via services.mchprs.whitelist.enable. This is a mapping from Minecraft usernames to UUIDs. You can use https://mcuuid.net/ to get a Minecraft UUID for a username.

Type: attribute set of Minecraft UUID

Default: { }

Example:

{
  username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
  username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy";
};

Declared by:

<nixpkgs/nixos/modules/services/games/mchprs.nix>
services.mealie.enable

Whether to enable Mealie, a recipe manager and meal planner.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mealie.nix>
services.mealie.package

The mealie package to use.

Type: package

Default: pkgs.mealie

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mealie.nix>
services.mealie.credentialsFile

File containing credentials used in mealie such as POSTGRES_PASSWORD or sensitive LDAP options.

Expects the format of an EnvironmentFile=, as described by systemd.exec(5).

Type: null or path

Default: null

Example: "/run/secrets/mealie-credentials.env"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mealie.nix>
services.mealie.listenAddress

Address on which the service should listen.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mealie.nix>
services.mealie.port

Port on which to serve the Mealie service.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mealie.nix>
services.mealie.settings

Configuration of the Mealie service.

See the mealie documentation for available options and default values.

Type: attribute set of anything

Default: { }

Example:

{
  ALLOW_SIGNUP = "false";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mealie.nix>
services.mediagoblin.enable

Whether to enable MediaGoblin.

After the initial deployment, make sure to add an admin account:

mediagoblin-gmg adduser --username admin --email admin@example.com
mediagoblin-gmg makeadmin admin

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediagoblin.nix>
services.mediagoblin.package

The mediagoblin package to use.

Type: package

Default: pkgs.mediagoblin

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediagoblin.nix>
services.mediagoblin.createDatabaseLocally

Whether to configure a local postgres database and connect to it.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediagoblin.nix>
services.mediagoblin.domain

Domain under which mediagoblin will be served.

Type: string

Example: "mediagoblin.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediagoblin.nix>
services.mediagoblin.paste.port

Port under which paste will listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6543

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediagoblin.nix>
services.mediagoblin.paste.settings

Settings which are written into paste.ini.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediagoblin.nix>
services.mediagoblin.pluginPackages

Plugins to add to the environment of MediaGoblin. They still need to be enabled in the config.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediagoblin.nix>
services.mediagoblin.settings

Settings which are written into mediagoblin.ini.

Type: anything

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediagoblin.nix>
services.mediagoblin.settings.mediagoblin.allow_registration

Whether to enable user self registration. This is generally not recommend due to spammers. See upstream FAQ.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediagoblin.nix>
services.mediagoblin.settings.mediagoblin.email_debug_mode

Disable email debug mode to start sending outgoing mails. This requires configuring SMTP settings, see the upstream docs for details.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediagoblin.nix>
services.mediagoblin.settings.mediagoblin.email_sender_address

Email address which notices are sent from.

Type: string

Example: "noreply@example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediagoblin.nix>
services.mediagoblin.settings.mediagoblin.plugins

Plugins to enable. See upstream docs for details. Extra dependencies are automatically enabled.

Type: unspecified value

Default:

''
  {
    "mediagoblin.plugins.geolocation" = { };
    "mediagoblin.plugins.processing_info" = { };
    "mediagoblin.plugins.basic_auth" = { };
    "mediagoblin.media_types.image" = { };
  }
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediagoblin.nix>
services.mediagoblin.settings.mediagoblin.sql_engine

Database to use.

Type: string

Default: "sqlite:///var/lib/mediagoblin/mediagoblin.db"

Example: "postgresql:///mediagoblin"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediagoblin.nix>
services.mediamtx.enable

Whether to enable MediaMTX.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/mediamtx.nix>
services.mediamtx.package

The mediamtx package to use.

Type: package

Default: pkgs.mediamtx

Declared by:

<nixpkgs/nixos/modules/services/video/mediamtx.nix>
services.mediamtx.allowVideoAccess

Whether to enable access to video devices like cameras on the system .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/mediamtx.nix>
services.mediamtx.env

Extra environment variables for MediaMTX

Type: attribute set of anything

Default: { }

Example:

{
  MTX_CONFKEY = "mykey";
}

Declared by:

<nixpkgs/nixos/modules/services/video/mediamtx.nix>
services.mediamtx.settings

Settings for MediaMTX. Refer to the defaults at https://github.com/bluenviron/mediamtx/blob/main/mediamtx.yml.

Type: YAML value

Default: { }

Example:

{
  paths = {
    cam = {
      runOnInit = "\${lib.getExe pkgs.ffmpeg} -f v4l2 -i /dev/video0 -f rtsp rtsp://localhost:$RTSP_PORT/$RTSP_PATH";
      runOnInitRestart = true;
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/video/mediamtx.nix>
services.mediatomb.enable

Whether to enable the Gerbera/Mediatomb DLNA server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.package

The gerbera package to use.

Type: package

Default: pkgs.gerbera

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.customCfg

Allow the service to create and use its own config file inside the dataDir as configured by services.mediatomb.dataDir. Deactivated by default, the service then runs with the configuration generated from this module. Otherwise, when enabled, no service configuration is generated. Gerbera/Mediatomb then starts using config.xml within the configured dataDir. It’s up to the user to make a correct configuration file.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.dataDir

The directory where Gerbera/Mediatomb stores its state, data, etc.

Type: path

Default: "/var/lib/${config.services.mediatomb.package.pname}"

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.dsmSupport

Whether to enable D-Link DSM 320 specific tweaks. WARNING: incompatible with ps3 support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.group

Group account under which the service runs.

Type: string

Default: "mediatomb"

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.interface

A specific interface to bind to.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.mediaDirectories

Declare media directories to index.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    hidden-files = false;
    path = "/data/pictures";
    recursive = false;
  }
  {
    hidden-files = false;
    path = "/data/audio";
    recursive = true;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.mediaDirectories.*.hidden-files

Whether to index the hidden files or not.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.mediaDirectories.*.path

Absolute directory path to the media directory to index.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.mediaDirectories.*.recursive

Whether the indexation must take place recursively or not.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.openFirewall

If false (the default), this is up to the user to declare the firewall rules. If true, this opens port 1900 (tcp and udp) and the port specified by sercvices.mediatomb.port.

If the option services.mediatomb.interface is set, the firewall rules opened are dedicated to that interface. Otherwise, those rules are opened globally.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.pcDirectoryHide

Whether to list the top-level directory or not (from upnp client standpoint).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.port

The network port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 49152

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.ps3Support

Whether to enable ps3 specific tweaks. WARNING: incompatible with DSM 320 support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.serverName

How to identify the server on the network.

Type: string

Default: "Gerbera (Mediatomb)"

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.tg100Support

Whether to enable Telegent TG100 specific tweaks.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.transcoding

Whether to enable transcoding.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.user

User account under which the service runs.

Type: string

Default: "mediatomb"

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediatomb.uuid

A unique (on your network) to identify the server by.

Type: string

Default: "fdfc8a4e-a3ad-4c1d-b43d-a2eedb03a687"

Declared by:

<nixpkgs/nixos/modules/services/misc/mediatomb.nix>
services.mediawiki.enable

Whether to enable MediaWiki.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.package

The mediawiki package to use.

Type: package

Default: pkgs.mediawiki

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.database.createLocally

Create the database and database user locally. This currently only applies if database type “mysql” is selected.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.database.name

Database name.

Type: string

Default: "mediawiki"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/mediawiki-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.database.socket

Path to the unix socket file to use for authentication.

Type: null or path

Default: /run/mysqld/mysqld.sock

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.database.tablePrefix

If you only have access to a single database and wish to install more than one version of MediaWiki, or have other applications that also use the database, you can give the table names a unique prefix to stop any naming conflicts or confusion. See https://www.mediawiki.org/wiki/Manual:$wgDBprefix.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.database.type

Database engine to use. MySQL/MariaDB is the database of choice by MediaWiki developers.

Type: one of “mysql”, “postgres”, “mssql”, “oracle”

Default: "mysql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.database.user

Database user.

Type: string

Default: "mediawiki"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.extensions

Attribute set of paths whose content is copied to the extensions subdirectory of the MediaWiki installation and enabled in configuration.

Use null instead of path to enable extensions that are part of MediaWiki.

Type: attribute set of (null or path)

Default: { }

Example:

{
  Matomo = pkgs.fetchzip {
    url = "https://github.com/DaSchTour/matomo-mediawiki-extension/archive/v4.0.1.tar.gz";
    sha256 = "0g5rd3zp0avwlmqagc59cg9bbkn3r7wx7p6yr80s644mj6dlvs1b";
  };
  ParserFunctions = null;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.extraConfig

Any additional text to be appended to MediaWiki’s LocalSettings.php configuration file. For configuration settings, see https://www.mediawiki.org/wiki/Manual:Configuration_settings.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  $wgEnableEmail = false;
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.finalPackage

The final package used by the module. This is the package that will have extensions and skins installed.

Type: package (read only)

Default: pkg

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost

Apache configuration can be done by adapting services.httpd.virtualHosts. See services.httpd.virtualHosts for further information.

Type: submodule

Example:

{
  hostName = "mediawiki.example.org";
  adminAddr = "webmaster@example.org";
  forceSSL = true;
  enableACME = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.enableUserDir

Whether to enable serving ~/public_html as /~«username».

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.acmeRoot

Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.adminAddr

E-mail address of the server administrator.

Type: null or string

Default: null

Example: "admin@example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.documentRoot

The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.extraConfig

These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  <Directory /home>
    Options FollowSymlinks
    AllowOverride All
  </Directory>
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.forceSSL

Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.globalRedirect

If set, all requests for this host are redirected permanently to the given URL.

Type: null or string

Default: null

Example: "http://newserver.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.hostName

Canonical hostname for the server.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.http2

Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config for details.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.listen

Listen addresses and ports for this virtual host.

Note

This option overrides addSSL, forceSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    ip = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    ip = "192.154.1.1";
    port = 80;
  }
  {
    ip = "*";
    port = 8080;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.listen.*.ip

IP to listen on. 0.0.0.0 for IPv4 only, * for all.

Type: string

Default: "*"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.listen.*.port

Port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.listen.*.ssl

Whether to enable SSL (https) support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Type: non-empty (list of string)

Default:

[
  "*"
]

Example:

[
  "127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.locations

Declarative location config. See https://httpd.apache.org/docs/2.4/mod/core.html#location for details.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
  "/foo/bar.png" = {
    alias = "/home/eelco/some-file.png";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.locations.<name>.alias

Alias directory for requests. See https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.locations.<name>.index

Adds DirectoryIndex directive. See https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.locations.<name>.proxyPass

Sets up a simple reverse proxy as described by https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.logFormat

Log format for Apache’s log files. Possible values are: combined, common, referer, agent.

Type: string

Default: "common"

Example: "combined"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.robotsEntries

Specification of pages to be ignored by web crawlers. See http://www.robotstxt.org/ for details.

Type: strings concatenated with “\n”

Default: ""

Example: "Disallow: /foo/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.servedDirs

This option provides a simple way to serve static directories.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    dir = "/home/eelco/Dev/nix-homepage";
    urlPath = "/nix";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.servedFiles

This option provides a simple way to serve individual, static files.

Note

This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the locations.<name>.alias option.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    file = "/home/eelco/some-file.png";
    urlPath = "/foo/bar.png";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "www.example.org:8080"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.sslServerCert

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.sslServerChain

Path to server SSL chain file.

Type: null or path

Default: null

Example: "/var/ca.pem"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.sslServerKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.httpd.virtualHost.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.name

Name of the wiki.

Type: string

Default: "MediaWiki"

Example: "Foobar Wiki"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.nginx.hostName

The hostname to use for the nginx virtual host. This is used to generate the nginx configuration.

Type: string

Default: "localhost"

Example: wiki.example.com

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.passwordFile

A file containing the initial password for the administrator account “admin”.

Type: path

Example: "/run/keys/mediawiki-password"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.passwordSender

Contact address for password reset.

Type: string

Default:

if cfg.webserver == "apache" then
  if cfg.httpd.virtualHost.adminAddr != null then
    cfg.httpd.virtualHost.adminAddr
  else
    config.services.httpd.adminAddr else "root@localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.poolConfig

Options for the MediaWiki PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.skins

Attribute set of paths whose content is copied to the skins subdirectory of the MediaWiki installation in addition to the default skins.

Type: attribute set of path

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.uploadsDir

This directory is used for uploads of pictures. The directory passed here is automatically created and permissions adjusted as required.

Type: null or path

Default: "/var/lib/mediawiki/uploads"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.url

URL of the wiki.

Type: string

Default:

''
  if "mediawiki uses ssl" then "{"https" else "http"}://''${cfg.hostName}" else "http://localhost";
''

Example: "https://wiki.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.mediawiki.webserver

Webserver to use.

Type: one of “apache”, “none”, “nginx”

Default: "apache"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mediawiki.nix>
services.meilisearch.enable

Whether to enable MeiliSearch - a RESTful search API.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/search/meilisearch.nix>
services.meilisearch.package

The meilisearch package to use. Use this if you require specific features to be enabled. The default package has no features.

Type: package

Default: pkgs.meilisearch

Declared by:

<nixpkgs/nixos/modules/services/search/meilisearch.nix>
services.meilisearch.environment

Defines the running environment of MeiliSearch.

Type: one of “development”, “production”

Default: "development"

Declared by:

<nixpkgs/nixos/modules/services/search/meilisearch.nix>
services.meilisearch.listenAddress

MeiliSearch listen address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/search/meilisearch.nix>
services.meilisearch.listenPort

MeiliSearch port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7700

Declared by:

<nixpkgs/nixos/modules/services/search/meilisearch.nix>
services.meilisearch.logLevel

Defines how much detail should be present in MeiliSearch’s logs. MeiliSearch currently supports four log levels, listed in order of increasing verbosity:

  • ‘ERROR’: only log unexpected events indicating MeiliSearch is not functioning as expected

  • ‘WARN:’ log all unexpected events, regardless of their severity

  • ‘INFO:’ log all events. This is the default value

  • ‘DEBUG’: log all events and including detailed information on MeiliSearch’s internal processes. Useful when diagnosing issues and debugging

Type: string

Default: "INFO"

Declared by:

<nixpkgs/nixos/modules/services/search/meilisearch.nix>
services.meilisearch.masterKeyEnvironmentFile

Path to file which contains the master key. By doing so, all routes will be protected and will require a key to be accessed. If no master key is provided, all routes can be accessed without requiring any key. The format is the following: MEILI_MASTER_KEY=my_secret_key

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/search/meilisearch.nix>
services.meilisearch.maxIndexSize

Sets the maximum size of the index. Value must be given in bytes or explicitly stating a base unit. For example, the default value can be written as 107374182400, ‘107.7Gb’, or ‘107374 Mb’. Default is 100 GiB

Type: string

Default: "107374182400"

Declared by:

<nixpkgs/nixos/modules/services/search/meilisearch.nix>
services.meilisearch.noAnalytics

Deactivates analytics. Analytics allow MeiliSearch to know how many users are using MeiliSearch, which versions and which platforms are used. This process is entirely anonymous.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/search/meilisearch.nix>
services.meilisearch.payloadSizeLimit

Sets the maximum size of accepted JSON payloads. Value must be given in bytes or explicitly stating a base unit. For example, the default value can be written as 107374182400, ‘107.7Gb’, or ‘107374 Mb’. Default is ~ 100 MB

Type: string

Default: "104857600"

Declared by:

<nixpkgs/nixos/modules/services/search/meilisearch.nix>
services.memcached.enable

Whether to enable Memcached.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.enableUnixSocket

Whether to enable Unix Domain Socket at /run/memcached/memcached.sock instead of listening on an IP address and port. The listen and port options are ignored.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.extraOptions

A list of extra options that will be added as a suffix when running memcached.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.listen

The IP address to bind to.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.maxConnections

The maximum number of simultaneous connections.

Type: unsigned integer, meaning >=0

Default: 1024

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.maxMemory

The maximum amount of memory to use for storage, in megabytes.

Type: unsigned integer, meaning >=0

Default: 64

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.port

The port to bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 11211

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.memcached.user

The user to run Memcached as

Type: string

Default: "memcached"

Declared by:

<nixpkgs/nixos/modules/services/databases/memcached.nix>
services.meme-bingo-web.enable

Whether to enable a web app for the meme bingo, rendered entirely on the web server and made interactive with forms.

Note: The application’s author suppose to run meme-bingo-web behind a reverse proxy for SSL and HTTP/3 .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/meme-bingo-web.nix>
services.meme-bingo-web.package

The meme-bingo-web package to use.

Type: package

Default: pkgs.meme-bingo-web

Declared by:

<nixpkgs/nixos/modules/services/web-apps/meme-bingo-web.nix>
services.meme-bingo-web.baseUrl

URL to be used for the HTML <base> element on all HTML routes.

Type: string

Default: "http://localhost:41678/"

Example: "https://bingo.example.com/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/meme-bingo-web.nix>
services.meme-bingo-web.port

Port to be used for the web server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 41678

Example: 21035

Declared by:

<nixpkgs/nixos/modules/services/web-apps/meme-bingo-web.nix>
services.merecat.enable

Whether to enable Merecat HTTP server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/merecat.nix>
services.merecat.settings

Merecat configuration. Refer to merecat(8) for details on supported values.

Type: attribute set of (atom (null, bool, int, float or string))

Default: { }

Example:

{
  directory = "/srv/www";
  hostname = "localhost";
  port = 8080;
  virtual-host = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/merecat.nix>
services.meshcentral.enable

Whether to enable MeshCentral computer management server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/admin/meshcentral.nix>
services.meshcentral.package

The meshcentral package to use.

Type: package

Default: pkgs.meshcentral

Declared by:

<nixpkgs/nixos/modules/services/admin/meshcentral.nix>
services.meshcentral.settings

Settings for MeshCentral. Refer to upstream documentation for details:

Type: JSON value

Example:

{
  domains = {
    "" = {
      certUrl = "https://meshcentral.example.com/";
    };
  };
  settings = {
    Cert = "meshcentral.example.com";
    Port = 4430;
    TlsOffload = "10.0.0.2,fd42::2";
    WANonly = true;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/admin/meshcentral.nix>
services.metabase.enable

Whether to enable Metabase service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/metabase.nix>
services.metabase.listen.ip

IP address that Metabase should listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/metabase.nix>
services.metabase.listen.port

Listen port for Metabase.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/misc/metabase.nix>
services.metabase.openFirewall

Open ports in the firewall for Metabase.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/metabase.nix>
services.metabase.ssl.enable

Whether to enable SSL (https) support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/metabase.nix>
services.metabase.ssl.keystore

Java KeyStore file containing the certificates.

Type: null or path

Default: "/var/lib/metabase/metabase.jks"

Example: "/etc/secrets/keystore.jks"

Declared by:

<nixpkgs/nixos/modules/services/misc/metabase.nix>
services.metabase.ssl.port

Listen port over SSL (https) for Metabase.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8443

Declared by:

<nixpkgs/nixos/modules/services/misc/metabase.nix>
services.metricbeat.enable

Whether to enable metricbeat.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/metricbeat.nix>
services.metricbeat.package

The metricbeat package to use.

Type: package

Default: pkgs.metricbeat

Example: metricbeat7

Declared by:

<nixpkgs/nixos/modules/services/monitoring/metricbeat.nix>
services.metricbeat.modules

Metricbeat modules are responsible for reading metrics from the various sources.

This is like services.metricbeat.settings.metricbeat.modules, but structured as an attribute set. This has the benefit that multiple NixOS modules can contribute settings to a single metricbeat module.

A module can be specified multiple times by choosing a different <name> for each, but setting services.metricbeat.modules.<name>.module to the same value.

See https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-modules.html.

Type: attribute set of (YAML value)

Default: { }

Example:

{
  system = {
    core = {
      metrics = [
        "percentages"
      ];
    };
    cpu = {
      metrics = [
        "percentages"
        "normalized_percentages"
      ];
    };
    enabled = true;
    metricsets = [
      "cpu"
      "load"
      "memory"
      "network"
      "process"
      "process_summary"
      "uptime"
      "socket_summary"
    ];
    period = "10s";
    processes = [
      ".*"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/metricbeat.nix>
services.metricbeat.modules.<name>.module

The name of the module.

Look for the value after module: on the individual module pages linked from https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-modules.html.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/metricbeat.nix>
services.metricbeat.settings

Configuration for metricbeat. See https://www.elastic.co/guide/en/beats/metricbeat/current/configuring-howto-metricbeat.html for supported values.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/metricbeat.nix>
services.metricbeat.settings.name

Name of the beat. Defaults to the hostname. See https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-general-options.html#_name.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/metricbeat.nix>
services.metricbeat.settings.tags

Tags to place on the shipped metrics. See https://www.elastic.co/guide/en/beats/metricbeat/current/configuration-general-options.html#_tags_2.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/metricbeat.nix>
services.microbin.enable

Whether to enable MicroBin is a super tiny, feature rich, configurable paste bin web application.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/microbin.nix>
services.microbin.package

The microbin package to use.

Type: package

Default: pkgs.microbin

Declared by:

<nixpkgs/nixos/modules/services/web-apps/microbin.nix>
services.microbin.dataDir

Default data folder for MicroBin.

Type: string

Default: "/var/lib/microbin"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/microbin.nix>
services.microbin.passwordFile

Path to file containing environment variables. Useful for passing down secrets. Variables that can be considered secrets are:

  • MICROBIN_BASIC_AUTH_USERNAME

  • MICROBIN_BASIC_AUTH_PASSWORD

  • MICROBIN_ADMIN_USERNAME

  • MICROBIN_ADMIN_PASSWORD

  • MICROBIN_UPLOADER_PASSWORD

Type: null or path

Default: null

Example: "/run/secrets/microbin.env"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/microbin.nix>
services.microbin.settings

Additional configuration for MicroBin, see https://microbin.eu/docs/installation-and-configuration/configuration/ for supported values.

For secrets use passwordFile option instead.

Type: attribute set of (boolean or signed integer or string)

Default: { }

Example:

{
  MICROBIN_HIDE_LOGO = false;
  MICROBIN_PORT = 8080;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/microbin.nix>
services.microsocks.enable

Whether to enable Tiny, portable SOCKS5 server with very moderate resource usage.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/microsocks.nix>
services.microsocks.package

The microsocks package to use.

Type: package

Default: pkgs.microsocks

Declared by:

<nixpkgs/nixos/modules/services/networking/microsocks.nix>
services.microsocks.authOnce

If true, once a specific ip address authed successfully with user/pass, it is added to a whitelist and may use the proxy without auth.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/microsocks.nix>
services.microsocks.authPasswordFile

Path to a file containing the password for authentication.

Type: null or path

Default: null

Example: "/run/secrets/microsocks-password"

Declared by:

<nixpkgs/nixos/modules/services/networking/microsocks.nix>
services.microsocks.authUsername

Optional username to use for authentication.

Type: null or string

Default: null

Example: "alice"

Declared by:

<nixpkgs/nixos/modules/services/networking/microsocks.nix>
services.microsocks.disableLogging

If true, microsocks will not log any messages to stdout/stderr.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/microsocks.nix>
services.microsocks.execWrapper

An optional command to prepend to the microsocks command (such as proxychains, or a VPN exclude command).

Type: null or string

Default: null

Example:

''
  ''${pkgs.mullvad-vpn}/bin/mullvad-exclude
''

Declared by:

<nixpkgs/nixos/modules/services/networking/microsocks.nix>
services.microsocks.group

Group microsocks runs as.

Type: string

Default: "microsocks"

Declared by:

<nixpkgs/nixos/modules/services/networking/microsocks.nix>
services.microsocks.ip

IP on which microsocks should listen. Defaults to 127.0.0.1 for security reasons.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/microsocks.nix>
services.microsocks.outgoingBindIp

Specifies which ip outgoing connections are bound to

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/microsocks.nix>
services.microsocks.port

Port on which microsocks should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1080

Declared by:

<nixpkgs/nixos/modules/services/networking/microsocks.nix>
services.microsocks.user

User microsocks runs as.

Type: string

Default: "microsocks"

Declared by:

<nixpkgs/nixos/modules/services/networking/microsocks.nix>
services.mighttpd2.enable

Whether to enable Mighttpd2 web server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/mighttpd2.nix>
services.mighttpd2.config

Verbatim config file to use (see https://kazu-yamamoto.github.io/mighttpd2/config.html)

Type: strings concatenated with “\n”

Default: ""

Example:

''
  # Example configuration for Mighttpd 2
  Port: 80
  # IP address or "*"
  Host: *
  Debug_Mode: Yes # Yes or No
  # If available, "nobody" is much more secure for User:.
  User: root
  # If available, "nobody" is much more secure for Group:.
  Group: root
  Pid_File: /run/mighty.pid
  Logging: Yes # Yes or No
  Log_File: /var/log/mighty # The directory must be writable by User:
  Log_File_Size: 16777216 # bytes
  Log_Backup_Number: 10
  Index_File: index.html
  Index_Cgi: index.cgi
  Status_File_Dir: /usr/local/share/mighty/status
  Connection_Timeout: 30 # seconds
  Fd_Cache_Duration: 10 # seconds
  # Server_Name: Mighttpd/3.x.y
  Tls_Port: 443
  Tls_Cert_File: cert.pem # should change this with an absolute path
  # should change this with comma-separated absolute paths
  Tls_Chain_Files: chain.pem
  # Currently, Tls_Key_File must not be encrypted.
  Tls_Key_File: privkey.pem # should change this with an absolute path
  Service: 0 # 0 is HTTP only, 1 is HTTPS only, 2 is both
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/mighttpd2.nix>
services.mighttpd2.cores

How many cores to use. If null it will be determined automatically

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/mighttpd2.nix>
services.mighttpd2.routing

Verbatim routing file to use (see https://kazu-yamamoto.github.io/mighttpd2/config.html)

Type: strings concatenated with “\n”

Default: ""

Example:

''
  # Example routing for Mighttpd 2
  
  # Domain lists
  [localhost www.example.com]
  
  # Entries are looked up in the specified order
  # All paths must end with "/"
  
  # A path to CGI scripts should be specified with "=>"
  /~alice/cgi-bin/ => /home/alice/public_html/cgi-bin/
  
  # A path to static files should be specified with "->"
  /~alice/         -> /home/alice/public_html/
  /cgi-bin/        => /export/cgi-bin/
  
  # Reverse proxy rules should be specified with ">>"
  # /path >> host:port/path2
  # Either "host" or ":port" can be committed, but not both.
  /app/cal/        >> example.net/calendar/
  # Yesod app in the same server
  /app/wiki/       >> 127.0.0.1:3000/
  
  /                -> /export/www/
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/mighttpd2.nix>
services.mihomo.enable

Whether to enable Mihomo, A rule-based proxy in Go.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mihomo.nix>
services.mihomo.package

The mihomo package to use.

Type: package

Default: pkgs.mihomo

Declared by:

<nixpkgs/nixos/modules/services/networking/mihomo.nix>
services.mihomo.configFile

Configuration file to use.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/mihomo.nix>
services.mihomo.extraOpts

Extra command line options to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/mihomo.nix>
services.mihomo.tunMode

Whether to enable necessary permission for Mihomo’s systemd service for TUN mode to function properly.

Keep in mind, that you still need to enable TUN mode manually in Mihomo’s configuration .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mihomo.nix>
services.mihomo.webui

Local web interface to use.

You can also use the following website:

  • metacubexd:

    • https://d.metacubex.one

    • https://metacubex.github.io/metacubexd

    • https://metacubexd.pages.dev

  • yacd:

    • https://yacd.haishan.me

  • clash-dashboard:

    • https://clash.razord.top

Type: null or path

Default: null

Example: pkgs.metacubexd

Declared by:

<nixpkgs/nixos/modules/services/networking/mihomo.nix>
services.mimir.enable

Whether to enable mimir.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/mimir.nix>
services.mimir.package

The mimir package to use.

Type: package

Default: pkgs.mimir

Declared by:

<nixpkgs/nixos/modules/services/monitoring/mimir.nix>
services.mimir.configFile

Specify a configuration file that Mimir should use.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/mimir.nix>
services.mimir.configuration

Specify the configuration for Mimir in Nix.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/mimir.nix>
services.mimir.extraFlags

Specify a list of additional command line flags, which get escaped and are then passed to Mimir.

Type: list of string

Default: [ ]

Example:

[
  "--config.expand-env=true"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/mimir.nix>
services.minecraft-server.enable

If enabled, start a Minecraft Server. The server data will be loaded from and saved to services.minecraft-server.dataDir.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/minecraft-server.nix>
services.minecraft-server.package

The minecraft-server package to use.

Type: package

Default: pkgs.minecraft-server

Example: minecraft-server_1_12_2

Declared by:

<nixpkgs/nixos/modules/services/games/minecraft-server.nix>
services.minecraft-server.dataDir

Directory to store Minecraft database and other state/data files.

Type: path

Default: "/var/lib/minecraft"

Declared by:

<nixpkgs/nixos/modules/services/games/minecraft-server.nix>
services.minecraft-server.declarative

Whether to use a declarative Minecraft server configuration. Only if set to true, the options services.minecraft-server.whitelist and services.minecraft-server.serverProperties will be applied.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/minecraft-server.nix>
services.minecraft-server.eula

Whether you agree to Mojangs EULA. This option must be set to true to run Minecraft server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/minecraft-server.nix>
services.minecraft-server.jvmOpts

JVM options for the Minecraft server.

Type: strings concatenated with " "

Default: "-Xmx2048M -Xms2048M"

Example: "-Xms4092M -Xmx4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing -XX:+CMSClassUnloadingEnabled -XX:ParallelGCThreads=2 -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10"

Declared by:

<nixpkgs/nixos/modules/services/games/minecraft-server.nix>
services.minecraft-server.openFirewall

Whether to open ports in the firewall for the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/minecraft-server.nix>
services.minecraft-server.serverProperties

Minecraft server properties for the server.properties file. Only has an effect when services.minecraft-server.declarative is set to true. See https://minecraft.gamepedia.com/Server.properties#Java_Edition_3 for documentation on these values.

Type: attribute set of (boolean or signed integer or string)

Default: { }

Example:

{
  server-port = 43000;
  difficulty = 3;
  gamemode = 1;
  max-players = 5;
  motd = "NixOS Minecraft server!";
  white-list = true;
  enable-rcon = true;
  "rcon.password" = "hunter2";
}

Declared by:

<nixpkgs/nixos/modules/services/games/minecraft-server.nix>
services.minecraft-server.whitelist

Whitelisted players, only has an effect when services.minecraft-server.declarative is true and the whitelist is enabled via services.minecraft-server.serverProperties by setting white-list to true. This is a mapping from Minecraft usernames to UUIDs. You can use https://mcuuid.net/ to get a Minecraft UUID for a username.

Type: attribute set of Minecraft UUID

Default: { }

Example:

{
  username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
  username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy";
};

Declared by:

<nixpkgs/nixos/modules/services/games/minecraft-server.nix>
services.minetest-server.enable

If enabled, starts a Minetest Server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/minetest-server.nix>
services.minetest-server.config

Settings to add to the minetest config file.

This option is ignored if configPath is set.

Type: attribute set of anything

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/games/minetest-server.nix>
services.minetest-server.configPath

Path to the config to use.

If set to null, the config of the running user will be used: ~/.minetest/minetest.conf.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/minetest-server.nix>
services.minetest-server.extraArgs

Additional command line flags to pass to the minetest executable.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/games/minetest-server.nix>
services.minetest-server.gameId

Id of the game to use. To list available games run minetestserver --gameid list.

If only one game exists, this option can be null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/minetest-server.nix>
services.minetest-server.logPath

Path to logfile for logging.

If set to null, logging will be output to stdout which means all output will be caught by systemd.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/minetest-server.nix>
services.minetest-server.port

Port number to bind to.

If set to null, the default 30000 will be used.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/minetest-server.nix>
services.minetest-server.world

Name of the world to use. To list available worlds run minetestserver --world list.

If only one world exists, this option can be null.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/minetest-server.nix>
services.minidlna.enable

Whether to enable MiniDLNA, a simple DLNA server. It serves media files such as video and music to DLNA client devices such as televisions and media players. If you use the firewall, consider adding the following: services.minidlna.openFirewall = true;

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.package

The minidlna package to use.

Type: package

Default: pkgs.minidlna

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.openFirewall

Whether to open both HTTP (TCP) and SSDP (UDP) ports in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.settings

The contents of MiniDLNA’s configuration file. When the service is activated, a basic template is generated from the current options opened here.

Type: attribute set of (atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.settings.enable_tivo

Support for streaming .jpg and .mp3 files to a TiVo supporting HMO.

Type: one of “yes”, “no”

Default: "no"

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.settings.db_dir

Specify the directory where you want MiniDLNA to store its database and album art cache.

Type: path

Default: "/var/cache/minidlna"

Example: "/tmp/minidlna"

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.settings.friendly_name

Name that the DLNA server presents to clients.

Type: string

Default: config.networking.hostName

Example: "rpi3"

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.settings.inotify

Whether to enable inotify monitoring to automatically discover new files.

Type: one of “yes”, “no”

Default: "no"

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.settings.log_level

Defines the type of messages that should be logged and down to which level of importance.

Type: string

Default: "warn"

Example: "general,artwork,database,inotify,scanner,metadata,http,ssdp,tivo=warn"

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.settings.media_dir

Directories to be scanned for media files. The A, V, P, prefixes restrict a directory to audio, video or image files. The directories must be accessible to the minidlna user account.

Type: list of string

Default: [ ]

Example:

[
  "/data/media"
  "V,/home/alice/video"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.settings.notify_interval

The interval between announces (in seconds). Instead of waiting for announces, you should set openFirewall option to use SSDP discovery. Lower values (e.g. 30 seconds) should be used if your network blocks the discovery unicast. Some relevant information can be found here: https://sourceforge.net/p/minidlna/discussion/879957/thread/1389d197/

Type: signed integer

Default: 90000

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.settings.port

Port number for HTTP traffic (descriptions, SOAP, media transfer).

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8200

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.settings.root_container

Use a different container as the root of the directory tree presented to clients.

Type: string

Default: "B"

Example: "."

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.minidlna.settings.wide_links

Set this to yes to allow symlinks that point outside user-defined media_dir.

Type: one of “yes”, “no”

Default: "no"

Declared by:

<nixpkgs/nixos/modules/services/networking/minidlna.nix>
services.miniflux.enable

Whether to enable miniflux.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/miniflux.nix>
services.miniflux.package

The miniflux package to use.

Type: package

Default: pkgs.miniflux

Declared by:

<nixpkgs/nixos/modules/services/web-apps/miniflux.nix>
services.miniflux.adminCredentialsFile

File containing the ADMIN_USERNAME and ADMIN_PASSWORD (length >= 6) in the format of an EnvironmentFile=, as described by systemd.exec(5).

Type: null or path

Default: null

Example: "/etc/nixos/miniflux-admin-credentials"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/miniflux.nix>
services.miniflux.config

Configuration for Miniflux, refer to https://miniflux.app/docs/configuration.html for documentation on the supported values.

Correct configuration for the database is already provided. By default, listens on localhost:8080.

Type: attribute set of (string or signed integer)

Example:

{
  CLEANUP_FREQUENCY = 48;
  LISTEN_ADDR = "localhost:8080";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/miniflux.nix>
services.miniflux.createDatabaseLocally

Whether a PostgreSQL database should be automatically created and configured on the local host. If set to false, you need provision a database yourself and make sure to create the hstore extension in it.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/miniflux.nix>
services.minio.enable

Whether to enable Minio Object Storage.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/minio.nix>
services.minio.package

The minio package to use.

Type: package

Default: pkgs.minio

Declared by:

<nixpkgs/nixos/modules/services/web-servers/minio.nix>
services.minio.accessKey

Access key of 5 to 20 characters in length that clients use to access the server. This overrides the access key that is generated by minio on first startup and stored inside the configDir directory.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/minio.nix>
services.minio.browser

Enable or disable access to web UI.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/minio.nix>
services.minio.certificatesDir

The directory where TLS certificates are stored.

Type: path

Default: "/var/lib/minio/certs"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/minio.nix>
services.minio.configDir

The config directory, for the access keys and other settings.

Type: path

Default: "/var/lib/minio/config"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/minio.nix>
services.minio.consoleAddress

IP address and port of the web UI (console).

Type: string

Default: ":9001"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/minio.nix>
services.minio.dataDir

The list of data directories or nodes for storing the objects. Use one path for regular operation and the minimum of 4 endpoints for Erasure Code mode.

Type: list of (path or string)

Default:

[
  "/var/lib/minio/data"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/minio.nix>
services.minio.listenAddress

IP address and port of the server.

Type: string

Default: ":9000"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/minio.nix>
services.minio.region

The physical location of the server. By default it is set to us-east-1, which is same as AWS S3’s and Minio’s default region.

Type: string

Default: "us-east-1"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/minio.nix>
services.minio.rootCredentialsFile

File containing the MINIO_ROOT_USER, default is “minioadmin”, and MINIO_ROOT_PASSWORD (length >= 8), default is “minioadmin”; in the format of an EnvironmentFile=, as described by systemd.exec(5).

Type: null or path

Default: null

Example: "/etc/nixos/minio-root-credentials"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/minio.nix>
services.minio.secretKey

Specify the Secret key of 8 to 40 characters in length that clients use to access the server. This overrides the secret key that is generated by minio on first startup and stored inside the configDir directory.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/minio.nix>
services.miniupnpd.enable

Whether to enable MiniUPnP daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/miniupnpd.nix>
services.miniupnpd.appendConfig

Configuration lines appended to the MiniUPnP config.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/miniupnpd.nix>
services.miniupnpd.externalInterface

Name of the external interface.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/miniupnpd.nix>
services.miniupnpd.internalIPs

The IP address ranges to listen on.

Type: list of string

Example:

[
  "192.168.1.1/24"
  "enp1s0"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/miniupnpd.nix>
services.miniupnpd.natpmp

Whether to enable NAT-PMP support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/miniupnpd.nix>
services.miniupnpd.upnp

Whether to enable UPNP support.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/miniupnpd.nix>
services.mirakurun.enable

Whether to enable the Mirakurun DVR Tuner Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/mirakurun.nix>
services.mirakurun.allowSmartCardAccess

Install polkit rules to allow Mirakurun to access smart card readers which is commonly used along with tuner devices.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/video/mirakurun.nix>
services.mirakurun.channelSettings

Options which are added to channels.yml. If none is specified, it will automatically be generated at runtime.

Documentation: https://github.com/Chinachu/Mirakurun/blob/master/doc/Configuration.md

Type: null or YAML value

Default: null

Example:

[
  {
    name = "channel";
    types = "GR";
    channel = "0";
  }
];

Declared by:

<nixpkgs/nixos/modules/services/video/mirakurun.nix>
services.mirakurun.openFirewall

Open ports in the firewall for Mirakurun.

Warning

Exposing Mirakurun to the open internet is generally advised against. Only use it inside a trusted local network, or consider putting it behind a VPN if you want remote access.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/video/mirakurun.nix>
services.mirakurun.port

Port to listen on. If null, it won’t listen on any port.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 40772

Declared by:

<nixpkgs/nixos/modules/services/video/mirakurun.nix>
services.mirakurun.serverSettings

Options for server.yml.

Documentation: https://github.com/Chinachu/Mirakurun/blob/master/doc/Configuration.md

Type: YAML value

Default: { }

Example:

{
  highWaterMark = 25165824;
  overflowTimeLimit = 30000;
};

Declared by:

<nixpkgs/nixos/modules/services/video/mirakurun.nix>
services.mirakurun.tunerSettings

Options which are added to tuners.yml. If none is specified, it will automatically be generated at runtime.

Documentation: https://github.com/Chinachu/Mirakurun/blob/master/doc/Configuration.md

Type: null or YAML value

Default: null

Example:

[
  {
    name = "tuner-name";
    types = [ "GR" "BS" "CS" "SKY" ];
    dvbDevicePath = "/dev/dvb/adapterX/dvrX";
  }
];

Declared by:

<nixpkgs/nixos/modules/services/video/mirakurun.nix>
services.mirakurun.unixSocket

Path to unix socket to listen on. If null, it won’t listen on any unix sockets.

Type: null or path

Default: "/var/run/mirakurun/mirakurun.sock"

Declared by:

<nixpkgs/nixos/modules/services/video/mirakurun.nix>
services.miredo.enable

Whether to enable the Miredo IPv6 tunneling service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/miredo.nix>
services.miredo.package

The miredo package to use.

Type: package

Default: pkgs.miredo

Declared by:

<nixpkgs/nixos/modules/services/networking/miredo.nix>
services.miredo.bindAddress

Depending on the local firewall/NAT rules, you might need to force Miredo to use a fixed UDP port and or IPv4 address.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/miredo.nix>
services.miredo.bindPort

Depending on the local firewall/NAT rules, you might need to force Miredo to use a fixed UDP port and or IPv4 address.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/miredo.nix>
services.miredo.interfaceName

Name of the network tunneling interface.

Type: string

Default: "teredo"

Declared by:

<nixpkgs/nixos/modules/services/networking/miredo.nix>
services.miredo.serverAddress

The hostname or primary IPv4 address of the Teredo server. This setting is required if Miredo runs as a Teredo client. “teredo.remlab.net” is an experimental service for testing only. Please use another server for production and/or large scale deployments.

Type: string

Default: "teredo.remlab.net"

Declared by:

<nixpkgs/nixos/modules/services/networking/miredo.nix>
services.misskey.enable

Whether to enable misskey.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.package

The misskey package to use.

Type: package

Default: pkgs.misskey

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.database.createLocally

Create the PostgreSQL database locally. Sets services.misskey.settings.db.{db,host,port,user,pass}.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.database.passwordFile

The path to a file containing the database password. Sets services.misskey.settings.db.pass.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.meilisearch.createLocally

Create and use a local Meilisearch instance. Sets services.misskey.settings.meilisearch.{host,port,ssl}.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.meilisearch.keyFile

The path to a file containing the Meilisearch API key. Sets services.misskey.settings.meilisearch.apiKey.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.redis.createLocally

Create and use a local Redis instance. Sets services.misskey.settings.redis.host.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.redis.passwordFile

The path to a file containing the Redis password. Sets services.misskey.settings.redis.pass.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.reverseProxy.enable

Whether to enable a HTTP reverse proxy for Misskey.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.reverseProxy.host

The fully qualified domain name to bind to. Sets services.misskey.settings.url.

This is required when using services.misskey.reverseProxy.enable = true.

Type: null or string

Default: null

Example: "misskey.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.reverseProxy.ssl

Whether to enable SSL for the reverse proxy. Sets services.misskey.settings.url.

This is required when using services.misskey.reverseProxy.enable = true.

Type: null or boolean

Default: null

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.reverseProxy.webserver

The webserver to use as the reverse proxy.

Type: attribute-tagged union

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.reverseProxy.webserver.caddy

Extra configuration for the caddy virtual host of Misskey. Set to { } to use the default configuration.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.reverseProxy.webserver.caddy.extraConfig

Additional lines of configuration appended to this virtual host in the automatically generated Caddyfile.

Type: strings concatenated with “\n”

Default: ""

services.misskey.reverseProxy.webserver.caddy.hostName

Canonical hostname for the server.

Type: string

Default: "‹name›"

services.misskey.reverseProxy.webserver.caddy.listenAddresses

A list of host interfaces to bind to for this virtual host.

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "::1"
]
services.misskey.reverseProxy.webserver.caddy.logFormat

Configuration for HTTP request logging (also known as access logs). See https://caddyserver.com/docs/caddyfile/directives/log#log for details.

Type: strings concatenated with “\n”

Default:

''
  output file ''${config.services.caddy.logDir}/access-''${hostName}.log
''

Example:

mkForce ''
  output discard
'';

services.misskey.reverseProxy.webserver.caddy.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]
services.misskey.reverseProxy.webserver.caddy.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is mostly useful if you use DNS challenges but Caddy does not currently support your provider.

Note that this option does not create any certificates, nor does it add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

services.misskey.reverseProxy.webserver.nginx

Extra configuration for the nginx virtual host of Misskey. Set to { } to use the default configuration.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.reverseProxy.webserver.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

services.misskey.reverseProxy.webserver.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

services.misskey.reverseProxy.webserver.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

services.misskey.reverseProxy.webserver.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

services.misskey.reverseProxy.webserver.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

services.misskey.reverseProxy.webserver.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

services.misskey.reverseProxy.webserver.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

services.misskey.reverseProxy.webserver.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

services.misskey.reverseProxy.webserver.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

services.misskey.reverseProxy.webserver.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

services.misskey.reverseProxy.webserver.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

services.misskey.reverseProxy.webserver.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

services.misskey.reverseProxy.webserver.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

services.misskey.reverseProxy.webserver.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

services.misskey.reverseProxy.webserver.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]
services.misskey.reverseProxy.webserver.nginx.listen.*.addr

Listen address.

Type: string

services.misskey.reverseProxy.webserver.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]
services.misskey.reverseProxy.webserver.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

services.misskey.reverseProxy.webserver.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

services.misskey.reverseProxy.webserver.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

services.misskey.reverseProxy.webserver.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]
services.misskey.reverseProxy.webserver.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

services.misskey.reverseProxy.webserver.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

services.misskey.reverseProxy.webserver.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

services.misskey.reverseProxy.webserver.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

services.misskey.reverseProxy.webserver.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

services.misskey.reverseProxy.webserver.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

services.misskey.reverseProxy.webserver.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

services.misskey.reverseProxy.webserver.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

services.misskey.reverseProxy.webserver.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

services.misskey.reverseProxy.webserver.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

services.misskey.reverseProxy.webserver.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

services.misskey.reverseProxy.webserver.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

services.misskey.reverseProxy.webserver.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

services.misskey.reverseProxy.webserver.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

services.misskey.reverseProxy.webserver.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

services.misskey.reverseProxy.webserver.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

services.misskey.reverseProxy.webserver.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

services.misskey.reverseProxy.webserver.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

services.misskey.reverseProxy.webserver.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

services.misskey.reverseProxy.webserver.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

services.misskey.reverseProxy.webserver.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]
services.misskey.reverseProxy.webserver.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

services.misskey.reverseProxy.webserver.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

services.misskey.reverseProxy.webserver.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

services.misskey.reverseProxy.webserver.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

services.misskey.reverseProxy.webserver.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

services.misskey.settings

Configuration for Misskey, see example.yml for all supported options.

Type: attribute set of (YAML value)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.chmodSocket

The file access mode of the UNIX socket.

Type: null or string

Default: null

Example: "777"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.db

Database settings.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.db.db

The database name.

Type: string

Default: "misskey"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.db.disableCache

Whether to disable caching queries.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.db.extra

Extra connection options.

Type: null or (attribute set of (YAML value))

Default: null

Example:

{
  ssl = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.db.host

The PostgreSQL host.

Type: string

Default: "/var/run/postgresql"

Example: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.db.pass

The password used for database authentication.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.db.port

The PostgreSQL port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5432

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.db.user

The user used for database authentication.

Type: string

Default: "misskey"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.id

The ID generation method to use. Do not change after starting Misskey for the first time.

Type: one of “aid”, “aidx”, “meid”, “ulid”, “objectid”

Default: "aidx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.meilisearch

Meilisearch connection options.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.meilisearch.apiKey

The Meilisearch API key.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.meilisearch.host

The Meilisearch host.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.meilisearch.index

Meilisearch index to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.meilisearch.port

The Meilisearch port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7700

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.meilisearch.scope

The search scope.

Type: one of “local”, “global”

Default: "local"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.meilisearch.ssl

Whether to connect via SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.port

The port your Misskey server should listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.redis

ioredis options. See README for reference.

Type: attribute set of (YAML value)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.redis.host

The Redis host.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.redis.port

The Redis port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6379

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.redisForJobQueue

ioredis options for the job queue. See README for reference.

Type: null or (attribute set of (YAML value))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.redisForJobQueue.host

The Redis host.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.redisForJobQueue.port

The Redis port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6379

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.redisForPubsub

ioredis options for pubsub. See README for reference.

Type: null or (attribute set of (YAML value))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.redisForPubsub.host

The Redis host.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.redisForPubsub.port

The Redis port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6379

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.redisForTimelines

ioredis options for timelines. See README for reference.

Type: null or (attribute set of (YAML value))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.redisForTimelines.host

The Redis host.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.redisForTimelines.port

The Redis port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6379

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.socket

The UNIX socket your Misskey server should listen on.

Type: null or path

Default: null

Example: "/path/to/misskey.sock"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.misskey.settings.url

The final user-facing URL. Do not change after running Misskey for the first time.

This needs to match up with the configured reverse proxy and is automatically configured when using services.misskey.reverseProxy.

Type: string

Example: "https://example.tld/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/misskey.nix>
services.mjolnir.enable

Whether to enable Mjolnir, a moderation tool for Matrix.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.accessTokenFile

File containing the matrix access token for the mjolnir user.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.dataPath

The directory the bot should store various bits of information in.

Type: path

Default: "/var/lib/mjolnir"

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.homeserverUrl

Where the homeserver is located (client-server URL).

If pantalaimon.enable is true, this option will become the homeserver to which pantalaimon connects. The listen address of pantalaimon will then become the homeserverUrl of mjolnir.

Type: string

Default: "https://matrix.org"

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.managementRoom

The room ID where people can use the bot. The bot has no access controls, so anyone in this room can use the bot - secure your room! This should be a room alias or room ID - not a matrix.to URL. Note: mjolnir is fairly verbose - expect a lot of messages from it.

Type: string

Default: "#moderators:example.org"

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.pantalaimon

pantalaimon options (enables E2E Encryption support).

This will create a pantalaimon instance with the name “mjolnir”.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.pantalaimon.enable

Whether to enable ignoring the accessToken. If true, accessToken is ignored and the username/password below will be used instead. The access token of the bot will be stored in the dataPath .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.pantalaimon.options

passthrough additional options to the pantalaimon service.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.pantalaimon.options.dataPath

The directory where pantalaimon should store its state such as the database file.

Type: path

Default: "/var/lib/pantalaimon-‹name›"

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.pantalaimon.options.extraSettings

Extra configuration options. See pantalaimon(5) for available options.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.pantalaimon.options.homeserver

The URI of the homeserver that the pantalaimon proxy should forward requests to, without the matrix API path but including the http(s) schema.

Type: string

Example: "https://matrix.org"

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.pantalaimon.options.listenAddress

The address where the daemon will listen to client connections for this homeserver.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.pantalaimon.options.listenPort

The port where the daemon will listen to client connections for this homeserver. Note that the listen address/port combination needs to be lib.unique between different homeservers.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8009

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.pantalaimon.options.logLevel

Set the log level of the daemon.

Type: one of “info”, “warning”, “error”, “debug”

Default: "warning"

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.pantalaimon.options.ssl

Whether or not SSL verification should be enabled for outgoing connections to the homeserver.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.pantalaimon.passwordFile

File containing the matrix password for the mjolnir user.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.pantalaimon.username

The username to login with.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.protectedRooms

A list of rooms to protect (matrix.to URLs).

Type: list of string

Default: [ ]

Example:

[
  "https://matrix.to/#/#yourroom:example.org"
  "https://matrix.to/#/#anotherroom:example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjolnir.settings

Additional settings (see mjolnir default config for available settings). These settings will override settings made by the module config.

Type: YAML value

Default: { }

Example:

{
  autojoinOnlyIfManager = true;
  automaticallyRedactForReasons = [ "spam" "advertising" ];
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/mjolnir.nix>
services.mjpg-streamer.enable

Whether to enable mjpg-streamer webcam streamer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mjpg-streamer.nix>
services.mjpg-streamer.group

mjpg-streamer group name.

Type: string

Default: "video"

Declared by:

<nixpkgs/nixos/modules/services/networking/mjpg-streamer.nix>
services.mjpg-streamer.inputPlugin

Input plugin. See plugins documentation for more information.

Type: string

Default: "input_uvc.so"

Declared by:

<nixpkgs/nixos/modules/services/networking/mjpg-streamer.nix>
services.mjpg-streamer.outputPlugin

Output plugin. @www@ is substituted for default mjpg-streamer www directory. See plugins documentation for more information.

Type: string

Default: "output_http.so -w @www@ -n -p 5050"

Declared by:

<nixpkgs/nixos/modules/services/networking/mjpg-streamer.nix>
services.mjpg-streamer.user

mjpg-streamer user name.

Type: string

Default: "mjpg-streamer"

Declared by:

<nixpkgs/nixos/modules/services/networking/mjpg-streamer.nix>
services.mlmmj.enable

Enable mlmmj

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/mlmmj.nix>
services.mlmmj.group

mailinglist local group

Type: string

Default: "mlmmj"

Declared by:

<nixpkgs/nixos/modules/services/mail/mlmmj.nix>
services.mlmmj.listDomain

Set the mailing list domain

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/mail/mlmmj.nix>
services.mlmmj.mailLists

The collection of hosted maillists

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/mlmmj.nix>
services.mlmmj.maintInterval

Time interval between mlmmj-maintd runs, see systemd.time(7) for format information.

Type: string

Default: "20min"

Declared by:

<nixpkgs/nixos/modules/services/mail/mlmmj.nix>
services.mlmmj.user

mailinglist local user

Type: string

Default: "mlmmj"

Declared by:

<nixpkgs/nixos/modules/services/mail/mlmmj.nix>
services.mmsd.enable

Whether to enable Multimedia Messaging Service Daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mmsd.nix>
services.mmsd.extraArgs

Extra arguments passed to mmsd-tng

Type: list of string

Default: [ ]

Example:

[
  "--debug"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/mmsd.nix>
services.mobilizon.enable

Whether to enable Mobilizon federated organization and mobilization platform.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.package

The mobilizon package to use.

Type: package

Default: pkgs.mobilizon

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.nginx.enable

Whether an Nginx virtual host should be set up to serve Mobilizon.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.settings

Mobilizon Elixir documentation, see https://docs.joinmobilizon.org/administration/configure/reference/ for supported values.

Type: attribute set of attribute set of (Elixir value)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.settings.":mobilizon".":instance".email_from

The email for the From: header in emails

Type: string or (raw elixir)

Default:

noreply@${settings.":mobilizon".":instance".hostname}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.settings.":mobilizon".":instance".email_reply_to

The email for the Reply-To: header in emails

Type: string or (raw elixir)

Default:

${email_from}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.settings.":mobilizon".":instance".hostname

Your instance’s hostname

Type: string or (raw elixir)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.settings.":mobilizon".":instance".name

The fallback instance name if not configured into the admin UI

Type: string or (raw elixir)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.settings.":mobilizon"."Mobilizon.Storage.Repo".database

Name of the database

Type: null or string or (raw elixir)

Default: "mobilizon_prod"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.settings.":mobilizon"."Mobilizon.Storage.Repo".socket_dir

Path to the postgres socket directory.

Set this to null if you want to connect to a remote database.

If non-null, the local PostgreSQL server will be configured with the configured database, permissions, and required extensions.

If connecting to a remote database, please follow the instructions on how to setup your database: https://docs.joinmobilizon.org/administration/install/release/#database-setup

Type: null or string or (raw elixir)

Default: "/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.settings.":mobilizon"."Mobilizon.Storage.Repo".username

User used to connect to the database

Type: null or string or (raw elixir)

Default: "mobilizon"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.settings.":mobilizon"."Mobilizon.Web.Endpoint".has_reverse_proxy

Whether you use a reverse proxy

Type: boolean or (raw elixir)

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.settings.":mobilizon"."Mobilizon.Web.Endpoint".http.ip

The IP address to listen on. Defaults to [::1] notated as a byte tuple.

Type: (elixir tuple) or (raw elixir)

Default:

{
  _elixirType = "tuple";
  value = [
    0
    0
    0
    0
    0
    0
    0
    1
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.settings.":mobilizon"."Mobilizon.Web.Endpoint".http.port

The port to run the server

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive) or (raw elixir)

Default: 4000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.mobilizon.settings.":mobilizon"."Mobilizon.Web.Endpoint".url.host

Your instance’s hostname for generating URLs throughout the app

Type: string or (raw elixir)

Default: ${settings.“:mobilizon”.“:instance”.hostname}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/mobilizon.nix>
services.molly-brown.enable

Whether to enable Molly-Brown Gemini server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/molly-brown.nix>
services.molly-brown.certPath

Path to TLS certificate. An ACME certificate and key may be shared with an HTTP server, but only if molly-brown has permissions allowing it to read such keys.

As an example:

systemd.services.molly-brown.serviceConfig.SupplementaryGroups =
  [ config.security.acme.certs."example.com".group ];

Type: path

Example: "/var/lib/acme/example.com/cert.pem"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/molly-brown.nix>
services.molly-brown.docBase

Base directory for Gemini content.

Type: path

Example: "/var/lib/molly-brown"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/molly-brown.nix>
services.molly-brown.hostName

The hostname to respond to requests for. Requests for URLs with other hosts will result in a status 53 (PROXY REQUEST REFUSED) response.

Type: string

Default: config.networking.hostName

Declared by:

<nixpkgs/nixos/modules/services/web-servers/molly-brown.nix>
services.molly-brown.keyPath

Path to TLS key. See CertPath.

Type: path

Example: "/var/lib/acme/example.com/key.pem"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/molly-brown.nix>
services.molly-brown.port

TCP port for molly-brown to bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1965

Declared by:

<nixpkgs/nixos/modules/services/web-servers/molly-brown.nix>
services.molly-brown.settings

molly-brown configuration. Refer to https://tildegit.org/solderpunk/molly-brown/src/branch/master/example.conf for details on supported values.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-servers/molly-brown.nix>
services.mollysocket.enable

Whether to enable MollySocket for getting Signal notifications via UnifiedPush .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/mollysocket.nix>
services.mollysocket.environmentFile

Environment file (see systemd.exec(5) “EnvironmentFile=” section for the syntax) passed to the service. This option can be used to safely include secrets in the configuration.

Type: null or path

Default: null

Example: "/run/secrets/mollysocket"

Declared by:

<nixpkgs/nixos/modules/services/misc/mollysocket.nix>
services.mollysocket.logLevel

Set the RUST_LOG environment variable

Type: string

Default: "info"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/misc/mollysocket.nix>
services.mollysocket.settings

Configuration for MollySocket. Available options are listed here.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/mollysocket.nix>
services.mollysocket.settings.allowed_endpoints

List of UnifiedPush servers

Type: list of string

Default:

[
  "*"
]

Example:

[
  "https://ntfy.sh"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/mollysocket.nix>
services.mollysocket.settings.allowed_uuids

UUIDs of Signal accounts that may use this server

Type: list of string

Default:

[
  "*"
]

Example:

[
  "abcdef-12345-tuxyz-67890"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/mollysocket.nix>
services.mollysocket.settings.host

Listening address of the web server

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/mollysocket.nix>
services.mollysocket.settings.port

Listening port of the web server

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8020

Declared by:

<nixpkgs/nixos/modules/services/misc/mollysocket.nix>
services.monado.enable

Whether to enable Monado user service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/monado.nix>
services.monado.package

The monado package to use.

Type: package

Default: pkgs.monado

Declared by:

<nixpkgs/nixos/modules/services/hardware/monado.nix>
services.monado.defaultRuntime

Whether to enable Monado as the default OpenXR runtime on the system.

Note that applications can bypass this option by setting an active runtime in a writable XDG_CONFIG_DIRS location like ~/.config.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/monado.nix>
services.monado.forceDefaultRuntime

Whether to ensure that Monado is the active runtime set for the current user.

This replaces the file XDG_CONFIG_HOME/openxr/1/active_runtime.json when starting the service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/monado.nix>
services.monado.highPriority

Whether to enable high priority capability for monado-service.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/monado.nix>
services.monero.enable

Whether to enable Monero node daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.dataDir

The directory where Monero stores its data files.

Type: string

Default: "/var/lib/monero"

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.exclusiveNodes

List of peer IP addresses to connect to only. If given the other peer options will be ignored.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.extraConfig

Extra lines to be added verbatim to monerod configuration.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.extraNodes

List of additional peer IP addresses to add to the local list.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.limits.download

Limit of the download rate in kB/s. Set to -1 to leave unlimited.

Type: signed integer

Default: -1

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.limits.syncSize

Maximum number of blocks to sync at once. Set to 0 for adaptive.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.limits.threads

Maximum number of threads used for a parallel job. Set to 0 to leave unlimited.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.limits.upload

Limit of the upload rate in kB/s. Set to -1 to leave unlimited.

Type: signed integer

Default: -1

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.mining.enable

Whether to mine monero.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.mining.address

Monero address where to send mining rewards.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.mining.threads

Number of threads used for mining. Set to 0 to use all available.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.priorityNodes

List of peer IP addresses to connect to and attempt to keep the connection open.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.rpc.address

IP address the RPC server will bind to.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.rpc.password

Password for RPC connections.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.rpc.port

Port the RPC server will bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 18081

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.rpc.restricted

Whether to restrict RPC to view only commands.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monero.rpc.user

User name for RPC connections.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/monero.nix>
services.monetdb.enable

Whether to enable the MonetDB database server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/monetdb.nix>
services.monetdb.package

The monetdb package to use.

Type: package

Default: pkgs.monetdb

Declared by:

<nixpkgs/nixos/modules/services/databases/monetdb.nix>
services.monetdb.dataDir

Data directory for the dbfarm.

Type: path

Default: "/var/lib/monetdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/monetdb.nix>
services.monetdb.group

Group under which MonetDB runs.

Type: string

Default: "monetdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/monetdb.nix>
services.monetdb.listenAddress

Address to listen on.

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/databases/monetdb.nix>
services.monetdb.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 50000

Declared by:

<nixpkgs/nixos/modules/services/databases/monetdb.nix>
services.monetdb.user

User account under which MonetDB runs.

Type: string

Default: "monetdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/monetdb.nix>
services.mongodb.enable

Whether to enable the MongoDB server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.enableAuth

Enable client authentication. Creates a default superuser with username root!

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.package

The mongodb package to use.

Type: package

Default: pkgs.mongodb

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.bind_ip

IP to bind to

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.dbpath

Location where MongoDB stores its files

Type: string

Default: "/var/db/mongodb"

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.extraConfig

MongoDB extra configuration in YAML format

Type: strings concatenated with “\n”

Default: ""

Example:

''
  storage.journal.enabled: false
''

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.initialRootPassword

Password for the root user if auth is enabled.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.initialScript

A file containing MongoDB statements to execute on first startup.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.pidFile

Location of MongoDB pid file

Type: string

Default: "/run/mongodb.pid"

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.quiet

quieter output

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.replSetName

If this instance is part of a replica set, set its name here. Otherwise, leave empty to run as single node.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.mongodb.user

User account under which MongoDB runs

Type: string

Default: "mongodb"

Declared by:

<nixpkgs/nixos/modules/services/databases/mongodb.nix>
services.monica.enable

Whether to enable monica.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.appKeyFile

A file containing the Laravel APP_KEY - a 32 character long, base64 encoded key used for encryption where needed. Can be generated with <code>head -c 32 /dev/urandom | base64</code>.

Type: path

Example: "/run/keys/monica-appkey"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.appURL

The root URL that you want to host monica on. All URLs in monica will be generated using this value. If you change this in the future you may need to run a command to update stored URLs in the database. Command example: <code>php artisan monica:update-url https://old.example.com https://new.example.com</code>

Type: string

Default: "http\${lib.optionalString tlsEnabled \"s\"}://\${cfg.hostname}"

Example: "https://example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.config

monica configuration options to set in the <filename>.env</filename> file.

Refer to <link xlink:href=“https://github.com/monicahq/monica”/> for details on supported values.

Settings containing secret data should be set to an attribute set containing the attribute <literal>_secret</literal> - a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting <filename>.env</filename> file, the <literal>OIDC_CLIENT_SECRET</literal> key will be set to the contents of the <filename>/run/keys/oidc_secret</filename> file.

Type: attribute set of (null or boolean or signed integer or 16 bit unsigned integer; between 0 and 65535 (both inclusive) or path or string or (submodule))

Default: { }

Example:

''
  {
    ALLOWED_IFRAME_HOSTS = "https://example.com";
    WKHTMLTOPDF = "/home/user/bins/wkhtmltopdf";
    AUTH_METHOD = "oidc";
    OIDC_NAME = "MyLogin";
    OIDC_DISPLAY_NAME_CLAIMS = "name";
    OIDC_CLIENT_ID = "monica";
    OIDC_CLIENT_SECRET = {_secret = "/run/keys/oidc_secret"};
    OIDC_ISSUER = "https://keycloak.example.com/auth/realms/My%20Realm";
    OIDC_ISSUER_DISCOVER = true;
  }
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.dataDir

monica data directory

Type: path

Default: "/var/lib/monica"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.database.name

Database name.

Type: string

Default: "monica"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.database.passwordFile

A file containing the password corresponding to <option>database.user</option>.

Type: null or path

Default: null

Example: "/run/keys/monica-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.database.user

Database username.

Type: string

Default: user

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.group

Group monica runs as.

Type: string

Default: "monica"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.hostname

The hostname to serve monica on.

Type: string

Default: config.networking.fqdn

Example: "monica.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.mail.driver

Mail driver to use.

Type: one of “smtp”, “sendmail”

Default: "smtp"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.mail.encryption

SMTP encryption mechanism to use.

Type: null or value “tls” (singular enum)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.mail.from

Mail “from” email.

Type: string

Default: "mail@monica.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.mail.fromName

Mail “from” name.

Type: string

Default: "monica"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.mail.host

Mail host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.mail.passwordFile

A file containing the password corresponding to <option>mail.user</option>.

Type: null or path

Default: null

Example: "/run/keys/monica-mailpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.mail.port

Mail host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1025

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.mail.user

Mail username.

Type: null or string

Default: null

Example: "monica"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.maxUploadSize

The maximum size for uploads (e.g. images).

Type: string

Default: "18M"

Example: "1G"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx

With this option, you can customize the nginx virtualHost settings.

Type: submodule

Default: { }

Example:

''
  {
    serverAliases = [
      "monica.''${config.networking.domain}"
    ];
    # To enable encryption and let let's encrypt take care of certificate
    forceSSL = true;
    enableACME = true;
  }
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.poolConfig

Options for the monica PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monica.user

User monica runs as.

Type: string

Default: "monica"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/monica.nix>
services.monit.enable

Whether to enable Monit.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/monit.nix>
services.monit.config

monitrc content

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/monit.nix>
services.moodle.enable

Whether to enable Moodle web application.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.package

The moodle package to use.

Type: package

Default: pkgs.moodle

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.database.name

Database name.

Type: string

Default: "moodle"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/moodle-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.database.socket

Path to the unix socket file to use for authentication.

Type: null or path

Default: /run/mysqld/mysqld.sock

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.database.type

Database engine to use.

Type: one of “mysql”, “pgsql”

Default: "mysql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.database.user

Database user.

Type: string

Default: "moodle"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.extraConfig

Any additional text to be appended to the config.php configuration file. This is a PHP script. For configuration details, see https://docs.moodle.org/37/en/Configuration_file.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  $CFG->disableupdatenotifications = true;
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.initialPassword

Specifies the initial password for the admin, i.e. the password assigned if the user does not already exist. The password specified here is world-readable in the Nix store, so it should be changed promptly.

Type: string

Example: "correcthorsebatterystaple"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.poolConfig

Options for the Moodle PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost

Apache configuration can be done by adapting services.httpd.virtualHosts. See services.httpd.virtualHosts for further information.

Type: submodule

Example:

{
  hostName = "moodle.example.org";
  adminAddr = "webmaster@example.org";
  forceSSL = true;
  enableACME = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.enableUserDir

Whether to enable serving ~/public_html as /~«username».

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.acmeRoot

Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.adminAddr

E-mail address of the server administrator.

Type: null or string

Default: null

Example: "admin@example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.documentRoot

The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.extraConfig

These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  <Directory /home>
    Options FollowSymlinks
    AllowOverride All
  </Directory>
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.forceSSL

Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.globalRedirect

If set, all requests for this host are redirected permanently to the given URL.

Type: null or string

Default: null

Example: "http://newserver.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.hostName

Canonical hostname for the server.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.http2

Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config for details.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.listen

Listen addresses and ports for this virtual host.

Note

This option overrides addSSL, forceSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    ip = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    ip = "192.154.1.1";
    port = 80;
  }
  {
    ip = "*";
    port = 8080;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.listen.*.ip

IP to listen on. 0.0.0.0 for IPv4 only, * for all.

Type: string

Default: "*"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.listen.*.port

Port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.listen.*.ssl

Whether to enable SSL (https) support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Type: non-empty (list of string)

Default:

[
  "*"
]

Example:

[
  "127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.locations

Declarative location config. See https://httpd.apache.org/docs/2.4/mod/core.html#location for details.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
  "/foo/bar.png" = {
    alias = "/home/eelco/some-file.png";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.locations.<name>.alias

Alias directory for requests. See https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.locations.<name>.index

Adds DirectoryIndex directive. See https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.locations.<name>.proxyPass

Sets up a simple reverse proxy as described by https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.logFormat

Log format for Apache’s log files. Possible values are: combined, common, referer, agent.

Type: string

Default: "common"

Example: "combined"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.robotsEntries

Specification of pages to be ignored by web crawlers. See http://www.robotstxt.org/ for details.

Type: strings concatenated with “\n”

Default: ""

Example: "Disallow: /foo/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.servedDirs

This option provides a simple way to serve static directories.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    dir = "/home/eelco/Dev/nix-homepage";
    urlPath = "/nix";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.servedFiles

This option provides a simple way to serve individual, static files.

Note

This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the locations.<name>.alias option.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    file = "/home/eelco/some-file.png";
    urlPath = "/foo/bar.png";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "www.example.org:8080"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.sslServerCert

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.sslServerChain

Path to server SSL chain file.

Type: null or path

Default: null

Example: "/var/ca.pem"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.sslServerKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moodle.virtualHost.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/moodle.nix>
services.moonraker.enable

Whether to enable Moonraker, an API web server for Klipper.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/moonraker.nix>
services.moonraker.package

The moonraker package to use.

Type: null or package

Default: pkgs.moonraker

Example: moonraker.override { useGpiod = true; }

Declared by:

<nixpkgs/nixos/modules/services/misc/moonraker.nix>
services.moonraker.address

The IP or host to listen on.

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/moonraker.nix>
services.moonraker.allowSystemControl

Whether to allow Moonraker to perform system-level operations.

Moonraker exposes APIs to perform system-level operations, such as reboot, shutdown, and management of systemd units. See the documentation for details on what clients are able to do.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/moonraker.nix>
services.moonraker.configDir

Deprecated directory containing client-writable configuration files.

Clients will be able to edit files in this directory via the API. This directory must be writable.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/moonraker.nix>
services.moonraker.group

Group account under which Moonraker runs.

Type: string

Default: "moonraker"

Declared by:

<nixpkgs/nixos/modules/services/misc/moonraker.nix>
services.moonraker.klipperSocket

Path to Klipper’s API socket.

Type: path

Default: config.services.klipper.apiSocket

Declared by:

<nixpkgs/nixos/modules/services/misc/moonraker.nix>
services.moonraker.port

The port to listen on.

Type: unsigned integer, meaning >=0

Default: 7125

Declared by:

<nixpkgs/nixos/modules/services/misc/moonraker.nix>
services.moonraker.settings

Configuration for Moonraker. See the documentation for supported values.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a non-empty list of them)

Default: { }

Example:

{
  authorization = {
    cors_domains = [
      "https://app.fluidd.xyz"
      "https://my.mainsail.xyz"
    ];
    trusted_clients = [
      "10.0.0.0/24"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/moonraker.nix>
services.moonraker.stateDir

The directory containing the Moonraker databases.

Type: path

Default: "/var/lib/moonraker"

Declared by:

<nixpkgs/nixos/modules/services/misc/moonraker.nix>
services.moonraker.user

User account under which Moonraker runs.

Type: string

Default: "moonraker"

Declared by:

<nixpkgs/nixos/modules/services/misc/moonraker.nix>
services.moosefs.chunkserver.enable

Whether to enable Moosefs chunkserver daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.chunkserver.hdds

Mount points to be used by chunkserver for storage (see mfshdd.cfg).

Type: list of string

Default: null

Example:

[
  "/mnt/hdd1"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.chunkserver.openFirewall

Whether to automatically open the necessary ports in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.chunkserver.settings

Contents of chunkserver config file (mfschunkserver.cfg).

Type: attribute set of (Flat key-value file)

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.chunkserver.settings.DATA_PATH

Directory for lock file.

Type: string

Default: "/var/lib/mfs"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.client.enable

Whether to enable Moosefs client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.master.enable

Enable Moosefs master daemon.

You need to run mfsmaster-init on a freshly installed master server to initialize the DATA_PATH directory.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.master.exports

Paths to export (see mfsexports.cfg).

Type: list of string

Default: null

Example:

[
  "* / rw,alldirs,admin,maproot=0:0"
  "* . rw"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.master.openFirewall

Whether to automatically open the necessary ports in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.master.settings

Contents of config file (mfsmaster.cfg).

Type: attribute set of (Flat key-value file)

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.master.settings.DATA_PATH

Data storage directory.

Type: string

Default: "/var/lib/mfs"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.masterHost

IP or DNS name of master host.

Type: string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.metalogger.enable

Whether to enable Moosefs metalogger daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.metalogger.settings

Contents of metalogger config file (mfsmetalogger.cfg).

Type: attribute set of (Flat key-value file)

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.metalogger.settings.DATA_PATH

Data storage directory

Type: string

Default: "/var/lib/mfs"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.moosefs.runAsUser

Run daemons as user moosefs instead of root.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/moosefs.nix>
services.mopidy.enable

Whether to enable Mopidy, a music player daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/mopidy.nix>
services.mopidy.configuration

The configuration that Mopidy should use.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/audio/mopidy.nix>
services.mopidy.dataDir

The directory where Mopidy stores its state.

Type: string

Default: "/var/lib/mopidy"

Declared by:

<nixpkgs/nixos/modules/services/audio/mopidy.nix>
services.mopidy.extensionPackages

Mopidy extensions that should be loaded by the service.

Type: list of package

Default: [ ]

Example: [ pkgs.mopidy-spotify ]

Declared by:

<nixpkgs/nixos/modules/services/audio/mopidy.nix>
services.mopidy.extraConfigFiles

Extra config file read by Mopidy when the service starts. Later files in the list overrides earlier configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/audio/mopidy.nix>
services.morty.enable

Whether to enable Morty proxy server. See https://github.com/asciimoo/morty.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/morty.nix>
services.morty.package

The morty package to use.

Type: package

Default: pkgs.morty

Declared by:

<nixpkgs/nixos/modules/services/networking/morty.nix>
services.morty.ipv6

Allow IPv6 HTTP requests?

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/morty.nix>
services.morty.key

HMAC url validation key (hexadecimal encoded). Leave blank to disable. Without validation key, anyone can submit proxy requests. Leave blank to disable. Generate with printf %s somevalue | openssl dgst -sha1 -hmac somekey

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/morty.nix>
services.morty.listenAddress

The address on which the service listens

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/morty.nix>
services.morty.port

Listing port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/networking/morty.nix>
services.morty.timeout

Request timeout in seconds.

Type: signed integer

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/networking/morty.nix>
services.mosquitto.enable

Whether to enable the MQTT Mosquitto broker.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.package

The mosquitto package to use.

Type: package

Default: pkgs.mosquitto

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.bridges

Bridges to build to other MQTT brokers.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.bridges.<name>.addresses

Remote endpoints for the bridge.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.bridges.<name>.addresses.*.address

Address of the remote MQTT broker.

Type: single-line string

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.bridges.<name>.addresses.*.port

Port of the remote MQTT broker.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1883

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.bridges.<name>.settings

Additional settings for this bridge.

Type: attribute set of (string, path, bool, or integer)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.bridges.<name>.topics

Topic patterns to be shared between the two brokers. Refer to the mosquitto.conf documentation for details on the format.

Type: list of single-line string

Default: [ ]

Example:

[
  "# both 2 local/topic/ remote/topic/"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.dataDir

The data directory.

Type: path

Default: "/var/lib/mosquitto"

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.includeDirs

Directories to be scanned for further config files to include. Directories will processed in the order given, *.conf files in the directory will be read in case-sensitive alphabetical order.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners

Listeners to configure on this broker.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.acl

Additional ACL items to prepend to the generated ACL file.

Type: list of single-line string

Default: [ ]

Example:

[
  "pattern read #"
  "topic readwrite anon/report/#"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.address

Address to listen on. Listen on 0.0.0.0/:: when unset.

Type: null or single-line string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.authPlugins

Authentication plugin to attach to this listener. Refer to the mosquitto.conf documentation for details on authentication plugins.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.authPlugins.*.denySpecialChars

Automatically disallow all clients using # or + in their name/id.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.authPlugins.*.options

Options for the auth plugin. Each key turns into a auth_opt_* line in the config.

Type: attribute set of (string, path, bool, or integer)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.authPlugins.*.plugin

Plugin path to load, should be a .so file.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.omitPasswordAuth

Omits password checking, allowing anyone to log in with any user name unless other mandatory authentication methods (eg TLS client certificates) are configured.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.port

Port to listen on. Must be set to 0 to listen on a unix domain socket.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1883

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.settings

Additional settings for this listener.

Type: attribute set of (string, path, bool, or integer)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.users

A set of users and their passwords and ACLs.

Type: attribute set of (submodule)

Default: { }

Example:

{
  john = {
    acl = [
      "readwrite john/#"
    ];
    password = "123456";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.users.<name>.acl

Control client access to topics on the broker.

Type: list of single-line string

Default: [ ]

Example:

[
  "read A/B"
  "readwrite A/#"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.users.<name>.hashedPassword

Specifies the hashed password for the MQTT User. To generate hashed password install the mosquitto package and use mosquitto_passwd, then extract the second field (after the :) from the generated file.

Type: null or single-line string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.users.<name>.hashedPasswordFile

Specifies the path to a file containing the hashed password for the MQTT user. To generate hashed password install the mosquitto package and use mosquitto_passwd, then remove the username: prefix from the generated file. The file is securely passed to mosquitto by leveraging systemd credentials. No special permissions need to be set on this file.

Type: null or path

Default: null

Example: "/path/to/file"

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.users.<name>.password

Specifies the (clear text) password for the MQTT User.

Type: null or single-line string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.listeners.*.users.<name>.passwordFile

Specifies the path to a file containing the clear text password for the MQTT user. The file is securely passed to mosquitto by leveraging systemd credentials. No special permissions need to be set on this file.

Type: null or path

Default: null

Example: "/path/to/file"

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.logDest

Destinations to send log messages to.

Type: list of (path or one of “stdout”, “stderr”, “syslog”, “topic”, “dlt”)

Default:

[
  "stderr"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.logType

Types of messages to log.

Type: list of (one of “debug”, “error”, “warning”, “notice”, “information”, “subscribe”, “unsubscribe”, “websockets”, “none”, “all”)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.persistence

Enable persistent storage of subscriptions and messages.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.mosquitto.settings

Global configuration options for the mosquitto broker.

Type: attribute set of (string, path, bool, or integer)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/mosquitto.nix>
services.movim.enable

Whether to enable a Movim instance.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.package

The movim package to use.

Type: package

Default: pkgs.movim

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.dataDir

State directory of the movim user which holds the application’s state & data.

Type: non-empty string

Default: "/var/lib/movim"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.database.createLocally

local database using UNIX socket authentication

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.database.name

Database name.

Type: string

Default: "movim"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.database.type

Database engine to use.

Type: one of “mysql”, “postgresql”

Default: "postgresql"

Example: "mysql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.database.user

Database username.

Type: string

Default: "movim"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.debug

Debugging logs.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.domain

Fully-qualified domain name (FQDN) for the Movim instance.

Type: non-empty string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.group

Group running Movim service

Type: non-empty string

Default: "movim"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.logDir

Log directory of the movim user which holds the application’s logs.

Type: non-empty string

Default: "/var/log/movim"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.minifyStaticFiles

Do minification on public static files

Type: boolean or (submodule)

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx

With this option, you can customize an nginx virtual host which already has sensible defaults for Movim. Set to { } if you do not need any customization to the virtual host. If enabled, then by default, the serverName is ${domain}, If this is set to null (the default), no nginx virtualHost will be configured.

Type: null or (submodule)

Default: null

Example:

{
  serverAliases = [
    "pics.${config.networking.domain}"
  ];
  enableACME = true;
  forceHttps = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.phpCfg

Extra PHP INI options such as memory_limit, max_execution_time, etc.

Type: attribute set of (signed integer or string or boolean)

Default:

{
  error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
  "opcache.enable_cli" = 1;
  "opcache.fast_shutdown" = 1;
  "opcache.interned_strings_buffer" = 8;
  "opcache.max_accelerated_files" = 6144;
  "opcache.memory_consumption" = 128;
  "opcache.revalidate_freq" = 2;
  output_buffering = 0;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.phpPackage

The php package to use.

Type: package

Default: pkgs.php

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.podConfig

Pod configuration (values from php daemon.php config --help). Note that these values will now be disabled in the admin panel.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.podConfig.chatonly

Disable all the social feature (Communities, Blog…) and keep only the chat ones

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.podConfig.description

General description of the instance

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.podConfig.disableregistration

Remove the XMPP registration flow and buttons from the interface

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.podConfig.info

Content of the info box on the login page

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.podConfig.locale

The server main locale

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.podConfig.loglevel

The server loglevel

Type: null or integer between 0 and 3 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.podConfig.restrictsuggestions

Only suggest chatrooms, Communities and other contents that are available on the user XMPP server and related services

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.podConfig.timezone

The server timezone

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.podConfig.xmppdescription

The default XMPP server description

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.podConfig.xmppdomain

The default XMPP server domain

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.podConfig.xmppwhitelist

The allowlisted XMPP servers

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.poolConfig

Options for Movim’s PHP-FPM pool.

Type: attribute set of (signed integer or string or boolean)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.port

Movim daemon port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.precompressStaticFiles

Aggressively precompress static files

Type: submodule

Default:

{
  brotli = {
    enable = true;
  };
  gzip = {
    enable = false;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.precompressStaticFiles.brotli.enable

Whether to enable Brotli precompression.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.precompressStaticFiles.brotli.package

The brotli package to use.

Type: package

Default: pkgs.brotli

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.precompressStaticFiles.brotli.compressionLevel

Brotli compression level

Type: integer between 0 and 11 (both inclusive)

Default: 11

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.precompressStaticFiles.gzip.enable

Whether to enable Gzip precompression.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.precompressStaticFiles.gzip.package

The gzip package to use.

Type: package

Default: pkgs.gzip

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.precompressStaticFiles.gzip.compressionLevel

Gzip compression level

Type: integer between 1 and 9 (both inclusive)

Default: 9

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.runtimeDir

Runtime directory of the movim user which holds the application’s caches & temporary files.

Type: non-empty string

Default: "/run/movim"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.secretFile

The secret file to be sourced for the .env settings.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.settings

.env settings for Movim. Secrets should use secretFile option instead. nulls will be culled.

Type: attribute set of (null or signed integer or string or boolean)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.user

User running Movim service

Type: non-empty string

Default: "movim"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.movim.verbose

Verbose logs.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/movim.nix>
services.mozillavpn.enable

Whether to enable Mozilla VPN daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mozillavpn.nix>
services.mpd.enable

Whether to enable MPD, the music player daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.credentials

Credentials and permissions for accessing the mpd server.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    passwordFile = "/var/lib/secrets/mpd_readonly_password";
    permissions = [
      "read"
    ];
  }
  {
    passwordFile = "/var/lib/secrets/mpd_admin_password";
    permissions = [
      "read"
      "add"
      "control"
      "admin"
    ];
  }
]

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.credentials.*.passwordFile

Path to file containing the password.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.credentials.*.permissions

List of permissions that are granted with this password. Permissions can be “read”, “add”, “control”, “admin”.

Type: list of (one of “read”, “add”, “control”, “admin”)

Default:

[
  "read"
]

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.dataDir

The directory where MPD stores its state, tag cache, playlists etc. If left as the default value this directory will automatically be created before the MPD server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path

Default: "/var/lib/mpd"

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.dbFile

The path to MPD’s database. If set to null the parameter is omitted from the configuration.

Type: null or string

Default: "${dataDir}/tag_cache"

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.extraConfig

Extra directives added to to the end of MPD’s configuration file, mpd.conf. Basic configuration like file location and uid/gid is added automatically to the beginning of the file. For available options see mpd.conf(5).

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.fluidsynth

If set, add fluidsynth soundfont and configure the plugin.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.group

Group account under which MPD runs.

Type: string

Default: "mpd"

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.musicDirectory

The directory or NFS/SMB network share where MPD reads music from. If left as the default value this directory will automatically be created before the MPD server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path or string matching the pattern (http|https|nfs|smb)://.+

Default: "${dataDir}/music"

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.network.listenAddress

The address for the daemon to listen on. Use any to listen on all addresses.

Type: string

Default: "127.0.0.1"

Example: "any"

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.network.port

This setting is the TCP port that is desired for the daemon to get assigned to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6600

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.playlistDirectory

The directory where MPD stores playlists. If left as the default value this directory will automatically be created before the MPD server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path

Default: "${dataDir}/playlists"

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.startWhenNeeded

If set, mpd is socket-activated; that is, instead of having it permanently running as a daemon, systemd will start it on the first incoming connection.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpd.user

User account under which MPD runs.

Type: string

Default: "mpd"

Declared by:

<nixpkgs/nixos/modules/services/audio/mpd.nix>
services.mpdscribble.enable

Whether to enable mpdscribble, an MPD client which submits info about tracks being played to Last.fm (formerly AudioScrobbler).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/mpdscribble.nix>
services.mpdscribble.endpoints

Endpoints to scrobble to. If the endpoint is one of “jamendo”, “last.fm”, “libre.fm”, “listenbrainz” the url is set automatically.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "last.fm" = {
    passwordFile = "/run/secrets/lastfm_password";
    username = "foo";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/audio/mpdscribble.nix>
services.mpdscribble.endpoints.<name>.passwordFile

File containing the password, either as MD5SUM or cleartext.

Type: null or string

Declared by:

<nixpkgs/nixos/modules/services/audio/mpdscribble.nix>
services.mpdscribble.endpoints.<name>.url

The url endpoint where the scrobble API is listening.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/audio/mpdscribble.nix>
services.mpdscribble.endpoints.<name>.username

Username for the scrobble service.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/audio/mpdscribble.nix>
services.mpdscribble.host

Host for the mpdscribble daemon to search for a mpd daemon on.

Type: string

Default:

if config.services.mpd.network.listenAddress != "any"
then config.services.mpd.network.listenAddress
else "localhost"

Declared by:

<nixpkgs/nixos/modules/services/audio/mpdscribble.nix>
services.mpdscribble.journalInterval

How often should mpdscribble save the journal file? [seconds]

Type: signed integer

Default: 600

Example: 60

Declared by:

<nixpkgs/nixos/modules/services/audio/mpdscribble.nix>
services.mpdscribble.passwordFile

File containing the password for the mpd daemon. If there is a local mpd configured using services.mpd.credentials the default is automatically set to a matching passwordFile of the local mpd.

Type: null or string

Default: The first password file with read access configured for MPD when using a local instance, otherwise null.

Declared by:

<nixpkgs/nixos/modules/services/audio/mpdscribble.nix>
services.mpdscribble.port

Port for the mpdscribble daemon to search for a mpd daemon on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: config.services.mpd.network.port

Declared by:

<nixpkgs/nixos/modules/services/audio/mpdscribble.nix>
services.mpdscribble.proxy

HTTP proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/audio/mpdscribble.nix>
services.mpdscribble.verbose

Log level for the mpdscribble daemon.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/audio/mpdscribble.nix>
services.mqtt2influxdb.enable

Whether to enable BigClown MQTT to InfluxDB bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.package

The mqtt2influxdb package to use.

Type: package

Default: pkgs.python3Packages.mqtt2influxdb

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.environmentFiles

File to load as environment file. Environment variables from this file will be interpolated into the config file using envsubst with this syntax: $ENVIRONMENT or ${VARIABLE}. This is useful to avoid putting secrets into the nix store.

Type: list of path

Default: [ ]

Example:

[
  "/run/keys/mqtt2influxdb.env"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.influxdb.database

Name of the InfluxDB database.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.influxdb.host

Host where InfluxDB server is running.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.influxdb.password

Password for InfluxDB login.

It is highly suggested to use here replacement through environmentFiles as otherwise the password is put world readable to the store.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.influxdb.port

InfluxDB server port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8086

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.influxdb.ssl

Use SSL to connect to the InfluxDB server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.influxdb.username

Username for InfluxDB login.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.influxdb.verify_ssl

Verify SSL certificate when connecting to the InfluxDB server.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.mqtt.cafile

Certification Authority file for MQTT

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.mqtt.certfile

Certificate file for MQTT

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.mqtt.host

Host where MQTT server is running.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.mqtt.keyfile

Key file for MQTT

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.mqtt.password

MQTT password.

It is highly suggested to use here replacement through environmentFiles as otherwise the password is put world readable to the store.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.mqtt.port

MQTT server port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1883

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.mqtt.username

Username used to connect to the MQTT server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.points

Points to bridge from MQTT to InfluxDB.

Type: list of (submodule)

Default:

[
  {
    fields = {
      value = "$.payload";
    };
    measurement = "temperature";
    tags = {
      channel = "$.topic[3]";
      id = "$.topic[1]";
    };
    topic = "node/+/thermometer/+/temperature";
  }
  {
    fields = {
      value = "$.payload";
    };
    measurement = "relative-humidity";
    tags = {
      channel = "$.topic[3]";
      id = "$.topic[1]";
    };
    topic = "node/+/hygrometer/+/relative-humidity";
  }
  {
    fields = {
      value = "$.payload";
    };
    measurement = "illuminance";
    tags = {
      id = "$.topic[1]";
    };
    topic = "node/+/lux-meter/0:0/illuminance";
  }
  {
    fields = {
      value = "$.payload";
    };
    measurement = "pressure";
    tags = {
      id = "$.topic[1]";
    };
    topic = "node/+/barometer/0:0/pressure";
  }
  {
    fields = {
      value = "$.payload";
    };
    measurement = "co2";
    tags = {
      id = "$.topic[1]";
    };
    topic = "node/+/co2-meter/-/concentration";
  }
  {
    fields = {
      value = "$.payload";
    };
    measurement = "voltage";
    tags = {
      id = "$.topic[1]";
    };
    topic = "node/+/battery/+/voltage";
  }
  {
    fields = {
      value = "$.payload";
    };
    measurement = "button";
    tags = {
      channel = "$.topic[3]";
      id = "$.topic[1]";
    };
    topic = "node/+/push-button/+/event-count";
  }
  {
    fields = {
      value = "$.payload";
    };
    measurement = "tvoc";
    tags = {
      id = "$.topic[1]";
    };
    topic = "node/+/voc-lp-sensor/0:0/tvoc";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.points.*.fields

Field selector.

Type: submodule

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.points.*.fields.type

Type to be picked up

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.points.*.fields.value

Value to be picked up

Type: string

Default: "$.payload"

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.points.*.measurement

Name of the measurement

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.points.*.tags

Tags applied

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mqtt2influxdb.points.*.topic

MQTT topic to subscribe to.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/mqtt2influxdb.nix>
services.mstpd.enable

Whether to enable the multiple spanning tree protocol daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/mstpd.nix>
services.mtprotoproxy.enable

Whether to enable mtprotoproxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mtprotoproxy.nix>
services.mtprotoproxy.adTag

Tag for advertising that can be obtained from @MTProxybot.

Type: null or string

Default: null

Example: "3c09c680b76ee91a4c25ad51f742267d"

Declared by:

<nixpkgs/nixos/modules/services/networking/mtprotoproxy.nix>
services.mtprotoproxy.extraConfig

Extra configuration options for mtprotoproxy.

Type: attribute set

Default: { }

Example:

{
  STATS_PRINT_PERIOD = 600;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/mtprotoproxy.nix>
services.mtprotoproxy.port

TCP port to accept mtproto connections on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3256

Declared by:

<nixpkgs/nixos/modules/services/networking/mtprotoproxy.nix>
services.mtprotoproxy.secureOnly

Don’t allow users to connect in non-secure mode (without random padding).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mtprotoproxy.nix>
services.mtprotoproxy.users

Allowed users and their secrets. A secret is a 32 characters long hex string.

Type: attribute set of string

Example:

{
  tg = "00000000000000000000000000000000";
  tg2 = "0123456789abcdef0123456789abcdef";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/mtprotoproxy.nix>
services.mtr-exporter.enable

Whether to enable a Prometheus exporter for MTR.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mtr-exporter.nix>
services.mtr-exporter.package

The mtr-exporter package to use.

Type: package

Default: pkgs.mtr-exporter

Declared by:

<nixpkgs/nixos/modules/services/networking/mtr-exporter.nix>
services.mtr-exporter.address

Listen address for MTR exporter.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/mtr-exporter.nix>
services.mtr-exporter.extraFlags

Extra command line options to pass to MTR exporter.

Type: list of string

Default: [ ]

Example:

[
  "-flag.deprecatedMetrics"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/mtr-exporter.nix>
services.mtr-exporter.jobs

List of MTR jobs. Will be added to /etc/mtr-exporter.conf

Type: non-empty (list of (submodule))

Declared by:

<nixpkgs/nixos/modules/services/networking/mtr-exporter.nix>
services.mtr-exporter.jobs.*.address

Target address for MTR client.

Type: string

Example: "host.example.org:1234"

Declared by:

<nixpkgs/nixos/modules/services/networking/mtr-exporter.nix>
services.mtr-exporter.jobs.*.flags

Additional flags to pass to MTR.

Type: list of string

Default: [ ]

Example:

[
  "-G1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/mtr-exporter.nix>
services.mtr-exporter.jobs.*.name

Name of ICMP pinging job.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/mtr-exporter.nix>
services.mtr-exporter.jobs.*.schedule

Schedule of MTR checks. Also accepts Cron format.

Type: string

Default: "@every 60s"

Example: "@hourly"

Declared by:

<nixpkgs/nixos/modules/services/networking/mtr-exporter.nix>
services.mtr-exporter.mtrPackage

The mtr package to use.

Type: package

Default: pkgs.mtr

Declared by:

<nixpkgs/nixos/modules/services/networking/mtr-exporter.nix>
services.mtr-exporter.port

Listen port for MTR exporter.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/networking/mtr-exporter.nix>
services.mullvad-vpn.enable

This option enables Mullvad VPN daemon. This sets networking.firewall.checkReversePath to “loose”, which might be undesirable for security.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/mullvad-vpn.nix>
services.mullvad-vpn.enableExcludeWrapper

This option activates the wrapper that allows the use of mullvad-exclude. Might have minor security impact, so consider disabling if you do not use the feature.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mullvad-vpn.nix>
services.mullvad-vpn.package

The mullvad package to use. pkgs.mullvad only provides the CLI tool, pkgs.mullvad-vpn provides both the CLI and the GUI.

Type: package

Default: pkgs.mullvad

Example: mullvad-vpn

Declared by:

<nixpkgs/nixos/modules/services/networking/mullvad-vpn.nix>
services.multipath.enable

Whether to enable the device mapper multipath (DM-MP) daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.package

The multipath-tools package to use.

Type: package

Default: pkgs.multipath-tools

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.blacklist

This section defines which devices should be excluded from the multipath topology discovery.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.blacklist_exceptions

This section defines which devices should be included in the multipath topology discovery, despite being listed in the blacklist section.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.defaults

This section defines default values for attributes which are used whenever no values are given in the appropriate device or multipath sections.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices

This option allows you to define arrays for use in multipath groups.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    vendor = "\"COMPELNT\"";
    product = "\"Compellent Vol\"";
    path_checker = "tur";
    no_path_retry = "queue";
    max_sectors_kb = 256;
  }, ...
]

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.alias_prefix

The user_friendly_names prefix to use for this device type, instead of the default mpath

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.all_tg_pt

Set the ‘all targets ports’ flag when registering keys with mpathpersist

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.deferred_remove

If set to “yes”, multipathd will do a deferred remove instead of a regular remove when the last path device has been deleted. This means that if the multipath device is still in use, it will be freed when the last user closes it. If path is added to the multipath device before the last user closes it, the deferred remove will be canceled.

Type: null or one of “yes”, “no”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.delay_wait_checks

This option is deprecated, and mapped to san_path_err_recovery_time

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.delay_watch_checks

This option is deprecated, and mapped to san_path_err_forget_rate

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.detect_checker

If set to “yes”, multipath will try to detect if the device supports SCSI-3 ALUA. If so, the device will automatically use the tur checker. If set to “no”, the checker will be selected as usual.

Type: null or one of “yes”, “no”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.detect_prio

If set to “yes”, multipath will try to detect if the device supports SCSI-3 ALUA. If so, the device will automatically use the sysfs prioritizer if the required sysf attributes access_state and preferred_path are supported, or the alua prioritizer if not. If set to “no”, the prioritizer will be selected as usual.

Type: null or one of “yes”, “no”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.dev_loss_tmo

Specify the number of seconds the SCSI layer will wait after a problem has been detected on a FC remote port before removing it from the system. This can be set to “infinity” which sets it to the max value of 2147483647 seconds, or 68 years. It will be automatically adjusted to the overall retry interval no_path_retry * polling_interval if a number of retries is given with no_path_retry and the overall retry interval is longer than the specified dev_loss_tmo value. The Linux kernel will cap this value to 600 if fast_io_fail_tmo is not set.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.failback

Tell multipathd how to manage path group failback. Quote integers as strings

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.fast_io_fail_tmo

Specify the number of seconds the SCSI layer will wait after a problem has been detected on a FC remote port before failing I/O to devices on that remote port. This should be smaller than dev_loss_tmo. Setting this to “off” will disable the timeout. Quote integers as strings.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.features

Specify any device-mapper features to be used

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.flush_on_last_del

If set to “yes” multipathd will disable queueing when the last path to a device has been deleted.

Type: null or one of “yes”, “no”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.getuid_callout

(Superseded by uid_attribute) The default program and args to callout to obtain a unique path identifier. Should be specified with an absolute path.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.ghost_delay

Sets the number of seconds that multipath will wait after creating a device with only ghost paths before marking it ready for use in systemd

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.hardware_handler

The hardware handler to use for this device type

Type: null or one of “emc”, “rdac”, “hp_sw”, “alua”, “ana”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.marginal_path_double_failed_time

One of the four parameters of supporting path check based on accounting IO error such as intermittent error

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.marginal_path_err_rate_threshold

The error rate threshold as a permillage (1/1000)

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.marginal_path_err_recheck_gap_time

One of the four parameters of supporting path check based on accounting IO error such as intermittent error

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.marginal_path_err_sample_time

One of the four parameters of supporting path check based on accounting IO error such as intermittent error

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.max_sectors_kb

Sets the max_sectors_kb device parameter on all path devices and the multipath device to the specified value

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.no_path_retry

Specify what to do when all paths are down. Quote integers as strings

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.path_checker

The default method used to determine the paths state

Type: one of “readsector0”, “tur”, “emc_clariion”, “hp_sw”, “rdac”, “directio”, “cciss_tur”, “none”

Default: "tur"

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.path_grouping_policy

The default path grouping policy to apply to unspecified multipaths

Type: null or one of “failover”, “multibus”, “group_by_serial”, “group_by_prio”, “group_by_node_name”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.path_selector

The default path selector algorithm to use; they are offered by the kernel multipath target

Type: null or one of "“round-robin 0"”, "“queue-length 0"”, "“service-time 0"”, "“historical-service-time 0"”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.prio

The name of the path priority routine

Type: null or one of “none”, “const”, “sysfs”, “emc”, “alua”, “ontap”, “rdac”, “hp_sw”, “hds”, “random”, “weightedpath”, “path_latency”, “ana”, “datacore”, “iet”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.prio_args

Arguments to pass to to the prio function

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.product

Regular expression to match the product name

Type: string

Example: "Compellent Vol"

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.product_blacklist

Products with the given vendor matching this string are blacklisted

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.revision

Regular expression to match the product revision

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.rr_min_io

Number of I/O requests to route to a path before switching to the next in the same path group. This is only for Block I/O (BIO) based multipath and only apply to round-robin path_selector.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.rr_min_io_rq

Number of I/O requests to route to a path before switching to the next in the same path group. This is only for Request based multipath and only apply to round-robin path_selector.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.rr_weight

If set to priorities the multipath configurator will assign path weights as “path prio * rr_min_io”.

Type: null or one of “priorities”, “uniform”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.san_path_err_forget_rate

If set to a value greater than 0, multipathd will check whether the path failures has exceeded the san_path_err_threshold within this many checks i.e san_path_err_forget_rate. If so we will not reinstante the path till san_path_err_recovery_time.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.san_path_err_recovery_time

If set to a value greater than 0, multipathd will make sure that when path failures has exceeded the san_path_err_threshold within san_path_err_forget_rate then the path will be placed in failed state for san_path_err_recovery_time duration. Once san_path_err_recovery_time has timeout we will reinstante the failed path. san_path_err_recovery_time value should be in secs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.san_path_err_threshold

If set to a value greater than 0, multipathd will watch paths and check how many times a path has been failed due to errors.If the number of failures on a particular path is greater then the san_path_err_threshold, then the path will not reinstate till san_path_err_recovery_time. These path failures should occur within a san_path_err_forget_rate checks, if not we will consider the path is good enough to reinstantate.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.skip_kpartx

If set to yes, kpartx will not automatically create partitions on the device

Type: null or one of “yes”, “no”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.uid_attribute

The udev attribute providing a unique path identifier (WWID)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.user_friendly_names

If set to “yes”, using the bindings file /etc/multipath/bindings to assign a persistent and unique alias to the multipath, in the form of mpath. If set to “no” use the WWID as the alias. In either case this be will be overridden by any specific aliases in the multipaths section.

Type: null or one of “yes”, “no”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.vendor

Regular expression to match the vendor name

Type: string

Example: "COMPELNT"

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.devices.*.vpd_vendor

The vendor specific vpd page information, using the vpd page abbreviation

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.extraConfig

Lines to append to default multipath.conf

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.extraConfigFile

Append an additional file’s contents to /etc/multipath.conf

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.overrides

This section defines values for attributes that should override the device-specific settings for all devices.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.pathGroups

This option allows you to define multipath groups as described in http://christophe.varoqui.free.fr/usage.html.

Type: list of (submodule)

Example:

[
  {
    wwid = "360080e500043b35c0123456789abcdef";
    alias = 10001234;
    array = "bigarray.example.com";
    fsType = "zfs"; # optional
    options = "ro"; # optional
  }, ...
]

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.pathGroups.*.alias

The name of the multipath device

Type: signed integer

Example: 1001234

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.pathGroups.*.array

The DNS name of the storage array

Type: string

Default: null

Example: "bigarray.example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.pathGroups.*.fsType

Type of the filesystem

Type: null or string

Default: null

Example: "zfs"

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.pathGroups.*.options

Options used to mount the file system

Type: null or string

Default: null

Example: "ro"

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.multipath.pathGroups.*.wwid

The identifier for the multipath device

Type: string (with check: hexadecimal string)

Example: "360080e500043b35c0123456789abcdef"

Declared by:

<nixpkgs/nixos/modules/services/networking/multipath.nix>
services.munge.enable

Whether to enable munge service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/munge.nix>
services.munge.password

The path to a daemon’s secret key.

Type: path

Default: "/etc/munge/munge.key"

Declared by:

<nixpkgs/nixos/modules/services/security/munge.nix>
services.munin-cron.enable

Enable munin-cron. Takes care of all heavy lifting to collect data from nodes and draws graphs to html. Runs munin-update, munin-limits, munin-graphs and munin-html in that order.

HTML output is in /var/www/munin/, configure your favourite webserver to serve static files.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.munin-cron.extraCSS

Custom styling for the HTML that munin-cron generates. This will be appended to the CSS files used by munin-cron and will thus take precedence over the builtin styles.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  /* A simple dark theme. */
  html, body { background: #222222; }
  #header, #footer { background: #333333; }
  img.i, img.iwarn, img.icrit, img.iunkn {
    filter: invert(100%) hue-rotate(-30deg);
  }
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.munin-cron.extraGlobalConfig

munin.conf extra global configuration. See https://guide.munin-monitoring.org/en/latest/reference/munin.conf.html. Useful to setup notifications, see https://guide.munin-monitoring.org/en/latest/tutorial/alert.html

Type: strings concatenated with “\n”

Default: ""

Example:

''
  contact.email.command mail -s "Munin notification for ''${var:host}" someone@example.com
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.munin-cron.hosts

Definitions of hosts of nodes to collect data from. Needs at least one host for cron to succeed. See https://guide.munin-monitoring.org/en/latest/reference/munin.conf.html

Type: strings concatenated with “\n”

Default: ""

Example:

''
  [${config.networking.hostName}]
  address localhost
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.munin-node.enable

Enable Munin Node agent. Munin node listens on 0.0.0.0 and by default accepts connections only from 127.0.0.1 for security reasons.

See https://guide.munin-monitoring.org/en/latest/architecture/index.html.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.munin-node.disabledPlugins

Munin plugins to disable, even if munin-node-configure --suggest tries to enable them. To disable a wildcard plugin, use an actual wildcard, as in the example.

munin_stats is disabled by default as it tries to read /var/log/munin/munin-update.log for timing information, and the NixOS build of Munin does not write this file.

Type: list of string

Default:

[
  "munin_stats"
]

Example:

[
  "diskstats"
  "zfs_usage_*"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.munin-node.extraAutoPlugins

Additional Munin plugins to autoconfigure, using munin-node-configure --suggest. These should be the actual paths to the plugin files (or directories containing them), not just their names.

If you want to manually enable individual plugins instead, use services.munin-node.extraPlugins.

Note that only plugins that have the ‘autoconfig’ capability will do anything if listed here, since plugins that cannot autoconfigure won’t be automatically enabled by munin-node-configure.

Plugins will be copied into the Nix store, and it will attempt to modify them to run properly by fixing hardcoded references to /bin, /usr/bin, /sbin, and /usr/sbin.

Type: list of path

Default: [ ]

Example:

[
  /src/munin-contrib/plugins/zfs
  /src/munin-contrib/plugins/ssh
];

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.munin-node.extraConfig

munin-node.conf extra configuration. See https://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.munin-node.extraPluginConfig

plugin-conf.d extra plugin configuration. See https://guide.munin-monitoring.org/en/latest/plugin/use.html

Type: strings concatenated with “\n”

Default: ""

Example:

''
  [fail2ban_*]
  user root
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.munin-node.extraPlugins

Additional Munin plugins to activate. Keys are the name of the plugin symlink, values are the path to the underlying plugin script. You can use the same plugin script multiple times (e.g. for wildcard plugins).

Note that these plugins do not participate in autoconfiguration. If you want to autoconfigure additional plugins, use services.munin-node.extraAutoPlugins.

Plugins enabled in this manner take precedence over autoconfigured plugins.

Plugins will be copied into the Nix store, and it will attempt to modify them to run properly by fixing hardcoded references to /bin, /usr/bin, /sbin, and /usr/sbin.

Type: attribute set of path

Default: { }

Example:

{
  zfs_usage_bigpool = /src/munin-contrib/plugins/zfs/zfs_usage_;
  zfs_usage_smallpool = /src/munin-contrib/plugins/zfs/zfs_usage_;
  zfs_list = /src/munin-contrib/plugins/zfs/zfs_list;
};

Declared by:

<nixpkgs/nixos/modules/services/monitoring/munin.nix>
services.murmur.enable

If enabled, start the Murmur Mumble server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.package

The murmur package to use.

Type: package

Default: pkgs.murmur

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.allowHtml

Allow HTML in client messages, comments, and channel descriptions.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.autobanAttempts

Number of attempts a client is allowed to make in autobanTimeframe seconds, before being banned for autobanTime.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.autobanTime

The amount of time an IP ban lasts (in seconds).

Type: signed integer

Default: 300

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.autobanTimeframe

Timeframe in which a client can connect without being banned for repeated attempts (in seconds).

Type: signed integer

Default: 120

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.bandwidth

Maximum bandwidth (in bits per second) that clients may send speech at.

Type: signed integer

Default: 72000

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.bonjour

Enable Bonjour auto-discovery, which allows clients over your LAN to automatically discover Murmur servers.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.clientCertRequired

Require clients to authenticate via certificates.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.dbus

Enable D-Bus remote control. Set to the bus you want Murmur to connect to.

Type: one of <null>, “session”, “system”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.environmentFile

Environment file as defined in systemd.exec(5).

Secrets may be passed to the service without adding them to the world-readable Nix store, by specifying placeholder variables as the option value in Nix and setting these variables accordingly in the environment file.

  # snippet of murmur-related config
  services.murmur.password = "$MURMURD_PASSWORD";
  # content of the environment file
  MURMURD_PASSWORD=verysecretpassword

Note that this file needs to be available on the host on which murmur is running.

Type: null or path

Default: null

Example: "${config.services.murmur.stateDir}/murmurd.env"

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.extraConfig

Extra configuration to put into murmur.ini.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.group

The name of an existing group to use to run the service. If not specified, the default group will be created.

Type: string

Default: "murmur"

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.hostName

Host to bind to. Defaults binding on all addresses.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.imgMsgLength

Max length of image messages. Set 0 for no limit.

Type: signed integer

Default: 131072

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.logDays

How long to store RPC logs for in the database. Set 0 to keep logs forever, or -1 to disable DB logging.

Type: signed integer

Default: 31

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.logFile

Path to the log file for Murmur daemon. Empty means log to journald.

Type: null or path

Default: null

Example: "/var/log/murmur/murmurd.log"

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.openFirewall

Open ports in the firewall for the Murmur Mumble server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.password

Required password to join server, if specified.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.port

Ports to bind to (UDP and TCP).

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 64738

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.registerHostname

DNS hostname where your server can be reached. This is only needed if you want your server to be accessed by its hostname and not IP - but the name must resolve on the internet properly.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.registerName

Public server registration name, and also the name of the Root channel. Even if you don’t publicly register your server, you probably still want to set this.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.registerPassword

Public server registry password, used authenticate your server to the registry to prevent impersonation; required for subsequent registry updates.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.registerUrl

URL website for your server.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.sendVersion

Send Murmur version in UDP response.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.sslCa

Path to your SSL CA certificate.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.sslCert

Path to your SSL certificate.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.sslKey

Path to your SSL key.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.stateDir

Directory to store data for the server.

Type: path

Default: "/var/lib/murmur"

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.textMsgLength

Max length of text messages. Set 0 for no limit.

Type: signed integer

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.user

The name of an existing user to use to run the service. If not specified, the default user will be created.

Type: string

Default: "murmur"

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.users

Maximum number of concurrent clients allowed.

Type: signed integer

Default: 100

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.murmur.welcometext

Welcome message for connected clients.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/murmur.nix>
services.music-assistant.enable

Whether to enable Music Assistant.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/music-assistant.nix>
services.music-assistant.package

The music-assistant package to use.

Type: package

Default: pkgs.music-assistant

Declared by:

<nixpkgs/nixos/modules/services/audio/music-assistant.nix>
services.music-assistant.extraOptions

List of extra options to pass to the music-assistant executable.

Type: list of string

Default:

[
  "--config"
  "/var/lib/music-assistant"
]

Example:

[
  "--log-level"
  "DEBUG"
]

Declared by:

<nixpkgs/nixos/modules/services/audio/music-assistant.nix>
services.music-assistant.providers

List of provider names for which dependencies will be installed.

Type: list of (one of “airplay”, “apple_music”, “bluesound”, “builtin”, “chromecast”, “deezer”, “dlna”, “fanarttv”, “filesystem_local”, “filesystem_smb”, “fully_kiosk”, “hass”, “hass_players”, “jellyfin”, “musicbrainz”, “opensubsonic”, “player_group”, “plex”, “qobuz”, “radiobrowser”, “siriusxm”, “slimproto”, “snapcast”, “sonos”, “sonos_s1”, “soundcloud”, “spotify”, “template_player_provider”, “test”, “theaudiodb”, “tidal”, “tunein”, “ytmusic”)

Default: [ ]

Example:

[
  "opensubsonic"
  "snapcast"
]

Declared by:

<nixpkgs/nixos/modules/services/audio/music-assistant.nix>
services.mx-puppet-discord.enable

Whether to enable mx-puppet-discord is a discord puppeting bridge for matrix. It handles bridging private and group DMs, as well as Guilds (servers) .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/mx-puppet-discord.nix>
services.mx-puppet-discord.serviceDependencies

List of Systemd services to require and wait for when starting the application service.

Type: list of string

Default:

lib.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit

Declared by:

<nixpkgs/nixos/modules/services/matrix/mx-puppet-discord.nix>
services.mx-puppet-discord.settings

config.yaml configuration as a Nix attribute set. Configuration options should match those described in sample.config.yaml.

Type: JSON value

Default:

{
  bridge = {
    port = 8434;
  };
  database = {
    filename = "/var/lib/mx-puppet-discord/database.db";
  };
  logging = {
    console = "info";
    lineDateFormat = "MMM-D HH:mm:ss.SSS";
  };
  namePatterns = {
    group = ":name";
    room = ":name";
    user = ":name";
    userOverride = ":displayname";
  };
  presence = {
    enabled = true;
    interval = 500;
  };
  provisioning = {
    whitelist = [ ];
  };
  relay = {
    whitelist = [ ];
  };
}

Example:

{
  bridge = {
    bindAddress = "localhost";
    domain = "example.com";
    homeserverUrl = "https://example.com";
  };

  provisioning.whitelist = [ "@admin:example.com" ];
  relay.whitelist = [ "@.*:example.com" ];
}

Declared by:

<nixpkgs/nixos/modules/services/matrix/mx-puppet-discord.nix>
services.mycelium.enable

Whether to enable mycelium network.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mycelium.nix>
services.mycelium.package

The mycelium package to use

Type: package

Default: "${pkgs.mycelium}"

Declared by:

<nixpkgs/nixos/modules/services/networking/mycelium.nix>
services.mycelium.addHostedPublicNodes

Adds the hosted peers from https://github.com/threefoldtech/mycelium#hosted-public-nodes.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/mycelium.nix>
services.mycelium.extraArgs

Extra command-line arguments to pass to mycelium.

See mycelium --help for all available options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/mycelium.nix>
services.mycelium.keyFile

Optional path to a file containing the mycelium key material. If unset, the default location (/var/lib/mycelium/key.bin) will be used. If no key exist at this location, it will be generated on startup.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/mycelium.nix>
services.mycelium.openFirewall

Open the firewall for mycelium

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/mycelium.nix>
services.mycelium.peers

List of peers to connect to, in the formats:

  • quic://[2001:0db8::1]:9651

  • quic://192.0.2.1:9651

  • tcp://[2001:0db8::1]:9651

  • tcp://192.0.2.1:9651

If addHostedPublicNodes is set to true, the hosted public nodes will also be added.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/mycelium.nix>
services.mympd.enable

Whether to enable MyMPD server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/mympd.nix>
services.mympd.package

The mympd package to use.

Type: package

Default: pkgs.mympd

Declared by:

<nixpkgs/nixos/modules/services/audio/mympd.nix>
services.mympd.extraGroups

Additional groups for the systemd service.

Type: list of string

Default: [ ]

Example:

[
  "music"
]

Declared by:

<nixpkgs/nixos/modules/services/audio/mympd.nix>
services.mympd.openFirewall

Open ports needed for the functionality of the program.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/mympd.nix>
services.mympd.settings

Manages the configuration files declaratively. For all the configuration options, see https://jcorporation.github.io/myMPD/configuration/configuration-files.

Each key represents the “File” column from the upstream configuration table, and the value is the content of that file.

Type: attribute set of (null or string or boolean or signed integer)

Declared by:

<nixpkgs/nixos/modules/services/audio/mympd.nix>
services.mympd.settings.http_port

The HTTP port where mympd’s web interface will be available.

The HTTPS/SSL port can be configured via config.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Example: "8080"

Declared by:

<nixpkgs/nixos/modules/services/audio/mympd.nix>
services.mympd.settings.ssl

Whether to enable listening on the SSL port.

Refer to https://jcorporation.github.io/myMPD/configuration/configuration-files#ssl-options for more information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/mympd.nix>
services.mysql.enable

Whether to enable MySQL server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.package

Which MySQL derivation to use. MariaDB packages are supported too.

Type: package

Example: pkgs.mariadb

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.configFile

Override the configuration file used by MySQL. By default, NixOS generates one automatically from services.mysql.settings.

Type: path

Default:

''
  A configuration file automatically generated by NixOS.
''

Example:

pkgs.writeText "my.cnf" ''
  [mysqld]
  datadir = /var/lib/mysql
  bind-address = 127.0.0.1
  port = 3336

  !includedir /etc/mysql/conf.d/
'';

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.dataDir

The data directory for MySQL.

Note

If left as the default value of /var/lib/mysql this directory will automatically be created before the MySQL server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path

Example: "/var/lib/mysql"

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.ensureDatabases

Ensures that the specified databases exist. This option will never delete existing databases, especially not when the value of this option is changed. This means that databases created once through this option or otherwise have to be removed manually.

Type: list of string

Default: [ ]

Example:

[
  "nextcloud"
  "matomo"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.ensureUsers

Ensures that the specified users exist and have at least the ensured permissions. The MySQL users will be identified using Unix socket authentication. This authenticates the Unix user with the same name only, and that without the need for a password. This option will never delete existing users or remove permissions, especially not when the value of this option is changed. This means that users created and permissions assigned once through this option or otherwise have to be removed manually.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    name = "nextcloud";
    ensurePermissions = {
      "nextcloud.*" = "ALL PRIVILEGES";
    };
  }
  {
    name = "backup";
    ensurePermissions = {
      "*.*" = "SELECT, LOCK TABLES";
    };
  }
]

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.ensureUsers.*.ensurePermissions

Permissions to ensure for the user, specified as attribute set. The attribute names specify the database and tables to grant the permissions for, separated by a dot. You may use wildcards here. The attribute values specfiy the permissions to grant. You may specify one or multiple comma-separated SQL privileges here.

For more information on how to specify the target and on which privileges exist, see the GRANT syntax. The attributes are used as GRANT ${attrName} ON ${attrValue}.

Type: attribute set of string

Default: { }

Example:

{
  "database.*" = "ALL PRIVILEGES";
  "*.*" = "SELECT, LOCK TABLES";
}

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.ensureUsers.*.name

Name of the user to ensure.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.group

Group account under which MySQL runs.

Note

If left as the default value this group will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the MySQL service starts.

Type: string

Default: "mysql"

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.initialDatabases

List of database names and their initial schemas that should be used to create databases on the first startup of MySQL. The schema attribute is optional: If not specified, an empty database is created.

Type: list of (submodule)

Default: [ ]

Example:

[
  { name = "foodatabase"; schema = ./foodatabase.sql; }
  { name = "bardatabase"; }
]

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.initialDatabases.*.name

The name of the database to create.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.initialDatabases.*.schema

The initial schema of the database; if null (the default), an empty database is created.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.initialScript

A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.replication.masterHost

Hostname of the MySQL master server.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.replication.masterPassword

Password of the MySQL replication user.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.replication.masterPort

Port number on which the MySQL master server runs.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.replication.masterUser

Username of the MySQL replication user.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.replication.role

Role of the MySQL server instance.

Type: one of “master”, “slave”, “none”

Default: "none"

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.replication.serverId

Id of the MySQL server instance. This number must be unique for each instance.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.replication.slaveHost

Hostname of the MySQL slave server.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.settings

MySQL configuration. Refer to https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html, https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html, and https://mariadb.com/kb/en/server-system-variables/ for details on supported values.

Note

MySQL configuration options such as --quick should be treated as boolean options and provided values such as true, false, 1, or 0. See the provided example below.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default: { }

Example:

{
  mysqld = {
    key_buffer_size = "6G";
    table_cache = 1600;
    log-error = "/var/log/mysql_err.log";
    plugin-load-add = [ "server_audit" "ed25519=auth_ed25519" ];
  };
  mysqldump = {
    quick = true;
    max_allowed_packet = "16M";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysql.user

User account under which MySQL runs.

Note

If left as the default value this user will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the MySQL service starts.

Type: string

Default: "mysql"

Declared by:

<nixpkgs/nixos/modules/services/databases/mysql.nix>
services.mysqlBackup.enable

Whether to enable MySQL backups.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/mysql-backup.nix>
services.mysqlBackup.calendar

Configured when to run the backup service systemd unit (DayOfWeek Year-Month-Day Hour:Minute:Second).

Type: string

Default: "01:15:00"

Declared by:

<nixpkgs/nixos/modules/services/backup/mysql-backup.nix>
services.mysqlBackup.databases

List of database names to dump.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/mysql-backup.nix>
services.mysqlBackup.gzipOptions

Command line options to use when invoking gzip.

Type: string

Default: "--no-name --rsyncable"

Declared by:

<nixpkgs/nixos/modules/services/backup/mysql-backup.nix>
services.mysqlBackup.location

Location to put the gzipped MySQL database dumps.

Type: path

Default: "/var/backup/mysql"

Declared by:

<nixpkgs/nixos/modules/services/backup/mysql-backup.nix>
services.mysqlBackup.singleTransaction

Whether to create database dump in a single transaction

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/mysql-backup.nix>
services.mysqlBackup.user

User to be used to perform backup.

Type: string

Default: "mysqlbackup"

Declared by:

<nixpkgs/nixos/modules/services/backup/mysql-backup.nix>
services.n8n.enable

Whether to enable n8n server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/n8n.nix>
services.n8n.openFirewall

Open ports in the firewall for the n8n web interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/n8n.nix>
services.n8n.settings

Configuration for n8n, see https://docs.n8n.io/hosting/environment-variables/configuration-methods/ for supported values.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/n8n.nix>
services.n8n.webhookUrl

WEBHOOK_URL for n8n, in case we’re running behind a reverse proxy. This cannot be set through configuration and must reside in an environment variable.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/n8n.nix>
services.nagios.enable

Whether to enable Nagios to monitor your system or network.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.enableWebInterface

Whether to enable the Nagios web interface. You should also enable Apache (services.httpd.enable).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.cgiConfigFile

Derivation for the configuration file of Nagios CGI scripts that can be used in web servers for running the Nagios web interface.

Type: package

Default: nagiosCGICfgFile

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.extraConfig

Configuration to add to /etc/nagios.cfg

Type: attribute set of string

Default: { }

Example:

{
  debug_file = "/var/log/nagios/debug.log";
  debug_level = "-1";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.mainConfigFile

If non-null, overrides the main configuration file of Nagios.

Type: null or package

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.objectDefs

A list of Nagios object configuration files that must define the hosts, host groups, services and contacts for the network that you want Nagios to monitor.

Type: list of path

Example: [ ./objects.cfg ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.plugins

Packages to be added to the Nagios PATH. Typically used to add plugins, but can be anything.

Type: list of package

Default: [pkgs.monitoring-plugins pkgs.msmtp pkgs.mailutils]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.validateConfig

if true, the syntax of the nagios configuration file is checked at build time

Type: boolean

Default: pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost

Apache configuration can be done by adapting services.httpd.virtualHosts. See services.httpd.virtualHosts for further information.

Type: submodule

Example:

{ hostName = "example.org";
  adminAddr = "webmaster@example.org";
  enableSSL = true;
  sslServerCert = "/var/lib/acme/example.org/full.pem";
  sslServerKey = "/var/lib/acme/example.org/key.pem";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.enableUserDir

Whether to enable serving ~/public_html as /~«username».

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.acmeRoot

Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.adminAddr

E-mail address of the server administrator.

Type: null or string

Default: null

Example: "admin@example.org"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.documentRoot

The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.extraConfig

These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  <Directory /home>
    Options FollowSymlinks
    AllowOverride All
  </Directory>
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.forceSSL

Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.globalRedirect

If set, all requests for this host are redirected permanently to the given URL.

Type: null or string

Default: null

Example: "http://newserver.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.hostName

Canonical hostname for the server.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.http2

Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config for details.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.listen

Listen addresses and ports for this virtual host.

Note

This option overrides addSSL, forceSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    ip = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    ip = "192.154.1.1";
    port = 80;
  }
  {
    ip = "*";
    port = 8080;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.listen.*.ip

IP to listen on. 0.0.0.0 for IPv4 only, * for all.

Type: string

Default: "*"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.listen.*.port

Port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.listen.*.ssl

Whether to enable SSL (https) support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Type: non-empty (list of string)

Default:

[
  "*"
]

Example:

[
  "127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.locations

Declarative location config. See https://httpd.apache.org/docs/2.4/mod/core.html#location for details.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
  "/foo/bar.png" = {
    alias = "/home/eelco/some-file.png";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.locations.<name>.alias

Alias directory for requests. See https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.locations.<name>.index

Adds DirectoryIndex directive. See https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.locations.<name>.proxyPass

Sets up a simple reverse proxy as described by https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.logFormat

Log format for Apache’s log files. Possible values are: combined, common, referer, agent.

Type: string

Default: "common"

Example: "combined"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.robotsEntries

Specification of pages to be ignored by web crawlers. See http://www.robotstxt.org/ for details.

Type: strings concatenated with “\n”

Default: ""

Example: "Disallow: /foo/"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.servedDirs

This option provides a simple way to serve static directories.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    dir = "/home/eelco/Dev/nix-homepage";
    urlPath = "/nix";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.servedFiles

This option provides a simple way to serve individual, static files.

Note

This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the locations.<name>.alias option.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    file = "/home/eelco/some-file.png";
    urlPath = "/foo/bar.png";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "www.example.org:8080"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.sslServerCert

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.sslServerChain

Path to server SSL chain file.

Type: null or path

Default: null

Example: "/var/ca.pem"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.sslServerKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.nagios.virtualHost.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nagios.nix>
services.namecoind.enable

Whether to enable namecoind, Namecoin client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/namecoind.nix>
services.namecoind.extraNodes

List of additional peer IP addresses to connect to.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/namecoind.nix>
services.namecoind.generate

Whether to generate (mine) Namecoins.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/namecoind.nix>
services.namecoind.rpc.address

IP address the RPC server will bind to.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/namecoind.nix>
services.namecoind.rpc.allowFrom

List of IP address ranges allowed to use the RPC API. Wiledcards (*) can be user to specify a range.

Type: list of string

Default:

[
  "127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/namecoind.nix>
services.namecoind.rpc.certificate

Certificate file for securing RPC connections.

Type: null or path

Default: null

Example: "/var/lib/namecoind/server.cert"

Declared by:

<nixpkgs/nixos/modules/services/networking/namecoind.nix>
services.namecoind.rpc.key

Key file for securing RPC connections.

Type: null or path

Default: null

Example: "/var/lib/namecoind/server.pem"

Declared by:

<nixpkgs/nixos/modules/services/networking/namecoind.nix>
services.namecoind.rpc.password

Password for RPC connections.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/namecoind.nix>
services.namecoind.rpc.port

Port the RPC server will bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8332

Declared by:

<nixpkgs/nixos/modules/services/networking/namecoind.nix>
services.namecoind.rpc.user

User name for RPC connections.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/namecoind.nix>
services.namecoind.trustedNodes

List of the only peer IP addresses to connect to. If specified no other connection will be made.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/namecoind.nix>
services.namecoind.wallet

Wallet file. The ownership of the file has to be namecoin:namecoin, and the permissions must be 0640.

Type: path

Default: "/var/lib/namecoind/wallet.dat"

Declared by:

<nixpkgs/nixos/modules/services/networking/namecoind.nix>
services.nar-serve.enable

Whether to enable serving NAR file contents via HTTP.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nar-serve.nix>
services.nar-serve.package

The nar-serve package to use.

Type: package

Default: pkgs.nar-serve

Declared by:

<nixpkgs/nixos/modules/services/networking/nar-serve.nix>
services.nar-serve.cacheURL

Binary cache URL to connect to.

The URL format is compatible with the nix remote url style, such as:

  • http://, https:// for binary caches via HTTP or HTTPS

  • s3:// for binary caches stored in Amazon S3

  • gs:// for binary caches stored in Google Cloud Storage

Type: string

Default: "https://cache.nixos.org/"

Declared by:

<nixpkgs/nixos/modules/services/networking/nar-serve.nix>
services.nar-serve.domain

When set, enables the feature of serving <nar-hash>.<domain> on top of <domain>/nix/store/<nar-hash>-<pname>.

Useful to preview static websites where paths are absolute.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/nar-serve.nix>
services.nar-serve.port

Port number where nar-serve will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8383

Declared by:

<nixpkgs/nixos/modules/services/networking/nar-serve.nix>
services.nats.enable

Whether to enable NATS messaging system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nats.nix>
services.nats.dataDir

The NATS data directory. Only used if JetStream is enabled, for storing stream metadata and messages.

If left as the default value this directory will automatically be created before the NATS server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path

Default: "/var/lib/nats"

Declared by:

<nixpkgs/nixos/modules/services/networking/nats.nix>
services.nats.group

Group under which NATS runs.

Type: string

Default: "nats"

Declared by:

<nixpkgs/nixos/modules/services/networking/nats.nix>
services.nats.jetstream

Whether to enable JetStream.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nats.nix>
services.nats.port

Port on which to listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4222

Declared by:

<nixpkgs/nixos/modules/services/networking/nats.nix>
services.nats.serverName

Name of the NATS server, must be unique if clustered.

Type: string

Default: "nats"

Example: "n1-c3"

Declared by:

<nixpkgs/nixos/modules/services/networking/nats.nix>
services.nats.settings

Declarative NATS configuration. See the NATS documentation for a list of options.

Type: JSON value

Default: { }

Example:

{
  jetstream = {
    max_mem = "1G";
    max_file = "10G";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/networking/nats.nix>
services.nats.user

User account under which NATS runs.

Type: string

Default: "nats"

Declared by:

<nixpkgs/nixos/modules/services/networking/nats.nix>
services.navidrome.enable

Whether to enable Navidrome music server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/navidrome.nix>
services.navidrome.package

The navidrome package to use.

Type: package

Default: pkgs.navidrome

Declared by:

<nixpkgs/nixos/modules/services/audio/navidrome.nix>
services.navidrome.group

Group under which Navidrome runs.

Type: string

Default: "navidrome"

Declared by:

<nixpkgs/nixos/modules/services/audio/navidrome.nix>
services.navidrome.openFirewall

Whether to open the TCP port in the firewall

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/navidrome.nix>
services.navidrome.settings

Configuration for Navidrome, see https://www.navidrome.org/docs/usage/configuration-options/ for supported values.

Type: JSON value

Default: { }

Example:

{
  MusicFolder = "/mnt/music";
}

Declared by:

<nixpkgs/nixos/modules/services/audio/navidrome.nix>
services.navidrome.settings.Address

Address to run Navidrome on.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/audio/navidrome.nix>
services.navidrome.settings.Port

Port to run Navidrome on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4533

Declared by:

<nixpkgs/nixos/modules/services/audio/navidrome.nix>
services.navidrome.user

User under which Navidrome runs.

Type: string

Default: "navidrome"

Declared by:

<nixpkgs/nixos/modules/services/audio/navidrome.nix>
services.nbd.server.enable

Whether to enable the Network Block Device (nbd) server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nbd.nix>
services.nbd.server.exports

Files or block devices to make available over the network.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/nbd.nix>
services.nbd.server.exports.<name>.allowAddresses

IPs and subnets that are authorized to connect for this device. If not specified, the server will allow all connections.

Type: null or (list of string)

Default: null

Example:

[
  "10.10.0.0/24"
  "127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nbd.nix>
services.nbd.server.exports.<name>.extraOptions

Extra options for this export. See nbd-server(5).

Type: attribute set of (boolean or signed integer or floating point number or string)

Default:

{
  flush = true;
  fua = true;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nbd.nix>
services.nbd.server.exports.<name>.path

File or block device to export.

Type: string

Example: "/dev/sdb1"

Declared by:

<nixpkgs/nixos/modules/services/networking/nbd.nix>
services.nbd.server.extraOptions

Extra options for the server. See nbd-server(5).

Type: attribute set of (boolean or signed integer or floating point number or string)

Default:

{
  allowlist = false;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nbd.nix>
services.nbd.server.listenAddress

Address to listen on. If not specified, the server will listen on all interfaces.

Type: null or string

Default: null

Example: "10.10.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/nbd.nix>
services.nbd.server.listenPort

Port to listen on. The port is NOT automatically opened in the firewall.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 10809

Declared by:

<nixpkgs/nixos/modules/services/networking/nbd.nix>
services.ncdns.enable

Whether to enable ncdns, a Go daemon to bridge Namecoin to DNS. To resolve .bit domains set services.namecoind.enable = true; and an RPC username/password .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ncdns.nix>
services.ncdns.address

The IP address the ncdns resolver will bind to. Leave this unchanged if you do not wish to directly expose the resolver.

Type: string

Default: "[::1]"

Declared by:

<nixpkgs/nixos/modules/services/networking/ncdns.nix>
services.ncdns.dnssec.enable

Whether to enable DNSSEC support in ncdns. This will generate KSK and ZSK keypairs (unless provided via the options services.ncdns.dnssec.publicKey, services.ncdns.dnssec.privateKey etc.) and add a trust anchor to recursive resolvers .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ncdns.nix>
services.ncdns.dnssec.keys.private

Path to the file containing the KSK private key.

Type: path

Default: "/var/lib/ncdns/bit.private"

Declared by:

<nixpkgs/nixos/modules/services/networking/ncdns.nix>
services.ncdns.dnssec.keys.public

Path to the file containing the KSK public key. The key can be generated using the dnssec-keygen command, provided by the package bind as follows:

$ dnssec-keygen -a RSASHA256 -3 -b 2048 -f KSK bit

Type: path

Default: "/var/lib/ncdns/bit.key"

Declared by:

<nixpkgs/nixos/modules/services/networking/ncdns.nix>
services.ncdns.dnssec.keys.zonePrivate

Path to the file containing the ZSK private key.

Type: path

Default: "/var/lib/ncdns/bit-zone.private"

Declared by:

<nixpkgs/nixos/modules/services/networking/ncdns.nix>
services.ncdns.dnssec.keys.zonePublic

Path to the file containing the ZSK public key. The key can be generated using the dnssec-keygen command, provided by the package bind as follows:

$ dnssec-keygen -a RSASHA256 -3 -b 2048 bit

Type: path

Default: "/var/lib/ncdns/bit-zone.key"

Declared by:

<nixpkgs/nixos/modules/services/networking/ncdns.nix>
services.ncdns.identity.address

The IP address the hostname specified in services.ncdns.identity.hostname should resolve to. If you are only using ncdns locally you can ignore this.

Type: string

Default: "127.127.127.127"

Declared by:

<nixpkgs/nixos/modules/services/networking/ncdns.nix>
services.ncdns.identity.hostmaster

An email address for the SOA record at the bit zone. If you are only using ncdns locally you can ignore this.

Type: string

Default: ""

Example: "root@example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/ncdns.nix>
services.ncdns.identity.hostname

The hostname of this ncdns instance, which defaults to the machine hostname. If specified, ncdns lists the hostname as an NS record at the zone apex:

bit. IN NS ns1.example.com.

If unset ncdns will generate an internal pseudo-hostname under the zone, which will resolve to the value of services.ncdns.identity.address. If you are only using ncdns locally you can ignore this.

Type: string

Default: config.networking.hostName

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/ncdns.nix>
services.ncdns.port

The port the ncdns resolver will bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5333

Declared by:

<nixpkgs/nixos/modules/services/networking/ncdns.nix>
services.ncdns.settings

ncdns settings. Use this option to configure ncds settings not exposed in a NixOS option or to bypass one. See the example ncdns.conf file at https://github.com/namecoin/ncdns/blob/master/_doc/ncdns.conf.example for the available options.

Type: ncdns.conf configuration type. The format consists of an attribute set of settings. Each setting can be either `null`, a value or an attribute set. The allowed values are integers, strings, booleans or paths.

Default: { }

Example:

{ # enable webserver
  ncdns.httplistenaddr = ":8202";

  # synchronize TLS certs
  certstore.nss = true;
  # note: all paths are relative to the config file
  certstore.nsscertdir =  "../../var/lib/ncdns";
  certstore.nssdbdir = "../../home/alice/.pki/nssdb";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/ncdns.nix>
services.ndppd.enable

Whether to enable daemon that proxies NDP (Neighbor Discovery Protocol) messages between interfaces.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.ndppd.configFile

Path to configuration file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.ndppd.interface

Interface which is on link-level with router. (Legacy option, use services.ndppd.proxies.<interface>.rules.<network> instead)

Type: null or string

Default: null

Example: "eth0"

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.ndppd.network

Network that we proxy. (Legacy option, use services.ndppd.proxies.<interface>.rules.<network> instead)

Type: null or string

Default: null

Example: "1111::/64"

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.ndppd.proxies

This sets up a listener, that will listen for any Neighbor Solicitation messages, and respond to them according to a set of rules.

Type: attribute set of (submodule)

Default: { }

Example:

{
  eth0.rules."1111::/64" = {};
}

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.ndppd.proxies.<name>.interface

Listen for any Neighbor Solicitation messages on this interface, and respond to them according to a set of rules. Defaults to the name of the attrset.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.ndppd.proxies.<name>.router

Turns on or off the router flag for Neighbor Advertisement Messages.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.ndppd.proxies.<name>.rules

This is a rule that the target address is to match against. If no netmask is provided, /128 is assumed. You may have several rule sections, and the addresses may or may not overlap.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.ndppd.proxies.<name>.rules.<name>.interface

Interface to use when method is iface.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.ndppd.proxies.<name>.rules.<name>.method

static: Immediately answer any Neighbor Solicitation Messages (if they match the IP rule). iface: Forward the Neighbor Solicitation Message through the specified interface and only respond if a matching Neighbor Advertisement Message is received. auto: Same as iface, but instead of manually specifying the outgoing interface, check for a matching route in /proc/net/ipv6_route.

Type: one of “static”, “iface”, “auto”

Default: "auto"

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.ndppd.proxies.<name>.rules.<name>.network

This is the target address is to match against. If no netmask is provided, /128 is assumed. The addresses of several rules may or may not overlap. Defaults to the name of the attrset.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.ndppd.proxies.<name>.timeout

Controls how long to wait for a Neighbor Advertisement Message before invalidating the entry, in milliseconds.

Type: signed integer

Default: 500

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.ndppd.proxies.<name>.ttl

Controls how long a valid or invalid entry remains in the cache, in milliseconds.

Type: signed integer

Default: 30000

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.ndppd.routeTTL

This tells ‘ndppd’ how often to reload the route file /proc/net/ipv6_route, in milliseconds.

Type: signed integer

Default: 30000

Declared by:

<nixpkgs/nixos/modules/services/networking/ndppd.nix>
services.neard.enable

Whether to enable neard, an NFC daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/neard.nix>
services.neard.settings

Neard INI-style configuration file as a Nix attribute set.

See the upstream configuration file.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/desktops/neard.nix>
services.neard.settings.General.ConstantPoll

Enable constant polling. Constant polling will automatically trigger a new polling loop whenever a tag or a device is no longer in the RF field.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/neard.nix>
services.neard.settings.General.DefaultPowered

Automatically turn an adapter on when being discovered.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/neard.nix>
services.neard.settings.General.ResetOnError

Power cycle the adapter when getting a driver error from the kernel.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/neard.nix>
services.nebula.networks

Nebula network definitions.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.enable

Enable or disable this network.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.package

The nebula package to use.

Type: package

Default: pkgs.nebula

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.ca

Path to the certificate authority certificate.

Type: path

Example: "/etc/nebula/ca.crt"

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.cert

Path to the host certificate.

Type: path

Example: "/etc/nebula/host.crt"

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.firewall.inbound

Firewall rules for inbound traffic.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    host = "any";
    port = "any";
    proto = "any";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.firewall.outbound

Firewall rules for outbound traffic.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    host = "any";
    port = "any";
    proto = "any";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.isLighthouse

Whether this node is a lighthouse.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.isRelay

Whether this node is a relay.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.key

Path or reference to the host key.

Type: non-empty string or path

Example: "/etc/nebula/host.key"

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.lighthouses

List of IPs of lighthouse hosts this node should report to and query from. This should be empty on lighthouse nodes. The IPs should be the lighthouse’s Nebula IPs, not their external IPs.

Type: list of string

Default: [ ]

Example:

[
  "192.168.100.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.listen.host

IP address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.listen.port

Port number to listen on.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

if (config.services.nebula.networks.${name}.isLighthouse ||
    config.services.nebula.networks.${name}.isRelay) then
  4242
else
  0;

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.relays

List of IPs of relays that this node should allow traffic from.

Type: list of string

Default: [ ]

Example:

[
  "192.168.100.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.settings

Nebula configuration. Refer to https://github.com/slackhq/nebula/blob/master/examples/config.yml for details on supported values.

Type: YAML value

Default: { }

Example:

{
  lighthouse.dns = {
    host = "0.0.0.0";
    port = 53;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.staticHostMap

The static host map defines a set of hosts with fixed IP addresses on the internet (or any network). A host can have multiple fixed IP addresses defined here, and nebula will try each when establishing a tunnel.

Type: attribute set of list of string

Default: { }

Example:

{
  "192.168.100.1" = [
    "100.64.22.11:4242"
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.tun.device

Name of the tun device. Defaults to nebula.${networkName}.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.nebula.networks.<name>.tun.disable

When tun is disabled, a lighthouse can be started without a local tun interface (and therefore without root).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nebula.nix>
services.neo4j.enable

Whether to enable Neo4j Community Edition.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.package

The neo4j package to use.

Type: package

Default: pkgs.neo4j

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.bolt.enable

Enable the BOLT connector for Neo4j. Setting this option to false will stop Neo4j from listening for incoming connections on the BOLT port (7687 by default).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.bolt.listenAddress

Neo4j listen address for BOLT traffic. The listen address is expressed in the format <ip-address>:<port-number>.

Type: string

Default: ":7687"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.bolt.sslPolicy

Neo4j SSL policy for BOLT traffic.

The legacy policy is a special policy which is not defined in the policy configuration section, but rather derives from directories.certificates and associated files (by default: neo4j.key and neo4j.cert). Its use will be deprecated.

Note: This connector must be configured to support/require SSL/TLS for the legacy policy to actually be utilized. See bolt.tlsLevel.

Type: string

Default: "legacy"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.bolt.tlsLevel

SSL/TSL requirement level for BOLT traffic.

Type: one of “REQUIRED”, “OPTIONAL”, “DISABLED”

Default: "OPTIONAL"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.constrainLoadCsv

Sets the root directory for file URLs used with the Cypher LOAD CSV clause to be that defined by directories.imports. It restricts access to only those files within that directory and its subdirectories.

Setting this option to false introduces possible security problems.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.defaultListenAddress

Default network interface to listen for incoming connections. To listen for connections on all interfaces, use “0.0.0.0”.

Specifies the default IP address and address part of connector specific listenAddress options. To bind specific connectors to a specific network interfaces, specify the entire listenAddress option for that connector.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.directories.certificates

Directory for storing certificates to be used by Neo4j for TLS connections.

When setting this directory to something other than its default, ensure the directory’s existence, and that read/write permissions are given to the Neo4j daemon user neo4j.

Note that changing this directory from its default will prevent the directory structure required for each SSL policy from being automatically generated. A policy’s directory structure as defined by its baseDirectory,revokedDir and trustedDir must then be setup manually. The existence of these directories is mandatory, as well as the presence of the certificate file and the private key. Ensure the correct permissions are set on these directories and files.

Type: path

Default: "${config.services.neo4j.directories.home}/certificates"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.directories.data

Path of the data directory. You must not configure more than one Neo4j installation to use the same data directory.

When setting this directory to something other than its default, ensure the directory’s existence, and that read/write permissions are given to the Neo4j daemon user neo4j.

Type: path

Default: "${config.services.neo4j.directories.home}/data"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.directories.home

Path of the Neo4j home directory. Other default directories are subdirectories of this path. This directory will be created if non-existent, and its ownership will be chown to the Neo4j daemon user neo4j.

Type: path

Default: "/var/lib/neo4j"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.directories.imports

The root directory for file URLs used with the Cypher LOAD CSV clause. Only meaningful when constrainLoadCvs is set to true.

When setting this directory to something other than its default, ensure the directory’s existence, and that read permission is given to the Neo4j daemon user neo4j.

Type: path

Default: "${config.services.neo4j.directories.home}/import"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.directories.plugins

Path of the database plugin directory. Compiled Java JAR files that contain database procedures will be loaded if they are placed in this directory.

When setting this directory to something other than its default, ensure the directory’s existence, and that read permission is given to the Neo4j daemon user neo4j.

Type: path

Default: "${config.services.neo4j.directories.home}/plugins"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.extraServerConfig

Extra configuration for Neo4j Community server. Refer to the complete reference of Neo4j configuration settings.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.http.enable

Enable the HTTP connector for Neo4j. Setting this option to false will stop Neo4j from listening for incoming connections on the HTTPS port (7474 by default).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.http.listenAddress

Neo4j listen address for HTTP traffic. The listen address is expressed in the format <ip-address>:<port-number>.

Type: string

Default: ":7474"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.https.enable

Enable the HTTPS connector for Neo4j. Setting this option to false will stop Neo4j from listening for incoming connections on the HTTPS port (7473 by default).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.https.listenAddress

Neo4j listen address for HTTPS traffic. The listen address is expressed in the format <ip-address>:<port-number>.

Type: string

Default: ":7473"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.https.sslPolicy

Neo4j SSL policy for HTTPS traffic.

The legacy policy is a special policy which is not defined in the policy configuration section, but rather derives from directories.certificates and associated files (by default: neo4j.key and neo4j.cert). Its use will be deprecated.

Type: string

Default: "legacy"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.readOnly

Only allow read operations from this Neo4j instance.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.shell.enable

Enable a remote shell server which Neo4j Shell clients can log in to. Only applicable to neo4j-shell.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.ssl.policies

Defines the SSL policies for use with Neo4j connectors. Each attribute of this set defines a policy, with the attribute name defining the name of the policy and its namespace. Refer to the operations manual section on Neo4j’s SSL Framework for further details.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.ssl.policies.<name>.allowKeyGeneration

Allows the generation of a private key and associated self-signed certificate. Only performed when both objects cannot be found for this policy. It is recommended to turn this off again after keys have been generated.

The public certificate is required to be duplicated to the directory holding trusted certificates as defined by the trustedDir option.

Keys should in general be generated and distributed offline by a trusted certificate authority and not by utilizing this mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.ssl.policies.<name>.baseDirectory

The mandatory base directory for cryptographic objects of this policy. This path is only automatically generated when this option as well as directories.certificates are left at their default. Ensure read/write permissions are given to the Neo4j daemon user neo4j.

It is also possible to override each individual configuration with absolute paths. See the privateKey and publicCertificate policy options.

Type: path

Default: "${config.services.neo4j.directories.certificates}/${name}"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.ssl.policies.<name>.ciphers

Restrict the allowed ciphers of this policy to those defined here. The default ciphers are those of the JVM platform.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.ssl.policies.<name>.clientAuth

The client authentication stance for this policy.

Type: one of “NONE”, “OPTIONAL”, “REQUIRE”

Default: "REQUIRE"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.ssl.policies.<name>.privateKey

The name of private PKCS #8 key file for this policy to be found in the baseDirectory, or the absolute path to the key file. It is mandatory that a key can be found or generated.

Type: string

Default: "private.key"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.ssl.policies.<name>.publicCertificate

The name of public X.509 certificate (chain) file in PEM format for this policy to be found in the baseDirectory, or the absolute path to the certificate file. It is mandatory that a certificate can be found or generated.

The public certificate is required to be duplicated to the directory holding trusted certificates as defined by the trustedDir option.

Type: string

Default: "public.crt"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.ssl.policies.<name>.revokedDir

Path to directory of CRLs (Certificate Revocation Lists) in PEM format. Must be an absolute path. The existence of this directory is mandatory and will need to be created manually when: setting this option to something other than its default; setting either this policy’s baseDirectory or directories.certificates to something other than their default. Ensure read/write permissions are given to the Neo4j daemon user neo4j.

Type: path

Default: "${config.services.neo4j.ssl.policies.<name>.baseDirectory}/revoked"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.ssl.policies.<name>.tlsVersions

Restrict the TLS protocol versions of this policy to those defined here.

Type: list of string

Default:

[
  "TLSv1.2"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.ssl.policies.<name>.trustAll

Makes this policy trust all remote parties. Enabling this is not recommended and the policy’s trusted directory will be ignored. Use of this mode is discouraged. It would offer encryption but no security.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.ssl.policies.<name>.trustedDir

Path to directory of X.509 certificates in PEM format for trusted parties. Must be an absolute path. The existence of this directory is mandatory and will need to be created manually when: setting this option to something other than its default; setting either this policy’s baseDirectory or directories.certificates to something other than their default. Ensure read/write permissions are given to the Neo4j daemon user neo4j.

The public certificate as defined by publicCertificate is required to be duplicated to this directory.

Type: path

Default: "${config.services.neo4j.ssl.policies.<name>.baseDirectory}/trusted"

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.neo4j.workerCount

Number of Neo4j worker threads, where the default of 0 indicates a worker count equal to the number of available processors.

Type: integer between 0 and 44738 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/databases/neo4j.nix>
services.netatalk.enable

Whether to enable the Netatalk AFP fileserver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix>
services.netatalk.extmap

File name extension mappings. See extmap.conf(5). for more information.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix>
services.netatalk.port

TCP port to be used for AFP.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 548

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix>
services.netatalk.settings

Configuration for Netatalk. See afp.conf(5).

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  Global = {
    "uam list" = "uams_guest.so";
  };
  Homes = {
    "basedir regex" = "/home";
    path = "afp-data";
  };
  example-volume = {
    path = "/srv/volume";
    "read only" = true;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/netatalk.nix>
services.netbird.enable

Whether to enable Netbird daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird.nix>
services.netbird.package

The netbird package to use.

Type: package

Default: pkgs.netbird

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird.nix>
services.netbird.server.enable

Whether to enable Netbird Server stack, comprising the dashboard, management API and signal service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/server.nix>
services.netbird.server.enableNginx

Whether to enable Nginx reverse-proxy for the netbird server services.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/server.nix>
services.netbird.server.coturn.enable

Whether to enable a Coturn server for Netbird, will also open the firewall on the configured range.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/coturn.nix>
services.netbird.server.coturn.domain

The domain under which the coturn server runs.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/coturn.nix>
services.netbird.server.coturn.openPorts

The list of ports used by coturn for listening to open in the firewall.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

with config.services.coturn; [
  listening-port
  alt-listening-port
  tls-listening-port
  alt-tls-listening-port
];

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/coturn.nix>
services.netbird.server.coturn.password

The password of the user used by netbird to connect to the coturn server. Be advised this will be world readable in the nix store.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/coturn.nix>
services.netbird.server.coturn.passwordFile

The path to a file containing the password of the user used by netbird to connect to the coturn server.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/coturn.nix>
services.netbird.server.coturn.useAcmeCertificates

Whether to use ACME certificates corresponding to the given domain for the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/coturn.nix>
services.netbird.server.coturn.user

The username used by netbird to connect to the coturn server.

Type: string

Default: "netbird"

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/coturn.nix>
services.netbird.server.dashboard.enable

Whether to enable the static netbird dashboard frontend.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/dashboard.nix>
services.netbird.server.dashboard.enableNginx

Whether to enable Nginx reverse-proxy to serve the dashboard.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/dashboard.nix>
services.netbird.server.dashboard.package

The netbird-dashboard package to use.

Type: package

Default: pkgs.netbird-dashboard

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/dashboard.nix>
services.netbird.server.dashboard.domain

The domain under which the dashboard runs.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/dashboard.nix>
services.netbird.server.dashboard.finalDrv

The derivation containing the final templated dashboard.

Type: package (read only)

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/dashboard.nix>
services.netbird.server.dashboard.managementServer

The address of the management server, used for the API endpoints.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/dashboard.nix>
services.netbird.server.dashboard.settings

An attribute set that will be used to substitute variables when building the dashboard. Any values set here will be templated into the frontend and be public for anyone that can reach your website. The exact values sadly aren’t documented anywhere. A starting point when searching for valid values is this script The only mandatory value is ‘AUTH_AUTHORITY’ as we cannot set a default value here.

Type: attribute set of (string or boolean)

Default:

''
  {
    AUTH_AUDIENCE = "netbird";
    AUTH_CLIENT_ID = "netbird";
    AUTH_SUPPORTED_SCOPES = "openid profile email";
    NETBIRD_TOKEN_SOURCE = "idToken";
    USE_AUTH0 = false;
  }
''

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/dashboard.nix>
services.netbird.server.domain

The domain under which the netbird server runs.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/server.nix>
services.netbird.server.management.enable

Whether to enable Netbird Management Service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.enableNginx

Whether to enable Nginx reverse-proxy for the netbird management service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.package

The netbird package to use.

Type: package

Default: pkgs.netbird

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.disableAnonymousMetrics

Disables push of anonymous usage metrics to NetBird.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.disableSingleAccountMode

If set to true, disables single account mode. The singleAccountModeDomain property will be ignored and every new user will have a separate NetBird account.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.dnsDomain

Domain used for peer resolution.

Type: string

Default: "netbird.selfhosted"

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.domain

The domain under which the management API runs.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.extraOptions

Additional options given to netbird-mgmt as commandline arguments.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.logLevel

Log level of the netbird services.

Type: one of “ERROR”, “WARN”, “INFO”, “DEBUG”

Default: "INFO"

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.metricsPort

Internal port of the metrics server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9090

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.oidcConfigEndpoint

The oidc discovery endpoint.

Type: string

Example: "https://example.eu.auth0.com/.well-known/openid-configuration"

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.port

Internal port of the management server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8011

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.settings

Configuration of the netbird management server. Options containing secret data should be set to an attribute set containing the attribute _secret

  • a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting management.json file, the DataStoreEncryptionKey key will be set to the contents of the /run/agenix/netbird_mgmt-data_store_encryption_key file.

Type: JSON value

Default:

defaultSettings = {
  Stuns = [
    {
      Proto = "udp";
      URI = "stun:${cfg.turnDomain}:3478";
      Username = "";
      Password = null;
    }
  ];

  TURNConfig = {
    Turns = [
      {
        Proto = "udp";
        URI = "turn:${cfg.turnDomain}:3478";
        Username = "netbird";
        Password = "netbird";
      }
    ];

    CredentialsTTL = "12h";
    Secret = "not-secure-secret";
    TimeBasedCredentials = false;
  };

  Signal = {
    Proto = "https";
    URI = "${cfg.domain}:443";
    Username = "";
    Password = null;
  };

  ReverseProxy = {
    TrustedHTTPProxies = [ ];
    TrustedHTTPProxiesCount = 0;
    TrustedPeers = [ "0.0.0.0/0" ];
  };

  Datadir = "${stateDir}/data";
  DataStoreEncryptionKey = "genEVP6j/Yp2EeVujm0zgqXrRos29dQkpvX0hHdEUlQ=";
  StoreConfig = { Engine = "sqlite"; };

  HttpConfig = {
    Address = "127.0.0.1:${builtins.toString cfg.port}";
    IdpSignKeyRefreshEnabled = true;
    OIDCConfigEndpoint = cfg.oidcConfigEndpoint;
  };

  IdpManagerConfig = {
    ManagerType = "none";
    ClientConfig = {
      Issuer = "";
      TokenEndpoint = "";
      ClientID = "netbird";
      ClientSecret = "";
      GrantType = "client_credentials";
    };

    ExtraConfig = { };
    Auth0ClientCredentials = null;
    AzureClientCredentials = null;
    KeycloakClientCredentials = null;
    ZitadelClientCredentials = null;
  };

  DeviceAuthorizationFlow = {
    Provider = "none";
    ProviderConfig = {
      Audience = "netbird";
      Domain = null;
      ClientID = "netbird";
      TokenEndpoint = null;
      DeviceAuthEndpoint = "";
      Scope = "openid profile email offline_access api";
      UseIDToken = false;
    };
  };

  PKCEAuthorizationFlow = {
    ProviderConfig = {
      Audience = "netbird";
      ClientID = "netbird";
      ClientSecret = "";
      AuthorizationEndpoint = "";
      TokenEndpoint = "";
      Scope = "openid profile email offline_access api";
      RedirectURLs = "http://localhost:53000";
      UseIDToken = false;
    };
  };
};

Example:

{
  DataStoreEncryptionKey = {
    _secret = "/run/agenix/netbird_mgmt-data_store_encryption_key";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.singleAccountModeDomain

Enables single account mode. This means that all the users will be under the same account grouped by the specified domain. If the installation has more than one account, the property is ineffective.

Type: string

Default: "netbird.selfhosted"

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.turnDomain

The domain of the TURN server to use.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.management.turnPort

The port of the TURN server to use.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3478

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/management.nix>
services.netbird.server.signal.enable

Whether to enable Netbird’s Signal Service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/signal.nix>
services.netbird.server.signal.enableNginx

Whether to enable Nginx reverse-proxy for the netbird signal service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/signal.nix>
services.netbird.server.signal.package

The netbird package to use.

Type: package

Default: pkgs.netbird

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/signal.nix>
services.netbird.server.signal.domain

The domain name for the signal service.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/signal.nix>
services.netbird.server.signal.extraOptions

Additional options given to netbird-signal as commandline arguments.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/signal.nix>
services.netbird.server.signal.logLevel

Log level of the netbird signal service.

Type: one of “ERROR”, “WARN”, “INFO”, “DEBUG”

Default: "INFO"

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/signal.nix>
services.netbird.server.signal.metricsPort

Internal port of the metrics server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9091

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/signal.nix>
services.netbird.server.signal.port

Internal port of the signal server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8012

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird/signal.nix>
services.netbird.tunnels

Attribute set of Netbird tunnels, each one will spawn a daemon listening on …

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird.nix>
services.netbird.tunnels.<name>.environment

Environment for the netbird service, used to pass configuration options.

Type: attribute set of string

Default:

{
  NB_CONFIG = "/var/lib/${stateDir}/config.json";
  NB_LOG_FILE = "console";
  NB_WIREGUARD_PORT = builtins.toString port;
  NB_INTERFACE_NAME = name;
  NB_DAMEON_ADDR = "/var/run/${stateDir}"
}

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird.nix>
services.netbird.tunnels.<name>.port

Port for the ‹name› netbird interface.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 51820

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird.nix>
services.netbird.tunnels.<name>.stateDir

Directory storing the netbird configuration.

Type: string

Default: "netbird-‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/netbird.nix>
services.netbox.enable

Enable Netbox.

This module requires a reverse proxy that serves /static separately. See this example on how to configure this.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/netbox.nix>
services.netbox.enableLdap

Enable LDAP-Authentication for Netbox.

This requires a configuration file being pass through ldapConfigPath.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/netbox.nix>
services.netbox.package

NetBox package to use.

Type: package

Default:

if lib.versionAtLeast config.system.stateVersion "24.11"
then pkgs.netbox_4_1
else if lib.versionAtLeast config.system.stateVersion "24.05"
then pkgs.netbox_3_7
else pkgs.netbox_3_6;

Declared by:

<nixpkgs/nixos/modules/services/web-apps/netbox.nix>
services.netbox.dataDir

Storage path of netbox.

Type: string

Default: "/var/lib/netbox"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/netbox.nix>
services.netbox.extraConfig

Additional lines of configuration appended to the configuration.py. See the documentation for more possible options.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/netbox.nix>
services.netbox.keycloakClientSecret

File that contains the keycloak client secret.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/netbox.nix>
services.netbox.ldapConfigPath

Path to the Configuration-File for LDAP-Authentication, will be loaded as ldap_config.py. See the documentation for possible options.

Type: path

Default: ""

Example:

''
  import ldap
  from django_auth_ldap.config import LDAPSearch, PosixGroupType
  
  AUTH_LDAP_SERVER_URI = "ldaps://ldap.example.com/"
  
  AUTH_LDAP_USER_SEARCH = LDAPSearch(
      "ou=accounts,ou=posix,dc=example,dc=com",
      ldap.SCOPE_SUBTREE,
      "(uid=%(user)s)",
  )
  
  AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
      "ou=groups,ou=posix,dc=example,dc=com",
      ldap.SCOPE_SUBTREE,
      "(objectClass=posixGroup)",
  )
  AUTH_LDAP_GROUP_TYPE = PosixGroupType()
  
  # Mirror LDAP group assignments.
  AUTH_LDAP_MIRROR_GROUPS = True
  
  # For more granular permissions, we can map LDAP groups to Django groups.
  AUTH_LDAP_FIND_GROUP_PERMS = True
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/netbox.nix>
services.netbox.listenAddress

Address the server will listen on.

Type: string

Default: "[::1]"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/netbox.nix>
services.netbox.plugins

List of plugin packages to install.

Type: function that evaluates to a(n) list of package

Default:

python3Packages: with python3Packages; [];

Declared by:

<nixpkgs/nixos/modules/services/web-apps/netbox.nix>
services.netbox.port

Port the server will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8001

Declared by:

<nixpkgs/nixos/modules/services/web-apps/netbox.nix>
services.netbox.secretKeyFile

Path to a file containing the secret key.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/netbox.nix>
services.netbox.settings

Configuration options to set in configuration.py. See the documentation for more possible options.

Type: attribute set of (Python value)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/netbox.nix>
services.netbox.settings.ALLOWED_HOSTS

A list of valid fully-qualified domain names (FQDNs) and/or IP addresses that can be used to reach the NetBox service.

Type: list of string

Default:

[
  "*"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/netbox.nix>
services.netclient.enable

Whether to enable Netclient Daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/netclient.nix>
services.netclient.package

The netclient package to use.

Type: package

Default: pkgs.netclient

Declared by:

<nixpkgs/nixos/modules/services/networking/netclient.nix>
services.netdata.enable

Whether to enable netdata.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.netdata.enableAnalyticsReporting

Enable reporting of anonymous usage statistics to Netdata Inc. via either Google Analytics (in versions prior to 1.29.4), or Netdata Inc.'s self-hosted PostHog (in versions 1.29.4 and later). See: https://learn.netdata.cloud/docs/agent/anonymous-statistics

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.netdata.package

The netdata package to use.

Type: package

Default: pkgs.netdata

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.netdata.claimTokenFile

If set, automatically registers the agent using the given claim token file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.netdata.config

netdata.conf configuration as nix attributes. cannot be combined with configText.

Type: attribute set of (attribute set)

Default: { }

Example:

global = {
  "debug log" = "syslog";
  "access log" = "syslog";
  "error log" = "syslog";
};

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.netdata.configDir

Complete netdata config directory except netdata.conf. The default configuration is merged with changes defined in this option. Each top-level attribute denotes a path in the configuration directory as in environment.etc. Its value is the absolute path and must be readable by netdata. Cannot be combined with configText.

Type: attribute set of path

Default: { }

Example:

"health_alarm_notify.conf" = pkgs.writeText "health_alarm_notify.conf" ''
  sendmail="/path/to/sendmail"
'';
"health.d" = "/run/secrets/netdata/health.d";

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.netdata.configText

Verbatim netdata.conf, cannot be combined with config.

Type: null or strings concatenated with “\n”

Default: null

Example:

''
  [global]
  debug log = syslog
  access log = syslog
  error log = syslog
''

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.netdata.deadlineBeforeStopSec

In order to detect when netdata is misbehaving, we run a concurrent task pinging netdata (wait-for-netdata-up) in the systemd unit.

If after a while, this task does not succeed, we stop the unit and mark it as failed.

You can control this deadline in seconds with this option, it’s useful to bump it if you have (1) a lot of data (2) doing upgrades (3) have low IOPS/throughput.

Type: signed integer

Default: 120

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.netdata.extraPluginPaths

Extra paths to add to the netdata global “plugins directory” option. Useful for when you want to include your own collection scripts.

Details about writing a custom netdata plugin are available at: https://docs.netdata.cloud/collectors/plugins.d/

Cannot be combined with configText.

Type: list of path

Default: [ ]

Example:

[ "/path/to/plugins.d" ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.netdata.group

Group under which netdata runs.

Type: string

Default: "netdata"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.netdata.python.enable

Whether to enable python-based plugins

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.netdata.python.extraPackages

Extra python packages available at runtime to enable additional python plugins.

Type: function that evaluates to a(n) list of package

Default: ps: []

Example:

ps: [
  ps.psycopg2
  ps.docker
  ps.dnspython
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.netdata.python.recommendedPythonPackages

Whether to enable a set of recommended Python plugins by installing extra Python packages.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.netdata.user

User account under which netdata runs.

Type: string

Default: "netdata"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/netdata.nix>
services.networkaudiod.enable

Whether to enable Networkaudiod (NAA).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/networkaudiod.nix>
services.networkd-dispatcher.enable

Whether to enable Networkd-dispatcher service for systemd-networkd connection status change. See upstream instructions for usage .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/networkd-dispatcher.nix>
services.networkd-dispatcher.extraArgs

Extra arguments to pass to the networkd-dispatcher command.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/networkd-dispatcher.nix>
services.networkd-dispatcher.rules

Declarative configuration of networkd-dispatcher rules. See upstream instructions for an introduction and example scripts.

Type: attribute set of (submodule)

Default: { }

Example:

{ "restart-tor" = {
    onState = ["routable" "off"];
    script = ''
      #!${pkgs.runtimeShell}
      if [[ $IFACE == "wlan0" && $AdministrativeState == "configured" ]]; then
        echo "Restarting Tor ..."
        systemctl restart tor
      fi
      exit 0
    '';
  };
};

Declared by:

<nixpkgs/nixos/modules/services/networking/networkd-dispatcher.nix>
services.networkd-dispatcher.rules.<name>.onState

List of names of the systemd-networkd operational states which should trigger the script. See https://www.freedesktop.org/software/systemd/man/networkctl.html for a description of the specific state type.

Type: list of (one of “routable”, “dormant”, “no-carrier”, “off”, “carrier”, “degraded”, “configuring”, “configured”)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/networkd-dispatcher.nix>
services.networkd-dispatcher.rules.<name>.script

Shell commands executed on specified operational states.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/networking/networkd-dispatcher.nix>
services.networking.websockify.enable

Whether to enable websockify to forward websocket connections to TCP connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/websockify.nix>
services.networking.websockify.portMap

Ports to map by default.

Type: attribute set of signed integer

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/websockify.nix>
services.networking.websockify.sslCert

Path to the SSL certificate.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/websockify.nix>
services.networking.websockify.sslKey

Path to the SSL key.

Type: path

Default: config.services.networking.websockify.sslCert

Declared by:

<nixpkgs/nixos/modules/services/networking/websockify.nix>
services.nextcloud.enable

Whether to enable nextcloud.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.enableImagemagick

Whether to enable the ImageMagick module for PHP. This is used by the theming app and for generating previews of certain images (e.g. SVG and HEIF). You may want to disable it for increased security. In that case, previews will still be available for some images (e.g. JPEG and PNG). See https://github.com/nextcloud/server/issues/13099 .

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.package

Which package to use for the Nextcloud instance.

Type: package

Related packages:

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.appstoreEnable

Allow the installation and updating of apps from the Nextcloud appstore. Enabled by default unless there are packages in services.nextcloud.extraApps. Set this to true to force enable the store even if services.nextcloud.extraApps is used. Set this to false to disable the installation of apps from the global appstore. App management is always enabled regardless of this setting.

Type: null or boolean

Default: null

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.autoUpdateApps.enable

Run a regular auto-update of all apps installed from the Nextcloud app store.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.autoUpdateApps.startAt

When to run the update. See systemd.services.<name>.startAt.

Type: string or list of string

Default: "05:00:00"

Example: "Sun 14:00:00"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.caching.apcu

Whether to load the APCu module into PHP.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.caching.memcached

Whether to load the Memcached module into PHP. You still need to enable Memcached in your config.php. See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.caching.redis

Whether to load the Redis module into PHP. You still need to enable Redis in your config.php. See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.cli.memoryLimit

The memory_limit of PHP is equal to services.nextcloud.maxUploadSize. The value can be customized for nextcloud-cron.service using this option.

Type: null or string

Default: null

Example: "1G"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.adminpassFile

The full path to a file that contains the admin’s password. Must be readable by user nextcloud. The password is set only in the initial setup of Nextcloud by the systemd service nextcloud-setup.service.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.adminuser

Username for the admin account. The username is only set during the initial setup of Nextcloud! Since the username also acts as unique ID internally, it cannot be changed later!

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.dbhost

Database host (+port) or socket path. If services.nextcloud.database.createLocally is true and services.nextcloud.config.dbtype is either pgsql or mysql, defaults to the correct Unix socket instead.

Type: null or string

Default: "localhost"

Example: "localhost:5000"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.dbname

Database name.

Type: null or string

Default: "nextcloud"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.dbpassFile

The full path to a file that contains the database password.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.dbtableprefix

Table prefix in Nextcloud’s database.

Note: since Nextcloud 20 it’s not an option anymore to create a database schema with a custom table prefix. This option only exists for backwards compatibility with installations that were originally provisioned with Nextcloud <20.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.dbtype

Database type.

Type: one of “sqlite”, “pgsql”, “mysql”

Default: "sqlite"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.dbuser

Database user.

Type: null or string

Default: "nextcloud"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.objectstore.s3.enable

Whether to enable S3 object storage as primary storage.

This mounts a bucket on an Amazon S3 object storage or compatible implementation into the virtual filesystem.

Further details about this feature can be found in the upstream documentation .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.objectstore.s3.autocreate

Create the objectstore if it does not exist.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.objectstore.s3.bucket

The name of the S3 bucket.

Type: string

Example: "nextcloud"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.objectstore.s3.hostname

Required for some non-Amazon implementations.

Type: null or string

Default: null

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.objectstore.s3.key

The access key for the S3 bucket.

Type: string

Example: "EJ39ITYZEUH5BGWDRUFY"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.objectstore.s3.port

Required for some non-Amazon implementations.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.objectstore.s3.region

Required for some non-Amazon implementations.

Type: null or string

Default: null

Example: "REGION"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.objectstore.s3.secretFile

The full path to a file that contains the access secret. Must be readable by user nextcloud.

Type: string

Example: "/var/nextcloud-objectstore-s3-secret"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.objectstore.s3.sseCKeyFile

If provided this is the full path to a file that contains the key to enable server-side encryption with customer-provided keys (SSE-C).

The file must contain a random 32-byte key encoded as a base64 string, e.g. generated with the command

openssl rand 32 | base64

Must be readable by user nextcloud.

Type: null or path

Default: null

Example: "/var/nextcloud-objectstore-s3-sse-c-key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.objectstore.s3.usePathStyle

Required for some non-Amazon S3 implementations.

Ordinarily, requests will be made with http://bucket.hostname.domain/, but with path style enabled requests are made with http://hostname.domain/bucket instead.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.config.objectstore.s3.useSsl

Use SSL for objectstore access.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.configureRedis

Whether to configure Nextcloud to use the recommended Redis settings for small instances.

Note

The notify_push app requires Redis to be configured. If this option is turned off, this must be configured manually.

Type: boolean

Default: config.services.nextcloud.notify_push.enable

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.database.createLocally

Whether to create the database and database user locally.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.datadir

Nextcloud’s data storage path. Will be services.nextcloud.home by default. This folder will be populated with a config.php file and a data folder which contains the state of the instance (excluding the database).";

Type: string

Default: config.services.nextcloud.home

Example: "/mnt/nextcloud-file"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.extraApps

Extra apps to install. Should be an attrSet of appid to packages generated by fetchNextcloudApp. The appid must be identical to the “id” value in the apps appinfo/info.xml. Using this will disable the appstore to prevent Nextcloud from updating these apps (see services.nextcloud.appstoreEnable).

Type: attribute set of package

Default: { }

Example:

{
  inherit (pkgs.nextcloud25Packages.apps) mail calendar contact;
  phonetrack = pkgs.fetchNextcloudApp {
    name = "phonetrack";
    sha256 = "0qf366vbahyl27p9mshfma1as4nvql6w75zy2zk5xwwbp343vsbc";
    url = "https://gitlab.com/eneiluj/phonetrack-oc/-/wikis/uploads/931aaaf8dca24bf31a7e169a83c17235/phonetrack-0.6.9.tar.gz";
    version = "0.6.9";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.extraAppsEnable

Automatically enable the apps in services.nextcloud.extraApps every time Nextcloud starts. If set to false, apps need to be enabled in the Nextcloud web user interface or with nextcloud-occ app:enable.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.fastcgiTimeout

FastCGI timeout for database connection in seconds.

Type: signed integer

Default: 120

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.home

Storage path of nextcloud.

Type: string

Default: "/var/lib/nextcloud"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.hostName

FQDN for the nextcloud instance.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.https

Use HTTPS for generated links.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.maxUploadSize

The upload limit for files. This changes the relevant options in php.ini and nginx if enabled.

Type: string

Default: "512M"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.nginx.hstsMaxAge

Value for the max-age directive of the HTTP Strict-Transport-Security header.

See section 6.1.1 of IETF RFC 6797 for detailed information on this directive and header.

Type: positive integer, meaning >0

Default: 15552000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.nginx.recommendedHttpHeaders

Enable additional recommended HTTP response headers

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.notify_push.enable

Whether to enable Notify push.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-notify_push.nix>
services.nextcloud.notify_push.package

Which package to use for notify_push

Type: package

Default: pkgs.nextcloud-notify_push

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-notify_push.nix>
services.nextcloud.notify_push.bendDomainToLocalhost

Whether to add an entry to /etc/hosts for the configured nextcloud domain to point to localhost and add localhost to nextcloud’s trusted_proxies config option.

This is useful when nextcloud’s domain is not a static IP address and when the reverse proxy cannot be bypassed because the backend connection is done via unix socket.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-notify_push.nix>
services.nextcloud.notify_push.dbhost

Database host (+port) or socket path. If services.nextcloud.database.createLocally is true and services.nextcloud.config.dbtype is either pgsql or mysql, defaults to the correct Unix socket instead.

Type: null or string

Default: config.services.nextcloud.config.dbhost

Example: "localhost:5000"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-notify_push.nix>
services.nextcloud.notify_push.dbname

Database name.

Type: null or string

Default: config.services.nextcloud.config.dbname

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-notify_push.nix>
services.nextcloud.notify_push.dbpassFile

The full path to a file that contains the database password.

Type: null or string

Default: config.services.nextcloud.config.dbpassFile

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-notify_push.nix>
services.nextcloud.notify_push.dbtableprefix

Table prefix in Nextcloud’s database.

Note: since Nextcloud 20 it’s not an option anymore to create a database schema with a custom table prefix. This option only exists for backwards compatibility with installations that were originally provisioned with Nextcloud <20.

Type: null or string

Default: config.services.nextcloud.config.dbtableprefix

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-notify_push.nix>
services.nextcloud.notify_push.dbtype

Database type.

Type: one of “sqlite”, “pgsql”, “mysql”

Default: config.services.nextcloud.config.dbtype

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-notify_push.nix>
services.nextcloud.notify_push.dbuser

Database user.

Type: null or string

Default: config.services.nextcloud.config.dbuser

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-notify_push.nix>
services.nextcloud.notify_push.logLevel

Log level

Type: one of “error”, “warn”, “info”, “debug”, “trace”

Default: "error"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-notify_push.nix>
services.nextcloud.notify_push.socketPath

Socket path to use for notify_push

Type: string

Default: "/run/nextcloud-notify_push/sock"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-notify_push.nix>
services.nextcloud.occ

The nextcloud-occ program preconfigured to target this Nextcloud instance.

Type: package

Default: generated script

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.phpExtraExtensions

Additional PHP extensions to use for Nextcloud. By default, only extensions necessary for a vanilla Nextcloud installation are enabled, but you may choose from the list of available extensions and add further ones. This is sometimes necessary to be able to install a certain Nextcloud app that has additional requirements.

Type: function that evaluates to a(n) list of package

Default: all: []

Example:

all: [ all.pdlib all.bz2 ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.phpOptions

Options for PHP’s php.ini file for nextcloud.

Please note that this option is additive on purpose while the attribute values inside the default are option defaults: that means that

{
  services.nextcloud.phpOptions."opcache.interned_strings_buffer" = "23";
}

will override the php.ini option opcache.interned_strings_buffer without discarding the rest of the defaults.

Overriding all of phpOptions (including upload_max_filesize, post_max_size and memory_limit which all point to services.nextcloud.maxUploadSize by default) can be done like this:

{
  services.nextcloud.phpOptions = lib.mkForce {
    /* ... */
  };
}

Type: attribute set of (string or signed integer)

Default:

{
  catch_workers_output = "yes";
  display_errors = "stderr";
  error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
  expose_php = "Off";
  "opcache.fast_shutdown" = "1";
  "opcache.interned_strings_buffer" = "8";
  "opcache.max_accelerated_files" = "10000";
  "opcache.memory_consumption" = "128";
  "opcache.revalidate_freq" = "1";
  "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
  output_buffering = "0";
  short_open_tag = "Off";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.phpPackage

The php package to use.

Type: package

Default: pkgs.php

Example: php82

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.poolConfig

Options for Nextcloud’s PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.poolSettings

Options for nextcloud’s PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = "32";
  "pm.max_requests" = "500";
  "pm.max_spare_servers" = "4";
  "pm.min_spare_servers" = "2";
  "pm.start_servers" = "2";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.secretFile

Secret options which will be appended to Nextcloud’s config.php file (written as JSON, in the same form as the services.nextcloud.settings option), for example {"redis":{"password":"secret"}}.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.settings

Extra options which should be appended to Nextcloud’s config.php file.

Type: JSON value

Default: { }

Example:

{
       redis = {
         host = "/run/redis/redis.sock";
         port = 0;
         dbindex = 0;
         password = "secret";
         timeout = 1.5;
       };
     } 

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.settings.default_phone_region

An ISO 3166-1 country code which replaces automatic phone-number detection without a country code.

As an example, with DE set as the default phone region, the +49 prefix can be omitted for phone numbers.

Type: string

Default: ""

Example: "DE"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.settings.log_type

Logging backend to use. systemd requires the php-systemd package to be added to services.nextcloud.phpExtraExtensions. See the nextcloud documentation for details.

Type: one of “errorlog”, “file”, “syslog”, “systemd”

Default: "syslog"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.settings.loglevel

Log level value between 0 (DEBUG) and 4 (FATAL).

  • 0 (debug): Log all activity.

  • 1 (info): Log activity such as user logins and file activities, plus warnings, errors, and fatal errors.

  • 2 (warn): Log successful operations, as well as warnings of potential problems, errors and fatal errors.

  • 3 (error): Log failed operations and fatal errors.

  • 4 (fatal): Log only fatal errors that cause the server to stop.

Type: integer between 0 and 4 (both inclusive)

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.settings.overwriteprotocol

Force Nextcloud to always use HTTP or HTTPS i.e. for link generation. Nextcloud uses the currently used protocol by default, but when behind a reverse-proxy, it may use http for everything although Nextcloud may be served via HTTPS.

Type: one of “”, “http”, “https”

Default: ""

Example: "https"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.settings."profile.enabled"

Makes user-profiles globally available under nextcloud.tld/u/user.name. Even though it’s enabled by default in Nextcloud, it must be explicitly enabled here because it has the side-effect that personal information is even accessible to unauthenticated users by default. By default, the following properties are set to “Show to everyone” if this flag is enabled:

  • About

  • Full name

  • Headline

  • Organisation

  • Profile picture

  • Role

  • Twitter

  • Website Only has an effect in Nextcloud 23 and later.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.settings.skeletondirectory

The directory where the skeleton files are located. These files will be copied to the data directory of new users. Leave empty to not copy any skeleton files.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.settings.trusted_domains

Trusted domains, from which the nextcloud installation will be accessible. You don’t need to add services.nextcloud.hostname here.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.settings.trusted_proxies

Trusted proxies, to provide if the nextcloud installation is being proxied to secure against e.g. spoofing.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud.webfinger

Enable this option if you plan on using the webfinger plugin. The appropriate nginx rewrite rules will be added to your configuration.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud.nix>
services.nextcloud-whiteboard-server.enable

Whether to enable Nextcloud backend server for the Whiteboard app.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-whiteboard-server.nix>
services.nextcloud-whiteboard-server.secrets

A list of files containing the various secrets. Should be in the format expected by systemd’s EnvironmentFile directory.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-whiteboard-server.nix>
services.nextcloud-whiteboard-server.settings

Settings to configure backend server. Especially the Nextcloud host url has to be set. The required environment variable JWT_SECRET_KEY should be set via the secrets option.

Type: attribute set of string

Default: { }

Example:

{
  NEXTCLOUD_URL = "https://nextcloud.example.org";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextcloud-whiteboard-server.nix>
services.nextdns.enable

Whether to enable the NextDNS DNS/53 to DoH Proxy service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nextdns.nix>
services.nextdns.arguments

Additional arguments to be passed to nextdns run.

Type: list of string

Default: [ ]

Example:

[
  "-config"
  "10.0.3.0/24=abcdef"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nextdns.nix>
services.nextjs-ollama-llm-ui.enable

Whether to enable Simple Ollama web UI service; an easy to use web frontend for a Ollama backend service. Run state-of-the-art AI large language models (LLM) similar to ChatGPT locally with privacy on your personal computer. This service is stateless and doesn’t store any data on the server; all data is kept locally in your web browser. See https://github.com/jakobhoeg/nextjs-ollama-llm-ui.

Required: You need the Ollama backend service running by having “services.nextjs-ollama-llm-ui.ollamaUrl” point to the correct url. You can host such a backend service with NixOS through “services.ollama”. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix>
services.nextjs-ollama-llm-ui.package

The nextjs-ollama-llm-ui package to use.

Type: package

Default: pkgs.nextjs-ollama-llm-ui

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix>
services.nextjs-ollama-llm-ui.hostname

The hostname under which the Ollama UI interface should be accessible. By default it uses localhost/127.0.0.1 to be accessible only from the local machine. Change to “0.0.0.0” to make it directly accessible from the local network.

Note: You should keep it at 127.0.0.1 and only serve to the local network or internet from a (home) server behind a reverse-proxy and secured encryption. See https://wiki.nixos.org/wiki/Nginx for instructions on how to set up a reverse-proxy.

Type: string

Default: "127.0.0.1"

Example: "ui.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix>
services.nextjs-ollama-llm-ui.ollamaUrl

The address (including host and port) under which we can access the Ollama backend server. !Note that if the the UI service is running under a domain “https://ui.example.org”, the Ollama backend service must allow “CORS” requests from this domain, e.g. by adding “services.ollama.environment.OLLAMA_ORIGINS = [ … “https://ui.example.org” ];”!

Type: string

Default: "http://127.0.0.1:11434"

Example: "https://ollama.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix>
services.nextjs-ollama-llm-ui.port

The port under which the Ollama UI interface should be accessible.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Example: 3000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nextjs-ollama-llm-ui.nix>
services.nexus.enable

Whether to enable Sonatype Nexus3 OSS service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nexus.nix>
services.nexus.package

The nexus package to use.

Type: package

Default: pkgs.nexus

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nexus.nix>
services.nexus.group

Group which runs Nexus3.

Type: string

Default: "nexus"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nexus.nix>
services.nexus.home

Home directory of the Nexus3 instance.

Type: string

Default: "/var/lib/sonatype-work"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nexus.nix>
services.nexus.jdkPackage

The openjdk8 package to use.

Type: package

Default: pkgs.openjdk8

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nexus.nix>
services.nexus.jvmOpts

Options for the JVM written to nexus.jvmopts. Please refer to the docs (https://help.sonatype.com/repomanager3/installation/configuring-the-runtime-environment) for further information.

Type: strings concatenated with “\n”

Default:

''
  -Xms1200M
  -Xmx1200M
  -XX:MaxDirectMemorySize=2G
  -XX:+UnlockDiagnosticVMOptions
  -XX:+UnsyncloadClass
  -XX:+LogVMOutput
  -XX:LogFile=${home}/nexus3/log/jvm.log
  -XX:-OmitStackTraceInFastThrow
  -Djava.net.preferIPv4Stack=true
  -Dkaraf.home=${package}
  -Dkaraf.base=${package}
  -Dkaraf.etc=${package}/etc/karaf
  -Djava.util.logging.config.file=${package}/etc/karaf/java.util.logging.properties
  -Dkaraf.data=${home}/nexus3
  -Djava.io.tmpdir=${home}/nexus3/tmp
  -Dkaraf.startLocalConsole=false
  -Djava.endorsed.dirs=${package}/lib/endorsed
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nexus.nix>
services.nexus.listenAddress

Address to listen on.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nexus.nix>
services.nexus.listenPort

Port to listen on.

Type: signed integer

Default: 8081

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nexus.nix>
services.nexus.user

User which runs Nexus3.

Type: string

Default: "nexus"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nexus.nix>
services.nezha-agent.enable

Whether to enable Agent of Nezha Monitoring.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.package

The nezha-agent package to use.

Type: package

Default: pkgs.nezha-agent

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.debug

Whether to enable verbose log.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.disableCommandExecute

Disable executing the command from dashboard.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.disableNat

Disable NAT penetration.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.disableSendQuery

Disable sending TCP/ICMP/HTTP requests.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.extraFlags

Extra command-line flags passed to nezha-agent.

Type: list of string

Default: [ ]

Example:

[
  "--gpu"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.gpu

Enable GPU monitoring.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.passwordFile

Path to the file contained the password from dashboard.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.reportDelay

The interval between system status reportings. The value must be an integer from 1 to 4

Type: one of 1, 2, 3, 4

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.server

Address to the dashboard

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.skipConnection

Do not monitor the number of connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.skipProcess

Do not monitor the number of processes.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.temperature

Enable temperature monitoring.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.tls

Enable SSL/TLS encryption.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nezha-agent.useIPv6CountryCode

Use ipv6 countrycode to report location.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/nezha-agent.nix>
services.nfs.extraConfig

Extra nfs-utils configuration.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/nfs.nix>
services.nfs.idmapd.settings

libnfsidmap configuration. Refer to https://linux.die.net/man/5/idmapd.conf for details.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  Translation = {
    GSS-Methods = "static,nsswitch";
  };
  Static = {
    "root/hostname.domain.com@REALM.COM" = "root";
  };
}

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/nfs.nix>
services.nfs.server.enable

Whether to enable the kernel’s NFS server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix>
services.nfs.server.createMountPoints

Whether to create the mount points in the exports file at startup time.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix>
services.nfs.server.exports

Contents of the /etc/exports file. See exports(5) for the format.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix>
services.nfs.server.extraNfsdConfig

Extra configuration options for the [nfsd] section of /etc/nfs.conf.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix>
services.nfs.server.hostName

Hostname or address on which NFS requests will be accepted. Default is all. See the -H option in nfsd(8).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix>
services.nfs.server.lockdPort

Use a fixed port for the NFS lock manager kernel module (lockd/nlockmgr). This is useful if the NFS server is behind a firewall.

Type: null or signed integer

Default: null

Example: 4001

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix>
services.nfs.server.mountdPort

Use fixed port for rpc.mountd, useful if server is behind firewall.

Type: null or signed integer

Default: null

Example: 4002

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix>
services.nfs.server.nproc

Number of NFS server threads. Defaults to the recommended value of 8.

Type: signed integer

Default: 8

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix>
services.nfs.server.statdPort

Use a fixed port for rpc.statd. This is useful if the NFS server is behind a firewall.

Type: null or signed integer

Default: null

Example: 4000

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/nfsd.nix>
services.nfs.settings

General configuration for NFS daemons and tools. See nfs.conf(5) and related man pages for details.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  mountd.manage-gids = true;
}

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/nfs.nix>
services.nghttpx.enable

Whether to enable nghttpx.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backend-address-family

Specify address family of backend connections. If “auto” is given, both IPv4 and IPv6 are considered. If “IPv4” is given, only IPv4 address is considered. If “IPv6” is given, only IPv6 address is considered.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx–backend-address-family

Type: one of “auto”, “IPv4”, “IPv6”

Default: "auto"

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backends

A list of backend specifications.

Type: list of (submodule)

Example:

[
  {
    params = {
      proto = "http/1.1";
      redirect-if-not-tls = true;
    };
    patterns = [
      "/"
    ];
    server = {
      host = "172.16.0.22";
      port = 8443;
    };
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backends.*.params

Parameters to configure a backend.

Type: null or (submodule)

Default: null

Example:

{
  proto = "h2";
  tls = true;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backends.*.params.affinity

If “ip” is given, client IP based session affinity is enabled. If “none” is given, session affinity is disabled.

Session affinity is enabled (by nghttpx) per-backend pattern. If at least one backend has a non-“none” affinity, then session affinity is enabled for all backend servers sharing the same pattern.

It is advised to set affinity on all backends explicitly if session affinity is desired. The session affinity may break if one of the backend gets unreachable, or backend settings are reloaded or replaced by API.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.

Type: one of “ip”, “none”

Default: "none"

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backends.*.params.dns

Name resolution of a backends host name is done at start up, or configuration reload. If “dns” is true, name resolution takes place dynamically.

This is useful if a backends address changes frequently. If “dns” is true, name resolution of a backend’s host name at start up, or configuration reload is skipped.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backends.*.params.fall

If nghttpx cannot connect to the backend N times in a row, the backend is assumed to be offline and is excluded from load balancing. If N is 0 the backend is never excluded from load balancing.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backends.*.params.proto

This option configures the protocol the backend server expects to use.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.

Type: one of “h2”, “http/1.1”

Default: "http/1.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backends.*.params.redirect-if-not-tls

If true, a backend match requires the frontend connection be TLS encrypted. If it is not, nghttpx responds to the request with a 308 status code and https URI the client should use instead in the Location header.

The port number in the redirect URI is 443 by default and can be changed using ‘services.nghttpx.redirect-https-port’ option.

If at least one backend has “redirect-if-not-tls” set to true, this feature is enabled for all backend servers with the same pattern. It is advised to set “redirect-if-no-tls” parameter to all backends explicitly if this feature is desired.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backends.*.params.rise

If the backend is excluded from load balancing, nghttpx will periodically attempt to make a connection to the backend. If the connection is successful N times in a row the backend is re-included in load balancing. If N is 0 a backend is never reconsidered for load balancing once it falls.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backends.*.params.sni

Override the TLS SNI field value. This value (in nghttpx) defaults to the host value of the backend configuration.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backends.*.params.tls

This option determines whether nghttpx will negotiate its connection with a backend server using TLS or not. The burden is on the backend server to provide the TLS certificate!

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more detail.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backends.*.patterns

List of nghttpx backend patterns.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-b for more information on the pattern syntax and nghttpxs behavior.

Type: list of string

Default: [ ]

Example:

[
  "*.host.net/v1/"
  "host.org/v2/mypath"
  "/somepath"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backends.*.server

Backend server location specified as either a host:port pair or a unix domain docket.

Type: (submodule) or path

Default:

{
  host = "127.0.0.1";
  port = 80;
}

Example:

{
  host = "127.0.0.1";
  port = 8888;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.backlog

Listen backlog size.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx–backlog

Type: signed integer

Default: 65536

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.extraConfig

Extra configuration options to be appended to the generated configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.frontends

A list of frontend listener specifications.

Type: list of (submodule)

Example:

[
  {
    params = {
      tls = "no-tls";
    };
    server = {
      host = "*";
      port = 80;
    };
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.frontends.*.params

Parameters to configure a backend.

Type: null or (submodule)

Default: null

Example:

{
  tls = "tls";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.frontends.*.params.api

Enable API access for this frontend. This enables you to dynamically modify nghttpx at run-time therefore this feature is disabled by default and should be turned on with care.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f for more detail.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.frontends.*.params.healthmon

Make this frontend a health monitor endpoint. Any request received on this frontend is responded to with a 200 OK.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f for more detail.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.frontends.*.params.proxyproto

Accept PROXY protocol version 1 on frontend connection.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f for more detail.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.frontends.*.params.sni-fwd

When performing a match to select a backend server, SNI host name received from the client is used instead of the request host. See --backend option about the pattern match.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f for more detail.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.frontends.*.params.tls

Enable or disable TLS. If true (enabled) the key and certificate must be configured for nghttpx.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-f for more detail.

Type: one of “tls”, “no-tls”

Default: "tls"

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.frontends.*.server

Frontend server interface binding specification as either a host:port pair or a unix domain docket.

NB: a host of “*” listens on all interfaces and includes IPv6 addresses.

Type: (submodule) or path

Default:

{
  host = "127.0.0.1";
  port = 80;
}

Example:

{
  host = "127.0.0.1";
  port = 8888;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.rlimit-nofile

Set maximum number of open files (RLIMIT_NOFILE) to <N>. If 0 is given, nghttpx does not set the limit.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx–rlimit-nofile

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.single-process

Run this program in a single process mode for debugging purpose. Without this option, nghttpx creates at least 2 processes: master and worker processes. If this option is used, master and worker are unified into a single process. nghttpx still spawns additional process if neverbleed is used. In the single process mode, the signal handling feature is disabled.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx–single-process

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.single-thread

Run everything in one thread inside the worker process. This feature is provided for better debugging experience, or for the platforms which lack thread support. If threading is disabled, this option is always enabled.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx–single-thread

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.tls

TLS certificate and key paths. Note that this does not enable TLS for a frontend listener, to do so, a frontend specification must set params.tls to true.

Type: null or (submodule)

Default: null

Example:

{
  crt = "/etc/ssl/certs/server.crt";
  key = "/etc/ssl/keys/server.key";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.tls.crt

Path to the TLS certificate file.

Type: string

Default: "/etc/ssl/certs/server.crt"

Example: "/etc/ssl/certs/mycert.crt"

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.tls.key

Path to the TLS key file.

Type: string

Default: "/etc/ssl/keys/server.key"

Example: "/etc/ssl/keys/mykeyfile.key"

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nghttpx.workers

Set the number of worker threads.

Please see https://nghttp2.org/documentation/nghttpx.1.html#cmdoption-nghttpx-n

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/networking/nghttpx/nghttpx-options.nix>
services.nginx.enable

Whether to enable Nginx Web Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.enableQuicBPF

Enables routing of QUIC packets using eBPF. When enabled, this allows to support QUIC connection migration. The directive is only supported on Linux 5.7+. Note that enabling this option will make nginx run with extended capabilities that are usually limited to processes running as root namely CAP_SYS_ADMIN and CAP_NET_ADMIN.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.enableReload

Reload nginx when configuration file changes (instead of restart). The configuration file is exposed at /etc/nginx/nginx.conf. See also systemd.services.*.restartIfChanged.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.package

Nginx package to use. This defaults to the stable version. Note that the nginx team recommends to use the mainline version which available in nixpkgs as nginxMainline. Supported Nginx forks include angie, openresty and tengine. For HTTP/3 support use nginxQuic or angieQuic.

Type: package

Default: pkgs.nginxStable

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.additionalModules

Additional third-party nginx modules to install. Packaged modules are available in pkgs.nginxModules.

Type: list of attribute set of anything

Default: [ ]

Example: [ pkgs.nginxModules.echo ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.appendConfig

Configuration lines appended to the generated Nginx configuration file. Commonly used by different modules providing http snippets. appendConfig can be specified more than once and its value will be concatenated (contrary to config which can be set only once).

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.appendHttpConfig

Configuration lines to be appended to the generated http block. This is mutually exclusive with using config and httpConfig for specifying the whole http block verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.clientMaxBodySize

Set nginx global client_max_body_size.

Type: string

Default: "10m"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.commonHttpConfig

With nginx you must provide common http context definitions before they are used, e.g. log_format, resolver, etc. inside of server or location contexts. Use this attribute to set these definitions at the appropriate location.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  resolver 127.0.0.1 valid=5s;
  
  log_format myformat '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.config

Verbatim nginx.conf configuration. This is mutually exclusive to any other config option for nginx.conf except for

If additional verbatim config in addition to other options is needed, services.nginx.appendConfig should be used instead.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.defaultHTTPListenPort

If vhosts do not specify listen.port, use these ports for HTTP by default.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 80

Example: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.defaultListen

If vhosts do not specify listen, use these addresses by default. This option takes precedence over defaultListenAddresses and other listen-related defaults options.

Type: list of (submodule)

Default: [ ]

Example:

[
  { addr = "10.0.0.12"; proxyProtocol = true; ssl = true; }
  { addr = "0.0.0.0"; }
  { addr = "[::0]"; }
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.defaultListen.*.addr

IP address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.defaultListen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.defaultListen.*.port

Port number.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.defaultListen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.defaultListen.*.ssl

Enable SSL.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.defaultListenAddresses

If vhosts do not specify listenAddresses, use these addresses by default. This is akin to writing defaultListen = [ { addr = "0.0.0.0" } ].

Type: list of string

Default: [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]"

Example: [ "10.0.0.12" "[2002:a00:1::]" ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.defaultMimeTypes

Default MIME types for NGINX, as MIME types definitions from NGINX are very incomplete, we use by default the ones bundled in the mailcap package, used by most of the other Linux distributions.

Type: path

Default: $''{pkgs.mailcap}/etc/nginx/mime.types

Example: $''{pkgs.nginx}/conf/mime.types

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.defaultSSLListenPort

If vhosts do not specify listen.port, use these ports for SSL by default.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 443

Example: 8443

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.eventsConfig

Configuration lines to be set inside the events block.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.gitweb.enable

If true, enable gitweb in nginx.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/gitweb.nix>
services.nginx.gitweb.group

Group that the CGI process will belong to. (Set to config.services.gitolite.group if you are using gitolite.)

Type: string

Default: "nginx"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/gitweb.nix>
services.nginx.gitweb.location

Location to serve gitweb on.

Type: string

Default: "/gitweb"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/gitweb.nix>
services.nginx.gitweb.user

Existing user that the CGI process will belong to. (Default almost surely will do.)

Type: string

Default: "nginx"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/gitweb.nix>
services.nginx.gitweb.virtualHost

VirtualHost to serve gitweb on. Default is catch-all.

Type: string

Default: "_"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/gitweb.nix>
services.nginx.group

Group account under which nginx runs.

Type: string

Default: "nginx"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.httpConfig

Configuration lines to be set inside the http block. This is mutually exclusive with the structured configuration via virtualHosts and the recommendedXyzSettings configuration options. See appendHttpConfig for appending to the generated http block.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.logError

Configures logging. The first parameter defines a file that will store the log. The special value stderr selects the standard error file. Logging to syslog can be configured by specifying the “syslog:” prefix. The second parameter determines the level of logging, and can be one of the following: debug, info, notice, warn, error, crit, alert, or emerg. Log levels above are listed in the order of increasing severity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged. If this parameter is omitted then error is used.

Type: string

Default: "stderr"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.mapHashBucketSize

Sets the bucket size for the map variables hash tables. Default value depends on the processor’s cache line size.

Type: null or one of 32, 64, 128

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.mapHashMaxSize

Sets the maximum size of the map variables hash tables.

Type: null or (positive integer, meaning >0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.preStart

Shell commands executed before the service’s nginx is started.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.proxyCachePath

Configure a proxy cache path entry. See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path for documentation.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.proxyCachePath.<name>.enable

Whether to enable this proxy cache path entry.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.proxyCachePath.<name>.inactive

Cached data that has not been accessed for the time specified by the inactive parameter is removed from the cache, regardless of its freshness.

Type: string

Default: "10m"

Example: "1d"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.proxyCachePath.<name>.keysZoneName

Set name to shared memory zone.

Type: string

Default: "cache"

Example: "my_cache"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.proxyCachePath.<name>.keysZoneSize

Set size to shared memory zone.

Type: string

Default: "10m"

Example: "32m"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.proxyCachePath.<name>.levels

The levels parameter defines structure of subdirectories in cache: from 1 to 3, each level accepts values 1 or 2. Сan be used any combination of 1 and 2 in these formats: x, x:x and x:x:x.

Type: string

Default: "1:2"

Example: "1:2:2"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.proxyCachePath.<name>.maxSize

Set maximum cache size

Type: string

Default: "1g"

Example: "2048m"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.proxyCachePath.<name>.useTempPath

Nginx first writes files that are destined for the cache to a temporary storage area, and the use_temp_path=off directive instructs Nginx to write them to the same directories where they will be cached. Recommended that you set this parameter to off to avoid unnecessary copying of data between file systems.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.proxyResolveWhileRunning

Resolves domains of proxyPass targets at runtime and not only at startup. This can be used as a workaround if nginx fails to start because of not-yet-working DNS.

:::{.warn} services.nginx.resolver must be set for this option to work. :::

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.proxyTimeout

Change the proxy related timeouts in recommendedProxySettings.

Type: string

Default: "60s"

Example: "20s"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.recommendedBrotliSettings

Enable recommended brotli settings. Learn more about compression in Brotli format here.

This adds pkgs.nginxModules.brotli to services.nginx.additionalModules.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.recommendedGzipSettings

Enable recommended gzip settings. Learn more about compression in Gzip format here.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.recommendedOptimisation

Enable recommended optimisation settings.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.recommendedProxySettings

Whether to enable recommended proxy settings if a vhost does not specify the option manually.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.recommendedTlsSettings

Enable recommended TLS settings.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.recommendedZstdSettings

Enable recommended zstd settings. Learn more about compression in Zstd format here.

This adds pkgs.nginxModules.zstd to services.nginx.additionalModules.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.resolver

Configures name servers used to resolve names of upstream servers into addresses

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.resolver.addresses

List of resolvers to use

Type: list of string

Default: [ ]

Example: [ "[::1]" "127.0.0.1:5353" ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.resolver.ipv4

By default, nginx will look up both IPv4 and IPv6 addresses while resolving. If looking up of IPv4 addresses is not desired, the ipv4=off parameter can be specified.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.resolver.ipv6

By default, nginx will look up both IPv4 and IPv6 addresses while resolving. If looking up of IPv6 addresses is not desired, the ipv6=off parameter can be specified.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.resolver.valid

By default, nginx caches answers using the TTL value of a response. An optional valid parameter allows overriding it

Type: string

Default: ""

Example: "30s"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.serverNamesHashBucketSize

Sets the bucket size for the server names hash tables. Default value depends on the processor’s cache line size.

Type: null or (positive integer, meaning >0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.serverNamesHashMaxSize

Sets the maximum size of the server names hash tables.

Type: null or (positive integer, meaning >0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.serverTokens

Show nginx version in headers and error pages.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.sslCiphers

Ciphers to choose from when negotiating TLS handshakes.

Type: null or string

Default: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.sslDhparam

Path to DH parameters file.

Type: null or path

Default: null

Example: "/path/to/dhparams.pem"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.sslProtocols

Allowed TLS protocol versions.

Type: string

Default: "TLSv1.2 TLSv1.3"

Example: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.sso.enable

Whether to enable nginx-sso service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/nginx-sso.nix>
services.nginx.sso.package

The nginx-sso package to use.

Type: package

Default: pkgs.nginx-sso

Declared by:

<nixpkgs/nixos/modules/services/security/nginx-sso.nix>
services.nginx.sso.configuration

nginx-sso configuration (documentation) as a Nix attribute set.

Type: attribute set of unspecified value

Default: { }

Example:

{
  listen = { addr = "127.0.0.1"; port = 8080; };

  providers.token.tokens = {
    myuser = "MyToken";
  };

  acl = {
    rule_sets = [
      {
        rules = [ { field = "x-application"; equals = "MyApp"; } ];
        allow = [ "myuser" ];
      }
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/security/nginx-sso.nix>
services.nginx.statusPage

Enable status page reachable from localhost on http://127.0.0.1/nginx_status.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.streamConfig

Configuration lines to be set inside the stream block.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  server {
    listen 127.0.0.1:53 udp reuseport;
    proxy_timeout 20s;
    proxy_pass 192.168.0.1:53535;
  }
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.tailscaleAuth.enable

Whether to enable tailscale.nginx-auth, to authenticate nginx users via tailscale.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix>
services.nginx.tailscaleAuth.package

Alias of services.tailscaleAuth.package.

Type: package

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix>
services.nginx.tailscaleAuth.expectedTailnet

If you want to prevent node sharing from allowing users to access services across tailnets, declare your expected tailnets domain here.

Type: null or string

Default: ""

Example: "tailnet012345.ts.net"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix>
services.nginx.tailscaleAuth.group

Alias of services.tailscaleAuth.group.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix>
services.nginx.tailscaleAuth.socketPath

Alias of services.tailscaleAuth.socketPath.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix>
services.nginx.tailscaleAuth.user

Alias of services.tailscaleAuth.user.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix>
services.nginx.tailscaleAuth.virtualHosts

A list of nginx virtual hosts to put behind tailscale.nginx-auth

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/tailscale-auth.nix>
services.nginx.typesHashMaxSize

Sets the maximum size of the types hash tables (types_hash_max_size). It is recommended that the minimum size possible size is used. If recommendedOptimisation is disabled, nginx would otherwise fail to start since the mailmap mime.types database has more entries than the nginx default value 1024.

Type: positive integer, meaning >0

Default: if config.services.nginx.defaultMimeTypes == "${pkgs.mailcap}/etc/nginx/mime.types" then 2688 else 1024

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.upstreams

Defines a group of servers to use as proxy target.

Type: attribute set of (submodule)

Default: { }

Example:

{
  backend = {
    extraConfig = ''
      keepalive 16;
    '';
    servers = {
      "backend1.example.com:8080" = {
        weight = 5;
      };
      "backend2.example.com" = {
        fail_timeout = "30s";
        max_fails = 3;
      };
      "backend3.example.com" = { };
      "backup1.example.com" = {
        backup = true;
      };
      "backup2.example.com" = {
        backup = true;
      };
    };
  };
  memcached = {
    servers = {
      "unix:/run/memcached/memcached.sock" = { };
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.upstreams.<name>.extraConfig

These lines go to the end of the upstream verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.upstreams.<name>.servers

Defines the address and other parameters of the upstream servers. See the documentation for the available parameters.

Type: attribute set of (attribute set of (boolean or signed integer or string))

Default: { }

Example: see services.nginx.upstreams

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.upstreams.<name>.servers.<name>.backup

Marks the server as a backup server. It will be passed requests when the primary servers are unavailable.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.user

User account under which nginx runs.

Type: string

Default: "nginx"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.validateConfigFile

Whether to enable validating configuration with pkgs.writeNginxConfig.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts

Declarative vhost config

Type: attribute set of (submodule)

Default:

{
  localhost = { };
}

Example:

{
  "hydra.example.com" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://localhost:3000";
    };
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.nginx.virtualHosts.<name>.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/nginx/default.nix>
services.ngircd.enable

Whether to enable the ngircd IRC server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ngircd.nix>
services.ngircd.package

The ngircd package to use.

Type: package

Default: pkgs.ngircd

Declared by:

<nixpkgs/nixos/modules/services/networking/ngircd.nix>
services.ngircd.config

The ngircd configuration (see ngircd.conf(5)).

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/networking/ngircd.nix>
services.nifi.enable

Whether to enable Apache NiFi.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nifi.nix>
services.nifi.enableHTTPS

Enable HTTPS protocol. Don`t use in production.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nifi.nix>
services.nifi.package

Apache NiFi package to use.

Type: package

Default: pkgs.nifi

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nifi.nix>
services.nifi.group

Group account where Apache NiFi runs.

Type: string

Default: "nifi"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nifi.nix>
services.nifi.initJavaHeapSize

Set the initial heap size for the JVM in MB.

Type: null or signed integer

Default: null

Example: 1024

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nifi.nix>
services.nifi.initPasswordFile

nitial password for Apache NiFi. Password must be at least 12 characters.

Type: null or path

Default: null

Example: "/run/keys/nifi/password-nifi"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nifi.nix>
services.nifi.initUser

Initial user account for Apache NiFi. Username must be at least 4 characters.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nifi.nix>
services.nifi.listenHost

Bind to an ip for Apache NiFi web-ui.

Type: string

Default:

if config.services.nifi.enableHTTPS
then "0.0.0.0"
else "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nifi.nix>
services.nifi.listenPort

Bind to a port for Apache NiFi web-ui.

Type: signed integer

Default:

if config.services.nifi.enableHTTPS
then "8443"
else "8000"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nifi.nix>
services.nifi.maxJavaHeapSize

Set the initial heap size for the JVM in MB.

Type: null or signed integer

Default: null

Example: 2048

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nifi.nix>
services.nifi.proxyHost

Allow requests from a specific host.

Type: null or string

Default:

if config.services.nifi.enableHTTPS
then "0.0.0.0"
else null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nifi.nix>
services.nifi.proxyPort

Allow requests from a specific port.

Type: null or signed integer

Default:

if config.services.nifi.enableHTTPS
then "8443"
else null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nifi.nix>
services.nifi.user

User account where Apache NiFi runs.

Type: string

Default: "nifi"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nifi.nix>
services.nitter.enable

Whether to enable Nitter, an alternative Twitter front-end.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.package

The nitter package to use.

Type: package

Default: pkgs.nitter

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.cache.listMinutes

How long to cache list info (not the tweets, so keep it high).

Type: signed integer

Default: 240

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.cache.redisConnections

Redis connection pool size.

Type: signed integer

Default: 20

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.cache.redisHost

Redis host.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.cache.redisMaxConnections

Maximum number of connections to Redis.

New connections are opened when none are available, but if the pool size goes above this, they are closed when released, do not worry about this unless you receive tons of requests per second.

Type: signed integer

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.cache.redisPort

Redis port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6379

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.cache.rssMinutes

How long to cache RSS queries.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.config.enableDebug

Whether to enable request logs and debug endpoints.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.config.enableRSS

Whether to enable RSS feeds.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.config.base64Media

Use base64 encoding for proxied media URLs.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.config.proxy

URL to a HTTP/HTTPS proxy.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.config.proxyAuth

Credentials for proxy.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.config.tokenCount

Minimum amount of usable tokens.

Tokens are used to authorize API requests, but they expire after ~1 hour, and have a limit of 187 requests. The limit gets reset every 15 minutes, and the pool is filled up so there is always at least tokenCount usable tokens. Only increase this if you receive major bursts all the time.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.guestAccounts

Path to the guest accounts file.

This file contains a list of guest accounts that can be used to access the instance without logging in. The file is in JSONL format, where each line is a JSON object with the following fields:

{“oauth_token”:“some_token”,“oauth_token_secret”:“some_secret_key”}

See https://github.com/zedeus/nitter/wiki/Guest-Account-Branch-Deployment for more information on guest accounts and how to generate them.

Type: path

Default: "/var/lib/nitter/guest_accounts.jsonl"

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.openFirewall

Open ports in the firewall for Nitter web interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.autoplayGifs

Autoplay GIFs.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.bidiSupport

Support bidirectional text (makes clicking on tweets harder).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.hideBanner

Hide profile banner.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.hidePins

Hide pinned tweets.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.hideReplies

Hide tweet replies.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.hideTweetStats

Hide tweet stats (replies, retweets, likes).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.hlsPlayback

Enable HLS video streaming (requires JavaScript).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.infiniteScroll

Infinite scrolling (requires JavaScript, experimental!).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.mp4Playback

Enable MP4 video playback.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.muteVideos

Mute videos by default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.proxyVideos

Proxy video streaming through the server (might be slow).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.replaceReddit

Replace Reddit links with links to this instance (blank to disable).

Type: string

Default: ""

Example: "teddit.net"

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.replaceTwitter

Replace Twitter links with links to this instance (blank to disable).

Type: string

Default: ""

Example: "nitter.net"

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.replaceYouTube

Replace YouTube links with links to this instance (blank to disable).

Type: string

Default: ""

Example: "piped.kavin.rocks"

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.squareAvatars

Square profile pictures.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.stickyProfile

Make profile sidebar stick to top.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.preferences.theme

Instance theme.

Type: string

Default: "Nitter"

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.redisCreateLocally

Configure local Redis server for Nitter.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.server.address

The address to listen on.

Type: string

Default: "0.0.0.0"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.server.hostname

Hostname of the instance.

Type: string

Default: "localhost"

Example: "nitter.net"

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.server.httpMaxConnections

Maximum number of HTTP connections.

Type: signed integer

Default: 100

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.server.https

Set secure attribute on cookies. Keep it disabled to enable cookies when not using HTTPS.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.server.port

The port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Example: 8000

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.server.staticDir

Path to the static files directory.

Type: path

Default: "${config.services.nitter.package}/share/nitter/public"

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.server.title

Title of the instance.

Type: string

Default: "nitter"

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nitter.settings

Add settings here to override NixOS module generated settings.

Check the official repository for the available settings: https://github.com/zedeus/nitter/blob/master/nitter.example.conf

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/nitter.nix>
services.nix-serve.enable

Whether to enable nix-serve, the standalone Nix binary cache server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nix-serve.nix>
services.nix-serve.package

The nix-serve package to use.

Type: package

Default: pkgs.nix-serve

Declared by:

<nixpkgs/nixos/modules/services/networking/nix-serve.nix>
services.nix-serve.bindAddress

IP address where nix-serve will bind its listening socket.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/nix-serve.nix>
services.nix-serve.extraParams

Extra command line parameters for nix-serve.

Type: strings concatenated with " "

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/nix-serve.nix>
services.nix-serve.openFirewall

Open ports in the firewall for nix-serve.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nix-serve.nix>
services.nix-serve.port

Port number where nix-serve will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/networking/nix-serve.nix>
services.nix-serve.secretKeyFile

The path to the file used for signing derivation data. Generate with:

nix-store --generate-binary-cache-key key-name secret-key-file public-key-file

For more details see nix-store(1).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nix-serve.nix>
services.nix-store-gcs-proxy

An attribute set describing an HTTP to GCS proxy that allows us to use GCS bucket via HTTP protocol.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/nix-store-gcs-proxy.nix>
services.nix-store-gcs-proxy.<name>.enable

Whether to enable proxy for this bucket

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nix-store-gcs-proxy.nix>
services.nix-store-gcs-proxy.<name>.address

The address of the proxy.

Type: string

Example: "localhost:3000"

Declared by:

<nixpkgs/nixos/modules/services/networking/nix-store-gcs-proxy.nix>
services.nix-store-gcs-proxy.<name>.bucketName

Name of Google storage bucket

Type: string

Default: "‹name›"

Example: "my-bucket-name"

Declared by:

<nixpkgs/nixos/modules/services/networking/nix-store-gcs-proxy.nix>
services.nixops-dns.enable

Whether to enable the nixops-dns resolution of NixOps virtual machines via dnsmasq and fake domain name.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nixops-dns.nix>
services.nixops-dns.dnsmasq

Enable dnsmasq forwarding to nixops-dns. This allows to use nixops-dns for services.nixops-dns.domain resolution while forwarding the rest of the queries to original resolvers.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nixops-dns.nix>
services.nixops-dns.domain

Fake domain name to resolve to NixOps virtual machines.

For example “ops” will resolve “vm.ops”.

Type: string

Default: "ops"

Declared by:

<nixpkgs/nixos/modules/services/networking/nixops-dns.nix>
services.nixops-dns.user

The user the nixops-dns daemon should run as. This should be the user, which is also used for nixops and have the .nixops directory in its home.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/nixops-dns.nix>
services.nixseparatedebuginfod.enable

Whether to enable separatedebuginfod, a debuginfod server providing source and debuginfo for nix packages.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/development/nixseparatedebuginfod.nix>
services.nixseparatedebuginfod.allowOldNix

Do not fail evaluation when services.nixseparatedebuginfod.nixPackage is older than nix 2.18.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/development/nixseparatedebuginfod.nix>
services.nixseparatedebuginfod.nixPackage

The version of nix that nixseparatedebuginfod should use as client for the nix daemon. It is strongly advised to use nix version >= 2.18, otherwise some debug info may go missing.

Type: package

Default: pkgs.nix

Declared by:

<nixpkgs/nixos/modules/services/development/nixseparatedebuginfod.nix>
services.nixseparatedebuginfod.port

port to listen

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1949

Declared by:

<nixpkgs/nixos/modules/services/development/nixseparatedebuginfod.nix>
services.nncp.caller.enable

Whether to enable cron’ed NNCP TCP daemon caller. The daemon will take configuration from programs.nncp.settings .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nncp.nix>
services.nncp.caller.extraArgs

Extra command-line arguments to pass to caller.

Type: list of string

Default: [ ]

Example:

[
  "-autotoss"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nncp.nix>
services.nncp.daemon.enable

Whether to enable NNCP TCP synronization daemon. The daemon will take configuration from programs.nncp.settings .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nncp.nix>
services.nncp.daemon.extraArgs

Extra command-line arguments to pass to daemon.

Type: list of string

Default: [ ]

Example:

[
  "-autotoss"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nncp.nix>
services.nncp.daemon.socketActivation.enable

Whether to enable socket activation for nncp-daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nncp.nix>
services.nncp.daemon.socketActivation.listenStreams

TCP sockets to bind to. See systemd.sockets.<name>.listenStreams.

Type: list of string

Default:

[
  "5400"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nncp.nix>
services.nntp-proxy.enable

Whether to enable NNTP-Proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.listenAddress

Proxy listen address (IPv6 literal addresses need to be enclosed in “[” and “]” characters)

Type: string

Default: "127.0.0.1"

Example: "[::]"

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.port

Proxy listen port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5555

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.prohibitPosting

Whether to prohibit posting to the upstream server

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.sslCert

Proxy ssl certificate path

Type: string

Default: "cert.pem"

Example: "/path/to/your/cert.file"

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.sslKey

Proxy ssl key path

Type: string

Default: "key.pem"

Example: "/path/to/your/key.file"

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.upstreamMaxConnections

Upstream server maximum allowed concurrent connections

Type: signed integer

Default: 20

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.upstreamPassword

Upstream server password

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.upstreamPort

Upstream server port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 563

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.upstreamServer

Upstream server address

Type: string

Default: ""

Example: "ssl-eu.astraweb.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.upstreamUser

Upstream server username

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.users

NNTP-Proxy user configuration

Type: attribute set of (submodule)

Default: { }

Example:

{
  "user1" = {
    passwordHash = "$6$1l0t5Kn2Dk$appzivc./9l/kjq57eg5UCsBKlcfyCr0zNWYNerKoPsI1d7eAwiT0SVsOVx/CTgaBNT/u4fi2vN.iGlPfv1ek0";
    maxConnections = 5;
  };
  "anotheruser" = {
    passwordHash = "$6$6lwEsWB.TmsS$W7m1riUx4QrA8pKJz8hvff0dnF1NwtZXgdjmGqA1Dx2MDPj07tI9GNcb0SWlMglE.2/hBgynDdAd/XqqtRqVQ0";
    maxConnections = 7;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.users.<name>.maxConnections

Maximum number of concurrent connections to the proxy for this user

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.users.<name>.passwordHash

SHA-512 password hash (can be generated by mkpasswd -m sha-512 <password>)

Type: string

Example: "$6$GtzE7FrpE$wwuVgFYU.TZH4Rz.Snjxk9XGua89IeVwPQ/fEUD8eujr40q5Y021yhn0aNcsQ2Ifw.BLclyzvzgegopgKcneL0"

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.users.<name>.username

Username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.nntp-proxy.verbosity

Verbosity level

Type: one of “error”, “warning”, “notice”, “info”, “debug”

Default: "info"

Example: "error"

Declared by:

<nixpkgs/nixos/modules/services/networking/nntp-proxy.nix>
services.node-red.enable

Whether to enable the Node-RED service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/node-red.nix>
services.node-red.package

The node-red package to use.

Type: package

Default: pkgs.node-red

Declared by:

<nixpkgs/nixos/modules/services/web-apps/node-red.nix>
services.node-red.configFile

Path to the JavaScript configuration file. See https://github.com/node-red/node-red/blob/master/packages/node_modules/node-red/settings.js for a configuration example.

Type: path

Default: "${package}/lib/node_modules/node-red/packages/node_modules/node-red/settings.js"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/node-red.nix>
services.node-red.define

List of settings.js overrides to pass via -D to Node-RED.

Type: attribute set

Default: { }

Example:

{
  "logging.console.level" = "trace";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/node-red.nix>
services.node-red.group

Group under which Node-RED runs.If left as the default value this group will automatically be created on system activation, otherwise the sysadmin is responsible for ensuring the group exists.

Type: string

Default: "node-red"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/node-red.nix>
services.node-red.openFirewall

Open ports in the firewall for the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/node-red.nix>
services.node-red.port

Listening port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1880

Declared by:

<nixpkgs/nixos/modules/services/web-apps/node-red.nix>
services.node-red.safe

Whether to launch Node-RED in --safe mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/node-red.nix>
services.node-red.user

User under which Node-RED runs.If left as the default value this user will automatically be created on system activation, otherwise the sysadmin is responsible for ensuring the user exists.

Type: string

Default: "node-red"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/node-red.nix>
services.node-red.userDir

The directory to store all user data, such as flow and credential files and all library data. If left as the default value this directory will automatically be created before the node-red service starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path

Default: "/var/lib/node-red"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/node-red.nix>
services.node-red.withNpmAndGcc

Give Node-RED access to NPM and GCC at runtime, so ‘Nodes’ can be downloaded and managed imperatively via the ‘Palette Manager’.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/node-red.nix>
services.nomad.enable

Whether to enable Nomad, a distributed, highly available, datacenter-aware scheduler.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nomad.nix>
services.nomad.enableDocker

Enable Docker support. Needed for Nomad’s docker driver.

Note that the docker group membership is effectively equivalent to being root, see https://github.com/moby/moby/issues/9976.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nomad.nix>
services.nomad.package

The nomad package to use.

Type: package

Default: pkgs.nomad

Declared by:

<nixpkgs/nixos/modules/services/networking/nomad.nix>
services.nomad.credentials

Credentials envs used to configure nomad secrets.

Type: attribute set of string

Default: { }

Example:

{
  logs_remote_write_password = "/run/keys/nomad_write_password";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nomad.nix>
services.nomad.dropPrivileges

Whether the nomad agent should be run as a non-root nomad user.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nomad.nix>
services.nomad.extraPackages

Extra packages to add to PATH for the Nomad agent process.

Type: list of package

Default: [ ]

Example:

with pkgs; [ cni-plugins ]

Declared by:

<nixpkgs/nixos/modules/services/networking/nomad.nix>
services.nomad.extraSettingsPaths

Additional settings paths used to configure nomad. These can be files or directories.

Type: list of path

Default: [ ]

Example:

[ "/etc/nomad-mutable.json" "/run/keys/nomad-with-secrets.json" "/etc/nomad/config.d" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/nomad.nix>
services.nomad.extraSettingsPlugins

Additional plugins dir used to configure nomad.

Type: list of (package or path)

Default: [ ]

Example:

[ "<pluginDir>" pkgs.nomad-driver-nix pkgs.nomad-driver-podman  ]

Declared by:

<nixpkgs/nixos/modules/services/networking/nomad.nix>
services.nomad.settings

Configuration for Nomad. See the documentation for supported values.

Notes about data_dir:

If data_dir is set to a value other than the default value of "/var/lib/nomad" it is the Nomad cluster manager’s responsibility to make sure that this directory exists and has the appropriate permissions.

Additionally, if dropPrivileges is true then data_dir cannot be customized. Setting dropPrivileges to true enables the DynamicUser feature of systemd which directly manages and operates on StateDirectory.

Type: JSON value

Default: { }

Example:

{
  # A minimal config example:
  server = {
    enabled = true;
    bootstrap_expect = 1; # for demo; no fault tolerance
  };
  client = {
    enabled = true;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nomad.nix>
services.nostr-rs-relay.enable

Whether to enable nostr-rs-relay.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nostr-rs-relay.nix>
services.nostr-rs-relay.package

The nostr-rs-relay package to use.

Type: package

Default: pkgs.nostr-rs-relay

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nostr-rs-relay.nix>
services.nostr-rs-relay.dataDir

Directory for SQLite files.

Type: path

Default: "/var/lib/nostr-rs-relay"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nostr-rs-relay.nix>
services.nostr-rs-relay.port

Listen on this port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 12849

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nostr-rs-relay.nix>
services.nostr-rs-relay.settings

See https://git.sr.ht/~gheartsfield/nostr-rs-relay/#configuration for documentation.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/nostr-rs-relay.nix>
services.novacomd.enable

Whether to enable Novacom service for connecting to WebOS devices.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/novacomd.nix>
services.nscd.enable

Whether to enable the Name Service Cache Daemon. Disabling this is strongly discouraged, as this effectively disables NSS Lookups from all non-glibc NSS modules, including the ones provided by systemd.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/system/nscd.nix>
services.nscd.enableNsncd

Whether to use nsncd instead of nscd from glibc. This is a nscd-compatible daemon, that proxies lookups, without any caching. Using nscd from glibc is discouraged.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/system/nscd.nix>
services.nscd.package

package containing the nscd binary to be used by the service. Ignored when enableNsncd is set to true.

Type: package

Default:

if pkgs.stdenv.hostPlatform.libc == "glibc"
  then pkgs.stdenv.cc.libc.bin
  else pkgs.glibc.bin;

Declared by:

<nixpkgs/nixos/modules/services/system/nscd.nix>
services.nscd.config

Configuration to use for Name Service Cache Daemon. Only used in case glibc-nscd is used.

Type: strings concatenated with “\n”

Default:

''
  # We basically use nscd as a proxy for forwarding nss requests to appropriate
  # nss modules, as we run nscd with LD_LIBRARY_PATH set to the directory
  # containing all such modules
  # Note that we can not use `enable-cache no` As this will actually cause nscd
  # to just reject the nss requests it receives, which then causes glibc to
  # fallback to trying to handle the request by itself. Which won't work as glibc
  # is not aware of the path in which the nss modules live.  As a workaround, we
  # have `enable-cache yes` with an explicit ttl of 0
  server-user             nscd
  
  enable-cache            passwd          yes
  positive-time-to-live   passwd          0
  negative-time-to-live   passwd          0
  shared                  passwd          yes
  
  enable-cache            group           yes
  positive-time-to-live   group           0
  negative-time-to-live   group           0
  shared                  group           yes
  
  enable-cache            netgroup        yes
  positive-time-to-live   netgroup        0
  negative-time-to-live   netgroup        0
  shared                  netgroup        yes
  
  enable-cache            hosts           yes
  positive-time-to-live   hosts           0
  negative-time-to-live   hosts           0
  shared                  hosts           yes
  
  enable-cache            services        yes
  positive-time-to-live   services        0
  negative-time-to-live   services        0
  shared                  services        yes
''

Declared by:

<nixpkgs/nixos/modules/services/system/nscd.nix>
services.nscd.group

User group under which nscd runs.

Type: string

Default: "nscd"

Declared by:

<nixpkgs/nixos/modules/services/system/nscd.nix>
services.nscd.user

User account under which nscd runs.

Type: string

Default: "nscd"

Declared by:

<nixpkgs/nixos/modules/services/system/nscd.nix>
services.nsd.enable

Whether to enable NSD authoritative DNS server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.bind8Stats

Whether to enable BIND8 like statistics.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.dnssecInterval

How often to check whether dnssec key rollover is required

Type: string

Default: "1h"

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.extraConfig

Extra nsd config.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.hideVersion

Whether NSD should answer VERSION.BIND and VERSION.SERVER CHAOS class queries.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.identity

Identify the server (CH TXT ID.SERVER entry).

Type: string

Default: "unidentified server"

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.interfaces

What addresses the server should listen to.

Type: list of string

Default:

[
  "127.0.0.0"
  "::1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.ipFreebind

Whether to bind to nonlocal addresses and interfaces that are down. Similar to ip-transparent.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.ipTransparent

Allow binding to non local addresses.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.ipv4

Whether to listen on IPv4 connections.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.ipv4EDNSSize

Preferred EDNS buffer size for IPv4.

Type: signed integer

Default: 4096

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.ipv6

Whether to listen on IPv6 connections.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.ipv6EDNSSize

Preferred EDNS buffer size for IPv6.

Type: signed integer

Default: 4096

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.keys

Define your TSIG keys here.

Type: attribute set of (submodule)

Default: { }

Example:

{ "tsig.example.org" = {
    algorithm = "hmac-md5";
    keyFile = "/path/to/my/key";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.keys.<name>.algorithm

Authentication algorithm for this key.

Type: string

Default: "hmac-sha256"

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.keys.<name>.keyFile

Path to the file which contains the actual base64 encoded key. The key will be copied into “/var/lib/nsd/private” before NSD starts. The copied file is only accessibly by the NSD user.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.logTimeAscii

Log time in ascii, if false then in unix epoch seconds.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.nsid

NSID identity (hex string, or “ascii_somestring”).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.port

Port the service should bind do.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 53

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.ratelimit.enable

Whether to enable ratelimit capabilities.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.ratelimit.ipv4PrefixLength

IPv4 prefix length. Addresses are grouped by netblock.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.ratelimit.ipv6PrefixLength

IPv6 prefix length. Addresses are grouped by netblock.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.ratelimit.ratelimit

Max qps allowed from any query source. 0 means unlimited. With an verbosity of 2 blocked and unblocked subnets will be logged.

Type: signed integer

Default: 200

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.ratelimit.size

Size of the hashtable. More buckets use more memory but lower the chance of hash hash collisions.

Type: signed integer

Default: 1000000

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.ratelimit.slip

Number of packets that get discarded before replying a SLIP response. 0 disables SLIP responses. 1 will make every response a SLIP response.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.ratelimit.whitelistRatelimit

Max qps allowed from whitelisted sources. 0 means unlimited. Set the rrl-whitelist option for specific queries to apply this limit instead of the default to them.

Type: signed integer

Default: 2000

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.remoteControl.enable

Whether to enable remote control via nsd-control.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.remoteControl.controlCertFile

Path to the client certificate signed with the server certificate. This file is used by nsd-control and generated by nsd-control-setup.

Type: path

Default: "/etc/nsd/nsd_control.pem"

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.remoteControl.controlKeyFile

Path to the client private key, which is used by nsd-control but not by the server. This file is generated by nsd-control-setup.

Type: path

Default: "/etc/nsd/nsd_control.key"

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.remoteControl.interfaces

Which interfaces NSD should bind to for remote control.

Type: list of string

Default:

[
  "127.0.0.1"
  "::1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.remoteControl.port

Port number for remote control operations (uses TLS over TCP).

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8952

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.remoteControl.serverCertFile

Path to the server self signed certificate, which is used by the server but and by nsd-control. This file is generated by nsd-control-setup.

Type: path

Default: "/etc/nsd/nsd_server.pem"

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.remoteControl.serverKeyFile

Path to the server private key, which is used by the server but not by nsd-control. This file is generated by nsd-control-setup.

Type: path

Default: "/etc/nsd/nsd_server.key"

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.reuseport

Whether to enable SO_REUSEPORT on all used sockets. This lets multiple processes bind to the same port. This speeds up operation especially if the server count is greater than one and makes fast restarts less prone to fail

Type: boolean

Default: pkgs.stdenv.hostPlatform.isLinux

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.rootServer

Whether this server will be a root server (a DNS root server, you usually don’t want that).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.roundRobin

Whether to enable round robin rotation of records.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.serverCount

Number of NSD servers to fork. Put the number of CPUs to use here.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.statistics

Statistics are produced every number of seconds. Prints to log. If null no statistics are logged.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.tcpCount

Maximum number of concurrent TCP connections per server.

Type: signed integer

Default: 100

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.tcpQueryCount

Maximum number of queries served on a single TCP connection. 0 means no maximum.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.tcpTimeout

TCP timeout in seconds.

Type: signed integer

Default: 120

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.verbosity

Verbosity level.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.version

The version string replied for CH TXT version.server and version.bind queries. Will use the compiled package version on null. See hideVersion for enabling/disabling this responses.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.xfrdReloadTimeout

Number of seconds between reloads triggered by xfrd.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zonefilesCheck

Whether to check mtime of all zone files on start and sighup.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zonefilesWrite

Write changed secondary zones to their zonefile every N seconds. If the zone (pattern) configuration has “” zonefile, it is not written. Zones that have received zone transfer updates are written to their zonefile. 0 disables writing to zone files.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones

Define your zones here. Zones can cascade other zones and therefore inherit settings from parent zones. Look at the definition of children to learn about inheritance and child zones. The given example will define 3 zones (example.(com|org|net).). Both example.com. and example.org. inherit their configuration from serverGroup1.

Type: attribute set of (submodule)

Default: { }

Example:

{ "serverGroup1" = {
    provideXFR = [ "10.1.2.3 NOKEY" ];
    children = {
      "example.com." = {
        data = ''
          $ORIGIN example.com.
          $TTL    86400
          @ IN SOA a.ns.example.com. admin.example.com. (
          ...
        '';
      };
      "example.org." = {
        data = ''
          $ORIGIN example.org.
          $TTL    86400
          @ IN SOA a.ns.example.com. admin.example.com. (
          ...
        '';
      };
    };
  };

  "example.net." = {
    provideXFR = [ "10.3.2.1 NOKEY" ];
    data = ''
      ...
    '';
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.allowAXFRFallback

If NSD as secondary server should be allowed to AXFR if the primary server does not allow IXFR.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.allowNotify

Listed primary servers are allowed to notify this secondary server.

Format: <ip> <key-name | NOKEY | BLOCKED>

<ip> either a plain IPv4/IPv6 address or range. Valid patters for ranges:

  • 10.0.0.0/24: via subnet size

  • 10.0.0.0&255.255.255.0: via subnet mask

  • 10.0.0.1-10.0.0.254: via range

A optional port number could be added with a ‘@’:

  • 2001:1234::1@1234

<key-name | NOKEY | BLOCKED>

  • <key-name> will use the specified TSIG key

  • NOKEY no TSIG signature is required

  • BLOCKEDnotifies from non-listed or blocked IPs will be ignored

Type: list of string

Default: [ ]

Example:

[
  "192.0.2.0/24 NOKEY"
  "10.0.0.1-10.0.0.5 my_tsig_key_name"
  "10.0.3.4&255.255.0.0 BLOCKED"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.children

Children zones inherit all options of their parents. Attributes defined in a child will overwrite the ones of its parent. Only leaf zones will be actually served. This way it’s possible to define maybe zones which share most attributes without duplicating everything. This mechanism replaces nsd’s patterns in a save and functional way.

Type: attribute set of anything

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.data

The actual zone data. This is the content of your zone file. Use imports or pkgs.lib.readFile if you don’t want this data in your config file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssec

Whether to enable DNSSEC.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssecPolicy.algorithm

Which algorithm to use for DNSSEC

Type: string

Default: "RSASHA256"

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssecPolicy.coverage

The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time.

Type: string

Default: "1y"

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssecPolicy.keyttl

TTL for dnssec records

Type: string

Default: "1h"

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssecPolicy.ksk

Key policy for key signing keys

Type: submodule

Default:

{
  keySize = 4096;
  postPublish = "1mo";
  prePublish = "1mo";
  rollPeriod = "0";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssecPolicy.ksk.keySize

Key size in bits

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssecPolicy.ksk.postPublish

How long after deactivation to keep a key in the zone

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssecPolicy.ksk.prePublish

How long in advance to publish new keys

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssecPolicy.ksk.rollPeriod

How frequently to change keys

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssecPolicy.zsk

Key policy for zone signing keys

Type: submodule

Default:

{
  keySize = 2048;
  postPublish = "1w";
  prePublish = "1w";
  rollPeriod = "1mo";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssecPolicy.zsk.keySize

Key size in bits

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssecPolicy.zsk.postPublish

How long after deactivation to keep a key in the zone

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssecPolicy.zsk.prePublish

How long in advance to publish new keys

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.dnssecPolicy.zsk.rollPeriod

How frequently to change keys

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.maxRefreshSecs

Limit refresh time for secondary zones. This is the timer which checks to see if the zone has to be refetched when it expires. Normally the value from the SOA record is used, but this option restricts that value.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.maxRetrySecs

Limit retry time for secondary zones. This is the timeout after a failed fetch attempt for the zone. Normally the value from the SOA record is used, but this option restricts that value.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.minRefreshSecs

Limit refresh time for secondary zones.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.minRetrySecs

Limit retry time for secondary zones.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.multiMasterCheck

If enabled, checks all masters for the last zone version. It uses the higher version from all configured masters. Useful if you have multiple masters that have different version numbers served.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.notify

This primary server will notify all given secondary servers about zone changes.

Format: <ip> <key-name | NOKEY>

<ip> a plain IPv4/IPv6 address with on optional port number (ip@port)

<key-name | NOKEY>

  • <key-name> sign notifies with the specified key

  • NOKEY don’t sign notifies

Type: list of string

Default: [ ]

Example:

[
  "10.0.0.1@3721 my_key"
  "::5 NOKEY"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.notifyRetry

Specifies the number of retries for failed notifies. Set this along with notify.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.outgoingInterface

This address will be used for zone-transfer requests if configured as a secondary server or notifications in case of a primary server. Supply either a plain IPv4 or IPv6 address with an optional port number (ip@port).

Type: null or string

Default: null

Example: "2000::1@1234"

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.provideXFR

Allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40

Type: list of string

Default: [ ]

Example:

[
  "192.0.2.0/24 NOKEY"
  "192.0.2.0/24 my_tsig_key_name"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.requestXFR

Format: [AXFR|UDP] <ip-address> <key-name | NOKEY>

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.rrlWhitelist

Whitelists the given rrl-types.

Type: list of (one of “nxdomain”, “error”, “referral”, “any”, “rrsig”, “wildcard”, “nodata”, “dnskey”, “positive”, “all”)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.nsd.zones.<name>.zoneStats

When set to something distinct to null NSD is able to collect statistics per zone. All statistics of this zone(s) will be added to the group specified by this given name. Use “%s” to use the zones name as the group. The groups are output from nsd-control stats and stats_noreset.

Type: null or string

Default: null

Example: "%s"

Declared by:

<nixpkgs/nixos/modules/services/networking/nsd.nix>
services.ntfy-sh.enable

Whether to enable ntfy-sh, a push notification service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/ntfy-sh.nix>
services.ntfy-sh.package

The ntfy-sh package to use.

Type: package

Default: pkgs.ntfy-sh

Declared by:

<nixpkgs/nixos/modules/services/misc/ntfy-sh.nix>
services.ntfy-sh.group

Primary group of ntfy-sh user.

Type: string

Default: "ntfy-sh"

Declared by:

<nixpkgs/nixos/modules/services/misc/ntfy-sh.nix>
services.ntfy-sh.settings

Configuration for ntfy.sh, supported values are here.

Type: YAML value

Default: { }

Example:

{
  listen-http = ":8080";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/ntfy-sh.nix>
services.ntfy-sh.settings.base-url

Public facing base URL of the service

This setting is required for any of the following features:

  • attachments (to return a download URL)

  • e-mail sending (for the topic URL in the email footer)

  • iOS push notifications for self-hosted servers (to calculate the Firebase poll_request topic)

  • Matrix Push Gateway (to validate that the pushkey is correct)

Type: string

Example: "https://ntfy.example"

Declared by:

<nixpkgs/nixos/modules/services/misc/ntfy-sh.nix>
services.ntfy-sh.user

User the ntfy-sh server runs under.

Type: string

Default: "ntfy-sh"

Declared by:

<nixpkgs/nixos/modules/services/misc/ntfy-sh.nix>
services.ntopng.enable

Enable ntopng, a high-speed web-based traffic analysis and flow collection tool.

With the default configuration, ntopng monitors all network interfaces and displays its findings at http://localhost:${toString config.services.ntopng.http-port}. Default username and password is admin/admin.

See the ntopng(8) manual page and http://www.ntop.org/products/ntop/ for more info.

Note that enabling ntopng will also enable redis (key-value database server) for persistent data storage.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ntopng.nix>
services.ntopng.configText

Overridable configuration file contents to use for ntopng. By default, use the contents automatically generated by NixOS.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  --interface=any
  --http-port=3000
  --disable-login
''

Declared by:

<nixpkgs/nixos/modules/services/networking/ntopng.nix>
services.ntopng.extraConfig

Configuration lines that will be appended to the generated ntopng configuration file. Note that this mechanism does not work when the manual configText option is used.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ntopng.nix>
services.ntopng.httpPort

Sets the HTTP port of the embedded web server.

Type: signed integer

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/networking/ntopng.nix>
services.ntopng.interfaces

List of interfaces to monitor. Use “any” to monitor all interfaces.

Type: list of string

Default:

[
  "any"
]

Example:

[
  "eth0"
  "wlan0"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ntopng.nix>
services.ntopng.redis.address

Redis address - may be a Unix socket or a network host and port.

Type: string

Example: config.services.redis.ntopng.unixSocket

Declared by:

<nixpkgs/nixos/modules/services/networking/ntopng.nix>
services.ntopng.redis.createInstance

Local Redis instance name. Set to null to disable local Redis instance. Defaults to "" for system.stateVersion older than 22.05.

Type: null or string

Default: "ntopng"

Declared by:

<nixpkgs/nixos/modules/services/networking/ntopng.nix>
services.ntp.enable

Whether to synchronise your machine’s time using ntpd, as a peer in the NTP network.

Disables systemd.timesyncd if enabled.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix>
services.ntp.extraConfig

Additional text appended to ntp.conf.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  fudge 127.127.1.0 stratum 10
''

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix>
services.ntp.extraFlags

Extra flags passed to the ntpd command.

Type: list of string

Default: [ ]

Example: [ "--interface=eth0" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix>
services.ntp.restrictDefault

The restriction flags to be set by default.

The default flags prevent external hosts from using ntpd as a DDoS reflector, setting system time, and querying OS/ntpd version. As recommended in section 6.5.1.1.3, answer “No” of https://support.ntp.org/Support/AccessRestrictions

Type: list of string

Default:

[
  "limited"
  "kod"
  "nomodify"
  "notrap"
  "noquery"
  "nopeer"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix>
services.ntp.restrictSource

The restriction flags to be set on source.

The default flags allow peers to be added by ntpd from configured pool(s), but not by other means.

Type: list of string

Default:

[
  "limited"
  "kod"
  "nomodify"
  "notrap"
  "noquery"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix>
services.ntp.servers

The set of NTP servers from which to synchronise.

Type: list of string

Default: config.networking.timeServers

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/ntpd.nix>
services.ntpd-rs.enable

Whether to enable Network Time Service (ntpd-rs).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/ntpd-rs.nix>
services.ntpd-rs.package

The ntpd-rs package to use.

Type: package

Default: pkgs.ntpd-rs

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/ntpd-rs.nix>
services.ntpd-rs.metrics.enable

Whether to enable ntpd-rs Prometheus Metrics Exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/ntpd-rs.nix>
services.ntpd-rs.settings

Settings to write to ntp.toml

See https://docs.ntpd-rs.pendulum-project.org/man/ntp.toml.5 for more information about available options.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/ntpd-rs.nix>
services.ntpd-rs.useNetworkingTimeServers

Use source time servers from networking.timeServers in config.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/ntpd-rs.nix>
services.nullidentdmod.enable

Whether to enable the nullidentdmod identd daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/nullidentdmod.nix>
services.nullidentdmod.userid

User ID to return. Set to null to return a random string each time.

Type: null or string

Default: null

Example: "alice"

Declared by:

<nixpkgs/nixos/modules/services/networking/nullidentdmod.nix>
services.nullmailer.enable

Whether to enable nullmailer daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.config.adminaddr

If set, all recipients to users at either “localhost” (the literal string) or the canonical host name (from the me control attribute) are remapped to this address. This is provided to allow local daemons to be able to send email to “somebody@localhost” and have it go somewhere sensible instead of being bounced by your relay host. To send to multiple addresses, put them all on one line separated by a comma.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.config.allmailfrom

If set, content will override the envelope sender on all messages.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.config.defaultdomain

The content of this attribute is appended to any host name that does not contain a period (except localhost), including defaulthost and idhost. Defaults to the value of the me attribute, if it exists, otherwise the literal name defauldomain.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.config.defaulthost

The content of this attribute is appended to any address that is missing a host name. Defaults to the value of the me control attribute, if it exists, otherwise the literal name defaulthost.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.config.doublebounceto

If the original sender was empty (the original message was a delivery status or disposition notification), the double bounce is sent to the address in this attribute.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.config.helohost

Sets the environment variable $HELOHOST which is used by the SMTP protocol module to set the parameter given to the HELO command. Defaults to the value of the me configuration attribute.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.config.idhost

The content of this attribute is used when building the message-id string for the message. Defaults to the canonicalized value of defaulthost.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.config.maxpause

The maximum time to pause between successive queue runs, in seconds. Defaults to 24 hours (86400).

Type: null or string or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.config.me

The fully-qualifiled host name of the computer running nullmailer. Defaults to the literal name me.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.config.pausetime

The minimum time to pause between successive queue runs when there are messages in the queue, in seconds. Defaults to 1 minute (60). Each time this timeout is reached, the timeout is doubled to a maximum of maxpause. After new messages are injected, the timeout is reset. If this is set to 0, nullmailer-send will exit immediately after going through the queue once (one-shot mode).

Type: null or string or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.config.remotes

A list of remote servers to which to send each message. Each line contains a remote host name or address followed by an optional protocol string, separated by white space.

See man 8 nullmailer-send for syntax and available options.

WARNING: This is stored world-readable in the nix store. If you need to specify any secret credentials here, consider using the remotesFile option instead.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.config.sendtimeout

The time to wait for a remote module listed above to complete sending a message before killing it and trying again, in seconds. Defaults to 1 hour (3600). If this is set to 0, nullmailer-send will wait forever for messages to complete sending.

Type: null or string or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.group

Group to use to run nullmailer-send.

Type: string

Default: "nullmailer"

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.remotesFile

Path to the remotes control file. This file contains a list of remote servers to which to send each message.

See man 8 nullmailer-send for syntax and available options.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.setSendmail

Whether to set the system sendmail to nullmailer’s.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nullmailer.user

User to use to run nullmailer-send.

Type: string

Default: "nullmailer"

Declared by:

<nixpkgs/nixos/modules/services/mail/nullmailer.nix>
services.nylon.<name>.enable

Enables nylon as a running service upon activation.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nylon.nix>
services.nylon.<name>.acceptInterface

Tell nylon which interface to listen for client requests on, default is “lo”.

Type: string

Default: "lo"

Declared by:

<nixpkgs/nixos/modules/services/networking/nylon.nix>
services.nylon.<name>.allowedIPRanges

Allowed client IP ranges are evaluated first, defaults to ARIN IPv4 private ranges: [ “192.168.0.0/16” “127.0.0.0/8” “172.16.0.0/12” “10.0.0.0/8” ]

Type: list of string

Default:

[
  "192.168.0.0/16"
  "127.0.0.1/8"
  "172.16.0.1/12"
  "10.0.0.0/8"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nylon.nix>
services.nylon.<name>.bindInterface

Tell nylon which interface to use as an uplink, default is “enp3s0f0”.

Type: string

Default: "enp3s0f0"

Declared by:

<nixpkgs/nixos/modules/services/networking/nylon.nix>
services.nylon.<name>.deniedIPRanges

Denied client IP ranges, these gets evaluated after the allowed IP ranges, defaults to all IPv4 addresses: [ “0.0.0.0/0” ] To block all other access than the allowed.

Type: list of string

Default:

[
  "0.0.0.0/0"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/nylon.nix>
services.nylon.<name>.logging

Enable logging, default is no logging.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nylon.nix>
services.nylon.<name>.name

The name of this nylon instance.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/nylon.nix>
services.nylon.<name>.nrConnections

The number of allowed simultaneous connections to the daemon, default 10.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/networking/nylon.nix>
services.nylon.<name>.port

What port to listen for client requests, default is 1080.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1080

Declared by:

<nixpkgs/nixos/modules/services/networking/nylon.nix>
services.nylon.<name>.verbosity

Enable verbose output, default is to not be verbose.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/nylon.nix>
services.nzbget.enable

Whether to enable NZBGet, for downloading files from news servers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nzbget.nix>
services.nzbget.package

The nzbget package to use.

Type: package

Default: pkgs.nzbget

Declared by:

<nixpkgs/nixos/modules/services/misc/nzbget.nix>
services.nzbget.group

Group under which NZBGet runs

Type: string

Default: "nzbget"

Declared by:

<nixpkgs/nixos/modules/services/misc/nzbget.nix>
services.nzbget.settings

NZBGet configuration, passed via command line using switch -o. Refer to https://github.com/nzbget/nzbget/blob/master/nzbget.conf for details on supported values.

Type: attribute set of (boolean or signed integer or string)

Default: { }

Example:

{
  MainDir = "/data";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/nzbget.nix>
services.nzbget.user

User account under which NZBGet runs

Type: string

Default: "nzbget"

Declared by:

<nixpkgs/nixos/modules/services/misc/nzbget.nix>
services.nzbhydra2.enable

Whether to enable NZBHydra2, Usenet meta search.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/nzbhydra2.nix>
services.nzbhydra2.package

The nzbhydra2 package to use.

Type: package

Default: pkgs.nzbhydra2

Declared by:

<nixpkgs/nixos/modules/services/misc/nzbhydra2.nix>
services.nzbhydra2.dataDir

The directory where NZBHydra2 stores its data files.

Type: string

Default: "/var/lib/nzbhydra2"

Declared by:

<nixpkgs/nixos/modules/services/misc/nzbhydra2.nix>
services.nzbhydra2.openFirewall

Open ports in the firewall for the NZBHydra2 web interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/nzbhydra2.nix>
services.oauth2-proxy.enable

Whether to enable oauth2-proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.package

The oauth2-proxy package to use.

Type: package

Default: pkgs.oauth2-proxy

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.approvalPrompt

OAuth approval_prompt.

Type: one of “force”, “auto”

Default: "force"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.azure.resource

The resource that is protected.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.azure.tenant

Go to a tenant-specific or common (tenant-independent) endpoint.

Type: string

Default: "common"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.basicAuthPassword

The password to set when passing the HTTP Basic Auth header.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.clientID

The OAuth Client ID.

Type: null or string

Example: "123456.apps.googleusercontent.com"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.clientSecret

The OAuth Client Secret.

Type: null or string

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.cookie.domain

Optional cookie domains to force cookies to (ie: .yourcompany.com). The longest domain matching the request’s host will be used (or the shortest cookie domain if there is no match).

Type: null or string

Default: null

Example: ".yourcompany.com"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.cookie.expire

Expire timeframe for cookie.

Type: string

Default: "168h0m0s"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.cookie.httpOnly

Set HttpOnly cookie flag.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.cookie.name

The name of the cookie that the oauth_proxy creates.

Type: string

Default: "_oauth2_proxy"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.cookie.refresh

Refresh the cookie after this duration; 0 to disable.

Type: null or string

Default: null

Example: "168h0m0s"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.cookie.secret

The seed string for secure cookies.

Type: null or string

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.cookie.secure

Set secure (HTTPS) cookie flag.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.customTemplatesDir

Path to custom HTML templates.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.email.addresses

Line-separated email addresses that are allowed to authenticate.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.email.domains

Authenticate emails with the specified domains. Use * to authenticate any email.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.extraConfig

Extra config to pass to oauth2-proxy.

Type: attribute set of anything

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.github.org

Restrict logins to members of this organisation.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.github.team

Restrict logins to members of this team.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.google.adminEmail

The Google Admin to impersonate for API calls.

Only users with access to the Admin APIs can access the Admin SDK Directory API, thus the service account needs to impersonate one of those users to access the Admin SDK Directory API.

See https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.google.groups

Restrict logins to members of these Google groups.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.google.serviceAccountJSON

The path to the service account JSON credentials.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.htpasswd.displayForm

Display username / password login form if an htpasswd file is provided.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.htpasswd.file

Additionally authenticate against a htpasswd file. Entries must be created with htpasswd -s for SHA encryption.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.httpAddress

HTTPS listening address. This module does not expose the port by default. If you want this URL to be accessible to other machines, please add the port to networking.firewall.allowedTCPPorts.

Type: string

Default: "http://127.0.0.1:4180"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.keyFile

oauth2-proxy allows passing sensitive configuration via environment variables. Make a file that contains lines like OAUTH2_PROXY_CLIENT_SECRET=asdfasdfasdf.apps.googleuserscontent.com and specify the path here.

Type: null or path

Default: null

Example: "/run/keys/oauth2-proxy"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.loginURL

Authentication endpoint.

You only need to set this if you are using a self-hosted provider (e.g. Github Enterprise). If you’re using a publicly hosted provider (e.g github.com), then the default works.

Type: null or string

Default: null

Example: "https://provider.example.com/oauth/authorize"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.nginx.domain

The domain under which the oauth2-proxy will be accesible and the path of cookies are set to. This setting must be set to ensure back-redirects are working properly if oauth2-proxy is configured with services.oauth2-proxy.cookie.domain or multiple services.oauth2-proxy.nginx.virtualHosts that are not on the same domain.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix>
services.oauth2-proxy.nginx.proxy

The address of the reverse proxy endpoint for oauth2-proxy

Type: string

Default: config.services.oauth2-proxy.httpAddress

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix>
services.oauth2-proxy.nginx.virtualHosts

Nginx virtual hosts to put behind the oauth2 proxy. You can exclude specific locations by setting auth_request off; in the locations extraConfig setting.

Type: (attribute set of (submodule)) or (list of string) convertible to it

Default: { }

Example:

{
  "protected.foo.com" = {
    allowed_emails = [
      "boss@foo.com"
    ];
    allowed_groups = [
      "admins"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix>
services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_email_domains

List of email domains to allow access to this vhost, or null to allow all.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix>
services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_emails

List of emails to allow access to this vhost, or null to allow all.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix>
services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_groups

List of groups to allow access to this vhost, or null to allow all.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy-nginx.nix>
services.oauth2-proxy.oidcIssuerUrl

The OAuth issuer URL.

Type: null or string

Default: null

Example: "https://login.microsoftonline.com/{TENANT_ID}/v2.0"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.passAccessToken

Pass OAuth access_token to upstream via X-Forwarded-Access-Token header.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.passBasicAuth

Pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.passHostHeader

Pass the request Host Header to upstream.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.profileURL

Profile access endpoint.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.provider

OAuth provider.

Type: one of “adfs”, “azure”, “bitbucket”, “digitalocean”, “facebook”, “github”, “gitlab”, “google”, “keycloak”, “keycloak-oidc”, “linkedin”, “login.gov”, “nextcloud”, “oidc”

Default: "google"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.proxyPrefix

The url root path that this proxy should be nested under.

Type: string

Default: "/oauth2"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.redeemURL

Token redemption endpoint.

You only need to set this if you are using a self-hosted provider (e.g. Github Enterprise). If you’re using a publicly hosted provider (e.g github.com), then the default works.

Type: null or string

Default: null

Example: "https://provider.example.com/oauth/token"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.redirectURL

The OAuth2 redirect URL.

Type: null or string

Default: null

Example: "https://internalapp.yourcompany.com/oauth2/callback"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.requestLogging

Log requests to stdout.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.reverseProxy

In case when running behind a reverse proxy, controls whether headers like X-Real-Ip are accepted. Usage behind a reverse proxy will require this flag to be set to avoid logging the reverse proxy IP address.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.scope

OAuth scope specification.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.setXauthrequest

Set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode). Setting this to ‘null’ means using the upstream default (false).

Type: null or boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.signatureKey

GAP-Signature request signature key.

Type: null or string

Default: null

Example: "sha1:secret0"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.skipAuthRegexes

Skip authentication for requests matching any of these regular expressions.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.tls.enable

Whether to serve over TLS.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.tls.certificate

Path to certificate file.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.tls.httpsAddress

addr:port to listen on for HTTPS clients.

Remember to add port to allowedTCPPorts if you want other machines to be able to connect to it.

Type: string

Default: ":443"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.tls.key

Path to private key file.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.upstream

The http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path.

Type: (list of string) or string convertible to it

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.oauth2-proxy.validateURL

Access token validation endpoint.

You only need to set this if you are using a self-hosted provider (e.g. Github Enterprise). If you’re using a publicly hosted provider (e.g github.com), then the default works.

Type: null or string

Default: null

Example: "https://provider.example.com/user/emails"

Declared by:

<nixpkgs/nixos/modules/services/security/oauth2-proxy.nix>
services.ocis.enable

Whether to enable ownCloud Infinite Scale.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ocis.nix>
services.ocis.package

The ocis-bin package to use.

Type: package

Default: pkgs.ocis-bin

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ocis.nix>
services.ocis.address

Web interface address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ocis.nix>
services.ocis.configDir

Path to directory containing oCIS config file.

Example config can be generated by ocis init --config-path fileName --admin-password "adminPass". Add --insecure true if SSL certificates are generated and managed externally (e.g. using oCIS behind reverse proxy).

Note: This directory must contain at least a ocis.yaml. Ensure user has read/write access to it. In some circumstances you may need to add additional oCIS configuration files (e.g., proxy.yaml) to this directory.

Type: null or path

Default: null

Example: "/var/lib/ocis/config"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ocis.nix>
services.ocis.environment

Extra config options.

See the documentation for available options. See notes for environment variables for more information.

Note that all the attributes here will be copied to /nix/store/ and will be world readable. Options like *_PASSWORD or *_SECRET should be part of environmentFile instead, and are only provided here for illustrative purpose.

Configuration here will override those from environmentFile and will have highest precedence, at the cost of security. Do NOT put security sensitive stuff here.

Type: attribute set of string

Default: { }

Example:

{
  CS3_ALLOW_INSECURE = "true";
  GATEWAY_STORAGE_USERS_MOUNT_ID = "123";
  GRAPH_APPLICATION_ID = "1234";
  IDM_IDPSVC_PASSWORD = "password";
  IDM_REVASVC_PASSWORD = "password";
  IDM_SVC_PASSWORD = "password";
  IDP_ISS = "https://localhost:9200";
  IDP_TLS = "false";
  OCIS_INSECURE = "false";
  OCIS_INSECURE_BACKENDS = "true";
  OCIS_JWT_SECRET = "super_secret";
  OCIS_LDAP_BIND_PASSWORD = "password";
  OCIS_LOG_LEVEL = "error";
  OCIS_MACHINE_AUTH_API_KEY = "foo";
  OCIS_MOUNT_ID = "123";
  OCIS_SERVICE_ACCOUNT_ID = "foo";
  OCIS_SERVICE_ACCOUNT_SECRET = "foo";
  OCIS_STORAGE_USERS_MOUNT_ID = "123";
  OCIS_SYSTEM_USER_API_KEY = "foo";
  OCIS_SYSTEM_USER_ID = "123";
  OCIS_TRANSFER_SECRET = "foo";
  STORAGE_USERS_MOUNT_ID = "123";
  TLS_INSECURE = "true";
  TLS_SKIP_VERIFY_CLIENT_CERT = "true";
  WEBDAV_ALLOW_INSECURE = "true";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ocis.nix>
services.ocis.environmentFile

An environment file as defined in systemd.exec(5).

Configuration provided in this file will override those from configDir/ocis.yaml.

Type: null or path

Default: null

Example: "/run/keys/ocis.env"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ocis.nix>
services.ocis.group

The group to run oCIS under. By default, a group named ocis will be created.

Type: string

Default: "ocis"

Example: "yourGroup"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ocis.nix>
services.ocis.port

Web interface port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9200

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ocis.nix>
services.ocis.stateDir

ownCloud data directory.

Type: string

Default: "/var/lib/ocis"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ocis.nix>
services.ocis.url

Web interface address.

Type: string

Default: "https://localhost:9200"

Example: "https://some-hostname-or-ip:9200"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ocis.nix>
services.ocis.user

The user to run oCIS as. By default, a user named ocis will be created whose home directory is stateDir.

Type: string

Default: "ocis"

Example: "yourUser"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/ocis.nix>
services.ocserv.enable

Whether to enable ocserv.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ocserv.nix>
services.ocserv.config

Configuration content to start an OCServ server.

For a full configuration reference,please refer to the online documentation (https://ocserv.gitlab.io/www/manual.html), the openconnect recipes (https://github.com/openconnect/recipes) or man ocserv.

Type: strings concatenated with “\n”

Example:

''
  # configuration examples from $out/doc without explanatory comments.
  # for a full reference please look at the installed man pages.
  auth = "plain[passwd=./sample.passwd]"
  tcp-port = 443
  udp-port = 443
  run-as-user = nobody
  run-as-group = nogroup
  socket-file = /run/ocserv-socket
  server-cert = certs/server-cert.pem
  server-key = certs/server-key.pem
  keepalive = 32400
  dpd = 90
  mobile-dpd = 1800
  switch-to-tcp-timeout = 25
  try-mtu-discovery = false
  cert-user-oid = 0.9.2342.19200300.100.1.1
  tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
  auth-timeout = 240
  min-reauth-time = 300
  max-ban-score = 80
  ban-reset-time = 1200
  cookie-timeout = 300
  deny-roaming = false
  rekey-time = 172800
  rekey-method = ssl
  use-occtl = true
  pid-file = /run/ocserv.pid
  device = vpns
  predictable-ips = true
  default-domain = example.com
  ipv4-network = 192.168.1.0
  ipv4-netmask = 255.255.255.0
  dns = 192.168.1.2
  ping-leases = false
  route = 10.10.10.0/255.255.255.0
  route = 192.168.0.0/255.255.0.0
  no-route = 192.168.5.0/255.255.255.0
  cisco-client-compat = true
  dtls-legacy = true
  
  [vhost:www.example.com]
  auth = "certificate"
  ca-cert = certs/ca.pem
  server-cert = certs/server-cert-secp521r1.pem
  server-key = cersts/certs/server-key-secp521r1.pem
  ipv4-network = 192.168.2.0
  ipv4-netmask = 255.255.255.0
  cert-user-oid = 0.9.2342.19200300.100.1.1
''

Declared by:

<nixpkgs/nixos/modules/services/networking/ocserv.nix>
services.ocsinventory-agent.enable

Whether to enable OCS Inventory Agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.nix>
services.ocsinventory-agent.package

The ocsinventory-agent package to use.

Type: package

Default: pkgs.ocsinventory-agent

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.nix>
services.ocsinventory-agent.interval

How often we run the ocsinventory-agent service. Runs by default every daily.

The format is described in systemd.time(7).

Type: string

Default: "daily"

Example: "06:00"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.nix>
services.ocsinventory-agent.settings

Configuration for /etc/ocsinventory-agent/ocsinventory-agent.cfg.

Refer to ocsinventory-agent(1) for available options.

Type: atom (null, bool, int, float or string)

Default: { }

Example:

{
  ca = "/etc/ssl/certs/ca-certificates.crt";
  debug = true;
  server = "https://ocsinventory.localhost:8080/ocsinventory";
  tag = "01234567890123";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.nix>
services.ocsinventory-agent.settings.ca

Path to CA certificates file in PEM format, for server SSL certificate validation.

Type: path

Default: "/etc/ssl/certs/ca-certificates.crt"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.nix>
services.ocsinventory-agent.settings.debug

Whether to enable debug mode.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.nix>
services.ocsinventory-agent.settings.local

If specified, the OCS Inventory Agent will run in offline mode and the resulting inventory file will be stored in the specified path.

Type: null or path

Default: null

Example: "/var/lib/ocsinventory-agent/reports"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.nix>
services.ocsinventory-agent.settings.server

The URI of the OCS Inventory server where to send the inventory file.

This option is ignored if services.ocsinventory-agent.settings.local is set.

Type: null or string

Default: null

Example: "https://ocsinventory.localhost:8080/ocsinventory"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.nix>
services.ocsinventory-agent.settings.tag

Tag for the generated inventory.

Type: null or string

Default: null

Example: "01234567890123"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/ocsinventory-agent.nix>
services.octoprint.enable

Whether to enable OctoPrint, web interface for 3D printers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/octoprint.nix>
services.octoprint.extraConfig

Extra options which are added to OctoPrint’s YAML configuration file.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/octoprint.nix>
services.octoprint.group

Group for the daemon.

Type: string

Default: "octoprint"

Declared by:

<nixpkgs/nixos/modules/services/misc/octoprint.nix>
services.octoprint.host

Host to bind OctoPrint to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/octoprint.nix>
services.octoprint.openFirewall

Open ports in the firewall for OctoPrint.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/octoprint.nix>
services.octoprint.plugins

Additional plugins to be used. Available plugins are passed through the plugins input.

Type: function that evaluates to a(n) list of package

Default: plugins: []

Example: plugins: with plugins; [ themeify stlviewer ]

Declared by:

<nixpkgs/nixos/modules/services/misc/octoprint.nix>
services.octoprint.port

Port to bind OctoPrint to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/misc/octoprint.nix>
services.octoprint.stateDir

State directory of the daemon.

Type: path

Default: "/var/lib/octoprint"

Declared by:

<nixpkgs/nixos/modules/services/misc/octoprint.nix>
services.octoprint.user

User for the daemon.

Type: string

Default: "octoprint"

Declared by:

<nixpkgs/nixos/modules/services/misc/octoprint.nix>
services.odoo.enable

Whether to enable odoo, an open source ERP and CRM system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/finance/odoo.nix>
services.odoo.package

The odoo package to use.

Type: package

Default: pkgs.odoo

Declared by:

<nixpkgs/nixos/modules/services/finance/odoo.nix>
services.odoo.addons

Odoo addons.

Type: list of package

Default: [ ]

Example: [ pkgs.odoo_enterprise ]

Declared by:

<nixpkgs/nixos/modules/services/finance/odoo.nix>
services.odoo.autoInit

Whether to enable automatically initialize the DB.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/finance/odoo.nix>
services.odoo.autoInitExtraFlags

Extra flags passed to odoo when run for the first time by autoInit

Type: list of string

Default: [ ]

Example:

[ "--without-demo=all" ]

Declared by:

<nixpkgs/nixos/modules/services/finance/odoo.nix>
services.odoo.domain

Domain to host Odoo with nginx

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/finance/odoo.nix>
services.odoo.settings

Odoo configuration settings. For more details see https://www.odoo.com/documentation/15.0/administration/install/deploy.html

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

options = {
  db_user = "odoo";
  db_password="odoo";
};

Declared by:

<nixpkgs/nixos/modules/services/finance/odoo.nix>
services.offlineimap.enable

Whether to enable OfflineIMAP, a software to dispose your mailbox(es) as a local Maildir(s).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/offlineimap.nix>
services.offlineimap.package

The offlineimap package to use.

Type: package

Default: pkgs.offlineimap

Declared by:

<nixpkgs/nixos/modules/services/mail/offlineimap.nix>
services.offlineimap.install

Whether to install a user service for Offlineimap. Once the service is started, emails will be fetched automatically.

The service must be manually started for each user with “systemctl --user start offlineimap” or globally through services.offlineimap.enable.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/offlineimap.nix>
services.offlineimap.onCalendar

How often is offlineimap started. Default is ‘*:0/3’ meaning every 3 minutes. See systemd.time(7) for more information about the format.

Type: string

Default: "*:0/3"

Declared by:

<nixpkgs/nixos/modules/services/mail/offlineimap.nix>
services.offlineimap.path

List of derivations to put in Offlineimap’s path.

Type: list of path

Default: [ ]

Example: [ pkgs.pass pkgs.bash pkgs.notmuch ]

Declared by:

<nixpkgs/nixos/modules/services/mail/offlineimap.nix>
services.offlineimap.timeoutStartSec

How long waiting for offlineimap before killing it. Default is ‘120sec’ meaning every 2 minutes. See systemd.time(7) for more information about the format.

Type: string

Default: "120sec"

Declared by:

<nixpkgs/nixos/modules/services/mail/offlineimap.nix>
services.ofono.enable

Whether to enable Ofono.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ofono.nix>
services.ofono.plugins

The list of plugins to install.

Type: list of package

Default: [ ]

Example: [ pkgs.modem-manager-gui ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ofono.nix>
services.oidentd.enable

Whether to enable ‘oidentd’, an implementation of the Ident protocol (RFC 1413). It allows remote systems to identify the name of the user associated with a TCP connection.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/oidentd.nix>
services.oink.enable

Whether to enable Oink, a dynamic DNS client for Porkbun.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/oink.nix>
services.oink.package

The oink package to use.

Type: package

Default: pkgs.oink

Declared by:

<nixpkgs/nixos/modules/services/networking/oink.nix>
services.oink.domains

List of attribute sets containing configuration for each domain.

Each attribute set must have two attributes, one named domain and another named subdomain. The domain attribute must specify the root domain that you want to configure, and the subdomain attribute must specify its subdomain if any. If you want to configure the root domain rather than a subdomain, leave the subdomain attribute as an empty string.

Additionally, you can use attributes from services.oink.settings to override settings per-domain.

Every domain listed here must have API access enabled in Porkbun’s control panel.

Type: list of attribute set of anything

Default: [ ]

Example:

[
  {
    domain = "nixos.org";
    subdomain = "";
    ttl = 1200;
  }
  {
    domain = "nixos.org";
    subdomain = "hydra";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/oink.nix>
services.oink.settings.apiKey

API key to use when modifying DNS records.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/oink.nix>
services.oink.settings.interval

Seconds to wait before sending another request.

Type: integer between 60 and 172800 (both inclusive)

Default: 900

Declared by:

<nixpkgs/nixos/modules/services/networking/oink.nix>
services.oink.settings.secretApiKey

Secret API key to use when modifying DNS records.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/oink.nix>
services.oink.settings.ttl

The TTL (“Time to Live”) value to set for your DNS records.

The TTL controls how long in seconds your records will be cached for. A smaller value will allow the record to update quicker.

Type: integer between 600 and 172800 (both inclusive)

Default: 600

Declared by:

<nixpkgs/nixos/modules/services/networking/oink.nix>
services.ollama.enable

Whether to enable ollama server for local large language models.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/ollama.nix>
services.ollama.package

The ollama package to use.

Type: package

Default: pkgs.ollama

Declared by:

<nixpkgs/nixos/modules/services/misc/ollama.nix>
services.ollama.acceleration

What interface to use for hardware acceleration.

  • null: default behavior

    • if nixpkgs.config.rocmSupport is enabled, uses "rocm"

    • if nixpkgs.config.cudaSupport is enabled, uses "cuda"

    • otherwise defaults to false

  • false: disable GPU, only use CPU

  • "rocm": supported by most modern AMD GPUs

    • may require overriding gpu type with services.ollama.rocmOverrideGfx if rocm doesn’t detect your AMD gpu

  • "cuda": supported by most modern NVIDIA GPUs

Type: null or one of false, “rocm”, “cuda”

Default: null

Example: "rocm"

Declared by:

<nixpkgs/nixos/modules/services/misc/ollama.nix>
services.ollama.environmentVariables

Set arbitrary environment variables for the ollama service.

Be aware that these are only seen by the ollama server (systemd service), not normal invocations like ollama run. Since ollama run is mostly a shell around the ollama server, this is usually sufficient.

Type: attribute set of string

Default: { }

Example:

{
  HIP_VISIBLE_DEVICES = "0,1";
  OLLAMA_LLM_LIBRARY = "cpu";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/ollama.nix>
services.ollama.group

Group under which to run ollama. Only used when services.ollama.user is set.

The group will automatically be created, if this option is set to a non-null value.

Type: null or string

Default: config.services.ollama.user

Example: "ollama"

Declared by:

<nixpkgs/nixos/modules/services/misc/ollama.nix>
services.ollama.home

The home directory that the ollama service is started in.

Type: string

Default: "/var/lib/ollama"

Example: "/home/foo"

Declared by:

<nixpkgs/nixos/modules/services/misc/ollama.nix>
services.ollama.host

The host address which the ollama server HTTP interface listens to.

Type: string

Default: "127.0.0.1"

Example: "[::]"

Declared by:

<nixpkgs/nixos/modules/services/misc/ollama.nix>
services.ollama.loadModels

Download these models using ollama pull as soon as ollama.service has started.

This creates a systemd unit ollama-model-loader.service.

Search for models of your choice from: https://ollama.com/library

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/ollama.nix>
services.ollama.models

The directory that the ollama service will read models from and download new models to.

Type: string

Default: "\${config.services.ollama.home}/models"

Example: "/path/to/ollama/models"

Declared by:

<nixpkgs/nixos/modules/services/misc/ollama.nix>
services.ollama.openFirewall

Whether to open the firewall for ollama.

This adds services.ollama.port to networking.firewall.allowedTCPPorts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/ollama.nix>
services.ollama.port

Which port the ollama server listens to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 11434

Example: 11111

Declared by:

<nixpkgs/nixos/modules/services/misc/ollama.nix>
services.ollama.rocmOverrideGfx

Override what rocm will detect your gpu model as. For example, if you have an RX 5700 XT, try setting this to "10.1.0" (gfx 1010).

This sets the value of HSA_OVERRIDE_GFX_VERSION. See ollama’s docs for details.

Type: null or string

Default: null

Example: "10.3.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/ollama.nix>
services.ollama.user

User account under which to run ollama. Defaults to DynamicUser when set to null.

The user will automatically be created, if this option is set to a non-null value.

Type: null or string

Default: null

Example: "ollama"

Declared by:

<nixpkgs/nixos/modules/services/misc/ollama.nix>
services.ombi.enable

Whether to enable Ombi, a web application that automatically gives your shared Plex or Emby users the ability to request content by themselves!

Optionally see https://docs.ombi.app/info/reverse-proxy on how to set up a reverse proxy .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/ombi.nix>
services.ombi.package

The ombi package to use.

Type: package

Default: pkgs.ombi

Declared by:

<nixpkgs/nixos/modules/services/misc/ombi.nix>
services.ombi.dataDir

The directory where Ombi stores its data files.

Type: string

Default: "/var/lib/ombi"

Declared by:

<nixpkgs/nixos/modules/services/misc/ombi.nix>
services.ombi.group

Group under which Ombi runs.

Type: string

Default: "ombi"

Declared by:

<nixpkgs/nixos/modules/services/misc/ombi.nix>
services.ombi.openFirewall

Open ports in the firewall for the Ombi web interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/ombi.nix>
services.ombi.port

The port for the Ombi web interface.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/misc/ombi.nix>
services.ombi.user

User account under which Ombi runs.

Type: string

Default: "ombi"

Declared by:

<nixpkgs/nixos/modules/services/misc/ombi.nix>
services.omnom.enable

Whether to enable Omnom, a webpage bookmarking and snapshotting service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.package

The omnom package to use.

Type: package

Default: pkgs.omnom

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.dataDir

The directory where Omnom stores its data files.

Type: path

Default: "/var/lib/omnom"

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.group

The Omnom service group.

Type: non-empty string

Default: "omnom"

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.openFirewall

Whether to open ports in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.passwordFile

File containing the password for the SMTP user.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.port

The Omnom service port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7331

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings

Configuration options for the /etc/omnom/config.yml file.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.app.debug

Whether to enable debug mode.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.app.disable_signup

Whether to enable restricting user creation.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.app.results_per_page

Number of results per page.

Type: signed integer

Default: 20

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.db.connection

Database connection URI.

Type: string

Default:

"${config.services.omnom.dataDir}/db.sqlite3"

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.db.type

Database type.

Type: value “sqlite” (singular enum)

Default: "sqlite"

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.server.address

Server address.

Type: string

Default:

"127.0.0.1:${config.services.omnom.port}"

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.server.secure_cookie

Whether to limit cookies to a secure channel.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.smtp.connection_timeout

Connection timeout duration in seconds.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.smtp.host

SMTP server hostname.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.smtp.port

SMTP server port address.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 25

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.smtp.send_timeout

Send timeout duration in seconds.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.smtp.sender

Omnom sender e-mail.

Type: string

Default: "Omnom <omnom@127.0.0.1>"

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.smtp.tls

Whether to enable Whether TLS encryption should be used…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.smtp.tls_allow_insecure

Whether to enable Whether to allow insecure TLS…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.storage.root

Where the snapshots are saved.

Type: path

Default:

"${config.services.omnom.dataDir}/static/data"

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.settings.storage.type

Storage type.

Type: string

Default: "fs"

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.omnom.user

The Omnom service user.

Type: non-empty string

Default: "omnom"

Declared by:

<nixpkgs/nixos/modules/services/misc/omnom.nix>
services.onedrive.enable

Whether to enable OneDrive service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/onedrive.nix>
services.onedrive.package

OneDrive package to use.

Type: package

Default: pkgs.onedrive

Declared by:

<nixpkgs/nixos/modules/services/networking/onedrive.nix>
services.onlyoffice.enable

Whether to enable OnlyOffice DocumentServer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix>
services.onlyoffice.enableExampleServer

Whether to enable OnlyOffice example server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix>
services.onlyoffice.package

The onlyoffice-documentserver package to use.

Type: package

Default: pkgs.onlyoffice-documentserver

Declared by:

<nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix>
services.onlyoffice.examplePort

Port the OnlyOffice example server should listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix>
services.onlyoffice.hostname

FQDN for the OnlyOffice instance.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix>
services.onlyoffice.jwtSecretFile

Path to a file that contains the secret to sign web requests using JSON Web Tokens. If left at the default value null signing is disabled.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix>
services.onlyoffice.port

Port the OnlyOffice document server should listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix>
services.onlyoffice.postgresHost

The Postgresql hostname or socket path OnlyOffice should connect to.

Type: string

Default: "/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix>
services.onlyoffice.postgresName

The name of database OnlyOffice should use.

Type: string

Default: "onlyoffice"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix>
services.onlyoffice.postgresPasswordFile

Path to a file that contains the password OnlyOffice should use to connect to Postgresql. Unused when using socket authentication.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix>
services.onlyoffice.postgresUser

The username OnlyOffice should use to connect to Postgresql. Unused when using socket authentication.

Type: string

Default: "onlyoffice"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix>
services.onlyoffice.rabbitmqUrl

The Rabbitmq in amqp URI style OnlyOffice should connect to.

Type: string

Default: "amqp://guest:guest@localhost:5672"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/onlyoffice.nix>
services.open-web-calendar.enable

Whether to enable OpenWebCalendar service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/open-web-calendar.nix>
services.open-web-calendar.package

The open-web-calendar package to use.

Type: package

Default: pkgs.open-web-calendar

Declared by:

<nixpkgs/nixos/modules/services/web-apps/open-web-calendar.nix>
services.open-web-calendar.calendarSettings

Configure the default calendar.

See the documentation options in https://open-web-calendar.quelltext.eu/host/configure/#configuring-the-default-calendar and https://github.com/niccokunzmann/open-web-calendar/blob/master/open_web_calendar/default_specification.yml.

Individual calendar instances can be further configured outside this module, by specifying the specification_url parameter.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/open-web-calendar.nix>
services.open-web-calendar.domain

The domain under which open-web-calendar is made available

Type: string

Example: "open-web-calendar.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/open-web-calendar.nix>
services.open-web-calendar.settings

Configuration for the server. These are set as environment variables to the gunicorn/flask service.

See the documentation options in https://open-web-calendar.quelltext.eu/host/configure/#configuring-the-server.

Type: attribute set of (atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/open-web-calendar.nix>
services.open-web-calendar.settings.ALLOWED_HOSTS

The hosts that the Open Web Calendar permits. This is required to mitigate the Host Header Injection vulnerability.

We always set this to the empty list, as Nginx already checks the Host header.

Type: string (read only)

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/open-web-calendar.nix>
services.open-webui.enable

Whether to enable Open-WebUI server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/open-webui.nix>
services.open-webui.package

The open-webui package to use.

Type: package

Default: pkgs.open-webui

Declared by:

<nixpkgs/nixos/modules/services/misc/open-webui.nix>
services.open-webui.environment

Extra environment variables for Open-WebUI. For more details see https://docs.openwebui.com/getting-started/advanced-topics/env-configuration/

Type: attribute set of string

Default:

{
  ANONYMIZED_TELEMETRY = "False";
  DO_NOT_TRACK = "True";
  SCARF_NO_ANALYTICS = "True";
}

Example:

''
  {
    OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
    # Disable authentication
    WEBUI_AUTH = "False";
  }
''

Declared by:

<nixpkgs/nixos/modules/services/misc/open-webui.nix>
services.open-webui.environmentFile

Environment file to be passed to the systemd service. Useful for passing secrets to the service to prevent them from being world-readable in the Nix store.

Type: null or path

Default: null

Example: "/var/lib/secrets/openWebuiSecrets"

Declared by:

<nixpkgs/nixos/modules/services/misc/open-webui.nix>
services.open-webui.host

The host address which the Open-WebUI server HTTP interface listens to.

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/open-webui.nix>
services.open-webui.openFirewall

Whether to open the firewall for Open-WebUI. This adds services.open-webui.port to networking.firewall.allowedTCPPorts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/open-webui.nix>
services.open-webui.port

Which port the Open-WebUI server listens to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Example: 11111

Declared by:

<nixpkgs/nixos/modules/services/misc/open-webui.nix>
services.open-webui.stateDir

State directory of Open-WebUI.

Type: path

Default: "/var/lib/open-webui"

Example: "/home/foo"

Declared by:

<nixpkgs/nixos/modules/services/misc/open-webui.nix>
services.openafsClient.enable

Whether to enable the OpenAFS client.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.packages.module

OpenAFS kernel module package. MUST match the userland package!

Type: package

Default: config.boot.kernelPackages.openafs

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.packages.programs

OpenAFS programs package. MUST match the kernel module package!

Type: package

Default: getBin pkgs.openafs

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.afsdb

Resolve cells via AFSDB DNS records.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.cache.blocks

Cache size in 1KB blocks.

Type: signed integer

Default: 100000

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.cache.chunksize

Size of each cache chunk given in powers of 2. 0 resets the chunk size to its default values (13 (8 KB) for memcache, 18-20 (256 KB to 1 MB) for diskcache). Maximum value is 30. Important performance parameter. Set to higher values when dealing with large files.

Type: integer between 0 and 30 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.cache.directory

Cache directory.

Type: string

Default: "/var/cache/openafs"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.cache.diskless

Use in-memory cache for diskless machines. Has no real performance benefit anymore.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.cellName

Cell name.

Type: string

Default: ""

Example: "grand.central.org"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.cellServDB

This cell’s database server records, added to the global CellServDB. See CellServDB(5) man page for syntax. Ignored when afsdb is set to true.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    dnsname = "first.afsdb.server.dns.fqdn.org";
    ip = "1.2.3.4";
  }
  {
    dnsname = "second.afsdb.server.dns.fqdn.org";
    ip = "2.3.4.5";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.cellServDB.*.dnsname

DNS full-qualified domain name of a database server

Type: string

Default: ""

Example: "afs.example.org"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.cellServDB.*.ip

IP Address of a database server

Type: string

Default: ""

Example: "1.2.3.4"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.crypt

Whether to enable (weak) protocol encryption.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.daemons

Number of daemons to serve user requests. Numbers higher than 6 usually do no increase performance. Default is sufficient for up to five concurrent users.

Type: signed integer

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.fakestat

Return fake data on stat() calls. If true, always do so. If false, only do so for cross-cell mounts (as these are potentially expensive).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.inumcalc

Inode calculation method. compat is computationally less expensive, but md5 greatly reduces the likelihood of inode collisions in larger scenarios involving multiple cells mounted into one AFS space.

Type: string matching the pattern compat|md5

Default: "compat"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.mountPoint

Mountpoint of the AFS file tree, conventionally /afs. When set to a different value, only cross-cells that use the same value can be accessed.

Type: string

Default: "/afs"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.sparse

Minimal cell list in /afs.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsClient.startDisconnected

Start up in disconnected mode. You need to execute fs disco online (as root) to switch to connected mode. Useful for roaming devices.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/client.nix>
services.openafsServer.enable

Whether to enable the OpenAFS server. An OpenAFS server needs a complex setup. So, be aware that enabling this service and setting some options does not give you a turn-key-ready solution. You need at least a running Kerberos 5 setup, as OpenAFS relies on it for authentication. See the Guide “QuickStartUnix” coming with pkgs.openafs.doc for complete setup instructions.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.package

The openafs package to use.

Type: package

Default: pkgs.openafs

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.advertisedAddresses

List of IP addresses this server is advertised under. See NetInfo(5)

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.cellName

Cell name, this server will serve.

Type: string

Default: ""

Example: "grand.central.org"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.cellServDB

Definition of all cell-local database server machines.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.cellServDB.*.dnsname

DNS full-qualified domain name of a database server

Type: string

Default: ""

Example: "afs.example.org"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.cellServDB.*.ip

IP Address of a database server

Type: string

Default: ""

Example: "1.2.3.4"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.dottedPrincipals

If enabled, allow principal names containing (.) dots. Enabling this has security implications!

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.backup.enable

Whether to enable the backup server role. When using OpenAFS built-in buserver, use in conjunction with the database role to maintain the Backup Database. Normally only used in conjunction with tape storage or IBM’s Tivoli Storage Manager.

For a modern backup server, enable this role and see enableFabs .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.backup.enableFabs

Whether to enable FABS, the flexible AFS backup system. It stores volumes as dump files, relying on other pre-existing backup solutions for handling them .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.backup.buserverArgs

Arguments to the buserver process. See its man page.

Type: string

Default: ""

Example: "-p 8"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.backup.cellServDB

Definition of all cell-local backup database server machines. Use this when your cell uses less backup database servers than other database server machines.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.backup.cellServDB.*.dnsname

DNS full-qualified domain name of a database server

Type: string

Default: ""

Example: "afs.example.org"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.backup.cellServDB.*.ip

IP Address of a database server

Type: string

Default: ""

Example: "1.2.3.4"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.backup.fabsArgs

Arguments to the fabsys process. See fabsys_server(1) and fabsys_config(1).

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.backup.fabsExtraConfig

Additional configuration parameters for the FABS backup server.

Type: attribute set

Default: { }

Example:

{
  afs.localauth = true;
  afs.keytab = config.sops.secrets.fabsKeytab.path;
}

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.database.enable

Database server role, maintains the Volume Location Database, Protection Database (and Backup Database, see backup role). There can be multiple servers in the database role for replication, which then need reliable network connection to each other.

Servers in this role appear in AFSDB DNS records or the CellServDB.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.database.ptserverArgs

Arguments to the ptserver process. See its man page.

Type: string

Default: ""

Example: "-restricted -default_access S---- S-M---"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.database.vlserverArgs

Arguments to the vlserver process. See its man page.

Type: string

Default: ""

Example: "-rxbind"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.fileserver.enable

Fileserver role, serves files and volumes from its local storage.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.fileserver.fileserverArgs

Arguments to the dafileserver process. See its man page.

Type: string

Default: "-vattachpar 128 -vhashsize 11 -L -rxpck 400 -cb 1000000"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.fileserver.salvagerArgs

Arguments to the dasalvager process. See its man page.

Type: string

Default: ""

Example: "-showlog -showmounts"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.fileserver.salvageserverArgs

Arguments to the salvageserver process. See its man page.

Type: string

Default: ""

Example: "-showlog"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.roles.fileserver.volserverArgs

Arguments to the davolserver process. See its man page.

Type: string

Default: ""

Example: "-sync never"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openafsServer.udpPacketSize

UDP packet size to use in Bytes. Higher values can speed up communications. The default of 1 MB is a sufficient in most cases. Make sure to increase the kernel’s UDP buffer size accordingly via net.core(w|r|opt)mem_max sysctl.

Type: signed integer

Default: 1310720

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/openafs/server.nix>
services.openarena.enable

Whether to enable OpenArena game server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/openarena.nix>
services.openarena.package

The openarena package to use.

Type: package

Default: pkgs.openarena

Declared by:

<nixpkgs/nixos/modules/services/games/openarena.nix>
services.openarena.extraFlags

Extra flags to pass to oa_ded

Type: list of string

Default: [ ]

Example:

[
  "+set dedicated 2"
  "+set sv_hostname 'My NixOS OpenArena Server'"
  "+map oa_dm1"
]

Declared by:

<nixpkgs/nixos/modules/services/games/openarena.nix>
services.openarena.openPorts

Whether to open firewall ports for OpenArena

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/openarena.nix>
services.opendkim.enable

Whether to enable OpenDKIM sender authentication system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/opendkim.nix>
services.opendkim.configFile

Additional opendkim configuration as a file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/opendkim.nix>
services.opendkim.domains

Local domains set (see opendkim(8) for more information on datasets). Messages from them are signed, not verified.

Type: string

Default: "csl:${config.networking.hostName}"

Example: "csl:example.com,mydomain.net"

Declared by:

<nixpkgs/nixos/modules/services/mail/opendkim.nix>
services.opendkim.group

Group for the daemon.

Type: string

Default: "opendkim"

Declared by:

<nixpkgs/nixos/modules/services/mail/opendkim.nix>
services.opendkim.keyPath

The path that opendkim should put its generated private keys into. The DNS settings will be found in this directory with the name selector.txt.

Type: path

Default: "/var/lib/opendkim/keys"

Declared by:

<nixpkgs/nixos/modules/services/mail/opendkim.nix>
services.opendkim.selector

Selector to use when signing.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/mail/opendkim.nix>
services.opendkim.settings

Additional opendkim configuration

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/opendkim.nix>
services.opendkim.socket

Socket which is used for communication with OpenDKIM.

Type: string

Default: "local:/run/opendkim/opendkim.sock"

Declared by:

<nixpkgs/nixos/modules/services/mail/opendkim.nix>
services.opendkim.user

User for the daemon.

Type: string

Default: "opendkim"

Declared by:

<nixpkgs/nixos/modules/services/mail/opendkim.nix>
services.opengfw.enable

Whether to enable OpenGFW, A flexible, easy-to-use, open source implementation of GFW on Linux .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.package

The opengfw package to use.

Type: package

Default: pkgs.opengfw

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.dir

Working directory of the OpenGFW service and home of opengfw.user.

Type: (optionally newline-terminated) single-line string

Default: "/var/lib/opengfw"

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.logFile

File to write the output to instead of systemd.

Type: null or path

Default: null

Example: "/var/lib/opengfw/opengfw.log"

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.logFormat

Format of the logs. logFormatMap

Type: one of “json”, “console”

Default: "json"

Example: "console"

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.logLevel

Level of the logs. logLevelMap

Type: one of “debug”, “info”, “warn”, “error”

Default: "info"

Example: "warn"

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.pcapReplay

Path to PCAP replay file. In pcap mode, none of the actions in the rules have any effect. This mode is mainly for debugging.

Type: null or path

Default: null

Example: "./opengfw.pcap"

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.rules

Rules passed to OpenGFW. Example rules

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    action = "block";
    expr = "string(http?.req?.headers?.host) endsWith \"v2ex.com\"";
    name = "block v2ex http";
  }
  {
    action = "block";
    expr = "string(socks?.req?.addr) endsWith \"google.com\" && socks?.req?.port == 80";
    name = "block google socks";
  }
  {
    action = "modify";
    expr = "dns != nil && dns.qr && any(dns.questions, {.name endsWith \"v2ex.com\"})";
    modifier = {
      args = {
        a = "0.0.0.0";
        aaaa = "::";
      };
      name = "dns";
    };
    name = "v2ex dns poisoning";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.rules.*.action

Action of the rule. Supported actions

Type: one of “allow”, “block”, “drop”, “modify”

Default: "allow"

Example: "block"

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.rules.*.expr

Expr Language expression using analyzers and functions.

Type: string

Example: "dns != nil && dns.qr && any(dns.questions, {.name endsWith \"google.com\"})"

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.rules.*.log

Whether to enable logging for the rule.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.rules.*.modifier

Modification of specified packets when using the modify action. Available modifiers

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.rules.*.modifier.args

Arguments passed to the modifier.

Type: attribute set

Example:

{
  a = "0.0.0.0";
  aaaa = "::";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.rules.*.modifier.name

Name of the modifier.

Type: (optionally newline-terminated) single-line string

Example: "dns"

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.rules.*.name

Name of the rule.

Type: (optionally newline-terminated) single-line string

Example: "block google dns"

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.rulesFile

Path to file containing OpenGFW rules.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings

Settings passed to OpenGFW. Example config

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.io

IO settings.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.io.local

Set to false if you want to run OpenGFW on FORWARD chain. (e.g. on a router)

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.io.queueSize

IO queue size.

Type: signed integer

Default: 1024

Example: 2048

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.io.rcvBuf

Netlink receive buffer size.

Type: signed integer

Default: 4194304

Example: 2097152

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.io.rst

Set to true if you want to send RST for blocked TCP connections, needs local = false.

Type: boolean

Default: "`!config.services.opengfw.settings.io.local`"

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.io.sndBuf

Netlink send buffer size.

Type: signed integer

Default: 4194304

Example: 2097152

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.replay

PCAP replay settings.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.replay.realtime

Whether the packets in the PCAP file should be replayed in “real time” (instead of as fast as possible).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.ruleset

The path to load specific local geoip/geosite db files. If not set, they will be automatically downloaded from (Loyalsoldier/v2ray-rules-dat)[https://github.com/Loyalsoldier/v2ray-rules-dat].

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.ruleset.geoip

Path to geoip.dat.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.ruleset.geosite

Path to geosite.dat.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.workers

Worker settings.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.workers.count

Number of workers. Recommended to be no more than the number of CPU cores

Type: signed integer

Default: 4

Example: 8

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.workers.queueSize

Worker queue size.

Type: signed integer

Default: 16

Example: 32

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.workers.tcpMaxBufferedPagesPerConn

TCP max total bufferd pages per connection.

Type: signed integer

Default: 64

Example: 128

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.workers.tcpMaxBufferedPagesTotal

TCP max total buffered pages.

Type: signed integer

Default: 4096

Example: 8192

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.workers.tcpTimeout

How long a connection is considered dead when no data is being transferred. Dead connections are purged from TCP reassembly pools once per minute.

Type: string

Default: "10m"

Example: "5m"

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settings.workers.udpMaxStreams

UDP max streams.

Type: signed integer

Default: 4096

Example: 8192

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.settingsFile

Path to file containing OpenGFW settings.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.opengfw.user

Username of the OpenGFW user.

Type: (optionally newline-terminated) single-line string

Default: "opengfw"

Declared by:

<nixpkgs/nixos/modules/services/networking/opengfw.nix>
services.openiscsi.enable

Whether to enable the openiscsi iscsi daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/initiator.nix>
services.openiscsi.enableAutoLoginOut

Whether to enable automatic login and logout of all automatic targets. You probably do not want this .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/initiator.nix>
services.openiscsi.package

The openiscsi package to use.

Type: package

Default: pkgs.openiscsi

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/initiator.nix>
services.openiscsi.discoverPortal

Portal to discover targets on

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/initiator.nix>
services.openiscsi.extraConfig

Lines to append to default iscsid.conf

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/initiator.nix>
services.openiscsi.extraConfigFile

Append an additional file’s contents to /etc/iscsid.conf. Use a non-store path and store passwords in this file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/initiator.nix>
services.openiscsi.name

Name of this iscsi initiator

Type: string

Example: "iqn.2020-08.org.linux-iscsi.initiatorhost:example"

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/initiator.nix>
services.openldap.enable

Whether to enable the ldap server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/openldap.nix>
services.openldap.package

The openldap package to use. This can be used to, for example, set an OpenLDAP package with custom overrides to enable modules or other functionality.

Type: package

Default: pkgs.openldap

Declared by:

<nixpkgs/nixos/modules/services/databases/openldap.nix>
services.openldap.configDir

Use this config directory instead of generating one from the settings option. Overrides all NixOS settings.

Type: null or path

Default: null

Example: "/var/lib/openldap/slapd.d"

Declared by:

<nixpkgs/nixos/modules/services/databases/openldap.nix>
services.openldap.declarativeContents

Declarative contents for the LDAP database, in LDIF format by suffix.

All data will be erased when starting the LDAP server. Modifications to the database are not prevented, they are just dropped on the next reboot of the server. Performance-wise the database and indexes are rebuilt on each server startup, so this will slow down server startup, especially with large databases.

Note that the root of the DB must be defined in services.openldap.settings and the olcDbDirectory must begin with "/var/lib/openldap".

Type: attribute set of strings concatenated with “\n”

Default: { }

Example:

{
  "dc=example,dc=org" = ''
    dn= dn: dc=example,dc=org
    objectClass: domain
    dc: example

    dn: ou=users,dc=example,dc=org
    objectClass = organizationalUnit
    ou: users

    # ...
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/databases/openldap.nix>
services.openldap.group

Group account under which slapd runs.

Type: string

Default: "openldap"

Declared by:

<nixpkgs/nixos/modules/services/databases/openldap.nix>
services.openldap.mutableConfig

Whether to allow writable on-line configuration. If true, the NixOS settings will only be used to initialize the OpenLDAP configuration if it does not exist, and are subsequently ignored.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/openldap.nix>
services.openldap.settings

Configuration for OpenLDAP, in OLC format

Type: submodule

Example:

{
  attrs.olcLogLevel = [ "stats" ];
  children = {
    "cn=schema".includes = [
       "${pkgs.openldap}/etc/schema/core.ldif"
       "${pkgs.openldap}/etc/schema/cosine.ldif"
       "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
    ];
    "olcDatabase={-1}frontend" = {
      attrs = {
        objectClass = "olcDatabaseConfig";
        olcDatabase = "{-1}frontend";
        olcAccess = [ "{0}to * by dn.exact=uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth manage stop by * none stop" ];
      };
    };
    "olcDatabase={0}config" = {
      attrs = {
        objectClass = "olcDatabaseConfig";
        olcDatabase = "{0}config";
        olcAccess = [ "{0}to * by * none break" ];
      };
    };
    "olcDatabase={1}mdb" = {
      attrs = {
        objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
        olcDatabase = "{1}mdb";
        olcDbDirectory = "/var/lib/openldap/ldap";
        olcDbIndex = [
          "objectClass eq"
          "cn pres,eq"
          "uid pres,eq"
          "sn pres,eq,subany"
        ];
        olcSuffix = "dc=example,dc=com";
        olcAccess = [ "{0}to * by * read break" ];
      };
    };
  };
};

Declared by:

<nixpkgs/nixos/modules/services/databases/openldap.nix>
services.openldap.settings.attrs

Attributes of the parent entry.

Type: attribute set of ((LDAP value - either a string, or an attrset containing `path` or `base64` for included values or base-64 encoded values respectively. ) or list of (LDAP value - either a string, or an attrset containing `path` or `base64` for included values or base-64 encoded values respectively. ))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/databases/openldap.nix>
services.openldap.settings.children

Child entries of the current entry, with recursively the same structure.

Type: attribute set of (submodule)

Default: { }

Example:

{
    "cn=schema" = {
    # The attribute used in the DN must be defined
    attrs = { cn = "schema"; };
    children = {
        # This entry's DN is expanded to "cn=foo,cn=schema"
        "cn=foo" = { ... };
    };
    # These includes are inserted after "cn=schema", but before "cn=foo,cn=schema"
    includes = [ ... ];
    };
}

Declared by:

<nixpkgs/nixos/modules/services/databases/openldap.nix>
services.openldap.settings.includes

LDIF files to include after the parent’s attributes but before its children.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/databases/openldap.nix>
services.openldap.urlList

URL list slapd should listen on.

Type: list of string

Default:

[
  "ldap:///"
]

Example:

[
  "ldaps:///"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/openldap.nix>
services.openldap.user

User account under which slapd runs.

Type: string

Default: "openldap"

Declared by:

<nixpkgs/nixos/modules/services/databases/openldap.nix>
services.openntpd.enable

Whether to enable OpenNTP time synchronization server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix>
services.openntpd.extraConfig

Additional text appended to openntpd.conf.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  listen on 127.0.0.1
  listen on ::1
''

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix>
services.openntpd.extraOptions

Extra options used when launching openntpd.

Type: strings concatenated with " "

Default: ""

Example: "-s"

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix>
services.openntpd.servers

The set of NTP servers from which to synchronise.

Type: list of string

Default: config.services.ntp.servers

Declared by:

<nixpkgs/nixos/modules/services/networking/ntp/openntpd.nix>
services.opensearch.enable

Whether to enable OpenSearch.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.package

The OpenSearch package to use.

Type: package

Default: pkgs.opensearch

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.dataDir

Data directory for OpenSearch. If you change this, you need to manually create the directory. You also need to create the opensearch user and group, or change services.opensearch.user and services.opensearch.group to existing ones with access to the directory.

Type: path

Default: "/var/lib/opensearch"

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.extraCmdLineOptions

Extra command line options for the OpenSearch launcher.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.extraJavaOptions

Extra command line options for Java.

Type: list of string

Default: [ ]

Example:

[
  "-Djava.net.preferIPv4Stack=true"
]

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.group

The group OpenSearch runs as. Should be left at default unless you have very specific needs.

Type: string

Default: "opensearch"

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.logging

opensearch logging configuration.

Type: string

Default:

''
  logger.action.name = org.opensearch.action
  logger.action.level = info
  
  appender.console.type = Console
  appender.console.name = console
  appender.console.layout.type = PatternLayout
  appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n
  
  rootLogger.level = info
  rootLogger.appenderRef.console.ref = console
''

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on a server or cluster. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.settings

OpenSearch configuration.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.settings."cluster.name"

The name of the cluster.

Type: string

Default: "opensearch"

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.settings."discovery.type"

The type of discovery to use.

Type: string

Default: "single-node"

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.settings."http.port"

The port to listen on for HTTP traffic.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9200

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.settings."network.host"

Which port this service should listen on.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.settings."plugins.security.disabled"

Whether to enable the security plugin, plugins.security.ssl.transport.keystore_filepath or plugins.security.ssl.transport.server.pemcert_filepath and plugins.security.ssl.transport.client.pemcert_filepath must be set for this plugin to be enabled.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.settings."transport.port"

The port to listen on for transport traffic.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9300

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensearch.user

The user OpenSearch runs as. Should be left at default unless you have very specific needs.

Type: string

Default: "opensearch"

Declared by:

<nixpkgs/nixos/modules/services/search/opensearch.nix>
services.opensmtpd.enable

Whether to enable the OpenSMTPD server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/opensmtpd.nix>
services.opensmtpd.package

The opensmtpd package to use.

Type: package

Default: pkgs.opensmtpd

Declared by:

<nixpkgs/nixos/modules/services/mail/opensmtpd.nix>
services.opensmtpd.extraServerArgs

Extra command line arguments provided when the smtpd process is started.

Type: list of string

Default: [ ]

Example:

[
  "-v"
  "-P mta"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/opensmtpd.nix>
services.opensmtpd.procPackages

Packages to search for filters, tables, queues, and schedulers.

Add OpenSMTPD-extras here if you want to use the filters, etc. from that package.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/opensmtpd.nix>
services.opensmtpd.serverConfiguration

The contents of the smtpd.conf configuration file. See the OpenSMTPD documentation for syntax information.

Type: strings concatenated with “\n”

Example:

''
  listen on lo
  accept for any deliver to lmtp localhost:24
''

Declared by:

<nixpkgs/nixos/modules/services/mail/opensmtpd.nix>
services.opensmtpd.setSendmail

Whether to set the system sendmail to OpenSMTPD’s.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/opensmtpd.nix>
services.opensnitch.enable

Whether to enable Opensnitch application firewall.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.opensnitch.rules

Declarative configuration of firewall rules. All rules will be stored in /var/lib/opensnitch/rules by default. Rules path can be configured with settings.Rules.Path. See upstream documentation for available options.

Type: JSON value

Default: { }

Example:

{
  "tor" = {
    "name" = "tor";
    "enabled" = true;
    "action" = "allow";
    "duration" = "always";
    "operator" = {
      "type" ="simple";
      "sensitive" = false;
      "operand" = "process.path";
      "data" = "${lib.getBin pkgs.tor}/bin/tor";
    };
  };
};

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.opensnitch.settings

opensnitchd configuration. Refer to upstream documentation for details on supported values.

Type: JSON value

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.opensnitch.settings.DefaultAction

Default action whether to block or allow application internet access.

Type: one of “allow”, “deny”

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.opensnitch.settings.Ebpf.ModulesPath

Configure eBPF modules path. Used when settings.ProcMonitorMethod is set to ebpf.

Type: path

Default:

if cfg.settings.ProcMonitorMethod == "ebpf" then
  "\\$\\{config.boot.kernelPackages.opensnitch-ebpf\\}/etc/opensnitchd"
else null;

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.opensnitch.settings.Firewall

Which firewall backend to use.

Type: one of “iptables”, “nftables”

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.opensnitch.settings.InterceptUnknown

Whether to intercept spare connections.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.opensnitch.settings.LogLevel

Default log level from 0 to 4 (debug, info, important, warning, error).

Type: one of 0, 1, 2, 3, 4

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.opensnitch.settings.ProcMonitorMethod

Which process monitoring method to use.

Type: one of “ebpf”, “proc”, “ftrace”, “audit”

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.opensnitch.settings.Rules.Path

Path to the directory where firewall rules can be found and will get stored by the NixOS module.

Type: path

Default: "/var/lib/opensnitch/rules"

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.opensnitch.settings.Server.Address

Unix socket path (unix:///tmp/osui.sock, the “unix:///” part is mandatory) or TCP socket (192.168.1.100:50051).

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.opensnitch.settings.Server.LogFile

File to write logs to (use /dev/stdout to write logs to standard output).

Type: path

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.opensnitch.settings.Stats.MaxEvents

Max events to send to the GUI.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.opensnitch.settings.Stats.MaxStats

Max stats per item to keep in backlog.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/security/opensnitch.nix>
services.openssh.enable

Whether to enable the OpenSSH secure shell daemon, which allows secure remote logins.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.package

OpenSSH package to use for sshd.

Type: package

Default: programs.ssh.package

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.allowSFTP

Whether to enable the SFTP subsystem in the SSH daemon. This enables the use of commands such as sftp and sshfs.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.authorizedKeysCommand

Specifies a program to be used to look up the user’s public keys. The program must be owned by root, not writable by group or others and specified by an absolute path.

Type: string

Default: "none"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.authorizedKeysCommandUser

Specifies the user under whose account the AuthorizedKeysCommand is run. It is recommended to use a dedicated user that has no other role on the host than running authorized keys commands.

Type: string

Default: "nobody"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.authorizedKeysFiles

Specify the rules for which files to read on the host.

This is an advanced option. If you’re looking to configure user keys, you can generally use users.users.<name>.openssh.authorizedKeys.keys or users.users.<name>.openssh.authorizedKeys.keyFiles.

These are paths relative to the host root file system or home directories and they are subject to certain token expansion rules. See AuthorizedKeysFile in man sshd_config for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.authorizedKeysInHomedir

Enables the use of the ~/.ssh/authorized_keys file.

Otherwise, the only files trusted by default are those in /etc/ssh/authorized_keys.d, i.e. SSH keys from users.users.<name>.openssh.authorizedKeys.keys.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.banner

Message to display to the remote user before authentication is allowed.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.extraConfig

Verbatim contents of sshd_config.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.hostKeys

NixOS can automatically generate SSH host keys. This option specifies the path, type and size of each key. See ssh-keygen(1) for supported types and sizes.

Type: list of (attribute set)

Default:

[
  {
    bits = 4096;
    path = "/etc/ssh/ssh_host_rsa_key";
    type = "rsa";
  }
  {
    path = "/etc/ssh/ssh_host_ed25519_key";
    type = "ed25519";
  }
]

Example:

[
  {
    bits = 4096;
    openSSHFormat = true;
    path = "/etc/ssh/ssh_host_rsa_key";
    rounds = 100;
    type = "rsa";
  }
  {
    comment = "key comment";
    path = "/etc/ssh/ssh_host_ed25519_key";
    rounds = 100;
    type = "ed25519";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.knownHosts

Alias of programs.ssh.knownHosts.

Type: attribute set of (submodule)

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.knownHosts.<name>.certAuthority

This public key is an SSH certificate authority, rather than an individual host’s key.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
services.openssh.knownHosts.<name>.extraHostNames

A list of additional host names and/or IP numbers used for accessing the host’s ssh service. This list is ignored if hostNames is set explicitly.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
services.openssh.knownHosts.<name>.hostNames

A list of host names and/or IP numbers used for accessing the host’s ssh service. This list includes the name of the containing knownHosts attribute by default for convenience. If you wish to configure multiple host keys for the same host use multiple knownHosts entries with different attribute names and the same hostNames list.

Type: list of string

Default: [ ‹name› ] ++ config.services.openssh.knownHosts.<name>.extraHostNames

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
services.openssh.knownHosts.<name>.publicKey

The public key data for the host. You can fetch a public key from a running SSH server with the ssh-keyscan command. The public key should not include any host names, only the key type and the key itself.

Type: null or string

Default: null

Example: "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
services.openssh.knownHosts.<name>.publicKeyFile

The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. You can fetch a public key file from a running SSH server with the ssh-keyscan command. The content of the file should follow the same format as described for the publicKey option. Only a single key is supported. If a host has multiple keys, use programs.ssh.knownHostsFiles instead.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/programs/ssh.nix>
services.openssh.listenAddresses

List of addresses and ports to listen on (ListenAddress directive in config). If port is not specified for address sshd will listen on all ports specified by ports option. NOTE: this will override default listening on all local addresses and port 22. NOTE: setting this option won’t automatically enable given ports in firewall configuration.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "192.168.3.1";
    port = 22;
  }
  {
    addr = "0.0.0.0";
    port = 64022;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.listenAddresses.*.addr

Host, IPv4 or IPv6 address to listen to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.listenAddresses.*.port

Port to listen to.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.moduliFile

Path to moduli file to install in /etc/ssh/moduli. If this option is unset, then the moduli file shipped with OpenSSH will be used.

Type: path

Example: "/etc/my-local-ssh-moduli;"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.openFirewall

Whether to automatically open the specified ports in the firewall.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.ports

Specifies on which ports the SSH daemon listens.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

[
  22
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings

Configuration for sshd_config(5).

Type: attribute set of (atom (null, bool, int, float or string))

Default: { }

Example:

{
  UseDns = true;
  PasswordAuthentication = false;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.AllowGroups

If specified, login is allowed only for users part of the listed groups. See sshd_config(5) for details.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.AllowUsers

If specified, login is allowed only for the listed users. See sshd_config(5) for details.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.AuthorizedPrincipalsFile

Specifies a file that lists principal names that are accepted for certificate authentication. The default is "none", i.e. not to use a principals file.

Type: null or string

Default: "none"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.Ciphers

Allowed ciphers

Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Type: null or (list of string)

Default:

[
  "chacha20-poly1305@openssh.com"
  "aes256-gcm@openssh.com"
  "aes128-gcm@openssh.com"
  "aes256-ctr"
  "aes192-ctr"
  "aes128-ctr"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.DenyGroups

If specified, login is denied for all users part of the listed groups. Takes precedence over services.openssh.settings.AllowGroups. See sshd_config(5) for details.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.DenyUsers

If specified, login is denied for all listed users. Takes precedence over services.openssh.settings.AllowUsers. See sshd_config(5) for details.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.GatewayPorts

Specifies whether remote hosts are allowed to connect to ports forwarded for the client. See sshd_config(5).

Type: null or string

Default: "no"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.KbdInteractiveAuthentication

Specifies whether keyboard-interactive authentication is allowed.

Type: null or boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.KexAlgorithms

Allowed key exchange algorithms

Uses the lower bound recommended in both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Type: null or (list of string)

Default:

[
  "sntrup761x25519-sha512@openssh.com"
  "curve25519-sha256"
  "curve25519-sha256@libssh.org"
  "diffie-hellman-group-exchange-sha256"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.LogLevel

Gives the verbosity level that is used when logging messages from sshd(8). Logging with a DEBUG level violates the privacy of users and is not recommended.

Type: null or one of “QUIET”, “FATAL”, “ERROR”, “INFO”, “VERBOSE”, “DEBUG”, “DEBUG1”, “DEBUG2”, “DEBUG3”

Default: "INFO"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.Macs

Allowed MACs

Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Type: null or (list of string)

Default:

[
  "hmac-sha2-512-etm@openssh.com"
  "hmac-sha2-256-etm@openssh.com"
  "umac-128-etm@openssh.com"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.PasswordAuthentication

Specifies whether password authentication is allowed.

Type: null or boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.PermitRootLogin

Whether the root user can login using ssh.

Type: null or one of “yes”, “without-password”, “prohibit-password”, “forced-commands-only”, “no”

Default: "prohibit-password"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.PrintMotd

Whether to enable printing /etc/motd when a user logs in interactively.

Type: null or boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.StrictModes

Whether sshd should check file modes and ownership of directories

Type: null or boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.UseDns

Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. If this option is set to no (the default) then only addresses and not host names may be used in ~/.ssh/authorized_keys from and sshd_config Match Host directives.

Type: null or boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.UsePAM

Whether to enable PAM authentication.

Type: null or boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.settings.X11Forwarding

Whether to allow X11 connections to be forwarded.

Type: null or boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.sftpFlags

Commandline flags to add to sftp-server.

Type: list of string

Default: [ ]

Example:

[
  "-f AUTHPRIV"
  "-l INFO"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.sftpServerExecutable

The sftp server executable. Can be a path or “internal-sftp” to use the sftp server built into the sshd binary.

Type: string

Example: "internal-sftp"

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.openssh.startWhenNeeded

If set, sshd is socket-activated; that is, instead of having it permanently running as a daemon, systemd will start an instance for each incoming connection.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.opentelemetry-collector.enable

Whether to enable Opentelemetry Collector.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/opentelemetry-collector.nix>
services.opentelemetry-collector.package

The opentelemetry-collector package to use.

Type: package

Default: pkgs.opentelemetry-collector

Declared by:

<nixpkgs/nixos/modules/services/monitoring/opentelemetry-collector.nix>
services.opentelemetry-collector.configFile

Specify a path to a configuration file that Opentelemetry Collector should use.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/opentelemetry-collector.nix>
services.opentelemetry-collector.settings

Specify the configuration for Opentelemetry Collector in Nix.

See https://opentelemetry.io/docs/collector/configuration/ for available options.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/opentelemetry-collector.nix>
services.opentracker.enable

Whether to enable opentracker.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/opentracker.nix>
services.opentracker.package

The opentracker package to use.

Type: package

Default: pkgs.opentracker

Declared by:

<nixpkgs/nixos/modules/services/torrent/opentracker.nix>
services.opentracker.extraOptions

Configuration Arguments for opentracker See https://erdgeist.org/arts/software/opentracker/ for all params

Type: strings concatenated with " "

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/torrent/opentracker.nix>
services.opentsdb.enable

Whether to enable OpenTSDB.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/opentsdb.nix>
services.opentsdb.package

The opentsdb package to use.

Type: package

Default: pkgs.opentsdb

Declared by:

<nixpkgs/nixos/modules/services/databases/opentsdb.nix>
services.opentsdb.config

The contents of OpenTSDB’s configuration file

Type: strings concatenated with “\n”

Default:

''
  tsd.core.auto_create_metrics = true
  tsd.http.request.enable_chunked  = true
''

Declared by:

<nixpkgs/nixos/modules/services/databases/opentsdb.nix>
services.opentsdb.group

Group account under which OpenTSDB runs.

Type: string

Default: "opentsdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/opentsdb.nix>
services.opentsdb.port

Which port OpenTSDB listens on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4242

Declared by:

<nixpkgs/nixos/modules/services/databases/opentsdb.nix>
services.opentsdb.user

User account under which OpenTSDB runs.

Type: string

Default: "opentsdb"

Declared by:

<nixpkgs/nixos/modules/services/databases/opentsdb.nix>
services.openvpn.restartAfterSleep

Whether OpenVPN client should be restarted after sleep.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/openvpn.nix>
services.openvpn.servers

Each attribute of this option defines a systemd service that runs an OpenVPN instance. These can be OpenVPN servers or clients. The name of each systemd service is openvpn-«name».service, where «name» is the corresponding attribute name.

Type: attribute set of (submodule)

Default: { }

Example:

{
  server = {
    config = ''
      # Simplest server configuration: https://community.openvpn.net/openvpn/wiki/StaticKeyMiniHowto
      # server :
      dev tun
      ifconfig 10.8.0.1 10.8.0.2
      secret /root/static.key
    '';
    up = "ip route add ...";
    down = "ip route del ...";
  };

  client = {
    config = ''
      client
      remote vpn.example.org
      dev tun
      proto tcp-client
      port 8080
      ca /root/.vpn/ca.crt
      cert /root/.vpn/alice.crt
      key /root/.vpn/alice.key
    '';
    up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
    down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/openvpn.nix>
services.openvpn.servers.<name>.authUserPass

This option can be used to store the username / password credentials with the “auth-user-pass” authentication method.

WARNING: Using this option will put the credentials WORLD-READABLE in the Nix store!

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/openvpn.nix>
services.openvpn.servers.<name>.authUserPass.password

The password to store inside the credentials file.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/openvpn.nix>
services.openvpn.servers.<name>.authUserPass.username

The username to store inside the credentials file.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/openvpn.nix>
services.openvpn.servers.<name>.autoStart

Whether this OpenVPN instance should be started automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/openvpn.nix>
services.openvpn.servers.<name>.config

Configuration of this OpenVPN instance. See openvpn(8) for details.

To import an external config file, use the following definition: config = "config /path/to/config.ovpn"

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/networking/openvpn.nix>
services.openvpn.servers.<name>.down

Shell commands executed when the instance is shutting down.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/openvpn.nix>
services.openvpn.servers.<name>.up

Shell commands executed when the instance is starting.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/openvpn.nix>
services.openvpn.servers.<name>.updateResolvConf

Use the script from the update-resolv-conf package to automatically update resolv.conf with the DNS information provided by openvpn. The script will be run after the “up” commands and before the “down” commands.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/openvpn.nix>
services.openvscode-server.enable

Whether to enable openvscode-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.package

The openvscode-server package to use.

Type: package

Default: pkgs.openvscode-server

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.connectionToken

A secret that must be included with all requests.

Type: null or string

Default: null

Example: "secret-token"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.connectionTokenFile

Path to a file that contains the connection token.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.extensionsDir

Set the root path for extensions.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.extraArguments

Additional arguments to pass to openvscode-server.

Type: list of string

Default: [ ]

Example: [ "--log=info" ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.extraEnvironment

Additional environment variables to pass to openvscode-server.

Type: attribute set of string

Default: { }

Example:

{
  PKG_CONFIG_PATH = "/run/current-system/sw/lib/pkgconfig";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.extraGroups

An array of additional groups for the openvscode-server user.

Type: list of string

Default: [ ]

Example:

[
  "docker"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.extraPackages

Additional packages to add to the openvscode-server PATH.

Type: list of package

Default: [ ]

Example: [ pkgs.go ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.group

The group to run openvscode-server under. By default, a group named openvscode-server will be created.

Type: string

Default: "openvscode-server"

Example: "yourGroup"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.host

The host name or IP address the server should listen to.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.port

The port the server should listen to. If 0 is passed a random free port is picked. If a range in the format num-num is passed, a free port from the range (end inclusive) is selected.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.serverDataDir

Specifies the directory that server data is kept in.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.socketPath

The path to a socket file for the server to listen to.

Type: null or string

Default: null

Example: "/run/openvscode/socket"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.telemetryLevel

Sets the initial telemetry level. Valid levels are: ‘off’, ‘crash’, ‘error’ and ‘all’.

Type: null or one of “off”, “crash”, “error”, “all”

Default: null

Example: "crash"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.user

The user to run openvscode-server as. By default, a user named openvscode-server will be created.

Type: string

Default: "openvscode-server"

Example: "yourUser"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.userDataDir

Specifies the directory that user data is kept in. Can be used to open multiple distinct instances of Code.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openvscode-server.withoutConnectionToken

Run without a connection token. Only use this if the connection is secured by other means.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openvscode-server.nix>
services.openwebrx.enable

Whether to enable OpenWebRX Web interface for Software-Defined Radios on http://localhost:8073.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openwebrx.nix>
services.openwebrx.package

The openwebrx package to use.

Type: package

Default: pkgs.openwebrx

Declared by:

<nixpkgs/nixos/modules/services/web-apps/openwebrx.nix>
services.orangefs.client.enable

Whether to enable OrangeFS client daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/client.nix>
services.orangefs.client.extraOptions

Extra command line options for pvfs2-client.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/client.nix>
services.orangefs.client.fileSystems

The orangefs file systems to be mounted. This option is preferred over using fileSystems directly since the pvfs client service needs to be running for it to be mounted.

Type: list of (submodule)

Example:

[
  {
    mountPoint = "/orangefs";
    target = "tcp://server:3334/orangefs";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/client.nix>
services.orangefs.client.fileSystems.*.mountPoint

Mount point.

Type: string

Default: "/orangefs"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/client.nix>
services.orangefs.client.fileSystems.*.options

Mount options

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/client.nix>
services.orangefs.client.fileSystems.*.target

Target URL

Type: string

Example: "tcp://server:3334/orangefs"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/client.nix>
services.orangefs.server.enable

Whether to enable OrangeFS server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.BMIModules

List of BMI modules to load.

Type: list of string

Default:

[
  "bmi_tcp"
]

Example:

[
  "bmi_tcp"
  "bmi_ib"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.dataStorageSpace

Directory for data storage.

Type: null or string

Default: null

Example: "/data/storage"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.extraConfig

Extra config for the global section.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.extraDefaults

Extra config for <Defaults> section.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.fileSystems

These options will create the <FileSystem> sections of config file.

Type: attribute set of (submodule)

Default:

{
  orangefs = { };
}

Example:

{
  fs1 = {
    id = 101;
  };

  fs2 = {
    id = 102;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.fileSystems.<name>.extraConfig

Extra config for <FileSystem> section.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.fileSystems.<name>.extraStorageHints

Extra config for <StorageHints> section.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.fileSystems.<name>.id

File system ID (must be unique within configuration).

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.fileSystems.<name>.rootHandle

File system root ID.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.fileSystems.<name>.troveSyncData

Sync data.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.fileSystems.<name>.troveSyncMeta

Sync meta data.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.logType

Destination for log messages.

Type: one of “file”, “syslog”

Default: "syslog"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.metadataStorageSpace

Directory for meta data storage.

Type: null or string

Default: null

Example: "/data/meta"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orangefs.server.servers

URLs for storage server including port. The attribute names define the server alias.

Type: attribute set of string

Default: { }

Example:

{
  node1 = "tcp://node1:3334";
  node2 = "tcp://node2:3334";
}

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/orangefs/server.nix>
services.orca.enable

Whether to enable Orca screen reader.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/accessibility/orca.nix>
services.orca.package

The orca package to use.

Type: package

Default: pkgs.orca

Declared by:

<nixpkgs/nixos/modules/services/accessibility/orca.nix>
services.osquery.enable

Whether to enable osqueryd daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/osquery.nix>
services.osquery.flags

Attribute set of flag names and values to be written to the osqueryd flagfile. For more information, refer to https://osquery.readthedocs.io/en/stable/installation/cli-flags.

Type: attribute set of string

Default: { }

Example:

{
  config_refresh = "10";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/osquery.nix>
services.osquery.flags.database_path

Path used for the database file.

Type: path (read only)

Default: "/var/lib/osquery/osquery.db"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/osquery.nix>
services.osquery.flags.logger_path

Base directory used for logging.

Type: path (read only)

Default: "/var/log/osquery"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/osquery.nix>
services.osquery.flags.pidfile

Path used for pid file.

Type: path (read only)

Default: "/run/osquery/osqueryd.pid"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/osquery.nix>
services.osquery.settings

Configuration to be written to the osqueryd JSON configuration file. To understand the configuration format, refer to https://osquery.readthedocs.io/en/stable/deployment/configuration/#configuration-components.

Type: attribute set

Default: { }

Example:

{
  options = {
    utc = false;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/osquery.nix>
services.osrm.enable

Enable the OSRM service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/osrm.nix>
services.osrm.address

IP address on which the web server will listen.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/osrm.nix>
services.osrm.algorithm

Algorithm to use for the data. Must be one of CH, CoreCH, MLD

Type: one of “CH”, “CoreCH”, “MLD”

Default: "MLD"

Declared by:

<nixpkgs/nixos/modules/services/misc/osrm.nix>
services.osrm.dataFile

Data file location

Type: path

Example: "/var/lib/osrm/berlin-latest.osrm"

Declared by:

<nixpkgs/nixos/modules/services/misc/osrm.nix>
services.osrm.extraFlags

Extra command line arguments passed to osrm-routed

Type: list of string

Default: [ ]

Example:

[
  "--max-table-size 1000"
  "--max-matching-size 1000"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/osrm.nix>
services.osrm.port

Port on which the web server will run.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/misc/osrm.nix>
services.osrm.threads

Number of threads to use.

Type: signed integer

Default: 4

Declared by:

<nixpkgs/nixos/modules/services/misc/osrm.nix>
services.ostinato.enable

Whether to enable Ostinato agent-controller (Drone).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/ostinato.nix>
services.ostinato.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7878

Declared by:

<nixpkgs/nixos/modules/services/networking/ostinato.nix>
services.ostinato.portList.exclude

A list of ports does not appear on the port list managed by drone.

Type: list of string

Default: [ ]

Example:

[
  "usbmon*"
  "eth0"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ostinato.nix>
services.ostinato.portList.include

For a port to pass the filter and appear on the port list managed by drone, it be allowed by this include list.

Type: list of string

Default: [ ]

Example:

[
  "eth*"
  "lo*"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ostinato.nix>
services.ostinato.rateAccuracy

To ensure that the actual transmit rate is as close as possible to the configured transmit rate, Drone runs a busy-wait loop. While this provides the maximum accuracy possible, the CPU utilization is 100% while the transmit is on. You can however, sacrifice the accuracy to reduce the CPU load.

Type: one of “High”, “Low”

Default: "High"

Declared by:

<nixpkgs/nixos/modules/services/networking/ostinato.nix>
services.ostinato.rpcServer.address

By default, the Drone RPC server will listen on all interfaces and local IPv4 addresses for incoming connections from clients. Specify a single IPv4 or IPv6 address if you want to restrict that. To listen on any IPv6 address, use ::

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/ostinato.nix>
services.outline.enable

Whether to enable outline.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.enableUpdateCheck

Have the installation check for updates by sending anonymized statistics to the maintainers.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.package

Outline package to use.

Type: package

Default: pkgs.outline

Example:

pkgs.outline.overrideAttrs (super: {
  # Ignore the domain part in emails that come from OIDC. This is might
  # be helpful if you want multiple users with different email providers
  # to still land in the same team. Note that this effectively makes
  # Outline a single-team instance.
  patchPhase = ''
    sed -i 's/const domain = parts\.length && parts\[1\];/const domain = "example.com";/g' plugins/oidc/server/auth/oidc.ts
  '';
})

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.azureAuthentication

To configure Microsoft/Azure auth, you’ll need to create an OAuth Client. See the guide for details on setting up your Azure App.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.azureAuthentication.clientId

Authentication client identifier.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.azureAuthentication.clientSecretFile

File path containing the authentication secret.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.azureAuthentication.resourceAppId

Authentication application resource ID.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.cdnUrl

If using a Cloudfront/Cloudflare distribution or similar it can be set using this option. This will cause paths to JavaScript files, stylesheets and images to be updated to the hostname defined here. In your CDN configuration the origin server should be set to public URL.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.concurrency

How many processes should be spawned. For a rough estimate, divide your server’s available memory by 512.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.databaseUrl

URI to use for the main PostgreSQL database. If this needs to include credentials that shouldn’t be world-readable in the Nix store, set an environment file on the systemd service and override the DATABASE_URL entry. Pass the string local to setup a database on the local server.

Type: string

Default: "local"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.debugOutput

Set this to http log HTTP requests.

Type: null or value “http” (singular enum)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.defaultLanguage

The default interface language. See translate.getoutline.com for a list of available language codes and their rough percentage translated.

Type: one of “da_DK”, “de_DE”, “en_US”, “es_ES”, “fa_IR”, “fr_FR”, “it_IT”, “ja_JP”, “ko_KR”, “nl_NL”, “pl_PL”, “pt_BR”, “pt_PT”, “ru_RU”, “sv_SE”, “th_TH”, “vi_VN”, “zh_CN”, “zh_TW”

Default: "en_US"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.forceHttps

Auto-redirect to HTTPS in production. The default is true but you may set this to false if you can be sure that SSL is terminated at an external loadbalancer.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.googleAnalyticsId

Optionally enable Google Analytics to track page views in the knowledge base.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.googleAuthentication

To configure Google auth, you’ll need to create an OAuth Client ID at https://console.cloud.google.com/apis/credentials

When configuring the Client ID, add an Authorized redirect URI to https://[publicUrl]/auth/google.callback.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.googleAuthentication.clientId

Authentication client identifier.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.googleAuthentication.clientSecretFile

File path containing the authentication secret.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.group

Group under which the service should run. If this is the default value, the group will be created.

Type: string

Default: "outline"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.logo

Custom logo displayed on the authentication screen. This will be scaled to a height of 60px.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.maximumImportSize

The maximum size of document imports. Overriding this could be required if you have especially large Word documents with embedded imagery.

Type: signed integer

Default: 5120000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.oidcAuthentication

To configure generic OIDC auth, you’ll need some kind of identity provider. See the documentation for whichever IdP you use to fill out all the fields. The redirect URL is https://[publicUrl]/auth/oidc.callback.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.oidcAuthentication.authUrl

OIDC authentication URL endpoint.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.oidcAuthentication.clientId

Authentication client identifier.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.oidcAuthentication.clientSecretFile

File path containing the authentication secret.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.oidcAuthentication.displayName

Display name for OIDC authentication.

Type: string

Default: "OpenID"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.oidcAuthentication.scopes

OpenID authentication scopes.

Type: list of string

Default:

[
  "openid"
  "profile"
  "email"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.oidcAuthentication.tokenUrl

OIDC token URL endpoint.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.oidcAuthentication.userinfoUrl

OIDC userinfo URL endpoint.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.oidcAuthentication.usernameClaim

Specify which claims to derive user information from. Supports any valid JSON path with the JWT payload

Type: string

Default: "preferred_username"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.port

Listening port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.publicUrl

The fully qualified, publicly accessible URL

Type: string

Default: "http://localhost:3000"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.rateLimiter.enable

Whether to enable rate limiter for the application web server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.rateLimiter.durationWindow

Length of a throttling window.

Type: signed integer

Default: 60

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.rateLimiter.requests

Maximum number of requests in a throttling window.

Type: signed integer

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.redisUrl

Connection to a redis server. If this needs to include credentials that shouldn’t be world-readable in the Nix store, set an environment file on the systemd service and override the REDIS_URL entry. Pass the string local to setup a local Redis database.

Type: string

Default: "local"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.secretKeyFile

File path that contains the application secret key. It must be 32 bytes long and hex-encoded. If the file does not exist, a new key will be generated and saved here.

Type: string

Default: "/var/lib/outline/secret_key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.sentryDsn

Optionally enable Sentry to track errors and performance.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.sentryTunnel

Optionally add a Sentry proxy tunnel for bypassing ad blockers in the UI.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.slackAuthentication

To configure Slack auth, you’ll need to create an Application at https://api.slack.com/apps

When configuring the Client ID, add a redirect URL under “OAuth & Permissions” to https://[publicUrl]/auth/slack.callback.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.slackAuthentication.clientId

Authentication key.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.slackAuthentication.secretFile

File path containing the authentication secret.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.slackIntegration

For a complete Slack integration with search and posting to channels this configuration is also needed. See here for details: https://wiki.generaloutline.com/share/be25efd1-b3ef-4450-b8e5-c4a4fc11e02a

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.slackIntegration.appId

Application ID.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.slackIntegration.messageActions

Whether to enable message actions.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.slackIntegration.verificationTokenFile

File path containing the verification token.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.smtp

To support sending outgoing transactional emails such as “document updated” or “you’ve been invited” you’ll need to provide authentication for an SMTP server.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.smtp.fromEmail

Sender email in outgoing mail.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.smtp.host

Host name or IP address of the SMTP server.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.smtp.passwordFile

File path containing the password to authenticate with.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.smtp.port

TCP port of the SMTP server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.smtp.replyEmail

Reply address in outgoing mail.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.smtp.secure

Use a secure SMTP connection.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.smtp.tlsCiphers

Override SMTP cipher configuration.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.smtp.username

Username to authenticate with.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.sslCertFile

File path that contains the Base64-encoded certificate for HTTPS termination. This is only required if you do not use an external reverse proxy. See the documentation.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.sslKeyFile

File path that contains the Base64-encoded private key for HTTPS termination. This is only required if you do not use an external reverse proxy. See the documentation.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.storage

To support uploading of images for avatars and document attachments an s3-compatible storage can be provided. AWS S3 is recommended for redundancy however if you want to keep all file storage local an alternative such as minio can be used. Local filesystem storage can also be used.

A more detailed guide on setting up storage is available here.

Type: submodule

Example:

{
  accessKey = "...";
  secretKeyFile = "/somewhere";
  uploadBucketUrl = "https://minio.example.com";
  uploadBucketName = "outline";
  region = "us-east-1";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.storage.accessKey

S3 access key.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.storage.acl

ACL setting.

Type: string

Default: "private"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.storage.forcePathStyle

Force S3 path style.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.storage.localRootDir

If storageType is local, this sets the parent directory under which all attachments/images go.

Type: string

Default: "/var/lib/outline/data"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.storage.region

AWS S3 region name.

Type: string

Default: "xx-xxxx-x"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.storage.secretKeyFile

File path that contains the S3 secret key.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.storage.storageType

File storage type, it can be local or s3.

Type: one of “local”, “s3”

Default: "s3"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.storage.uploadBucketName

Name of the bucket where uploads should be stored.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.storage.uploadBucketUrl

URL endpoint of an S3-compatible API where uploads should be stored.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.storage.uploadMaxSize

Maxmium file size for uploads.

Type: signed integer

Default: 26214400

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.user

User under which the service should run. If this is the default value, the user will be created, with the specified group as the primary group.

Type: string

Default: "outline"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.outline.utilsSecretFile

File path that contains the utility secret key. If the file does not exist, a new key will be generated and saved here.

Type: string

Default: "/var/lib/outline/utils_secret"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/outline.nix>
services.owamp.enable

Whether to enable OWAMP server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/owamp.nix>
services.owncast.enable

Whether to enable owncast, a video live streaming solution.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/owncast.nix>
services.owncast.dataDir

The directory where owncast stores its data files. If left as the default value this directory will automatically be created before the owncast server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: string

Default: "/var/lib/owncast"

Declared by:

<nixpkgs/nixos/modules/services/misc/owncast.nix>
services.owncast.group

Group under which owncast runs.

Type: string

Default: "owncast"

Declared by:

<nixpkgs/nixos/modules/services/misc/owncast.nix>
services.owncast.listen

The IP address to bind the owncast web server to.

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/owncast.nix>
services.owncast.openFirewall

Open the appropriate ports in the firewall for owncast.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/owncast.nix>
services.owncast.port

TCP port where owncast web-gui listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/misc/owncast.nix>
services.owncast.rtmp-port

TCP port where owncast rtmp service listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1935

Declared by:

<nixpkgs/nixos/modules/services/misc/owncast.nix>
services.owncast.user

User account under which owncast runs.

Type: string

Default: "owncast"

Declared by:

<nixpkgs/nixos/modules/services/misc/owncast.nix>
services.oxidized.enable

Whether to enable the oxidized configuration backup service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/admin/oxidized.nix>
services.oxidized.configFile

Path to the oxidized configuration file.

Type: path

Example:

pkgs.writeText "oxidized-config.yml" ''
  ---
  debug: true
  use_syslog: true
  input:
    default: ssh
    ssh:
      secure: true
  interval: 3600
  model_map:
    dell: powerconnect
    hp: procurve
  source:
    default: csv
    csv:
      delimiter: !ruby/regexp /:/
      file: "/var/lib/oxidized/.config/oxidized/router.db"
      map:
        name: 0
        model: 1
        username: 2
        password: 3
  pid: "/var/lib/oxidized/.config/oxidized/pid"
  rest: 127.0.0.1:8888
  retries: 3
  # ... additional config
'';

Declared by:

<nixpkgs/nixos/modules/services/admin/oxidized.nix>
services.oxidized.dataDir

State directory for the oxidized service.

Type: path

Default: "/var/lib/oxidized"

Declared by:

<nixpkgs/nixos/modules/services/admin/oxidized.nix>
services.oxidized.group

Group under which the oxidized service runs.

Type: string

Default: "oxidized"

Declared by:

<nixpkgs/nixos/modules/services/admin/oxidized.nix>
services.oxidized.routerDB

Path to the file/database which contains the targets for oxidized.

Type: path

Example:

pkgs.writeText "oxidized-router.db" ''
  hostname-sw1:powerconnect:username1:password2
  hostname-sw2:procurve:username2:password2
  # ... additional hosts
''

Declared by:

<nixpkgs/nixos/modules/services/admin/oxidized.nix>
services.oxidized.user

User under which the oxidized service runs.

Type: string

Default: "oxidized"

Declared by:

<nixpkgs/nixos/modules/services/admin/oxidized.nix>
services.pacemaker.enable

Whether to enable pacemaker.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/pacemaker/default.nix>
services.pacemaker.package

The pacemaker package to use.

Type: package

Default: pkgs.pacemaker

Declared by:

<nixpkgs/nixos/modules/services/cluster/pacemaker/default.nix>
services.pantalaimon-headless.instances

Declarative instance config.

Note: to use pantalaimon interactively, e.g. for a Matrix client which does not support End-to-end encryption (like fractal), refer to the home-manager module.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/pantalaimon.nix>
services.pantalaimon-headless.instances.<name>.dataPath

The directory where pantalaimon should store its state such as the database file.

Type: path

Default: "/var/lib/pantalaimon-‹name›"

Declared by:

<nixpkgs/nixos/modules/services/matrix/pantalaimon.nix>
services.pantalaimon-headless.instances.<name>.extraSettings

Extra configuration options. See pantalaimon(5) for available options.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/matrix/pantalaimon.nix>
services.pantalaimon-headless.instances.<name>.homeserver

The URI of the homeserver that the pantalaimon proxy should forward requests to, without the matrix API path but including the http(s) schema.

Type: string

Example: "https://matrix.org"

Declared by:

<nixpkgs/nixos/modules/services/matrix/pantalaimon.nix>
services.pantalaimon-headless.instances.<name>.listenAddress

The address where the daemon will listen to client connections for this homeserver.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/matrix/pantalaimon.nix>
services.pantalaimon-headless.instances.<name>.listenPort

The port where the daemon will listen to client connections for this homeserver. Note that the listen address/port combination needs to be lib.unique between different homeservers.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8009

Declared by:

<nixpkgs/nixos/modules/services/matrix/pantalaimon.nix>
services.pantalaimon-headless.instances.<name>.logLevel

Set the log level of the daemon.

Type: one of “info”, “warning”, “error”, “debug”

Default: "warning"

Declared by:

<nixpkgs/nixos/modules/services/matrix/pantalaimon.nix>
services.pantalaimon-headless.instances.<name>.ssl

Whether or not SSL verification should be enabled for outgoing connections to the homeserver.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/matrix/pantalaimon.nix>
services.pantheon.apps.enable

Whether to enable Pantheon default applications.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix>
services.pantheon.contractor.enable

Whether to enable contractor, a desktop-wide extension service used by Pantheon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix>
services.paperless.enable

Enable Paperless.

When started, the Paperless database is automatically created if it doesn’t exist and updated if the Paperless package has changed. Both tasks are achieved by running a Django migration.

A script to manage the Paperless instance (by wrapping Django’s manage.py) is linked to ${dataDir}/paperless-manage.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.paperless.package

The paperless-ngx package to use.

Type: package

Default: pkgs.paperless-ngx

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.paperless.address

Web interface address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.paperless.consumptionDir

Directory from which new documents are imported.

Type: string

Default: "${dataDir}/consume"

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.paperless.consumptionDirIsPublic

Whether all users can write to the consumption dir.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.paperless.dataDir

Directory to store the Paperless data.

Type: string

Default: "/var/lib/paperless"

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.paperless.database.createLocally

Configure local PostgreSQL database server for Paperless.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.paperless.environmentFile

Path to a file containing extra paperless config options in the systemd EnvironmentFile format. Refer to the documentation for config options.

This can be used to pass secrets to paperless without putting them in the Nix store.

To set a database password, point environmentFile at a file containing:

PAPERLESS_DBPASS=<pass>

Type: null or path

Default: null

Example: "/run/secrets/paperless"

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.paperless.mediaDir

Directory to store the Paperless documents.

Type: string

Default: "${dataDir}/media"

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.paperless.openMPThreadingWorkaround

Whether to enable a workaround for document classifier timeouts.

Paperless uses OpenBLAS via scikit-learn for document classification.

The default is to use threading for OpenMP but this would cause the document classifier to spin on one core seemingly indefinitely if there are large amounts of classes per classification; causing it to effectively never complete due to running into timeouts.

This sets OMP_NUM_THREADS to 1 in order to mitigate the issue. See https://github.com/NixOS/nixpkgs/issues/240591 for more information .

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.paperless.passwordFile

A file containing the superuser password.

A superuser is required to access the web interface. If unset, you can create a superuser manually by running ${dataDir}/paperless-manage createsuperuser.

The default superuser name is admin. To change it, set option settings.PAPERLESS_ADMIN_USER. WARNING: When changing the superuser name after the initial setup, the old superuser will continue to exist.

To disable login for the web interface, set the following: settings.PAPERLESS_AUTO_LOGIN_USERNAME = "admin";. WARNING: Only use this on a trusted system without internet access to Paperless.

Type: null or path

Default: null

Example: "/run/keys/paperless-password"

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.paperless.port

Web interface port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 28981

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.paperless.settings

Extra paperless config options.

See the documentation for available options.

Note that some settings such as PAPERLESS_CONSUMER_IGNORE_PATTERN expect JSON values. Settings declared as lists or attrsets will automatically be serialised into JSON strings for your convenience.

Type: attribute set of (boolean or floating point number or signed integer or string or path or package or list of (boolean or floating point number or signed integer or string or path or package) or attribute set of (boolean or floating point number or signed integer or string or path or package))

Default: { }

Example:

{
  PAPERLESS_CONSUMER_IGNORE_PATTERN = [
    ".DS_STORE/*"
    "desktop.ini"
  ];
  PAPERLESS_OCR_LANGUAGE = "deu+eng";
  PAPERLESS_OCR_USER_ARGS = {
    optimize = 1;
    pdfa_image_compression = "lossless";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.paperless.user

User under which Paperless runs.

Type: string

Default: "paperless"

Declared by:

<nixpkgs/nixos/modules/services/misc/paperless.nix>
services.parsedmarc.enable

Whether to enable parsedmarc, a DMARC report monitoring service .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.provision.elasticsearch

Whether to set up and use a local instance of Elasticsearch.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.provision.geoIp

Whether to enable and configure the geoipupdate service to automatically fetch GeoIP databases. Not crucial, but recommended for full functionality.

To finish the setup, you need to manually set the services.geoipupdate.settings.AccountID and services.geoipupdate.settings.LicenseKey options.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.provision.grafana.dashboard

Whether the official parsedmarc grafana dashboard should be provisioned to the local grafana instance.

Type: boolean

Default: config.services.grafana.enable

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.provision.grafana.datasource

Whether the automatically provisioned Elasticsearch instance should be added as a grafana datasource. Has no effect unless services.parsedmarc.provision.elasticsearch is also enabled.

Type: boolean

Default:

config.services.parsedmarc.provision.elasticsearch && config.services.grafana.enable

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.provision.localMail.enable

Whether Postfix and Dovecot should be set up to receive mail locally. parsedmarc will be configured to watch the local inbox as the automatically created user specified in services.parsedmarc.provision.localMail.recipientName

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.provision.localMail.hostname

The hostname to use when configuring Postfix.

Should correspond to the host’s fully qualified domain name and the domain part of the email address which receives DMARC reports. You also have to set up an MX record pointing to this domain name.

Type: string

Default: config.networking.fqdn

Example: "monitoring.example.com"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.provision.localMail.recipientName

The DMARC mail recipient name, i.e. the name part of the email address which receives DMARC reports.

A local user with this name will be set up and assigned a randomized password on service start.

Type: string

Default: "dmarc"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings

Configuration parameters to set in parsedmarc.ini. For a full list of available parameters, see https://domainaware.github.io/parsedmarc/#configuration-file.

Settings containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting parsedmarc.ini file, the splunk_hec.token key will be set to the contents of the /run/keys/splunk_token file.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Example:

{
  imap = {
    host = "imap.example.com";
    user = "alice@example.com";
    password = { _secret = "/run/keys/imap_password" };
  };
  mailbox = {
    watch = true;
    batch_size = 30;
  };
  splunk_hec = {
    url = "https://splunkhec.example.com";
    token = { _secret = "/run/keys/splunk_token" };
    index = "email";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.elasticsearch.cert_path

The path to a TLS certificate bundle used to verify the server’s certificate.

Type: path

Default: "/etc/ssl/certs/ca-certificates.crt"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.elasticsearch.hosts

A list of Elasticsearch hosts to push parsed reports to.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.elasticsearch.password

The password to use when connecting to Elasticsearch, if required.

Always handled as a secret whether the value is wrapped in a { _secret = ...; } attrset or not (refer to services.parsedmarc.settings for details).

Type: null or path or attribute set of path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.elasticsearch.ssl

Whether to use an encrypted SSL/TLS connection.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.elasticsearch.user

Username to use when connecting to Elasticsearch, if required.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.general.save_aggregate

Save aggregate report data to Elasticsearch and/or Splunk.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.general.save_forensic

Save forensic report data to Elasticsearch and/or Splunk.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.imap.host

The IMAP server hostname or IP address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.imap.password

The IMAP server password.

Always handled as a secret whether the value is wrapped in a { _secret = ...; } attrset or not (refer to services.parsedmarc.settings for details).

Type: null or path or attribute set of path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.imap.port

The IMAP server port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 993

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.imap.ssl

Use an encrypted SSL/TLS connection.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.imap.user

The IMAP server username.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.mailbox.delete

Delete messages after processing them, instead of archiving them.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.mailbox.watch

Use the IMAP IDLE command to process messages as they arrive.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.smtp.from

The From address to use for the outgoing mail.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.smtp.host

The SMTP server hostname or IP address.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.smtp.password

The SMTP server password.

Always handled as a secret whether the value is wrapped in a { _secret = ...; } attrset or not (refer to services.parsedmarc.settings for details).

Type: null or path or attribute set of path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.smtp.port

The SMTP server port.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.smtp.ssl

Use an encrypted SSL/TLS connection.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.smtp.to

The addresses to send outgoing mail to.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsedmarc.settings.smtp.user

The SMTP server username.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/parsedmarc.nix>
services.parsoid.enable

Whether to enable Parsoid – bidirectional wikitext parser.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/parsoid.nix>
services.parsoid.extraConfig

Extra configuration to add to parsoid configuration.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/parsoid.nix>
services.parsoid.interface

Interface to listen on.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/parsoid.nix>
services.parsoid.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8000

Declared by:

<nixpkgs/nixos/modules/services/misc/parsoid.nix>
services.parsoid.wikis

Used MediaWiki API endpoints.

Type: list of (string or (attribute set))

Example:

[
  "http://localhost/api.php"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/parsoid.nix>
services.parsoid.workers

Number of Parsoid workers.

Type: signed integer

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/misc/parsoid.nix>
services.passSecretService.enable

Whether to enable pass secret service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/pass-secret-service.nix>
services.passSecretService.package

The pass-secret-service package to use.

Type: package

Default: pkgs.pass-secret-service

Example: pass-secret-service.override { python3 = pkgs.python310 }

Declared by:

<nixpkgs/nixos/modules/services/security/pass-secret-service.nix>
services.patroni.enable

Whether to enable Patroni.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.dataDir

Folder where Patroni data will be written, this is where the pgpass password file will be written.

Type: path

Default: "/var/lib/patroni"

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.environmentFiles

Environment variables made available to Patroni as files content, useful for providing secrets from files.

Type: attribute set of (null or string or path or package)

Default: { }

Example:

{
  PATRONI_REPLICATION_PASSWORD = "/secret/file";
  PATRONI_SUPERUSER_PASSWORD = "/secret/file";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.group

The group for the service. If left as the default value this group will automatically be created, otherwise the sysadmin is responsible for ensuring the group exists.

Type: string

Default: "patroni"

Example: "postgres"

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.name

The name of the host. Must be unique for the cluster.

Type: string

Example: "node1"

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.namespace

Path within the configuration store where Patroni will keep information about the cluster.

Type: string

Default: "/service"

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.nodeIp

IP address of this node.

Type: string

Example: "192.168.1.1"

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.otherNodesIps

IP addresses of the other nodes.

Type: list of string

Example:

[
  "192.168.1.2"
  "192.168.1.3"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.postgresqlDataDir

The data directory for PostgreSQL. If left as the default value this directory will automatically be created before the PostgreSQL server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path

Default: "/var/lib/postgresql/${config.services.patroni.postgresqlPackage.psqlSchema}"

Example: "/var/lib/postgresql/14"

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.postgresqlPackage

PostgreSQL package to use. Plugins can be enabled like this pkgs.postgresql_14.withPackages (p: [ p.pg_safeupdate p.postgis ]).

Type: package

Example: pkgs.postgresql_14

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.postgresqlPort

The port on which PostgreSQL listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5432

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.restApiPort

The port on Patroni’s REST api listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8008

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.scope

Cluster name.

Type: string

Example: "cluster1"

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.settings

The primary patroni configuration. See the documentation for possible values. Secrets should be passed in by using the environmentFiles option.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.softwareWatchdog

This will configure Patroni to use the software watchdog built into the Linux kernel as described in the documentation.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.patroni.user

The user for the service. If left as the default value this user will automatically be created, otherwise the sysadmin is responsible for ensuring the user exists.

Type: string

Default: "patroni"

Example: "postgres"

Declared by:

<nixpkgs/nixos/modules/services/cluster/patroni/default.nix>
services.pcscd.enable

Whether to enable PCSC-Lite daemon, to access smart cards using SCard API (PC/SC).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/pcscd.nix>
services.pcscd.extraArgs

Extra command line arguments to be passed to the PCSC daemon.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/pcscd.nix>
services.pcscd.plugins

Plugin packages to be used for PCSC-Lite.

Type: list of package

Default: [ pkgs.ccid ]

Example: [ pkgs.pcsc-cyberjack ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/pcscd.nix>
services.pcscd.readerConfig

Configuration for devices that aren’t hotpluggable.

See reader.conf(5) for valid options.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  FRIENDLYNAME      "Some serial reader"
  DEVICENAME        /dev/ttyS0
  LIBPATH           /path/to/serial_reader.so
  CHANNELID         1
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/pcscd.nix>
services.pdns-recursor.enable

Whether to enable PowerDNS Recursor, a recursive DNS server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdns-recursor.api.address

IP address Recursor REST API server will bind to.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdns-recursor.api.allowFrom

IP address ranges of clients allowed to make API requests.

Type: list of string

Default:

[
  "127.0.0.1"
  "::1"
]

Example:

[
  "0.0.0.0/0"
  "::/0"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdns-recursor.api.port

Port number Recursor REST API server will bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8082

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdns-recursor.dns.address

IP addresses Recursor DNS server will bind to.

Type: string or list of string

Default:

[
  "::"
  "0.0.0.0"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdns-recursor.dns.allowFrom

IP address ranges of clients allowed to make DNS queries.

Type: list of string

Default:

[
  "127.0.0.0/8"
  "10.0.0.0/8"
  "100.64.0.0/10"
  "169.254.0.0/16"
  "192.168.0.0/16"
  "172.16.0.0/12"
  "::1/128"
  "fc00::/7"
  "fe80::/10"
]

Example:

[
  "0.0.0.0/0"
  "::/0"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdns-recursor.dns.port

Port number Recursor DNS server will bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 53

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdns-recursor.dnssecValidation

Controls the level of DNSSEC processing done by the PowerDNS Recursor. See https://doc.powerdns.com/md/recursor/dnssec/ for a detailed explanation.

Type: one of “off”, “process-no-validate”, “process”, “log-fail”, “validate”

Default: "validate"

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdns-recursor.exportHosts

Whether to export names and IP addresses defined in /etc/hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdns-recursor.forwardZones

DNS zones to be forwarded to other authoritative servers.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdns-recursor.forwardZonesRecurse

DNS zones to be forwarded to other recursive servers.

Type: attribute set

Default: { }

Example:

{
  eth = "[::1]:5353";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdns-recursor.luaConfig

The content Lua configuration file for PowerDNS Recursor. See https://doc.powerdns.com/recursor/lua-config/index.html.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdns-recursor.resolveNamecoin

Resolve .bit top-level domains using ncdns and namecoin.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/ncdns.nix>
services.pdns-recursor.serveRFC1918

Whether to directly resolve the RFC1918 reverse-mapping domains: 10.in-addr.arpa, 168.192.in-addr.arpa, 16-31.172.in-addr.arpa This saves load on the AS112 servers.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdns-recursor.settings

PowerDNS Recursor settings. Use this option to configure Recursor settings not exposed in a NixOS option or to bypass one. See the full documentation at https://doc.powerdns.com/recursor/settings.html for the available options.

Type: attribute set of (null or signed integer or string or boolean or path or list of (signed integer or string or boolean or path))

Default: { }

Example:

{
  loglevel = 8;
  log-common-errors = true;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/pdns-recursor.nix>
services.pdnsd.enable

Whether to enable pdnsd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/pdnsd.nix>
services.pdnsd.cacheDir

Directory holding the pdnsd cache

Type: string

Default: "/var/cache/pdnsd"

Declared by:

<nixpkgs/nixos/modules/services/networking/pdnsd.nix>
services.pdnsd.extraConfig

Extra configuration directives that should be added to pdnsd.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/pdnsd.nix>
services.pdnsd.globalConfig

Global configuration that should be added to the global directory of pdnsd.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/pdnsd.nix>
services.pdnsd.serverConfig

Server configuration that should be added to the server directory of pdnsd.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/pdnsd.nix>
services.peerflix.enable

Whether to enable peerflix service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/torrent/peerflix.nix>
services.peerflix.downloadDir

Peerflix temporary download directory.

Type: path

Default: "${config.services.peerflix.stateDir}/torrents"

Declared by:

<nixpkgs/nixos/modules/services/torrent/peerflix.nix>
services.peerflix.stateDir

Peerflix state directory.

Type: path

Default: "/var/lib/peerflix"

Declared by:

<nixpkgs/nixos/modules/services/torrent/peerflix.nix>
services.peering-manager.enable

Enable Peering Manager.

This module requires a reverse proxy that serves /static separately. See this [example](https://github.com/peering-manager/contrib/blob/main/nginx.conf on how to configure this.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peering-manager.enableLdap

Enable LDAP-Authentication for Peering Manager.

This requires a configuration file being pass through ldapConfigPath.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peering-manager.enableOidc

Enable OIDC-Authentication for Peering Manager.

This requires a configuration file being pass through oidcConfigPath.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peering-manager.enableScheduledTasks

Set up scheduled tasks

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peering-manager.extraConfig

Additional lines of configuration appended to the configuration.py. See the documentation for more possible options.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peering-manager.ldapConfigPath

Path to the Configuration-File for LDAP-Authentication, will be loaded as ldap_config.py. See the documentation for possible options.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peering-manager.listenAddress

Address the server will listen on.

Type: string

Default: "[::1]"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peering-manager.oidcConfigPath

Path to the Configuration-File for OIDC-Authentication, will be loaded as oidc_config.py. See the documentation for possible options.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peering-manager.peeringdbApiKeyFile

Path to a file containing the PeeringDB API key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peering-manager.plugins

List of plugin packages to install.

Type: function that evaluates to a(n) list of package

Default:

python3Packages: with python3Packages; [];

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peering-manager.port

Port the server will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8001

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peering-manager.secretKeyFile

Path to a file containing the secret key.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peering-manager.settings

Configuration options to set in configuration.py. See the documentation for more possible options.

Type: attribute set of (Python value)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peering-manager.settings.ALLOWED_HOSTS

A list of valid fully-qualified domain names (FQDNs) and/or IP addresses that can be used to reach the peering manager service.

Type: list of string

Default:

[
  "*"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peering-manager.nix>
services.peertube.enable

Whether to enable Peertube.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.enableWebHttps

Whether clients will access your PeerTube instance with HTTPS. Does NOT configure the PeerTube webserver itself to listen for incoming HTTPS connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.package

PeerTube package to use.

Type: package

Default: pkgs.peertube

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.configureNginx

Configure nginx as a reverse proxy for peertube.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.dataDirs

Allow access to custom data locations.

Type: list of path

Default: [ ]

Example:

[
  "/opt/peertube/storage"
  "/var/cache/peertube"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.database.createLocally

Configure local PostgreSQL database server for PeerTube.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.database.host

Database host address or unix socket.

Type: string

Default:

if config.services.peertube.database.createLocally
then "/run/postgresql"
else null

Example: "192.168.15.47"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.database.name

Database name.

Type: string

Default: "peertube"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.database.passwordFile

Password for PostgreSQL database.

Type: null or path

Default: null

Example: "/run/keys/peertube/password-postgresql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5432

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.database.user

Database user.

Type: string

Default: "peertube"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.group

Group under which Peertube runs.

Type: string

Default: "peertube"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.listenHttp

The port that the local PeerTube web server will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.listenWeb

The public-facing port that PeerTube will be accessible at (likely 80 or 443 if running behind a reverse proxy). Clients will try to access PeerTube at this port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.localDomain

The domain serving your PeerTube instance.

Type: string

Example: "peertube.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.redis.enableUnixSocket

Use Unix socket.

Type: boolean

Default: config.services.peertube.redis.createLocally

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.redis.createLocally

Configure local Redis server for PeerTube.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.redis.host

Redis host.

Type: null or string

Default:

if config.services.peertube.redis.createLocally && !config.services.peertube.redis.enableUnixSocket
then "127.0.0.1"
else null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.redis.passwordFile

Password for redis database.

Type: null or path

Default: null

Example: "/run/keys/peertube/password-redis-db"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.redis.port

Redis port.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

if config.services.peertube.redis.createLocally && config.services.peertube.redis.enableUnixSocket
then null
else 6379

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.secrets.secretsFile

Secrets to run PeerTube. Generate one using openssl rand -hex 32

Type: null or path

Default: null

Example: "/run/secrets/peertube"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.serviceEnvironmentFile

Set environment variables for the service. Mainly useful for setting the initial root password. For example write to file: PT_INITIAL_ROOT_PASSWORD=changeme

Type: null or path

Default: null

Example: "/run/keys/peertube/password-init-root"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.settings

Configuration for peertube.

Type: JSON value

Example:

{
  listen = {
    hostname = "0.0.0.0";
  };
  log = {
    level = "debug";
  };
  storage = {
    tmp = "/opt/data/peertube/storage/tmp/";
    logs = "/opt/data/peertube/storage/logs/";
    cache = "/opt/data/peertube/storage/cache/";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.smtp.createLocally

Configure local Postfix SMTP server for PeerTube.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.smtp.passwordFile

Password for smtp server.

Type: null or path

Default: null

Example: "/run/keys/peertube/password-smtp"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peertube.user

User account under which Peertube runs.

Type: string

Default: "peertube"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/peertube.nix>
services.peroxide.enable

Whether to enable peroxide.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/peroxide.nix>
services.peroxide.package

The peroxide package to use.

Type: package

Default: pkgs.peroxide

Declared by:

<nixpkgs/nixos/modules/services/networking/peroxide.nix>
services.peroxide.logLevel

Only log messages of this priority or higher.

Type: one of “Panic”, “Fatal”, “Error”, “Warning”, “Info”, “Debug”, “Trace”

Default: "Warning"

Example: "Info"

Declared by:

<nixpkgs/nixos/modules/services/networking/peroxide.nix>
services.peroxide.settings

Configuration for peroxide. See config.example.yaml for an example configuration.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/peroxide.nix>
services.peroxide.settings.ServerAddress

The address on which to listen for connections.

Type: string

Default: "[::0]"

Example: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/networking/peroxide.nix>
services.peroxide.settings.UserPortImap

The port on which to listen for IMAP connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1143

Declared by:

<nixpkgs/nixos/modules/services/networking/peroxide.nix>
services.peroxide.settings.UserPortSmtp

The port on which to listen for SMTP connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1025

Declared by:

<nixpkgs/nixos/modules/services/networking/peroxide.nix>
services.persistent-evdev.enable

Whether to enable virtual input devices that persist even if the backing device is hotplugged.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/persistent-evdev.nix>
services.persistent-evdev.devices

A set of virtual proxy device labels with backing physical device ids.

Physical devices should already exist in /dev/input/by-id/. Proxy devices will be automatically given a uinput- prefix.

See the project page for example configuration of virtual devices with libvirt and remember to add uinput-* devices to the qemu cgroup_device_acl list (see virtualisation.libvirtd.qemu.verbatimConfig).

Type: attribute set of string

Default: { }

Example:

{
  persist-mouse0 = "usb-Logitech_G403_Prodigy_Gaming_Mouse_078738533531-event-if01";
  persist-mouse1 = "usb-Logitech_G403_Prodigy_Gaming_Mouse_078738533531-event-mouse";
  persist-mouse2 = "usb-Logitech_G403_Prodigy_Gaming_Mouse_078738533531-if01-event-kbd";
  persist-keyboard0 = "usb-Microsoft_Natural®_Ergonomic_Keyboard_4000-event-kbd";
  persist-keyboard1 = "usb-Microsoft_Natural®_Ergonomic_Keyboard_4000-if01-event-kbd";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/persistent-evdev.nix>
services.pfix-srsd.enable

Whether to run the postfix sender rewriting scheme daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/pfix-srsd.nix>
services.pfix-srsd.domain

The domain for which to enable srs

Type: string

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/mail/pfix-srsd.nix>
services.pfix-srsd.secretsFile

The secret data used to encode the SRS address. to generate, use a command like: for n in $(seq 5); do dd if=/dev/urandom count=1 bs=1024 status=none | sha256sum | sed 's/ -$//' | sed 's/^/ /'; done

Type: path

Default: "/var/lib/pfix-srsd/secrets"

Declared by:

<nixpkgs/nixos/modules/services/mail/pfix-srsd.nix>
services.pgadmin.enable

Whether to enable PostgreSQL Admin 4.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.package

The pgadmin4 package to use.

Type: package

Default: pkgs.pgadmin4

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.emailServer.enable

Enable SMTP email server. This is necessary, if you want to use password recovery or change your own password

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.emailServer.address

SMTP server for email delivery

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.emailServer.passwordFile

Password for SMTP email account. NOTE: Should be string not a store path, to prevent the password from being world readable

Type: path

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.emailServer.port

SMTP server port for email delivery

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 25

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.emailServer.sender

SMTP server sender email for email delivery. Some servers require this to be a valid email address from that server

Type: string

Example: "noreply@example.com"

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.emailServer.useSSL

SMTP server should use SSL

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.emailServer.useTLS

SMTP server should use TLS

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.emailServer.username

SMTP server username for email delivery

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.initialEmail

Initial email for the pgAdmin account

Type: string

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.initialPasswordFile

Initial password file for the pgAdmin account. Minimum length by default is 6. Please see services.pgadmin.minimumPasswordLength. NOTE: Should be string not a store path, to prevent the password from being world readable

Type: path

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.minimumPasswordLength

Minimum length of the password

Type: signed integer

Default: 6

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.openFirewall

Whether to enable firewall passthrough for pgadmin4.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.port

Port for pgadmin4 to run on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5050

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgadmin.settings

Settings for pgadmin4. Documentation

Type: attribute set of ((attribute set of ((list of (signed integer or boolean or string)) or attribute set of (signed integer or boolean or string) or signed integer or boolean or string)) or list of ((list of (signed integer or boolean or string)) or attribute set of (signed integer or boolean or string) or signed integer or boolean or string) or (list of (signed integer or boolean or string)) or attribute set of (signed integer or boolean or string) or signed integer or boolean or string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/admin/pgadmin.nix>
services.pgbouncer.enable

Whether to enable PostgreSQL connection pooler.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.package

The pgbouncer package to use.

Type: package

Default: pkgs.pgbouncer

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.group

The group pgbouncer is run as.

Type: string

Default: "pgbouncer"

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.homeDir

Specifies the home directory.

Type: path

Default: "/var/lib/pgbouncer"

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.openFilesLimit

Maximum number of open files.

Type: signed integer

Default: 65536

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.openFirewall

Whether to automatically open the specified TCP port in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.settings

Configuration for PgBouncer, see https://www.pgbouncer.org/config.html for supported values.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.settings.databases

Detailed information about PostgreSQL database definitions: https://www.pgbouncer.org/config.html#section-databases

Type: attribute set of string

Default: { }

Example:

{
  bardb = "host=localhost dbname=bazdb";
  exampledb = "host=/run/postgresql/ port=5432 auth_user=exampleuser dbname=exampledb sslmode=require";
  foodb = "host=host1.example.com port=5432";
}

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.settings.peers

Optional.

Detailed information about PostgreSQL database definitions: https://www.pgbouncer.org/config.html#section-peers

Type: attribute set of string

Default: { }

Example:

{
  "1" = "host=host1.example.com";
  "2" = "host=/tmp/pgbouncer-2 port=5555";
}

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.settings.pgbouncer.default_pool_size

How many server connections to allow per user/database pair. Can be overridden in the per-database configuration.

Type: signed integer

Default: 20

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.settings.pgbouncer.ignore_startup_parameters

By default, PgBouncer allows only parameters it can keep track of in startup packets: client_encoding, datestyle, timezone and standard_conforming_strings.

All others parameters will raise an error. To allow others parameters, they can be specified here, so that PgBouncer knows that they are handled by the admin and it can ignore them.

If you need to specify multiple values, use a comma-separated list.

IMPORTANT: When using prometheus-pgbouncer-exporter, you need: extra_float_digits https://github.com/prometheus-community/pgbouncer_exporter#pgbouncer-configuration

Type: null or strings concatenated with “,”

Default: null

Example: "extra_float_digits"

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.settings.pgbouncer.listen_addr

Specifies a list (comma-separated) of addresses where to listen for TCP connections. You may also use * meaning “listen on all addresses”. When not set, only Unix socket connections are accepted.

Addresses can be specified numerically (IPv4/IPv6) or by name.

Type: null or strings concatenated with “,”

Default: null

Example: "*"

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.settings.pgbouncer.listen_port

Which port to listen on. Applies to both TCP and Unix sockets.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6432

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.settings.pgbouncer.max_client_conn

Maximum number of client connections allowed.

When this setting is increased, then the file descriptor limits in the operating system might also have to be increased. Note that the number of file descriptors potentially used is more than maxClientConn. If each user connects under its own user name to the server, the theoretical maximum used is: maxClientConn + (max pool_size * total databases * total users)

If a database user is specified in the connection string (all users connect under the same user name), the theoretical maximum is: maxClientConn + (max pool_size * total databases)

The theoretical maximum should never be reached, unless somebody deliberately crafts a special load for it. Still, it means you should set the number of file descriptors to a safely high number.

Type: signed integer

Default: 100

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.settings.pgbouncer.max_db_connections

Do not allow more than this many server connections per database (regardless of user). This considers the PgBouncer database that the client has connected to, not the PostgreSQL database of the outgoing connection.

This can also be set per database in the [databases] section.

Note that when you hit the limit, closing a client connection to one pool will not immediately allow a server connection to be established for another pool, because the server connection for the first pool is still open. Once the server connection closes (due to idle timeout), a new server connection will immediately be opened for the waiting pool.

0 = unlimited

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.settings.pgbouncer.max_user_connections

Do not allow more than this many server connections per user (regardless of database). This considers the PgBouncer user that is associated with a pool, which is either the user specified for the server connection or in absence of that the user the client has connected as.

This can also be set per user in the [users] section.

Note that when you hit the limit, closing a client connection to one pool will not immediately allow a server connection to be established for another pool, because the server connection for the first pool is still open. Once the server connection closes (due to idle timeout), a new server connection will immediately be opened for the waiting pool.

0 = unlimited

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.settings.pgbouncer.pool_mode

Specifies when a server connection can be reused by other clients.

session Server is released back to pool after client disconnects. Default. transaction Server is released back to pool after transaction finishes. statement Server is released back to pool after query finishes. Transactions spanning multiple statements are disallowed in this mode.

Type: one of “session”, “transaction”, “statement”

Default: "session"

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.settings.users

Optional.

Detailed information about PostgreSQL user definitions: https://www.pgbouncer.org/config.html#section-users

Type: attribute set of string

Default: { }

Example:

{
  user1 = "pool_mode=session";
}

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pgbouncer.user

The user pgbouncer is run as.

Type: string

Default: "pgbouncer"

Declared by:

<nixpkgs/nixos/modules/services/databases/pgbouncer.nix>
services.pghero.enable

Whether to enable PgHero service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/pghero.nix>
services.pghero.package

The pghero package to use.

Type: package

Default: pkgs.pghero

Declared by:

<nixpkgs/nixos/modules/services/misc/pghero.nix>
services.pghero.environment

Environment variables to set for the service. Secrets should be specified using environmentFile.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/pghero.nix>
services.pghero.environmentFiles

File to load environment variables from. Loaded variables override values set in environment.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/pghero.nix>
services.pghero.extraArgs

Additional command-line arguments for the systemd service.

Refer to the Puma web server documentation for available arguments.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/pghero.nix>
services.pghero.extraGroups

Additional groups for the systemd service.

Type: list of string

Default: [ ]

Example:

[
  "tlskeys"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/pghero.nix>
services.pghero.listenAddress

hostname:port to listen for HTTP traffic.

This is bound using the systemd socket activation.

Type: string

Example: "[::1]:3000"

Declared by:

<nixpkgs/nixos/modules/services/misc/pghero.nix>
services.pghero.settings

PgHero configuration. Refer to the PgHero documentation for more details.

Type: YAML value

Default: { }

Example:

{
  databases = {
    primary = {
      url = "<%= ENV['PRIMARY_DATABASE_URL'] %>";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/pghero.nix>
services.pgmanage.enable

Whether to enable PostgreSQL Administration for the web.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgmanage.package

The pgmanage package to use.

Type: package

Default: pkgs.pgmanage

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgmanage.allowCustomConnections

This tells pgmanage whether or not to allow anyone to use a custom connection from the login screen.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgmanage.connections

pgmanage requires at least one PostgreSQL server be defined.

Detailed information about PostgreSQL connection strings is available at: https://www.postgresql.org/docs/current/libpq-connect.html

Note that you should not specify your user name or password. That information will be entered on the login screen. If you specify a username or password, it will be removed by pgmanage before attempting to connect to a database.

Type: attribute set of string

Default: { }

Example:

{
  mini-server = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require";
  nuc-server = "hostaddr=192.168.0.100 port=5432 dbname=postgres";
}

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgmanage.localOnly

This tells pgmanage whether or not to set the listening socket to local addresses only.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgmanage.logLevel

Verbosity of logs

Type: one of “error”, “warn”, “notice”, “info”

Default: "error"

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgmanage.loginGroup

This tells pgmanage to only allow users in a certain PostgreSQL group to login to pgmanage. Note that a connection will be made to PostgreSQL in order to test if the user is a member of the login group.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgmanage.loginTimeout

Number of seconds of inactivity before user is automatically logged out.

Type: signed integer

Default: 3600

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgmanage.port

This tells pgmanage what port to listen on for browser requests.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgmanage.sqlRoot

This tells pgmanage where to put the SQL file history. All tabs are saved to this location so that if you get disconnected from pgmanage you don’t lose your work.

Type: string

Default: "/var/lib/pgmanage"

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgmanage.superOnly

This tells pgmanage whether or not to only allow super users to login. The recommended value is true and will restrict users who are not super users from logging in to any PostgreSQL instance through pgmanage. Note that a connection will be made to PostgreSQL in order to test if the user is a superuser.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgmanage.tls

These options tell pgmanage where the TLS Certificate and Key files reside. If you use these options then you’ll only be able to access pgmanage through a secure TLS connection. These options are only necessary if you wish to connect directly to pgmanage using a secure TLS connection. As an alternative, you can set up pgmanage in a reverse proxy configuration. This allows your web server to terminate the secure connection and pass on the request to pgmanage. You can find help to set up this configuration in: https://github.com/pgManage/pgManage/blob/master/INSTALL_NGINX.md

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgmanage.tls.cert

TLS certificate

Type: string

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgmanage.tls.key

TLS key

Type: string

Declared by:

<nixpkgs/nixos/modules/services/databases/pgmanage.nix>
services.pgpkeyserver-lite.enable

Whether to enable pgpkeyserver-lite on a nginx vHost proxying to a gpg keyserver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pgpkeyserver-lite.nix>
services.pgpkeyserver-lite.package

The pgpkeyserver-lite package to use.

Type: package

Default: pkgs.pgpkeyserver-lite

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pgpkeyserver-lite.nix>
services.pgpkeyserver-lite.hkpAddress

Which IP address the sks-keyserver is listening on.

Type: string

Default: head config.services.sks.hkpAddress

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pgpkeyserver-lite.nix>
services.pgpkeyserver-lite.hkpPort

Which port the sks-keyserver is listening on.

Type: signed integer

Default: config.services.sks.hkpPort

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pgpkeyserver-lite.nix>
services.pgpkeyserver-lite.hostname

Which hostname to set the vHost to that is proxying to sks.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pgpkeyserver-lite.nix>
services.photonvision.enable

Whether to enable PhotonVision.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/photonvision.nix>
services.photonvision.package

The photonvision package to use.

Type: package

Default: pkgs.photonvision

Declared by:

<nixpkgs/nixos/modules/services/video/photonvision.nix>
services.photonvision.openFirewall

Whether to open the required ports in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/video/photonvision.nix>
services.photoprism.enable

Whether to enable Photoprism web server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/photoprism.nix>
services.photoprism.package

The photoprism package to use.

Type: package

Default: pkgs.photoprism

Declared by:

<nixpkgs/nixos/modules/services/web-apps/photoprism.nix>
services.photoprism.address

Web interface address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/photoprism.nix>
services.photoprism.importPath

Relative or absolute to the originalsPath from where the files should be imported.

Type: string

Default: "import"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/photoprism.nix>
services.photoprism.originalsPath

Storage path of your original media files (photos and videos).

Type: path

Default: null

Example: "/data/photos"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/photoprism.nix>
services.photoprism.passwordFile

Admin password file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/photoprism.nix>
services.photoprism.port

Web interface port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2342

Declared by:

<nixpkgs/nixos/modules/services/web-apps/photoprism.nix>
services.photoprism.settings

See the getting-started guide for available options.

Type: attribute set of string

Default: { }

Example:

{
  PHOTOPRISM_ADMIN_USER = "root";
  PHOTOPRISM_DEFAULT_LOCALE = "de";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/photoprism.nix>
services.photoprism.storagePath

Location for sidecar, cache, and database files.

Type: path

Default: "/var/lib/photoprism"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/photoprism.nix>
services.phpfpm.extraConfig

Extra configuration that should be put in the global section of the PHP-FPM configuration file. Do not specify the options error_log or daemonize here, since they are generated by NixOS.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phpfpm.phpOptions

Options appended to the PHP configuration file php.ini.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  date.timezone = "CET"
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phpfpm.phpPackage

The php package to use.

Type: package

Default: pkgs.php

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phpfpm.pools

PHP-FPM pools. If no pools are defined, the PHP-FPM service is disabled.

Type: attribute set of (submodule)

Default: { }

Example:

{
  mypool = {
    user = "php";
    group = "php";
    phpPackage = pkgs.php;
    settings = {
      "pm" = "dynamic";
      "pm.max_children" = 75;
      "pm.start_servers" = 10;
      "pm.min_spare_servers" = 5;
      "pm.max_spare_servers" = 20;
      "pm.max_requests" = 500;
    };
  }
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phpfpm.pools.<name>.extraConfig

Extra lines that go into the pool configuration. See the documentation on php-fpm.conf for details on configuration directives.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phpfpm.pools.<name>.group

Group account under which this pool runs.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phpfpm.pools.<name>.listen

The address on which to accept FastCGI requests.

Type: string

Default: ""

Example: "/path/to/unix/socket"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phpfpm.pools.<name>.phpEnv

Environment variables used for this PHP-FPM pool.

Type: attribute set of string

Default: { }

Example:

{
  HOSTNAME = "$HOSTNAME";
  TMP = "/tmp";
  TMPDIR = "/tmp";
  TEMP = "/tmp";
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phpfpm.pools.<name>.phpOptions

“Options appended to the PHP configuration file php.ini used for this PHP-FPM pool.”

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phpfpm.pools.<name>.phpPackage

The PHP package to use for running this PHP-FPM pool.

Type: package

Default: config.services.phpfpm.phpPackage

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phpfpm.pools.<name>.settings

PHP-FPM pool directives. Refer to the “List of pool directives” section of https://www.php.net/manual/en/install.fpm.configuration.php for details. Note that settings names must be enclosed in quotes (e.g. "pm.max_children" instead of pm.max_children).

Type: attribute set of (string or signed integer or boolean)

Default: { }

Example:

{
  "pm" = "dynamic";
  "pm.max_children" = 75;
  "pm.start_servers" = 10;
  "pm.min_spare_servers" = 5;
  "pm.max_spare_servers" = 20;
  "pm.max_requests" = 500;
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phpfpm.pools.<name>.socket

Path to the unix socket file on which to accept FastCGI requests.

Note

This option is read-only and managed by NixOS.

Type: string (read only)

Example: "/run/phpfpm/<name>.sock"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phpfpm.pools.<name>.user

User account under which this pool runs.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phpfpm.settings

PHP-FPM global directives. Refer to the “List of global php-fpm.conf directives” section of https://www.php.net/manual/en/install.fpm.configuration.php for details. Note that settings names must be enclosed in quotes (e.g. "pm.max_children" instead of pm.max_children). You need not specify the options error_log or daemonize here, since they are generated by NixOS.

Type: attribute set of (string or signed integer or boolean)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-servers/phpfpm/default.nix>
services.phylactery.enable

Whether to enable Phylactery server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/phylactery.nix>
services.phylactery.package

The phylactery package to use.

Type: package

Default: pkgs.phylactery

Declared by:

<nixpkgs/nixos/modules/services/web-apps/phylactery.nix>
services.phylactery.host

Listen host for Phylactery

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/phylactery.nix>
services.phylactery.library

Path to CBZ library

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/phylactery.nix>
services.phylactery.port

Listen port for Phylactery

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/phylactery.nix>
services.physlock.enable

Whether to enable the physlock screen locking mechanism.

Enable this and then run systemctl start physlock to securely lock the screen.

This will switch to a new virtual terminal, turn off console switching and disable SysRq mechanism (when services.physlock.disableSysRq is set) until the root or user password is given.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/physlock.nix>
services.physlock.allowAnyUser

Whether to allow any user to lock the screen. This will install a setuid wrapper to allow any user to start physlock as root, which is a minor security risk. Call the physlock binary to use this instead of using the systemd service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/physlock.nix>
services.physlock.disableSysRq

Whether to disable SysRq when locked with physlock.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/physlock.nix>
services.physlock.lockMessage

Message to show on physlock login terminal.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/security/physlock.nix>
services.physlock.lockOn.extraTargets

Other targets to lock the screen just before.

Useful if you want to e.g. both autologin to X11 so that your ~/.xsession gets executed and still to have the screen locked so that the system can be booted relatively unattended.

Type: list of string

Default: [ ]

Example:

[
  "display-manager.service"
]

Declared by:

<nixpkgs/nixos/modules/services/security/physlock.nix>
services.physlock.lockOn.hibernate

Whether to lock screen with physlock just before hibernate.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/physlock.nix>
services.physlock.lockOn.suspend

Whether to lock screen with physlock just before suspend.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/security/physlock.nix>
services.physlock.muteKernelMessages

Disable kernel messages on console while physlock is running.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/physlock.nix>
services.picom.enable

Whether or not to enable Picom as the X.org composite manager.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.package

The picom package to use.

Type: package

Default: pkgs.picom

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.activeOpacity

Opacity of active windows.

Type: integer or floating point number between 0 and 1 (both inclusive)

Default: 1.0

Example: 0.8

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.backend

Backend to use: egl, glx, xrender or xr_glx_hybrid.

Type: one of “egl”, “glx”, “xrender”, “xr_glx_hybrid”

Default: "xrender"

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.fade

Fade windows in and out.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.fadeDelta

Time between fade animation step (in ms).

Type: positive integer, meaning >0

Default: 10

Example: 5

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.fadeExclude

List of conditions of windows that should not be faded. See picom(1) man page for more examples.

Type: list of string

Default: [ ]

Example:

[
  "window_type *= 'menu'"
  "name ~= 'Firefox$'"
  "focused = 1"
]

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.fadeSteps

Opacity change between fade steps (in and out).

Type: pair of integer or floating point number between 0.01 and 1 (both inclusive)

Default:

[
  0.028
  0.03
]

Example:

[
  0.04
  0.04
]

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.inactiveOpacity

Opacity of inactive windows.

Type: integer or floating point number between 0.1 and 1 (both inclusive)

Default: 1.0

Example: 0.8

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.menuOpacity

Opacity of dropdown and popup menu.

Type: integer or floating point number between 0 and 1 (both inclusive)

Default: 1.0

Example: 0.8

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.opacityRules

Rules that control the opacity of windows, in format PERCENT:PATTERN.

Type: list of string

Default: [ ]

Example:

[
  "95:class_g = 'URxvt' && !_NET_WM_STATE@:32a"
  "0:_NET_WM_STATE@:32a *= '_NET_WM_STATE_HIDDEN'"
]

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.settings

Picom settings. Use this option to configure Picom settings not exposed in a NixOS option or to bypass one. For the available options see the CONFIGURATION FILES section at picom(1).

Type: libconfig configuration. The format consists of an attributes set (called a group) of settings. Each setting can be a scalar type (boolean, integer, floating point number or string), a list of scalars or a group itself

Default: { }

Example:

blur =
  { method = "gaussian";
    size = 10;
    deviation = 5.0;
  };

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.shadow

Draw window shadows.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.shadowExclude

List of conditions of windows that should have no shadow. See picom(1) man page for more examples.

Type: list of string

Default: [ ]

Example:

[
  "window_type *= 'menu'"
  "name ~= 'Firefox$'"
  "focused = 1"
]

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.shadowOffsets

Left and right offset for shadows (in pixels).

Type: pair of signed integer

Default:

[
  -15
  -15
]

Example:

[
  -10
  -15
]

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.shadowOpacity

Window shadows opacity.

Type: integer or floating point number between 0 and 1 (both inclusive)

Default: 0.75

Example: 0.8

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.vSync

Enable vertical synchronization. Chooses the best method (drm, opengl, opengl-oml, opengl-swc, opengl-mswc) automatically. The bool value should be used, the others are just for backwards compatibility.

Type: boolean or one of “none”, “drm”, “opengl”, “opengl-oml”, “opengl-swc”, “opengl-mswc”

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picom.wintypes

Rules for specific window types.

Type: attribute set

Default:

{
  popup_menu = { opacity = config.services.picom.menuOpacity; };
  dropdown_menu = { opacity = config.services.picom.menuOpacity; };
}

Example: { }

Declared by:

<nixpkgs/nixos/modules/services/x11/picom.nix>
services.picosnitch.enable

Whether to enable picosnitch daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/picosnitch.nix>
services.pict-rs.enable

Whether to enable pict-rs server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pict-rs.nix>
services.pict-rs.package

The pict-rs package to use.

Type: package

Default: pkgs.pict-rs

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pict-rs.nix>
services.pict-rs.address

The IPv4 address to deploy the service to.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pict-rs.nix>
services.pict-rs.dataDir

The directory where to store the uploaded images & database.

Type: path

Default: "/var/lib/pict-rs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pict-rs.nix>
services.pict-rs.port

The port which to bind the service to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pict-rs.nix>
services.pict-rs.repoPath

The directory where to store the database. This option takes precedence over dataDir.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pict-rs.nix>
services.pict-rs.storePath

The directory where to store the uploaded images. This option takes precedence over dataDir.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pict-rs.nix>
services.pingvin-share.enable

Whether to enable Pingvin Share, a self-hosted file sharing platform.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pingvin-share.nix>
services.pingvin-share.backend.package

The backend package to use.

Type: package

Default: pkgs.pingvin-share.backend

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pingvin-share.nix>
services.pingvin-share.backend.port

The port that the backend service of Pingvin Share will listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Example: 9000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pingvin-share.nix>
services.pingvin-share.dataDir

The path to the data directory in which Pingvin Share will store its data.

Type: path

Default: "/var/lib/pingvin-share"

Example: "/var/lib/pingvin"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pingvin-share.nix>
services.pingvin-share.frontend.package

The frontend package to use.

Type: package

Default: pkgs.pingvin-share.frontend

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pingvin-share.nix>
services.pingvin-share.frontend.port

The port that the frontend service of Pingvin Share will listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Example: 8000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pingvin-share.nix>
services.pingvin-share.group

Group under which Pingvin Share runs.

Type: string

Default: "pingvin"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pingvin-share.nix>
services.pingvin-share.hostname

The domain name of your instance. If null, the redirections will be made to localhost.

Type: string

Default: localhost:${options.services.pingvin-share.backend.port}

Example: "pingvin-share.domain.tdl"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pingvin-share.nix>
services.pingvin-share.https

Whether to enable HTTPS for the domain.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pingvin-share.nix>
services.pingvin-share.nginx.enable

Whether to enable a Nginx reverse proxy for Pingvin Share…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pingvin-share.nix>
services.pingvin-share.openFirewall

Whether to open the firewall for the port in services.pingvin-share.frontend.port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pingvin-share.nix>
services.pingvin-share.user

User account under which Pingvin Share runs.

Type: string

Default: "pingvin"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pingvin-share.nix>
services.pinnwand.enable

Whether to enable Pinnwand, a pastebin.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/pinnwand.nix>
services.pinnwand.port

The port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8000

Declared by:

<nixpkgs/nixos/modules/services/misc/pinnwand.nix>
services.pinnwand.settings

Your pinnwand.toml as a Nix attribute set. Look up possible options in the documentation.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/pinnwand.nix>
services.pinnwand.settings.database_uri

Database URI compatible with [SQLAlchemyhttps://docs.sqlalchemy.org/en/14/core/engines.html#database-urls].

Additional packages may need to be introduced into the environment for certain databases.

Type: string

Default: "sqlite:////var/lib/pinnwand/pinnwand.db"

Example: "sqlite:///:memory"

Declared by:

<nixpkgs/nixos/modules/services/misc/pinnwand.nix>
services.pinnwand.settings.footer

The footer in raw HTML.

Type: string

Default:

''
  View <a href="//github.com/supakeen/pinnwand" target="_BLANK">source code</a>, the <a href="/removal">removal</a> or <a href="/expiry">expiry</a> stories, or read the <a href="/about">about</a> page.
''

Declared by:

<nixpkgs/nixos/modules/services/misc/pinnwand.nix>
services.pinnwand.settings.paste_help

Raw HTML help text shown in the header area.

Type: string

Default:

''
  <p>Welcome to pinnwand, this site is a pastebin. It allows you to share code with others. If you write code in the text area below and press the paste button you will be given a link you can share with others so they can view your code as well.</p><p>People with the link can view your pasted code, only you can remove your paste and it expires automatically. Note that anyone could guess the URI to your paste so don't rely on it being private.</p>
''

Declared by:

<nixpkgs/nixos/modules/services/misc/pinnwand.nix>
services.pinnwand.settings.paste_size

Maximum size of a paste in bytes.

Type: positive integer, meaning >0

Default: 262144

Example: 524288

Declared by:

<nixpkgs/nixos/modules/services/misc/pinnwand.nix>
services.pipewire.enable

Whether to enable PipeWire service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.package

The pipewire package to use.

Type: package

Default: pkgs.pipewire

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.alsa.enable

Whether to enable ALSA support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.alsa.support32Bit

Whether to enable 32-bit ALSA support on 64-bit systems.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.audio.enable

Whether to use PipeWire as the primary sound server

Type: boolean

Default: config.services.pipewire.alsa.enable || config.services.pipewire.jack.enable || config.services.pipewire.pulse.enable

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.configPackages

List of packages that provide PipeWire configuration, in the form of share/pipewire/*/*.conf files.

LV2 dependencies will be picked up from config packages automatically via passthru.requiredLv2Packages.

Type: list of package

Default: [ ]

Example:

[
          (pkgs.writeTextDir "share/pipewire/pipewire.conf.d/10-loopback.conf" ''
            context.modules = [
            {   name = libpipewire-module-loopback
                args = {
                  node.description = "Scarlett Focusrite Line 1"
                  capture.props = {
                      audio.position = [ FL ]
                      stream.dont-remix = true
                      node.target = "alsa_input.usb-Focusrite_Scarlett_Solo_USB_Y7ZD17C24495BC-00.analog-stereo"
                      node.passive = true
                  }
                  playback.props = {
                      node.name = "SF_mono_in_1"
                      media.class = "Audio/Source"
                      audio.position = [ MONO ]
                  }
                }
            }
            ]
          '')
        ]

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.extraConfig.client

Additional configuration for the PipeWire client library, used by most applications.

Every item in this attrset becomes a separate drop-in file in /etc/pipewire/client.conf.d.

See the PipeWire wiki for examples.

Type: attribute set of (JSON value)

Default: { }

Example:

{
  "10-no-resample" = {
    "stream.properties" = {
      "resample.disable" = true;
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.extraConfig.client-rt

Additional configuration for the PipeWire client library, used by real-time applications and legacy ALSA clients.

Every item in this attrset becomes a separate drop-in file in /etc/pipewire/client-rt.conf.d.

See the PipeWire wiki for examples of general configuration, and PipeWire wiki - ALSA for ALSA clients.

Type: attribute set of (JSON value)

Default: { }

Example:

{
  "10-alsa-linear-volume" = {
    "alsa.properties" = {
      "alsa.volume-method" = "linear";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.extraConfig.jack

Additional configuration for the PipeWire JACK server and client library.

Every item in this attrset becomes a separate drop-in file in /etc/pipewire/jack.conf.d.

See the PipeWire wiki for examples.

Type: attribute set of (JSON value)

Default: { }

Example:

{
  "20-hide-midi" = {
    "jack.properties" = {
      "jack.show-midi" = false;
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.extraConfig.pipewire

Additional configuration for the PipeWire server.

Every item in this attrset becomes a separate drop-in file in /etc/pipewire/pipewire.conf.d.

See man pipewire.conf for details, and the PipeWire wiki for examples.

See also:

Type: attribute set of (JSON value)

Default: { }

Example:

{
  "10-clock-rate" = {
    "context.properties" = {
      "default.clock.rate" = 44100;
    };
  };
  "11-no-upmixing" = {
    "stream.properties" = {
      "channelmix.upmix" = false;
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.extraConfig.pipewire-pulse

Additional configuration for the PipeWire PulseAudio server.

Every item in this attrset becomes a separate drop-in file in /etc/pipewire/pipewire-pulse.conf.d.

See man pipewire-pulse.conf for details, and the PipeWire wiki for examples.

See also:

Type: attribute set of (JSON value)

Default: { }

Example:

{
  "15-force-s16-info" = {
    "pulse.rules" = [
      {
        actions = {
          quirks = [
            "force-s16-info"
          ];
        };
        matches = [
          {
            "application.process.binary" = "my-broken-app";
          }
        ];
      }
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.extraLv2Packages

List of packages that provide LV2 plugins in lib/lv2 that should be made available to PipeWire for filter chains.

Config packages have their required LV2 plugins added automatically, so they don’t need to be specified here. Config packages need to set passthru.requiredLv2Packages for this to work.

Type: list of package

Default: [ ]

Example: [ pkgs.lsp-plugins ]

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.jack.enable

Whether to enable JACK audio emulation.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.pulse.enable

Whether to enable PulseAudio server emulation.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.raopOpenFirewall

Opens UDP/6001-6002, required by RAOP/Airplay for timing and control data.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.socketActivation

Automatically run PipeWire when connections are made to the PipeWire socket.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.systemWide

If true, a system-wide PipeWire service and socket is enabled allowing all users in the “pipewire” group to use it simultaneously. If false, then user units are used instead, restricting access to only one user.

Enabling system-wide PipeWire is however not recommended and disabled by default according to https://github.com/PipeWire/pipewire/blob/master/NEWS

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix>
services.pipewire.wireplumber.enable

Whether to enable WirePlumber, a modular session / policy manager for PipeWire

Type: boolean

Default: config.services.pipewire.enable

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/wireplumber.nix>
services.pipewire.wireplumber.package

The WirePlumber derivation to use.

Type: package

Default: pkgs.wireplumber

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/wireplumber.nix>
services.pipewire.wireplumber.configPackages

List of packages that provide WirePlumber configuration, in the form of share/wireplumber/*/*.conf files.

LV2 dependencies will be picked up from config packages automatically via passthru.requiredLv2Packages.

Type: list of package

Default: [ ]

Example:

[
          (pkgs.writeTextDir "share/wireplumber/wireplumber.conf.d/10-bluez.conf" ''
            monitor.bluez.properties = {
              bluez5.roles = [ a2dp_sink a2dp_source bap_sink bap_source hsp_hs hsp_ag hfp_hf hfp_ag ]
              bluez5.codecs = [ sbc sbc_xq aac ]
              bluez5.enable-sbc-xq = true
              bluez5.hfphsp-backend = "native"
            }
          '')
        ]

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/wireplumber.nix>
services.pipewire.wireplumber.extraConfig

Additional configuration for the WirePlumber daemon when run in single-instance mode (the default in nixpkgs and currently the only supported way to run WirePlumber configured via extraConfig).

See also:

Note that WirePlumber (and PipeWire) use dotted attribute names like device.product.id. These are not nested, but flat objects for WirePlumber/PipeWire, so to write these in nix expressions, remember to quote them like "device.product.id". Have a look at the example for this.

Type: attribute set of attribute set of (JSON value)

Default: { }

Example:

{
          "log-level-debug" = {
            "context.properties" = {
              # Output Debug log messages as opposed to only the default level (Notice)
              "log.level" = "D";
            };
          };
          "wh-1000xm3-ldac-hq" = {
            "monitor.bluez.rules" = [
              {
                matches = [
                  {
                    # Match any bluetooth device with ids equal to that of a WH-1000XM3
                    "device.name" = "~bluez_card.*";
                    "device.product.id" = "0x0cd3";
                    "device.vendor.id" = "usb:054c";
                  }
                ];
                actions = {
                  update-props = {
                    # Set quality to high quality instead of the default of auto
                    "bluez5.a2dp.ldac.quality" = "hq";
                  };
                };
              }
            ];
          };
        }

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/wireplumber.nix>
services.pipewire.wireplumber.extraLv2Packages

List of packages that provide LV2 plugins in lib/lv2 that should be made available to WirePlumber for filter chains.

Config packages have their required LV2 plugins added automatically, so they don’t need to be specified here. Config packages need to set passthru.requiredLv2Packages for this to work.

Type: list of package

Default: [ ]

Example: [ pkgs.lsp-plugins ]

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/wireplumber.nix>
services.pipewire.wireplumber.extraScripts

Additional scripts for WirePlumber to be used by configuration files.

Every item in this attrset becomes a separate lua file with the path relative to the scripts directory specified in the name of the item. The scripts get passed to the WirePlumber service via the XDG_DATA_DIRS variable. Scripts specified here are preferred over those shipped with WirePlumber if they occupy the same relative path.

For a script to be loaded, it needs to be specified as part of a component, and that component needs to be required by an active profile (e.g. main). Components can be defined in config files either via extraConfig or configPackages.

For the hello-world example, you’d have to add the following extraConfig:

  services.pipewire.wireplumber.extraConfig."99-hello-world" = {
    "wireplumber.components" = [
      {
        name = "test/hello-world.lua";
        type = "script/lua";
        provides = "custom.hello-world";
      }
    ];

    "wireplumber.profiles" = {
      main = {
        "custom.hello-world" = "required";
      };
    };
  };

See also:

Type: attribute set of strings concatenated with “\n”

Default: { }

Example:

{
  "test/hello-world.lua" = ''
    print("Hello, world!")
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/desktops/pipewire/wireplumber.nix>
services.pixelfed.enable

Whether to enable a Pixelfed instance.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.package

The pixelfed package to use.

Type: package

Default: pkgs.pixelfed

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.dataDir

State directory of the pixelfed user which holds the application’s state and data.

Type: string

Default: "/var/lib/pixelfed"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.database.automaticMigrations

Whether to enable automatic migrations for database schema and data.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.database.createLocally

Whether to enable a local database using UNIX socket authentication.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.database.name

Database name.

Type: string

Default: "pixelfed"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.database.type

Database engine to use. Note that PGSQL is not well supported: https://github.com/pixelfed/pixelfed/issues/2727

Type: one of “mysql”, “pgsql”

Default: "mysql"

Example: "pgsql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.domain

FQDN for the Pixelfed instance.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.group

Group account under which pixelfed runs.

Note

If left as the default value this group will automatically be created on system activation, otherwise you are responsible for ensuring the group exists before the pixelfed application starts.

Type: string

Default: "pixelfed"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.maxUploadSize

Max upload size with units.

Type: string

Default: "8M"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx

With this option, you can customize an nginx virtual host which already has sensible defaults for Dolibarr. Set to {} if you do not need any customization to the virtual host. If enabled, then by default, the serverName is ${domain}, If this is set to null (the default), no nginx virtualHost will be configured.

Type: null or (submodule)

Default: null

Example:

{
  serverAliases = [
    "pics.${config.networking.domain}"
  ];
  enableACME = true;
  forceHttps = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.phpPackage

The php82 package to use.

Type: package

Default: pkgs.php82

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.poolConfig

Options for Pixelfed’s PHP-FPM pool.

Type: attribute set of (signed integer or string or boolean)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.redis.createLocally

Whether to enable a local Redis database using UNIX socket authentication.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.runtimeDir

Ruutime directory of the pixelfed user which holds the application’s caches and temporary files.

Type: string

Default: "/run/pixelfed"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.schedulerInterval

How often the Pixelfed cron task should run

Type: string

Default: "1d"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.secretFile

A secret file to be sourced for the .env settings. Place APP_KEY and other settings that should not end up in the Nix store here.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.settings

.env settings for Pixelfed. Secrets should use secretFile option instead.

Type: attribute set of (boolean or signed integer or string)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixelfed.user

User account under which pixelfed runs.

Note

If left as the default value this user will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the pixelfed application starts.

Type: string

Default: "pixelfed"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pixelfed.nix>
services.pixiecore.enable

Whether to enable Pixiecore.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.pixiecore.apiServer

URI to connect to the API. Ignored unless mode is set to ‘api’

Type: string

Example: "http://localhost:8080"

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.pixiecore.cmdLine

Kernel commandline arguments. Ignored unless mode is set to ‘boot’

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.pixiecore.debug

Log more things that aren’t directly related to booting a recognized client

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.pixiecore.dhcpNoBind

Handle DHCP traffic without binding to the DHCP server port

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.pixiecore.extraArguments

Additional command line arguments to pass to Pixiecore

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.pixiecore.initrd

Initrd path. Ignored unless mode is set to ‘boot’

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.pixiecore.kernel

Kernel path. Ignored unless mode is set to ‘boot’

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.pixiecore.listen

IPv4 address to listen on

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.pixiecore.mode

Which mode to use

Type: one of “api”, “boot”, “quick”

Default: "boot"

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.pixiecore.openFirewall

Open ports (67, 69, 4011 UDP and ‘port’, ‘statusPort’ TCP) in the firewall for Pixiecore.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.pixiecore.port

Port to listen on for HTTP

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 80

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.pixiecore.quick

Which quick option to use

Type: one of “arch”, “centos”, “coreos”, “debian”, “fedora”, “ubuntu”, “xyz”

Default: "xyz"

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.pixiecore.statusPort

HTTP port for status information (can be the same as --port)

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 80

Declared by:

<nixpkgs/nixos/modules/services/networking/pixiecore.nix>
services.plantuml-server.enable

Whether to enable PlantUML server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix>
services.plantuml-server.package

The plantuml-server package to use.

Type: package

Default: pkgs.plantuml-server

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix>
services.plantuml-server.packages.jdk

The jdk package to use.

Type: package

Default: pkgs.jdk

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix>
services.plantuml-server.packages.jetty

The jetty package to use. At the time of writing (v1.2023.12), PlantUML Server does not support Jetty versions higher than 12.x.

Jetty 12.x has introduced major breaking changes, see https://github.com/jetty/jetty.project/releases/tag/jetty-12.0.0 and https://eclipse.dev/jetty/documentation/jetty-12/programming-guide/index.html#pg-migration-11-to-12

Type: package

Default: pkgs.jetty_11

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix>
services.plantuml-server.graphvizPackage

The graphviz package to use.

Type: package

Default: pkgs.graphviz

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix>
services.plantuml-server.group

Group which runs PlantUML server.

Type: string

Default: "plantuml"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix>
services.plantuml-server.home

Home directory of the PlantUML server instance.

Type: path

Default: "/var/lib/plantuml"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix>
services.plantuml-server.httpAuthorization

When calling the proxy endpoint, the value of HTTP_AUTHORIZATION will be used to set the HTTP Authorization header.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix>
services.plantuml-server.listenHost

Host to listen on.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix>
services.plantuml-server.listenPort

Port to listen on.

Type: signed integer

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix>
services.plantuml-server.plantumlLimitSize

Limits image width and height.

Type: signed integer

Default: 4096

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix>
services.plantuml-server.plantumlStats

Set it to on to enable statistics report (https://plantuml.com/statistics-report).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix>
services.plantuml-server.user

User which runs PlantUML server.

Type: string

Default: "plantuml"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plantuml-server.nix>
services.plausible.enable

Whether to enable plausible.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.package

The plausible package to use.

Type: package

Default: pkgs.plausible

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.database.clickhouse.setup

Whether to enable creating a clickhouse instance.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.database.clickhouse.url

The URL to be used to connect to clickhouse.

Type: string

Default: "http://localhost:8123/default"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.database.postgres.dbname

Name of the database to use.

Type: string

Default: "plausible"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.database.postgres.setup

Whether to enable creating a postgresql instance.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.database.postgres.socket

Path to the UNIX domain-socket to communicate with postgres.

Type: string

Default: "/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.mail.email

The email id to use for as from address of all communications from Plausible.

Type: string

Default: "hello@plausible.local"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.mail.smtp.enableSSL

Whether to enable SSL when connecting to the SMTP server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.mail.smtp.hostAddr

The host address of your smtp server.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.mail.smtp.hostPort

The port of your smtp server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 25

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.mail.smtp.passwordFile

The path to the file with the password in case SMTP auth is enabled.

Type: null or string or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.mail.smtp.retries

Number of retries to make until mailer gives up.

Type: unsigned integer, meaning >=0

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.mail.smtp.user

The username/email in case SMTP auth is enabled.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.server.baseUrl

Public URL where plausible is available.

Note that /path components are currently ignored: https://github.com/plausible/analytics/issues/1182 .

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.server.disableRegistration

Whether to prohibit creating an account in plausible’s UI or allow on invite_only.

Type: one of true, false, “invite_only”

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.server.listenAddress

The IP address on which the server is listening.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.server.port

Port where the service should be available.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.plausible.server.secretKeybaseFile

Path to the secret used by the phoenix-framework. Instructions how to generate one are documented in the framework docs.

Type: path or string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/plausible.nix>
services.playerctld.enable

Whether to enable the playerctld daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/playerctld.nix>
services.playerctld.package

The playerctl package to use.

Type: package

Default: pkgs.playerctl

Declared by:

<nixpkgs/nixos/modules/services/desktops/playerctld.nix>
services.pleroma.enable

Whether to enable pleroma.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/pleroma.nix>
services.pleroma.package

The pleroma package to use.

Type: package

Default: pkgs.pleroma

Declared by:

<nixpkgs/nixos/modules/services/networking/pleroma.nix>
services.pleroma.configs

Pleroma public configuration.

This list gets appended from left to right into /etc/pleroma/config.exs. Elixir evaluates its configuration imperatively, meaning you can override a setting by appending a new str to this NixOS option list.

DO NOT STORE ANY PLEROMA SECRET HERE, use services.pleroma.secretConfigFile instead.

This setting is going to be stored in a file part of the Nix store. The Nix store being world-readable, it’s not the right place to store any secret

Have a look to Pleroma section in the NixOS manual for more information.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/networking/pleroma.nix>
services.pleroma.group

Group account under which pleroma runs.

Type: string

Default: "pleroma"

Declared by:

<nixpkgs/nixos/modules/services/networking/pleroma.nix>
services.pleroma.secretConfigFile

Path to the file containing your secret pleroma configuration.

DO NOT POINT THIS OPTION TO THE NIX STORE, the store being world-readable, it’ll compromise all your secrets.

Type: string

Default: "/var/lib/pleroma/secrets.exs"

Declared by:

<nixpkgs/nixos/modules/services/networking/pleroma.nix>
services.pleroma.stateDir

Directory where the pleroma service will save the uploads and static files.

Type: string (read only)

Default: "/var/lib/pleroma"

Declared by:

<nixpkgs/nixos/modules/services/networking/pleroma.nix>
services.pleroma.user

User account under which pleroma runs.

Type: string

Default: "pleroma"

Declared by:

<nixpkgs/nixos/modules/services/networking/pleroma.nix>
services.plex.enable

Whether to enable Plex Media Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/plex.nix>
services.plex.package

The plex package to use. Plex subscribers may wish to use their own package here, pointing to subscriber-only server versions.

Type: package

Default: pkgs.plex

Declared by:

<nixpkgs/nixos/modules/services/misc/plex.nix>
services.plex.accelerationDevices

A list of device paths to hardware acceleration devices that Plex should have access to. This is useful when transcoding media files. The special value "*" will allow all devices.

Type: list of string

Default:

[
  "*"
]

Example:

[
  "/dev/dri/renderD128"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/plex.nix>
services.plex.dataDir

The directory where Plex stores its data files.

Type: string

Default: "/var/lib/plex"

Declared by:

<nixpkgs/nixos/modules/services/misc/plex.nix>
services.plex.extraPlugins

A list of paths to extra plugin bundles to install in Plex’s plugin directory. Every time the systemd unit for Plex starts up, all of the symlinks in Plex’s plugin directory will be cleared and this module will symlink all of the paths specified here to that directory.

Type: list of path

Default: [ ]

Example:

[
  (builtins.path {
    name = "Audnexus.bundle";
    path = pkgs.fetchFromGitHub {
      owner = "djdembeck";
      repo = "Audnexus.bundle";
      rev = "v0.2.8";
      sha256 = "sha256-IWOSz3vYL7zhdHan468xNc6C/eQ2C2BukQlaJNLXh7E=";
    };
  })
]

Declared by:

<nixpkgs/nixos/modules/services/misc/plex.nix>
services.plex.extraScanners

A list of paths to extra scanners to install in Plex’s scanners directory.

Every time the systemd unit for Plex starts up, all of the symlinks in Plex’s scanners directory will be cleared and this module will symlink all of the paths specified here to that directory.

Type: list of path

Default: [ ]

Example:

[
  (fetchFromGitHub {
    owner = "ZeroQI";
    repo = "Absolute-Series-Scanner";
    rev = "773a39f502a1204b0b0255903cee4ed02c46fde0";
    sha256 = "4l+vpiDdC8L/EeJowUgYyB3JPNTZ1sauN8liFAcK+PY=";
  })
]

Declared by:

<nixpkgs/nixos/modules/services/misc/plex.nix>
services.plex.group

Group under which Plex runs.

Type: string

Default: "plex"

Declared by:

<nixpkgs/nixos/modules/services/misc/plex.nix>
services.plex.openFirewall

Open ports in the firewall for the media server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/plex.nix>
services.plex.user

User account under which Plex runs.

Type: string

Default: "plex"

Declared by:

<nixpkgs/nixos/modules/services/misc/plex.nix>
services.plikd.enable

Whether to enable plikd, a temporary file upload system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/plikd.nix>
services.plikd.openFirewall

Open ports in the firewall for the plikd.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/plikd.nix>
services.plikd.settings

Configuration for plikd, see https://github.com/root-gg/plik/blob/master/server/plikd.cfg for supported values.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/plikd.nix>
services.podgrab.enable

Whether to enable Podgrab, a self-hosted podcast manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/podgrab.nix>
services.podgrab.dataDirectory

Directory to store downloads.

Type: path

Default: "/var/lib/podgrab/data"

Example: "/mnt/podcasts"

Declared by:

<nixpkgs/nixos/modules/services/misc/podgrab.nix>
services.podgrab.group

Group under which Podgrab runs, and which owns the download directory.

Type: string

Default: "podgrab"

Declared by:

<nixpkgs/nixos/modules/services/misc/podgrab.nix>
services.podgrab.passwordFile

The path to a file containing the PASSWORD environment variable definition for Podgrab’s authentication.

Type: null or string

Default: null

Example: "/run/secrets/password.env"

Declared by:

<nixpkgs/nixos/modules/services/misc/podgrab.nix>
services.podgrab.port

The port on which Podgrab will listen for incoming HTTP traffic.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Example: 4242

Declared by:

<nixpkgs/nixos/modules/services/misc/podgrab.nix>
services.podgrab.user

User under which Podgrab runs, and which owns the download directory.

Type: string

Default: "podgrab"

Declared by:

<nixpkgs/nixos/modules/services/misc/podgrab.nix>
services.polaris.enable

Whether to enable Polaris Music Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/polaris.nix>
services.polaris.package

The polaris package to use.

Type: package

Default: pkgs.polaris

Declared by:

<nixpkgs/nixos/modules/services/misc/polaris.nix>
services.polaris.extraGroups

Polaris’ auxiliary groups.

Type: list of string

Default: [ ]

Example: ["media" "music"]

Declared by:

<nixpkgs/nixos/modules/services/misc/polaris.nix>
services.polaris.group

Group under which Polaris is run.

Type: string

Default: "polaris"

Declared by:

<nixpkgs/nixos/modules/services/misc/polaris.nix>
services.polaris.openFirewall

Open the configured port in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/polaris.nix>
services.polaris.port

The port which the Polaris REST api and web UI should listen to. Note: polaris is hardcoded to listen to the hostname “0.0.0.0”.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5050

Declared by:

<nixpkgs/nixos/modules/services/misc/polaris.nix>
services.polaris.settings

Contents for the TOML Polaris config, applied each start. Although poorly documented, an example may be found here: test-config.toml

Type: TOML value

Default: { }

Example:

{
  settings.reindex_every_n_seconds = 7*24*60*60; # weekly, default is 1800
  settings.album_art_pattern =
    "(cover|front|folder)\.(jpeg|jpg|png|bmp|gif)";
  mount_dirs = [
    {
      name = "NAS";
      source = "/mnt/nas/music";
    }
    {
      name = "Local";
      source = "/home/my_user/Music";
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/misc/polaris.nix>
services.polaris.user

User account under which Polaris runs.

Type: string

Default: "polaris"

Declared by:

<nixpkgs/nixos/modules/services/misc/polaris.nix>
services.polipo.enable

Whether to enable polipo caching web proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/polipo.nix>
services.polipo.allowedClients

List of IP addresses or network addresses that may connect to Polipo.

Type: list of string

Default:

[
  "127.0.0.1"
  "::1"
]

Example:

[
  "127.0.0.1"
  "::1"
  "134.157.168.0/24"
  "2001:660:116::/48"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/polipo.nix>
services.polipo.extraConfig

Polio configuration. Contents will be added verbatim to the configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/polipo.nix>
services.polipo.parentProxy

Hostname and port number of an HTTP parent proxy; it should have the form ‘host:port’.

Type: string

Default: ""

Example: "localhost:8124"

Declared by:

<nixpkgs/nixos/modules/services/networking/polipo.nix>
services.polipo.proxyAddress

IP address on which Polipo will listen.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/polipo.nix>
services.polipo.proxyPort

TCP port on which Polipo will listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8123

Declared by:

<nixpkgs/nixos/modules/services/networking/polipo.nix>
services.polipo.socksParentProxy

Hostname and port number of an SOCKS parent proxy; it should have the form ‘host:port’.

Type: string

Default: ""

Example: "localhost:9050"

Declared by:

<nixpkgs/nixos/modules/services/networking/polipo.nix>
services.pomerium.enable

Whether to enable the Pomerium authenticating reverse proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/pomerium.nix>
services.pomerium.configFile

Path to Pomerium config YAML. If set, overrides services.pomerium.settings.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/pomerium.nix>
services.pomerium.secretsFile

Path to file containing secrets for Pomerium, in systemd EnvironmentFile format. See the systemd.exec(5) man page.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/pomerium.nix>
services.pomerium.settings

The contents of Pomerium’s config.yaml, in Nix expressions.

Specifying configFile will override this in its entirety.

See the Pomerium configuration reference for more information about what to put here.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-servers/pomerium.nix>
services.pomerium.useACMEHost

If set, use a NixOS-generated ACME certificate with the specified name.

Note that this will require you to use a non-HTTP-based challenge, or disable Pomerium’s in-built HTTP redirect server by setting http_redirect_addr to null and use a different HTTP server for serving the challenge response.

If you’re using an HTTP-based challenge, you should use the Pomerium-native autocert option instead.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/pomerium.nix>
services.porn-vault.enable

Whether to enable Porn-Vault.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/porn-vault/default.nix>
services.porn-vault.package

The porn-vault package to use.

Type: package

Default: pkgs.porn-vault

Declared by:

<nixpkgs/nixos/modules/services/web-apps/porn-vault/default.nix>
services.porn-vault.autoStart

Whether to start porn-vault automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/porn-vault/default.nix>
services.porn-vault.openFirewall

Whether to open the Porn-Vault port in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/porn-vault/default.nix>
services.porn-vault.port

Which port Porn-Vault will use.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/porn-vault/default.nix>
services.porn-vault.settings

Configuration for Porn-Vault. The attributes are serialized to JSON in config.json.

See https://gitlab.com/porn-vault/porn-vault/-/blob/dev/config.example.json

Type: JSON value

Default:

{
  auth = {
    password = null;
  };
  binaries = {
    ffmpeg = "ffmpeg";
    ffprobe = "ffprobe";
    imagemagick = {
      convertPath = "convert";
      identifyPath = "identify";
      montagePath = "montage";
    };
    izzyPort = 8000;
  };
  import = {
    images = [
      {
        enable = true;
        exclude = [ ];
        extensions = [
          ".jpg"
          ".jpeg"
          ".png"
          ".gif"
        ];
        include = [ ];
        path = "/media/porn-vault/images";
      }
    ];
    scanInterval = 10800000;
    videos = [
      {
        enable = true;
        exclude = [ ];
        extensions = [
          ".mp4"
          ".mov"
          ".webm"
        ];
        include = [ ];
        path = "/media/porn-vault/videos";
      }
    ];
  };
  log = {
    level = "debug";
    maxFiles = "5";
    maxSize = "20m";
    writeFile = [
      {
        level = "debug";
        prefix = "errors-";
        silent = false;
      }
    ];
  };
  matching = {
    applyActorLabels = [
      "event:actor:create"
      "event:actor:find-unmatched-scenes"
      "plugin:actor:create"
      "event:scene:create"
      "plugin:scene:create"
      "event:image:create"
      "plugin:marker:create"
      "event:marker:create"
    ];
    applySceneLabels = true;
    applyStudioLabels = [
      "event:studio:create"
      "event:studio:find-unmatched-scenes"
      "plugin:studio:create"
      "event:scene:create"
      "plugin:scene:create"
    ];
    extractSceneActorsFromFilepath = true;
    extractSceneLabelsFromFilepath = true;
    extractSceneMoviesFromFilepath = true;
    extractSceneStudiosFromFilepath = true;
    matchCreatedActors = true;
    matchCreatedLabels = true;
    matchCreatedStudios = true;
    matcher = {
      options = {
        camelCaseWordGroups = true;
        enableWordGroups = true;
        filepathSeparators = [
          "[/\\\\&]"
        ];
        groupSeparators = [
          "[\\s',()[\\]{}*\\.]"
        ];
        ignoreDiacritics = true;
        ignoreSingleNames = false;
        overlappingMatchPreference = "longest";
        wordSeparatorFallback = true;
        wordSeparators = [
          "[-_]"
        ];
      };
      type = "word";
    };
  };
  persistence = {
    backup = {
      enable = true;
      maxAmount = 10;
    };
    libraryPath = "/media/porn-vault/lib";
  };
  plugins = {
    allowActorThumbnailOverwrite = false;
    allowMovieThumbnailOverwrite = false;
    allowSceneThumbnailOverwrite = false;
    allowStudioThumbnailOverwrite = false;
    createMissingActors = false;
    createMissingLabels = false;
    createMissingMovies = false;
    createMissingStudios = false;
    events = {
      actorCreated = [ ];
      actorCustom = [ ];
      movieCustom = [ ];
      sceneCreated = [ ];
      sceneCustom = [ ];
      studioCreated = [ ];
      studioCustom = [ ];
    };
    markerDeduplicationThreshold = 5;
    register = { };
  };
  processing = {
    generateImageThumbnails = true;
    generatePreviews = true;
    readImagesOnImport = false;
  };
  server = {
    https = {
      certificate = "";
      enable = false;
      key = "";
    };
  };
  transcode = {
    h264 = {
      crf = 23;
      preset = "veryfast";
    };
    hwaDriver = null;
    vaapiDevice = "/dev/dri/renderD128";
    webm = {
      cpuUsed = 3;
      crf = 31;
      deadline = "realtime";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/porn-vault/default.nix>
services.portunus.enable

Whether to enable Portunus, a self-contained user/group management and authentication service for LDAP.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.package

The portunus package to use.

Type: package

Default: pkgs.portunus

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.dex.enable

Whether to enable Dex ldap connector.

To activate dex, first a search user must be created in the Portunus web ui and then the password must to be set as the DEX_SEARCH_USER_PASSWORD environment variable in the services.dex.environmentFile setting .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.dex.oidcClients

List of OIDC clients.

The OIDC secret must be set as the DEX_CLIENT_${id} environment variable in the services.dex.environmentFile setting.

Note

Make sure the id only contains characters that are allowed in an environment variable name, e.g. no -.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    callbackURL = "https://example.com/client/oidc/callback";
    id = "service";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.dex.oidcClients.*.callbackURL

URL where the OIDC client should redirect

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.dex.oidcClients.*.id

ID of the OIDC client

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.dex.port

Port where dex should listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5556

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.domain

Subdomain which gets reverse proxied to Portunus webserver.

Type: string

Example: "sso.example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.group

Group account under which Portunus runs its webserver.

Type: string

Default: "portunus"

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.ldap.package

The OpenLDAP package to use.

Type: package

Default: pkgs.openldap

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.ldap.group

Group account under which Portunus runs its LDAP server.

Type: string

Default: "openldap"

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.ldap.searchUserName

The login name of the search user. This user account must be configured in Portunus either manually or via seeding.

Type: string

Default: ""

Example: "admin"

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.ldap.suffix

The DN of the topmost entry in your LDAP directory. Please refer to the Portunus documentation for more information on how this impacts the structure of the LDAP directory.

Type: string

Example: "dc=example,dc=org"

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.ldap.tls

Whether to enable LDAPS protocol. This also adds two entries to the /etc/hosts file to point services.portunus.domain to localhost, so that CLIs and programs can use ldaps protocol and verify the certificate without opening the firewall port for the protocol.

This requires a TLS certificate for services.portunus.domain to be configured via security.acme.certs.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.ldap.user

User account under which Portunus runs its LDAP server.

Type: string

Default: "openldap"

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.port

Port where the Portunus webserver should listen on.

This must be put behind a TLS-capable reverse proxy because Portunus only listens on localhost.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.seedPath

Path to a portunus seed file in json format. See https://github.com/majewsky/portunus#seeding-users-and-groups-from-static-configuration for available options.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.seedSettings

Seed settings for users and groups. See upstream for format https://github.com/majewsky/portunus#seeding-users-and-groups-from-static-configuration

Type: null or (attribute set of list of attribute set of anything)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.stateDir

Path where Portunus stores its state.

Type: path

Default: "/var/lib/portunus"

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.portunus.user

User account under which Portunus runs its webserver.

Type: string

Default: "portunus"

Declared by:

<nixpkgs/nixos/modules/services/misc/portunus.nix>
services.postfix.enable

Whether to run the Postfix mail server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.enableHeaderChecks

Whether to enable postfix header checks

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.enableSmtp

Whether to enable smtp in master.cf.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.enableSubmission

Whether to enable smtp submission.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.enableSubmissions

Whether to enable smtp submission via smtps.

According to RFC 8314 this should be preferred over STARTTLS for submission of messages by end user clients.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.aliasFiles

Aliases’ tables to be compiled and placed into /var/lib/postfix/conf.

Type: attribute set of path

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.aliasMapType

The format the alias map should have. Use regexp if you want to use regular expressions.

Type: one of “hash”, “regexp”, “pcre”

Default: "hash"

Example: "regexp"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.canonical

Entries for the canonical(5) table.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.config

The main.cf configuration file as key value set.

Type: attribute set of (boolean or signed integer or string or list of string)

Example:

{
  mail_owner = "postfix";
  smtp_tls_security_level = "may";
}

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.destination

Full (!) list of domains we deliver locally. Leave blank for acceptable Postfix default.

Type: null or (list of string)

Default: null

Example:

[
  "localhost"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.dnsBlacklistOverrides

contents of check_client_access for overriding dnsBlacklists

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.dnsBlacklists

dns blacklist servers to use with smtpd_client_restrictions

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.domain

Domain to use. Leave blank to use hostname minus first component.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.extraAliases

Additional entries to put verbatim into aliases file, cf. man-page aliases(8).

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.extraConfig

Extra lines to be added verbatim to the main.cf configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.extraHeaderChecks

Extra lines to /etc/postfix/header_checks file.

Type: strings concatenated with “\n”

Default: ""

Example: "/^X-Spam-Flag:/ REDIRECT spam@example.com"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.extraMasterConf

Extra lines to append to the generated master.cf file.

Type: strings concatenated with “\n”

Default: ""

Example: "submission inet n - n - - smtpd"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.group

What to call the Postfix group (must be used only for postfix).

Type: string

Default: "postfix"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.headerChecks

Postfix header checks.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    action = "REDIRECT spam@example.com";
    pattern = "/^X-Spam-Flag:/";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.headerChecks.*.action

The action to be executed when the pattern is matched

Type: string

Default: "DUNNO"

Example: "BCC mail@example.com"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.headerChecks.*.pattern

A regexp pattern matching the header

Type: string

Default: "/^.*/"

Example: "/^X-Mailer:/"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.hostname

Hostname to use. Leave blank to use just the hostname of machine. It should be FQDN.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.localRecipients

List of accepted local users. Specify a bare username, an "@domain.tld" wild-card, or a complete "user@domain.tld" address. If set, these names end up in the local recipient map – see the local(8) man-page – and effectively replace the system user database lookup that’s otherwise used by default.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.lookupMX

Whether relay specified is just domain whose MX must be used.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.mapFiles

Maps to be compiled and placed into /var/lib/postfix/conf.

Type: attribute set of path

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.masterConfig

An attribute set of service options, which correspond to the service definitions usually done within the Postfix master.cf file.

Type: attribute set of (submodule)

Default: { }

Example:

{
  submission = {
    args = [
      "-o"
      "smtpd_tls_security_level=encrypt"
    ];
    type = "inet";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.masterConfig.<name>.args

Arguments to pass to the command. There is no shell processing involved and shell syntax is passed verbatim to the process.

Type: list of string

Default: [ ]

Example:

[
  "-o"
  "smtp_helo_timeout=5"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.masterConfig.<name>.chroot

Whether the service is chrooted to have only access to the services.postfix.queueDir and the closure of store paths specified by the program option.

Type: boolean

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.masterConfig.<name>.command

A program name specifying a Postfix service/daemon process. By default it’s the attribute name.

Type: string

Default: "‹name›"

Example: "smtpd"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.masterConfig.<name>.maxproc

The maximum number of processes to spawn for this service. If the value is 0 it doesn’t have any limit. If null is given it uses the postfix default of 100.

Type: signed integer

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.masterConfig.<name>.name

The name of the service to run. Defaults to the attribute set key.

Type: string

Default: "‹name›"

Example: "smtp"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.masterConfig.<name>.private

Whether the service’s sockets and storage directory is restricted to be only available via the mail system. If null is given it uses the postfix default true.

Type: boolean

Example: false

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.masterConfig.<name>.privileged

Type: boolean

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.masterConfig.<name>.type

The type of the service

Type: one of “inet”, “unix”, “unix-dgram”, “fifo”, “pass”

Default: "unix"

Example: "inet"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.masterConfig.<name>.wakeup

Automatically wake up the service after the specified number of seconds. If 0 is given, never wake the service up.

Type: signed integer

Example: 60

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.masterConfig.<name>.wakeupUnusedComponent

If set to false the component will only be woken up if it is used. This is equivalent to postfix’ notion of adding a question mark behind the wakeup time in master.cf

Type: boolean

Example: false

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.networks

Net masks for trusted - allowed to relay mail to third parties - hosts. Leave empty to use mynetworks_style configuration or use default (localhost-only).

Type: null or (list of string)

Default: null

Example:

[
  "192.168.0.1/24"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.networksStyle

Name of standard way of trusted network specification to use, leave blank if you specify it explicitly or if you want to use default (localhost-only).

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.origin

Origin to use in outgoing e-mail. Leave blank to use hostname.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.postmasterAlias

Who should receive postmaster e-mail. Multiple values can be added by separating values with comma.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.recipientDelimiter

Delimiter for address extension: so mail to user+test can be handled by ~user/.forward+test

Type: string

Default: ""

Example: "+"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.relayDomains

List of domains we agree to relay to. Default is empty.

Type: null or (list of string)

Default: null

Example:

[
  "localdomain"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.relayHost

Mail relay for outbound mail.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.relayPort

SMTP port for relay mail relay.

Type: signed integer

Default: 25

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.rootAlias

Who should receive root e-mail. Blank for no redirection. Multiple values can be added by separating values with comma.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.setSendmail

Whether to set the system sendmail to postfix’s.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.setgidGroup

How to call postfix setgid group (for postdrop). Should be uniquely used group.

Type: string

Default: "postdrop"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.sslCert

SSL certificate to use.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.sslKey

SSL key to use.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.submissionOptions

Options for the submission config in master.cf

Type: attribute set of string

Default:

{
  milter_macro_daemon_name = "ORIGINATING";
  smtpd_client_restrictions = "permit_sasl_authenticated,reject";
  smtpd_sasl_auth_enable = "yes";
  smtpd_tls_security_level = "encrypt";
}

Example:

{
  milter_macro_daemon_name = "ORIGINATING";
  smtpd_client_restrictions = "permit_sasl_authenticated,reject";
  smtpd_sasl_auth_enable = "yes";
  smtpd_sasl_type = "dovecot";
  smtpd_tls_security_level = "encrypt";
}

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.submissionsOptions

Options for the submission config via smtps in master.cf.

smtpd_tls_security_level will be set to encrypt, if it is missing or has one of the values “may” or “none”.

smtpd_tls_wrappermode with value “yes” will be added automatically.

Type: attribute set of string

Default:

{
  milter_macro_daemon_name = "ORIGINATING";
  smtpd_client_restrictions = "permit_sasl_authenticated,reject";
  smtpd_sasl_auth_enable = "yes";
}

Example:

{
  milter_macro_daemon_name = "ORIGINATING";
  smtpd_client_restrictions = "permit_sasl_authenticated,reject";
  smtpd_sasl_auth_enable = "yes";
  smtpd_sasl_type = "dovecot";
}

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.tlsTrustedAuthorities

File containing trusted certification authorities (CA) to verify certificates of mailservers contacted for mail delivery. This basically sets smtp_tls_CAfile and enables opportunistic tls. Defaults to NixOS trusted certification authorities.

Type: string

Default: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.transport

Entries for the transport map, cf. man-page transport(8).

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.useSrs

Whether to enable sender rewriting scheme

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.user

What to call the Postfix user (must be used only for postfix).

Type: string

Default: "postfix"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.virtual

Entries for the virtual alias map, cf. man-page virtual(5).

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfix.virtualMapType

What type of virtual alias map file to use. Use "regexp" for regular expressions.

Type: one of “hash”, “regexp”, “pcre”

Default: "hash"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfix.nix>
services.postfixadmin.enable

Whether to enable postfixadmin.

Also enables nginx virtual host management. Further nginx configuration can be done by adapting services.nginx.virtualHosts.<name>. See services.nginx.virtualHosts for further information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/postfixadmin.nix>
services.postfixadmin.adminEmail

Defines the Site Admin’s email address. This will be used to send emails from to create mailboxes and from Send Email / Broadcast message pages.

Type: string

Example: "postmaster@example.com"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfixadmin.nix>
services.postfixadmin.database.dbname

Name of the postgresql database

Type: string

Default: "postfixadmin"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfixadmin.nix>
services.postfixadmin.database.host

Host of the postgresql server. If this is not set to localhost, you have to create the postgresql user and database yourself, with appropriate permissions.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfixadmin.nix>
services.postfixadmin.database.passwordFile

Password file for the postgresql connection. Must be readable by user nginx.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/mail/postfixadmin.nix>
services.postfixadmin.database.username

Username for the postgresql connection. If database.host is set to localhost, a unix user and group of the same name will be created as well.

Type: string

Default: "postfixadmin"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfixadmin.nix>
services.postfixadmin.extraConfig

Extra configuration for the postfixadmin instance, see postfixadmin’s config.inc.php for available options.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/postfixadmin.nix>
services.postfixadmin.hostName

Hostname to use for the nginx vhost

Type: string

Example: "postfixadmin.example.com"

Declared by:

<nixpkgs/nixos/modules/services/mail/postfixadmin.nix>
services.postfixadmin.setupPasswordFile

Password file for the admin. Generate with php -r "echo password_hash('some password here', PASSWORD_DEFAULT);"

Type: path

Declared by:

<nixpkgs/nixos/modules/services/mail/postfixadmin.nix>
services.postgresql.enable

Whether to enable PostgreSQL Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.enableJIT

Whether to enable JIT support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.enableTCPIP

Whether PostgreSQL should listen on all network interfaces. If disabled, the database can only be accessed via its Unix domain socket or via TCP connections to localhost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.package

The postgresql package to use.

Type: package

Default: pkgs.postgresql

Example: postgresql_15

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.authentication

Defines how users authenticate themselves to the server. See the PostgreSQL documentation for pg_hba.conf for details on the expected format of this option. By default, peer based authentication will be used for users connecting via the Unix socket, and md5 password authentication will be used for users connecting via TCP. Any added rules will be inserted above the default rules. If you’d like to replace the default rules entirely, you can use lib.mkForce in your module.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.checkConfig

Check the syntax of the configuration file at compile time

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.dataDir

The data directory for PostgreSQL. If left as the default value this directory will automatically be created before the PostgreSQL server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path

Default: "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"

Example: "/var/lib/postgresql/15"

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.ensureDatabases

Ensures that the specified databases exist. This option will never delete existing databases, especially not when the value of this option is changed. This means that databases created once through this option or otherwise have to be removed manually.

Type: list of string

Default: [ ]

Example:

[
  "gitea"
  "nextcloud"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.ensureUsers

Ensures that the specified users exist. The PostgreSQL users will be identified using peer authentication. This authenticates the Unix user with the same name only, and that without the need for a password. This option will never delete existing users or remove DB ownership of databases once granted with ensureDBOwnership = true;. This means that this must be cleaned up manually when changing after changing the config in here.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    name = "nextcloud";
  }
  {
    name = "superuser";
    ensureDBOwnership = true;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.ensureUsers.*.ensureClauses

An attrset of clauses to grant to the user. Under the hood this uses the ALTER USER syntax for each attrName where the attrValue is true in the attrSet: ALTER USER user.name WITH attrName

Type: submodule

Default: The default, null, means that the user created will have the default permissions assigned by PostgreSQL. Subsequent server starts will not set or unset the clause, so imperative changes are preserved.

Example:

{
  superuser = true;
  createrole = true;
  createdb = true;
}

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.ensureUsers.*.ensureClauses.bypassrls

Grants the user, created by the ensureUser attr, replication permissions. From the postgres docs:

A role must be explicitly given permission to bypass every row-level security (RLS) policy (except for superusers, since those bypass all permission checks). To create such a role, use CREATE ROLE name BYPASSRLS as a superuser.

More information on postgres roles can be found here

Type: null or boolean

Default: null: do not set. For newly created roles, use PostgreSQL’s default. For existing roles, do not touch this clause.

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.ensureUsers.*.ensureClauses.createdb

Grants the user, created by the ensureUser attr, createdb permissions. From the postgres docs:

A role must be explicitly given permission to create databases (except for superusers, since those bypass all permission checks). To create such a role, use CREATE ROLE name CREATEDB.

More information on postgres roles can be found here

Type: null or boolean

Default: null: do not set. For newly created roles, use PostgreSQL’s default. For existing roles, do not touch this clause.

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.ensureUsers.*.ensureClauses.createrole

Grants the user, created by the ensureUser attr, createrole permissions. From the postgres docs:

A role must be explicitly given permission to create more roles (except for superusers, since those bypass all permission checks). To create such a role, use CREATE ROLE name CREATEROLE. A role with CREATEROLE privilege can alter and drop other roles, too, as well as grant or revoke membership in them. However, to create, alter, drop, or change membership of a superuser role, superuser status is required; CREATEROLE is insufficient for that.

More information on postgres roles can be found here

Type: null or boolean

Default: null: do not set. For newly created roles, use PostgreSQL’s default. For existing roles, do not touch this clause.

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.ensureUsers.*.ensureClauses.inherit

Grants the user created inherit permissions. From the postgres docs:

A role is given permission to inherit the privileges of roles it is a member of, by default. However, to create a role without the permission, use CREATE ROLE name NOINHERIT.

More information on postgres roles can be found here

Type: null or boolean

Default: null: do not set. For newly created roles, use PostgreSQL’s default. For existing roles, do not touch this clause.

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.ensureUsers.*.ensureClauses.login

Grants the user, created by the ensureUser attr, login permissions. From the postgres docs:

Only roles that have the LOGIN attribute can be used as the initial role name for a database connection. A role with the LOGIN attribute can be considered the same as a “database user”. To create a role with login privilege, use either:

CREATE ROLE name LOGIN; CREATE USER name;

(CREATE USER is equivalent to CREATE ROLE except that CREATE USER includes LOGIN by default, while CREATE ROLE does not.)

More information on postgres roles can be found here

Type: null or boolean

Default: null: do not set. For newly created roles, use PostgreSQL’s default. For existing roles, do not touch this clause.

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.ensureUsers.*.ensureClauses.replication

Grants the user, created by the ensureUser attr, replication permissions. From the postgres docs:

A role must explicitly be given permission to initiate streaming replication (except for superusers, since those bypass all permission checks). A role used for streaming replication must have LOGIN permission as well. To create such a role, use CREATE ROLE name REPLICATION LOGIN.

More information on postgres roles can be found here

Type: null or boolean

Default: null: do not set. For newly created roles, use PostgreSQL’s default. For existing roles, do not touch this clause.

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.ensureUsers.*.ensureClauses.superuser

Grants the user, created by the ensureUser attr, superuser permissions. From the postgres docs:

A database superuser bypasses all permission checks, except the right to log in. This is a dangerous privilege and should not be used carelessly; it is best to do most of your work as a role that is not a superuser. To create a new database superuser, use CREATE ROLE name SUPERUSER. You must do this as a role that is already a superuser.

More information on postgres roles can be found here

Type: null or boolean

Default: null: do not set. For newly created roles, use PostgreSQL’s default. For existing roles, do not touch this clause.

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.ensureUsers.*.ensureDBOwnership

Grants the user ownership to a database with the same name. This database must be defined manually in services.postgresql.ensureDatabases.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.ensureUsers.*.name

Name of the user to ensure.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.extensions

List of PostgreSQL extensions to install.

Type: (function that evaluates to a(n) list of path) or (list of path) convertible to it

Default: <function>

Example: ps: with ps; [ postgis pg_repack ]

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.finalPackage

The postgresql package that will effectively be used in the system. It consists of the base package with plugins applied to it.

Type: package (read only)

Default: "with config.services.postgresql; package.withPackages extensions"

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.identMap

Defines the mapping from system users to database users.

See the auth doc.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  map-name-0 system-username-0 database-username-0
  map-name-1 system-username-1 database-username-1
''

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.initdbArgs

Additional arguments passed to initdb during data dir initialisation.

Type: list of string

Default: [ ]

Example:

[
  "--data-checksums"
  "--allow-group-access"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.initialScript

A file containing SQL statements to execute on first startup.

Type: null or path

Default: null

Example:

pkgs.writeText "init-sql-script" ''
  alter user postgres with password 'myPassword';
'';

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.recoveryConfig

Contents of the recovery.conf file.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.settings

PostgreSQL configuration. Refer to https://www.postgresql.org/docs/current/config-setting.html#CONFIG-SETTING-CONFIGURATION-FILE for an overview of postgresql.conf.

Note

String values will automatically be enclosed in single quotes. Single quotes will be escaped with two single quotes as described by the upstream documentation linked above.

Type: attribute set of (boolean or floating point number or signed integer or string)

Default: { }

Example:

{
  log_connections = true;
  log_statement = "all";
  logging_collector = true;
  log_disconnections = true;
  log_destination = lib.mkForce "syslog";
}

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.settings.log_line_prefix

A printf-style string that is output at the beginning of each log line. Upstream default is '%m [%p] ', i.e. it includes the timestamp. We do not include the timestamp, because journal has it anyway.

Type: string

Default: "[%p] "

Example: "%m [%p] "

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.settings.port

The port on which PostgreSQL listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5432

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresql.settings.shared_preload_libraries

List of libraries to be preloaded.

Type: null or (string or (list of string) convertible to it)

Default: null

Example: [ "auto_explain" "anon" ]

Declared by:

<nixpkgs/nixos/modules/services/databases/postgresql.nix>
services.postgresqlBackup.enable

Whether to enable PostgreSQL dumps.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-backup.nix>
services.postgresqlBackup.backupAll

Backup all databases using pg_dumpall. This option is mutual exclusive to services.postgresqlBackup.databases. The resulting backup dump will have the name all.sql.gz. This option is the default if no databases are specified.

Type: boolean

Default: services.postgresqlBackup.databases == []

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-backup.nix>
services.postgresqlBackup.compression

The type of compression to use on the generated database dump.

Type: one of “none”, “gzip”, “zstd”

Default: "gzip"

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-backup.nix>
services.postgresqlBackup.compressionLevel

The compression level used when compression is enabled. gzip accepts levels 1 to 9. zstd accepts levels 1 to 19.

Type: integer between 1 and 19 (both inclusive)

Default: 6

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-backup.nix>
services.postgresqlBackup.databases

List of database names to dump.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-backup.nix>
services.postgresqlBackup.location

Path of directory where the PostgreSQL database dumps will be placed.

Type: path

Default: "/var/backup/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-backup.nix>
services.postgresqlBackup.pgdumpOptions

Command line options for pg_dump. This options is not used if config.services.postgresqlBackup.backupAll is enabled. Note that config.services.postgresqlBackup.backupAll is also active, when no databases where specified.

Type: strings concatenated with " "

Default: "-C"

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-backup.nix>
services.postgresqlBackup.startAt

This option defines (see systemd.time for format) when the databases should be dumped. The default is to update at 01:15 (at night) every day.

Type: (list of string) or string

Default: "*-*-* 01:15:00"

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-backup.nix>
services.postgresqlWalReceiver.receivers

PostgreSQL WAL receivers. Stream write-ahead logs from a PostgreSQL server using pg_receivewal (formerly pg_receivexlog). See the man page for more information.

Type: attribute set of (submodule)

Default: { }

Example:

{
  main = {
    postgresqlPackage = pkgs.postgresql_15;
    directory = /mnt/pg_wal/main/;
    slot = "main_wal_receiver";
    connection = "postgresql://user@somehost";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-wal-receiver.nix>
services.postgresqlWalReceiver.receivers.<name>.compress

Enables gzip compression of write-ahead logs, and specifies the compression level (0 through 9, 0 being no compression and 9 being best compression). The suffix .gz will automatically be added to all filenames.

This option requires PostgreSQL >= 10.

Type: integer between 0 and 9 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-wal-receiver.nix>
services.postgresqlWalReceiver.receivers.<name>.connection

Specifies parameters used to connect to the server, as a connection string. See Section 34.1.1 of the PostgreSQL manual for more information.

Because pg_receivewal doesn’t connect to any particular database in the cluster, database name in the connection string will be ignored.

Type: string

Example: "postgresql://user@somehost"

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-wal-receiver.nix>
services.postgresqlWalReceiver.receivers.<name>.directory

Directory to write the output to.

Type: path

Example: /mnt/pg_wal/main/

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-wal-receiver.nix>
services.postgresqlWalReceiver.receivers.<name>.environment

Environment variables passed to the service. Usable parameters are listed in Section 34.14 of the PostgreSQL manual.

Type: attribute set of string

Default: { }

Example:

{
  PGPASSFILE = "/private/passfile";
  PGSSLMODE = "require";
}

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-wal-receiver.nix>
services.postgresqlWalReceiver.receivers.<name>.extraArgs

A list of extra arguments to pass to the pg_receivewal command.

Type: list of string

Default: [ ]

Example:

[
  "--no-sync"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-wal-receiver.nix>
services.postgresqlWalReceiver.receivers.<name>.postgresqlPackage

The postgresql package to use.

Type: package

Default: pkgs.postgresql

Example: postgresql_15

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-wal-receiver.nix>
services.postgresqlWalReceiver.receivers.<name>.slot

Require pg_receivewal to use an existing replication slot (see Section 26.2.6 of the PostgreSQL manual). When this option is used, pg_receivewal will report a flush position to the server, indicating when each segment has been synchronized to disk so that the server can remove that segment if it is not otherwise needed.

When the replication client of pg_receivewal is configured on the server as a synchronous standby, then using a replication slot will report the flush position to the server, but only when a WAL file is closed. Therefore, that configuration will cause transactions on the primary to wait for a long time and effectively not work satisfactorily. The option synchronous must be specified in addition to make this work correctly.

Type: string

Default: ""

Example: "some_slot_name"

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-wal-receiver.nix>
services.postgresqlWalReceiver.receivers.<name>.statusInterval

Specifies the number of seconds between status packets sent back to the server. This allows for easier monitoring of the progress from server. A value of zero disables the periodic status updates completely, although an update will still be sent when requested by the server, to avoid timeout disconnect.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-wal-receiver.nix>
services.postgresqlWalReceiver.receivers.<name>.synchronous

Flush the WAL data to disk immediately after it has been received. Also send a status packet back to the server immediately after flushing, regardless of statusInterval.

This option should be specified if the replication client of pg_receivewal is configured on the server as a synchronous standby, to ensure that timely feedback is sent to the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/postgresql-wal-receiver.nix>
services.postgrey.enable

Whether to run the Postgrey daemon

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.IPv4CIDR

Strip N bits from IPv4 addresses if lookupBySubnet is true

Type: signed integer

Default: 24

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.IPv6CIDR

Strip N bits from IPv6 addresses if lookupBySubnet is true

Type: signed integer

Default: 64

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.autoWhitelist

Whitelist clients after successful delivery of N messages

Type: null or signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.delay

Greylist for N seconds

Type: signed integer

Default: 300

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.greylistAction

Response status for greylisted messages (see access(5))

Type: string

Default: "DEFER_IF_PERMIT"

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.greylistHeader

Prepend header to greylisted mails; use %%t for seconds delayed due to greylisting, %%v for the version of postgrey, %%d for the date, and %%h for the host

Type: string

Default: "X-Greylist: delayed %%t seconds by postgrey-%%v at %%h; %%d"

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.greylistText

Response status text for greylisted messages; use %%s for seconds left until greylisting is over and %%r for mail domain of recipient

Type: string

Default: "Greylisted for %%s seconds"

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.lookupBySubnet

Strip the last N bits from IP addresses, determined by IPv4CIDR and IPv6CIDR

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.maxAge

Delete entries from whitelist if they haven’t been seen for N days

Type: signed integer

Default: 35

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.privacy

Store data using one-way hash functions (SHA1)

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.retryWindow

Allow N days for the first retry. Use string with appended ‘h’ to specify time in hours

Type: string or signed integer

Default: 2

Example: "12h"

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.socket

Socket to bind to

Type: (submodule) or (submodule)

Default:

{
  mode = "0777";
  path = "/run/postgrey.sock";
}

Example:

{
  addr = "127.0.0.1";
  port = 10030;
}

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.whitelistClients

Client address whitelist files (see postgrey(8))

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postgrey.whitelistRecipients

Recipient address whitelist files (see postgrey(8))

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/postgrey.nix>
services.postsrsd.enable

Whether to enable the postsrsd SRS server for Postfix.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/postsrsd.nix>
services.postsrsd.domain

Domain name for rewrite

Type: string

Declared by:

<nixpkgs/nixos/modules/services/mail/postsrsd.nix>
services.postsrsd.excludeDomains

Origin domains to exclude from rewriting in addition to primary domain

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/postsrsd.nix>
services.postsrsd.forwardPort

Port for the forward SRS lookup

Type: signed integer

Default: 10001

Declared by:

<nixpkgs/nixos/modules/services/mail/postsrsd.nix>
services.postsrsd.group

Group for the daemon

Type: string

Default: "postsrsd"

Declared by:

<nixpkgs/nixos/modules/services/mail/postsrsd.nix>
services.postsrsd.reversePort

Port for the reverse SRS lookup

Type: signed integer

Default: 10002

Declared by:

<nixpkgs/nixos/modules/services/mail/postsrsd.nix>
services.postsrsd.secretsFile

Secret keys used for signing and verification

Type: path

Default: "/var/lib/postsrsd/postsrsd.secret"

Declared by:

<nixpkgs/nixos/modules/services/mail/postsrsd.nix>
services.postsrsd.separator

First separator character in generated addresses

Type: one of “-”, “=”, “+”

Default: "="

Declared by:

<nixpkgs/nixos/modules/services/mail/postsrsd.nix>
services.postsrsd.timeout

Timeout for idle client connections in seconds

Type: signed integer

Default: 1800

Declared by:

<nixpkgs/nixos/modules/services/mail/postsrsd.nix>
services.postsrsd.user

User for the daemon

Type: string

Default: "postsrsd"

Declared by:

<nixpkgs/nixos/modules/services/mail/postsrsd.nix>
services.power-profiles-daemon.enable

Whether to enable power-profiles-daemon, a DBus daemon that allows changing system behavior based upon user-selected power profiles.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/power-profiles-daemon.nix>
services.power-profiles-daemon.package

The power-profiles-daemon package to use.

Type: package

Default: pkgs.power-profiles-daemon

Declared by:

<nixpkgs/nixos/modules/services/hardware/power-profiles-daemon.nix>
services.powerdns.enable

Whether to enable PowerDNS domain name server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/powerdns.nix>
services.powerdns.extraConfig

PowerDNS configuration. Refer to https://doc.powerdns.com/authoritative/settings.html for details on supported values.

Type: strings concatenated with “\n”

Default: "launch=bind"

Declared by:

<nixpkgs/nixos/modules/services/networking/powerdns.nix>
services.powerdns.secretFile

Environment variables from this file will be interpolated into the final config file using envsubst with this syntax: $ENVIRONMENT or ${VARIABLE}. The file should contain lines formatted as SECRET_VAR=SECRET_VALUE. This is useful to avoid putting secrets into the nix store.

Type: null or path

Default: null

Example: "/run/keys/powerdns.env"

Declared by:

<nixpkgs/nixos/modules/services/networking/powerdns.nix>
services.powerdns-admin.enable

Whether to enable the PowerDNS web interface.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/powerdns-admin.nix>
services.powerdns-admin.config

Configuration python file. See the example configuration for options.

Type: string

Default: ""

Example:

''
  BIND_ADDRESS = '127.0.0.1'
  PORT = 8000
  SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/powerdnsadmin?host=/run/postgresql'
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/powerdns-admin.nix>
services.powerdns-admin.extraArgs

Extra arguments passed to powerdns-admin.

Type: list of string

Default: [ ]

Example:

[ "-b" "127.0.0.1:8000" ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/powerdns-admin.nix>
services.powerdns-admin.saltFile

The salt used for serialization. This should be set, otherwise the default is used. Set this to null to ignore this setting and configure it through another way.

Type: null or path

Example: "/etc/powerdns-admin/salt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/powerdns-admin.nix>
services.powerdns-admin.secretKeyFile

The secret used to create cookies. This needs to be set, otherwise the default is used and everyone can forge valid login cookies. Set this to null to ignore this setting and configure it through another way.

Type: null or path

Example: "/etc/powerdns-admin/secret"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/powerdns-admin.nix>
services.pppd.enable

Whether to enable pppd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/pppd.nix>
services.pppd.package

The ppp package to use.

Type: package

Default: pkgs.ppp

Declared by:

<nixpkgs/nixos/modules/services/networking/pppd.nix>
services.pppd.peers

pppd peers.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/pppd.nix>
services.pppd.peers.<name>.enable

Whether to enable this PPP peer.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/pppd.nix>
services.pppd.peers.<name>.autostart

Whether the PPP session is automatically started at boot time.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/pppd.nix>
services.pppd.peers.<name>.config

pppd configuration for this peer, see the pppd(8) man page.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/pppd.nix>
services.pppd.peers.<name>.name

Name of the PPP peer.

Type: string

Default: "‹name›"

Example: "dialup"

Declared by:

<nixpkgs/nixos/modules/services/networking/pppd.nix>
services.pptpd.enable

Whether to enable pptpd, the Point-to-Point Tunneling Protocol daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/pptpd.nix>
services.pptpd.clientIpRange

The range from which client IPs are drawn.

Type: string

Default: "10.124.124.2-11"

Declared by:

<nixpkgs/nixos/modules/services/networking/pptpd.nix>
services.pptpd.extraPppdOptions

Adds extra lines to the pppd options file.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  ms-dns 8.8.8.8
  ms-dns 8.8.4.4
''

Declared by:

<nixpkgs/nixos/modules/services/networking/pptpd.nix>
services.pptpd.extraPptpdOptions

Adds extra lines to the pptpd configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/pptpd.nix>
services.pptpd.maxClients

The maximum number of simultaneous connections.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/networking/pptpd.nix>
services.pptpd.serverIp

The server-side IP address.

Type: string

Default: "10.124.124.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/pptpd.nix>
services.preload.enable

Whether to enable preload.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/preload.nix>
services.preload.package

The preload package to use.

Type: package

Default: pkgs.preload

Declared by:

<nixpkgs/nixos/modules/services/misc/preload.nix>
services.pretalx.enable

Whether to enable pretalx.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.package

The pretalx package to use.

Type: package

Default: pkgs.pretalx

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.celery.enable

Whether to set up celery as an asynchronous task runner.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.celery.extraArgs

Extra arguments to pass to celery.

See https://docs.celeryq.dev/en/stable/reference/cli.html#celery-worker for more info.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.database.createLocally

Whether to automatically set up the database on the local DBMS instance.

Currently only supported for PostgreSQL. Not required for sqlite.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.group

Group under which pretalx should run.

Type: string

Default: "pretalx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.gunicorn.extraArgs

Extra arguments to pass to gunicorn. See https://docs.pretalx.org/administrator/installation.html#step-6-starting-pretalx-as-a-service for details.

Type: list of string

Default:

[
  "--name=pretalx"
]

Example:

[
  "--name=pretalx"
  "--workers=4"
  "--max-requests=1200"
  "--max-requests-jitter=50"
  "--log-level=info"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.nginx.enable

Whether to set up an nginx virtual host.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.nginx.domain

The domain name under which to set up the virtual host.

Type: string

Example: "talks.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.plugins

Pretalx plugins to install into the Python environment.

Type: list of package

Default: [ ]

Example:

with config.services.pretalx.package.plugins; [
  pages
  youtube
];

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings

pretalx configuration as a Nix attribute set. All settings can also be passed from the environment.

See https://docs.pretalx.org/administrator/configure.html for possible options.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings.celery.backend

URI to the celery backend used for the asynchronous job queue.

Type: null or string

Default:

optionalString config.services.pretalx.celery.enable "redis+socket://${config.services.redis.servers.pretalx.unixSocket}?virtual_host=1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings.celery.broker

URI to the celery broker used for the asynchronous job queue.

Type: null or string

Default:

optionalString config.services.pretalx.celery.enable "redis+socket://${config.services.redis.servers.pretalx.unixSocket}?virtual_host=2"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings.database.backend

Database backend to use.

Currently only PostgreSQL gets tested, and as such we don’t support any other DBMS.

Type: value “postgresql” (singular enum) (read only)

Default: "postgresql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings.database.host

Database host or socket path.

Type: null or path

Default:

if config.services.pretalx.settings..database.backend == "postgresql" then "/run/postgresql"
else if config.services.pretalx.settings.database.backend == "mysql" then "/run/mysqld/mysqld.sock"
else null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings.database.name

Database name.

Type: string

Default: "pretalx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings.database.user

Database username.

Type: string

Default: "pretalx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings.files.upload_limit

Maximum file upload size in MiB.

Type: positive integer, meaning >0

Default: 10

Example: 50

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings.filesystem.data

Base path for all other storage paths.

Type: path

Default: "/var/lib/pretalx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings.filesystem.logs

Path to the log directory, that pretalx logs message to.

Type: path

Default: "/var/log/pretalx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings.filesystem.static

Path to the directory that contains static files.

Type: path (read only)

Default: ${config.services.pretalx.package}.static}/

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings.redis.location

URI to the redis server, used to speed up locking, caching and session storage.

Type: null or string

Default:

"unix://${config.services.redis.servers.pretalx.unixSocket}?db=0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings.redis.session

Whether to use redis as the session storage.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.settings.site.url

The base URI below which your pretalx instance will be reachable.

Type: string

Default: https://${config.services.pretalx.nginx.domain}

Example: "https://talks.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretalx.user

User under which pretalx should run.

Type: string

Default: "pretalx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretalx.nix>
services.pretix.enable

Whether to enable Pretix, a ticket shop application for conferences, festivals, concerts, etc.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.package

The pretix package to use.

Type: package

Default: pkgs.pretix

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.celery.extraArgs

Extra arguments to pass to celery.

See https://docs.celeryq.dev/en/stable/reference/cli.html#celery-worker for more info.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.database.createLocally

Whether to automatically set up the database on the local DBMS instance.

Only supported for PostgreSQL. Not required for sqlite.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.environmentFile

Environment file to pass secret configuration values.

Each line must follow the PRETIX_SECTION_KEY=value pattern.

Type: null or path

Default: null

Example: "/run/keys/pretix-secrets.env"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.group

Group under which pretix should run.

Type: string

Default: "pretix"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.gunicorn.extraArgs

Extra arguments to pass to gunicorn. See https://docs.pretix.eu/en/latest/admin/installation/manual_smallscale.html#start-pretix-as-a-service for details.

Type: list of string

Default:

[
  "--name=pretix"
]

Example:

[
  "--name=pretix"
  "--workers=4"
  "--max-requests=1200"
  "--max-requests-jitter=50"
  "--log-level=info"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.nginx.enable

Whether to set up an nginx virtual host.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.nginx.domain

The domain name under which to set up the virtual host.

Type: string

Example: "talks.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.plugins

Pretix plugins to install into the Python environment.

Type: list of package

Default: [ ]

Example:

with config.services.pretix.package.plugins; [
  passbook
  pages
];

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings

pretix configuration as a Nix attribute set. All settings can also be passed from the environment.

See https://docs.pretix.eu/en/latest/admin/config.html for possible options.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.celery.backend

URI to the celery backend used for the asynchronous job queue.

Type: string

Default:

redis+socket://${config.services.redis.servers.pretix.unixSocket}?virtual_host=1

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.celery.broker

URI to the celery broker used for the asynchronous job queue.

Type: string

Default:

redis+socket://${config.services.redis.servers.pretix.unixSocket}?virtual_host=2

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.database.backend

Database backend to use.

Only postgresql is recommended for production setups.

Type: one of “sqlite3”, “postgresql”

Default: "postgresql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.database.host

Database host or socket path.

Type: null or string

Default:

if config.services.pretix.settings..database.backend == "postgresql" then "/run/postgresql"
else null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.database.name

Database name.

Type: string

Default: "pretix"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.database.user

Database username.

Type: string

Default: "pretix"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.mail.from

E-Mail address used in the FROM header of outgoing mails.

Type: string

Example: "tickets@example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.mail.host

Hostname of the SMTP server use for mail delivery.

Type: string

Default: "localhost"

Example: "mail.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.mail.port

Port of the SMTP server to use for mail delivery.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 25

Example: 587

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.memcached.location

The host:port combination or the path to the UNIX socket of a memcached instance.

Can be used instead of Redis for caching.

Type: null or string

Default: null

Example: "127.0.0.1:11211"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.pretix.cachedir

Directory for storing temporary files.

Type: path

Default: "/var/cache/pretix"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.pretix.currency

Default currency for events in its ISO 4217 three-letter code.

Type: string

Default: "EUR"

Example: "USD"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.pretix.datadir

Directory for storing user uploads and similar data.

Type: path

Default: "/var/lib/pretix"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.pretix.instance_name

The name of this installation.

Type: string

Example: "tickets.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.pretix.logdir

Directory for storing log files.

Type: path

Default: "/var/log/pretix"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.pretix.registration

Whether to allow registration of new admin users.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.pretix.url

The installation’s full URL, without a trailing slash.

Type: string

Example: "https://tickets.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.redis.location

URI to the redis server, used to speed up locking, caching and session storage.

Type: null or string

Default:

"unix://${config.services.redis.servers.pretix.unixSocket}?db=0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.redis.sessions

Whether to use redis as the session storage.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.settings.tools.pdftk

Path to the pdftk executable.

Type: path

Default:

lib.getExe pkgs.pdftk

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.pretix.user

User under which pretix should run.

Type: string

Default: "pretix"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/pretix.nix>
services.printing.enable

Whether to enable printing support through the CUPS daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.package

The cups package to use.

Type: package

Default: pkgs.cups

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.allowFrom

From which hosts to allow unconditional access.

Type: list of string

Default:

[
  "localhost"
]

Example:

[
  "all"
]

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.browsed.enable

Whether to enable the CUPS Remote Printer Discovery (browsed) daemon.

Type: boolean

Default: config.services.avahi.enable

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.browsed.package

The cups-browsed package to use.

Type: package

Default: pkgs.cups-browsed

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.browsedConf

The contents of the configuration. file of the CUPS Browsed daemon (cups-browsed.conf)

Type: strings concatenated with “\n”

Default: ""

Example:

''
  BrowsePoll cups.example.com
''

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.browsing

Specifies whether shared printers are advertised.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.clientConf

The contents of the client configuration. (client.conf)

Type: strings concatenated with “\n”

Default: ""

Example:

''
  ServerName server.example.com
  Encryption Never
''

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.cups-pdf.enable

Whether to enable the cups-pdf virtual pdf printer backend. By default, this will install a single printer pdf. but this can be changed/extended with services.printing.cups-pdf.instances .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/printing/cups-pdf.nix>
services.printing.cups-pdf.instances

Permits to raise one or more cups-pdf instances. Each instance is named by an attribute name, and the attribute’s values control the instance’ configuration.

Type: attribute set of (submodule)

Default:

{
  pdf = { };
}

Example:

{
  pdf = {
    settings = {
      Out = "\${HOME}/cups-pdf";
      UserUMask = "0033";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/printing/cups-pdf.nix>
services.printing.cups-pdf.instances.<name>.enable

Whether to enable this cups-pdf instance.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/printing/cups-pdf.nix>
services.printing.cups-pdf.instances.<name>.confFileText

This will contain the contents of cups-pdf.conf for this instance, derived from settings. You can use this option to append text to the file.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/printing/cups-pdf.nix>
services.printing.cups-pdf.instances.<name>.installPrinter

Whether to enable a CUPS printer queue for this instance. The queue will be named after the instance and will use the CUPS-PDF_opt.ppd ppd file. If this is disabled, you need to add the queue yourself to use the instance .

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/printing/cups-pdf.nix>
services.printing.cups-pdf.instances.<name>.settings

Settings for a cups-pdf instance, see the descriptions in the template config file in the cups-pdf package. The key value pairs declared here will be translated into proper key value pairs for cups-pdf.conf. Setting a value to null disables the option and removes it from the file.

Type: null or signed integer or string or path or package

Default: { }

Example:

{
  Out = "\${HOME}/cups-pdf";
  UserUMask = "0033";
}

Declared by:

<nixpkgs/nixos/modules/services/printing/cups-pdf.nix>
services.printing.cups-pdf.instances.<name>.settings.AnonDirName

path for anonymously created PDF files

Type: null or (optionally newline-terminated) single-line string

Default: "/var/spool/cups-pdf-{instance-name}/anonymous"

Example: "/var/lib/cups-pdf"

Declared by:

<nixpkgs/nixos/modules/services/printing/cups-pdf.nix>
services.printing.cups-pdf.instances.<name>.settings.Anonuser

User for anonymous PDF creation. An empty string disables this feature.

Type: (optionally newline-terminated) single-line string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/printing/cups-pdf.nix>
services.printing.cups-pdf.instances.<name>.settings.GhostScript

location of GhostScript binary

Type: null or path

Default: lib.getExe pkgs.ghostscript

Example: ${pkgs.ghostscript}/bin/ps2pdf

Declared by:

<nixpkgs/nixos/modules/services/printing/cups-pdf.nix>
services.printing.cups-pdf.instances.<name>.settings.Out

output directory; ${HOME} will be expanded to the user’s home directory, ${USER} will be expanded to the user name.

Type: null or (optionally newline-terminated) single-line string

Default: "/var/spool/cups-pdf-{instance-name}/users/\${USER}"

Example: "\${HOME}/cups-pdf"

Declared by:

<nixpkgs/nixos/modules/services/printing/cups-pdf.nix>
services.printing.cups-pdf.instances.<name>.settings.Spool

spool directory

Type: null or (optionally newline-terminated) single-line string

Default: "/var/spool/cups-pdf-{instance-name}/spool"

Example: "/var/lib/cups-pdf"

Declared by:

<nixpkgs/nixos/modules/services/printing/cups-pdf.nix>
services.printing.defaultShared

Specifies whether local printers are shared by default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.drivers

CUPS drivers to use. Drivers provided by CUPS, cups-filters, Ghostscript and Samba are added unconditionally. If this list contains Gutenprint (i.e. a derivation with meta.isGutenprint = true) the PPD files in /var/lib/cups/ppd will be updated automatically to avoid errors due to incompatible versions.

Type: list of path

Default: [ ]

Example: with pkgs; [ gutenprint hplip splix ]

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.extraConf

Extra contents of the configuration file of the CUPS daemon (cupsd.conf).

Type: strings concatenated with “\n”

Default: ""

Example:

''
  BrowsePoll cups.example.com
  MaxCopies 42
''

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.extraFilesConf

Extra contents of the configuration file of the CUPS daemon (cups-files.conf).

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.listenAddresses

A list of addresses and ports on which to listen.

Type: list of string

Default:

[
  "localhost:631"
]

Example:

[
  "*:631"
]

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.logLevel

Specifies the cupsd logging verbosity.

Type: string

Default: "info"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.openFirewall

Whether to open the firewall for TCP ports specified in listenAddresses option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.snmpConf

The contents of /etc/cups/snmp.conf. See “man cups-snmp.conf” for a complete description.

Type: strings concatenated with “\n”

Default:

''
  Address @LOCAL
''

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.startWhenNeeded

If set, CUPS is socket-activated; that is, instead of having it permanently running as a daemon, systemd will start it on the first incoming connection.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.stateless

If set, all state directories relating to CUPS will be removed on startup of the service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.tempDir

CUPSd temporary directory.

Type: path

Default: "/tmp"

Example: "/tmp/cups"

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.printing.webInterface

Specifies whether the web interface is enabled.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/printing/cupsd.nix>
services.private-gpt.enable

Whether to enable private-gpt for local large language models.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/private-gpt.nix>
services.private-gpt.package

The private-gpt package to use.

Type: package

Default: pkgs.private-gpt

Declared by:

<nixpkgs/nixos/modules/services/misc/private-gpt.nix>
services.private-gpt.settings

settings-local.yaml for private-gpt

Type: YAML value

Default:

{
  azopenai = { };
  data = {
    local_data_folder = "/var/lib/private-gpt";
  };
  embedding = {
    mode = "ollama";
  };
  llm = {
    mode = "ollama";
    tokenizer = "";
  };
  ollama = {
    api_base = "http://localhost:11434";
    embedding_api_base = "http://localhost:11434";
    embedding_model = "nomic-embed-text";
    keep_alive = "5m";
    llm_model = "llama3";
    repeat_last_n = 64;
    repeat_penalty = 1.2;
    request_timeout = 120;
    tfs_z = 1;
    top_k = 40;
    top_p = 0.9;
  };
  openai = { };
  qdrant = {
    path = "/var/lib/private-gpt/vectorstore/qdrant";
  };
  vectorstore = {
    database = "qdrant";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/private-gpt.nix>
services.private-gpt.stateDir

State directory of private-gpt.

Type: path

Default: "/var/lib/private-gpt"

Declared by:

<nixpkgs/nixos/modules/services/misc/private-gpt.nix>
services.privatebin.enable

Whether to enable Privatebin: A minimalist, open source online pastebin where the server has zero knowledge of pasted data…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/privatebin.nix>
services.privatebin.enableNginx

Whether to enable nginx or not. If enabled, an nginx virtual host will be created for access to privatebin. If not enabled, then you may use ${config.services.privatebin.package} as your document root in whichever webserver you wish to setup.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/privatebin.nix>
services.privatebin.package

The privatebin package to use.

Type: package

Default: pkgs.privatebin

Declared by:

<nixpkgs/nixos/modules/services/web-apps/privatebin.nix>
services.privatebin.dataDir

The place where privatebin stores its state.

Type: path

Default: "/var/lib/privatebin"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/privatebin.nix>
services.privatebin.group

Group under which privatebin runs. It is best to set this to the group of whatever webserver is being used as the frontend.

Type: string

Default: "If `services.privatebin.enableNginx` is true then `nginx` else privatebin"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/privatebin.nix>
services.privatebin.poolConfig

Options for the PrivateBin PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  "pm" = "dynamic";
  "pm.max_children" = 32;
  "pm.start_servers" = 2;
  "pm.min_spare_servers" = 2;
  "pm.max_spare_servers" = 4;
  "pm.max_requests" = 500;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/privatebin.nix>
services.privatebin.settings

Options for privatebin configuration. Refer to https://github.com/PrivateBin/PrivateBin/wiki/Configuration for details on supported values.

Type: attribute set of anything

Default: { }

Example:

{
  main = {
    name = "NixOS Based Privatebin";
    discussion = false;
    defaultformatter = "plalib.types.intext";
    qrcode = true
  };
  model.class = "Filesystem";
  model_options.dir = "/var/lib/privatebin/data";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/privatebin.nix>
services.privatebin.user

User account under which privatebin runs.

Type: string

Default: "privatebin"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/privatebin.nix>
services.privatebin.virtualHost

The hostname at which you wish privatebin to be served. If you have enabled nginx using services.privatebin.enableNginx then this will be used.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/privatebin.nix>
services.privoxy.enable

Whether to enable Privoxy, non-caching filtering proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/privoxy.nix>
services.privoxy.enableTor

Whether to configure Privoxy to use Tor’s faster SOCKS port, suitable for HTTP.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/privoxy.nix>
services.privoxy.certsLifetime

If inspectHttps is enabled, the time generated HTTPS certificates will be stored in a temporary directory for reuse. Once the lifetime has expired the directory will cleared and the certificate will have to be generated again, on-demand.

Depending on the traffic, you may want to reduce the lifetime to limit the disk usage, since Privoxy itself never deletes the certificates.

Note

The format is that of the tmpfiles.d(5) Age parameter.

Type: tmpfiles.d(5) age format

Default: "10d"

Example: "12h"

Declared by:

<nixpkgs/nixos/modules/services/networking/privoxy.nix>
services.privoxy.inspectHttps

Whether to configure Privoxy to inspect HTTPS requests, meaning all encrypted traffic will be filtered as well. This works by decrypting and re-encrypting the requests using a per-domain generated certificate.

To issue per-domain certificates, Privoxy must be provided with a CA certificate, using the ca-cert-file, ca-key-file settings.

Warning

The CA certificate must also be added to the system trust roots, otherwise browsers will reject all Privoxy certificates as invalid. You can do so by using the option security.pki.certificateFiles.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/privoxy.nix>
services.privoxy.settings

This option is mapped to the main Privoxy configuration file. Check out the Privoxy user manual at https://www.privoxy.org/user-manual/config.html for available settings and documentation.

Note

Repeated settings can be represented by using a list.

Type: privoxy configuration type. The format consists of an attribute set of settings. Each setting can be either a value (integer, string, boolean or path) or a list of such values.

Default: { }

Example:

{ # Listen on IPv6 only
  listen-address = "[::]:8118";

  # Forward .onion requests to Tor
  forward-socks5 = ".onion localhost:9050 .";

  # Log redirects and filters
  debug = [ 128 64 ];
  # This is equivalent to writing these lines
  # in the Privoxy configuration file:
  # debug 128
  # debug 64
}

Declared by:

<nixpkgs/nixos/modules/services/networking/privoxy.nix>
services.privoxy.settings.enable-edit-actions

Whether the web-based actions file editor may be used.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/privoxy.nix>
services.privoxy.settings.actionsfile

List of paths to Privoxy action files. These paths may either be absolute or relative to the privoxy configuration directory.

Type: list of string

Default:

[
  "match-all.action"
  "default.action"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/privoxy.nix>
services.privoxy.settings.filterfile

List of paths to Privoxy filter files. These paths may either be absolute or relative to the privoxy configuration directory.

Type: list of string

Default:

[
  "default.filter"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/privoxy.nix>
services.privoxy.settings.listen-address

Pair of address:port the proxy server is listening to.

Type: string

Default: "127.0.0.1:8118"

Declared by:

<nixpkgs/nixos/modules/services/networking/privoxy.nix>
services.privoxy.userActions

Actions to be included in a user.action file. This will have a higher priority and can be used to override all other actions.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/privoxy.nix>
services.privoxy.userFilters

Filters to be included in a user.filter file. This will have a higher priority and can be used to override all other filters definitions.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/privoxy.nix>
services.prometheus.enable

Whether to enable Prometheus monitoring daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.enableAgentMode

Whether to enable agent mode.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.enableReload

Reload prometheus when configuration file changes (instead of restart).

The following property holds: switching to a configuration (switch-to-configuration) that changes the prometheus configuration only finishes successfully when prometheus has finished loading the new configuration.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.package

The prometheus package to use.

Type: package

Default: pkgs.prometheus

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.alertmanager.enable

Whether to enable Prometheus Alertmanager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanager.package

The prometheus-alertmanager package to use.

Type: package

Default: pkgs.prometheus-alertmanager

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanager.checkConfig

Check configuration with amtool check-config. The call to amtool is subject to sandboxing by Nix.

If you use credentials stored in external files (environmentFile, etc), they will not be visible to amtool and it will report errors, despite a correct configuration.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanager.clusterPeers

Initial peers for HA cluster.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanager.configText

Alertmanager configuration as YAML text. If non-null, this option defines the text that is written to alertmanager.yml. If null, the contents of alertmanager.yml is generated from the structured config options.

The contents of the resulting config file are processed using envsubst. $ needs to be escaped as $$ to be preserved.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanager.configuration

Alertmanager configuration as nix attribute set.

The contents of the resulting config file are processed using envsubst. $ needs to be escaped as $$ to be preserved.

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanager.environmentFile

File to load as environment file. Environment variables from this file will be interpolated into the config file using envsubst with this syntax: $ENVIRONMENT ${VARIABLE}

Type: null or path

Default: null

Example: "/root/alertmanager.env"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanager.extraFlags

Extra commandline options when launching the Alertmanager.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanager.listenAddress

Address to listen on for the web interface and API. Empty string will listen on all interfaces. “localhost” will listen on 127.0.0.1 (but not ::1).

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanager.logFormat

If set use a syslog logger or JSON logging.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanager.logLevel

Only log messages with the given severity or above.

Type: one of “debug”, “info”, “warn”, “error”, “fatal”

Default: "warn"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanager.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanager.port

Port to listen on for the web interface and API.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9093

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanager.webExternalUrl

The URL under which Alertmanager is externally reachable (for example, if Alertmanager is served via a reverse proxy). Used for generating relative and absolute links back to Alertmanager itself. If the URL has a path portion, it will be used to prefix all HTTP endoints served by Alertmanager. If omitted, relevant URL components will be derived automatically.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager.nix>
services.prometheus.alertmanagerIrcRelay.enable

Whether to enable Alertmanager IRC Relay.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager-irc-relay.nix>
services.prometheus.alertmanagerIrcRelay.package

The alertmanager-irc-relay package to use.

Type: package

Default: pkgs.alertmanager-irc-relay

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager-irc-relay.nix>
services.prometheus.alertmanagerIrcRelay.extraFlags

Extra command line options to pass to alertmanager-irc-relay.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager-irc-relay.nix>
services.prometheus.alertmanagerIrcRelay.settings

Configuration for Alertmanager IRC Relay as a Nix attribute set. For a reference, check out the example configuration and the source code.

Note: The webhook’s URL MUST point to the IRC channel where the message should be posted. For #mychannel from the example, this would be http://localhost:8080/mychannel.

Type: YAML value

Example:

{
  http_host = "localhost";
  http_port = 8000;

  irc_host = "irc.example.com";
  irc_port = 7000;
  irc_nickname = "myalertbot";

  irc_channels = [
    { name = "#mychannel"; }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager-irc-relay.nix>
services.prometheus.alertmanagerNotificationQueueCapacity

The capacity of the queue for pending alert manager notifications.

Type: signed integer

Default: 10000

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.alertmanagerWebhookLogger.enable

Whether to enable Alertmanager Webhook Logger.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix>
services.prometheus.alertmanagerWebhookLogger.package

The alertmanager-webhook-logger package to use.

Type: package

Default: pkgs.alertmanager-webhook-logger

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix>
services.prometheus.alertmanagerWebhookLogger.extraFlags

Extra command line options to pass to alertmanager-webhook-logger.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/alertmanager-webhook-logger.nix>
services.prometheus.alertmanagers

A list of alertmanagers to send alerts to. See the official documentation for more information.

Type: list of (attribute set)

Default: [ ]

Example:

[ {
  scheme = "https";
  path_prefix = "/alertmanager";
  static_configs = [ {
    targets = [
      "prometheus.domain.tld"
    ];
  } ];
} ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.checkConfig

Check configuration with promtool check. The call to promtool is subject to sandboxing by Nix.

If you use credentials stored in external files (password_file, bearer_token_file, etc), they will not be visible to promtool and it will report errors, despite a correct configuration. To resolve this, you may set this option to "syntax-only" in order to only syntax check the Prometheus configuration.

Type: boolean or value “syntax-only” (singular enum)

Default: true

Example: "syntax-only"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.configText

If non-null, this option defines the text that is written to prometheus.yml. If null, the contents of prometheus.yml is generated from the structured config options.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.exporters

Prometheus exporter configuration

Type: submodule

Default: { }

Example:

{
  node = {
    enable = true;
    enabledCollectors = [ "systemd" ];
  };
  varnish.enable = true;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.apcupsd.enable

Whether to enable the prometheus apcupsd exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.apcupsd.apcupsdAddress

Address of the apcupsd Network Information Server (NIS).

Type: string

Default: ":3551"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.apcupsd.apcupsdNetwork

Network of the apcupsd Network Information Server (NIS): one of “tcp”, “tcp4”, or “tcp6”.

Type: one of “tcp”, “tcp4”, “tcp6”

Default: "tcp"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.apcupsd.extraFlags

Extra commandline options to pass to the apcupsd exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.apcupsd.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.apcupsd.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9162"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.apcupsd.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.apcupsd.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9162 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.apcupsd.group

Group under which the apcupsd exporter shall be run.

Type: string

Default: "apcupsd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.apcupsd.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.apcupsd.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.apcupsd.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9162

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.apcupsd.user

User name under which the apcupsd exporter shall be run.

Type: string

Default: "apcupsd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.artifactory.enable

Whether to enable the prometheus artifactory exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.artifactory.artiAccessToken

Access token for authentication against JFrog Artifactory API. One of the password or access token needs to be set.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.artifactory.artiPassword

Password for authentication against JFrog Artifactory API. One of the password or access token needs to be set.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.artifactory.artiUsername

Username for authentication against JFrog Artifactory API.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.artifactory.extraFlags

Extra commandline options to pass to the artifactory exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.artifactory.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.artifactory.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9531"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.artifactory.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.artifactory.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9531 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.artifactory.group

Group under which the artifactory exporter shall be run.

Type: string

Default: "artifactory-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.artifactory.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.artifactory.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.artifactory.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9531

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.artifactory.scrapeUri

URI on which to scrape JFrog Artifactory.

Type: string

Default: "http://localhost:8081/artifactory"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.artifactory.user

User name under which the artifactory exporter shall be run.

Type: string

Default: "artifactory-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bind.enable

Whether to enable the prometheus bind exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bind.bindGroups

List of statistics to collect. Available: [server, view, tasks]

Type: list of (one of “server”, “view”, “tasks”)

Default:

[
  "server"
  "view"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bind.bindTimeout

Timeout for trying to get stats from Bind.

Type: string

Default: "10s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bind.bindURI

HTTP XML API address of an Bind server.

Type: string

Default: "http://localhost:8053/"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bind.bindVersion

BIND statistics version. Can be detected automatically.

Type: one of “xml.v2”, “xml.v3”, “auto”

Default: "auto"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bind.extraFlags

Extra commandline options to pass to the bind exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bind.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.bind.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9119"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bind.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.bind.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9119 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bind.group

Group under which the bind exporter shall be run.

Type: string

Default: "bind-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bind.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bind.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bind.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9119

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bind.user

User name under which the bind exporter shall be run.

Type: string

Default: "bind-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bird.enable

Whether to enable the prometheus bird exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bird.birdSocket

Path to BIRD2 (or BIRD1 v4) socket.

Type: path

Default: "/run/bird/bird.ctl"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bird.birdVersion

Specifies whether BIRD1 or BIRD2 is in use.

Type: one of 1, 2

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bird.extraFlags

Extra commandline options to pass to the bird exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bird.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.bird.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9324"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bird.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.bird.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9324 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bird.group

Group under which the bird exporter shall be run.

Type: string

Default: "bird-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bird.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bird.newMetricFormat

Enable the new more-generic metric format.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bird.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bird.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9324

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bird.user

User name under which the bird exporter shall be run.

Type: string

Default: "bird-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.enable

Whether to enable the prometheus bitcoin exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.package

The prometheus-bitcoin-exporter package to use.

Type: package

Default: pkgs.prometheus-bitcoin-exporter

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.extraEnv

Extra environment variables for the exporter.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.extraFlags

Extra commandline options to pass to the bitcoin exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.bitcoin.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9332"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.bitcoin.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9332 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.group

Group under which the bitcoin exporter shall be run.

Type: string

Default: "bitcoin-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9332

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.refreshSeconds

How often to ask bitcoind for metrics.

Type: unsigned integer, meaning >=0

Default: 300

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.rpcHost

RPC host.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.rpcPasswordFile

File containing RPC password.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.rpcPort

RPC port number.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8332

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.rpcScheme

Whether to connect to bitcoind over http or https.

Type: one of “http”, “https”

Default: "http"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.rpcUser

RPC user name.

Type: string

Default: "bitcoinrpc"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.bitcoin.user

User name under which the bitcoin exporter shall be run.

Type: string

Default: "bitcoin-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.blackbox.enable

Whether to enable the prometheus blackbox exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.blackbox.enableConfigCheck

Whether to run a correctness check for the configuration file. This depends on the configuration file residing in the nix-store. Paths passed as string will be copied to the store.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.blackbox.configFile

Path to configuration file.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.blackbox.extraFlags

Extra commandline options to pass to the blackbox exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.blackbox.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.blackbox.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9115"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.blackbox.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.blackbox.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9115 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.blackbox.group

Group under which the blackbox exporter shall be run.

Type: string

Default: "blackbox-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.blackbox.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.blackbox.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.blackbox.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9115

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.blackbox.user

User name under which the blackbox exporter shall be run.

Type: string

Default: "blackbox-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.borgmatic.enable

Whether to enable the prometheus borgmatic exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.borgmatic.configFile

The path to the borgmatic config file

Type: path

Default: "/etc/borgmatic/config.yaml"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.borgmatic.extraFlags

Extra commandline options to pass to the borgmatic exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.borgmatic.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.borgmatic.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9996"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.borgmatic.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.borgmatic.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9996 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.borgmatic.group

Group under which the borgmatic exporter shall be run.

Type: string

Default: "borgmatic-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.borgmatic.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.borgmatic.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.borgmatic.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9996

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.borgmatic.user

User name under which the borgmatic exporter shall be run.

Type: string

Default: "borgmatic-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.buildkite-agent.enable

Whether to enable the prometheus buildkite-agent exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.buildkite-agent.endpoint

The Buildkite Agent API endpoint.

Type: string

Default: "https://agent.buildkite.com/v3"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.buildkite-agent.extraFlags

Extra commandline options to pass to the buildkite-agent exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.buildkite-agent.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.buildkite-agent.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9876"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.buildkite-agent.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.buildkite-agent.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9876 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.buildkite-agent.group

Group under which the buildkite-agent exporter shall be run.

Type: string

Default: "buildkite-agent-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.buildkite-agent.interval

How often to update metrics.

Type: string

Default: "30s"

Example: "1min"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.buildkite-agent.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.buildkite-agent.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.buildkite-agent.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9876

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.buildkite-agent.queues

Which specific queues to process.

Type: null or (list of string)

Default: null

Example: [ "my-queue1" "my-queue2" ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.buildkite-agent.tokenPath

The token from your Buildkite “Agents” page.

A run-time path to the token file, which is supposed to be provisioned outside of Nix store.

Type: null or path

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.buildkite-agent.user

User name under which the buildkite-agent exporter shall be run.

Type: string

Default: "buildkite-agent-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.enable

Whether to enable the prometheus collectd exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.collectdBinary.enable

Whether to enable collectd binary protocol receiver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.collectdBinary.authFile

File mapping user names to pre-shared keys (passwords).

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.collectdBinary.listenAddress

Address to listen on for binary network packets.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.collectdBinary.port

Network address on which to accept collectd binary network packets.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 25826

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.collectdBinary.securityLevel

Minimum required security level for accepted packets.

Type: one of “None”, “Sign”, “Encrypt”

Default: "None"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.extraFlags

Extra commandline options to pass to the collectd exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.collectd.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9103"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.collectd.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9103 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.group

Group under which the collectd exporter shall be run.

Type: string

Default: "collectd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.logFormat

Set the log format.

Type: one of “logfmt”, “json”

Default: "logfmt"

Example: "json"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.logLevel

Only log messages with the given severity or above.

Type: one of “debug”, “info”, “warn”, “error”, “fatal”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9103

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.collectd.user

User name under which the collectd exporter shall be run.

Type: string

Default: "collectd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.enable

Whether to enable the prometheus deluge exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.delugeHost

Hostname where deluge server is running.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.delugePassword

Password to connect to deluge server.

This stores the password unencrypted in the nix store and is thus considered unsafe. Prefer using the delugePasswordFile option.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.delugePasswordFile

File containing the password to connect to deluge server.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.delugePort

Port where deluge server is listening.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 58846

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.delugeUser

User to connect to deluge server.

Type: string

Default: "localclient"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.exportPerTorrentMetrics

Enable per-torrent metrics.

This may significantly increase the number of time series depending on the number of torrents in your Deluge instance.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.extraFlags

Extra commandline options to pass to the deluge exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.deluge.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9354"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.deluge.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9354 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.group

Group under which the deluge exporter shall be run.

Type: string

Default: "deluge-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9354

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.deluge.user

User name under which the deluge exporter shall be run.

Type: string

Default: "deluge-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.enable

Whether to enable the prometheus dmarc exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.debug

Whether to declare enable --debug.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.deduplicationMaxSeconds

How long individual report IDs will be remembered to avoid counting double delivered reports twice.

Type: unsigned integer, meaning >=0

Default: "7 days (in seconds)"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.extraFlags

Extra commandline options to pass to the dmarc exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.dmarc.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9797"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.dmarc.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9797 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.folders.done

IMAP mailbox that successfully processed reports are moved to.

Type: string

Default: "Archive"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.folders.error

IMAP mailbox that emails are moved to that could not be processed.

Type: string

Default: "Invalid"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.folders.inbox

IMAP mailbox that is checked for incoming DMARC aggregate reports

Type: string

Default: "INBOX"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.group

Group under which the dmarc exporter shall be run.

Type: string

Default: "dmarc-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.imap.host

Hostname of IMAP server to connect to.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.imap.passwordFile

File containing the login password for the IMAP connection.

Type: string

Example: "/run/secrets/dovecot_pw"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.imap.port

Port of the IMAP server to connect to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 993

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.imap.username

Login username for the IMAP connection.

Type: string

Example: "postmaster@example.org"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.pollIntervalSeconds

How often to poll the IMAP server in seconds.

Type: unsigned integer, meaning >=0

Default: 60

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9797

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dmarc.user

User name under which the dmarc exporter shall be run.

Type: string

Default: "dmarc-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnsmasq.enable

Whether to enable the prometheus dnsmasq exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnsmasq.dnsmasqListenAddress

Address on which dnsmasq listens.

Type: string

Default: "localhost:53"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnsmasq.extraFlags

Extra commandline options to pass to the dnsmasq exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnsmasq.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.dnsmasq.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9153"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnsmasq.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.dnsmasq.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9153 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnsmasq.group

Group under which the dnsmasq exporter shall be run.

Type: string

Default: "dnsmasq-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnsmasq.leasesPath

Path to the dnsmasq.leases file.

Type: path

Default: "/var/lib/dnsmasq/dnsmasq.leases"

Example: "/var/lib/misc/dnsmasq.leases"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnsmasq.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnsmasq.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnsmasq.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9153

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnsmasq.user

User name under which the dnsmasq exporter shall be run.

Type: string

Default: "dnsmasq-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnssec.enable

Whether to enable the prometheus dnssec exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnssec.configuration

dnssec exporter configuration as nix attribute set.

See https://github.com/chrj/prometheus-dnssec-exporter/blob/master/README.md for the description of the configuration file format.

Type: null or (attribute set)

Default: null

Example:

{
  records = [
    {
      zone = "ietf.org";
      record = "@";
      type = "SOA";
    }
    {
      zone = "verisigninc.com";
      record = "@";
      type = "SOA";
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnssec.extraFlags

Extra commandline options when launching Prometheus.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnssec.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.dnssec.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9204"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnssec.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.dnssec.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9204 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnssec.group

Group under which the dnssec exporter shall be run.

Type: string

Default: "dnssec-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnssec.listenAddress

Listen address as host IP and port definition.

Type: null or string

Default: null

Example: ":9204"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnssec.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnssec.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9204

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnssec.resolvers

DNSSEC capable resolver to be used for the check.

Type: list of string

Default: [ ]

Example:

[
  "0.0.0.0:53"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnssec.timeout

DNS request timeout duration.

Type: null or string

Default: null

Example: "10s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dnssec.user

User name under which the dnssec exporter shall be run.

Type: string

Default: "dnssec-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.domain.enable

Whether to enable the prometheus domain exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.domain.extraFlags

Extra commandline options to pass to the domain exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.domain.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.domain.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9222"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.domain.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.domain.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9222 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.domain.group

Group under which the domain exporter shall be run.

Type: string

Default: "domain-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.domain.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.domain.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.domain.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9222

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.domain.user

User name under which the domain exporter shall be run.

Type: string

Default: "domain-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dovecot.enable

Whether to enable the prometheus dovecot exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dovecot.extraFlags

Extra commandline options to pass to the dovecot exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dovecot.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.dovecot.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9166"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dovecot.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.dovecot.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9166 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dovecot.group

Group under which the dovecot exporter shall be run.

Type: string

Default: "dovecot-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dovecot.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dovecot.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dovecot.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9166

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dovecot.scopes

Stats scopes to query.

Type: list of string

Default:

[
  "user"
]

Example:

[
  "user"
  "global"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dovecot.socketPath

Path under which the stats socket is placed. The user/group under which the exporter runs, should be able to access the socket in order to scrape the metrics successfully.

Please keep in mind that the stats module has changed in Dovecot 2.3+ which is not compatible with this exporter.

The following extra config has to be passed to Dovecot to ensure that recent versions work with this exporter:

{
  services.prometheus.exporters.dovecot.enable = true;
  services.prometheus.exporters.dovecot.socketPath = "/var/run/dovecot2/old-stats";
  services.dovecot2.mailPlugins.globally.enable = [ "old_stats" ];
  services.dovecot2.extraConfig = ''
    service old-stats {
      unix_listener old-stats {
        user = dovecot-exporter
        group = dovecot-exporter
        mode = 0660
      }
      fifo_listener old-stats-mail {
        mode = 0660
        user = dovecot
        group = dovecot
      }
      fifo_listener old-stats-user {
        mode = 0660
        user = dovecot
        group = dovecot
      }
    }
    plugin {
      old_stats_refresh = 30 secs
      old_stats_track_cmds = yes
    }
  '';
}

Type: path

Default: "/var/run/dovecot/stats"

Example: "/var/run/dovecot2/old-stats"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dovecot.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.dovecot.user

User name under which the dovecot exporter shall be run.

Type: string

Default: "dovecot-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-bazarr.enable

Whether to enable the prometheus exportarr-bazarr exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-bazarr.package

The exportarr package to use.

Type: package

Default: pkgs.exportarr

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-bazarr.apiKeyFile

File containing the api-key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-bazarr.environment

See the configuration guide for available options.

Type: attribute set of string

Default: { }

Example:

{
  PROWLARR__BACKFILL = true;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-bazarr.extraFlags

Extra commandline options to pass to the exportarr-bazarr exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-bazarr.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.exportarr-bazarr.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9708"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-bazarr.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.exportarr-bazarr.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9708 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-bazarr.group

Group under which the exportarr-bazarr exporter shall be run.

Type: string

Default: "exportarr-bazarr-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-bazarr.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-bazarr.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-bazarr.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9708

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-bazarr.url

The full URL to Sonarr, Radarr, or Lidarr.

Type: string

Default: "http://127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-bazarr.user

User name under which the exportarr-bazarr exporter shall be run.

Type: string

Default: "exportarr-bazarr-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-lidarr.enable

Whether to enable the prometheus exportarr-lidarr exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-lidarr.package

The exportarr package to use.

Type: package

Default: pkgs.exportarr

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-lidarr.apiKeyFile

File containing the api-key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-lidarr.environment

See the configuration guide for available options.

Type: attribute set of string

Default: { }

Example:

{
  PROWLARR__BACKFILL = true;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-lidarr.extraFlags

Extra commandline options to pass to the exportarr-lidarr exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-lidarr.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.exportarr-lidarr.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9708"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-lidarr.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.exportarr-lidarr.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9708 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-lidarr.group

Group under which the exportarr-lidarr exporter shall be run.

Type: string

Default: "exportarr-lidarr-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-lidarr.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-lidarr.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-lidarr.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9708

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-lidarr.url

The full URL to Sonarr, Radarr, or Lidarr.

Type: string

Default: "http://127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-lidarr.user

User name under which the exportarr-lidarr exporter shall be run.

Type: string

Default: "exportarr-lidarr-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-prowlarr.enable

Whether to enable the prometheus exportarr-prowlarr exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-prowlarr.package

The exportarr package to use.

Type: package

Default: pkgs.exportarr

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-prowlarr.apiKeyFile

File containing the api-key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-prowlarr.environment

See the configuration guide for available options.

Type: attribute set of string

Default: { }

Example:

{
  PROWLARR__BACKFILL = true;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-prowlarr.extraFlags

Extra commandline options to pass to the exportarr-prowlarr exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-prowlarr.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.exportarr-prowlarr.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9708"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-prowlarr.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.exportarr-prowlarr.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9708 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-prowlarr.group

Group under which the exportarr-prowlarr exporter shall be run.

Type: string

Default: "exportarr-prowlarr-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-prowlarr.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-prowlarr.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-prowlarr.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9708

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-prowlarr.url

The full URL to Sonarr, Radarr, or Lidarr.

Type: string

Default: "http://127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-prowlarr.user

User name under which the exportarr-prowlarr exporter shall be run.

Type: string

Default: "exportarr-prowlarr-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-radarr.enable

Whether to enable the prometheus exportarr-radarr exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-radarr.package

The exportarr package to use.

Type: package

Default: pkgs.exportarr

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-radarr.apiKeyFile

File containing the api-key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-radarr.environment

See the configuration guide for available options.

Type: attribute set of string

Default: { }

Example:

{
  PROWLARR__BACKFILL = true;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-radarr.extraFlags

Extra commandline options to pass to the exportarr-radarr exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-radarr.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.exportarr-radarr.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9708"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-radarr.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.exportarr-radarr.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9708 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-radarr.group

Group under which the exportarr-radarr exporter shall be run.

Type: string

Default: "exportarr-radarr-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-radarr.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-radarr.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-radarr.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9708

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-radarr.url

The full URL to Sonarr, Radarr, or Lidarr.

Type: string

Default: "http://127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-radarr.user

User name under which the exportarr-radarr exporter shall be run.

Type: string

Default: "exportarr-radarr-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-readarr.enable

Whether to enable the prometheus exportarr-readarr exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-readarr.package

The exportarr package to use.

Type: package

Default: pkgs.exportarr

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-readarr.apiKeyFile

File containing the api-key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-readarr.environment

See the configuration guide for available options.

Type: attribute set of string

Default: { }

Example:

{
  PROWLARR__BACKFILL = true;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-readarr.extraFlags

Extra commandline options to pass to the exportarr-readarr exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-readarr.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.exportarr-readarr.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9708"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-readarr.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.exportarr-readarr.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9708 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-readarr.group

Group under which the exportarr-readarr exporter shall be run.

Type: string

Default: "exportarr-readarr-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-readarr.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-readarr.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-readarr.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9708

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-readarr.url

The full URL to Sonarr, Radarr, or Lidarr.

Type: string

Default: "http://127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-readarr.user

User name under which the exportarr-readarr exporter shall be run.

Type: string

Default: "exportarr-readarr-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-sonarr.enable

Whether to enable the prometheus exportarr-sonarr exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-sonarr.package

The exportarr package to use.

Type: package

Default: pkgs.exportarr

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-sonarr.apiKeyFile

File containing the api-key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-sonarr.environment

See the configuration guide for available options.

Type: attribute set of string

Default: { }

Example:

{
  PROWLARR__BACKFILL = true;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-sonarr.extraFlags

Extra commandline options to pass to the exportarr-sonarr exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-sonarr.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.exportarr-sonarr.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9708"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-sonarr.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.exportarr-sonarr.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9708 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-sonarr.group

Group under which the exportarr-sonarr exporter shall be run.

Type: string

Default: "exportarr-sonarr-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-sonarr.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-sonarr.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-sonarr.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9708

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-sonarr.url

The full URL to Sonarr, Radarr, or Lidarr.

Type: string

Default: "http://127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.exportarr-sonarr.user

User name under which the exportarr-sonarr exporter shall be run.

Type: string

Default: "exportarr-sonarr-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fastly.enable

Whether to enable the prometheus fastly exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fastly.configFile

Path to a fastly-exporter configuration file. Example one can be generated with fastly-exporter --config-file-example.

Type: null or path

Default: null

Example: "./fastly-exporter-config.txt"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fastly.extraFlags

Extra commandline options to pass to the fastly exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fastly.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.fastly.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9118"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fastly.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.fastly.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9118 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fastly.group

Group under which the fastly exporter shall be run.

Type: string

Default: "fastly-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fastly.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fastly.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fastly.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9118

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fastly.tokenPath

A run-time path to the token file, which is supposed to be provisioned outside of Nix store.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fastly.user

User name under which the fastly exporter shall be run.

Type: string

Default: "fastly-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.flow.enable

Whether to enable the prometheus flow exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.flow.asn

The ASN being monitored.

Type: positive integer, meaning >0

Example: 65542

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.flow.brokers

List of Kafka brokers to connect to.

Type: list of string

Example: [ "kafka.example.org:19092" ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.flow.extraFlags

Extra commandline options to pass to the flow exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.flow.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.flow.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9590"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.flow.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.flow.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9590 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.flow.group

Group under which the flow exporter shall be run.

Type: string

Default: "flow-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.flow.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.flow.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.flow.partitions

The number of the partitions to consume, none means all.

Type: list of signed integer

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.flow.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9590

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.flow.topic

The Kafka topic to consume from.

Type: string

Example: "pmacct.acct"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.flow.user

User name under which the flow exporter shall be run.

Type: string

Default: "flow-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.enable

Whether to enable the prometheus fritz exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.extraFlags

Extra commandline options to pass to the fritz exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.fritz.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9787"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.fritz.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9787 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.group

Group under which the fritz exporter shall be run.

Type: string

Default: "fritz-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9787

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.settings

Configuration settings for fritz-exporter.

Type: YAML value

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.settings.devices

Fritz!-devices to monitor using the exporter.

Type: list of (YAML value)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.settings.devices.*.host_info

Enable extended host info for this device. Warning: This will heavily increase scrape time.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.settings.devices.*.hostname

Hostname under which the target device is reachable.

Type: string

Default: "fritz.box"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.settings.devices.*.name

Name to use for the device.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.settings.devices.*.password_file

Path to a file which contains the password to authenticate with the target device. Needs to be readable by the user the exporter runs under.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.settings.devices.*.username

Username to authenticate with the target device.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.settings.log_level

Log level to use for the exporter.

Type: one of “DEBUG”, “INFO”, “WARNING”, “ERROR”, “CRITICAL”

Default: "INFO"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritz.user

User name under which the fritz exporter shall be run.

Type: string

Default: "fritz-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritzbox.enable

Whether to enable the prometheus fritzbox exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritzbox.extraFlags

Extra commandline options to pass to the fritzbox exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritzbox.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.fritzbox.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9133"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritzbox.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.fritzbox.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9133 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritzbox.gatewayAddress

The hostname or IP of the FRITZ!Box.

Type: string

Default: "fritz.box"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritzbox.gatewayPort

The port of the FRITZ!Box UPnP service.

Type: signed integer

Default: 49000

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritzbox.group

Group under which the fritzbox exporter shall be run.

Type: string

Default: "fritzbox-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritzbox.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritzbox.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritzbox.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9133

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.fritzbox.user

User name under which the fritzbox exporter shall be run.

Type: string

Default: "fritzbox-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.graphite.enable

Whether to enable the prometheus graphite exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.graphite.extraFlags

Extra commandline options to pass to the graphite exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.graphite.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.graphite.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9108"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.graphite.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.graphite.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9108 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.graphite.graphitePort

Port to use for the graphite server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9109

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.graphite.group

Group under which the graphite exporter shall be run.

Type: string

Default: "graphite-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.graphite.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.graphite.mappingSettings

Mapping configuration for the exporter, see https://github.com/prometheus/graphite_exporter#yaml-config for available options.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.graphite.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.graphite.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9108

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.graphite.user

User name under which the graphite exporter shall be run.

Type: string

Default: "graphite-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.idrac.enable

Whether to enable the prometheus idrac exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.idrac.configuration

Configuration for iDRAC exporter, as a nix attribute set.

Configuration reference: https://github.com/mrlhansen/idrac_exporter/#configuration

Mutually exclusive with configurationPath option.

Type: null or (attribute set)

Default: null

Example:

{
  hosts = {
    default = {
      password = "password";
      username = "username";
    };
  };
  metrics = {
    memory = true;
    power = true;
    sel = true;
    sensors = true;
    storage = true;
    system = true;
  };
  retries = 1;
  timeout = 10;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.idrac.configurationPath

Path to the service’s config file. This path can either be a computed path in /nix/store or a path in the local filesystem.

The config file should NOT be stored in /nix/store as it will contain passwords and/or keys in plain text.

Mutually exclusive with configuration option.

Configuration reference: https://github.com/mrlhansen/idrac_exporter/#configuration

Type: null or path

Default: null

Example: "/etc/prometheus-idrac-exporter/idrac.yml"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.idrac.extraFlags

Extra commandline options to pass to the idrac exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.idrac.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.idrac.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9348"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.idrac.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.idrac.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9348 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.idrac.group

Group under which the idrac exporter shall be run.

Type: string

Default: "idrac-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.idrac.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.idrac.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.idrac.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9348

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.idrac.user

User name under which the idrac exporter shall be run.

Type: string

Default: "idrac-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.enable

Whether to enable the prometheus imap-mailstat exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.accounts

Accounts to monitor

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.accounts.<name>.mailaddress

Your email address (at the moment used as login name)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.accounts.<name>.password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.accounts.<name>.serveraddress

mailserver name or address

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.accounts.<name>.serverport

imap port number (at the moment only tls connection is supported)

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.accounts.<name>.starttls

set to true for using STARTTLS to start a TLS connection

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.accounts.<name>.username

If empty string mailaddress value is used

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.configurationFile

File containing the configuration

Type: path

Example: "/path/to/config-file"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.extraFlags

Extra commandline options to pass to the imap-mailstat exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.imap-mailstat.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 8081"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.imap-mailstat.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 8081 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.group

Group under which the imap-mailstat exporter shall be run.

Type: string

Default: "imap-mailstat-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.oldestUnseenDate

Enable metric with timestamp of oldest unseen mail

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8081

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.imap-mailstat.user

User name under which the imap-mailstat exporter shall be run.

Type: string

Default: "imap-mailstat-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.influxdb.enable

Whether to enable the prometheus influxdb exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.influxdb.extraFlags

Extra commandline options to pass to the influxdb exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.influxdb.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.influxdb.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9122"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.influxdb.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.influxdb.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9122 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.influxdb.group

Group under which the influxdb exporter shall be run.

Type: string

Default: "influxdb-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.influxdb.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.influxdb.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.influxdb.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9122

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.influxdb.sampleExpiry

How long a sample is valid for

Type: string

Default: "5m"

Example: "10m"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.influxdb.udpBindAddress

Address on which to listen for udp packets

Type: string

Default: ":9122"

Example: "192.0.2.1:9122"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.influxdb.user

User name under which the influxdb exporter shall be run.

Type: string

Default: "influxdb-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ipmi.enable

Whether to enable the prometheus ipmi exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ipmi.configFile

Path to configuration file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ipmi.extraFlags

Extra commandline options to pass to the ipmi exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ipmi.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.ipmi.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9290"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ipmi.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.ipmi.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9290 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ipmi.group

Group under which the ipmi exporter shall be run.

Type: string

Default: "ipmi-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ipmi.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ipmi.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ipmi.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9290

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ipmi.user

User name under which the ipmi exporter shall be run.

Type: string

Default: "ipmi-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ipmi.webConfigFile

Path to configuration file that can enable TLS or authentication.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.jitsi.enable

Whether to enable the prometheus jitsi exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.jitsi.extraFlags

Extra commandline options to pass to the jitsi exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.jitsi.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.jitsi.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9700"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.jitsi.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.jitsi.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9700 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.jitsi.group

Group under which the jitsi exporter shall be run.

Type: string

Default: "jitsi-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.jitsi.interval

How often to scrape new data

Type: string

Default: "30s"

Example: "1min"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.jitsi.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.jitsi.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.jitsi.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9700

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.jitsi.url

Jitsi Videobridge metrics URL to monitor. This is usually /colibri/stats on port 8080 of the jitsi videobridge host.

Type: string

Default: "http://localhost:8080/colibri/stats"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.jitsi.user

User name under which the jitsi exporter shall be run.

Type: string

Default: "jitsi-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.json.enable

Whether to enable the prometheus json exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.json.configFile

Path to configuration file.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.json.extraFlags

Extra commandline options to pass to the json exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.json.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.json.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 7979"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.json.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.json.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 7979 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.json.group

Group under which the json exporter shall be run.

Type: string

Default: "json-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.json.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.json.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.json.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7979

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.json.user

User name under which the json exporter shall be run.

Type: string

Default: "json-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.junos-czerwonk.enable

Whether to enable the prometheus junos-czerwonk exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.junos-czerwonk.configuration

JunOS exporter configuration as nix attribute set. Mutually exclusive with the configurationFile option.

Type: null or (attribute set)

Default: null

Example:

{
  devices = [
    {
      host = "router1";
      key_file = "/path/to/key";
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.junos-czerwonk.configurationFile

Specify the JunOS exporter configuration file to use.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.junos-czerwonk.environmentFile

File containing env-vars to be substituted into the exporter’s config.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.junos-czerwonk.extraFlags

Extra commandline options to pass to the junos-czerwonk exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.junos-czerwonk.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.junos-czerwonk.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9326"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.junos-czerwonk.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.junos-czerwonk.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9326 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.junos-czerwonk.group

Group under which the junos-czerwonk exporter shall be run.

Type: string

Default: "junos-czerwonk-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.junos-czerwonk.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.junos-czerwonk.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.junos-czerwonk.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9326

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.junos-czerwonk.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.junos-czerwonk.user

User name under which the junos-czerwonk exporter shall be run.

Type: string

Default: "junos-czerwonk-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.kea.enable

Whether to enable the prometheus kea exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.kea.extraFlags

Extra commandline options to pass to the kea exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.kea.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.kea.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9547"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.kea.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.kea.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9547 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.kea.group

Group under which the kea exporter shall be run.

Type: string

Default: "kea-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.kea.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.kea.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.kea.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9547

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.kea.targets

Paths or URLs to the Kea control socket.

Type: list of string

Example:

[
  "/run/kea/kea-dhcp4.socket"
  "/run/kea/kea-dhcp6.socket"
  "http://127.0.0.1:8547"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.kea.user

User name under which the kea exporter shall be run.

Type: string

Default: "kea-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.keylight.enable

Whether to enable the prometheus keylight exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.keylight.extraFlags

Extra commandline options to pass to the keylight exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.keylight.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.keylight.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9288"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.keylight.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.keylight.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9288 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.keylight.group

Group under which the keylight exporter shall be run.

Type: string

Default: "keylight-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.keylight.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.keylight.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.keylight.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9288

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.keylight.user

User name under which the keylight exporter shall be run.

Type: string

Default: "keylight-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.klipper.enable

Whether to enable the prometheus klipper exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.klipper.package

The prometheus-klipper-exporter package to use.

Type: package

Default: pkgs.prometheus-klipper-exporter

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.klipper.extraFlags

Extra commandline options to pass to the klipper exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.klipper.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.klipper.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9101"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.klipper.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.klipper.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9101 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.klipper.group

Group under which the klipper exporter shall be run.

Type: string

Default: "klipper-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.klipper.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.klipper.moonrakerApiKey

API Key to authenticate with the Moonraker APIs. Only needed if the host running the exporter is not a trusted client to Moonraker.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.klipper.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.klipper.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9101

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.klipper.user

User name under which the klipper exporter shall be run.

Type: string

Default: "klipper-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.knot.enable

Whether to enable the prometheus knot exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.knot.extraFlags

Extra commandline options to pass to the knot exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.knot.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.knot.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9433"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.knot.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.knot.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9433 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.knot.group

Group under which the knot exporter shall be run.

Type: string

Default: "knot-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.knot.knotLibraryPath

Path to the library of knot-dns.

Type: null or string

Default: null

Example: "${pkgs.knot-dns.out}/lib/libknot.so"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.knot.knotSocketPath

Socket path of knotd(8).

Type: string

Default: "/run/knot/knot.sock"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.knot.knotSocketTimeout

Timeout in seconds.

Type: positive integer, meaning >0

Default: 2000

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.knot.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.knot.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.knot.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9433

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.knot.user

User name under which the knot exporter shall be run.

Type: string

Default: "knot-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.libvirt.enable

Whether to enable the prometheus libvirt exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.libvirt.extraFlags

Extra commandline options to pass to the libvirt exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.libvirt.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.libvirt.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9177"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.libvirt.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.libvirt.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9177 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.libvirt.group

Group under which the libvirt exporter shall be run.

Type: string

Default: "libvirt-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.libvirt.libvirtUri

Libvirt URI from which to extract metrics

Type: string

Default: "qemu:///system"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.libvirt.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.libvirt.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.libvirt.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9177

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.libvirt.user

User name under which the libvirt exporter shall be run.

Type: string

Default: "libvirt-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.lnd.enable

Whether to enable the prometheus lnd exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.lnd.extraFlags

Extra commandline options to pass to the lnd exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.lnd.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.lnd.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9092"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.lnd.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.lnd.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9092 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.lnd.group

Group under which the lnd exporter shall be run.

Type: string

Default: "lnd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.lnd.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.lnd.lndHost

lnd instance gRPC address:port.

Type: string

Default: "localhost:10009"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.lnd.lndMacaroonDir

Path to lnd macaroons.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.lnd.lndTlsPath

Path to lnd TLS certificate.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.lnd.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.lnd.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9092

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.lnd.user

User name under which the lnd exporter shall be run.

Type: string

Default: "lnd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.enable

Whether to enable the prometheus mail exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configFile

Specify the mailexporter configuration file to use.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configuration

Specify the mailexporter configuration file to use.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configuration.disableFileDeletion

Disables the exporter’s function to delete probing mails.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configuration.mailCheckTimeout

Timeout until mails are considered “didn’t make it”.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configuration.monitoringInterval

Time interval between two probe attempts.

Type: string

Example: "10s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configuration.servers

List of servers that should be probed.

Note: if your mailserver has rspamd(8) configured, it can happen that emails from this exporter are marked as spam.

It’s possible to work around the issue with a config like this:

{
  services.rspamd.locals."multimap.conf".text = ''
    ALLOWLIST_PROMETHEUS {
      filter = "email:domain:tld";
      type = "from";
      map = "${pkgs.writeText "allowmap" "domain.tld"}";
      score = -100.0;
    }
  '';
}

Type: list of (submodule)

Default: [ ]

Example:

[ {
  name = "testserver";
  server = "smtp.domain.tld";
  port = 587;
  from = "exporteruser@domain.tld";
  to = "exporteruser@domain.tld";
  detectionDir = "/path/to/Maildir/new";
} ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configuration.servers.*.detectionDir

Directory in which new mails for the exporter user are placed. Note that this needs to exist when the exporter starts.

Type: path

Example: "/var/spool/mail/exporteruser/new"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configuration.servers.*.from

Content of ‘From’ Header for probing mails.

Type: string

Example: "exporteruser@domain.tld"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configuration.servers.*.login

Username to use for SMTP authentication.

Type: null or string

Default: null

Example: "exporteruser@domain.tld"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configuration.servers.*.name

Value for label ‘configname’ which will be added to all metrics.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configuration.servers.*.passphrase

Password to use for SMTP authentication.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configuration.servers.*.port

Port to use for SMTP.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Example: 587

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configuration.servers.*.server

Hostname of the server that should be probed.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.configuration.servers.*.to

Content of ‘To’ Header for probing mails.

Type: string

Example: "exporteruser@domain.tld"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.environmentFile

File containing env-vars to be substituted into the exporter’s config.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.extraFlags

Extra commandline options to pass to the mail exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.mail.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9225"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.mail.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9225 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.group

Group under which the mail exporter shall be run.

Type: string

Default: "mail-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9225

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mail.user

User name under which the mail exporter shall be run.

Type: string

Default: "mail-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mikrotik.enable

Whether to enable the prometheus mikrotik exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mikrotik.configFile

Path to a mikrotik exporter configuration file. Mutually exclusive with configuration option.

Type: null or path

Default: null

Example: ./mikrotik.yml

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mikrotik.configuration

Mikrotik exporter configuration as nix attribute set. Mutually exclusive with configFile option.

See https://github.com/nshttpd/mikrotik-exporter/blob/master/README.md for the description of the configuration file format.

Type: null or (attribute set)

Default: null

Example:

{
  devices = [
    {
      name = "my_router";
      address = "10.10.0.1";
      user = "prometheus";
      password = "changeme";
    }
  ];
  features = {
    bgp = true;
    dhcp = true;
    routes = true;
    optics = true;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mikrotik.extraFlags

Extra commandline options to pass to the mikrotik exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mikrotik.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.mikrotik.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9436"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mikrotik.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.mikrotik.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9436 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mikrotik.group

Group under which the mikrotik exporter shall be run.

Type: string

Default: "mikrotik-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mikrotik.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mikrotik.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mikrotik.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9436

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mikrotik.user

User name under which the mikrotik exporter shall be run.

Type: string

Default: "mikrotik-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.modemmanager.enable

Whether to enable the prometheus modemmanager exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.modemmanager.extraFlags

Extra commandline options to pass to the modemmanager exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.modemmanager.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.modemmanager.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9539"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.modemmanager.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.modemmanager.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9539 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.modemmanager.group

Group under which the modemmanager exporter shall be run.

Type: string

Default: "modemmanager-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.modemmanager.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.modemmanager.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.modemmanager.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9539

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.modemmanager.refreshRate

How frequently ModemManager will refresh the extended signal quality information for each modem. The duration should be specified in seconds (“5s”), minutes (“1m”), or hours (“1h”).

Type: string

Default: "5s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.modemmanager.user

User name under which the modemmanager exporter shall be run.

Type: string

Default: "modemmanager-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.enable

Whether to enable the prometheus mongodb exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.collStats

List of comma separared databases.collections to get $collStats

Type: list of string

Default: [ ]

Example:

[
  "db1.coll1"
  "db2"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.collectAll

Enable all collectors. Same as specifying all --collector.<name>

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.collector

Enabled collectors

Type: list of string

Default: [ ]

Example:

[
  "diagnosticdata"
  "replicasetstatus"
  "dbstats"
  "topmetrics"
  "currentopmetrics"
  "indexstats"
  "dbstats"
  "profile"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.extraFlags

Extra commandline options to pass to the mongodb exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.mongodb.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9216"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.mongodb.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9216 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.group

Group under which the mongodb exporter shall be run.

Type: string

Default: "mongodb-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.indexStats

List of comma separared databases.collections to get $indexStats

Type: list of string

Default: [ ]

Example:

[
  "db1.coll1"
  "db2"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9216

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.telemetryPath

Metrics expose path

Type: string

Default: "/metrics"

Example: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.uri

MongoDB URI to connect to.

Type: string

Default: "mongodb://localhost:27017/test"

Example: "mongodb://localhost:27017/test"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mongodb.user

User name under which the mongodb exporter shall be run.

Type: string

Default: "mongodb-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.enable

Whether to enable the prometheus mqtt exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.environmentFile

File to load as environment file. Useful for e.g. setting MQTT_PASSWORD without putting any secrets into the Nix store.

Type: null or path

Default: null

Example:

[
  "/run/secrets/mqtt-exporter"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.esphomeTopicPrefixes

MQTT topic used for ESPHome messages.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.extraFlags

Extra commandline options to pass to the mqtt exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.mqtt.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9000"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.mqtt.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9000 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.group

Group under which the mqtt exporter shall be run.

Type: string

Default: "mqtt-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.hubitatTopicPrefixes

MQTT topic used for Hubitat messages.

Type: list of string

Default:

[
  "hubitat/"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.keepFullTopic

Whether to enable Keep entire topic instead of the first two elements only. Usecase: Shelly 3EM.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.logLevel

Logging level

Type: one of “CRITICAL”, “ERROR”, “WARNING”, “INFO”, “DEBUG”

Default: "INFO"

Example: "DEBUG"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.logMqttMessage

Whether to enable Log MQTT original message, only if LOG_LEVEL is set to DEBUG…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.mqttAddress

IP or hostname of MQTT broker.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.mqttClientId

Set client ID manually for MQTT connection

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.mqttExposeClientId

Whether to enable Expose the client ID as a label in Prometheus metrics…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.mqttIgnoredTopics

Lists of topics to ignore. Accepts wildcards.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.mqttKeepAlive

Keep alive interval to maintain connection with MQTT broker.

Type: signed integer

Default: 60

Example: 30

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.mqttPort

TCP port of MQTT broker.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1883

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.mqttTopic

Topic path to subscribe to.

Type: string

Default: "#"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.mqttUsername

Username which should be used to authenticate against the MQTT broker.

Type: null or string

Default: null

Example: "mqttexporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.mqttV5Protocol

Whether to enable Force to use MQTT protocol v5 instead of 3.1.1…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9000

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.prometheusPrefix

Prefix added to the metric name.

Type: string

Default: "mqtt_"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.topicLabel

Define the Prometheus label for the topic.

Type: string

Default: "topic"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.user

User name under which the mqtt exporter shall be run.

Type: string

Default: "mqtt-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.zigbee2MqttAvailability

Whether to enable Normalize sensor name for device availability metric added by Zigbee2MQTT…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mqtt.zwaveTopicPrefix

MQTT topic used for Zwavejs2Mqtt messages.

Type: string

Default: "zwave/"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mysqld.enable

Whether to enable the prometheus mysqld exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mysqld.configFile

Path to the services config file.

See https://github.com/prometheus/mysqld_exporter#running for more information about the available options.

::: {.warn} Please do not store this file in the nix store if you choose to include any credentials here, as it would be world-readable. :::

Type: path

Example: "/var/lib/prometheus-mysqld-exporter.cnf"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mysqld.extraFlags

Extra commandline options to pass to the mysqld exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mysqld.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.mysqld.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9104"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mysqld.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.mysqld.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9104 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mysqld.group

Group under which the mysqld exporter shall be run.

Type: string

Default: "mysqld-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mysqld.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mysqld.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mysqld.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9104

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mysqld.runAsLocalSuperUser

Whether to run the exporter as services.mysql.user.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mysqld.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.mysqld.user

User name under which the mysqld exporter shall be run.

Type: string

Default: "mysqld-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nats.enable

Whether to enable the prometheus nats exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nats.extraFlags

Extra commandline options to pass to the nats exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nats.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.nats.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 7777"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nats.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.nats.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 7777 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nats.group

Group under which the nats exporter shall be run.

Type: string

Default: "nats-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nats.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nats.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nats.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7777

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nats.url

NATS monitor endpoint to query.

Type: string

Default: "http://127.0.0.1:8222"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nats.user

User name under which the nats exporter shall be run.

Type: string

Default: "nats-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.enable

Whether to enable the prometheus nextcloud exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.extraFlags

Extra commandline options to pass to the nextcloud exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.nextcloud.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9205"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.nextcloud.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9205 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.group

Group under which the nextcloud exporter shall be run.

Type: string

Default: "nextcloud-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.passwordFile

File containing the password for connecting to Nextcloud. Make sure that this file is readable by the exporter user.

Type: null or path

Default: null

Example: "/path/to/password-file"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9205

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.timeout

Timeout for getting server info document.

Type: string

Default: "5s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.tokenFile

File containing the token for connecting to Nextcloud. Make sure that this file is readable by the exporter user.

Type: null or path

Default: null

Example: "/path/to/token-file"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.url

URL to the Nextcloud serverinfo page. Adding the path to the serverinfo API is optional, it defaults to /ocs/v2.php/apps/serverinfo/api/v1/info.

Type: string

Example: "https://domain.tld"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.user

User name under which the nextcloud exporter shall be run.

Type: string

Default: "nextcloud-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nextcloud.username

Username for connecting to Nextcloud. Note that this account needs to have admin privileges in Nextcloud. Unused when using token authentication.

Type: string

Default: "nextcloud-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginx.enable

Whether to enable the prometheus nginx exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginx.constLabels

A list of constant labels that will be used in every metric.

Type: list of string

Default: [ ]

Example:

[
  "label1=value1"
  "label2=value2"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginx.extraFlags

Extra commandline options to pass to the nginx exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginx.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.nginx.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9113"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginx.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.nginx.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9113 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginx.group

Group under which the nginx exporter shall be run.

Type: string

Default: "nginx-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginx.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginx.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginx.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9113

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginx.scrapeUri

Address to access the nginx status page. Can be enabled with services.nginx.statusPage = true.

Type: string

Default: "http://localhost/nginx_status"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginx.sslVerify

Whether to perform certificate verification for https.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginx.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginx.user

User name under which the nginx exporter shall be run.

Type: string

Default: "nginx-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginxlog.enable

Whether to enable the prometheus nginxlog exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginxlog.extraFlags

Extra commandline options to pass to the nginxlog exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginxlog.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.nginxlog.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9117"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginxlog.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.nginxlog.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9117 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginxlog.group

Group under which the nginxlog exporter shall be run.

Type: string

Default: "nginxlog-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginxlog.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginxlog.metricsEndpoint

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginxlog.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginxlog.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9117

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginxlog.settings

All settings of nginxlog expressed as an Nix attrset.

Check the official documentation for the corresponding YAML settings that can all be used here: https://github.com/martin-helmich/prometheus-nginxlog-exporter

The listen object is already generated by port, listenAddress and metricsEndpoint and will be merged with the value of settings before writing it as JSON.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginxlog.settings.consul

Consul integration options. For more information see the example config.

This is disabled by default.

Type: null or (attribute set of anything)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginxlog.settings.namespaces

Namespaces to collect the metrics for. For more information see the example config.

Type: list of attribute set of anything

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nginxlog.user

User name under which the nginxlog exporter shall be run.

Type: string

Default: "nginxlog-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.node.enable

Whether to enable the prometheus node exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.node.enabledCollectors

Collectors to enable. The collectors listed here are enabled in addition to the default ones.

Type: list of string

Default: [ ]

Example:

[
  "systemd"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.node.disabledCollectors

Collectors to disable which are enabled by default.

Type: list of string

Default: [ ]

Example:

[
  "timex"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.node.extraFlags

Extra commandline options to pass to the node exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.node.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.node.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9100"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.node.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.node.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9100 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.node.group

Group under which the node exporter shall be run.

Type: string

Default: "node-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.node.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.node.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.node.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9100

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.node.user

User name under which the node exporter shall be run.

Type: string

Default: "node-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nut.enable

Whether to enable the prometheus nut exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nut.extraFlags

Extra commandline options to pass to the nut exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nut.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.nut.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9199"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nut.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.nut.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9199 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nut.group

Group under which the nut exporter shall be run.

Type: string

Default: "nut-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nut.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nut.nutServer

Hostname or address of the NUT server

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nut.nutUser

The user to log in into NUT server. If set, passwordPath should also be set.

Default NUT configs usually permit reading variables without authentication.

Type: string

Default: ""

Example: "nut"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nut.nutVariables

List of NUT variable names to monitor.

If no variables are set, all numeric variables will be exported automatically. See the upstream docs for more information.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nut.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nut.passwordPath

A run-time path to the nutUser password file, which should be provisioned outside of Nix store.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nut.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9199

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nut.user

User name under which the nut exporter shall be run.

Type: string

Default: "nut-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nvidia-gpu.enable

Whether to enable the prometheus nvidia-gpu exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nvidia-gpu.extraFlags

Extra commandline options to pass to the nvidia-gpu exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nvidia-gpu.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.nvidia-gpu.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9835"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nvidia-gpu.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.nvidia-gpu.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9835 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nvidia-gpu.group

Group under which the nvidia-gpu exporter shall be run.

Type: string

Default: "nvidia-gpu-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nvidia-gpu.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nvidia-gpu.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nvidia-gpu.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9835

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.nvidia-gpu.user

User name under which the nvidia-gpu exporter shall be run.

Type: string

Default: "nvidia-gpu-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.enable

Whether to enable the prometheus pgbouncer exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.package

The prometheus-pgbouncer-exporter package to use.

Type: package

Default: pkgs.prometheus-pgbouncer-exporter

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.connectionEnvFile

File that must contain the environment variable PGBOUNCER_EXPORTER_CONNECTION_STRING which is set to the connection string used by pgbouncer. I.e. the format is supposed to look like this:

PGBOUNCER_EXPORTER_CONNECTION_STRING="postgres://admin@localhost:6432/pgbouncer?sslmode=require"

NOTE: You MUST keep pgbouncer as database name (special internal db)! NOTE: services.pgbouncer.settings.pgbouncer.ignore_startup_parameters MUST contain “extra_float_digits”.

Mutually exclusive with services.prometheus.exporters.pgbouncer.connectionString.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.connectionString

Connection string for accessing pgBouncer.

NOTE: You MUST keep pgbouncer as database name (special internal db)!!!

NOTE: ignore_startup_parameters MUST contain “extra_float_digits”.

NOTE: Admin user (with password or passwordless) MUST exist in the auth_file if auth_type other than “any” is used.

WARNING: this secret is stored in the world-readable Nix store! Use services.prometheus.exporters.pgbouncer.connectionEnvFile if the URL contains a secret.

Type: null or string

Default: null

Example: "postgres://admin:@localhost:6432/pgbouncer?sslmode=require"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.extraFlags

Extra commandline options when launching Prometheus.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.pgbouncer.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9127"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.pgbouncer.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9127 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.group

Group under which the pgbouncer exporter shall be run.

Type: string

Default: "pgbouncer-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.logFormat

Output format of log messages. One of: [logfmt, json]

Type: one of “logfmt”, “json”

Default: "logfmt"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.logLevel

Only log messages with the given severity or above.

Type: one of “debug”, “info”, “warn”, “error”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.pidFile

Path to PgBouncer pid file.

If provided, the standard process metrics get exported for the PgBouncer process, prefixed with ‘pgbouncer_process_…’. The pgbouncer_process exporter needs to have read access to files owned by the PgBouncer process. Depends on the availability of /proc.

https://prometheus.io/docs/instrumenting/writing_clientlibs/#process-metrics.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9127

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.user

User name under which the pgbouncer exporter shall be run.

Type: string

Default: "pgbouncer-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.webConfigFile

Path to configuration file that can enable TLS or authentication.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pgbouncer.webSystemdSocket

Use systemd socket activation listeners instead of port listeners (Linux only).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.php-fpm.enable

Whether to enable the prometheus php-fpm exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.php-fpm.package

The prometheus-php-fpm-exporter package to use.

Type: package

Default: pkgs.prometheus-php-fpm-exporter

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.php-fpm.environmentFile

Environment file as defined in systemd.exec(5).

Secrets may be passed to the service without adding them to the world-readable Nix store, by specifying placeholder variables as the option value in Nix and setting these variables accordingly in the environment file.

Environment variables from this file will be interpolated into the config file using envsubst with this syntax: $ENVIRONMENT ${VARIABLE}

For variables to use see options and defaults.

The main use is to set the PHP_FPM_SCRAPE_URI that indicate how to connect to PHP-FPM process.

  # Content of the environment file
  PHP_FPM_SCRAPE_URI="unix:///tmp/php.sock;/status"

Note that this file needs to be available on the host on which this exporter is running.

Type: null or path

Default: null

Example: "/root/prometheus-php-fpm-exporter.env"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.php-fpm.extraFlags

Extra commandline options to pass to the php-fpm exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.php-fpm.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.php-fpm.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9253"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.php-fpm.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.php-fpm.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9253 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.php-fpm.group

Group under which the php-fpm exporter shall be run.

Type: string

Default: "php-fpm-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.php-fpm.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.php-fpm.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.php-fpm.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9253

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.php-fpm.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.php-fpm.user

User name under which the php-fpm exporter shall be run.

Type: string

Default: "php-fpm-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.enable

Whether to enable the prometheus pihole exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.apiToken

Pi-Hole API token which can be used instead of a password

Type: string

Default: ""

Example: "580a770cb40511eb85290242ac130003580a770cb40511eb85290242ac130003"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.extraFlags

Extra commandline options to pass to the pihole exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.pihole.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9617"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.pihole.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9617 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.group

Group under which the pihole exporter shall be run.

Type: string

Default: "pihole-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.password

The password to login into Pi-Hole. An api token can be used instead.

Type: string

Default: ""

Example: "password"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.piholeHostname

Hostname or address where to find the Pi-Hole webinterface

Type: string

Default: "pihole"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.piholePort

The port Pi-Hole webinterface is reachable on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 80

Example: 443

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9617

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.protocol

The protocol which is used to connect to Pi-Hole

Type: one of “http”, “https”

Default: "http"

Example: "https"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.timeout

Controls the timeout to connect to a Pi-Hole instance

Type: string

Default: "5s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pihole.user

User name under which the pihole exporter shall be run.

Type: string

Default: "pihole-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ping.enable

Whether to enable the prometheus ping exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ping.extraFlags

Extra commandline options to pass to the ping exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ping.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.ping.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9427"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ping.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.ping.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9427 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ping.group

Group under which the ping exporter shall be run.

Type: string

Default: "ping-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ping.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ping.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ping.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9427

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ping.settings

Configuration for ping_exporter, see https://github.com/czerwonk/ping_exporter for supported values.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ping.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.ping.user

User name under which the ping exporter shall be run.

Type: string

Default: "ping-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.enable

Whether to enable the prometheus postfix exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.package

The prometheus-postfix-exporter package to use.

Type: package

Default: pkgs.prometheus-postfix-exporter

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.extraFlags

Extra commandline options to pass to the postfix exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.postfix.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9154"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.postfix.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9154 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.group

Group under which the postfix exporter shall be run. It should match the group that is allowed to access the showq socket in the queue/public/ directory. Defaults to services.postfix.setgidGroup when postfix is enabled.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.logfilePath

Path where Postfix writes log entries. This file will be truncated by this exporter!

Type: path

Default: "/var/log/postfix_exporter_input.log"

Example: "/var/log/mail.log"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9154

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.showqPath

Path where Postfix places its showq socket.

Type: path

Default: "/var/lib/postfix/queue/public/showq"

Example: "/var/spool/postfix/public/showq"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.systemd.enable

Whether to enable reading metrics from the systemd journal instead of from a logfile

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.systemd.journalPath

Path to the systemd journal.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.systemd.slice

Name of the postfix systemd slice. This overrides the systemd.unit.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.systemd.unit

Name of the postfix systemd unit.

Type: string

Default: "postfix.service"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postfix.user

User name under which the postfix exporter shall be run.

Type: string

Default: "postfix-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postgres.enable

Whether to enable the prometheus postgres exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postgres.dataSourceName

Accepts PostgreSQL URI form and key=value form arguments.

Type: string

Default: "user=postgres database=postgres host=/run/postgresql sslmode=disable"

Example: "postgresql://username:password@localhost:5432/postgres?sslmode=disable"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postgres.environmentFile

Environment file as defined in systemd.exec(5).

Secrets may be passed to the service without adding them to the world-readable Nix store, by specifying placeholder variables as the option value in Nix and setting these variables accordingly in the environment file.

Environment variables from this file will be interpolated into the config file using envsubst with this syntax: $ENVIRONMENT ${VARIABLE}

The main use is to set the DATA_SOURCE_NAME that contains the postgres password

note that contents from this file will override dataSourceName if you have set it from nix.

  # Content of the environment file
  DATA_SOURCE_NAME=postgresql://username:password@localhost:5432/postgres?sslmode=disable

Note that this file needs to be available on the host on which this exporter is running.

Type: null or path

Default: null

Example: "/root/prometheus-postgres-exporter.env"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postgres.extraFlags

Extra commandline options to pass to the postgres exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postgres.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.postgres.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9187"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postgres.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.postgres.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9187 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postgres.group

Group under which the postgres exporter shall be run.

Type: string

Default: "postgres-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postgres.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postgres.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postgres.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9187

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postgres.runAsLocalSuperUser

Whether to run the exporter as the local ‘postgres’ super user.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postgres.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.postgres.user

User name under which the postgres exporter shall be run.

Type: string

Default: "postgres-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.process.enable

Whether to enable the prometheus process exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.process.extraFlags

Extra commandline options to pass to the process exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.process.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.process.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9256"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.process.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.process.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9256 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.process.group

Group under which the process exporter shall be run.

Type: string

Default: "process-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.process.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.process.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.process.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9256

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.process.settings.process_names

All settings expressed as an Nix attrset.

Check the official documentation for the corresponding YAML settings that can all be used here: https://github.com/ncabatoff/process-exporter

Type: list of anything

Default: [ ]

Example:

[
  # Remove nix store path from process name
  { name = "{{.Matches.Wrapped}} {{ .Matches.Args }}"; cmdline = [ "^/nix/store[^ ]*/(?P<Wrapped>[^ /]*) (?P<Args>.*)" ]; }
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.process.user

User name under which the process exporter shall be run.

Type: string

Default: "process-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.enable

Whether to enable the prometheus pve exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.package

The prometheus-pve-exporter package to use.

Type: package

Default: pkgs.prometheus-pve-exporter

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.collectors.cluster

Collect PVE cluster info

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.collectors.config

Collect PVE onboot status

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.collectors.node

Collect PVE node info

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.collectors.replication

Collect PVE replication info

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.collectors.resources

Collect PVE resources info

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.collectors.status

Collect Node/VM/CT status

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.collectors.version

Collect PVE version info

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.configFile

Path to the service’s config file. This path can either be a computed path in /nix/store or a path in the local filesystem.

The config file should NOT be stored in /nix/store as it will contain passwords and/or keys in plain text.

If both configFile and environmentFile are provided, the configFile option will be ignored.

Configuration reference: https://github.com/prometheus-pve/prometheus-pve-exporter/#authentication

Type: null or path

Default: null

Example: "/etc/prometheus-pve-exporter/pve.yml"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.environmentFile

Path to the service’s environment file. This path can either be a computed path in /nix/store or a path in the local filesystem.

The environment file should NOT be stored in /nix/store as it contains passwords and/or keys in plain text.

Environment reference: https://github.com/prometheus-pve/prometheus-pve-exporter#authentication

Type: null or path

Default: null

Example: "/etc/prometheus-pve-exporter/pve.env"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.extraFlags

Extra commandline options to pass to the pve exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.pve.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9221"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.pve.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9221 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.group

Group under which the pve exporter shall be run.

Type: string

Default: "pve-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9221

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.server.certFile

Path to a SSL certificate file for the server

Type: null or path

Default: null

Example: "/var/lib/prometheus-pve-exporter/full-chain.pem"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.server.keyFile

Path to a SSL private key file for the server

Type: null or path

Default: null

Example: "/var/lib/prometheus-pve-exporter/privkey.key"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.pve.user

User name under which the pve exporter shall be run.

Type: string

Default: "pve-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.py-air-control.enable

Whether to enable the prometheus py-air-control exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.py-air-control.deviceHostname

The hostname of the air purification device from which to scrape the metrics.

Type: string

Example: "192.168.1.123"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.py-air-control.extraFlags

Extra commandline options to pass to the py-air-control exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.py-air-control.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.py-air-control.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9896"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.py-air-control.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.py-air-control.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9896 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.py-air-control.group

Group under which the py-air-control exporter shall be run.

Type: string

Default: "py-air-control-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.py-air-control.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.py-air-control.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.py-air-control.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9896

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.py-air-control.protocol

The protocol to use when communicating with the air purification device. Available: [http, coap, plain_coap]

Type: string

Default: "http"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.py-air-control.stateDir

Directory below /var/lib to store runtime data. This directory will be created automatically using systemd’s StateDirectory mechanism.

Type: string

Default: "prometheus-py-air-control-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.py-air-control.user

User name under which the py-air-control exporter shall be run.

Type: string

Default: "py-air-control-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.redis.enable

Whether to enable the prometheus redis exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.redis.extraFlags

Extra commandline options to pass to the redis exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.redis.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.redis.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9121"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.redis.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.redis.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9121 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.redis.group

Group under which the redis exporter shall be run.

Type: string

Default: "redis-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.redis.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.redis.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.redis.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9121

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.redis.user

User name under which the redis exporter shall be run.

Type: string

Default: "redis-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.enable

Whether to enable the prometheus restic exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.environmentFile

File containing the credentials to access the repository, in the format of an EnvironmentFile as described by systemd.exec(5)

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.extraFlags

Extra commandline options to pass to the restic exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.restic.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9753"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.restic.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9753 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.group

Group under which the restic exporter shall be run.

Type: string

Default: "restic-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.passwordFile

File containing the password to the repository.

Type: path

Example: "/etc/nixos/restic-password"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9753

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.rcloneConfig

Configuration for the rclone remote being used for backup. See the remote’s specific options under rclone’s docs at https://rclone.org/docs/. When specifying option names, use the “config” name specified in the docs. For example, to set --b2-hard-delete for a B2 remote, use hard_delete = true in the attribute set.

Warning

Secrets set in here will be world-readable in the Nix store! Consider using the rcloneConfigFile option instead to specify secret values separately. Note that options set here will override those set in the config file.

Type: attribute set of (string or boolean)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.rcloneConfigFile

Path to the file containing rclone configuration. This file must contain configuration for the remote specified in this backup set and also must be readable by root.

Caution

Options set in rcloneConfig will override those set in this file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.rcloneOptions

Options to pass to rclone to control its behavior. See https://rclone.org/docs/#options for available options. When specifying option names, strip the leading --. To set a flag such as --drive-use-trash, which does not take a value, set the value to the Boolean true.

Type: attribute set of (string or boolean)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.refreshInterval

Refresh interval for the metrics in seconds. Computing the metrics is an expensive task, keep this value as high as possible.

Type: unsigned integer, meaning >=0

Default: 60

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.repository

URI pointing to the repository to monitor.

Type: null or string

Default: null

Example: "sftp:backup@192.168.1.100:/backups/example"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.repositoryFile

Path to the file containing the URI for the repository to monitor.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.restic.user

User name under which the restic exporter shall be run.

Type: string

Default: "restic-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rspamd.enable

Whether to enable the prometheus rspamd exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rspamd.extraFlags

Extra commandline options to pass to the rspamd exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rspamd.extraLabels

Set of labels added to each metric.

Type: attribute set of string

Default: { host = config.networking.hostName; }

Example:

{
  host = config.networking.hostName;
  custom_label = "some_value";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rspamd.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.rspamd.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 7980"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rspamd.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.rspamd.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 7980 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rspamd.group

Group under which the rspamd exporter shall be run.

Type: string

Default: "rspamd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rspamd.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rspamd.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rspamd.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7980

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rspamd.user

User name under which the rspamd exporter shall be run.

Type: string

Default: "rspamd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.enable

Whether to enable the prometheus rtl_433 exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.channels

List of channel matchers to export.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    channel = 6543;
    location = "Kitchen";
    name = "Acurite";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.channels.*.channel

Channel to match.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.channels.*.location

Location to match.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.channels.*.name

Name to match.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.extraFlags

Extra commandline options to pass to the rtl_433 exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.rtl_433.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9550"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.rtl_433.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9550 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.group

Group under which the rtl_433 exporter shall be run.

Type: string

Default: "rtl_433-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.ids

List of ID matchers to export.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    id = 1;
    location = "Bedroom";
    name = "Nexus";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.ids.*.id

ID to match.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.ids.*.location

Location to match.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.ids.*.name

Name to match.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9550

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.rtl433Flags

Flags passed verbatim to rtl_433 binary. Having -C si (the default) is recommended since only Celsius temperatures are parsed.

Type: string

Default: "-C si"

Example: "-C si -R 19"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.rtl_433.user

User name under which the rtl_433 exporter shall be run.

Type: string

Default: "rtl_433-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sabnzbd.enable

Whether to enable the prometheus sabnzbd exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sabnzbd.extraFlags

Extra commandline options to pass to the sabnzbd exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sabnzbd.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.sabnzbd.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9387"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sabnzbd.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.sabnzbd.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9387 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sabnzbd.group

Group under which the sabnzbd exporter shall be run.

Type: string

Default: "sabnzbd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sabnzbd.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sabnzbd.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sabnzbd.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9387

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sabnzbd.servers

List of sabnzbd servers to connect to.

Type: list of (submodule)

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sabnzbd.servers.*.apiKeyFile

The path to a file containing the API key. The file is securely passed to the service by leveraging systemd credentials. No special permissions need to be set on this file.

Type: string

Example: "/run/secrets/sabnzbd_apikey"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sabnzbd.servers.*.baseUrl

Base URL of the sabnzbd server.

Type: string

Example: "http://localhost:8080/sabnzbd"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sabnzbd.user

User name under which the sabnzbd exporter shall be run.

Type: string

Default: "sabnzbd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.scaphandre.enable

Whether to enable the prometheus scaphandre exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.scaphandre.extraFlags

Extra commandline options to pass to the scaphandre exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.scaphandre.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.scaphandre.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 8080"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.scaphandre.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.scaphandre.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 8080 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.scaphandre.group

Group under which the scaphandre exporter shall be run.

Type: string

Default: "scaphandre-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.scaphandre.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.scaphandre.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.scaphandre.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.scaphandre.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.scaphandre.user

User name under which the scaphandre exporter shall be run.

Type: string

Default: "scaphandre-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.script.enable

Whether to enable the prometheus script exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.script.extraFlags

Extra commandline options to pass to the script exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.script.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.script.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9172"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.script.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.script.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9172 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.script.group

Group under which the script exporter shall be run.

Type: string

Default: "script-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.script.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.script.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.script.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9172

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.script.settings.scripts

All settings expressed as an Nix attrset.

Check the official documentation for the corresponding YAML settings that can all be used here: https://github.com/adhocteam/script_exporter#sample-configuration

Type: list of (submodule)

Example:

{
  scripts = [
    { name = "sleep"; script = "sleep 5"; }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.script.settings.scripts.*.name

Name of the script.

Type: string

Example: "sleep"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.script.settings.scripts.*.script

Shell script to execute when metrics are requested.

Type: string

Example: "sleep 5"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.script.settings.scripts.*.timeout

Optional timeout for the script in seconds.

Type: null or signed integer

Default: null

Example: 60

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.script.user

User name under which the script exporter shall be run.

Type: string

Default: "script-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.shelly.enable

Whether to enable the prometheus shelly exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.shelly.extraFlags

Extra commandline options to pass to the shelly exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.shelly.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.shelly.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9784"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.shelly.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.shelly.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9784 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.shelly.group

Group under which the shelly exporter shall be run.

Type: string

Default: "shelly-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.shelly.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.shelly.metrics-file

Path to the JSON file with the metric definitions

Type: path

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.shelly.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.shelly.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9784

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.shelly.user

User name under which the shelly exporter shall be run.

Type: string

Default: "shelly-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smartctl.enable

Whether to enable the prometheus smartctl exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smartctl.devices

Paths to the disks that will be monitored. Will autodiscover all disks if none given.

Type: list of string

Default: [ ]

Example:

[ "/dev/sda", "/dev/nvme0n1" ];

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smartctl.extraFlags

Extra commandline options to pass to the smartctl exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smartctl.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.smartctl.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9633"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smartctl.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.smartctl.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9633 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smartctl.group

Group under which the smartctl exporter shall be run.

Type: string

Default: "smartctl-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smartctl.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smartctl.maxInterval

Interval that limits how often a disk can be queried.

Type: string

Default: "60s"

Example: "2m"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smartctl.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smartctl.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9633

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smartctl.user

User name under which the smartctl exporter shall be run.

Type: string

Default: "smartctl-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smokeping.enable

Whether to enable the prometheus smokeping exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smokeping.buckets

List of buckets to use for the response duration histogram.

Type: strings concatenated with “,”

Default: "5e-05,0.0001,0.0002,0.0004,0.0008,0.0016,0.0032,0.0064,0.0128,0.0256,0.0512,0.1024,0.2048,0.4096,0.8192,1.6384,3.2768,6.5536,13.1072,26.2144"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smokeping.extraFlags

Extra commandline options to pass to the smokeping exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smokeping.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.smokeping.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9374"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smokeping.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.smokeping.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9374 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smokeping.group

Group under which the smokeping exporter shall be run.

Type: string

Default: "smokeping-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smokeping.hosts

List of endpoints to probe.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smokeping.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smokeping.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smokeping.pingInterval

Interval between pings.

Type: Go duration (https://golang.org/pkg/time/#ParseDuration)

Default: "1s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smokeping.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9374

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smokeping.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.smokeping.user

User name under which the smokeping exporter shall be run.

Type: string

Default: "smokeping-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.enable

Whether to enable the prometheus snmp exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.enableConfigCheck

Whether to run a correctness check for the configuration file. This depends on the configuration file residing in the nix-store. Paths passed as string will be copied to the store.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.configuration

Snmp exporter configuration as nix attribute set. Mutually exclusive with ‘configurationPath’ option.

Type: null or (attribute set)

Default: null

Example:

{
  auths = {
    public_v2 = {
      community = "public";
      version = 2;
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.configurationPath

Path to a snmp exporter configuration file. Mutually exclusive with ‘configuration’ option.

Type: null or path

Default: null

Example: ./snmp.yml

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.environmentFile

EnvironmentFile as defined in systemd.exec(5).

Secrets may be passed to the service without adding them to the world-readable Nix store, by specifying placeholder variables as the option value in Nix and setting these variables accordingly in the environment file.

Environment variables from this file will be interpolated into the config file using envsubst with this syntax: $ENVIRONMENT ${VARIABLE}

For variables to use see Prometheus Configuration.

If the file path is set to this option, the parameter --config.expand-environment-variables is implicitly added to ExecStart.

Note that this file needs to be available on the host on which this exporter is running.

Type: null or path

Default: null

Example: "/root/prometheus-snmp-exporter.env"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.extraFlags

Extra commandline options to pass to the snmp exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.snmp.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9116"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.snmp.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9116 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.group

Group under which the snmp exporter shall be run.

Type: string

Default: "snmp-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.logFormat

Output format of log messages.

Type: one of “logfmt”, “json”

Default: "logfmt"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.logLevel

Only log messages with the given severity or above.

Type: one of “debug”, “info”, “warn”, “error”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9116

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.snmp.user

User name under which the snmp exporter shall be run.

Type: string

Default: "snmp-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.enable

Whether to enable the prometheus sql exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.configFile

Path to configuration file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.configuration

Exporter configuration as nix attribute set. Mutually exclusive with ‘configFile’ option.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.configuration.jobs

An attrset of metrics scraping jobs to run.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.configuration.jobs.<name>.connections

A list of connection strings of the SQL servers to scrape metrics from

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.configuration.jobs.<name>.interval

How often to run this job, specified in Go duration format.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.configuration.jobs.<name>.queries

SQL queries to run.

Type: attribute set of (submodule)

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.configuration.jobs.<name>.queries.<name>.help

A human-readable description of this metric.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.configuration.jobs.<name>.queries.<name>.labels

A set of columns that will be used as Prometheus labels.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.configuration.jobs.<name>.queries.<name>.query

The SQL query to run.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.configuration.jobs.<name>.queries.<name>.values

A set of columns that will be used as values of this metric.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.configuration.jobs.<name>.startupSql

A list of SQL statements to execute once after making a connection.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.extraFlags

Extra commandline options to pass to the sql exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.sql.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9237"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.sql.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9237 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.group

Group under which the sql exporter shall be run.

Type: string

Default: "sql-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9237

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.sql.user

User name under which the sql exporter shall be run.

Type: string

Default: "sql-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.statsd.enable

Whether to enable the prometheus statsd exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.statsd.extraFlags

Extra commandline options to pass to the statsd exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.statsd.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.statsd.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9102"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.statsd.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.statsd.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9102 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.statsd.group

Group under which the statsd exporter shall be run.

Type: string

Default: "statsd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.statsd.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.statsd.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.statsd.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9102

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.statsd.user

User name under which the statsd exporter shall be run.

Type: string

Default: "statsd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.surfboard.enable

Whether to enable the prometheus surfboard exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.surfboard.extraFlags

Extra commandline options to pass to the surfboard exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.surfboard.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.surfboard.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9239"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.surfboard.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.surfboard.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9239 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.surfboard.group

Group under which the surfboard exporter shall be run.

Type: string

Default: "surfboard-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.surfboard.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.surfboard.modemAddress

The hostname or IP of the cable modem.

Type: string

Default: "192.168.100.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.surfboard.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.surfboard.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9239

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.surfboard.user

User name under which the surfboard exporter shall be run.

Type: string

Default: "surfboard-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.systemd.enable

Whether to enable the prometheus systemd exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.systemd.extraFlags

Extra commandline options to pass to the systemd exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.systemd.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.systemd.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9558"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.systemd.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.systemd.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9558 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.systemd.group

Group under which the systemd exporter shall be run.

Type: string

Default: "systemd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.systemd.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.systemd.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.systemd.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9558

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.systemd.user

User name under which the systemd exporter shall be run.

Type: string

Default: "systemd-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.enable

Whether to enable the prometheus unbound exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.extraFlags

Extra commandline options to pass to the unbound exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.unbound.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9167"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.unbound.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9167 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.group

Group under which the unbound exporter shall be run.

Type: string

Default: "unbound-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9167

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.unbound.ca

Path to the Unbound server certificate authority

Type: null or path

Default: "/var/lib/unbound/unbound_server.pem"

Example: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.unbound.certificate

Path to the Unbound control socket certificate

Type: null or path

Default: "/var/lib/unbound/unbound_control.pem"

Example: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.unbound.host

Path to the unbound control socket. Supports unix domain sockets, as well as the TCP interface.

Type: string

Default: "tcp://127.0.0.1:8953"

Example: "unix:///run/unbound/unbound.socket"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.unbound.key

Path to the Unbound control socket key.

Type: null or path

Default: "/var/lib/unbound/unbound_control.key"

Example: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unbound.user

User name under which the unbound exporter shall be run.

Type: string

Default: "unbound-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.enable

Whether to enable the prometheus unpoller exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.controllers

List of Unifi controllers to poll. Use defaults if empty.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.controllers.*.hash_pii

Hash, with md5, client names and MAC addresses. This attempts to protect personally identifiable information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.prometheus.exporters.unpoller.controllers.*.pass

Path of a file containing the password for the unifi service user. This file needs to be readable by the unifi-poller user.

Type: path

Default: unpoller-unifi-default.password

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.prometheus.exporters.unpoller.controllers.*.save_alarms

Collect and save data from UniFi alarms to influxdb and Loki.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.prometheus.exporters.unpoller.controllers.*.save_anomalies

Collect and save data from UniFi anomalies to influxdb and Loki.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.prometheus.exporters.unpoller.controllers.*.save_dpi

Collect and save data from deep packet inspection. Adds around 150 data points and impacts performance.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.prometheus.exporters.unpoller.controllers.*.save_events

Collect and save data from UniFi events to influxdb and Loki.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.prometheus.exporters.unpoller.controllers.*.save_ids

Collect and save data from the intrusion detection system to influxdb and Loki.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.prometheus.exporters.unpoller.controllers.*.save_sites

Collect and save site data.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.prometheus.exporters.unpoller.controllers.*.sites

List of site names for which statistics should be exported. Or the string “default” for the default site or the string “all” for all sites.

Type: one of “default”, “all” or list of string

Default: "all"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.prometheus.exporters.unpoller.controllers.*.url

URL of the Unifi controller.

Type: string

Default: "https://unifi:8443"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.prometheus.exporters.unpoller.controllers.*.user

Unifi service user name.

Type: string

Default: "unifi"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.prometheus.exporters.unpoller.controllers.*.verify_ssl

Verify the Unifi controller’s certificate.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.prometheus.exporters.unpoller.extraFlags

Extra commandline options to pass to the unpoller exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.unpoller.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9130"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.unpoller.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9130 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.group

Group under which the unpoller exporter shall be run.

Type: string

Default: "unpoller-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.log.debug

Whether to enable debug logging including line numbers, high resolution timestamps, per-device logs.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.log.prometheusErrors

Whether to enable emitting errors to prometheus.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.log.quiet

Whether to enable startup and error logs only.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.loki.interval

How often the events are polled and pushed to Loki.

Type: string

Default: "2m"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.loki.pass

Path of a file containing the password for Loki. This file needs to be readable by the unifi-poller user.

Type: path

Default: "unpoller-influxdb-default.password"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.loki.tenant_id

Tenant ID to use in Loki.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.loki.timeout

Should be increased in case of timeout errors.

Type: string

Default: "10s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.loki.url

URL of the Loki host.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.loki.user

Username for Loki.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.loki.verify_ssl

Verify Loki’s certificate.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9130

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.unpoller.user

User name under which the unpoller exporter shall be run.

Type: string

Default: "unpoller-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.v2ray.enable

Whether to enable the prometheus v2ray exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.v2ray.extraFlags

Extra commandline options to pass to the v2ray exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.v2ray.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.v2ray.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9299"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.v2ray.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.v2ray.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9299 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.v2ray.group

Group under which the v2ray exporter shall be run.

Type: string

Default: "v2ray-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.v2ray.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.v2ray.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.v2ray.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9299

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.v2ray.user

User name under which the v2ray exporter shall be run.

Type: string

Default: "v2ray-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.v2ray.v2rayEndpoint

v2ray grpc api endpoint

Type: string

Default: "127.0.0.1:54321"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.enable

Whether to enable the prometheus varnish exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.extraFlags

Extra commandline options to pass to the varnish exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.varnish.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9131"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.varnish.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9131 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.group

Group under which the varnish exporter shall be run.

Type: string

Default: "varnish-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.healthPath

Path under which to expose healthcheck. Disabled unless configured.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.instance

varnishstat -n value.

Type: null or string

Default: config.services.varnish.stateDir

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.noExit

Do not exit server on Varnish scrape errors.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9131

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.raw

Enable raw stdout logging without timestamps.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.user

User name under which the varnish exporter shall be run.

Type: string

Default: "varnish-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.varnishStatPath

Path to varnishstat.

Type: string

Default: "varnishstat"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.verbose

Enable verbose logging.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.varnish.withGoMetrics

Export go runtime and http handler metrics.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.wireguard.enable

Whether to enable the prometheus wireguard exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.wireguard.extraFlags

Extra commandline options to pass to the wireguard exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.wireguard.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.wireguard.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9586"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.wireguard.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.wireguard.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9586 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.wireguard.group

Group under which the wireguard exporter shall be run.

Type: string

Default: "wireguard-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.wireguard.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.wireguard.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.wireguard.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9586

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.wireguard.singleSubnetPerField

By default, all allowed IPs and subnets are comma-separated in the allowed_ips field. With this option enabled, a single IP and subnet will be listed in fields like allowed_ip_0, allowed_ip_1 and so on.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.wireguard.user

User name under which the wireguard exporter shall be run.

Type: string

Default: "wireguard-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.wireguard.verbose

Whether to enable verbose logging mode for prometheus-wireguard-exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.wireguard.wireguardConfig

Path to the Wireguard Config to add the peer’s name to the stats of a peer.

Please note that networking.wg-quick is required for this feature as networking.wireguard uses wg(8) to set the peers up.

Type: null or path or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.wireguard.withRemoteIp

Whether or not the remote IP of a WireGuard peer should be exposed via prometheus.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.zfs.enable

Whether to enable the prometheus zfs exporter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.zfs.extraFlags

Extra commandline options to pass to the zfs exporter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.zfs.firewallFilter

Specify a filter for iptables to use when services.prometheus.exporters.zfs.openFirewall is true. It is used as ip46tables -I nixos-fw firewallFilter -j nixos-fw-accept.

Type: null or string

Default: null

Example:

"-i eth0 -p tcp -m tcp --dport 9134"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.zfs.firewallRules

Specify rules for nftables to add to the input chain when services.prometheus.exporters.zfs.openFirewall is true.

Type: null or strings concatenated with “\n”

Default: null

Example:

iifname "eth0" tcp dport 9134 counter accept

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.zfs.group

Group under which the zfs exporter shall be run.

Type: string

Default: "zfs-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.zfs.listenAddress

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.zfs.openFirewall

Open port in firewall for incoming connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.zfs.pools

Name of the pool(s) to collect, repeat for multiple pools (default: all pools).

Type: null or (list of string)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.zfs.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9134

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.zfs.telemetryPath

Path under which to expose metrics.

Type: string

Default: "/metrics"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.exporters.zfs.user

User name under which the zfs exporter shall be run.

Type: string

Default: "zfs-exporter"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/exporters.nix>
services.prometheus.extraFlags

Extra commandline options when launching Prometheus.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.globalConfig

Parameters that are valid in all configuration contexts. They also serve as defaults for other configuration sections

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.globalConfig.evaluation_interval

How frequently to evaluate rules by default.

Defaults to 1m in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.globalConfig.external_labels

The labels to add to any time series or alerts when communicating with external systems (federation, remote storage, Alertmanager).

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.globalConfig.query_log_file

Path to the file prometheus should write its query log to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.globalConfig.scrape_interval

How frequently to scrape targets by default.

Defaults to 1m in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.globalConfig.scrape_timeout

How long until a scrape request times out.

Defaults to 10s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.listenAddress

Address to listen on for the web interface, API, and telemetry.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.port

Port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9090

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.pushgateway.enable

Whether to enable Prometheus Pushgateway.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/pushgateway.nix>
services.prometheus.pushgateway.package

The prometheus-pushgateway package to use.

Type: package

Default: pkgs.prometheus-pushgateway

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/pushgateway.nix>
services.prometheus.pushgateway.extraFlags

Extra commandline options when launching the Pushgateway.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/pushgateway.nix>
services.prometheus.pushgateway.log.format

Set the log target and format.

null will default to logger:stderr.

Type: null or string

Default: null

Example: "logger:syslog?appname=bob&local=7"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/pushgateway.nix>
services.prometheus.pushgateway.log.level

Only log messages with the given severity or above.

null will default to info.

Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/pushgateway.nix>
services.prometheus.pushgateway.persistMetrics

Whether to persist metrics to a file.

When enabled metrics will be saved to a file called metrics in the directory /var/lib/pushgateway. The directory below /var/lib can be set using services.prometheus.pushgateway.stateDir.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/pushgateway.nix>
services.prometheus.pushgateway.persistence.interval

The minimum interval at which to write out the persistence file.

null will default to 5m.

Type: null or string

Default: null

Example: "10m"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/pushgateway.nix>
services.prometheus.pushgateway.stateDir

Directory below /var/lib to store metrics.

This directory will be created automatically using systemd’s StateDirectory mechanism when services.prometheus.pushgateway.persistMetrics is enabled.

Type: string

Default: "pushgateway"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/pushgateway.nix>
services.prometheus.pushgateway.web.external-url

The URL under which Pushgateway is externally reachable.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/pushgateway.nix>
services.prometheus.pushgateway.web.listen-address

Address to listen on for the web interface, API and telemetry.

null will default to :9091.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/pushgateway.nix>
services.prometheus.pushgateway.web.route-prefix

Prefix for the internal routes of web endpoints.

Defaults to the path of services.prometheus.pushgateway.web.external-url.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/pushgateway.nix>
services.prometheus.pushgateway.web.telemetry-path

Path under which to expose metrics.

null will default to /metrics.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/pushgateway.nix>
services.prometheus.remoteRead

Parameters of the endpoints to query from. See the official documentation for more information.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.basic_auth

Sets the Authorization header on every remote read request with the configured username and password. password and password_file are mutually exclusive.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.bearer_token

Sets the Authorization header on every remote read request with the configured bearer token. It is mutually exclusive with bearer_token_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.bearer_token_file

Sets the Authorization header on every remote read request with the bearer token read from the configured file. It is mutually exclusive with bearer_token.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.headers

Custom HTTP headers to be sent along with each remote read request. Be aware that headers that are set by Prometheus itself can’t be overwritten.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.name

Name of the remote read config, which if specified must be unique among remote read configs. The name will be used in metrics and logging in place of a generated value to help users distinguish between remote read configs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.proxy_url

Optional Proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.read_recent

Whether reads should be made for queries for time ranges that the local storage should have complete data for.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.remote_timeout

Timeout for requests to the remote read endpoint.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.required_matchers

An optional list of equality matchers which have to be present in a selector to query the remote read endpoint.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.tls_config

Configures the remote read request’s TLS settings.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteRead.*.url

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite

Parameters of the endpoints to send samples to. See the official documentation for more information.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.basic_auth

Sets the Authorization header on every remote write request with the configured username and password. password and password_file are mutually exclusive.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.bearer_token

Sets the Authorization header on every remote write request with the configured bearer token. It is mutually exclusive with bearer_token_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.bearer_token_file

Sets the Authorization header on every remote write request with the bearer token read from the configured file. It is mutually exclusive with bearer_token.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.headers

Custom HTTP headers to be sent along with each remote write request. Be aware that headers that are set by Prometheus itself can’t be overwritten.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.metadata_config

Configures the sending of series metadata to remote storage. Metadata configuration is subject to change at any point or be removed in future releases.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.metadata_config.send

Whether metric metadata is sent to remote storage or not.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.metadata_config.send_interval

How frequently metric metadata is sent to remote storage.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.name

Name of the remote write config, which if specified must be unique among remote write configs. The name will be used in metrics and logging in place of a generated value to help users distinguish between remote write configs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.proxy_url

Optional Proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.queue_config

Configures the queue used to write to remote storage.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.queue_config.batch_send_deadline

Maximum time a sample will wait in buffer.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.queue_config.capacity

Number of samples to buffer per shard before we block reading of more samples from the WAL. It is recommended to have enough capacity in each shard to buffer several requests to keep throughput up while processing occasional slow remote requests.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.queue_config.max_backoff

Maximum retry delay.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.queue_config.max_samples_per_send

Maximum number of samples per send.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.queue_config.max_shards

Maximum number of shards, i.e. amount of concurrency.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.queue_config.min_backoff

Initial retry delay. Gets doubled for every retry.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.queue_config.min_shards

Minimum number of shards, i.e. amount of concurrency.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.remote_timeout

Timeout for requests to the remote write endpoint.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.sigv4

Configures AWS Signature Version 4 settings.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.sigv4.access_key

The Access Key ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.sigv4.profile

The named AWS profile used to authenticate.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.sigv4.region

The AWS region.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.sigv4.role_arn

The AWS role ARN.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.sigv4.secret_key

The Secret Access Key.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.tls_config

Configures the remote write request’s TLS settings.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.url

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.write_relabel_configs

List of remote write relabel configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.write_relabel_configs.*.action

Action to perform based on regex matching.

Defaults to replace in prometheus when set to null.

Type: null or one of “replace”, “lowercase”, “uppercase”, “keep”, “drop”, “hashmod”, “labelmap”, “labeldrop”, “labelkeep”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.write_relabel_configs.*.modulus

Modulus to take of the hash of the source label values.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.write_relabel_configs.*.regex

Regular expression against which the extracted value is matched.

Defaults to (.*) in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.write_relabel_configs.*.replacement

Replacement value against which a regex replace is performed if the regular expression matches.

Defaults to $1 in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.write_relabel_configs.*.separator

Separator placed between concatenated source label values.

Defaults to ; in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.write_relabel_configs.*.source_labels

The source labels select values from existing labels. Their content is concatenated using the configured separator and matched against the configured regular expression.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.remoteWrite.*.write_relabel_configs.*.target_label

Label to which the resulting value is written in a replace action. It is mandatory for replace actions.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.retentionTime

How long to retain samples in storage.

Type: null or string

Default: null

Example: "15d"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.ruleFiles

Any additional rules files to include in this configuration.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.rules

Alerting and/or Recording rules to evaluate at runtime.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.sachet.enable

Whether to enable Sachet, an SMS alerting tool for the Prometheus Alertmanager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/sachet.nix>
services.prometheus.sachet.address

The address Sachet will listen to.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/sachet.nix>
services.prometheus.sachet.configuration

Sachet’s configuration as a nix attribute set.

Type: null or (attribute set)

Default: null

Example:

{
  providers = {
    twilio = {
      # environment variables gets expanded at runtime
      account_sid = "$TWILIO_ACCOUNT";
      auth_token = "$TWILIO_TOKEN";
    };
  };
  templates = [ ./some-template.tmpl ];
  receivers = [{
    name = "pager";
    provider = "twilio";
    to = [ "+33123456789" ];
    text = "{{ template \"message\" . }}";
  }];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/sachet.nix>
services.prometheus.sachet.port

The port Sachet will listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9876

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/sachet.nix>
services.prometheus.scrapeConfigs

A list of scrape configurations.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.authorization

Sets the Authorization header on every scrape request with the configured credentials.

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs

List of Azure service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.authentication_method

The authentication method, either OAuth or ManagedIdentity. See https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Defaults to OAuth in prometheus when set to null.

Type: null or one of “OAuth”, “ManagedIdentity”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.client_id

Optional client ID. Only required with authentication_method OAuth.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.client_secret

Optional client secret. Only required with authentication_method OAuth.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.environment

The Azure environment.

Defaults to AzurePublicCloud in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.port

The port to scrape metrics from. If using the public IP address, this must instead be specified in the relabeling rule.

Defaults to 80 in prometheus when set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.refresh_interval

Refresh interval to re-read the instance list.

Defaults to 300s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.subscription_id

The subscription ID.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tenant_id

Optional tenant ID. Only required with authentication_method OAuth.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.basic_auth

Sets the Authorization header on every scrape request with the configured username and password. password and password_file are mutually exclusive.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.bearer_token

Sets the Authorization header on every scrape request with the configured bearer token. It is mutually exclusive with bearer_token_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.bearer_token_file

Sets the Authorization header on every scrape request with the bearer token read from the configured file. It is mutually exclusive with bearer_token.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.body_size_limit

An uncompressed response body larger than this many bytes will cause the scrape to fail. 0 means no limit. Example: 100MB. This is an experimental feature, this behaviour could change or be removed in the future.

Defaults to 0 in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs

List of Consul service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.allow_stale

Allow stale Consul results (see https://www.consul.io/api/index.html#consistency-modes).

Will reduce load on Consul.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.authorization

Optional Authorization header configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.authorization.credentials

Sets the credentials. It is mutually exclusive with credentials_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.authorization.credentials_file

Sets the credentials to the credentials read from the configured file. It is mutually exclusive with credentials.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.authorization.type

Sets the authentication type.

Defaults to Bearer in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.basic_auth

Optional HTTP basic authentication information.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.datacenter

Consul datacenter

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.node_meta

Node metadata used to filter nodes for a given service.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.oauth2

Optional OAuth 2.0 configuration. Cannot be used at the same time as basic_auth or authorization.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.oauth2.client_id

OAuth client ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.oauth2.client_secret

OAuth client secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.oauth2.client_secret_file

Read the client secret from a file. It is mutually exclusive with client_secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.oauth2.endpoint_params

Optional parameters to append to the token URL.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.oauth2.scopes

Scopes for the token request.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.oauth2.token_url

The URL to fetch the token from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.password

Consul password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.refresh_interval

The time after which the provided names are refreshed.

On large setup it might be a good idea to increase this value because the catalog will change all the time.

Defaults to 30s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.scheme

Consul scheme Defaults to http in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.server

Consul server to query.

Defaults to localhost:8500 in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.services

A list of services for which targets are retrieved.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tag_separator

The string by which Consul tags are joined into the tag label.

Defaults to , in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tags

An optional list of tags used to filter nodes for a given service. Services must contain all tags in the list.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config

Configures the Consul request’s TLS settings.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.token

Consul token

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.consul_sd_configs.*.username

Consul username

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs

List of DigitalOcean service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.authorization

Optional Authorization header configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.authorization.credentials

Sets the credentials. It is mutually exclusive with credentials_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.authorization.credentials_file

Sets the credentials to the credentials read from the configured file. It is mutually exclusive with credentials.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.authorization.type

Sets the authentication type.

Defaults to Bearer in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.basic_auth

Optional HTTP basic authentication information.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.oauth2

Optional OAuth 2.0 configuration. Cannot be used at the same time as basic_auth or authorization.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.oauth2.client_id

OAuth client ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.oauth2.client_secret

OAuth client secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.oauth2.client_secret_file

Read the client secret from a file. It is mutually exclusive with client_secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.oauth2.endpoint_params

Optional parameters to append to the token URL.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.oauth2.scopes

Scopes for the token request.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.oauth2.token_url

The URL to fetch the token from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.port

The port to scrape metrics from.

Defaults to 80 in prometheus when set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.refresh_interval

The time after which the droplets are refreshed.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dns_sd_configs

List of DNS service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dns_sd_configs.*.names

A list of DNS SRV record names to be queried.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dns_sd_configs.*.port

The port number used if the query type is not SRV.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dns_sd_configs.*.refresh_interval

The time after which the provided names are refreshed.

Defaults to 30s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dns_sd_configs.*.type

The type of DNS query to perform. One of SRV, A, or AAAA.

Defaults to SRV in prometheus when set to null.

Type: null or one of “SRV”, “A”, “AAAA”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs

List of Docker service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.authorization

Optional Authorization header configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.authorization.credentials

Sets the credentials. It is mutually exclusive with credentials_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.authorization.credentials_file

Sets the credentials to the credentials read from the configured file. It is mutually exclusive with credentials.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.authorization.type

Sets the authentication type.

Defaults to Bearer in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.basic_auth

Optional HTTP basic authentication information.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.filters

Optional filters to limit the discovery process to a subset of available resources.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.filters.*.name

Name of the filter. The available filters are listed in the upstream documentation: Services: https://docs.docker.com/engine/api/v1.40/#operation/ServiceList Tasks: https://docs.docker.com/engine/api/v1.40/#operation/TaskList Nodes: https://docs.docker.com/engine/api/v1.40/#operation/NodeList

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.filters.*.values

Value for the filter.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.host

Address of the Docker daemon.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.host_networking_host

The host to use if the container is in host networking mode.

Defaults to localhost in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.oauth2

Optional OAuth 2.0 configuration. Cannot be used at the same time as basic_auth or authorization.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.oauth2.client_id

OAuth client ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.oauth2.client_secret

OAuth client secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.oauth2.client_secret_file

Read the client secret from a file. It is mutually exclusive with client_secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.oauth2.endpoint_params

Optional parameters to append to the token URL.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.oauth2.scopes

Scopes for the token request.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.oauth2.token_url

The URL to fetch the token from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.port

The port to scrape metrics from, when role is nodes, and for discovered tasks and services that don’t have published ports.

Defaults to 80 in prometheus when set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.refresh_interval

The time after which the containers are refreshed.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.docker_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs

List of Docker Swarm service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.authorization

Optional Authorization header configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.authorization.credentials

Sets the credentials. It is mutually exclusive with credentials_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.authorization.credentials_file

Sets the credentials to the credentials read from the configured file. It is mutually exclusive with credentials.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.authorization.type

Sets the authentication type.

Defaults to Bearer in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.basic_auth

Optional HTTP basic authentication information.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.filters

Optional filters to limit the discovery process to a subset of available resources.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.filters.*.name

Name of the filter. The available filters are listed in the upstream documentation: Services: https://docs.docker.com/engine/api/v1.40/#operation/ServiceList Tasks: https://docs.docker.com/engine/api/v1.40/#operation/TaskList Nodes: https://docs.docker.com/engine/api/v1.40/#operation/NodeList

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.filters.*.values

Value for the filter.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.host

Address of the Docker daemon.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.oauth2

Optional OAuth 2.0 configuration. Cannot be used at the same time as basic_auth or authorization.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.oauth2.client_id

OAuth client ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.oauth2.client_secret

OAuth client secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.oauth2.client_secret_file

Read the client secret from a file. It is mutually exclusive with client_secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.oauth2.endpoint_params

Optional parameters to append to the token URL.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.oauth2.scopes

Scopes for the token request.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.oauth2.token_url

The URL to fetch the token from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.port

The port to scrape metrics from, when role is nodes, and for discovered tasks and services that don’t have published ports.

Defaults to 80 in prometheus when set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.refresh_interval

The time after which the containers are refreshed.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.role

Role of the targets to retrieve. Must be services, tasks, or nodes.

Type: one of “services”, “tasks”, “nodes”

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.ec2_sd_configs

List of EC2 service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.access_key

The AWS API key id. If blank, the environment variable AWS_ACCESS_KEY_ID is used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.endpoint

Custom endpoint to be used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.filters

Filters can be used optionally to filter the instance list by other criteria.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.filters.*.name

See this list for the available filters.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.filters.*.values

Value of the filter.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.port

The port to scrape metrics from. If using the public IP address, this must instead be specified in the relabeling rule.

Defaults to 80 in prometheus when set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.profile

Named AWS profile used to connect to the API.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.refresh_interval

Refresh interval to re-read the instance list.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.region

The AWS Region. If blank, the region from the instance metadata is used.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.role_arn

AWS Role ARN, an alternative to using AWS API keys.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.secret_key

The AWS API key secret. If blank, the environment variable AWS_SECRET_ACCESS_KEY is used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs

List of Eureka service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.authorization

Optional Authorization header configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.authorization.credentials

Sets the credentials. It is mutually exclusive with credentials_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.authorization.credentials_file

Sets the credentials to the credentials read from the configured file. It is mutually exclusive with credentials.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.authorization.type

Sets the authentication type.

Defaults to Bearer in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.basic_auth

Optional HTTP basic authentication information.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.oauth2

Optional OAuth 2.0 configuration. Cannot be used at the same time as basic_auth or authorization.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.oauth2.client_id

OAuth client ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.oauth2.client_secret

OAuth client secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.oauth2.client_secret_file

Read the client secret from a file. It is mutually exclusive with client_secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.oauth2.endpoint_params

Optional parameters to append to the token URL.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.oauth2.scopes

Scopes for the token request.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.oauth2.token_url

The URL to fetch the token from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.server

The URL to connect to the Eureka server.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.fallback_scrape_protocol

Fallback protocol to use if a scrape returns blank, unparseable, or otherwise invalid Content-Type.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.file_sd_configs

List of file service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.file_sd_configs.*.files

Patterns for files from which target groups are extracted. Refer to the Prometheus documentation for permitted filename patterns and formats.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.file_sd_configs.*.refresh_interval

Refresh interval to re-read the files.

Defaults to 5m in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.gce_sd_configs

List of Google Compute Engine service discovery configurations.

See the relevant Prometheus configuration docs for more detail.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.gce_sd_configs.*.filter

Filter can be used optionally to filter the instance list by other criteria Syntax of this filter string is described here in the filter query parameter section: https://cloud.google.com/compute/docs/reference/latest/instances/list.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.gce_sd_configs.*.port

The port to scrape metrics from. If using the public IP address, this must instead be specified in the relabeling rule.

Defaults to 80 in prometheus when set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.gce_sd_configs.*.project

The GCP Project.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.gce_sd_configs.*.refresh_interval

Refresh interval to re-read the cloud instance list.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.gce_sd_configs.*.tag_separator

The tag separator used to separate concatenated GCE instance network tags.

See the GCP documentation on network tags for more information: https://cloud.google.com/vpc/docs/add-remove-network-tags

Defaults to , in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.gce_sd_configs.*.zone

The zone of the scrape targets. If you need multiple zones use multiple gce_sd_configs.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs

List of Hetzner service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.authorization

Optional Authorization header configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.authorization.credentials

Sets the credentials. It is mutually exclusive with credentials_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.authorization.credentials_file

Sets the credentials to the credentials read from the configured file. It is mutually exclusive with credentials.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.authorization.type

Sets the authentication type.

Defaults to Bearer in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.basic_auth

Optional HTTP basic authentication information.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.oauth2

Optional OAuth 2.0 configuration. Cannot be used at the same time as basic_auth or authorization.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.oauth2.client_id

OAuth client ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.oauth2.client_secret

OAuth client secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.oauth2.client_secret_file

Read the client secret from a file. It is mutually exclusive with client_secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.oauth2.endpoint_params

Optional parameters to append to the token URL.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.oauth2.scopes

Scopes for the token request.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.oauth2.token_url

The URL to fetch the token from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.port

The port to scrape metrics from.

Defaults to 80 in prometheus when set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.refresh_interval

The time after which the servers are refreshed.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.role

The Hetzner role of entities that should be discovered. One of robot or hcloud.

Type: one of “robot”, “hcloud”

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.honor_labels

Controls how Prometheus handles conflicts between labels that are already present in scraped data and labels that Prometheus would attach server-side (“job” and “instance” labels, manually configured target labels, and labels generated by service discovery implementations).

If honor_labels is set to “true”, label conflicts are resolved by keeping label values from the scraped data and ignoring the conflicting server-side labels.

If honor_labels is set to “false”, label conflicts are resolved by renaming conflicting labels in the scraped data to “exported_<original-label>” (for example “exported_instance”, “exported_job”) and then attaching server-side labels. This is useful for use cases such as federation, where all labels specified in the target should be preserved.

Defaults to false in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.honor_timestamps

honor_timestamps controls whether Prometheus respects the timestamps present in scraped data.

If honor_timestamps is set to true, the timestamps of the metrics exposed by the target will be used.

If honor_timestamps is set to false, the timestamps of the metrics exposed by the target will be ignored.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs

List of HTTP service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.basic_auth

Authentication information used to authenticate to the API server. password and password_file are mutually exclusive.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.refresh_interval

Refresh interval to re-query the endpoint.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.tls_config

Configures the scrape request’s TLS settings.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.http_sd_configs.*.url

URL from which the targets are fetched.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.job_name

The job name assigned to scraped metrics by default.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs

List of Kubernetes service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.api_server

The API server addresses. If left empty, Prometheus is assumed to run inside of the cluster and will discover API servers automatically and use the pod’s CA certificate and bearer token file at /var/run/secrets/kubernetes.io/serviceaccount/.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.authorization

Optional Authorization header configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.authorization.credentials

Sets the credentials. It is mutually exclusive with credentials_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.authorization.credentials_file

Sets the credentials to the credentials read from the configured file. It is mutually exclusive with credentials.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.authorization.type

Sets the authentication type.

Defaults to Bearer in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.basic_auth

Optional HTTP basic authentication information.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.kubeconfig_file

Optional path to a kubeconfig file. Note that api_server and kube_config are mutually exclusive.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.namespaces

Optional namespace discovery. If omitted, all namespaces are used.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.namespaces.names

Namespace name.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.oauth2

Optional OAuth 2.0 configuration. Cannot be used at the same time as basic_auth or authorization.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.oauth2.client_id

OAuth client ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.oauth2.client_secret

OAuth client secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.oauth2.client_secret_file

Read the client secret from a file. It is mutually exclusive with client_secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.oauth2.endpoint_params

Optional parameters to append to the token URL.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.oauth2.scopes

Scopes for the token request.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.oauth2.token_url

The URL to fetch the token from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.role

The Kubernetes role of entities that should be discovered. One of endpoints, service, pod, node, or ingress.

Type: one of “endpoints”, “service”, “pod”, “node”, “ingress”

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.selectors

Optional label and field selectors to limit the discovery process to a subset of available resources. See https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/ and https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ to learn more about the possible filters that can be used. Endpoints role supports pod, service and endpoints selectors, other roles only support selectors matching the role itself (e.g. node role can only contain node selectors).

Note: When making decision about using field/label selector make sure that this is the best approach - it will prevent Prometheus from reusing single list/watch for all scrape configs. This might result in a bigger load on the Kubernetes API, because per each selector combination there will be additional LIST/WATCH. On the other hand, if you just want to monitor small subset of pods in large cluster it’s recommended to use selectors. Decision, if selectors should be used or not depends on the particular situation.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.selectors.*.field

Selector field

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.selectors.*.label

Selector label

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.selectors.*.role

Selector role

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs

List of Kuma service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.authorization

Optional Authorization header configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.authorization.credentials

Sets the credentials. It is mutually exclusive with credentials_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.authorization.credentials_file

Sets the credentials to the credentials read from the configured file. It is mutually exclusive with credentials.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.authorization.type

Sets the authentication type.

Defaults to Bearer in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.basic_auth

Optional HTTP basic authentication information.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.fetch_timeout

The time after which the monitoring assignments are refreshed.

Defaults to 2m in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.oauth2

Optional OAuth 2.0 configuration. Cannot be used at the same time as basic_auth or authorization.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.oauth2.client_id

OAuth client ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.oauth2.client_secret

OAuth client secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.oauth2.client_secret_file

Read the client secret from a file. It is mutually exclusive with client_secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.oauth2.endpoint_params

Optional parameters to append to the token URL.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.oauth2.scopes

Scopes for the token request.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.oauth2.token_url

The URL to fetch the token from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.refresh_interval

The time to wait between polling update requests.

Defaults to 30s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.server

Address of the Kuma Control Plane’s MADS xDS server.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.label_limit

Per-scrape limit on number of labels that will be accepted for a sample. If more than this number of labels are present post metric-relabeling, the entire scrape will be treated as failed. 0 means no limit.

Defaults to 0 in prometheus when set to null.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.label_name_length_limit

Per-scrape limit on length of labels name that will be accepted for a sample. If a label name is longer than this number post metric-relabeling, the entire scrape will be treated as failed. 0 means no limit.

Defaults to 0 in prometheus when set to null.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.label_value_length_limit

Per-scrape limit on length of labels value that will be accepted for a sample. If a label value is longer than this number post metric-relabeling, the entire scrape will be treated as failed. 0 means no limit.

Defaults to 0 in prometheus when set to null.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.lightsail_sd_configs

List of Lightsail service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.access_key

The AWS API keys. If blank, the environment variable AWS_ACCESS_KEY_ID is used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.endpoint

Custom endpoint to be used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.port

The port to scrape metrics from. If using the public IP address, this must instead be specified in the relabeling rule.

Defaults to 80 in prometheus when set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.profile

Named AWS profile used to connect to the API.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.refresh_interval

Refresh interval to re-read the instance list.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.region

The AWS region. If blank, the region from the instance metadata is used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.role_arn

AWS Role ARN, an alternative to using AWS API keys.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.secret_key

The AWS API keys. If blank, the environment variable AWS_SECRET_ACCESS_KEY is used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs

List of Linode service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.authorization

Optional Authorization header configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.authorization.credentials

Sets the credentials. It is mutually exclusive with credentials_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.authorization.credentials_file

Sets the credentials to the credentials read from the configured file. It is mutually exclusive with credentials.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.authorization.type

Sets the authentication type.

Defaults to Bearer in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.basic_auth

Optional HTTP basic authentication information.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.oauth2

Optional OAuth 2.0 configuration. Cannot be used at the same time as basic_auth or authorization.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.oauth2.client_id

OAuth client ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.oauth2.client_secret

OAuth client secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.oauth2.client_secret_file

Read the client secret from a file. It is mutually exclusive with client_secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.oauth2.endpoint_params

Optional parameters to append to the token URL.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.oauth2.scopes

Scopes for the token request.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.oauth2.token_url

The URL to fetch the token from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.port

The port to scrape metrics from.

Defaults to 80 in prometheus when set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.refresh_interval

The time after which the linode instances are refreshed.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.tag_separator

The string by which Linode Instance tags are joined into the tag label.

Defaults to , in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.linode_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs

List of Marathon service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.auth_token

Optional authentication information for token-based authentication: https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token It is mutually exclusive with auth_token_file and other authentication mechanisms.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.auth_token_file

Optional authentication information for token-based authentication: https://docs.mesosphere.com/1.11/security/ent/iam-api/#passing-an-authentication-token It is mutually exclusive with auth_token and other authentication mechanisms.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.authorization

Optional Authorization header configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.authorization.credentials

Sets the credentials. It is mutually exclusive with credentials_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.authorization.credentials_file

Sets the credentials to the credentials read from the configured file. It is mutually exclusive with credentials.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.authorization.type

Sets the authentication type.

Defaults to Bearer in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.basic_auth

Optional HTTP basic authentication information.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.oauth2

Optional OAuth 2.0 configuration. Cannot be used at the same time as basic_auth or authorization.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.oauth2.client_id

OAuth client ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.oauth2.client_secret

OAuth client secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.oauth2.client_secret_file

Read the client secret from a file. It is mutually exclusive with client_secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.oauth2.endpoint_params

Optional parameters to append to the token URL.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.oauth2.scopes

Scopes for the token request.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.oauth2.token_url

The URL to fetch the token from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.refresh_interval

Polling interval.

Defaults to 30s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.servers

List of URLs to be used to contact Marathon servers. You need to provide at least one server URL.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.metric_relabel_configs

List of metric relabel configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.metric_relabel_configs.*.action

Action to perform based on regex matching.

Defaults to replace in prometheus when set to null.

Type: null or one of “replace”, “lowercase”, “uppercase”, “keep”, “drop”, “hashmod”, “labelmap”, “labeldrop”, “labelkeep”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.metric_relabel_configs.*.modulus

Modulus to take of the hash of the source label values.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.metric_relabel_configs.*.regex

Regular expression against which the extracted value is matched.

Defaults to (.*) in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.metric_relabel_configs.*.replacement

Replacement value against which a regex replace is performed if the regular expression matches.

Defaults to $1 in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.metric_relabel_configs.*.separator

Separator placed between concatenated source label values.

Defaults to ; in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.metric_relabel_configs.*.source_labels

The source labels select values from existing labels. Their content is concatenated using the configured separator and matched against the configured regular expression.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.metric_relabel_configs.*.target_label

Label to which the resulting value is written in a replace action. It is mandatory for replace actions.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.metrics_path

The HTTP resource path on which to fetch metrics from targets.

Defaults to /metrics in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.nerve_sd_configs

List of AirBnB’s Nerve service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.nerve_sd_configs.*.paths

Paths can point to a single service, or the root of a tree of services.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.nerve_sd_configs.*.servers

The Zookeeper servers.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.nerve_sd_configs.*.timeout

Timeout value.

Defaults to 10s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs

List of OpenStack service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.all_tenants

Whether the service discovery should list all instances for all projects. It is only relevant for the ‘instance’ role and usually requires admin permissions.

Defaults to false in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.application_credential_id

The application_credential_id or application_credential_name fields are required if using an application credential to authenticate. Some providers allow you to create an application credential to authenticate rather than a password.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.application_credential_name

The application_credential_id or application_credential_name fields are required if using an application credential to authenticate. Some providers allow you to create an application credential to authenticate rather than a password.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.application_credential_secret

The application_credential_secret field is required if using an application credential to authenticate.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.availability

The availability of the endpoint to connect to. Must be one of public, admin or internal.

Defaults to public in prometheus when set to null.

Type: null or one of “public”, “admin”, “internal”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.domain_id

At most one of domain_id and domain_name must be provided if using username with Identity V3. Otherwise, either are optional.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.domain_name

At most one of domain_id and domain_name must be provided if using username with Identity V3. Otherwise, either are optional.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.identity_endpoint

identity_endpoint specifies the HTTP endpoint that is required to work with the Identity API of the appropriate version. While it’s ultimately needed by all of the identity services, it will often be populated by a provider-level function.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.password

password for the Identity V2 and V3 APIs. Consult with your provider’s control panel to discover your account’s preferred method of authentication.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.port

The port to scrape metrics from. If using the public IP address, this must instead be specified in the relabeling rule.

Defaults to 80 in prometheus when set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.project_id

The project_id and project_name fields are optional for the Identity V2 API. Some providers allow you to specify a project_name instead of the project_id. Some require both. Your provider’s authentication policies will determine how these fields influence authentication.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.project_name

The project_id and project_name fields are optional for the Identity V2 API. Some providers allow you to specify a project_name instead of the project_id. Some require both. Your provider’s authentication policies will determine how these fields influence authentication.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.refresh_interval

Refresh interval to re-read the instance list.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.region

The OpenStack Region.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.role

The OpenStack role of entities that should be discovered.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.userid

username is required if using Identity V2 API. Consult with your provider’s control panel to discover your account’s username. In Identity V3, either userid or a combination of username and domain_id or domain_name are needed.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.username

username is required if using Identity V2 API. Consult with your provider’s control panel to discover your account’s username. In Identity V3, either userid or a combination of username and domain_id or domain_name are needed.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.params

Optional HTTP URL parameters.

Type: null or (attribute set of list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs

List of PuppetDB service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.authorization

Optional Authorization header configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.authorization.credentials

Sets the credentials. It is mutually exclusive with credentials_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.authorization.credentials_file

Sets the credentials to the credentials read from the configured file. It is mutually exclusive with credentials.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.authorization.type

Sets the authentication type.

Defaults to Bearer in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.basic_auth

Optional HTTP basic authentication information.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.include_parameters

Whether to include the parameters as meta labels. Due to the differences between parameter types and Prometheus labels, some parameters might not be rendered. The format of the parameters might also change in future releases.

Note: Enabling this exposes parameters in the Prometheus UI and API. Make sure that you don’t have secrets exposed as parameters if you enable this.

Defaults to false in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.oauth2

Optional OAuth 2.0 configuration. Cannot be used at the same time as basic_auth or authorization.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.oauth2.client_id

OAuth client ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.oauth2.client_secret

OAuth client secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.oauth2.client_secret_file

Read the client secret from a file. It is mutually exclusive with client_secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.oauth2.endpoint_params

Optional parameters to append to the token URL.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.oauth2.scopes

Scopes for the token request.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.oauth2.token_url

The URL to fetch the token from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.port

The port to scrape metrics from.

Defaults to 80 in prometheus when set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.query

Puppet Query Language (PQL) query. Only resources are supported. https://puppet.com/docs/puppetdb/latest/api/query/v4/pql.html

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.refresh_interval

Refresh interval to re-read the resources list.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.url

The URL of the PuppetDB root query endpoint.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.relabel_configs

List of relabel configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.relabel_configs.*.action

Action to perform based on regex matching.

Defaults to replace in prometheus when set to null.

Type: null or one of “replace”, “lowercase”, “uppercase”, “keep”, “drop”, “hashmod”, “labelmap”, “labeldrop”, “labelkeep”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.relabel_configs.*.modulus

Modulus to take of the hash of the source label values.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.relabel_configs.*.regex

Regular expression against which the extracted value is matched.

Defaults to (.*) in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.relabel_configs.*.replacement

Replacement value against which a regex replace is performed if the regular expression matches.

Defaults to $1 in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.relabel_configs.*.separator

Separator placed between concatenated source label values.

Defaults to ; in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.relabel_configs.*.source_labels

The source labels select values from existing labels. Their content is concatenated using the configured separator and matched against the configured regular expression.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.relabel_configs.*.target_label

Label to which the resulting value is written in a replace action. It is mandatory for replace actions.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.sample_limit

Per-scrape limit on number of scraped samples that will be accepted. If more than this number of samples are present after metric relabelling the entire scrape will be treated as failed. 0 means no limit.

Defaults to 0 in prometheus when set to null.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs

List of Scaleway service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.access_key

Access key to use. https://console.scaleway.com/project/credentials

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.api_url

API URL to use when doing the server listing requests.

Defaults to https://api.scaleway.com in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.name_filter

Specify a name filter (works as a LIKE) to apply on the server listing request.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.port

The port to scrape metrics from.

Defaults to 80 in prometheus when set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.project_id

Project ID of the targets.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.refresh_interval

Refresh interval to re-read the managed targets list.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.role

Role of the targets to retrieve. Must be instance or baremetal.

Type: one of “instance”, “baremetal”

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.secret_key

Secret key to use when listing targets. https://console.scaleway.com/project/credentials It is mutually exclusive with secret_key_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.secret_key_file

Sets the secret key with the credentials read from the configured file. It is mutually exclusive with secret_key.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.tags_filter

Specify a tag filter (a server needs to have all defined tags to be listed) to apply on the server listing request.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.zone

Zone is the availability zone of your targets (e.g. fr-par-1).

Defaults to fr-par-1 in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scheme

The URL scheme with which to fetch metrics from targets.

Defaults to http in prometheus when set to null.

Type: null or one of “http”, “https”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scrape_interval

How frequently to scrape targets from this job. Defaults to the globally configured default.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scrape_protocols

The protocols to negotiate during a scrape with the client.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.scrape_timeout

Per-target timeout when scraping this job. Defaults to the globally configured default.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.serverset_sd_configs

List of Zookeeper Serverset service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.serverset_sd_configs.*.paths

Paths can point to a single service, or the root of a tree of services.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.serverset_sd_configs.*.servers

The Zookeeper servers.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.serverset_sd_configs.*.timeout

Timeout value.

Defaults to 10s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.static_configs

List of labeled target groups for this job.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.static_configs.*.labels

Labels assigned to all metrics scraped from the targets.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.static_configs.*.targets

The targets specified by the target group.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.target_limit

Per-scrape config limit on number of unique targets that will be accepted. If more than this number of targets are present after target relabeling, Prometheus will mark the targets as failed without scraping them. 0 means no limit. This is an experimental feature, this behaviour could change in the future.

Defaults to 0 in prometheus when set to null.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.tls_config

Configures the scrape request’s TLS settings.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs

List of Triton Serverset service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.account

The account to use for discovering new targets.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.dns_suffix

The DNS suffix which should be applied to target.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.endpoint

The Triton discovery endpoint (e.g. cmon.us-east-3b.triton.zone). This is often the same value as dns_suffix.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.groups

A list of groups for which targets are retrieved, only supported when targeting the container role. If omitted all containers owned by the requesting account are scraped.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.port

The port to use for discovery and metric scraping.

Defaults to 9163 in prometheus when set to null.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.refresh_interval

The interval which should be used for refreshing targets.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.role

The type of targets to discover, can be set to:

  • “container” to discover virtual machines (SmartOS zones, lx/KVM/bhyve branded zones) running on Triton

  • “cn” to discover compute nodes (servers/global zones) making up the Triton infrastructure

Defaults to container in prometheus when set to null.

Type: null or one of “container”, “cn”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.triton_sd_configs.*.version

The Triton discovery API version.

Defaults to 1 in prometheus when set to null.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs

List of Uyuni Serverset service discovery configurations.

Type: null or (list of (submodule))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.authorization

Optional Authorization header configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.authorization.credentials

Sets the credentials. It is mutually exclusive with credentials_file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.authorization.credentials_file

Sets the credentials to the credentials read from the configured file. It is mutually exclusive with credentials.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.authorization.type

Sets the authentication type.

Defaults to Bearer in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.basic_auth

Optional HTTP basic authentication information.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.basic_auth.password

HTTP password

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.basic_auth.password_file

HTTP password file

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.basic_auth.username

HTTP username

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.entitlement

The entitlement string to filter eligible systems.

Defaults to monitoring_entitled in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.follow_redirects

Configure whether HTTP requests follow HTTP 3xx redirects.

Defaults to true in prometheus when set to null.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.oauth2

Optional OAuth 2.0 configuration. Cannot be used at the same time as basic_auth or authorization.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.oauth2.client_id

OAuth client ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.oauth2.client_secret

OAuth client secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.oauth2.client_secret_file

Read the client secret from a file. It is mutually exclusive with client_secret.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.oauth2.endpoint_params

Optional parameters to append to the token URL.

Type: null or (attribute set of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.oauth2.scopes

Scopes for the token request.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.oauth2.token_url

The URL to fetch the token from.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.password

Credentials are used to authenticate the requests to Uyuni API.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.proxy_url

Optional proxy URL.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.refresh_interval

Refresh interval to re-read the managed targets list.

Defaults to 60s in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.separator

The string by which Uyuni group names are joined into the groups label

Defaults to , in prometheus when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.server

The URL to connect to the Uyuni server.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.tls_config

TLS configuration.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.tls_config.ca_file

CA certificate to validate API server certificate with.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.tls_config.cert_file

Certificate file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.tls_config.insecure_skip_verify

Disable validation of the server certificate.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.tls_config.key_file

Key file for client cert authentication to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.tls_config.server_name

ServerName extension to indicate the name of the server. http://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.username

Credentials are used to authenticate the requests to Uyuni API.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.stateDir

Directory below /var/lib to store Prometheus metrics data. This directory will be created automatically using systemd’s StateDirectory mechanism.

Type: string

Default: "prometheus2"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.webConfigFile

Specifies which file should be used as web.config.file and be passed on startup. See https://prometheus.io/docs/prometheus/latest/configuration/https/ for valid options.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.webExternalUrl

The URL under which Prometheus is externally reachable (for example, if Prometheus is served via a reverse proxy).

Type: null or string

Default: null

Example: "https://example.com/"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix>
services.prometheus.xmpp-alerts.enable

Whether to enable XMPP Web hook service for Alertmanager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/xmpp-alerts.nix>
services.prometheus.xmpp-alerts.settings

Configuration for prometheus xmpp-alerts, see https://github.com/jelmer/prometheus-xmpp-alerts/blob/master/xmpp-alerts.yml.example for supported values.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/prometheus/xmpp-alerts.nix>
services.promtail.enable

Whether to enable the Promtail ingresser.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/promtail.nix>
services.promtail.configFile

Config file path for Promtail. If this option is defined, the value of services.promtail.configuration will be ignored.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/logging/promtail.nix>
services.promtail.configuration

Specify the configuration for Promtail in Nix. This option will be ignored if services.promtail.configFile is defined.

Type: JSON value

Declared by:

<nixpkgs/nixos/modules/services/logging/promtail.nix>
services.promtail.extraFlags

Specify a list of additional command line flags, which get escaped and are then passed to Loki.

Type: list of string

Default: [ ]

Example:

[
  "--server.http-listen-port=3101"
]

Declared by:

<nixpkgs/nixos/modules/services/logging/promtail.nix>
services.prosody.enable

Whether to enable the prosody server

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.package

The prosody package to use.

Type: package

Default: pkgs.prosody

Example:

pkgs.prosody.override {
  withExtraLibs = [ pkgs.luaPackages.lpty ];
  withCommunityModules = [ "auth_external" ];
};

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.admins

List of administrators of the current host

Type: list of string

Default: [ ]

Example:

[
  "admin1@example.com"
  "admin2@example.com"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.allowRegistration

Allow account creation

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.authentication

Authentication mechanism used for logins.

Type: one of “internal_plain”, “internal_hashed”, “cyrus”, “anonymous”

Default: "internal_hashed"

Example: "internal_plain"

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.c2sRequireEncryption

Force clients to use encrypted connections? This option will prevent clients from authenticating unless they are using encryption.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.dataDir

The prosody home directory used to store all data. If left as the default value this directory will automatically be created before the prosody server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions.

Type: path

Default: "/var/lib/prosody"

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.disco_items

List of discoverable items you want to advertise.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.disco_items.*.description

A short description of the endpoint you want to advertise

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.disco_items.*.url

URL of the endpoint you want to make discoverable

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.extraConfig

Additional prosody configuration

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.extraModules

Enable custom modules

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.extraPluginPaths

Additional path in which to look find plugins/modules

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.group

Group account under which prosody runs.

Note

If left as the default value this group will automatically be created on system activation, otherwise you are responsible for ensuring the group exists before the prosody service starts.

Type: string

Default: "prosody"

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.httpFileShare

Configures the http_file_share module to handle user uploads.

Type: null or (int, bool, string or list of them)

Default: null

Example:

{
  domain = "uploads.my-xmpp-example-host.org";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.httpFileShare.domain

Domain name for a http_file_share service.

Type: null or string

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.httpInterfaces

Interfaces on which the HTTP server will listen on.

Type: list of string

Default:

[
  "*"
  "::"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.httpPorts

Listening HTTP ports list for this service.

Type: list of signed integer

Default:

[
  5280
]

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.httpsInterfaces

Interfaces on which the HTTPS server will listen on.

Type: list of string

Default:

[
  "*"
  "::"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.httpsPorts

Listening HTTPS ports list for this service.

Type: list of signed integer

Default:

[
  5281
]

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.log

Logging configuration. See for more details

Type: strings concatenated with “\n”

Default: "\"*syslog\""

Example:

''
  {
    { min = "warn"; to = "*syslog"; };
  }
''

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.admin_adhoc

Allows administration via an XMPP client that supports ad-hoc commands

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.admin_telnet

Opens telnet console interface on localhost port 5582

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.announce

Send announcement to all online users

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.blocklist

Allow users to block communications with other users

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.bookmarks

Allows interop between older clients that use XEP-0048: Bookmarks in its 1.0 version and recent clients which use it in PEP

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.bosh

Enable BOSH clients, aka ‘Jabber over HTTP’

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.carbons

Keep multiple clients in sync

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.cloud_notify

Push notifications to inform users of new messages or other pertinent information even when they have no XMPP clients online

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.csi

Implements the CSI protocol that allows clients to report their active/inactive state to the server

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.dialback

s2s dialback support

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.disco

Service discovery

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.groups

Shared roster support

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.http_files

Serve static files from a directory over HTTP

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.legacyauth

Legacy authentication. Only used by some old clients and bots

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.limits

Enable bandwidth limiting for XMPP connections

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.mam

Store messages in an archive and allow users to access it

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.motd

Send a message to users when they log in

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.pep

Enables users to publish their mood, activity, playing music and more

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.ping

Replies to XMPP pings with pongs

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.private

Private XML storage (for room bookmarks, etc.)

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.proxy65

Enables a file transfer proxy service which clients behind NAT can use

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.register

Allow users to register on this server using a client and change passwords

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.roster

Allow users to have a roster

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.saslauth

Authentication for clients and servers. Recommended if you want to log in.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.server_contact_info

Publish contact information for this service

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.smacks

Allow a client to resume a disconnected session, and prevent message loss

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.time

Let others know the time here on this server

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.tls

Add support for secure TLS on c2s/s2s connections

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.uptime

Report how long server has been running

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.vcard

Allow users to set vCards

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.vcard_legacy

Converts users profiles and Avatars between old and new formats

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.version

Replies to server version requests

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.watchregistrations

Alert admins of registrations

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.websocket

Enable WebSocket support

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.modules.welcome

Welcome users who register accounts

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc

Multi User Chat (MUC) configuration

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    domain = "conference.my-xmpp-example-host.org";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.domain

Domain name of the MUC

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.extraConfig

Additional MUC specific configuration

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.maxHistoryMessages

Specifies a limit on what each room can be configured to keep

Type: signed integer

Default: 20

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.name

The name to return in service discovery responses for the MUC service itself

Type: string

Default: "Prosody Chatrooms"

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.restrictRoomCreation

Restrict room creation to server admins

Type: one of true, false, “admin”, “local”

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.roomDefaultChangeSubject

If set, the rooms will display the public JIDs by default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.roomDefaultHistoryLength

Number of history message sent to participants by default.

Type: signed integer

Default: 20

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.roomDefaultLanguage

Default room language.

Type: string

Default: "en"

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.roomDefaultMembersOnly

If set, the MUC rooms will only be accessible to the members by default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.roomDefaultModerated

If set, the MUC rooms will be moderated by default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.roomDefaultPublic

If set, the MUC rooms will be public by default.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.roomDefaultPublicJids

If set, the MUC rooms will display the public JIDs by default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.roomLockTimeout

Timeout after which the room is destroyed or unlocked if not configured, in seconds

Type: signed integer

Default: 300

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.roomLocking

Enables room locking, which means that a room must be configured before it can be used. Locked rooms are invisible and cannot be entered by anyone but the creator

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.tombstoneExpiry

This settings controls how long a tombstone is considered valid. It defaults to 31 days. After this time, the room in question can be created again.

Type: signed integer

Default: 2678400

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.tombstones

When a room is destroyed, it leaves behind a tombstone which prevents the room being entered or recreated. It also allows anyone who was not in the room at the time it was destroyed to learn about it, and to update their bookmarks. Tombstones prevents the case where someone could recreate a previously semi-anonymous room in order to learn the real JIDs of those who often join there.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.muc.*.vcard_muc

Adds the ability to set vCard for Multi User Chat rooms

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.s2sInsecureDomains

Some servers have invalid or self-signed certificates. You can list remote domains here that will not be required to authenticate using certificates. They will be authenticated using DNS instead, even when s2s_secure_auth is enabled.

Type: list of string

Default: [ ]

Example:

[
  "insecure.example.com"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.s2sRequireEncryption

Force servers to use encrypted connections? This option will prevent servers from authenticating unless they are using encryption. Note that this is different from authentication.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.s2sSecureAuth

Force certificate authentication for server-to-server connections? This provides ideal security, but requires servers you communicate with to support encryption AND present valid, trusted certificates. For more information see https://prosody.im/doc/s2s#security

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.s2sSecureDomains

Even if you leave s2s_secure_auth disabled, you can still require valid certificates for some domains by specifying a list here.

Type: list of string

Default: [ ]

Example:

[
  "jabber.org"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.ssl

Paths to SSL files

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.ssl.cert

Path to the certificate file.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.ssl.extraOptions

Extra SSL configuration options.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.ssl.key

Path to the key file.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.uploadHttp

Configures the old Prosody builtin HTTP server to handle user uploads.

Type: null or (submodule)

Default: null

Example:

{
  domain = "uploads.my-xmpp-example-host.org";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.uploadHttp.domain

Domain name for the http-upload service

Type: null or string

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.uploadHttp.httpUploadPath

Directory where the uploaded files will be stored when the http_upload module is used. By default, uploaded files are put in a sub-directory of the default Prosody storage path (usually /var/lib/prosody).

Type: string

Default: "/var/lib/prosody"

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.uploadHttp.uploadExpireAfter

Max age of a file before it gets deleted, in seconds.

Type: string

Default: "60 * 60 * 24 * 7"

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.uploadHttp.uploadFileSizeLimit

Maximum file size, in bytes. Defaults to 50MB.

Type: string

Default: "50 * 1024 * 1024"

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.uploadHttp.userQuota

Maximum size of all uploaded files per user, in bytes. There will be no quota if this option is set to null.

Type: null or signed integer

Default: null

Example: 1234

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.user

User account under which prosody runs.

Note

If left as the default value this user will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the prosody service starts.

Type: string

Default: "prosody"

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.virtualHosts

Define the virtual hosts

Type: attribute set of (submodule)

Default:

{
  localhost = {
    domain = "localhost";
    enabled = true;
  };
}

Example:

{
  myhost = {
    domain = "my-xmpp-example-host.org";
    enabled = true;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.virtualHosts.<name>.enabled

Whether to enable the virtual host

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.virtualHosts.<name>.domain

Domain name

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.virtualHosts.<name>.extraConfig

Additional virtual host specific configuration

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.virtualHosts.<name>.ssl

Paths to SSL files

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.virtualHosts.<name>.ssl.cert

Path to the certificate file.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.virtualHosts.<name>.ssl.extraOptions

Extra SSL configuration options.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.virtualHosts.<name>.ssl.key

Path to the key file.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody.xmppComplianceSuite

The XEP-0423 defines a set of recommended XEPs to implement for a server. It’s generally a good idea to implement this set of extensions if you want to provide your users with a good XMPP experience.

This NixOS module aims to provide a “advanced server” experience as per defined in the XEP-0423[1] specification.

Setting this option to true will prevent you from building a NixOS configuration which won’t comply with this standard. You can explicitly decide to ignore this standard if you know what you are doing by setting this option to false.

[1] https://xmpp.org/extensions/xep-0423.html

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/prosody.nix>
services.prosody-filer.enable

Whether to enable Prosody Filer XMPP upload file server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/prosody-filer.nix>
services.prosody-filer.settings

Configuration for Prosody Filer. Refer to https://github.com/ThomasLeister/prosody-filer#configure-prosody-filer for details on supported values.

Type: TOML value

Default:

{
  listenport = mkDefault "127.0.0.1:5050";
  uploadSubDir = mkDefault "upload/";
}

Example:

{
  secret = "mysecret";
  storeDir = "/srv/http/nginx/prosody-upload";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/prosody-filer.nix>
services.protonmail-bridge.enable

Whether to enable protonmail bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/protonmail-bridge.nix>
services.protonmail-bridge.package

The protonmail-bridge package to use.

Type: package

Default: pkgs.protonmail-bridge

Declared by:

<nixpkgs/nixos/modules/services/mail/protonmail-bridge.nix>
services.protonmail-bridge.logLevel

Log level of the Proton Mail Bridge service. If set to null then the service uses it’s default log level.

Type: null or one of “panic”, “fatal”, “error”, “warn”, “info”, “debug”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/protonmail-bridge.nix>
services.protonmail-bridge.path

List of derivations to put in protonmail-bridge’s path.

Type: list of path

Default: [ ]

Example: with pkgs; [ pass gnome-keyring ]

Declared by:

<nixpkgs/nixos/modules/services/mail/protonmail-bridge.nix>
services.prowlarr.enable

Whether to enable Prowlarr, an indexer manager/proxy for Torrent trackers and Usenet indexers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/prowlarr.nix>
services.prowlarr.package

The prowlarr package to use.

Type: package

Default: pkgs.prowlarr

Declared by:

<nixpkgs/nixos/modules/services/misc/prowlarr.nix>
services.prowlarr.openFirewall

Open ports in the firewall for the Prowlarr web interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/prowlarr.nix>
services.psd.enable

Whether to enable the Profile Sync daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/profile-sync-daemon.nix>
services.psd.resyncTimer

The amount of time to wait before syncing browser profiles back to the disk.

Takes a systemd.unit time span. The time unit defaults to seconds if omitted.

Type: string

Default: "1h"

Example: "1h 30min"

Declared by:

<nixpkgs/nixos/modules/services/desktops/profile-sync-daemon.nix>
services.public-inbox.enable

Whether to enable the public-inbox mail archiver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.package

The public-inbox package to use.

Type: package

Default: pkgs.public-inbox

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.http.enable

Whether to enable the public-inbox HTTP server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.http.args

Command-line arguments to pass to public-inbox-httpd(1).

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.http.mounts

Root paths or URLs that public-inbox will be served on. If domain parts are present, only requests to those domains will be accepted.

Type: list of string

Default:

[
  "/"
]

Example:

[
  "/lists/archives"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.http.port

Listening port or systemd’s ListenStream= entry to be used as a reverse proxy, eg. in nginx: locations."/inbox".proxyPass = "http://unix:${config.services.public-inbox.http.port}:/inbox"; Set to null and use systemd.sockets.public-inbox-httpd.listenStreams if you need a more advanced listening.

Type: null or string or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 80

Example: "/run/public-inbox-httpd.sock"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.imap.enable

Whether to enable the public-inbox IMAP server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.imap.args

Command-line arguments to pass to public-inbox-imapd(1).

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.imap.cert

Path to TLS certificate to use for connections to public-inbox-imapd(1).

Type: null or string

Default: null

Example: "/path/to/fullchain.pem"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.imap.key

Path to TLS key to use for connections to public-inbox-imapd(1).

Type: null or string

Default: null

Example: "/path/to/key.pem"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.imap.port

Listening port. Beware that public-inbox uses well-known ports number to decide whether to enable TLS or not. Set to null and use systemd.sockets.public-inbox-imapd.listenStreams if you need a more advanced listening.

Type: null or string or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 993

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.inboxes

Inboxes to configure, where attribute names are inbox names.

Type: attribute set of (attribute set of (INI atom (null, bool, int, float or string) or a list of them for duplicate keys))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.inboxes.<name>.address

The email addresses of the public-inbox.

Type: list of string

Example: "example-discuss@example.org"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.inboxes.<name>.coderepo

Nicknames of a ‘coderepo’ section associated with the inbox.

Type: list of coderepo names

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.inboxes.<name>.description

User-visible description for the repository.

Type: string

Example: "user/dev discussion of public-inbox itself"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.inboxes.<name>.inboxdir

The absolute path to the directory which hosts the public-inbox.

Type: string

Default: "/var/lib/public-inbox/inboxes/‹name›"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.inboxes.<name>.newsgroup

NNTP group name for the inbox.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.inboxes.<name>.url

URL where this inbox can be accessed over HTTP.

Type: non-empty string

Example: "https://example.org/lists/example-discuss"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.inboxes.<name>.watch

Paths for public-inbox-watch(1) to monitor for new mail.

Type: list of string

Default: [ ]

Example:

[
  "maildir:/path/to/test.example.com.git"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.inboxes.<name>.watchheader

If specified, public-inbox-watch(1) will only process mail containing a matching header.

Type: null or string

Default: null

Example: "List-Id:<test@example.com>"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.mda.enable

Whether to enable the public-inbox Mail Delivery Agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.mda.args

Command-line arguments to pass to public-inbox-mda(1).

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.nntp.enable

Whether to enable the public-inbox NNTP server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.nntp.args

Command-line arguments to pass to public-inbox-nntpd(1).

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.nntp.cert

Path to TLS certificate to use for connections to public-inbox-nntpd(1).

Type: null or string

Default: null

Example: "/path/to/fullchain.pem"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.nntp.key

Path to TLS key to use for connections to public-inbox-nntpd(1).

Type: null or string

Default: null

Example: "/path/to/key.pem"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.nntp.port

Listening port. Beware that public-inbox uses well-known ports number to decide whether to enable TLS or not. Set to null and use systemd.sockets.public-inbox-nntpd.listenStreams if you need a more advanced listening.

Type: null or string or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 563

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.openFirewall

Whether to enable opening the firewall when using a port option.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.path

Additional packages to place in the path of public-inbox-mda, public-inbox-watch, etc.

Type: list of package

Default: [ ]

Example: with pkgs; [ spamassassin ]

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.postfix.enable

Whether to enable the integration into Postfix.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.settings

Settings for the public-inbox config file.

Type: attribute set of attribute set of (INI atom (null, bool, int, float or string) or a list of them for duplicate keys or attribute set of (INI atom (null, bool, int, float or string) or a list of them for duplicate keys))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.settings.coderepo

code repositories

Type: attribute set of (attribute set of (INI atom (null, bool, int, float or string) or a list of them for duplicate keys))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.settings.coderepo.<name>.cgitUrl

URL of a cgit instance

Type: string

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.settings.coderepo.<name>.dir

Path to a git repository

Type: string

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.settings.publicinbox

public inboxes

Type: attribute set of (INI atom (null, bool, int, float or string) or a list of them for duplicate keys or attribute set of (INI atom (null, bool, int, float or string) or a list of them for duplicate keys))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.settings.publicinbox.css

The local path name of a CSS file for the PSGI web interface.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.settings.publicinbox.imapserver

IMAP URLs to this public-inbox instance

Type: list of string

Default: [ ]

Example:

[
  "imap.public-inbox.org"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.settings.publicinbox.nntpserver

NNTP URLs to this public-inbox instance

Type: list of string

Default: [ ]

Example:

[
  "nntp://news.public-inbox.org"
  "nntps://news.public-inbox.org"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.settings.publicinbox.pop3server

POP3 URLs to this public-inbox instance

Type: list of string

Default: [ ]

Example:

[
  "pop.public-inbox.org"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.settings.publicinbox.wwwlisting

Controls which lists (if any) are listed for when the root public-inbox URL is accessed over HTTP.

Type: one of “all”, “404”, “match=domain”

Default: "404"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.settings.publicinboxmda.spamcheck

If set to spamc, public-inbox-watch(1) will filter spam using SpamAssassin.

Type: one of “spamc”, “none”

Default: "none"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.settings.publicinboxwatch.spamcheck

If set to spamc, public-inbox-watch(1) will filter spam using SpamAssassin.

Type: one of “spamc”, “none”

Default: "none"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.settings.publicinboxwatch.watchspam

If set, mail in this maildir will be trained as spam and deleted from all watched inboxes

Type: null or string

Default: null

Example: "maildir:/path/to/spam"

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.public-inbox.spamAssassinRules

SpamAssassin configuration specific to public-inbox.

Type: null or path

Default: ${cfg.package.sa_config}/user/.spamassassin/user_prefs

Declared by:

<nixpkgs/nixos/modules/services/mail/public-inbox.nix>
services.pufferpanel.enable

Whether to enable PufferPanel game management server.

Note that PufferPanel templates and binaries downloaded by PufferPanel expect FHS environment. It is possible to set package option to use PufferPanel wrapper with FHS environment. For example, to use Download Game from Steam and Download Java template operations:

{ lib, pkgs, ... }: {
  services.pufferpanel = {
    enable = true;
    extraPackages = with pkgs; [ bash curl gawk gnutar gzip ];
    package = pkgs.buildFHSEnv {
      name = "pufferpanel-fhs";
      runScript = lib.getExe pkgs.pufferpanel;
      targetPkgs = pkgs': with pkgs'; [ icu openssl zlib ];
    };
  };
}

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/pufferpanel.nix>
services.pufferpanel.package

The pufferpanel package to use.

Type: package

Default: pkgs.pufferpanel

Declared by:

<nixpkgs/nixos/modules/services/misc/pufferpanel.nix>
services.pufferpanel.environment

Environment variables to set for the service. Secrets should be specified using environmentFile.

Refer to the PufferPanel source code for the list of available configuration options. Variable name is an upper-cased configuration entry name with underscores instead of dots, prefixed with PUFFER_. For example, panel.settings.companyName entry can be set using PUFFER_PANEL_SETTINGS_COMPANYNAME.

When running with panel enabled (configured with PUFFER_PANEL_ENABLE environment variable), it is recommended disable registration using PUFFER_PANEL_REGISTRATIONENABLED environment variable (registration is enabled by default). To create the initial administrator user, run pufferpanel --workDir /var/lib/pufferpanel user add --admin.

Some options override corresponding settings set via web interface (e.g. PUFFER_PANEL_REGISTRATIONENABLED). Those options can be temporarily toggled or set in settings but do not persist between restarts.

Type: attribute set of string

Default: { }

Example:

{
  PUFFER_WEB_HOST = ":8080";
  PUFFER_DAEMON_SFTP_HOST = ":5657";
  PUFFER_DAEMON_CONSOLE_BUFFER = "1000";
  PUFFER_DAEMON_CONSOLE_FORWARD = "true";
  PUFFER_PANEL_REGISTRATIONENABLED = "false";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/pufferpanel.nix>
services.pufferpanel.environmentFile

File to load environment variables from. Loaded variables override values set in environment.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/pufferpanel.nix>
services.pufferpanel.extraGroups

Additional groups for the systemd service.

Type: list of string

Default: [ ]

Example:

[
  "podman"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/pufferpanel.nix>
services.pufferpanel.extraPackages

Packages to add to the PATH environment variable. Both the bin and sbin subdirectories of each package are added.

Type: list of package

Default: [ ]

Example: [ pkgs.jre ]

Declared by:

<nixpkgs/nixos/modules/services/misc/pufferpanel.nix>
services.pykms.enable

Whether to enable the PyKMS service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/pykms.nix>
services.pykms.extraArgs

Additional arguments

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/pykms.nix>
services.pykms.listenAddress

The IP address on which to listen.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/pykms.nix>
services.pykms.logLevel

How much to log

Type: one of “CRITICAL”, “ERROR”, “WARNING”, “INFO”, “DEBUG”, “MININFO”

Default: "INFO"

Declared by:

<nixpkgs/nixos/modules/services/misc/pykms.nix>
services.pykms.memoryLimit

How much memory to use at most.

Type: string

Default: "64M"

Declared by:

<nixpkgs/nixos/modules/services/misc/pykms.nix>
services.pykms.openFirewallPort

Whether the listening port should be opened automatically.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/pykms.nix>
services.pykms.port

The port on which to listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1688

Declared by:

<nixpkgs/nixos/modules/services/misc/pykms.nix>
services.pyload.enable

Whether to enable pyLoad download manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/pyload.nix>
services.pyload.package

The pyLoad package to use.

Type: package

Default: pkgs.pyload-ng

Declared by:

<nixpkgs/nixos/modules/services/networking/pyload.nix>
services.pyload.credentialsFile

File containing PYLOAD_DEFAULT_USERNAME and PYLOAD_DEFAULT_PASSWORD in the format of an EnvironmentFile=, as described by systemd.exec(5).

If not given, they default to the username/password combo of pyload/pyload.

Type: null or path

Default: null

Example: "/run/secrets/pyload-credentials.env"

Declared by:

<nixpkgs/nixos/modules/services/networking/pyload.nix>
services.pyload.downloadDirectory

Directory to store downloads.

Type: path

Default: "/var/lib/pyload/downloads"

Example: "/mnt/downloads"

Declared by:

<nixpkgs/nixos/modules/services/networking/pyload.nix>
services.pyload.group

Group under which pyLoad runs, and which owns the download directory.

Type: string

Default: "pyload"

Declared by:

<nixpkgs/nixos/modules/services/networking/pyload.nix>
services.pyload.listenAddress

Address to listen on for the web UI.

Type: string

Default: "localhost"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/pyload.nix>
services.pyload.port

Port to listen on for the web UI.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8000

Example: 9876

Declared by:

<nixpkgs/nixos/modules/services/networking/pyload.nix>
services.pyload.user

User under which pyLoad runs, and which owns the download directory.

Type: string

Default: "pyload"

Declared by:

<nixpkgs/nixos/modules/services/networking/pyload.nix>
services.qdrant.enable

Whether to enable Vector Search Engine for the next generation of AI applications.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/search/qdrant.nix>
services.qdrant.settings

Configuration for Qdrant Refer to https://github.com/qdrant/qdrant/blob/master/config/config.yaml for details on supported values.

Type: YAML value

Default:

{
  storage = {
    storage_path = "/var/lib/qdrant/storage";
    snapshots_path = "/var/lib/qdrant/snapshots";
  };
  hsnw_index = {
    on_disk = true;
  };
  service = {
    host = "127.0.0.1";
    http_port = 6333;
    grpc_port = 6334;
  };
  telemetry_disabled = true;
}

Example:

{
  hsnw_index = {
    on_disk = true;
  };
  service = {
    grpc_port = 6334;
    host = "127.0.0.1";
    http_port = 6333;
  };
  storage = {
    snapshots_path = "/var/lib/qdrant/snapshots";
    storage_path = "/var/lib/qdrant/storage";
  };
  telemetry_disabled = true;
}

Declared by:

<nixpkgs/nixos/modules/services/search/qdrant.nix>
services.qemuGuest.enable

Whether to enable the qemu guest agent.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-guest-agent.nix>
services.qemuGuest.package

The ga package to use.

Type: package

Default: pkgs.qemu_kvm.ga

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-guest-agent.nix>
services.quake3-server.enable

Whether to enable Quake 3 dedicated server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/quake3-server.nix>
services.quake3-server.package

The ioquake3 package to use.

Type: package

Default: pkgs.ioquake3

Declared by:

<nixpkgs/nixos/modules/services/games/quake3-server.nix>
services.quake3-server.baseq3

Path to the baseq3 files (pak*.pk3). If this is on the nix store (type = package) all .pk3 files should be saved in the top-level directory. If this is on another filesystem (e.g /var/lib/baseq3) the .pk3 files are searched in $baseq3/.q3a/baseq3/

Type: package or path

Default: Manually downloaded Quake 3 installation directory.

Example: "/var/lib/q3ds"

Declared by:

<nixpkgs/nixos/modules/services/games/quake3-server.nix>
services.quake3-server.extraConfig

Extra configuration options. Note that options changed via RCON will not be persisted. To list all possible options, use “cvarlist 1” via RCON.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  seta rconPassword "superSecret"      // sets RCON password for remote console
  seta sv_hostname "My Quake 3 server"      // name that appears in server list
''

Declared by:

<nixpkgs/nixos/modules/services/games/quake3-server.nix>
services.quake3-server.openFirewall

Open the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/quake3-server.nix>
services.quake3-server.port

UDP Port the server should listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 27960

Declared by:

<nixpkgs/nixos/modules/services/games/quake3-server.nix>
services.quassel.enable

Whether to enable the Quassel IRC client daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/quassel.nix>
services.quassel.package

The quasselDaemon package to use.

Type: package

Default: pkgs.quasselDaemon

Declared by:

<nixpkgs/nixos/modules/services/networking/quassel.nix>
services.quassel.certificateFile

Path to the certificate used for SSL connections with clients.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/quassel.nix>
services.quassel.dataDir

The directory holding configuration files, the SQlite database and the SSL Cert.

Type: string

Default:

"/home/${config.services.quassel.user}/.config/quassel-irc.org"

Declared by:

<nixpkgs/nixos/modules/services/networking/quassel.nix>
services.quassel.interfaces

The interfaces the Quassel daemon will be listening to. If [ 127.0.0.1 ], only clients on the local host can connect to it; if [ 0.0.0.0 ], clients can access it from any network interface.

Type: list of string

Default:

[
  "127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/quassel.nix>
services.quassel.portNumber

The port number the Quassel daemon will be listening to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4242

Declared by:

<nixpkgs/nixos/modules/services/networking/quassel.nix>
services.quassel.requireSSL

Require SSL for connections from clients.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/quassel.nix>
services.quassel.user

The existing user the Quassel daemon should run as. If left empty, a default “quassel” user will be created.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/quassel.nix>
services.quicktun

QuickTun tunnels.

See http://wiki.ucis.nl/QuickTun for more information about available options.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/quicktun.nix>
services.quicktun.<name>.localAddress

IP address or hostname of the local end.

Type: null or string

Default: null

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/quicktun.nix>
services.quicktun.<name>.localPort

Local UDP port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2998

Declared by:

<nixpkgs/nixos/modules/services/networking/quicktun.nix>
services.quicktun.<name>.privateKey

Local secret key in hexadecimal form.

Warning

This option is deprecated. Please use services.quicktun.<name>.privateKeyFile instead.

Note

Not needed when services.quicktun.<name>.protocol is set to raw.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/quicktun.nix>
services.quicktun.<name>.privateKeyFile

Path to file containing local secret key in binary or hexadecimal form.

Note

Not needed when services.quicktun.<name>.protocol is set to raw.

Type: null or path

Default: "null"

Declared by:

<nixpkgs/nixos/modules/services/networking/quicktun.nix>
services.quicktun.<name>.protocol

Which protocol to use.

Type: one of “raw”, “nacl0”, “nacltai”, “salty”

Default: "nacltai"

Declared by:

<nixpkgs/nixos/modules/services/networking/quicktun.nix>
services.quicktun.<name>.publicKey

Remote public key in hexadecimal form.

Note

Not needed when services.quicktun.<name>.protocol is set to raw.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/quicktun.nix>
services.quicktun.<name>.remoteAddress

IP address or hostname of the remote end (use 0.0.0.0 for a floating/dynamic remote endpoint).

Type: string

Default: "0.0.0.0"

Example: "tunnel.example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/quicktun.nix>
services.quicktun.<name>.remoteFloat

Whether to allow the remote address and port to change when properly encrypted packets are received.

Type: integer between 0 and 1 (both inclusive) or boolean convertible to it

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/quicktun.nix>
services.quicktun.<name>.remotePort

remote UDP port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: config.services.quicktun.<name>.localPort

Declared by:

<nixpkgs/nixos/modules/services/networking/quicktun.nix>
services.quicktun.<name>.timeWindow

Allowed time window for first received packet in seconds (positive number allows packets from history)

Type: unsigned integer, meaning >=0

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/quicktun.nix>
services.quicktun.<name>.tunMode

Whether to operate in tun (IP) or tap (Ethernet) mode.

Type: integer between 0 and 1 (both inclusive) or boolean convertible to it

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/quicktun.nix>
services.quicktun.<name>.upScript

Run specified command or script after the tunnel device has been opened.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/quicktun.nix>
services.quickwit.enable

Whether to enable Quickwit.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/search/quickwit.nix>
services.quickwit.package

The Quickwit package to use.

Type: package

Default: pkgs.quickwit

Declared by:

<nixpkgs/nixos/modules/services/search/quickwit.nix>
services.quickwit.dataDir

Data directory for Quickwit. If you change this, you need to manually create the directory. You also need to create the quickwit user and group, or change services.quickwit.user and services.quickwit.group to existing ones with access to the directory.

Type: path

Default: "/var/lib/quickwit"

Declared by:

<nixpkgs/nixos/modules/services/search/quickwit.nix>
services.quickwit.extraFlags

Extra command line options to pass to Quickwit.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/search/quickwit.nix>
services.quickwit.group

The group quickwit runs as. Should be left at default unless you have very specific needs.

Type: string

Default: "quickwit"

Declared by:

<nixpkgs/nixos/modules/services/search/quickwit.nix>
services.quickwit.restartIfChanged

Automatically restart the service on config change. This can be set to false to defer restarts on a server or cluster. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/search/quickwit.nix>
services.quickwit.settings

Quickwit configuration.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/search/quickwit.nix>
services.quickwit.settings.grpc_listen_port

The port to listen on for gRPC traffic.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7281

Declared by:

<nixpkgs/nixos/modules/services/search/quickwit.nix>
services.quickwit.settings.listen_address

Listen address of Quickwit.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/search/quickwit.nix>
services.quickwit.settings.rest

Rest server configuration for Quickwit

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/search/quickwit.nix>
services.quickwit.settings.rest.listen_port

The port to listen on for HTTP REST traffic.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7280

Declared by:

<nixpkgs/nixos/modules/services/search/quickwit.nix>
services.quickwit.settings.version

Configuration file version.

Type: floating point number

Default: 0.7

Declared by:

<nixpkgs/nixos/modules/services/search/quickwit.nix>
services.quickwit.user

The user Quickwit runs as. Should be left at default unless you have very specific needs.

Type: string

Default: "quickwit"

Declared by:

<nixpkgs/nixos/modules/services/search/quickwit.nix>
services.quorum.enable

Whether to enable Quorum blockchain daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.blockperiod

Default minimum difference between two consecutive block’s timestamps in seconds.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.genesis

Blockchain genesis settings.

Type: null or (attribute set)

Default: null

Example:

{
         alloc = {
           a47385db68718bdcbddc2d2bb7c54018066ec111 = {
             balance = "1000000000000000000000000000";
           };
         };
         coinbase = "0x0000000000000000000000000000000000000000";
         config = {
           byzantiumBlock = 4;
           chainId = 494702925;
           eip150Block = 2;
           eip155Block = 3;
           eip158Block = 3;
           homesteadBlock = 1;
           isQuorum = true;
           istanbul = {
             epoch = 30000;
             policy = 0;
           };
         };
         difficulty = "0x1";
         extraData = "0x0000000000000000000000000000000000000000000000000000000000000000f85ad59438f0508111273d8e482f49410ca4078afc86a961b8410000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0";
         gasLimit = "0x2FEFD800";
         mixHash = "0x63746963616c2062797a616e74696e65201111756c7420746f6c6572616e6365";
         nonce = "0x0";
         parentHash = "0x0000000000000000000000000000000000000000000000000000000000000000";
         timestamp = "0x00";
         }

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.group

The group as which to run quorum.

Type: string

Default: config.services.quorum.user

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.nodekeyFile

Path to the nodekey.

Type: path

Default: "/var/lib/quorum/nodekey"

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.permissioned

Allow only a defined list of nodes to connect.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.port

Override the default port on which to listen for connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 21000

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.privateconfig

Configuration of privacy transaction manager.

Type: string

Default: "ignore"

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.rpc.enable

Enable RPC interface.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.rpc.address

Listening address for RPC connections.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.rpc.api

API’s offered over the HTTP-RPC interface.

Type: string

Default: "admin,db,eth,debug,miner,net,shh,txpool,personal,web3,quorum,istanbul"

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.rpc.port

Override the default port on which to listen for RPC connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 22004

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.staticNodes

List of validator nodes.

Type: list of string

Default: [ ]

Example:

[
  "enode://dd333ec28f0a8910c92eb4d336461eea1c20803eed9cf2c056557f986e720f8e693605bba2f4e8f289b1162e5ac7c80c914c7178130711e393ca76abc1d92f57@0.0.0.0:30303?discport=0"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.syncmode

Blockchain sync mode.

Type: one of “fast”, “full”, “light”

Default: "full"

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.user

The user as which to run quorum.

Type: string

Default: "quorum"

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.ws.enable

Enable WS-RPC interface.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.ws.address

Listening address for WS-RPC connections.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.ws.api

API’s offered over the WS-RPC interface.

Type: string

Default: "admin,db,eth,debug,miner,net,shh,txpool,personal,web3,quorum,istanbul"

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.ws.origins

Origins from which to accept websockets requests

Type: string

Default: "*"

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.quorum.ws.port

Override the default port on which to listen for WS-RPC connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8546

Declared by:

<nixpkgs/nixos/modules/services/networking/quorum.nix>
services.r53-ddns.enable

Whether to enable r53-ddyns.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/r53-ddns.nix>
services.r53-ddns.domain

The name of your domain in Route53

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/r53-ddns.nix>
services.r53-ddns.environmentFile

File containing the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the format of an EnvironmentFile as described by systemd.exec(5)

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/r53-ddns.nix>
services.r53-ddns.hostname

Manually specify the hostname. Otherwise the tool will try to use the name returned by the OS (Call to gethostname)

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/r53-ddns.nix>
services.r53-ddns.interval

How often to update the entry

Type: string

Default: "15min"

Declared by:

<nixpkgs/nixos/modules/services/networking/r53-ddns.nix>
services.r53-ddns.zoneID

The ID of your zone in Route53

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/r53-ddns.nix>
services.rabbitmq.enable

Whether to enable the RabbitMQ server, an Advanced Message Queuing Protocol (AMQP) broker.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/amqp/rabbitmq.nix>
services.rabbitmq.package

The rabbitmq-server package to use.

Type: package

Default: pkgs.rabbitmq-server

Declared by:

<nixpkgs/nixos/modules/services/amqp/rabbitmq.nix>
services.rabbitmq.config

Verbatim advanced configuration file contents using the Erlang syntax. This is also known as the advanced.config file or the old config format.

configItems is preferred whenever possible. However, nested data structures can only be expressed properly using the config option.

The contents of this option will be merged into the configItems by RabbitMQ at runtime to form the final configuration.

See the second table on https://www.rabbitmq.com/configure.html#config-items For the distinct formats, see https://www.rabbitmq.com/configure.html#config-file-formats

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/amqp/rabbitmq.nix>
services.rabbitmq.configItems

Configuration options in RabbitMQ’s new config file format, which is a simple key-value format that can not express nested data structures. This is known as the rabbitmq.conf file, although outside NixOS that filename may have Erlang syntax, particularly prior to RabbitMQ 3.7.0.

If you do need to express nested data structures, you can use config option. Configuration from config will be merged into these options by RabbitMQ at runtime to form the final configuration.

See https://www.rabbitmq.com/configure.html#config-items For the distinct formats, see https://www.rabbitmq.com/configure.html#config-file-formats

Type: attribute set of string

Default: { }

Example:

{
  "auth_backends.1.authn" = "rabbit_auth_backend_ldap";
  "auth_backends.1.authz" = "rabbit_auth_backend_internal";
}

Declared by:

<nixpkgs/nixos/modules/services/amqp/rabbitmq.nix>
services.rabbitmq.dataDir

Data directory for rabbitmq.

Type: path

Default: "/var/lib/rabbitmq"

Declared by:

<nixpkgs/nixos/modules/services/amqp/rabbitmq.nix>
services.rabbitmq.listenAddress

IP address on which RabbitMQ will listen for AMQP connections. Set to the empty string to listen on all interfaces. Note that RabbitMQ creates a user named guest with password guest by default, so you should delete this user if you intend to allow external access.

Together with ‘port’ setting it’s mostly an alias for configItems.“listeners.tcp.1” and it’s left for backwards compatibility with previous version of this module.

Type: string

Default: "127.0.0.1"

Example: ""

Declared by:

<nixpkgs/nixos/modules/services/amqp/rabbitmq.nix>
services.rabbitmq.managementPlugin.enable

Whether to enable the management plugin.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/amqp/rabbitmq.nix>
services.rabbitmq.managementPlugin.port

On which port to run the management plugin

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 15672

Declared by:

<nixpkgs/nixos/modules/services/amqp/rabbitmq.nix>
services.rabbitmq.pluginDirs

The list of directories containing external plugins

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/amqp/rabbitmq.nix>
services.rabbitmq.plugins

The names of plugins to enable

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/amqp/rabbitmq.nix>
services.rabbitmq.port

Port on which RabbitMQ will listen for AMQP connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5672

Declared by:

<nixpkgs/nixos/modules/services/amqp/rabbitmq.nix>
services.rabbitmq.unsafeCookie

Erlang cookie is a string of arbitrary length which must be the same for several nodes to be allowed to communicate. Leave empty to generate automatically.

Setting the cookie via this option exposes the cookie to the store, which is not recommended for security reasons. Only use this option in an isolated non-production environment such as NixOS VM tests.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/amqp/rabbitmq.nix>
services.radarr.enable

Whether to enable Radarr, a UsetNet/BitTorrent movie downloader.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/radarr.nix>
services.radarr.package

The radarr package to use.

Type: package

Default: pkgs.radarr

Declared by:

<nixpkgs/nixos/modules/services/misc/radarr.nix>
services.radarr.dataDir

The directory where Radarr stores its data files.

Type: string

Default: "/var/lib/radarr/.config/Radarr"

Declared by:

<nixpkgs/nixos/modules/services/misc/radarr.nix>
services.radarr.group

Group under which Radarr runs.

Type: string

Default: "radarr"

Declared by:

<nixpkgs/nixos/modules/services/misc/radarr.nix>
services.radarr.openFirewall

Open ports in the firewall for the Radarr web interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/radarr.nix>
services.radarr.user

User account under which Radarr runs.

Type: string

Default: "radarr"

Declared by:

<nixpkgs/nixos/modules/services/misc/radarr.nix>
services.radicale.enable

Whether to enable Radicale CalDAV and CardDAV server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/radicale.nix>
services.radicale.package

Radicale package to use.

Type: package

Default: pkgs.radicale

Declared by:

<nixpkgs/nixos/modules/services/networking/radicale.nix>
services.radicale.config

Radicale configuration, this will set the service configuration file. This option is mutually exclusive with settings. This option is deprecated. Use settings instead.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/radicale.nix>
services.radicale.extraArgs

Extra arguments passed to the Radicale daemon.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/radicale.nix>
services.radicale.rights

Configuration for Radicale’s rights file. See https://radicale.org/v3.html#authentication-and-rights. This option only works in conjunction with settings. Setting this will also set settings.rights.type and settings.rights.file to appropriate values.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a non-empty list of them)

Default: { }

Example:

root = {
  user = ".+";
  collection = "";
  permissions = "R";
};
principal = {
  user = ".+";
  collection = "{user}";
  permissions = "RW";
};
calendars = {
  user = ".+";
  collection = "{user}/[^/]+";
  permissions = "rw";
};

Declared by:

<nixpkgs/nixos/modules/services/networking/radicale.nix>
services.radicale.settings

Configuration for Radicale. See https://radicale.org/v3.html#configuration. This option is mutually exclusive with config.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a non-empty list of them)

Default: { }

Example:

server = {
  hosts = [ "0.0.0.0:5232" "[::]:5232" ];
};
auth = {
  type = "htpasswd";
  htpasswd_filename = "/etc/radicale/users";
  htpasswd_encryption = "bcrypt";
};
storage = {
  filesystem_folder = "/var/lib/radicale/collections";
};

Declared by:

<nixpkgs/nixos/modules/services/networking/radicale.nix>
services.radicle.enable

Whether to enable Radicle Seed Node.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.package

The radicle-node package to use.

Type: package

Default: pkgs.radicle-node

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.checkConfig

Whether to enable checking the config.json file resulting from services.radicle.settings.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.enable

Whether to enable Radicle HTTP gateway to radicle-node.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.package

The radicle-httpd package to use.

Type: package

Default: pkgs.radicle-httpd

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.extraArgs

Extra arguments for radicle-httpd

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.listenAddress

The IP address on which radicle-httpd listens.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.listenPort

The port on which radicle-httpd listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx

With this option, you can customize an nginx virtual host which already has sensible defaults for radicle-httpd. Set to {} if you do not need any customization to the virtual host. If enabled, then by default, the serverName is radicle-${config.networking.hostName}.${config.networking.domain}, TLS is active, and certificates are acquired via ACME. If this is set to null (the default), no nginx virtual host will be configured.

Type: null or (submodule)

Default: null

Example:

{
  serverAliases = [
    "seed.${config.networking.domain}"
  ];
  enableACME = false;
  useACMEHost = config.networking.domain;
}

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: "radicle-\${config.networking.hostName}.\${config.networking.domain}"

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.httpd.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.node.extraArgs

Extra arguments for radicle-node

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.node.listenAddress

The IP address on which radicle-node listens.

Type: string

Default: "[::]"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.node.listenPort

The port on which radicle-node listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8776

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.node.openFirewall

Whether to enable opening the firewall for radicle-node.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.privateKeyFile

Absolute file path to an SSH private key, usually generated by rad auth.

If it contains a colon (:) the string before the colon is taken as the credential name and the string after as a path encrypted with systemd-creds.

Type: path or string

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.publicKey

An SSH public key (as an absolute file path or directly as a string), usually generated by rad auth.

Type: path or string

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radicle.settings

See https://app.radicle.xyz/nodes/seed.radicle.garden/rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5/tree/radicle/src/node/config.rs#L275

Type: JSON value

Default: { }

Example:

{
  web.pinned.repositories = [
    "rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5" # heartwood
    "rad:z3trNYnLWS11cJWC6BbxDs5niGo82" # rips
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/misc/radicle.nix>
services.radvd.enable

Whether to enable the Router Advertisement Daemon (radvd), which provides link-local advertisements of IPv6 router addresses and prefixes using the Neighbor Discovery Protocol (NDP). This enables stateless address autoconfiguration in IPv6 clients on the network.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/radvd.nix>
services.radvd.package

The radvd package to use.

Type: package

Default: pkgs.radvd

Declared by:

<nixpkgs/nixos/modules/services/networking/radvd.nix>
services.radvd.config

The contents of the radvd configuration file.

Type: strings concatenated with “\n”

Example:

''
  interface eth0 {
    AdvSendAdvert on;
    prefix 2001:db8:1234:5678::/64 { };
  };
''

Declared by:

<nixpkgs/nixos/modules/services/networking/radvd.nix>
services.radvd.debugLevel

The debugging level is an integer in the range from 1 to 5, from quiet to very verbose. A debugging level of 0 completely turns off debugging.

Type: signed integer

Default: 0

Example: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/radvd.nix>
services.ratbagd.enable

Whether to enable ratbagd for configuring gaming mice.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/ratbagd.nix>
services.ratbagd.package

The libratbag package to use.

Type: package

Default: pkgs.libratbag

Declared by:

<nixpkgs/nixos/modules/services/hardware/ratbagd.nix>
services.rathole.enable

Whether to enable Rathole.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/rathole.nix>
services.rathole.package

The rathole package to use.

Type: package

Default: pkgs.rathole

Declared by:

<nixpkgs/nixos/modules/services/networking/rathole.nix>
services.rathole.credentialsFile

Path to a TOML file to be merged with the settings. Useful to set secret config parameters like tokens, which should not appear in the Nix Store.

Type: path

Default: "/dev/null"

Example: "/var/lib/secrets/rathole/config.toml"

Declared by:

<nixpkgs/nixos/modules/services/networking/rathole.nix>
services.rathole.role

Select whether rathole needs to be run as a client or a server. Server is a machine with a public IP and client is a device behind NAT, but running some services that need to be exposed to the Internet.

Type: one of “server”, “client”

Declared by:

<nixpkgs/nixos/modules/services/networking/rathole.nix>
services.rathole.settings

Rathole configuration, for options reference see the example on GitHub. Both server and client configurations can be specified at the same time, regardless of the selected role.

Type: TOML value

Default: { }

Example:

{
  server = {
    bind_addr = "0.0.0.0:2333";
    services = {
      my_nas_ssh = {
        bind_addr = "0.0.0.0:5202";
        token = "use_a_secret_that_only_you_know";
      };
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/rathole.nix>
services.rdnssd.enable

Whether to enable the RDNSS daemon (rdnssd), which configures DNS servers in /etc/resolv.conf from RDNSS advertisements sent by IPv6 routers.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/rdnssd.nix>
services.readarr.enable

Whether to enable Readarr, a Usenet/BitTorrent ebook downloader.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/readarr.nix>
services.readarr.package

The readarr package to use.

Type: package

Default: pkgs.readarr

Declared by:

<nixpkgs/nixos/modules/services/misc/readarr.nix>
services.readarr.dataDir

The directory where Readarr stores its data files.

Type: string

Default: "/var/lib/readarr/"

Declared by:

<nixpkgs/nixos/modules/services/misc/readarr.nix>
services.readarr.group

Group under which Readarr runs.

Type: string

Default: "readarr"

Declared by:

<nixpkgs/nixos/modules/services/misc/readarr.nix>
services.readarr.openFirewall

Open ports in the firewall for Readarr

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/readarr.nix>
services.readarr.user

User account under which Readarr runs.

Type: string

Default: "readarr"

Declared by:

<nixpkgs/nixos/modules/services/misc/readarr.nix>
services.realm.enable

Whether to enable A simple, high performance relay server written in rust.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/realm.nix>
services.realm.package

The realm package to use.

Type: package

Default: pkgs.realm

Declared by:

<nixpkgs/nixos/modules/services/networking/realm.nix>
services.realm.config

The realm configuration, see https://github.com/zhboner/realm#overview for documentation.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/realm.nix>
services.redis.package

The redis package to use.

Type: package

Default: pkgs.redis

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers

Configuration of multiple redis-server instances.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.enable

Whether to enable Redis server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.appendFsync

How often to fsync the append-only log, options: no, always, everysec.

Type: string

Default: "everysec"

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.appendOnly

By default data is only periodically persisted to disk, enable this option to use an append-only file for improved persistence.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.bind

The IP interface to bind to. null means “all interfaces”.

Type: null or string

Default: "127.0.0.1"

Example: "192.0.2.1"

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.databases

Set the number of databases.

Type: signed integer

Default: 16

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.extraParams

Extra parameters to append to redis-server invocation

Type: list of string

Default: [ ]

Example:

[
  "--sentinel"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.group

Group account under which this instance of redis-server runs.

Note

If left as the default value this group will automatically be created on system activation, otherwise you are responsible for ensuring the group exists before the redis service starts.

Type: string

Default: config.user

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.logLevel

Specify the server verbosity level, options: debug, verbose, notice, warning.

Type: string

Default: "notice"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.logfile

Specify the log file name. Also ‘stdout’ can be used to force Redis to log on the standard output.

Type: string

Default: "/dev/null"

Example: "/var/log/redis.log"

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.masterAuth

If the master is password protected (using the requirePass configuration) it is possible to tell the slave to authenticate before starting the replication synchronization process, otherwise the master will refuse the slave request. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.maxclients

Set the max number of connected clients at the same time.

Type: signed integer

Default: 10000

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.openFirewall

Whether to open ports in the firewall for the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.port

The TCP port to accept connections. If port 0 is specified Redis will not listen on a TCP socket.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: if name == "" then 6379 else 0

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.requirePass

Password for database (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE). Use requirePassFile to store it outside of the nix store in a dedicated file.

Type: null or string

Default: null

Example: "letmein!"

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.requirePassFile

File with password for the database.

Type: null or path

Default: null

Example: "/run/keys/redis-password"

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.save

The schedule in which data is persisted to disk, represented as a list of lists where the first element represent the amount of seconds and the second the number of changes.

If set to the empty list ([]) then RDB persistence will be disabled (useful if you are using AOF or don’t want any persistence).

Type: list of list of signed integer

Default:

[
  [
    900
    1
  ]
  [
    300
    10
  ]
  [
    60
    10000
  ]
]

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.settings

Redis configuration. Refer to https://redis.io/topics/config for details on supported values.

Type: attribute set of (boolean or signed integer or string or list of string)

Default: { }

Example:

{
  loadmodule = [ "/path/to/my_module.so" "/path/to/other_module.so" ];
}

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.slaveOf

IP and port to which this redis instance acts as a slave.

Type: null or (submodule)

Default: null

Example:

{
  ip = "192.168.1.100";
  port = 6379;
}

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.slaveOf.ip

IP of the Redis master

Type: string

Example: "192.168.1.100"

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.slaveOf.port

port of the Redis master

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6379

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.slowLogLogSlowerThan

Log queries whose execution take longer than X in milliseconds.

Type: signed integer

Default: 10000

Example: 1000

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.slowLogMaxLen

Maximum number of items to keep in slow log.

Type: signed integer

Default: 128

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.syslog

Enable logging to the system logger.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.unixSocket

The path to the socket to bind to.

Type: null or path

Default:

if name == "" then "/run/redis/redis.sock" else "/run/redis-${name}/redis.sock"

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.unixSocketPerm

Change permissions for the socket

Type: signed integer

Default: 660

Example: 600

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.servers.<name>.user

User account under which this instance of redis-server runs.

Note

If left as the default value this user will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the redis service starts.

Type: string

Default:

if name == "" then "redis" else "redis-${name}"

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redis.vmOverCommit

Whether to enable set vm.overcommit_memory sysctl to 1 (Suggested for Background Saving: https://redis.io/docs/get-started/faq/) .

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/redis.nix>
services.redlib.enable

Whether to enable Private front-end for Reddit.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/redlib.nix>
services.redlib.package

The redlib package to use.

Type: package

Default: pkgs.redlib

Declared by:

<nixpkgs/nixos/modules/services/misc/redlib.nix>
services.redlib.address

The address to listen on

Type: string

Default: "0.0.0.0"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/redlib.nix>
services.redlib.openFirewall

Open ports in the firewall for the redlib web interface

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/redlib.nix>
services.redlib.port

The port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Example: 8000

Declared by:

<nixpkgs/nixos/modules/services/misc/redlib.nix>
services.redlib.settings

See GitHub for available settings.

Type: attribute set of (null or boolean or signed integer or string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/redlib.nix>
services.redmine.enable

Whether to enable Redmine, a project management web application.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.package

The redmine package to use.

Type: package

Default: pkgs.redmine

Example: redmine.override { ruby = pkgs.ruby_3_2; }

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.address

IP address Redmine should bind to.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.components.breezy

bazaar integration.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.components.cvs

cvs integration.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.components.ghostscript

Allows exporting Gant diagrams as PDF.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.components.git

git integration.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.components.imagemagick

Allows exporting Gant diagrams as PNG.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.components.mercurial

Mercurial integration.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.components.minimagick_font_path

MiniMagick font path

Type: string

Default: ""

Example: "/run/current-system/sw/share/X11/fonts/LiberationSans-Regular.ttf"

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.components.subversion

Subversion integration.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.database.name

Database name.

Type: string

Default: "redmine"

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/redmine-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.database.socket

Path to the unix socket file to use for authentication.

Type: null or path

Default: /run/mysqld/mysqld.sock

Example: "/run/mysqld/mysqld.sock"

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.database.type

Database engine to use.

Type: one of “mysql2”, “postgresql”, “sqlite3”

Default: "mysql2"

Example: "postgresql"

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.database.user

Database user.

Type: string

Default: "redmine"

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.extraEnv

Extra configuration in additional_environment.rb.

See https://svn.redmine.org/redmine/trunk/config/additional_environment.rb.example for details.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  config.logger.level = Logger::DEBUG
''

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.group

Group under which Redmine is ran.

Type: string

Default: "redmine"

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.plugins

Set of plugins.

Type: attribute set of path

Default: { }

Example:

{
  redmine_env_auth = builtins.fetchurl {
    url = "https://github.com/Intera/redmine_env_auth/archive/0.6.zip";
    sha256 = "0yyr1yjd8gvvh832wdc8m3xfnhhxzk2pk3gm2psg5w9jdvd6skak";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.port

Port on which Redmine is ran.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.settings

Redmine configuration (configuration.yml). Refer to https://guides.rubyonrails.org/action_mailer_basics.html#action-mailer-configuration for details.

Type: YAML value

Default: { }

Example:

{
  email_delivery = {
    delivery_method = "smtp";
    smtp_settings = {
      address = "mail.example.com";
      port = 25;
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.stateDir

The state directory, logs and plugins are stored here.

Type: path

Default: "/var/lib/redmine"

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.themes

Set of themes.

Type: attribute set of path

Default: { }

Example:

{
  dkuk-redmine_alex_skin = builtins.fetchurl {
    url = "https://bitbucket.org/dkuk/redmine_alex_skin/get/1842ef675ef3.zip";
    sha256 = "0hrin9lzyi50k4w2bd2b30vrf1i4fi1c0gyas5801wn8i7kpm9yl";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redmine.user

User under which Redmine is ran.

Type: string

Default: "redmine"

Declared by:

<nixpkgs/nixos/modules/services/misc/redmine.nix>
services.redshift.enable

Enable Redshift to change your screen’s colour temperature depending on the time of day.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/redshift.nix>
services.redshift.package

The redshift package to use.

Type: package

Default: pkgs.redshift

Declared by:

<nixpkgs/nixos/modules/services/x11/redshift.nix>
services.redshift.brightness.day

Screen brightness to apply during the day, between 0.1 and 1.0.

Type: string

Default: "1"

Declared by:

<nixpkgs/nixos/modules/services/x11/redshift.nix>
services.redshift.brightness.night

Screen brightness to apply during the night, between 0.1 and 1.0.

Type: string

Default: "1"

Declared by:

<nixpkgs/nixos/modules/services/x11/redshift.nix>
services.redshift.executable

Redshift executable to use within the package.

Type: string

Default: "/bin/redshift"

Example: "/bin/redshift-gtk"

Declared by:

<nixpkgs/nixos/modules/services/x11/redshift.nix>
services.redshift.extraOptions

Additional command-line arguments to pass to redshift.

Type: list of string

Default: [ ]

Example:

[
  "-v"
  "-m randr"
]

Declared by:

<nixpkgs/nixos/modules/services/x11/redshift.nix>
services.redshift.temperature.day

Colour temperature to use during the day, between 1000 and 25000 K.

Type: signed integer

Default: 5500

Declared by:

<nixpkgs/nixos/modules/services/x11/redshift.nix>
services.redshift.temperature.night

Colour temperature to use at night, between 1000 and 25000 K.

Type: signed integer

Default: 3700

Declared by:

<nixpkgs/nixos/modules/services/x11/redshift.nix>
services.redsocks.enable

Whether to enable redsocks.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.chroot

Chroot under which to run redsocks. Log file is opened before chroot, but if logging to syslog /etc/localtime may be required.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.log

Where to send logs.

Possible values are:

  • stderr

  • file:/path/to/file

  • syslog:FACILITY where FACILITY is any of “daemon”, “local0”, etc.

Type: string

Default: "stderr"

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.log_debug

Log connection progress.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.log_info

Log start and end of client sessions.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.redsocks

Local port to proxy associations to be performed.

The example shows how to configure a proxy to handle port 80 as HTTP relay, and all other ports as HTTP connect.

Type: list of (submodule)

Example:

[
  {
    doNotRedirect = [
      "-d 1.2.0.0/16"
    ];
    port = 23456;
    proxy = "1.2.3.4:8080";
    redirectCondition = "--dport 80";
    type = "http-relay";
  }
  {
    doNotRedirect = [
      "-d 1.2.0.0/16"
    ];
    port = 23457;
    proxy = "1.2.3.4:8080";
    redirectCondition = true;
    type = "http-connect";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.redsocks.*.disclose_src

Way to disclose client IP to the proxy.

  • “false”: do not disclose

http-connect supports the following ways:

  • “X-Forwarded-For”: add header “X-Forwarded-For: IP”

  • “Forwarded_ip”: add header “Forwarded: for=IP” (see RFC7239)

  • “Forwarded_ipport”: add header ‘Forwarded: for=“IP:port”’

Type: one of “false”, “X-Forwarded-For”, “Forwarded_ip”, “Forwarded_ipport”

Default: "false"

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.redsocks.*.doNotRedirect

Iptables filters that if matched will get the packet off of redsocks.

Type: list of string

Default: [ ]

Example:

[
  "-d 1.2.3.4"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.redsocks.*.ip

IP on which redsocks should listen. Defaults to 127.0.0.1 for security reasons.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.redsocks.*.login

Login to send to proxy.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.redsocks.*.password

Password to send to proxy. WARNING, this will end up world-readable in the store! Awaiting https://github.com/NixOS/nix/issues/8 to be able to fix.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.redsocks.*.port

Port on which redsocks should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 12345

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.redsocks.*.proxy

Proxy through which redsocks should forward incoming traffic. Example: “example.org:8080”

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.redsocks.*.redirectCondition

Conditions to make outbound packets go through this redsocks instance.

If set to false, no packet will be forwarded. If set to true, all packets will be forwarded (except packets excluded by redirectInternetOnly).

If set to a string, this is an iptables filter that will be matched against packets before getting them into redsocks. For example, setting it to “–dport 80” will only send packets to port 80 to redsocks. Note “-p tcp” is always implicitly added, as udp can only be proxied through redudp or the like.

Type: boolean or string

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.redsocks.*.redirectInternetOnly

Exclude all non-globally-routable IPs from redsocks

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.redsocks.redsocks.*.type

Type of proxy.

Type: one of “socks4”, “socks5”, “http-connect”, “http-relay”

Declared by:

<nixpkgs/nixos/modules/services/networking/redsocks.nix>
services.renovate.enable

Whether to enable renovate.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/renovate.nix>
services.renovate.package

The renovate package to use.

Type: package

Default: pkgs.renovate

Declared by:

<nixpkgs/nixos/modules/services/misc/renovate.nix>
services.renovate.credentials

Allows configuring environment variable credentials for renovate, read from files. This should always be used for passing confidential data to renovate.

Type: attribute set of path

Default: { }

Example:

{
  RENOVATE_TOKEN = "/etc/renovate/token";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/renovate.nix>
services.renovate.runtimePackages

Packages available to renovate.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/renovate.nix>
services.renovate.schedule

How often to run renovate. See systemd.time(7) for the format.

Type: null or string

Default: null

Example: "*:0/10"

Declared by:

<nixpkgs/nixos/modules/services/misc/renovate.nix>
services.renovate.settings

Renovate’s global configuration. If you want to pass secrets to renovate, please use services.renovate.credentials for that.

Type: JSON value

Default: { }

Example:

{
  endpoint = "https://git.example.com";
  gitAuthor = "Renovate <renovate@example.com>";
  platform = "gitea";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/renovate.nix>
services.renovate.validateSettings

Weither to run renovate’s config validator on the built configuration.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/renovate.nix>
services.resilio.enable

If enabled, start the Resilio Sync daemon. Once enabled, you can interact with the service through the Web UI, or configure it in your NixOS configuration.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.enableWebUI

Enable Web UI for administration. Bound to the specified httpListenAddress and httpListenPort.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.package

The resilio-sync package to use.

Type: package

Default: pkgs.resilio-sync

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.apiKey

API key, which enables the developer API.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.checkForUpdates

Determines whether to check for updates and alert the user about them in the UI.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.deviceName

Name of the Resilio Sync device.

Type: string

Default: config.networking.hostName

Example: "Voltron"

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.directoryRoot

Default directory to add folders in the web UI.

Type: string

Default: ""

Example: "/media"

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.downloadLimit

Download speed limit. 0 is unlimited (default).

Type: signed integer

Default: 0

Example: 1024

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.encryptLAN

Encrypt LAN data.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.httpListenAddr

HTTP address to bind to.

Type: string

Default: "[::1]"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.httpListenPort

HTTP port to bind on.

Type: signed integer

Default: 9000

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.httpLogin

HTTP web login username.

Type: string

Default: ""

Example: "allyourbase"

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.httpPass

HTTP web login password.

Type: string

Default: ""

Example: "arebelongtous"

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.listeningPort

Listening port. Defaults to 0 which randomizes the port.

Type: signed integer

Default: 0

Example: 44444

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.sharedFolders

Shared folder list. If enabled, web UI must be disabled. Secrets can be generated using rslsync --generate-secret.

If you would like to be able to modify the contents of this directories, it is recommended that you make your user a member of the rslsync group.

Directories in this list should be in the rslsync group, and that group must have write access to the directory. It is also recommended that chmod g+s is applied to the directory so that any sub directories created will also belong to the rslsync group. Also, setfacl -d -m group:rslsync:rwx and setfacl -m group:rslsync:rwx should also be applied so that the sub directories are writable by the group.

Type: list of attribute set of anything

Default: [ ]

Example:

[
  {
    directory = "/home/user/sync_test";
    knownHosts = [
      "192.168.1.2:4444"
      "192.168.1.3:4444"
    ];
    searchLAN = true;
    secretFile = "/run/resilio-secret";
    useDHT = false;
    useRelayServer = true;
    useSyncTrash = true;
    useTracker = true;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.storagePath

Where BitTorrent Sync will store it’s database files (containing things like username info and licenses). Generally, you should not need to ever change this.

Type: path

Default: "/var/lib/resilio-sync/"

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.uploadLimit

Upload speed limit. 0 is unlimited (default).

Type: signed integer

Default: 0

Example: 1024

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resilio.useUpnp

Use Universal Plug-n-Play (UPnP)

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/resilio.nix>
services.resolved.enable

Whether to enable the systemd DNS resolver daemon, systemd-resolved.

Search for services.resolved to see all options.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/resolved.nix>
services.resolved.dnsovertls

If set to

  • "true": all DNS lookups will be encrypted. This requires that the DNS server supports DNS-over-TLS and has a valid certificate. If the hostname was specified via the address#hostname format in services.resolved.domains then the specified hostname is used to validate its certificate.

  • "opportunistic": all DNS lookups will attempt to be encrypted, but will fallback to unecrypted requests if the server does not support DNS-over-TLS. Note that this mode does allow for a malicious party to conduct a downgrade attack by immitating the DNS server and pretending to not support encryption.

  • "false": all DNS lookups are done unencrypted.

Type: one of “true”, “opportunistic”, “false”

Default: "false"

Example: "true"

Declared by:

<nixpkgs/nixos/modules/system/boot/resolved.nix>
services.resolved.dnssec

If set to

  • "true": all DNS lookups are DNSSEC-validated locally (excluding LLMNR and Multicast DNS). Note that this mode requires a DNS server that supports DNSSEC. If the DNS server does not properly support DNSSEC all validations will fail.

  • "allow-downgrade": DNSSEC validation is attempted, but if the server does not support DNSSEC properly, DNSSEC mode is automatically disabled. Note that this mode makes DNSSEC validation vulnerable to “downgrade” attacks, where an attacker might be able to trigger a downgrade to non-DNSSEC mode by synthesizing a DNS response that suggests DNSSEC was not supported.

  • "false": DNS lookups are not DNSSEC validated.

At the time of September 2023, systemd upstream advise to disable DNSSEC by default as the current code is not robust enough to deal with “in the wild” non-compliant servers, which will usually give you a broken bad experience in addition of insecure.

Type: one of “true”, “allow-downgrade”, “false”

Default: "false"

Example: "true"

Declared by:

<nixpkgs/nixos/modules/system/boot/resolved.nix>
services.resolved.domains

A list of domains. These domains are used as search suffixes when resolving single-label host names (domain names which contain no dot), in order to qualify them into fully-qualified domain names (FQDNs).

For compatibility reasons, if this setting is not specified, the search domains listed in /etc/resolv.conf are used instead, if that file exists and any domains are configured in it.

Type: list of string

Default: config.networking.search

Example:

[
  "example.com"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/resolved.nix>
services.resolved.extraConfig

Extra config to append to resolved.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/resolved.nix>
services.resolved.fallbackDns

A list of IPv4 and IPv6 addresses to use as the fallback DNS servers. If this option is null, a compiled-in list of DNS servers is used instead. Setting this option to an empty list will override the built-in list to an empty list, disabling fallback.

Type: null or (list of string)

Default: null

Example:

[
  "8.8.8.8"
  "2001:4860:4860::8844"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/resolved.nix>
services.resolved.llmnr

Controls Link-Local Multicast Name Resolution support (RFC 4795) on the local host.

If set to

  • "true": Enables full LLMNR responder and resolver support.

  • "false": Disables both.

  • "resolve": Only resolution support is enabled, but responding is disabled.

Type: one of “true”, “resolve”, “false”

Default: "true"

Example: "false"

Declared by:

<nixpkgs/nixos/modules/system/boot/resolved.nix>
services.restic.backups

Periodic backups to create with Restic.

Type: attribute set of (submodule)

Default: { }

Example:

{
  localbackup = {
    exclude = [
      "/home/*/.cache"
    ];
    initialize = true;
    passwordFile = "/etc/nixos/secrets/restic-password";
    paths = [
      "/home"
    ];
    repository = "/mnt/backup-hdd";
  };
  remotebackup = {
    extraOptions = [
      "sftp.command='ssh backup@host -i /etc/nixos/secrets/backup-private-key -s sftp'"
    ];
    passwordFile = "/etc/nixos/secrets/restic-password";
    paths = [
      "/home"
    ];
    repository = "sftp:backup@host:/backups/home";
    timerConfig = {
      OnCalendar = "00:05";
      RandomizedDelaySec = "5h";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.package

The restic package to use.

Type: package

Default: pkgs.restic

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.backupCleanupCommand

A script that must run after finishing the backup process.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.backupPrepareCommand

A script that must run before starting the backup process.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.checkOpts

A list of options for ‘restic check’.

Type: list of string

Default: [ ]

Example:

[
  "--with-cache"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.createWrapper

Whether to generate and add a script to the system path, that has the same environment variables set as the systemd service. This can be used to e.g. mount snapshots or perform other opterations, without having to manually specify most options.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.dynamicFilesFrom

A script that produces a list of files to back up. The results of this command are given to the ‘–files-from’ option. The result is merged with paths specified via paths.

Type: null or string

Default: null

Example: "find /home/matt/git -type d -name .git"

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.environmentFile

file containing the credentials to access the repository, in the format of an EnvironmentFile as described by systemd.exec(5)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.exclude

Patterns to exclude when backing up. See https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files for details on syntax.

Type: list of string

Default: [ ]

Example:

[
  "/var/cache"
  "/home/*/.cache"
  ".git"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.extraBackupArgs

Extra arguments passed to restic backup.

Type: list of string

Default: [ ]

Example:

[
  "--exclude-file=/etc/nixos/restic-ignore"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.extraOptions

Extra extended options to be passed to the restic --option flag.

Type: list of string

Default: [ ]

Example:

[
  "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.inhibitsSleep

Prevents the system from sleeping while backing up.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.initialize

Create the repository if it doesn’t exist.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.passwordFile

Read the repository password from a file.

Type: string

Example: "/etc/nixos/restic-password"

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.paths

Which paths to backup, in addition to ones specified via dynamicFilesFrom. If null or an empty array and dynamicFilesFrom is also null, no backup command will be run. This can be used to create a prune-only job.

Type: null or (list of string)

Default: [ ]

Example:

[
  "/var/lib/postgresql"
  "/home/user/backup"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.pruneOpts

A list of options (–keep-* et al.) for ‘restic forget –prune’, to automatically prune old snapshots. The ‘forget’ command is run after the ‘backup’ command, so keep that in mind when constructing the --keep-* options.

Type: list of string

Default: [ ]

Example:

[
  "--keep-daily 7"
  "--keep-weekly 5"
  "--keep-monthly 12"
  "--keep-yearly 75"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.rcloneConfig

Configuration for the rclone remote being used for backup. See the remote’s specific options under rclone’s docs at https://rclone.org/docs/. When specifying option names, use the “config” name specified in the docs. For example, to set --b2-hard-delete for a B2 remote, use hard_delete = true in the attribute set. Warning: Secrets set in here will be world-readable in the Nix store! Consider using the rcloneConfigFile option instead to specify secret values separately. Note that options set here will override those set in the config file.

Type: null or (attribute set of (string or boolean))

Default: null

Example:

{
  account = "xxx";
  hard_delete = true;
  key = "xxx";
  type = "b2";
}

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.rcloneConfigFile

Path to the file containing rclone configuration. This file must contain configuration for the remote specified in this backup set and also must be readable by root. Options set in rcloneConfig will override those set in this file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.rcloneOptions

Options to pass to rclone to control its behavior. See https://rclone.org/docs/#options for available options. When specifying option names, strip the leading --. To set a flag such as --drive-use-trash, which does not take a value, set the value to the Boolean true.

Type: null or (attribute set of (string or boolean))

Default: null

Example:

{
  bwlimit = "10M";
  drive-use-trash = "true";
}

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.repository

repository to backup to.

Type: null or string

Default: null

Example: "sftp:backup@192.168.1.100:/backups/‹name›"

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.repositoryFile

Path to the file containing the repository location to backup to.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.runCheck

Whether to run the check command with the provided checkOpts options.

Type: boolean

Default: builtins.length config.services.backups.‹name›.checkOpts > 0

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.timerConfig

When to run the backup. See systemd.timer(5) for details. If null no timer is created and the backup will only run when explicitly started.

Type: null or (attribute set of (systemd option))

Default:

{
  OnCalendar = "daily";
  Persistent = true;
}

Example:

{
  OnCalendar = "00:05";
  Persistent = true;
  RandomizedDelaySec = "5h";
}

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.backups.<name>.user

As which user the backup should run.

Type: string

Default: "root"

Example: "postgresql"

Declared by:

<nixpkgs/nixos/modules/services/backup/restic.nix>
services.restic.server.enable

Whether to enable Restic REST Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/restic-rest-server.nix>
services.restic.server.package

The restic-rest-server package to use.

Type: package

Default: pkgs.restic-rest-server

Declared by:

<nixpkgs/nixos/modules/services/backup/restic-rest-server.nix>
services.restic.server.appendOnly

Enable append only mode. This mode allows creation of new backups but prevents deletion and modification of existing backups. This can be useful when backing up systems that have a potential of being hacked.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/restic-rest-server.nix>
services.restic.server.dataDir

The directory for storing the restic repository.

Type: path

Default: "/var/lib/restic"

Declared by:

<nixpkgs/nixos/modules/services/backup/restic-rest-server.nix>
services.restic.server.extraFlags

Extra commandline options to pass to Restic REST server.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/restic-rest-server.nix>
services.restic.server.listenAddress

Listen on a specific IP address and port or unix socket.

Type: string

Default: "8000"

Example: "127.0.0.1:8080"

Declared by:

<nixpkgs/nixos/modules/services/backup/restic-rest-server.nix>
services.restic.server.privateRepos

Enable private repos. Grants access only when a subdirectory with the same name as the user is specified in the repository URL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/restic-rest-server.nix>
services.restic.server.prometheus

Enable Prometheus metrics at /metrics.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/restic-rest-server.nix>
services.riemann.enable

Whether to enable Riemann network monitoring daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/riemann.nix>
services.riemann.config

Contents of the Riemann configuration file. For more complicated config you should use configFile.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/monitoring/riemann.nix>
services.riemann.configFile

A Riemann config file. Any files in the same directory as this file will be added to the classpath by Riemann.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/riemann.nix>
services.riemann.configFiles

Extra files containing Riemann configuration. These files will be loaded at runtime by Riemann (with Clojure’s load-file function) at the end of the configuration if you use the config option, this is ignored if you use configFile.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/riemann.nix>
services.riemann.extraClasspathEntries

Extra entries added to the Java classpath when running Riemann.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/riemann.nix>
services.riemann.extraJavaOpts

Extra Java options used when launching Riemann.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/riemann.nix>
services.riemann-dash.enable

Enable the riemann-dash dashboard daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/riemann-dash.nix>
services.riemann-dash.config

Contents added to the end of the riemann-dash configuration file.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/monitoring/riemann-dash.nix>
services.riemann-dash.dataDir

Location of the riemann-base dir. The dashboard configuration file is is stored to this directory. The directory is created automatically on service start, and owner is set to the riemanndash user.

Type: string

Default: "/var/riemann-dash"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/riemann-dash.nix>
services.riemann-tools.enableHealth

Enable the riemann-health daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/riemann-tools.nix>
services.riemann-tools.extraArgs

A list of commandline-switches forwarded to a riemann-tool. See for example riemann-health --help for available options.

Type: list of string

Default: [ ]

Example:

[
  "-p 5555"
  "--timeout=30"
  "--attribute=myattribute=42"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/riemann-tools.nix>
services.riemann-tools.riemannHost

Address of the host riemann node. Defaults to localhost.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/riemann-tools.nix>
services.rimgo.enable

Whether to enable rimgo.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rimgo.nix>
services.rimgo.package

The rimgo package to use.

Type: package

Default: pkgs.rimgo

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rimgo.nix>
services.rimgo.settings

Settings for rimgo, see the official documentation for supported options.

Type: attribute set of string

Example:

{
  PORT = 69420;
  FORCE_WEBP = "1";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rimgo.nix>
services.rimgo.settings.ADDRESS

The address to listen on.

Type: string

Default: "127.0.0.1"

Example: "1.1.1.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rimgo.nix>
services.rimgo.settings.PORT

The port to use.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Example: 69420

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rimgo.nix>
services.rippleDataApi.enable

Whether to enable ripple data api.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.couchdb.create

Whether to create couchdb database needed by ripple data api.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.couchdb.db

Ripple data api couchdb database.

Type: string

Default: "rippled"

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.couchdb.host

Ripple data api couchdb host.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.couchdb.pass

Ripple data api couchdb password.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.couchdb.port

Ripple data api couchdb port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5984

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.couchdb.user

Ripple data api couchdb username.

Type: string

Default: "rippled"

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.importMode

Ripple data api import mode.

Type: one of “live”, “liveOnly”

Default: "liveOnly"

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.maxLedger

Ripple data api maximal ledger to fetch.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.minLedger

Ripple data api minimal ledger to fetch.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.port

Ripple data api port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5993

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.redis.enable

Whether to enable caching of ripple data to redis.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.redis.host

Ripple data api redis host.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.redis.port

Ripple data api redis port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5984

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippleDataApi.rippleds

List of rippleds to be used by ripple data api.

Type: list of string

Default:

[
  "http://s_east.ripple.com:51234"
  "http://s_west.ripple.com:51234"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/ripple-data-api.nix>
services.rippled.enable

Whether to enable rippled, a decentralized cryptocurrency blockchain daemon implementing the XRP Ledger protocol in C++.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.package

The rippled package to use.

Type: package

Default: pkgs.rippled

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.databasePath

Path to the ripple database.

Type: path

Default: "/var/lib/rippled"

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.extraConfig

Extra lines to be added verbatim to the rippled.cfg configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.fetchDepth

The number of past ledgers to serve to other peers that request historical ledger data (or “full” for no limit).

Type: signed integer or value “full” (singular enum)

Default: "full"

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.importDb

Settings for performing a one-time import.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.importDb.advisoryDelete

If set, then require administrative RPC call “can_delete” to enable online deletion of ledger records.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.importDb.compression

Whether to enable snappy compression.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.importDb.extraOpts

Extra database options.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.importDb.onlineDelete

Enable automatic purging of older ledger information.

Type: null or signed integer

Default: config.services.rippled.ledgerHistory

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.importDb.path

Location to store the database.

Type: path

Default: config.services.rippled.databasePath

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.importDb.type

Rippled database type.

Type: one of “rocksdb”, “nudb”

Default: "rocksdb"

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.ips

List of hostnames or ips where the Ripple protocol is served. For a starter list, you can either copy entries from: https://ripple.com/ripple.txt or if you prefer you can let it default to r.ripple.com 51235

A port may optionally be specified after adding a space to the address. By convention, if known, IPs are listed in from most to least trusted.

Type: list of string

Default:

[
  "r.ripple.com 51235"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.ipsFixed

List of IP addresses or hostnames to which rippled should always attempt to maintain peer connections with. This is useful for manually forming private networks, for example to configure a validation server that connects to the Ripple network through a public-facing server, or for building a set of cluster peers.

A port may optionally be specified after adding a space to the address

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.ledgerHistory

The number of past ledgers to acquire on server startup and the minimum to maintain while running.

Type: signed integer or value “full” (singular enum)

Default: 1296000

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.logLevel

Logging verbosity.

Type: one of “debug”, “error”, “info”

Default: "error"

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.nodeDb

Rippled main database options.

Type: null or (submodule)

Default:

{
  extraOpts = ''
    open_files=2000
    filter_bits=12
    cache_mb=256
    file_size_pb=8
    file_size_mult=2;
  '';
  type = "rocksdb";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.nodeDb.advisoryDelete

If set, then require administrative RPC call “can_delete” to enable online deletion of ledger records.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.nodeDb.compression

Whether to enable snappy compression.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.nodeDb.extraOpts

Extra database options.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.nodeDb.onlineDelete

Enable automatic purging of older ledger information.

Type: null or signed integer

Default: config.services.rippled.ledgerHistory

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.nodeDb.path

Location to store the database.

Type: path

Default: config.services.rippled.databasePath

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.nodeDb.type

Rippled database type.

Type: one of “rocksdb”, “nudb”

Default: "rocksdb"

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.nodeSize

Rippled size of the node you are running. “tiny”, “small”, “medium”, “large”, and “huge”

Type: one of “tiny”, “small”, “medium”, “large”, “huge”

Default: "small"

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.ports

Ports exposed by rippled

Type: attribute set of (submodule)

Default:

{
  peer = {
    ip = "0.0.0.0";
    port = 51235;
    protocol = [
      "peer"
    ];
  };
  rpc = {
    admin = [
      "127.0.0.1"
    ];
    port = 5005;
    protocol = [
      "http"
    ];
  };
  ws_public = {
    ip = "0.0.0.0";
    port = 5006;
    protocol = [
      "ws"
      "wss"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.ports.<name>.admin

A comma-separated list of admin IP addresses.

Type: list of string

Default:

[
  "127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.ports.<name>.ip

Ip where rippled listens.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.ports.<name>.password

When set, these credentials will be required on HTTP/S requests.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.ports.<name>.port

Port where rippled listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.ports.<name>.protocol

Protocols expose by rippled.

Type: list of (one of “http”, “https”, “ws”, “wss”, “peer”)

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.ports.<name>.ssl.cert

Specifies the path to the SSL certificate file in PEM format. This is not needed if the chain includes it.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.ports.<name>.ssl.chain

If you need a certificate chain, specify the path to the certificate chain here. The chain may include the end certificate.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.ports.<name>.ssl.key

Specifies the filename holding the SSL key in PEM format.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.ports.<name>.user

When set, these credentials will be required on HTTP/S requests.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.sntpServers

IP address or domain of NTP servers to use for time synchronization.;

Type: list of string

Default:

[
  "time.windows.com"
  "time.apple.com"
  "time.nist.gov"
  "pool.ntp.org"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.statsd.enable

Whether to enable statsd monitoring for rippled.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.statsd.address

The UDP address and port of the listening StatsD server.

Type: string

Default: "127.0.0.1:8125"

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.statsd.prefix

A string prepended to each collected metric.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.tempDb

Rippled temporary database options.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.tempDb.advisoryDelete

If set, then require administrative RPC call “can_delete” to enable online deletion of ledger records.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.tempDb.compression

Whether to enable snappy compression.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.tempDb.extraOpts

Extra database options.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.tempDb.onlineDelete

Enable automatic purging of older ledger information.

Type: null or signed integer

Default: config.services.rippled.ledgerHistory

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.tempDb.path

Location to store the database.

Type: path

Default: config.services.rippled.databasePath

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.tempDb.type

Rippled database type.

Type: one of “rocksdb”, “nudb”

Default: "rocksdb"

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.validationQuorum

The minimum number of trusted validations a ledger must have before the server considers it fully validated.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rippled.validators

List of nodes to always accept as validators. Nodes are specified by domain or public key.

Type: list of string

Default:

[
  "n949f75evCHwgyP4fPVgaHqNHxUVN15PsJEZ3B3HnXPcPjcZAoy7  RL1"
  "n9MD5h24qrQqiyBC8aeqqCWvpiBiYQ3jxSr91uiDvmrkyHRdYLUj  RL2"
  "n9L81uNCaPgtUJfaHh89gmdvXKAmSt5Gdsw2g1iPWaPkAHW5Nm4C  RL3"
  "n9KiYM9CgngLvtRCQHZwgC2gjpdaZcCcbt3VboxiNFcKuwFVujzS  RL4"
  "n9LdgEtkmGB9E2h3K4Vp7iGUaKuq23Zr32ehxiU8FWY7xoxbWTSA  RL5"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/rippled.nix>
services.rke2.enable

Whether to enable rke2.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.package

The rke2 package to use.

Type: package

Default: pkgs.rke2

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.agentToken

Shared secret used to join agents to the cluster, but not servers.

WARNING: This option will expose store your token unencrypted world-readable in the nix store. If this is undesired use the agentTokenFile option instead.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.agentTokenFile

File path containing rke2 agent token to use when connecting to the server.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.cisHardening

Enable CIS Hardening for RKE2.

It will set the configurations and controls required to address Kubernetes benchmark controls from the Center for Internet Security (CIS).

Learn more about CIS Hardening for RKE2.

NOTICE:

You may need restart the systemd-sysctl muaually by:

sudo systemctl restart systemd-sysctl

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.cni

CNI Plugins to deploy, one of none, calico, canal, cilium or flannel.

All CNI plugins get installed via a helm chart after the main components are up and running and can be customized by modifying the helm chart options.

Learn more about RKE2 and CNI plugins

WARNING: Flannel support in RKE2 is currently experimental.

Type: one of “none”, “canal”, “cilium”, “calico”, “flannel”

Default: "canal"

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.configPath

Load configuration from FILE.

Type: path

Default: "/etc/rancher/rke2/config.yaml"

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.dataDir

The folder to hold state in.

Type: path

Default: "/var/lib/rancher/rke2"

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.debug

Turn on debug logs.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.disable

Do not deploy packaged components and delete any deployed components.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.environmentVars

Environment variables for configuring the rke2 service/agent.

Here you can find all the available environment variables:

Besides the options above, you can also active environment variables by edit/create those files:

  • /etc/default/rke2

  • /etc/sysconfig/rke2

  • /usr/local/lib/systemd/system/rke2.env

Type: attribute set of string

Default:

{
  HOME = "/root";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.extraFlags

Extra flags to pass to the rke2 service/agent.

Here you can find all the available flags:

Type: list of string

Default: [ ]

Example:

[
  "--disable-kube-proxy"
  "--cluster-cidr=10.24.0.0/16"
]

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.nodeIP

IPv4/IPv6 addresses to advertise for node.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.nodeLabel

Registering and starting kubelet with set of labels.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.nodeName

Node name.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.nodeTaint

Registering kubelet with set of taints.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.role

Whether rke2 should run as a server or agent.

If it’s a server:

  • By default it also runs workloads as an agent.

  • any optionals is allowed.

If it’s an agent:

  • serverAddr is required.

  • token or tokenFile is required.

  • agentToken or agentTokenFile or disable or cni are not allowed.

Type: one of “server”, “agent”

Default: "server"

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.selinux

Enable SELinux in containerd.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.serverAddr

The rke2 server to connect to, used to join a cluster.

Type: string

Default: ""

Example: "https://10.0.0.10:6443"

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.token

Shared secret used to join a server or agent to a cluster.

WARNING: This option will expose store your token unencrypted world-readable in the nix store. If this is undesired use the tokenFile option instead.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rke2.tokenFile

File path containing rke2 token to use when connecting to the server.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/cluster/rke2/default.nix>
services.rkvm.enable

Whether to enable rkvm, a Virtual KVM switch for Linux machines.

Type: boolean

Default: config.services.rkvm.server.enable || config.services.rkvm.client.enable

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rkvm.package

The rkvm package to use.

Type: package

Default: pkgs.rkvm

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rkvm.client.enable

Whether to enable the rkvm client daemon (input receiver).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rkvm.client.settings

Structured client daemon configuration

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rkvm.client.settings.certificate

TLS ceritficate path.

Note

This should be generated with rkvm-certificate-gen.

Type: path

Default: "/etc/rkvm/certificate.pem"

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rkvm.client.settings.password

Shared secret token to authenticate the client. Make sure this matches your server’s config.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rkvm.client.settings.server

An RKVM server’s internet socket address, either IPv4 or IPv6.

Type: string

Example: "192.168.0.123:5258"

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rkvm.server.enable

Whether to enable the rkvm server daemon (input transmitter).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rkvm.server.settings

Structured server daemon configuration

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rkvm.server.settings.certificate

TLS certificate path.

Note

This should be generated with rkvm-certificate-gen.

Type: path

Default: "/etc/rkvm/certificate.pem"

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rkvm.server.settings.key

TLS key path.

Note

This should be generated with rkvm-certificate-gen.

Type: path

Default: "/etc/rkvm/key.pem"

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rkvm.server.settings.listen

An internet socket address to listen on, either IPv4 or IPv6.

Type: string

Default: "0.0.0.0:5258"

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rkvm.server.settings.password

Shared secret token to authenticate the client. Make sure this matches your client’s config.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rkvm.server.settings.switch-keys

A key list specifying a host switch combination.

A list of key names is available in https://github.com/htrefil/rkvm/blob/master/switch-keys.md.

Type: list of string

Default:

[
  "left-alt"
  "left-ctrl"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/rkvm.nix>
services.rmfakecloud.enable

Whether to enable rmfakecloud remarkable self-hosted cloud.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/rmfakecloud.nix>
services.rmfakecloud.package

The rmfakecloud package to use.

Type: package

Default: pkgs.rmfakecloud

Declared by:

<nixpkgs/nixos/modules/services/misc/rmfakecloud.nix>
services.rmfakecloud.environmentFile

Path to an environment file loaded for the rmfakecloud service.

This can be used to securely store tokens and secrets outside of the world-readable Nix store. Since this file is read by systemd, it may have permission 0400 and be owned by root.

Type: null or path

Default: null

Example: "/etc/secrets/rmfakecloud.env"

Declared by:

<nixpkgs/nixos/modules/services/misc/rmfakecloud.nix>
services.rmfakecloud.extraSettings

Extra settings in the form of a set of key-value pairs. For tokens and secrets, use environmentFile instead.

Available settings are listed on https://ddvk.github.io/rmfakecloud/install/configuration/.

Type: attribute set of string

Default: { }

Example:

{
  DATADIR = "/custom/path/for/rmfakecloud/data";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/rmfakecloud.nix>
services.rmfakecloud.logLevel

Logging level.

Type: one of “info”, “debug”, “warn”, “error”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/misc/rmfakecloud.nix>
services.rmfakecloud.port

Listening port number.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/misc/rmfakecloud.nix>
services.rmfakecloud.storageUrl

URL used by the tablet to access the rmfakecloud service.

Type: string

Example: "https://local.appspot.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/rmfakecloud.nix>
services.robustirc-bridge.enable

Whether to enable RobustIRC bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/robustirc-bridge.nix>
services.robustirc-bridge.extraFlags

Extra flags passed to the robustirc-bridge command. See RobustIRC Documentation or robustirc-bridge(1) for details.

Type: list of string

Default: [ ]

Example:

[
  "-network robustirc.net"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/robustirc-bridge.nix>
services.roon-bridge.enable

Whether to enable Roon Bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/roon-bridge.nix>
services.roon-bridge.group

Group to run the Roon Bridge as.

Type: string

Default: "roon-bridge"

Declared by:

<nixpkgs/nixos/modules/services/audio/roon-bridge.nix>
services.roon-bridge.openFirewall

Open ports in the firewall for the bridge.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/roon-bridge.nix>
services.roon-bridge.user

User to run the Roon bridge as.

Type: string

Default: "roon-bridge"

Declared by:

<nixpkgs/nixos/modules/services/audio/roon-bridge.nix>
services.roon-server.enable

Whether to enable Roon Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/roon-server.nix>
services.roon-server.package

The roon-server package to use.

Type: package

Default: pkgs.roon-server

Declared by:

<nixpkgs/nixos/modules/services/audio/roon-server.nix>
services.roon-server.group

Group to run the Roon Server as.

Type: string

Default: "roon-server"

Declared by:

<nixpkgs/nixos/modules/services/audio/roon-server.nix>
services.roon-server.openFirewall

Open ports in the firewall for the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/roon-server.nix>
services.roon-server.user

User to run the Roon Server as.

Type: string

Default: "roon-server"

Declared by:

<nixpkgs/nixos/modules/services/audio/roon-server.nix>
services.rosenpass.enable

Whether to enable Rosenpass.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/rosenpass.nix>
services.rosenpass.package

The rosenpass package to use.

Type: package

Default: pkgs.rosenpass

Declared by:

<nixpkgs/nixos/modules/services/networking/rosenpass.nix>
services.rosenpass.defaultDevice

Name of the network interface to use for all peers by default.

Type: null or string

Example: "wg0"

Declared by:

<nixpkgs/nixos/modules/services/networking/rosenpass.nix>
services.rosenpass.settings

Configuration for Rosenpass, see https://rosenpass.eu/ for further information.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/rosenpass.nix>
services.rosenpass.settings.listen

List of local endpoints to listen for connections.

Type: list of string

Default: [ ]

Example: [ "0.0.0.0:10000" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/rosenpass.nix>
services.rosenpass.settings.peers

List of peers to exchange keys with.

Type: list of (TOML value)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/rosenpass.nix>
services.rosenpass.settings.peers.*.device

Name of the local WireGuard interface to use for this peer.

Type: string

Default: config.services.rosenpass.defaultDevice

Declared by:

<nixpkgs/nixos/modules/services/networking/rosenpass.nix>
services.rosenpass.settings.peers.*.endpoint

Endpoint of the remote Rosenpass peer.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/rosenpass.nix>
services.rosenpass.settings.peers.*.peer

WireGuard public key corresponding to the remote Rosenpass peer.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/rosenpass.nix>
services.rosenpass.settings.peers.*.public_key

Path to a file containing the public key of the remote Rosenpass peer.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/rosenpass.nix>
services.rosenpass.settings.public_key

Path to a file containing the public key of the local Rosenpass peer. Generate this by running rosenpass gen-keys.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/rosenpass.nix>
services.rosenpass.settings.secret_key

Path to a file containing the secret key of the local Rosenpass peer. Generate this by running rosenpass gen-keys.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/rosenpass.nix>
services.rosenpass.settings.verbosity

Verbosity of output produced by the service.

Type: one of “Verbose”, “Quiet”

Default: "Quiet"

Declared by:

<nixpkgs/nixos/modules/services/networking/rosenpass.nix>
services.roundcube.enable

Whether to enable roundcube.

Also enables nginx virtual host management. Further nginx configuration can be done by adapting services.nginx.virtualHosts.<name>. See services.nginx.virtualHosts for further information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/roundcube.nix>
services.roundcube.package

The roundcube package to use.

Type: package

Default: pkgs.roundcube

Example: roundcube.withPlugins (plugins: [ plugins.persistent_login ])

Declared by:

<nixpkgs/nixos/modules/services/mail/roundcube.nix>
services.roundcube.configureNginx

Configure nginx as a reverse proxy for roundcube.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/roundcube.nix>
services.roundcube.database.dbname

Name of the postgresql database

Type: string

Default: "roundcube"

Declared by:

<nixpkgs/nixos/modules/services/mail/roundcube.nix>
services.roundcube.database.host

Host of the postgresql server. If this is not set to localhost, you have to create the postgresql user and database yourself, with appropriate permissions.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/mail/roundcube.nix>
services.roundcube.database.password

Password for the postgresql connection. Do not use: the password will be stored world readable in the store; use passwordFile instead.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/roundcube.nix>
services.roundcube.database.passwordFile

Password file for the postgresql connection. Must be formatted according to PostgreSQL .pgpass standard (see https://www.postgresql.org/docs/current/libpq-pgpass.html) but only one line, no comments and readable by user nginx. Ignored if database.host is set to localhost, as peer authentication will be used.

Type: path

Example:

pkgs.writeText "roundcube-postgres-passwd.txt" ''
  hostname:port:database:username:password
''

Declared by:

<nixpkgs/nixos/modules/services/mail/roundcube.nix>
services.roundcube.database.username

Username for the postgresql connection. If database.host is set to localhost, a unix user and group of the same name will be created as well.

Type: string

Default: "roundcube"

Declared by:

<nixpkgs/nixos/modules/services/mail/roundcube.nix>
services.roundcube.dicts

List of aspell dictionaries for spell checking. If empty, spell checking is disabled.

Type: list of package

Default: [ ]

Example: with pkgs.aspellDicts; [ en fr de ]

Declared by:

<nixpkgs/nixos/modules/services/mail/roundcube.nix>
services.roundcube.extraConfig

Extra configuration for roundcube webmail instance

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/roundcube.nix>
services.roundcube.hostName

Hostname to use for the nginx vhost

Type: string

Example: "webmail.example.com"

Declared by:

<nixpkgs/nixos/modules/services/mail/roundcube.nix>
services.roundcube.maxAttachmentSize

The maximum attachment size in MB. [upstream issue comment]: https://github.com/roundcube/roundcubemail/issues/7979#issuecomment-808879209

Note

Since there is some overhead in base64 encoding applied to attachments, + 37% will be added to the value set in this option in order to offset the overhead. For example, setting maxAttachmentSize to 100 would result in 137M being the real value in the configuration. See [upstream issue comment] for more details on the motivations behind this.

Type: signed integer

Default: 18

Declared by:

<nixpkgs/nixos/modules/services/mail/roundcube.nix>
services.roundcube.plugins

List of roundcube plugins to enable. Currently, only those directly shipped with Roundcube are supported.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/roundcube.nix>
services.routedns.enable

Whether to enable RouteDNS - DNS stub resolver, proxy and router.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/routedns.nix>
services.routedns.package

The routedns package to use.

Type: package

Default: pkgs.routedns

Declared by:

<nixpkgs/nixos/modules/services/networking/routedns.nix>
services.routedns.configFile

Path to RouteDNS TOML configuration file.

Type: path

Default: "A RouteDNS configuration file automatically generated by values from services.routedns.*"

Example: "${pkgs.routedns}/cmd/routedns/example-config/use-case-1.toml"

Declared by:

<nixpkgs/nixos/modules/services/networking/routedns.nix>
services.routedns.settings

Configuration for RouteDNS, see https://github.com/folbricht/routedns/blob/master/doc/configuration.md for more information.

Type: TOML value

Example:

{
  resolvers.cloudflare-dot = {
    address = "1.1.1.1:853";
    protocol = "dot";
  };
  groups.cloudflare-cached = {
    type = "cache";
    resolvers = ["cloudflare-dot"];
  };
  listeners.local-udp = {
    address = "127.0.0.1:53";
    protocol = "udp";
    resolver = "cloudflare-cached";
  };
  listeners.local-tcp = {
    address = "127.0.0.1:53";
    protocol = "tcp";
    resolver = "cloudflare-cached";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/routedns.nix>
services.rpcbind.enable

Whether to enable rpcbind, an ONC RPC directory service notably used by NFS and NIS, and which can be queried using the rpcinfo(1) command. rpcbind is a replacement for portmap.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/rpcbind.nix>
services.rshim.enable

Whether to enable user-space rshim driver for the BlueField SoC.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/rshim.nix>
services.rshim.package

The rshim-user-space package to use.

Type: package

Default: pkgs.rshim-user-space

Declared by:

<nixpkgs/nixos/modules/services/misc/rshim.nix>
services.rshim.backend

Specify the backend to attach. If not specified, the driver will scan all rshim backends unless the device option is given with a device name specified.

Type: null or one of “usb”, “pcie”, “pcie_lf”

Default: null

Example: "pcie"

Declared by:

<nixpkgs/nixos/modules/services/misc/rshim.nix>
services.rshim.config

Structural setting for the rshim configuration file (/etc/rshim.conf). It can be used to specify the static mapping between rshim devices and rshim names. It can also be used to ignore some rshim devices.

Type: attribute set of (signed integer or string)

Default: { }

Example:

{
  DISPLAY_LEVEL = 0;
  none = "usb-1-1.4";
  rshim0 = "usb-2-1.7";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/rshim.nix>
services.rshim.device

Specify the device name to attach. The backend driver can be deduced from the device name, thus the backend option is not needed.

Type: null or string

Default: null

Example: "pcie-04:00.2"

Declared by:

<nixpkgs/nixos/modules/services/misc/rshim.nix>
services.rshim.index

Specify the index to create device path /dev/rshim<index>. It’s also used to create network interface name tmfifo_net<index>. This option is needed when multiple rshim instances are running.

Type: null or signed integer

Default: null

Example: 1

Declared by:

<nixpkgs/nixos/modules/services/misc/rshim.nix>
services.rshim.log-level

Specify the log level (0:none, 1:error, 2:warning, 3:notice, 4:debug).

Type: signed integer

Default: 2

Example: 4

Declared by:

<nixpkgs/nixos/modules/services/misc/rshim.nix>
services.rsnapshot.enable

Whether to enable rsnapshot backups.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/rsnapshot.nix>
services.rsnapshot.enableManualRsnapshot

Whether to enable manual usage of the rsnapshot command with this module.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/backup/rsnapshot.nix>
services.rsnapshot.cronIntervals

Periodicity at which intervals should be run by cron. Note that the intervals also have to exist in configuration as retain options.

Type: attribute set of string

Default: { }

Example:

{
  daily = "50 21 * * *";
  hourly = "0 * * * *";
}

Declared by:

<nixpkgs/nixos/modules/services/backup/rsnapshot.nix>
services.rsnapshot.extraConfig

rsnapshot configuration option in addition to the defaults from rsnapshot and this module.

Note that tabs are required to separate option arguments, and directory names require trailing slashes.

The “extra” in the option name might be a little misleading right now, as it is required to get a functional configuration.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  retains	hourly	24
  retain	daily	365
  backup	/home/	localhost/
''

Declared by:

<nixpkgs/nixos/modules/services/backup/rsnapshot.nix>
services.rspamd.enable

Whether to enable rspamd, the Rapid spam filtering system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.debug

Whether to run the rspamd daemon in debug mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.extraConfig

Extra configuration to add at the end of the rspamd configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.group

Group to use when no root privileges are required.

Type: string

Default: "rspamd"

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.localLuaRules

Path of file to link to /etc/rspamd/rspamd.local.lua for local rules written in Lua

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.locals

Local configuration files, written into /etc/rspamd/local.d/{name}.

Type: attribute set of (submodule)

Default: { }

Example:

{ "redis.conf".source = "/nix/store/.../etc/dir/redis.conf";
  "arc.conf".text = "allow_envfrom_empty = true;";
}

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.locals.<name>.enable

Whether this file locals should be generated. This option allows specific locals files to be disabled.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.locals.<name>.source

Path of the source file.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.locals.<name>.text

Text of the file.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.overrides

Overridden configuration files, written into /etc/rspamd/override.d/{name}.

Type: attribute set of (submodule)

Default: { }

Example:

{ "redis.conf".source = "/nix/store/.../etc/dir/redis.conf";
  "arc.conf".text = "allow_envfrom_empty = true;";
}

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.overrides.<name>.enable

Whether this file overrides should be generated. This option allows specific overrides files to be disabled.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.overrides.<name>.source

Path of the source file.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.overrides.<name>.text

Text of the file.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.postfix.enable

Add rspamd milter to postfix main.conf

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.postfix.config

Addon to postfix configuration

Type: attribute set of (boolean or string or list of string)

Default:

{
  non_smtpd_milters = [
    "unix:/run/rspamd/rspamd-milter.sock"
  ];
  smtpd_milters = [
    "unix:/run/rspamd/rspamd-milter.sock"
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.user

User to use when no root privileges are required.

Type: string

Default: "rspamd"

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.workers

Attribute set of workers to start.

Type: attribute set of (submodule)

Default:

{
  controller = { };
  normal = { };
}

Example:

{
  normal = {
    includes = [ "$CONFDIR/worker-normal.inc" ];
    bindSockets = [{
      socket = "/run/rspamd/rspamd.sock";
      mode = "0660";
      owner = "${config.services.rspamd.user}";
      group = "${config.services.rspamd.group}";
    }];
  };
  controller = {
    includes = [ "$CONFDIR/worker-controller.inc" ];
    bindSockets = [ "[::1]:11334" ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.workers.<name>.enable

Whether to run the rspamd worker.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.workers.<name>.bindSockets

List of sockets to listen, in format acceptable by rspamd

Type: list of (string or (submodule))

Default: [ ]

Example:

[
  {
    mode = "0666";
    owner = "rspamd";
    socket = "/run/rspamd.sock";
  }
  "*:11333"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.workers.<name>.count

Number of worker instances to run

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.workers.<name>.extraConfig

Additional entries to put verbatim into worker section of rspamd config file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.workers.<name>.includes

List of files to include in configuration

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.workers.<name>.name

Name of the worker

Type: null or string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd.workers.<name>.type

The type of this worker. The type proxy is deprecated and only kept for backwards compatibility and should be replaced with rspamd_proxy.

Type: null or one of “normal”, “controller”, “fuzzy”, “rspamd_proxy”, “lua”, “proxy”

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd.nix>
services.rspamd-trainer.enable

Whether to enable Spam/ham trainer for rspamd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd-trainer.nix>
services.rspamd-trainer.secrets

A list of files containing the various secrets. Should be in the format expected by systemd’s EnvironmentFile directory. For the IMAP account password use PASSWORD = mypassword.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd-trainer.nix>
services.rspamd-trainer.settings

IMAP authentication configuration for rspamd-trainer. For supplying the IMAP password, use the secrets option.

Type: TOML value

Default: { }

Example:

{
  HOST = "localhost";
  USERNAME = "spam@example.com";
  INBOXPREFIX = "INBOX/";
}

Declared by:

<nixpkgs/nixos/modules/services/mail/rspamd-trainer.nix>
services.rss-bridge.enable

Whether to enable rss-bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rss-bridge.nix>
services.rss-bridge.config

Attribute set of arbitrary config options. Please consult the documentation at the wiki and sample config to see a list of available options.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Example:

{
  system.enabled_bridges = [ "*" ];
  error = {
    output = "http";
    report_limit = 5;
  };
  FileCache = {
    enable_purge = true;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rss-bridge.nix>
services.rss-bridge.config.FileCache.path

Directory where to store cache files (if cache.type = “file”).

Type: string

Default: ${config.services.rss-bridge.dataDir}/cache/

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rss-bridge.nix>
services.rss-bridge.config.system.enabled_bridges

Only enabled bridges are available for feed production

Type: null or string or list of string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rss-bridge.nix>
services.rss-bridge.dataDir

Location in which cache directory will be created. You can put config.ini.php in here.

Type: string

Default: "/var/lib/rss-bridge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rss-bridge.nix>
services.rss-bridge.group

Group under which the web-application run.

Type: string

Default: "nginx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rss-bridge.nix>
services.rss-bridge.pool

Name of existing phpfpm pool that is used to run web-application. If not specified a pool will be created automatically with default values.

Type: string

Default: "rss-bridge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rss-bridge.nix>
services.rss-bridge.user

User account under which both the service and the web-application run.

Type: string

Default: "nginx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rss-bridge.nix>
services.rss-bridge.virtualHost

Name of the nginx virtualhost to use and setup. If null, do not setup any virtualhost.

Type: null or string

Default: "rss-bridge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rss-bridge.nix>
services.rss2email.enable

Whether to enable rss2email.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/rss2email.nix>
services.rss2email.config

The configuration to give rss2email.

Default will use system-wide sendmail to send the email. This is rss2email’s default when running r2e new.

This set contains key-value associations that will be set in the [DEFAULT] block along with the to parameter.

See man r2e for more information on which parameters are accepted.

Type: attribute set of (string or signed integer or boolean)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/rss2email.nix>
services.rss2email.feeds

The feeds to watch.

Type: attribute set of (submodule)

Declared by:

<nixpkgs/nixos/modules/services/mail/rss2email.nix>
services.rss2email.feeds.<name>.to

Email address to which to send feed items.

If null, this will not be set in the configuration file, and rss2email will make it default to rss2email.to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/rss2email.nix>
services.rss2email.feeds.<name>.url

The URL at which to fetch the feed.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/mail/rss2email.nix>
services.rss2email.interval

How often to check the feeds, in systemd interval format

Type: string

Default: "12h"

Declared by:

<nixpkgs/nixos/modules/services/mail/rss2email.nix>
services.rss2email.to

Mail address to which to send emails

Type: string

Declared by:

<nixpkgs/nixos/modules/services/mail/rss2email.nix>
services.rstudio-server.enable

Whether to enable RStudio server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/development/rstudio-server/default.nix>
services.rstudio-server.package

The rstudio-server package to use.

Type: package

Default: pkgs.rstudio-server

Example: rstudioServerWrapper.override { packages = [ pkgs.rPackages.ggplot2 ]; }

Declared by:

<nixpkgs/nixos/modules/services/development/rstudio-server/default.nix>
services.rstudio-server.listenAddr

Address to listen on (www-address in rserver.conf).

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/development/rstudio-server/default.nix>
services.rstudio-server.rserverExtraConfig

Extra contents for rserver.conf.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/development/rstudio-server/default.nix>
services.rstudio-server.rsessionExtraConfig

Extra contents for resssion.conf.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/development/rstudio-server/default.nix>
services.rstudio-server.serverWorkingDir

Default working directory for server (server-working-dir in rserver.conf).

Type: string

Default: "/var/lib/rstudio-server"

Declared by:

<nixpkgs/nixos/modules/services/development/rstudio-server/default.nix>
services.rsyncd.enable

Whether to enable the rsync daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix>
services.rsyncd.port

TCP port the daemon will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 873

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix>
services.rsyncd.settings

Configuration for rsyncd. See rsyncd.conf(5).

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  cvs = {
    "auth users" = [
      "tridge"
      "susan"
    ];
    comment = "CVS repository (requires authentication)";
    path = "/data/cvs";
    "secrets file" = "/etc/rsyncd.secrets";
  };
  ftp = {
    comment = "whole ftp area";
    path = "/var/ftp/./pub";
  };
  global = {
    gid = "nobody";
    "max connections" = 4;
    uid = "nobody";
    "use chroot" = true;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix>
services.rsyncd.socketActivated

If enabled Rsync will be socket-activated rather than run persistently.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/rsyncd.nix>
services.rsyslogd.enable

Whether to enable syslogd. Note that systemd also logs syslog messages, so you normally don’t need to run syslogd.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/rsyslogd.nix>
services.rsyslogd.defaultConfig

The default syslog.conf file configures a fairly standard setup of log files, which can be extended by means of extraConfig.

Type: strings concatenated with “\n”

Default:

''
  # "local1" is used for dhcpd messages.
  local1.*                     -/var/log/dhcpd
  
  mail.*                       -/var/log/mail
  
  *.=warning;*.=err            -/var/log/warn
  *.crit                        /var/log/warn
  
  *.*;mail.none;local1.none    -/var/log/messages
''

Declared by:

<nixpkgs/nixos/modules/services/logging/rsyslogd.nix>
services.rsyslogd.extraConfig

Additional text appended to syslog.conf, i.e. the contents of defaultConfig.

Type: strings concatenated with “\n”

Default: ""

Example: "news.* -/var/log/news"

Declared by:

<nixpkgs/nixos/modules/services/logging/rsyslogd.nix>
services.rsyslogd.extraParams

Additional parameters passed to rsyslogd.

Type: list of string

Default: [ ]

Example:

[
  "-m 0"
]

Declared by:

<nixpkgs/nixos/modules/services/logging/rsyslogd.nix>
services.rtorrent.enable

Whether to enable rtorrent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/rtorrent.nix>
services.rtorrent.package

The rtorrent package to use.

Type: package

Default: pkgs.rtorrent

Declared by:

<nixpkgs/nixos/modules/services/torrent/rtorrent.nix>
services.rtorrent.configText

The content of rtorrent.rc. The modernized configuration template with the values specified in this module will be prepended using mkBefore. You can use mkForce to overwrite the config completely.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/torrent/rtorrent.nix>
services.rtorrent.dataDir

The directory where rtorrent stores its data files.

Type: string

Default: "/var/lib/rtorrent"

Declared by:

<nixpkgs/nixos/modules/services/torrent/rtorrent.nix>
services.rtorrent.dataPermissions

Unix Permissions in octal on the rtorrent directory.

Type: string

Default: "0750"

Example: "0755"

Declared by:

<nixpkgs/nixos/modules/services/torrent/rtorrent.nix>
services.rtorrent.downloadDir

Where to put downloaded files.

Type: string

Default: "${config.services.rtorrent.dataDir}/download"

Declared by:

<nixpkgs/nixos/modules/services/torrent/rtorrent.nix>
services.rtorrent.group

Group under which rtorrent runs.

Type: string

Default: "rtorrent"

Declared by:

<nixpkgs/nixos/modules/services/torrent/rtorrent.nix>
services.rtorrent.openFirewall

Whether to open the firewall for the port in services.rtorrent.port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/torrent/rtorrent.nix>
services.rtorrent.port

The rtorrent port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 50000

Declared by:

<nixpkgs/nixos/modules/services/torrent/rtorrent.nix>
services.rtorrent.rpcSocket

RPC socket path.

Type: string (read only)

Default: "/run/rtorrent/rpc.sock"

Declared by:

<nixpkgs/nixos/modules/services/torrent/rtorrent.nix>
services.rtorrent.user

User account under which rtorrent runs.

Type: string

Default: "rtorrent"

Declared by:

<nixpkgs/nixos/modules/services/torrent/rtorrent.nix>
services.rustdesk-server.enable

Whether to enable RustDesk, a remote access and remote control software, allowing maintenance of computers and other devices.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/rustdesk-server.nix>
services.rustdesk-server.package

The rustdesk-server package to use.

Type: package

Default: pkgs.rustdesk-server

Declared by:

<nixpkgs/nixos/modules/services/monitoring/rustdesk-server.nix>
services.rustdesk-server.openFirewall

Open the connection ports. TCP (21115, 21116, 21117, 21118, 21119) UDP (21116)

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/rustdesk-server.nix>
services.rustdesk-server.relay.enable

Whether to enable the RustDesk relay server.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/rustdesk-server.nix>
services.rustdesk-server.relay.extraArgs

A list of extra command line arguments to pass to the hbbr process.

Type: list of string

Default: [ ]

Example:

[
  "-k"
  "_"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/rustdesk-server.nix>
services.rustdesk-server.signal.enable

Whether to enable the RustDesk signal server.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/rustdesk-server.nix>
services.rustdesk-server.signal.extraArgs

A list of extra command line arguments to pass to the hbbs process.

Type: list of string

Default: [ ]

Example:

[
  "-k"
  "_"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/rustdesk-server.nix>
services.rustdesk-server.signal.relayHosts

The relay server IP addresses or DNS names of the RustDesk relay.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/rustdesk-server.nix>
services.rustus.enable

Whether to enable TUS protocol implementation in Rust.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.cors

list of origins allowed to upload

Type: list of string

Default:

[
  "*"
]

Example:

[
  "*.staging.domain"
  "*.prod.domain"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.disable_health_access_logs

disable access log for /health endpoint

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.host

The host that rustus will connect to.

Type: string

Default: "127.0.0.1"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.info_storage

Info storages are used to store information about file uploads. These storages must be persistent, because every time chunk is uploaded rustus updates information about upload. And when someone wants to download file, information about it requested from storage to get actual path of an upload.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.info_storage.dir

directory to store info about uploads

Type: string

Default: "/var/lib/rustus"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.info_storage.type

Type of info storage to use

Type: value “file-info-storage” (singular enum)

Default: "file-info-storage"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.log_level

Desired log level

Type: one of “DEBUG”, “INFO”, “ERROR”

Default: "INFO"

Example: "ERROR"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.max_body_size

Maximum body size in bytes

Type: string

Default: "10000000"

Example: "100000000"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.port

The port that rustus will connect to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1081

Example: 1081

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.remove_parts

remove parts files after successful concatenation

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.storage

Storages are used to actually store your files. You can configure where you want to store files.

Type: submodule

Default: { }

Example:

{
  type = "hybrid-s3"
  s3_access_key_file = konfig.age.secrets.R2_ACCESS_KEY.path;
  s3_secret_key_file = konfig.age.secrets.R2_SECRET_KEY.path;
  s3_bucket = "my_bucket";
  s3_url = "https://s3.example.com";
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.storage.data_dir

path to the local directory where all files are stored

Type: string

Default: "/var/lib/rustus"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.storage.dir_structure

pattern of a directory structure locally and on s3

Type: string

Default: "{year}/{month}/{day}"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.storage.force_sync

calls fsync system call after every write to disk in local storage

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.storage.s3_access_key_file

File path that contains the S3 access key.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.storage.s3_bucket

S3 bucket.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.storage.s3_region

S3 region name.

Type: string

Default: "us-east-1"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.storage.s3_secret_key_file

File path that contains the S3 secret key.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.storage.s3_url

S3 url.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.storage.type

Type of storage to use

Type: one of “file-storage”, “hybrid-s3”

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.tus_extensions

Since TUS protocol offers extensibility you can turn off some protocol extensions.

Type: list of (one of “getting”, “creation”, “termination”, “creation-with-upload”, “creation-defer-length”, “concatenation”, “checksum”)

Default:

[
  "getting"
  "creation"
  "termination"
  "creation-with-upload"
  "creation-defer-length"
  "concatenation"
  "checksum"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rustus.url

url path for uploads

Type: string

Default: "/files"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/rustus.nix>
services.rutorrent.enable

Whether to enable ruTorrent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rutorrent.nix>
services.rutorrent.dataDir

Storage path of ruTorrent.

Type: string

Default: "/var/lib/rutorrent"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rutorrent.nix>
services.rutorrent.group

Group which runs the ruTorrent service.

Type: string

Default: "rutorrent"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rutorrent.nix>
services.rutorrent.hostName

FQDN for the ruTorrent instance.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rutorrent.nix>
services.rutorrent.nginx.enable

Whether to enable nginx virtual host management. Further nginx configuration can be done by adapting <literal>services.nginx.virtualHosts.<name></literal>. See <xref linkend=“opt-services.nginx.virtualHosts”/> for further information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rutorrent.nix>
services.rutorrent.nginx.exposeInsecureRPC2mount

If you do not enable one of the <literal>rpc</literal> or <literal>httprpc</literal> plugins you need to expose an RPC mount through scgi using this option. Warning: This allow to run arbitrary commands, as the rtorrent user, so make sure to use authentification. The simplest way would be to use the <literal>services.nginx.virtualHosts.<name>.basicAuth</literal> option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rutorrent.nix>
services.rutorrent.plugins

List of plugins to enable. See the list of <link xlink:href=“https://github.com/Novik/ruTorrent/wiki/Plugins#currently-there-are-the-following-plugins”>available plugins</link>. Note: the <literal>unpack</literal> plugin needs the nonfree <literal>unrar</literal> package. You need to either enable one of the <literal>rpc</literal> or <literal>httprpc</literal> plugin or enable the <xref linkend=“opt-services.rutorrent.nginx.exposeInsecureRPC2mount”/> option.

Type: list of (string or package)

Default:

[
  "httprpc"
]

Example: [ "httprpc" "data" "diskspace" "edit" "erasedata" "theme" "trafic" ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rutorrent.nix>
services.rutorrent.poolSettings

Options for ruTorrent’s PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rutorrent.nix>
services.rutorrent.rpcSocket

Path to rtorrent rpc socket.

Type: string

Default: "config.services.rtorrent.rpcSocket"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rutorrent.nix>
services.rutorrent.user

User which runs the ruTorrent service.

Type: string

Default: "rutorrent"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/rutorrent.nix>
services.sabnzbd.enable

Whether to enable the sabnzbd server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/sabnzbd.nix>
services.sabnzbd.package

The sabnzbd package to use.

Type: package

Default: pkgs.sabnzbd

Declared by:

<nixpkgs/nixos/modules/services/networking/sabnzbd.nix>
services.sabnzbd.configFile

Path to config file.

Type: path

Default: "/var/lib/sabnzbd/sabnzbd.ini"

Declared by:

<nixpkgs/nixos/modules/services/networking/sabnzbd.nix>
services.sabnzbd.group

Group to run the service as

Type: string

Default: "sabnzbd"

Declared by:

<nixpkgs/nixos/modules/services/networking/sabnzbd.nix>
services.sabnzbd.openFirewall

Open ports in the firewall for the sabnzbd web interface

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/sabnzbd.nix>
services.sabnzbd.user

User to run the service as

Type: string

Default: "sabnzbd"

Declared by:

<nixpkgs/nixos/modules/services/networking/sabnzbd.nix>
services.safeeyes.enable

Whether to enable the safeeyes OSGi service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/safeeyes.nix>
services.salt.master.enable

Whether to enable Salt configuration management system master service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/admin/salt/master.nix>
services.salt.master.configuration

Salt master configuration as Nix attribute set.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/admin/salt/master.nix>
services.salt.minion.enable

Whether to enable Salt configuration management system minion service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/admin/salt/minion.nix>
services.salt.minion.configuration

Salt minion configuration as Nix attribute set. See https://docs.saltstack.com/en/latest/ref/configuration/minion.html for details.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/admin/salt/minion.nix>
services.samba.enable

Whether to enable Samba, the SMB/CIFS protocol.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.package

The samba package to use.

Type: package

Default: pkgs.samba

Example: samba4Full

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.nmbd.enable

Whether to enable Samba’s nmbd, which replies to NetBIOS over IP name service requests. It also participates in the browsing protocols which make up the Windows “Network Neighborhood” view.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.nmbd.extraArgs

Extra arguments to pass to the nmbd service.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.nsswins

Whether to enable WINS NSS (Name Service Switch) plug-in.

Enabling it allows applications to resolve WINS/NetBIOS names (a.k.a. Windows machine names) by transparently querying the winbindd daemon .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.openFirewall

Whether to enable opening the default ports in the firewall for Samba.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.settings

Configuration file for the Samba suite in ini format. This file is located in /etc/samba/smb.conf

Refer to https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html for all available options.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a non-empty list of them)

Default:

{
  global = {
    "invalid users" = [
      "root"
    ];
    "passwd program" = "/run/wrappers/bin/passwd %u";
    security = "user";
  };
}

Example:

{
  global = {
    "invalid users" = [
      "root"
    ];
    "passwd program" = "/run/wrappers/bin/passwd %u";
    security = "user";
  };
  public = {
    browseable = "yes";
    comment = "Public samba share.";
    "guest ok" = "yes";
    path = "/srv/public";
    "read only" = "yes";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.settings.global."invalid users"

List of users who are denied to login via Samba.

Type: list of string

Default:

[
  "root"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.settings.global."passwd program"

Path to a program that can be used to set UNIX user passwords.

Type: string

Default: "/run/wrappers/bin/passwd %u"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.settings.global.security

Samba security type.

Type: one of “auto”, “user”, “domain”, “ads”

Default: "user"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.smbd.enable

Whether to enable Samba’s smbd daemon.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.smbd.extraArgs

Extra arguments to pass to the smbd service.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.usershares.enable

Whether to enable user-configurable Samba shares.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.usershares.group

Name of the group members of which will be allowed to create usershares.

The group will be created automatically.

Type: string

Default: "samba"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.winbindd.enable

Whether to enable Samba’s winbindd, which provides a number of services to the Name Service Switch capability found in most modern C libraries, to arbitrary applications via PAM and ntlm_auth and to Samba itself.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba.winbindd.extraArgs

Extra arguments to pass to the winbindd service.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba.nix>
services.samba-wsdd.enable

Whether to enable Web Services Dynamic Discovery host daemon. This enables (Samba) hosts, like your local NAS device, to be found by Web Service Discovery Clients like Windows .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba-wsdd.nix>
services.samba-wsdd.discovery

Enable discovery operation mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba-wsdd.nix>
services.samba-wsdd.domain

Set domain name (disables workgroup).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba-wsdd.nix>
services.samba-wsdd.extraOptions

Additional wsdd options.

Type: list of string

Default:

[
  "--shortlog"
]

Example:

[
  "--verbose"
  "--no-http"
  "--ipv4only"
  "--no-host"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba-wsdd.nix>
services.samba-wsdd.hoplimit

Hop limit for multicast packets (default = 1).

Type: null or signed integer

Default: null

Example: 2

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba-wsdd.nix>
services.samba-wsdd.hostname

Override (NetBIOS) hostname to be used (default hostname).

Type: null or string

Default: null

Example: "FILESERVER"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba-wsdd.nix>
services.samba-wsdd.interface

Interface or address to use.

Type: null or string

Default: null

Example: "eth0"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba-wsdd.nix>
services.samba-wsdd.listen

Listen on path or localhost port in discovery mode.

Type: string

Default: "/run/wsdd/wsdd.sock"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba-wsdd.nix>
services.samba-wsdd.openFirewall

Whether to open the required firewall ports in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba-wsdd.nix>
services.samba-wsdd.workgroup

Set workgroup name (default WORKGROUP).

Type: null or string

Default: null

Example: "HOME"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/samba-wsdd.nix>
services.saned.enable

Enable saned network daemon for remote connection to scanners.

saned would be run from scanner user; to allow access to hardware that doesn’t have scanner group you should add needed groups to this user.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane.nix>
services.saned.extraConfig

Extra saned configuration lines.

Type: strings concatenated with “\n”

Default: ""

Example: "192.168.0.0/24"

Declared by:

<nixpkgs/nixos/modules/services/hardware/sane.nix>
services.sanoid.enable

Whether to enable Sanoid ZFS snapshotting service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.package

The sanoid package to use.

Type: package

Default: pkgs.sanoid

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.datasets

Datasets to snapshot.

Type: attribute set of (dataset/template options)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.datasets.<name>.autoprune

Whether to automatically prune old snapshots.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.datasets.<name>.autosnap

Whether to automatically take snapshots.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.datasets.<name>.daily

Number of daily snapshots.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.datasets.<name>.hourly

Number of hourly snapshots.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.datasets.<name>.monthly

Number of monthly snapshots.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.datasets.<name>.processChildrenOnly

Whether to only snapshot child datasets if recursing.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.datasets.<name>.process_children_only

Whether to only snapshot child datasets if recursing.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.datasets.<name>.recursive

Whether to recursively snapshot dataset children. You can also set this to "zfs" to handle datasets recursively in an atomic way without the possibility to override settings for child datasets.

Type: boolean or value “zfs” (singular enum)

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.datasets.<name>.useTemplate

Names of the templates to use for this dataset.

Type: list of configured template name

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.datasets.<name>.use_template

Names of the templates to use for this dataset.

Type: list of configured template name

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.datasets.<name>.yearly

Number of yearly snapshots.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.extraArgs

Extra arguments to pass to sanoid. See https://github.com/jimsalterjrs/sanoid/#sanoid-command-line-options for allowed options.

Type: list of string

Default: [ ]

Example:

[
  "--verbose"
  "--readonly"
  "--debug"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.interval

Run sanoid at this interval. The default is to run hourly.

The format is described in systemd.time(7).

Type: string

Default: "hourly"

Example: "daily"

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.settings

Free-form settings written directly to the config file. See https://github.com/jimsalterjrs/sanoid/blob/master/sanoid.defaults.conf for allowed values.

Type: attribute set of dataset/template options

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.templates

Templates for datasets.

Type: attribute set of (dataset/template options)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.templates.<name>.autoprune

Whether to automatically prune old snapshots.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.templates.<name>.autosnap

Whether to automatically take snapshots.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.templates.<name>.daily

Number of daily snapshots.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.templates.<name>.hourly

Number of hourly snapshots.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.templates.<name>.monthly

Number of monthly snapshots.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.sanoid.templates.<name>.yearly

Number of yearly snapshots.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/sanoid.nix>
services.saslauthd.enable

Whether to enable saslauthd, the Cyrus SASL authentication daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/system/saslauthd.nix>
services.saslauthd.package

The bin package to use.

Type: package

Default: pkgs.cyrus_sasl.bin

Declared by:

<nixpkgs/nixos/modules/services/system/saslauthd.nix>
services.saslauthd.config

Configuration to use for Cyrus SASL authentication daemon.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/system/saslauthd.nix>
services.saslauthd.mechanism

Auth mechanism to use

Type: string

Default: "pam"

Declared by:

<nixpkgs/nixos/modules/services/system/saslauthd.nix>
services.saunafs.chunkserver.enable

Whether to enable Saunafs chunkserver daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.chunkserver.hdds

Mount points to be used by chunkserver for storage (see sfshdd.cfg(5)).

Note, that these mount points must writeable by the user defined by the saunafs user.

Type: list of string

Default: null

Example:

[ "/mnt/hdd1" ];

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.chunkserver.openFirewall

Whether to automatically open the necessary ports in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.chunkserver.settings

Contents of chunkserver config file (see sfschunkserver.cfg(5)).

Type: attribute set of (Flat key-value file)

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.chunkserver.settings.DATA_PATH

Directory for chunck meta data

Type: string

Default: "/var/lib/saunafs/chunkserver"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.client.enable

Whether to enable Saunafs client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.master.enable

Enable Saunafs master daemon.

You need to run sfsmaster-init on a freshly installed master server to initialize the DATA_PATH directory.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.master.exports

Paths to exports file (see sfsexports.cfg(5)).

Type: list of string

Default: null

Example:

[ "* / rw,alldirs,admin,maproot=0:0" ];

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.master.openFirewall

Whether to automatically open the necessary ports in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.master.settings

Contents of config file (sfsmaster.cfg(5)).

Type: attribute set of (Flat key-value file)

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.master.settings.DATA_PATH

Data storage directory.

Type: string

Default: "/var/lib/saunafs/master"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.masterHost

IP or hostname name of master host.

Type: string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.metalogger.enable

Whether to enable Saunafs metalogger daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.metalogger.settings

Contents of metalogger config file (see sfsmetalogger.cfg(5)).

Type: attribute set of (Flat key-value file)

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.metalogger.settings.DATA_PATH

Data storage directory

Type: string

Default: "/var/lib/saunafs/metalogger"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.saunafs.sfsUser

Run daemons as user.

Type: string

Default: "saunafs"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/saunafs.nix>
services.scanservjs.enable

Whether to enable scanservjs.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/scanservjs.nix>
services.scanservjs.extraActions

Actions to add to config.local.js’s actions.

Type: list of strings concatenated with “\n”

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/scanservjs.nix>
services.scanservjs.extraConfig

Extra code to add to config.local.js’s afterConfig.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/scanservjs.nix>
services.scanservjs.extraDevicesConfig

Extra code to add to config.local.js’s afterDevices.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/scanservjs.nix>
services.scanservjs.runAfterScan

Extra code to add to config.local.js’s afterScan.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/scanservjs.nix>
services.scanservjs.settings

Config to set in config.local.js’s afterConfig.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/hardware/scanservjs.nix>
services.scanservjs.settings.host

The IP to listen on.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/hardware/scanservjs.nix>
services.scanservjs.settings.port

The port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/hardware/scanservjs.nix>
services.scanservjs.stateDir

State directory for scanservjs.

Type: string

Default: "/var/lib/scanservjs"

Declared by:

<nixpkgs/nixos/modules/services/hardware/scanservjs.nix>
services.schleuder.enable

Whether to enable Schleuder secure remailer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/schleuder.nix>
services.schleuder.enablePostfix

Whether to enable automatic postfix integration.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/schleuder.nix>
services.schleuder.extraSettingsFile

YAML file to merge into the schleuder config at runtime. This can be used for secrets such as API keys.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/schleuder.nix>
services.schleuder.listDefaults

Default settings for lists (list-defaults.yml).

Check the example configuration for possible values.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/schleuder.nix>
services.schleuder.lists

List of list addresses that should be handled by Schleuder.

Note that this is only handled by the postfix integration, and the setup of the lists, their members and their keys has to be performed separately via schleuder’s API, using a tool such as schleuder-cli.

Type: list of string

Default: [ ]

Example:

[
  "widget-team@example.com"
  "security@example.com"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/schleuder.nix>
services.schleuder.settings

Settings for schleuder.yml.

Check the example configuration for possible values.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/schleuder.nix>
services.schleuder.settings.keyserver

Key server from which to fetch and update keys.

Note that NixOS uses a different default from upstream, since the upstream default sks-keyservers.net is deprecated.

Type: string

Default: "keys.openpgp.org"

Declared by:

<nixpkgs/nixos/modules/services/mail/schleuder.nix>
services.scion.enable

Whether to enable all of the scion components and services.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion.nix>
services.scion.package

The scion package to use.

Type: package

Default: pkgs.scion

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion.nix>
services.scion.bypassBootstrapWarning

bypass Nix warning about SCION PKI bootstrapping

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion.nix>
services.scion.scion-control.enable

Whether to enable the scion-control service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion-control.nix>
services.scion.scion-control.settings

scion-control configuration. Refer to https://docs.scion.org/en/latest/manuals/common.html for details on supported values.

Type: TOML value

Default: { }

Example:

{
  path_db = {
    connection = "/run/scion-control/control.path.db";
  };
  log.console = {
    level = "info";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion-control.nix>
services.scion.scion-daemon.enable

Whether to enable the scion-daemon service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion-daemon.nix>
services.scion.scion-daemon.settings

scion-daemon configuration. Refer to https://docs.scion.org/en/latest/manuals/common.html for details on supported values.

Type: TOML value

Default: { }

Example:

{
  path_db = {
    connection = "/run/scion-daemon/sd.path.db";
  };
  log.console = {
    level = "info";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion-daemon.nix>
services.scion.scion-dispatcher.enable

Whether to enable the scion-dispatcher service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion-dispatcher.nix>
services.scion.scion-dispatcher.settings

scion-dispatcher configuration. Refer to https://docs.scion.org/en/latest/manuals/common.html for details on supported values.

Type: TOML value

Default: { }

Example:

{
  dispatcher = {
    id = "dispatcher";
    socket_file_mode = "0770";
    application_socket = "/dev/shm/dispatcher/default.sock";
  };
  log.console = {
    level = "info";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion-dispatcher.nix>
services.scion.scion-ip-gateway.enable

Whether to enable the scion-ip-gateway service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion-ip-gateway.nix>
services.scion.scion-ip-gateway.config

scion-ip-gateway daemon configuration

Type: TOML value

Default: { }

Example:

{
  tunnel = {
    src_ipv4 = "172.16.100.1";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion-ip-gateway.nix>
services.scion.scion-ip-gateway.trafficConfig

scion-ip-gateway traffic configuration

Type: JSON value

Default: { }

Example:

{
  ASes = {
    "2-ffaa:0:b" = {
      Nets = [
          "172.16.1.0/24"
      ];
    };
  };
  ConfigVersion = 9001;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion-ip-gateway.nix>
services.scion.scion-router.enable

Whether to enable the scion-router service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion-router.nix>
services.scion.scion-router.settings

scion-router configuration. Refer to https://docs.scion.org/en/latest/manuals/common.html for details on supported values.

Type: TOML value

Default: { }

Example:

{
  general.id = "br";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion-router.nix>
services.scion.stateless

Setting this value to false (stateful) can lead to improved caching and performance.

This option decides whether to persist the SCION path sqlite databases on disk or not. Persisting this data can lead to database corruption in extreme cases such as power outage, meaning SCION fails to work on the next boot. This is being investigated.

If true, /run/scion-* is used for data If false, use /var/lib/scion-* is used for data

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/scion/scion.nix>
services.scollector.enable

Whether to run scollector.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scollector.nix>
services.scollector.package

The scollector package to use.

Type: package

Default: pkgs.scollector

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scollector.nix>
services.scollector.bosunHost

Host and port of the bosun server that will store the collected data.

Type: string

Default: "localhost:8070"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scollector.nix>
services.scollector.collectors

An attribute set mapping the frequency of collection to a list of binaries that should be executed at that frequency. You can use “0” to run a binary forever.

Type: attribute set of list of path

Default: { }

Example: { "0" = [ "${postgresStats}/bin/collect-stats" ]; }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scollector.nix>
services.scollector.extraConfig

Extra scollector configuration added to the end of scollector.toml

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scollector.nix>
services.scollector.extraOpts

Extra scollector command line options

Type: list of string

Default: [ ]

Example:

[
  "-d"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scollector.nix>
services.scollector.group

Group account under which scollector runs.

Type: string

Default: "scollector"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scollector.nix>
services.scollector.user

User account under which scollector runs.

Type: string

Default: "scollector"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scollector.nix>
services.screego.enable

Whether to enable screego screen-sharing server for developers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/screego.nix>
services.screego.environmentFile

Environment file (see systemd.exec(5) “EnvironmentFile=” section for the syntax) passed to the service. This option can be used to safely include secrets in the configuration.

Type: null or path

Default: null

Example: "/run/secrets/screego-envfile"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/screego.nix>
services.screego.openFirewall

Open the firewall port(s).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/screego.nix>
services.screego.settings

Screego settings passed as Nix attribute set, they will be merged with the defaults. Settings will be passed as environment variables.

See https://screego.net/#/config for possible values

Type: attribute set of string

Default:

{
  SCREEGO_AUTH_MODE = "turn";
  SCREEGO_CLOSE_ROOM_WHEN_OWNER_LEAVES = "true";
  SCREEGO_LOG_LEVEL = "info";
  SCREEGO_SERVER_ADDRESS = "127.0.0.1:5050";
  SCREEGO_SESSION_TIMEOUT_SECONDS = "0";
  SCREEGO_TURN_ADDRESS = "0.0.0.0:3478";
  SCREEGO_TURN_PORT_RANGE = "50000:55000";
}

Example:

{
  SCREEGO_EXTERNAL_IP = "dns:example.com";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/screego.nix>
services.scrutiny.enable

Whether to enable Scrutiny, a web application for drive monitoring.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.package

The scrutiny package to use.

Type: package

Default: pkgs.scrutiny

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.collector.enable

Whether to enable the Scrutiny metrics collector.

Type: boolean

Default: config.services.scrutiny.enable

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.collector.package

The scrutiny-collector package to use.

Type: package

Default: pkgs.scrutiny-collector

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.collector.schedule

How often to run the collector in systemd calendar format.

Type: string

Default: "*:0/15"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.collector.settings

Collector settings to be rendered into the collector configuration file.

See https://github.com/AnalogJ/scrutiny/blob/master/example.collector.yaml.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.collector.settings.api.endpoint

Scrutiny app API endpoint for sending metrics to.

Type: string

Default: "http://${config.services.scrutiny.settings.web.listen.host}:${config.services.scrutiny.settings.web.listen.port}"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.collector.settings.host.id

Host ID for identifying/labelling groups of disks

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.collector.settings.log.level

Log level for Scrutiny collector.

Type: one of “INFO”, “DEBUG”

Default: "INFO"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.influxdb.enable

Enables InfluxDB on the host system using the services.influxdb2 NixOS module with default options.

If you already have InfluxDB configured, or wish to connect to an external InfluxDB instance, disable this option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.openFirewall

Whether to enable opening the default ports in the firewall for Scrutiny.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.settings

Scrutiny settings to be rendered into the configuration file.

See https://github.com/AnalogJ/scrutiny/blob/master/example.scrutiny.yaml.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.settings.log.level

Log level for Scrutiny.

Type: one of “INFO”, “DEBUG”

Default: "INFO"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.settings.web.influxdb.bucket

InfluxDB bucket in which to store data.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.settings.web.influxdb.host

IP or hostname of the InfluxDB instance.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.settings.web.influxdb.org

InfluxDB organisation under which to store data.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.settings.web.influxdb.port

The port of the InfluxDB instance.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8086

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.settings.web.influxdb.scheme

URL scheme to use when connecting to InfluxDB.

Type: string

Default: "http"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.settings.web.influxdb.tls.insecure_skip_verify

Whether to enable skipping TLS verification when connecting to InfluxDB.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.settings.web.influxdb.token

Authentication token for connecting to InfluxDB.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.settings.web.listen.basepath

If Scrutiny will be behind a path prefixed reverse proxy, you can override this value to serve Scrutiny on a subpath.

Type: string

Default: ""

Example: "/scrutiny"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.settings.web.listen.host

Interface address for web application to bind to.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scrutiny.settings.web.listen.port

Port for web application to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/monitoring/scrutiny.nix>
services.scx.enable

Whether to enable SCX service, a daemon to run schedulers from userspace.

Note

This service requires a kernel with the Sched-ext feature. Generally, kernel version 6.12 and later are supported.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/scheduling/scx.nix>
services.scx.package

scx package to use. scx.full, which includes all schedulers, is the default. You may choose a minimal package, such as pkgs.scx.rustscheds.

Note

Overriding this does not change the default scheduler; you should set services.scx.scheduler for it.

Type: package

Default: pkgs.scx.full

Example: pkgs.scx.rustscheds

Declared by:

<nixpkgs/nixos/modules/services/scheduling/scx.nix>
services.scx.extraArgs

Parameters passed to the chosen scheduler at runtime.

Note

Run chosen-scx-scheduler --help to see the available options. Generally, each scheduler has its own set of options, and they are incompatible with each other.

Type: list of (optionally newline-terminated) single-line string

Default: [ ]

Example:

[
  "--slice-us 5000"
  "--verbose"
]

Declared by:

<nixpkgs/nixos/modules/services/scheduling/scx.nix>
services.scx.scheduler

Which scheduler to use. See SCX documentation for details on each scheduler and guidance on selecting the most suitable one.

Type: one of “scx_bpfland”, “scx_central”, “scx_flash”, “scx_flatcg”, “scx_lavd”, “scx_layered”, “scx_mitosis”, “scx_nest”, “scx_pair”, “scx_qmap”, “scx_rlfifo”, “scx_rustland”, “scx_rusty”, “scx_sdt”, “scx_simple”, “scx_userland”

Default: "scx_rustland"

Example: "scx_bpfland"

Declared by:

<nixpkgs/nixos/modules/services/scheduling/scx.nix>
services.sdrplayApi.enable

Whether to enable the SDRplay API service and udev rules.

Note

To enable integration with SoapySDR and GUI applications like gqrx create an overlay containing soapysdr-with-plugins = super.soapysdr.override { extraPackages = [ super.soapysdrplay ]; };

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sdrplay.nix>
services.seafile.enable

Whether to enable Seafile server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.adminEmail

Seafile Seahub Admin Account Email.

Type: (optionally newline-terminated) single-line string

Example: "john@example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.ccnetSettings

Configuration for ccnet, see https://manual.seafile.com/config/ccnet-conf/ for supported values.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.ccnetSettings.General.SERVICE_URL

Seahub public URL.

Type: (optionally newline-terminated) single-line string

Example: "https://www.example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.dataDir

Path in which to store user data

Type: path

Default: "/var/lib/seafile/data"

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.gc.enable

Whether to enable automatic garbage collection on stored data blocks.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.gc.dates

When to run garbage collection on stored data blocks. The time format is described in systemd.time(7).

Type: list of (optionally newline-terminated) single-line string

Default:

[
  "Sun 03:00:00"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.gc.persistent

Takes a boolean argument. If true, the time when the service unit was last triggered is stored on disk. When the timer is activated, the service unit is triggered immediately if it would have been triggered at least once during the time when the timer was inactive. Such triggering is nonetheless subject to the delay imposed by RandomizedDelaySec=. This is useful to catch up on missed runs of the service when the system was powered down.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.gc.randomizedDelaySec

Add a randomized delay before each garbage collection. The delay will be chosen between zero and this value. This value must be a time span in the format specified by systemd.time(7)

Type: (optionally newline-terminated) single-line string

Default: "0"

Example: "45min"

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.group

Group under which seafile runs.

Type: (optionally newline-terminated) single-line string

Default: "seafile"

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.initialAdminPassword

Seafile Seahub Admin Account initial password. Should be changed via Seahub web front-end.

Type: (optionally newline-terminated) single-line string

Example: "someStrongPass"

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.seafileSettings

Configuration for seafile-server, see https://manual.seafile.com/config/seafile-conf/ for supported values.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.seafileSettings.fileserver.host

The bind address used by seafile fileserver.

The addr can be defined as one of the following:

  • ipv6:<ipv6addr> for binding to an IPv6 address.

  • unix:<named pipe> for binding to a unix named socket

  • ipv4:<ipv4addr> for binding to an ipv4 address Otherwise the addr is assumed to be ipv4.

Type: (optionally newline-terminated) single-line string

Default: "ipv4:127.0.0.1"

Example: "unix:/run/seafile/server.sock"

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.seafileSettings.fileserver.port

The tcp port used by seafile fileserver.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8082

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.seahubAddress

Which address to bind the seahub server to, of the form:

  • HOST

  • HOST:PORT

  • unix:PATH. IPv6 HOSTs must be wrapped in brackets.

Type: (optionally newline-terminated) single-line string

Default: "unix:/run/seahub/gunicorn.sock"

Example: "[::1]:8083"

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.seahubExtraConf

Extra config to append to seahub_settings.py file. Refer to https://manual.seafile.com/config/seahub_settings_py/ for all available options.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  CSRF_TRUSTED_ORIGINS = ["https://example.com"]
''

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.seahubPackage

The seahub package to use.

Type: package

Default: pkgs.seahub

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.user

User account under which seafile runs.

Type: (optionally newline-terminated) single-line string

Default: "seafile"

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.seafile.workers

The number of gunicorn worker processes for handling requests.

Type: signed integer

Default: 4

Example: 10

Declared by:

<nixpkgs/nixos/modules/services/networking/seafile.nix>
services.searx.enable

Whether to enable Searx, the meta search engine.

Type: boolean

Default: false

Related packages:

Declared by:

<nixpkgs/nixos/modules/services/networking/searx.nix>
services.searx.package

The searxng package to use.

Type: package

Default: pkgs.searxng

Declared by:

<nixpkgs/nixos/modules/services/networking/searx.nix>
services.searx.environmentFile

Environment file (see systemd.exec(5) “EnvironmentFile=” section for the syntax) to define variables for Searx. This option can be used to safely include secret keys into the Searx configuration.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/searx.nix>
services.searx.limiterSettings

Limiter settings for SearXNG.

Note

For available settings, see the SearXNG schema file.

Type: attribute set of (JSON value)

Default: { }

Example:

{
  real_ip = {
    x_for = 1;
    ipv4_prefix = 32;
    ipv6_prefix = 56;
  }
  botdetection.ip_lists.block_ip = [
    # "93.184.216.34" # example.org
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/networking/searx.nix>
services.searx.redisCreateLocally

Configure a local Redis server for SearXNG. This is required if you want to enable the rate limiter and bot protection of SearXNG.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/searx.nix>
services.searx.runInUwsgi

Whether to run searx in uWSGI as a “vassal”, instead of using its built-in HTTP server. This is the recommended mode for public or large instances, but is unnecessary for LAN or local-only use.

Warning

The built-in HTTP server logs all queries by default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/searx.nix>
services.searx.settings

Searx settings. These will be merged with (taking precedence over) the default configuration. It’s also possible to refer to environment variables (defined in services.searx.environmentFile) using the syntax @VARIABLE_NAME@.

Note

For available settings, see the Searx docs.

Type: attribute set of (JSON value)

Default: { }

Example:

{ server.port = 8080;
  server.bind_address = "0.0.0.0";
  server.secret_key = "@SEARX_SECRET_KEY@";

  engines = lib.singleton
    { name = "wolframalpha";
      shortcut = "wa";
      api_key = "@WOLFRAM_API_KEY@";
      engine = "wolframalpha_api";
    };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/searx.nix>
services.searx.settingsFile

The path of the Searx server settings.yml file. If no file is specified, a default file is used (default config file has debug mode enabled). Note: setting this options overrides services.searx.settings.

Warning

This file, along with any secret key it contains, will be copied into the world-readable Nix store.

Type: path

Default: "/run/searx/settings.yml"

Declared by:

<nixpkgs/nixos/modules/services/networking/searx.nix>
services.searx.uwsgiConfig

Additional configuration of the uWSGI vassal running searx. It should notably specify on which interfaces and ports the vassal should listen.

Type: Json value or lambda

Default:

{
  http = ":8080";
}

Example:

{
  disable-logging = true;
  http = ":8080";                   # serve via HTTP...
  socket = "/run/searx/searx.sock"; # ...or UNIX socket
  chmod-socket = "660";             # allow the searx group to read/write to the socket
}

Declared by:

<nixpkgs/nixos/modules/services/networking/searx.nix>
services.seatd.enable

Whether to enable seatd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/seatd.nix>
services.seatd.group

Group to own the seatd socket

Type: string

Default: "seat"

Declared by:

<nixpkgs/nixos/modules/services/desktops/seatd.nix>
services.seatd.logLevel

Logging verbosity

Type: one of “debug”, “info”, “error”, “silent”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/desktops/seatd.nix>
services.seatd.user

User to own the seatd socket

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/desktops/seatd.nix>
services.self-deploy.enable

Whether to enable self-deploy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/system/self-deploy.nix>
services.self-deploy.branch

Branch to track

Technically speaking any ref can be specified here, as this is passed directly to a git fetch, but for the use-case of continuous deployment you’re likely to want to specify a branch.

Type: string

Default: "master"

Declared by:

<nixpkgs/nixos/modules/services/system/self-deploy.nix>
services.self-deploy.nixArgs

Arguments to nix-build passed as --argstr or --arg depending on the type.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/system/self-deploy.nix>
services.self-deploy.nixAttribute

Attribute of nixFile that builds the current system.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/system/self-deploy.nix>
services.self-deploy.nixFile

Path to nix file in repository. Leading ‘/’ refers to root of git repository.

Type: path

Default: "/default.nix"

Declared by:

<nixpkgs/nixos/modules/services/system/self-deploy.nix>
services.self-deploy.repository

The repository to fetch from. Must be properly formatted for git.

If this value is set to a path (must begin with /) then it’s assumed that the repository is local and the resulting service won’t wait for the network to be up.

If the repository will be fetched over SSH, you must add an entry to programs.ssh.knownHosts for the SSH host for the fetch to be successful.

Type: path or string

Declared by:

<nixpkgs/nixos/modules/services/system/self-deploy.nix>
services.self-deploy.sshKeyFile

Path to SSH private key used to fetch private repositories over SSH.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/system/self-deploy.nix>
services.self-deploy.startAt

The schedule on which to run the self-deploy service. Format specified by systemd.time 7.

This value can also be a list of systemd.time 7 formatted strings, in which case the service will be started on multiple schedules.

Type: string or list of string

Default: "hourly"

Declared by:

<nixpkgs/nixos/modules/services/system/self-deploy.nix>
services.self-deploy.switchCommand

The switch-to-configuration subcommand used.

Type: one of “boot”, “switch”, “dry-activate”, “test”

Default: "switch"

Declared by:

<nixpkgs/nixos/modules/services/system/self-deploy.nix>
services.selfoss.enable

Whether to enable selfoss.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/selfoss.nix>
services.selfoss.database.host

Host of the database (has no effect if type is “sqlite”).

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/selfoss.nix>
services.selfoss.database.name

Name of the existing database (has no effect if type is “sqlite”).

Type: string

Default: "tt_rss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/selfoss.nix>
services.selfoss.database.password

The database user’s password (has no effect if type is “sqlite”).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/selfoss.nix>
services.selfoss.database.port

The database’s port. If not set, the default ports will be provided (5432 and 3306 for pgsql and mysql respectively) (has no effect if type is “sqlite”).

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/selfoss.nix>
services.selfoss.database.type

Database to store feeds. Supported are sqlite, pgsql and mysql.

Type: one of “pgsql”, “mysql”, “sqlite”

Default: "sqlite"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/selfoss.nix>
services.selfoss.database.user

The database user. The user must exist and has access to the specified database (has no effect if type is “sqlite”).

Type: string

Default: "tt_rss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/selfoss.nix>
services.selfoss.extraConfig

Extra configuration added to config.ini

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/selfoss.nix>
services.selfoss.pool

Name of existing phpfpm pool that is used to run web-application. If not specified a pool will be created automatically with default values.

Type: string

Default: "selfoss_pool"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/selfoss.nix>
services.selfoss.user

User account under which both the service and the web-application run.

Type: string

Default: "nginx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/selfoss.nix>
services.send.enable

Whether to enable Send, a file sharing web sevice for ffsend…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/send.nix>
services.send.package

The send package to use.

Type: package

Default: pkgs.send

Declared by:

<nixpkgs/nixos/modules/services/web-servers/send.nix>
services.send.baseUrl

Base URL for the Send service. Leave it blank to automatically detect the base url.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/send.nix>
services.send.dataDir

Directory for uploaded files. Due to limitations in systemd.services.send.serviceConfig.DynamicUser, this item is read only.

Type: path (read only)

Default: "/var/lib/send"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/send.nix>
services.send.environment

All the available config options and their defaults can be found here: https://github.com/timvisee/send/blob/master/server/config.js, some descriptions can found here: https://github.com/timvisee/send/blob/master/docs/docker.md#environment-variables

Values under services.send.environment will override the predefined values in the Send service.

  • Time/duration should be in seconds

  • Filesize values should be in bytes

Type: attribute set of (null or boolean or signed integer or string or list of signed integer)

Example:

{
  DEFAULT_DOWNLOADS = 1;
  DETECT_BASE_URL = true;
  EXPIRE_TIMES_SECONDS = [
    300
    3600
    86400
    604800
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/send.nix>
services.send.host

The hostname or IP address for Send to bind to.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/send.nix>
services.send.openFirewall

Whether to open firewall ports for send

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/send.nix>
services.send.port

Port the Send service listens on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1443

Declared by:

<nixpkgs/nixos/modules/services/web-servers/send.nix>
services.send.redis.createLocally

Whether to create a local redis automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/send.nix>
services.send.redis.host

Redis server address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/send.nix>
services.send.redis.name

Name of the redis server. Only used if services.send.redis.createLocally is set to true.

Type: string

Default: "send"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/send.nix>
services.send.redis.passwordFile

The path to the file containing the Redis password.

If services.send.redis.createLocally is set to true, the content of this file will be used as the password for the locally created Redis instance.

Leave it blank if no password is required.

Type: null or path

Default: null

Example: "/run/agenix/send-redis-password"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/send.nix>
services.send.redis.port

Port of the redis server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6379

Declared by:

<nixpkgs/nixos/modules/services/web-servers/send.nix>
services.serviio.enable

Whether to enable the Serviio Media Server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/serviio.nix>
services.serviio.dataDir

The directory where serviio stores its state, data, etc.

Type: path

Default: "/var/lib/serviio"

Declared by:

<nixpkgs/nixos/modules/services/misc/serviio.nix>
services.sftpgo.enable

sftpgo

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.package

The sftpgo package to use.

Type: package

Default: pkgs.sftpgo

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.dataDir

The directory where SFTPGo stores its data files.

Type: path

Default: "/var/lib/sftpgo"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.extraArgs

Additional command line arguments to pass to the sftpgo daemon.

Type: list of string

Default: [ ]

Example:

[
  "--log-level"
  "info"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.extraReadWriteDirs

Extra directories where SFTPGo is allowed to write to.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.group

Group name under which SFTPGo runs.

Type: string

Default: "sftpgo"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.loadDataFile

Path to a json file containing users and folders to load (or update) on startup. Check the documentation for the --loaddata-from command line argument for more info.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings

The primary sftpgo configuration. See the configuration reference for possible values.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.ftpd.bindings

Configure listen addresses and ports for ftpd.

Type: list of (JSON value)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.ftpd.bindings.*.address

Network listen address. Leave blank to listen on all available network interfaces. On *NIX you can specify an absolute path to listen on a Unix-domain socket.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.ftpd.bindings.*.port

The port for serving FTP requests.

Setting the port to 0 disables listening on this interface binding.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.httpd.bindings

Configure listen addresses and ports for httpd.

Type: list of (JSON value)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.httpd.bindings.*.enable_web_admin

Enable the built-in web admin for this interface binding.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.httpd.bindings.*.enable_web_client

Enable the built-in web client for this interface binding.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.httpd.bindings.*.address

Network listen address. Leave blank to listen on all available network interfaces. On *NIX you can specify an absolute path to listen on a Unix-domain socket.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.httpd.bindings.*.port

The port for serving HTTP(S) requests.

Setting the port to 0 disables listening on this interface binding.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.sftpd.bindings

Configure listen addresses and ports for sftpd.

Type: list of (JSON value)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.sftpd.bindings.*.address

Network listen address. Leave blank to listen on all available network interfaces. On *NIX you can specify an absolute path to listen on a Unix-domain socket.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.sftpd.bindings.*.port

The port for serving SFTP requests.

Setting the port to 0 disables listening on this interface binding.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.smtp

SMTP configuration section.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.smtp.auth_type
  • 0: Plain

  • 1: Login

  • 2: CRAM-MD5

Type: one of 0, 1, 2

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.smtp.encryption

Encryption scheme:

  • 0: No encryption

  • 1: TLS

  • 2: STARTTLS

Type: one of 0, 1, 2

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.smtp.from

From address.

Type: string

Default: "SFTPGo <sftpgo@example.com>"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.smtp.host

Location of SMTP email server. Leave empty to disable email sending capabilities.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.smtp.port

Port of the SMTP Server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 465

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.smtp.user

SMTP username.

Type: string

Default: "sftpgo"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.webdavd.bindings

Configure listen addresses and ports for webdavd.

Type: list of (JSON value)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.webdavd.bindings.*.address

Network listen address. Leave blank to listen on all available network interfaces. On *NIX you can specify an absolute path to listen on a Unix-domain socket.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.settings.webdavd.bindings.*.port

The port for serving WebDAV requests.

Setting the port to 0 disables listening on this interface binding.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.sftpgo.user

User account name under which SFTPGo runs.

Type: string

Default: "sftpgo"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sftpgo.nix>
services.shadowsocks.enable

Whether to run shadowsocks-libev shadowsocks server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/shadowsocks.nix>
services.shadowsocks.encryptionMethod

Encryption method. See https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers.

Type: string

Default: "chacha20-ietf-poly1305"

Declared by:

<nixpkgs/nixos/modules/services/networking/shadowsocks.nix>
services.shadowsocks.extraConfig

Additional configuration for shadowsocks that is not covered by the provided options. The provided attrset will be serialized to JSON and has to contain valid shadowsocks options. Unfortunately most additional options are undocumented but it’s easy to find out what is available by looking into the source code of https://github.com/shadowsocks/shadowsocks-libev/blob/master/src/jconf.c

Type: attribute set

Default: { }

Example:

{
  nameserver = "8.8.8.8";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/shadowsocks.nix>
services.shadowsocks.fastOpen

use TCP fast-open

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/shadowsocks.nix>
services.shadowsocks.localAddress

Local addresses to which the server binds.

Type: (list of string) or string convertible to it

Default:

[
  "[::0]"
  "0.0.0.0"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/shadowsocks.nix>
services.shadowsocks.mode

Relay protocols.

Type: one of “tcp_only”, “tcp_and_udp”, “udp_only”

Default: "tcp_and_udp"

Declared by:

<nixpkgs/nixos/modules/services/networking/shadowsocks.nix>
services.shadowsocks.password

Password for connecting clients.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/shadowsocks.nix>
services.shadowsocks.passwordFile

Password file with a password for connecting clients.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/shadowsocks.nix>
services.shadowsocks.plugin

SIP003 plugin for shadowsocks

Type: null or string

Default: null

Example: "${pkgs.shadowsocks-v2ray-plugin}/bin/v2ray-plugin"

Declared by:

<nixpkgs/nixos/modules/services/networking/shadowsocks.nix>
services.shadowsocks.pluginOpts

Options to pass to the plugin if one was specified

Type: string

Default: ""

Example: "server;host=example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/shadowsocks.nix>
services.shadowsocks.port

Port which the server uses.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8388

Declared by:

<nixpkgs/nixos/modules/services/networking/shadowsocks.nix>
services.shairport-sync.enable

Enable the shairport-sync daemon.

Running with a local system-wide or remote pulseaudio server is recommended.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/shairport-sync.nix>
services.shairport-sync.package

The shairport-sync package to use.

Type: package

Default: pkgs.shairport-sync

Declared by:

<nixpkgs/nixos/modules/services/networking/shairport-sync.nix>
services.shairport-sync.arguments

Arguments to pass to the daemon. Defaults to a local pulseaudio server.

Type: string

Default: "-v -o pa"

Declared by:

<nixpkgs/nixos/modules/services/networking/shairport-sync.nix>
services.shairport-sync.group

Group account name under which to run shairport-sync. The account will be created.

Type: string

Default: "shairport"

Declared by:

<nixpkgs/nixos/modules/services/networking/shairport-sync.nix>
services.shairport-sync.openFirewall

Whether to automatically open ports in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/shairport-sync.nix>
services.shairport-sync.user

User account name under which to run shairport-sync. The account will be created.

Type: string

Default: "shairport"

Declared by:

<nixpkgs/nixos/modules/services/networking/shairport-sync.nix>
services.shellhub-agent.enable

Whether to enable ShellHub Agent daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/shellhub-agent.nix>
services.shellhub-agent.package

The shellhub-agent package to use.

Type: package

Default: pkgs.shellhub-agent

Declared by:

<nixpkgs/nixos/modules/services/networking/shellhub-agent.nix>
services.shellhub-agent.keepAliveInterval

Determine the interval to send the keep alive message to the server. This has a direct impact of the bandwidth used by the device.

Type: signed integer

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/networking/shellhub-agent.nix>
services.shellhub-agent.preferredHostname

Set the device preferred hostname. This provides a hint to the server to use this as hostname if it is available.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/shellhub-agent.nix>
services.shellhub-agent.privateKey

Location where to store the ShellHub Agent private key.

Type: path

Default: "/var/lib/shellhub-agent/private.key"

Declared by:

<nixpkgs/nixos/modules/services/networking/shellhub-agent.nix>
services.shellhub-agent.server

Server address of ShellHub Gateway to connect.

Type: string

Default: "https://cloud.shellhub.io"

Declared by:

<nixpkgs/nixos/modules/services/networking/shellhub-agent.nix>
services.shellhub-agent.tenantId

The tenant ID to use when connecting to the ShellHub Gateway.

Type: string

Example: "ba0a880c-2ada-11eb-a35e-17266ef329d6"

Declared by:

<nixpkgs/nixos/modules/services/networking/shellhub-agent.nix>
services.shibboleth-sp.enable

Whether to enable the shibboleth service

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/shibboleth-sp.nix>
services.shibboleth-sp.configFile

Path to shibboleth config file

Type: path

Example: "${pkgs.shibboleth-sp}/etc/shibboleth/shibboleth2.xml"

Declared by:

<nixpkgs/nixos/modules/services/security/shibboleth-sp.nix>
services.shibboleth-sp.fastcgi.enable

Whether to include the shibauthorizer and shibresponder FastCGI processes

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/shibboleth-sp.nix>
services.shibboleth-sp.fastcgi.shibAuthorizerPort

Port for shibauthorizer FastCGI process to bind to

Type: signed integer

Default: 9100

Declared by:

<nixpkgs/nixos/modules/services/security/shibboleth-sp.nix>
services.shibboleth-sp.fastcgi.shibResponderPort

Port for shibauthorizer FastCGI process to bind to

Type: signed integer

Default: 9101

Declared by:

<nixpkgs/nixos/modules/services/security/shibboleth-sp.nix>
services.shiori.enable

Whether to enable Shiori simple bookmarks manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/shiori.nix>
services.shiori.package

The shiori package to use.

Type: package

Default: pkgs.shiori

Declared by:

<nixpkgs/nixos/modules/services/web-apps/shiori.nix>
services.shiori.address

The IP address on which Shiori will listen. If empty, listens on all interfaces.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/shiori.nix>
services.shiori.databaseUrl

The connection URL to connect to MySQL or PostgreSQL

Type: null or string

Default: null

Example: "postgres:///shiori?host=/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/shiori.nix>
services.shiori.environmentFile

Path to file containing environment variables. Useful for passing down secrets. https://github.com/go-shiori/shiori/blob/master/docs/Configuration.md#overall-configuration

Type: null or path

Default: null

Example: "/path/to/environmentFile"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/shiori.nix>
services.shiori.port

The port of the Shiori web application

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/shiori.nix>
services.shiori.webRoot

The root of the Shiori web application

Type: string

Default: "/"

Example: "/shiori"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/shiori.nix>
services.shorewall.enable

Whether to enable Shorewall IPv4 Firewall.

Warning

Enabling this service WILL disable the existing NixOS firewall! Default firewall rules provided by packages are not considered at the moment.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/shorewall.nix>
services.shorewall.package

The shorewall package to use.

Type: package

Default: pkgs.shorewall

Declared by:

<nixpkgs/nixos/modules/services/networking/shorewall.nix>
services.shorewall.configs

This option defines the Shorewall configs. The attribute name defines the name of the config, and the attribute value defines the content of the config.

Type: attribute set of strings concatenated with “\n”

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/shorewall.nix>
services.shorewall6.enable

Whether to enable Shorewall IPv6 Firewall.

Warning

Enabling this service WILL disable the existing NixOS firewall! Default firewall rules provided by packages are not considered at the moment.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/shorewall6.nix>
services.shorewall6.package

The shorewall package to use.

Type: package

Default: pkgs.shorewall

Declared by:

<nixpkgs/nixos/modules/services/networking/shorewall6.nix>
services.shorewall6.configs

This option defines the Shorewall configs. The attribute name defines the name of the config, and the attribute value defines the content of the config.

Type: attribute set of strings concatenated with “\n”

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/shorewall6.nix>
services.sickbeard.enable

Whether to enable the sickbeard server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/sickbeard.nix>
services.sickbeard.package

The sickbeard package to use. Enable pkgs.sickrage or pkgs.sickgear as an alternative to SickBeard

Type: package

Default: pkgs.sickbeard

Example: sickrage

Declared by:

<nixpkgs/nixos/modules/services/misc/sickbeard.nix>
services.sickbeard.configFile

Path to config file.

Type: path

Default: "${config.services.sickbeard.dataDir}/config.ini"

Declared by:

<nixpkgs/nixos/modules/services/misc/sickbeard.nix>
services.sickbeard.dataDir

Path where to store data files.

Type: path

Default: "/var/lib/sickbeard"

Declared by:

<nixpkgs/nixos/modules/services/misc/sickbeard.nix>
services.sickbeard.group

Group to run the service as

Type: string

Default: "sickbeard"

Declared by:

<nixpkgs/nixos/modules/services/misc/sickbeard.nix>
services.sickbeard.port

Port to bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8081

Declared by:

<nixpkgs/nixos/modules/services/misc/sickbeard.nix>
services.sickbeard.user

User to run the service as

Type: string

Default: "sickbeard"

Declared by:

<nixpkgs/nixos/modules/services/misc/sickbeard.nix>
services.signald.enable

Whether to enable signald, the unofficial daemon for interacting with Signal.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/signald.nix>
services.signald.group

Group under which signald runs.

Type: string

Default: "signald"

Declared by:

<nixpkgs/nixos/modules/services/misc/signald.nix>
services.signald.socketPath

Path to the signald socket

Type: string

Default: "/run/signald/signald.sock"

Declared by:

<nixpkgs/nixos/modules/services/misc/signald.nix>
services.signald.user

User under which signald runs.

Type: string

Default: "signald"

Declared by:

<nixpkgs/nixos/modules/services/misc/signald.nix>
services.silverbullet.enable

Whether to enable Silverbullet, an open-source, self-hosted, offline-capable Personal Knowledge Management (PKM) web application.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/silverbullet.nix>
services.silverbullet.package

The silverbullet package to use.

Type: package

Default: pkgs.silverbullet

Declared by:

<nixpkgs/nixos/modules/services/web-apps/silverbullet.nix>
services.silverbullet.envFile

File containing extra environment variables. For example:

SB_USER=user:password
SB_AUTH_TOKEN=abcdefg12345

Type: null or path

Default: null

Example: "/etc/silverbullet.env"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/silverbullet.nix>
services.silverbullet.extraArgs

Extra arguments passed to silverbullet.

Type: list of string

Default: [ ]

Example:

[
  "--db /path/to/silverbullet.db"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/silverbullet.nix>
services.silverbullet.group

The group to run Silverbullet under. By default, a group named silverbullet will be created.

Type: string

Default: "silverbullet"

Example: "yourGroup"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/silverbullet.nix>
services.silverbullet.listenAddress

Address or hostname to listen on. Defaults to 127.0.0.1.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/silverbullet.nix>
services.silverbullet.listenPort

Port to listen on.

Type: signed integer

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/silverbullet.nix>
services.silverbullet.openFirewall

Open port in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/silverbullet.nix>
services.silverbullet.spaceDir

Folder to store Silverbullet’s space/workspace. By default it is located at /var/lib/silverbullet.

Type: path

Default: "/var/lib/silverbullet"

Example: "/home/yourUser/silverbullet"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/silverbullet.nix>
services.silverbullet.user

The user to run Silverbullet as. By default, a user named silverbullet will be created whose space directory is spaceDir.

Type: string

Default: "silverbullet"

Example: "yourUser"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/silverbullet.nix>
services.simplesamlphp

Instances of SimpleSAMLphp. This module is designed to work with already existing PHP-FPM pool and NGINX virtualHost.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/simplesamlphp.nix>
services.simplesamlphp.<name>.package

The simplesamlphp package to use.

Type: package

Default: pkgs.simplesamlphp

Declared by:

<nixpkgs/nixos/modules/services/web-apps/simplesamlphp.nix>
services.simplesamlphp.<name>.authSources

Auth sources options used by SimpleSAMLphp.

Type: PHP value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/simplesamlphp.nix>
services.simplesamlphp.<name>.configDir

Path to the SimpleSAMLphp config directory.

Type: string (read only)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/simplesamlphp.nix>
services.simplesamlphp.<name>.configureNginx

Configure nginx as a reverse proxy for SimpleSAMLphp.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/simplesamlphp.nix>
services.simplesamlphp.<name>.libDir

Path to the SimpleSAMLphp library directory.

Type: string (read only)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/simplesamlphp.nix>
services.simplesamlphp.<name>.localDomain

The domain serving your SimpleSAMLphp instance. This option modifies only /saml route.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/simplesamlphp.nix>
services.simplesamlphp.<name>.phpfpmPool

The PHP-FPM pool that serves SimpleSAMLphp instance.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/simplesamlphp.nix>
services.simplesamlphp.<name>.settings

Configuration options used by SimpleSAMLphp. See for available options.

Type: PHP value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/simplesamlphp.nix>
services.simplesamlphp.<name>.settings.baseurlpath

URL where SimpleSAMLphp can be reached.

Type: string

Example: "https://filesender.example.com/saml/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/simplesamlphp.nix>
services.sing-box.enable

Whether to enable sing-box universal proxy platform.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/sing-box.nix>
services.sing-box.package

The sing-box package to use.

Type: package

Default: pkgs.sing-box

Declared by:

<nixpkgs/nixos/modules/services/networking/sing-box.nix>
services.sing-box.settings

The sing-box configuration, see https://sing-box.sagernet.org/configuration/ for documentation.

Options containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/sing-box.nix>
services.sing-box.settings.route.geoip.path

The path to the sing-geoip database.

Type: path

Default: ${pkgs.sing-geoip}/share/sing-box/geoip.db

Declared by:

<nixpkgs/nixos/modules/services/networking/sing-box.nix>
services.sing-box.settings.route.geosite.path

The path to the sing-geosite database.

Type: path

Default: ${pkgs.sing-geosite}/share/sing-box/geosite.db

Declared by:

<nixpkgs/nixos/modules/services/networking/sing-box.nix>
services.siproxd.enable

Whether to enable the Siproxd SIP proxy/masquerading daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.siproxd.extraConfig

Extra configuration to add to siproxd configuration.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.siproxd.hostsAllowReg

Access control list for incoming SIP registrations.

Type: list of string

Default: [ ]

Example:

[
  "192.168.1.0/24"
  "192.168.2.0/24"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.siproxd.hostsAllowSip

Access control list for incoming SIP traffic.

Type: list of string

Default: [ ]

Example:

[
  "123.45.0.0/16"
  "123.46.0.0/16"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.siproxd.hostsDenySip

Access control list for denying incoming SIP registrations and traffic.

Type: list of string

Default: [ ]

Example:

[
  "10.0.0.0/8"
  "11.0.0.0/8"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.siproxd.ifInbound

Local network interface

Type: string

Example: "eth0"

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.siproxd.ifOutbound

Public network interface

Type: string

Example: "ppp0"

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.siproxd.passwordFile

Path to per-user password file.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.siproxd.rtpDscp

DSCP (differentiated services) value to be assigned to RTP packets. Allows QOS aware routers to handle different types traffic with different priorities.

Type: signed integer

Default: 46

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.siproxd.rtpPortHigh

Top of UDP port range for incoming and outgoing RTP traffic

Type: signed integer

Default: 7089

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.siproxd.rtpPortLow

Bottom of UDP port range for incoming and outgoing RTP traffic

Type: signed integer

Default: 7070

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.siproxd.rtpTimeout

Timeout for an RTP stream. If for the specified number of seconds no data is relayed on an active stream, it is considered dead and will be killed.

Type: signed integer

Default: 300

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.siproxd.sipDscp

DSCP (differentiated services) value to be assigned to SIP packets. Allows QOS aware routers to handle different types traffic with different priorities.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.siproxd.sipListenPort

Port to listen for incoming SIP messages.

Type: signed integer

Default: 5060

Declared by:

<nixpkgs/nixos/modules/services/misc/siproxd.nix>
services.sitespeed-io.enable

Whether to enable Sitespeed.io.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/sitespeed-io.nix>
services.sitespeed-io.package

Sitespeed.io package to use.

Type: package

Default: "pkgs.sitespeed-io"

Declared by:

<nixpkgs/nixos/modules/services/networking/sitespeed-io.nix>
services.sitespeed-io.dataDir

The base sitespeed-io data directory.

Type: string

Default: "/var/lib/sitespeed-io"

Declared by:

<nixpkgs/nixos/modules/services/networking/sitespeed-io.nix>
services.sitespeed-io.period

Systemd calendar expression when to run. See systemd.time(7).

Type: string

Default: "hourly"

Declared by:

<nixpkgs/nixos/modules/services/networking/sitespeed-io.nix>
services.sitespeed-io.runs

A list of run configurations. The service will call sitespeed-io once for every run listed here. This lets you examine different websites with different sitespeed-io settings.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/sitespeed-io.nix>
services.sitespeed-io.runs.*.extraArgs

Extra command line arguments to pass to the program.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/sitespeed-io.nix>
services.sitespeed-io.runs.*.settings

Configuration for sitespeed-io, see https://www.sitespeed.io/documentation/sitespeed.io/configuration/ for available options. The value here will be directly transformed to JSON and passed as --config to the program.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/sitespeed-io.nix>
services.sitespeed-io.runs.*.urls

URLs the service should monitor.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/sitespeed-io.nix>
services.sitespeed-io.user

User account under which sitespeed-io runs.

Type: string

Default: "sitespeed-io"

Declared by:

<nixpkgs/nixos/modules/services/networking/sitespeed-io.nix>
services.sks.enable

Whether to enable SKS (synchronizing key server for OpenPGP) and start the database server. You need to create “${dataDir}/dump/*.gpg” for the initial import.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/sks.nix>
services.sks.package

The sks package to use.

Type: package

Default: pkgs.sks

Declared by:

<nixpkgs/nixos/modules/services/security/sks.nix>
services.sks.dataDir

Data directory (-basedir) for SKS, where the database and all configuration files are located (e.g. KDB, PTree, membership and sksconf).

Type: path

Default: "/var/db/sks"

Example: "/var/lib/sks"

Declared by:

<nixpkgs/nixos/modules/services/security/sks.nix>
services.sks.extraDbConfig

Set contents of the files “KDB/DB_CONFIG” and “PTree/DB_CONFIG” within the ${dataDir} directory. This is used to configure options for the database for the sks key server.

Documentation of available options are available in the file named “sampleConfig/DB_CONFIG” in the following repository: https://bitbucket.org/skskeyserver/sks-keyserver/src

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/security/sks.nix>
services.sks.hkpAddress

Domain names, IPv4 and/or IPv6 addresses to listen on for HKP requests.

Type: list of string

Default:

[
  "127.0.0.1"
  "::1"
]

Declared by:

<nixpkgs/nixos/modules/services/security/sks.nix>
services.sks.hkpPort

HKP port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 11371

Declared by:

<nixpkgs/nixos/modules/services/security/sks.nix>
services.sks.webroot

Source directory (will be symlinked, if not null) for the files the built-in webserver should serve. SKS (${pkgs.sks.webSamples}) provides the following examples: “HTML5”, “OpenPKG”, and “XHTML+ES”. The index file can be named index.html, index.htm, index.xhtm, or index.xhtml. Files with the extensions .css, .es, .js, .jpg, .jpeg, .png, or .gif are supported. Subdirectories and filenames with anything other than alphanumeric characters and the ‘.’ character will be ignored.

Type: null or path

Default: "${package.webSamples}/OpenPKG"

Declared by:

<nixpkgs/nixos/modules/services/security/sks.nix>
services.skydns.enable

Whether to enable skydns service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/skydns.nix>
services.skydns.package

The skydns package to use.

Type: package

Default: pkgs.skydns

Declared by:

<nixpkgs/nixos/modules/services/networking/skydns.nix>
services.skydns.address

Skydns address to bind to.

Type: string

Default: "0.0.0.0:53"

Declared by:

<nixpkgs/nixos/modules/services/networking/skydns.nix>
services.skydns.domain

Skydns default domain if not specified by etcd config.

Type: string

Default: "skydns.local."

Declared by:

<nixpkgs/nixos/modules/services/networking/skydns.nix>
services.skydns.etcd.caCert

Skydns path of TLS certificate authority public key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/skydns.nix>
services.skydns.etcd.machines

Skydns list of etcd endpoints to connect to.

Type: list of string

Default:

[
  "http://127.0.0.1:2379"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/skydns.nix>
services.skydns.etcd.tlsKey

Skydns path of TLS client certificate - private key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/skydns.nix>
services.skydns.etcd.tlsPem

Skydns path of TLS client certificate - public key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/skydns.nix>
services.skydns.extraConfig

Skydns attribute set of extra config options passed as environment variables.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/skydns.nix>
services.skydns.nameservers

Skydns list of nameservers to forward DNS requests to when not authoritative for a domain.

Type: list of string

Default: map (n: n + ":53") config.networking.nameservers

Example:

[
  "8.8.8.8:53"
  "8.8.4.4:53"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/skydns.nix>
services.slimserver.enable

Whether to enable slimserver.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/slimserver.nix>
services.slimserver.package

The slimserver package to use.

Type: package

Default: pkgs.slimserver

Declared by:

<nixpkgs/nixos/modules/services/audio/slimserver.nix>
services.slimserver.dataDir

The directory where slimserver stores its state, tag cache, playlists etc.

Type: path

Default: "/var/lib/slimserver"

Declared by:

<nixpkgs/nixos/modules/services/audio/slimserver.nix>
services.slskd.enable

Whether to enable slskd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.package

The slskd package to use.

Type: package

Default: pkgs.slskd

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.domain

If non-null, enables an nginx reverse proxy virtual host at this FQDN, at the path configurated with services.slskd.web.url_base.

Type: null or string

Example: "slskd.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.environmentFile

Path to the environment file sourced on startup. It must at least contain the variables SLSKD_SLSK_USERNAME and SLSKD_SLSK_PASSWORD. Web interface credentials should also be set here in SLSKD_USERNAME and SLSKD_PASSWORD. Other, optional credentials like SOCKS5 with SLSKD_SLSK_PROXY_USERNAME and SLSKD_SLSK_PROXY_PASSWORD should all reside here instead of in the world-readable nix store. Variables are documented at https://github.com/slskd/slskd/blob/master/docs/config.md

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.group

Group under which slskd runs.

Type: string

Default: "slskd"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx

This option customizes the nginx virtual host set up for slskd.

Type: submodule

Default: { }

Example:

{
  enableACME = true;
  forceHttps = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.openFirewall

Whether to open the firewall for the soulseek network listen port (not the web interface port).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings

Application configuration for slskd. See documentation.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.directories.downloads

Directory where downloaded files are stored.

Type: null or path

Default: "/var/lib/slskd/downloads"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.directories.incomplete

Directory where incomplete downloading files are stored.

Type: null or path

Default: "/var/lib/slskd/incomplete"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.filters.search.request

Incoming search requests which match this filter are ignored.

Type: list of string

Example: [ "^.{1,2}$" ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.flags.force_share_scan

Force a rescan of shares on every startup.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.global.download.slots

Limit of the number of concurrent download slots.

Type: unsigned integer, meaning >=0

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.global.download.speed_limit

Total upload download limit

Type: unsigned integer, meaning >=0

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.global.upload.slots

Limit of the number of concurrent upload slots.

Type: unsigned integer, meaning >=0

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.global.upload.speed_limit

Total upload speed limit.

Type: unsigned integer, meaning >=0

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.remote_file_management

Whether to enable modification of share contents through the web ui.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.retention.files.complete

Lifespan of completely downloaded files in minutes.

Type: unsigned integer, meaning >=0

Default: "(indefinite)"

Example: 20160

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.retention.files.incomplete

Lifespan of incomplete downloading files in minutes.

Type: unsigned integer, meaning >=0

Default: "(indefinite)"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.retention.transfers.download.cancelled

Lifespan of cancelled download tasks.

Type: unsigned integer, meaning >=0

Default: "(indefinite)"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.retention.transfers.download.errored

Lifespan of errored download tasks.

Type: unsigned integer, meaning >=0

Default: "(indefinite)"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.retention.transfers.download.succeeded

Lifespan of succeeded download tasks.

Type: unsigned integer, meaning >=0

Default: "(indefinite)"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.retention.transfers.upload.cancelled

Lifespan of cancelled upload tasks.

Type: unsigned integer, meaning >=0

Default: "(indefinite)"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.retention.transfers.upload.errored

Lifespan of errored upload tasks.

Type: unsigned integer, meaning >=0

Default: "(indefinite)"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.retention.transfers.upload.succeeded

Lifespan of succeeded upload tasks.

Type: unsigned integer, meaning >=0

Default: "(indefinite)"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.rooms

Chat rooms to join on startup.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.shares.directories

Paths to shared directories. See documentation for advanced usage.

Type: list of string

Example: [ "/home/John/Music" "!/home/John/Music/Recordings" "[Music Drive]/mnt" ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.shares.filters

Regular expressions of files to exclude from sharing.

Type: list of string

Example: [ "\.ini$" "Thumbs.db$" "\.DS_Store$" ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.soulseek.description

The user description for the Soulseek network.

Type: string

Default: "A slskd user. https://github.com/slskd/slskd"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.soulseek.listen_port

The port on which to listen for incoming connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 50300

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.web.https.disabled

Disable the built-in HTTPS server

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.web.port

The HTTP listen port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5030

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.settings.web.url_base

The base path in the url for web requests.

Type: path

Default: "/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slskd.user

User account under which slskd runs.

Type: string

Default: "slskd"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/slskd.nix>
services.slurm.enableSrunX11

If enabled srun will accept the option “–x11” to allow for X11 forwarding from within an interactive session or a batch job. This activates the slurm-spank-x11 module. Note that this option also enables services.openssh.forwardX11 on the client.

This option requires slurm to be compiled without native X11 support. The default behavior is to re-compile the slurm package with native X11 support disabled if this option is set to true.

To use the native X11 support add PrologFlags=X11 in extraConfig. Note that this method will only work RSA SSH host keys.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.enableStools

Whether to provide a slurm.conf file. Enable this option if you do not run a slurm daemon on this host (i.e. server.enable and client.enable are false) but you still want to run slurm commands from this host.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.package

The slurm package to use.

Type: package

Default: pkgs.slurm

Example: slurm-full

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.client.enable

Whether to enable slurm client daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.clusterName

Necessary to distinguish accounting records in a multi-cluster environment.

Type: string

Default: "default"

Example: "myCluster"

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.controlAddr

Name that ControlMachine should be referred to in establishing a communications path.

Type: null or string

Default: config.services.slurm.controlMachine

Example: null

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.controlMachine

The short hostname of the machine where SLURM control functions are executed (i.e. the name returned by the command “hostname -s”, use “tux001” rather than “tux001.my.com”).

Type: null or string

Default: null

Example: null

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.dbdserver.enable

Whether to enable SlurmDBD service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.dbdserver.dbdHost

Hostname of the machine where slurmdbd is running (i.e. name returned by hostname -s).

Type: string

Default: config.networking.hostName

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.dbdserver.extraConfig

Extra configuration for slurmdbd.conf See also: slurmdbd.conf(8).

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.dbdserver.storagePassFile

Path to file with database password. The content of this will be used to create the password for the StoragePass option.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.dbdserver.storageUser

Database user name.

Type: string

Default: config.services.slurm.user

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.extraCgroupConfig

Extra configuration for cgroup.conf. This file is used when procTrackType=proctrack/cgroup.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.extraConfig

Extra configuration options that will be added verbatim at the end of the slurm configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.extraConfigPaths

Slurm expects config files for plugins in the same path as slurm.conf. Add extra nix store paths that should be merged into same directory as slurm.conf.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.extraPlugstackConfig

Extra configuration that will be added to the end of plugstack.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.mpi.PmixCliTmpDirBase

Base path for PMIx temporary files.

Type: string

Default: "/tmp/pmix"

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.mpi.extraMpiConfig

Extra configuration for that will be added to mpi.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.nodeName

Name that SLURM uses to refer to a node (or base partition for BlueGene systems). Typically this would be the string that “/bin/hostname -s” returns. Note that now you have to write node’s parameters after the name.

Type: list of string

Default: [ ]

Example: [ "linux[1-32] CPUs=1 State=UNKNOWN" ];

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.partitionName

Name by which the partition may be referenced. Note that now you have to write the partition’s parameters after the name.

Type: list of string

Default: [ ]

Example: [ "debug Nodes=linux[1-32] Default=YES MaxTime=INFINITE State=UP" ];

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.procTrackType

Plugin to be used for process tracking on a job step basis. The slurmd daemon uses this mechanism to identify all processes which are children of processes it spawns for a user job step.

Type: string

Default: "proctrack/linuxproc"

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.server.enable

Whether to enable the slurm control daemon. Note that the standard authentication method is “munge”. The “munge” service needs to be provided with a password file in order for slurm to work properly (see services.munge.password).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.stateSaveLocation

Directory into which the Slurm controller, slurmctld, saves its state.

Type: string

Default: "/var/spool/slurmctld"

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.slurm.user

Set this option when you want to run the slurmctld daemon as something else than the default slurm user “slurm”. Note that the UID of this user needs to be the same on all nodes.

Type: string

Default: "slurm"

Declared by:

<nixpkgs/nixos/modules/services/computing/slurm/slurm.nix>
services.smartd.enable

Whether to enable smartd daemon from smartmontools package.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.autodetect

Whenever smartd should monitor all devices connected to the machine at the time it’s being started (the default).

Set to false to monitor the devices listed in services.smartd.devices only.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.defaults.autodetected

Like services.smartd.defaults.monitored, but for the autodetected devices.

Type: strings concatenated with " "

Default: config.services.smartd.defaults.monitored

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.defaults.monitored

Common default options for explicitly monitored (listed in services.smartd.devices) devices.

The default value turns on monitoring of all the things (see man 5 smartd.conf).

The example also turns on SMART Automatic Offline Testing on startup, and schedules short self-tests daily, and long self-tests weekly.

Type: strings concatenated with " "

Default: "-a"

Example: "-a -o on -s (S/../.././02|L/../../7/04)"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.devices

List of devices to monitor.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    device = "/dev/sda";
  }
  {
    device = "/dev/sdb";
    options = "-d sat";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.devices.*.device

Location of the device.

Type: string

Example: "/dev/sda"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.devices.*.options

Options that determine how smartd monitors the device.

Type: strings concatenated with " "

Default: ""

Example: "-d sat"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.extraOptions

Extra command-line options passed to the smartd daemon on startup.

(See man 8 smartd.)

Type: list of string

Default: [ ]

Example:

[
  "-A /var/log/smartd/"
  "--interval=3600"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.notifications.mail.enable

Whenever to send e-mail notifications.

Type: boolean

Default: config.services.mail.sendmailSetuidWrapper != null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.notifications.mail.mailer

Sendmail-compatible binary to be used to send the messages.

You should probably enable services.postfix or some other MTA for this to work.

Type: path

Default: "/run/wrappers/bin/sendmail"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.notifications.mail.recipient

Recipient of the notification messages.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.notifications.mail.sender

Sender of the notification messages. Acts as the value of email in the emails’ From: ... field.

Type: string

Default: "root"

Example: "example@domain.tld"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.notifications.systembus-notify.enable

Whenever to send systembus-notify notifications.

WARNING: enabling this option (while convenient) should not be done on a machine where you do not trust the other users as it allows any other local user to DoS your session by spamming notifications.

To actually see the notifications in your GUI session, you need to have systembus-notify running as your user, which this option handles by enabling services.systembus-notify.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.notifications.test

Whenever to send a test notification on startup.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.notifications.wall.enable

Whenever to send wall notifications to all users.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.notifications.x11.enable

Whenever to send X11 xmessage notifications.

Type: boolean

Default: config.services.xserver.enable

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartd.notifications.x11.display

DISPLAY to send X11 notifications to.

Type: string

Default: ":${toString config.services.xserver.display}"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/smartd.nix>
services.smartdns.enable

Whether to enable SmartDNS DNS server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/smartdns.nix>
services.smartdns.bindPort

DNS listening port number.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 53

Declared by:

<nixpkgs/nixos/modules/services/networking/smartdns.nix>
services.smartdns.settings

A set that will be generated into configuration file, see the SmartDNS README for details of configuration parameters. You could override the options here like services.smartdns.bindPort by writing settings.bind = ":5353 -no-rule -group example";.

Type: attribute set of ((list of (string or signed integer or boolean)) or (string or signed integer or boolean) convertible to it)

Example:

{
  bind = ":5353 -no-rule -group example";
  cache-size = 4096;
  server-tls = [ "8.8.8.8:853" "1.1.1.1:853" ];
  server-https = "https://cloudflare-dns.com/dns-query -exclude-default-group";
  prefetch-domain = true;
  speed-check-mode = "ping,tcp:80";
};

Declared by:

<nixpkgs/nixos/modules/services/networking/smartdns.nix>
services.smokeping.enable

Whether to enable smokeping service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.package

The smokeping package to use.

Type: package

Default: pkgs.smokeping

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.alertConfig

Configuration for alerts.

Type: strings concatenated with “\n”

Default:

''
  to = root@localhost
  from = smokeping@localhost
''

Example:

''
  to = alertee@address.somewhere
  from = smokealert@company.xy
  
  +someloss
  type = loss
  # in percent
  pattern = >0%,*12*,>0%,*12*,>0%
  comment = loss 3 times  in a row;
''

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.cgiUrl

URL to the smokeping cgi.

Type: string

Default: "http://${hostName}/smokeping.cgi"

Example: "https://somewhere.example.com/smokeping.cgi"

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.config

Full smokeping config supplied by the user. Overrides and replaces any other configuration supplied.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.databaseConfig

Configure the ping frequency and retention of the rrd files. Once set, changing the interval will require deletion or migration of all the collected data.

Type: strings concatenated with “\n”

Default:

''
  step     = 300
  pings    = 20
  # consfn mrhb steps total
  AVERAGE  0.5   1  1008
  AVERAGE  0.5  12  4320
      MIN  0.5  12  4320
      MAX  0.5  12  4320
  AVERAGE  0.5 144   720
      MAX  0.5 144   720
      MIN  0.5 144   720
  
''

Example:

''
  # near constant pings.
  step     = 30
  pings    = 20
  # consfn mrhb steps total
  AVERAGE  0.5   1  10080
  AVERAGE  0.5  12  43200
      MIN  0.5  12  43200
      MAX  0.5  12  43200
  AVERAGE  0.5 144   7200
      MAX  0.5 144   7200
      MIN  0.5 144   7200
''

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.extraConfig

Any additional customization not already included.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.host

Host/IP to bind to for the web server.

Setting it to null skips passing the -h option to thttpd, which makes it bind to all interfaces.

Type: null or string

Default: "localhost"

Example: "192.0.2.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.hostName

DNS name for the urls generated in the cgi.

Type: string

Default: config.networking.fqdn

Example: "somewhere.example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.imgUrl

Base url for images generated in the cgi.

The default is a relative URL to ensure it works also when e.g. forwarding the GUI port via SSH.

Type: string

Default: "cache"

Example: "https://somewhere.example.com/cache"

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.linkStyle

DNS name for the urls generated in the cgi.

Type: one of “original”, “absolute”, “relative”

Default: "relative"

Example: "absolute"

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.mailHost

Use this SMTP server to send alerts

Type: string

Default: ""

Example: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.owner

Real name of the owner of the instance

Type: string

Default: "nobody"

Example: "Bob Foobawr"

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.ownerEmail

Email contact for owner

Type: string

Default: "no-reply@${hostName}"

Example: "no-reply@yourdomain.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.presentationConfig

presentation graph style

Type: strings concatenated with “\n”

Default:

''
  + charts
  menu = Charts
  title = The most interesting destinations
  ++ stddev
  sorter = StdDev(entries=>4)
  title = Top Standard Deviation
  menu = Std Deviation
  format = Standard Deviation %f
  ++ max
  sorter = Max(entries=>5)
  title = Top Max Roundtrip Time
  menu = by Max
  format = Max Roundtrip Time %f seconds
  ++ loss
  sorter = Loss(entries=>5)
  title = Top Packet Loss
  menu = Loss
  format = Packets Lost %f
  ++ median
  sorter = Median(entries=>5)
  title = Top Median Roundtrip Time
  menu = by Median
  format = Median RTT %f seconds
  + overview
  width = 600
  height = 50
  range = 10h
  + detail
  width = 600
  height = 200
  unison_tolerance = 2
  "Last 3 Hours"    3h
  "Last 30 Hours"   30h
  "Last 10 Days"    10d
  "Last 360 Days"   360d
''

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.presentationTemplate

Default page layout for the web UI.

Type: string

Default: "${pkgs.smokeping}/etc/basepage.html.dist"

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.probeConfig

Probe configuration

Type: strings concatenated with “\n”

Default:

''
  + FPing
  binary = ${config.security.wrapperDir}/fping
''

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.sendmail

Use this sendmail compatible script to deliver alerts

Type: null or path

Default: null

Example: "/run/wrappers/bin/sendmail"

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.smokeMailTemplate

Specify the smokemail template for alerts.

Type: string

Default: "${package}/etc/smokemail.dist"

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.targetConfig

Target configuration

Type: strings concatenated with “\n”

Default:

''
  probe = FPing
  menu = Top
  title = Network Latency Grapher
  remark = Welcome to the SmokePing website of xxx Company. \
           Here you will learn all about the latency of our network.
  + Local
  menu = Local
  title = Local Network
  ++ LocalMachine
  menu = Local Machine
  title = This host
  host = localhost
''

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.user

User that runs smokeping and (optionally) thttpd. A group of the same name will be created as well.

Type: string

Default: "smokeping"

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.smokeping.webService

Enable a smokeping web interface

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/smokeping.nix>
services.snapper.cleanupInterval

Cleanup interval.

The format is described in systemd.time(7).

Type: string

Default: "1d"

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.configs

Subvolume configuration. Any option mentioned in man:snapper-configs(5) is valid here, even if NixOS doesn’t document it.

Type: attribute set of (attribute set of ((list of (string without line breaks or quotes)) or boolean or string without line breaks or quotes or signed integer or floating point number))

Default: { }

Example:

{
  home = {
    SUBVOLUME = "/home";
    ALLOW_USERS = [ "alice" ];
    TIMELINE_CREATE = true;
    TIMELINE_CLEANUP = true;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.configs.<name>.ALLOW_GROUPS

List of groups allowed to operate with the config.

Also see the PERMISSIONS section in man:snapper(8).

Type: list of (string without line breaks or quotes)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.configs.<name>.ALLOW_USERS

List of users allowed to operate with the config. “root” is always implicitly included.

Also see the PERMISSIONS section in man:snapper(8).

Type: list of (string without line breaks or quotes)

Default: [ ]

Example:

[
  "alice"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.configs.<name>.FSTYPE

Filesystem type. Only btrfs is stable and tested.

Type: value “btrfs” (singular enum)

Default: "btrfs"

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.configs.<name>.SUBVOLUME

Path of the subvolume or mount point. This path is a subvolume and has to contain a subvolume named .snapshots. See also man:snapper(8) section PERMISSIONS.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.configs.<name>.TIMELINE_CLEANUP

Defines whether the timeline cleanup algorithm should be run for the config.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.configs.<name>.TIMELINE_CREATE

Defines whether hourly snapshots should be created.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.configs.<name>.TIMELINE_LIMIT_DAILY

Limits for timeline cleanup.

Type: unsigned integer, meaning >=0, or string containing either a number or a range

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.configs.<name>.TIMELINE_LIMIT_HOURLY

Limits for timeline cleanup.

Type: unsigned integer, meaning >=0, or string containing either a number or a range

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.configs.<name>.TIMELINE_LIMIT_MONTHLY

Limits for timeline cleanup.

Type: unsigned integer, meaning >=0, or string containing either a number or a range

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.configs.<name>.TIMELINE_LIMIT_QUARTERLY

Limits for timeline cleanup.

Type: unsigned integer, meaning >=0, or string containing either a number or a range

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.configs.<name>.TIMELINE_LIMIT_WEEKLY

Limits for timeline cleanup.

Type: unsigned integer, meaning >=0, or string containing either a number or a range

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.configs.<name>.TIMELINE_LIMIT_YEARLY

Limits for timeline cleanup.

Type: unsigned integer, meaning >=0, or string containing either a number or a range

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.filters

Global display difference filter. See man:snapper(8) for more details.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.persistentTimer

Set the Persistent option for the systemd.timer(5) which triggers the snapshot immediately if the last trigger was missed (e.g. if the system was powered down).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.snapshotInterval

Snapshot interval.

The format is described in systemd.time(7).

Type: string

Default: "hourly"

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapper.snapshotRootOnBoot

Whether to snapshot root on boot

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/snapper.nix>
services.snapraid.enable

Whether to enable SnapRAID.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/snapraid.nix>
services.snapraid.contentFiles

SnapRAID content list files.

Type: list of string

Default: [ ]

Example:

[
  "/var/snapraid.content"
  "/mnt/disk1/snapraid.content"
  "/mnt/disk2/snapraid.content"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/snapraid.nix>
services.snapraid.dataDisks

SnapRAID data disks.

Type: attribute set of string

Default: { }

Example:

{
  d1 = "/mnt/disk1/";
  d2 = "/mnt/disk2/";
  d3 = "/mnt/disk3/";
}

Declared by:

<nixpkgs/nixos/modules/services/backup/snapraid.nix>
services.snapraid.exclude

SnapRAID exclude directives.

Type: list of string

Default: [ ]

Example:

[
  "*.unrecoverable"
  "/tmp/"
  "/lost+found/"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/snapraid.nix>
services.snapraid.extraConfig

Extra config options for SnapRAID.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  nohidden
  blocksize 256
  hashsize 16
  autosave 500
  pool /pool
''

Declared by:

<nixpkgs/nixos/modules/services/backup/snapraid.nix>
services.snapraid.parityFiles

SnapRAID parity files.

Type: list of string

Default: [ ]

Example:

[
  "/mnt/diskp/snapraid.parity"
  "/mnt/diskq/snapraid.2-parity"
  "/mnt/diskr/snapraid.3-parity"
  "/mnt/disks/snapraid.4-parity"
  "/mnt/diskt/snapraid.5-parity"
  "/mnt/disku/snapraid.6-parity"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/snapraid.nix>
services.snapraid.scrub.interval

How often to run snapraid scrub.

Type: string

Default: "Mon *-*-* 02:00:00"

Example: "weekly"

Declared by:

<nixpkgs/nixos/modules/services/backup/snapraid.nix>
services.snapraid.scrub.olderThan

Number of days since data was last scrubbed before it can be scrubbed again.

Type: signed integer

Default: 10

Example: 20

Declared by:

<nixpkgs/nixos/modules/services/backup/snapraid.nix>
services.snapraid.scrub.plan

Percent of the array that should be checked by snapraid scrub.

Type: signed integer

Default: 8

Example: 5

Declared by:

<nixpkgs/nixos/modules/services/backup/snapraid.nix>
services.snapraid.sync.interval

How often to run snapraid sync.

Type: string

Default: "01:00"

Example: "daily"

Declared by:

<nixpkgs/nixos/modules/services/backup/snapraid.nix>
services.snapraid.touchBeforeSync

Whether snapraid touch should be run before snapraid sync.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/backup/snapraid.nix>
services.snapserver.enable

Whether to enable snapserver.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.package

The snapcast package to use.

Type: package

Default: pkgs.snapcast

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.buffer

Network buffer in ms.

Type: null or signed integer

Default: null

Example: 1000

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.codec

Default audio compression method.

Type: null or string

Default: null

Example: "flac"

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.http.enable

Whether to enable the JSON-RPC via HTTP.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.http.docRoot

Path to serve from the HTTP servers root.

Type: null or path

Default: pkgs.snapweb

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.http.listenAddress

The address where the HTTP JSON-RPC listens on.

Type: string

Default: "::"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.http.port

The port where the HTTP JSON-RPC listens on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1780

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.listenAddress

The address where snapclients can connect.

Type: string

Default: "::"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.openFirewall

Whether to automatically open the specified ports in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.port

The port that snapclients can connect to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1704

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.sampleFormat

Default sample format.

Type: null or string

Default: null

Example: "48000:16:2"

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.sendToMuted

Send audio to muted clients.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.streamBuffer

Stream read (input) buffer in ms.

Type: null or signed integer

Default: null

Example: 20

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.streams

The definition for an input source.

Type: attribute set of (submodule)

Default:

{
  default = { };
}

Example:

{
  mpd = {
    type = "pipe";
    location = "/run/snapserver/mpd";
    sampleFormat = "48000:16:2";
    codec = "pcm";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.streams.<name>.codec

Default audio compression method.

Type: null or string

Default: null

Example: "flac"

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.streams.<name>.location

For type pipe or file, the path to the pipe or file. For type librespot, airplay or process, the path to the corresponding binary. For type tcp, the host:port address to connect to or listen on. For type meta, a list of stream names in the form /one/two/.... Don’t forget the leading slash. For type alsa, use an empty string.

Type: path or string

Example:

"/path/to/pipe"
"/path/to/librespot"
"192.168.1.2:4444"
"/MyTCP/Spotify/MyPipe"

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.streams.<name>.query

Key-value pairs that convey additional parameters about a stream.

Type: attribute set of string

Default: { }

Example:

# for type == "pipe":
{
  mode = "create";
};
# for type == "process":
{
  params = "--param1 --param2";
  logStderr = "true";
};
# for type == "tcp":
{
  mode = "client";
}
# for type == "alsa":
{
  device = "hw:0,0";
}

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.streams.<name>.sampleFormat

Default sample format.

Type: null or string

Default: null

Example: "48000:16:2"

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.streams.<name>.type

The type of input stream.

Type: one of “pipe”, “librespot”, “airplay”, “file”, “process”, “tcp”, “alsa”, “spotify”, “meta”

Default: "pipe"

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.tcp.enable

Whether to enable the JSON-RPC via TCP.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.tcp.listenAddress

The address where the TCP JSON-RPC listens on.

Type: string

Default: "::"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snapserver.tcp.port

The port where the TCP JSON-RPC listens on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1705

Declared by:

<nixpkgs/nixos/modules/services/audio/snapserver.nix>
services.snipe-it.enable

Whether to enable snipe-it, a free open source IT asset/license management system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.appKeyFile

A file containing the Laravel APP_KEY - a 32 character long, base64 encoded key used for encryption where needed. Can be generated with head -c 32 /dev/urandom | base64.

Type: path

Example: "/run/keys/snipe-it/appkey"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.appURL

The root URL that you want to host Snipe-IT on. All URLs in Snipe-IT will be generated using this value. If you change this in the future you may need to run a command to update stored URLs in the database. Command example: snipe-it snipe-it:update-url https://old.example.com https://new.example.com

Type: string

Default:

''
  http''${lib.optionalString tlsEnabled "s"}://''${cfg.hostName}
''

Example: "https://example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.config

Snipe-IT configuration options to set in the .env file. Refer to https://snipe-it.readme.io/docs/configuration for details on supported values.

Settings containing secret data should be set to an attribute set containing the attribute _secret - a string pointing to a file containing the value the option should be set to. See the example to get a better picture of this: in the resulting .env file, the OIDC_CLIENT_SECRET key will be set to the contents of the /run/keys/oidc_secret file.

Type: attribute set of (null or boolean or signed integer or 16 bit unsigned integer; between 0 and 65535 (both inclusive) or path or string or (submodule))

Default: { }

Example:

{
  ALLOWED_IFRAME_HOSTS = "https://example.com";
  WKHTMLTOPDF = "${pkgs.wkhtmltopdf}/bin/wkhtmltopdf";
  AUTH_METHOD = "oidc";
  OIDC_NAME = "MyLogin";
  OIDC_DISPLAY_NAME_CLAIMS = "name";
  OIDC_CLIENT_ID = "snipe-it";
  OIDC_CLIENT_SECRET = {_secret = "/run/keys/oidc_secret"};
  OIDC_ISSUER = "https://keycloak.example.com/auth/realms/My%20Realm";
  OIDC_ISSUER_DISCOVER = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.dataDir

snipe-it data directory

Type: path

Default: "/var/lib/snipe-it"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.database.createLocally

Create the database and database user locally.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.database.name

Database name.

Type: string

Default: "snipeit"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/snipe-it/dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.database.user

Database username.

Type: string

Default: user

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.group

Group snipe-it runs as.

Type: string

Default: "snipeit"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.hostName

The hostname to serve Snipe-IT on.

Type: string

Default: config.networking.fqdnOrHostName

Example: "snipe-it.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.mail.backupNotificationAddress

Email Address to send Backup Notifications to.

Type: string

Default: "backup@example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.mail.driver

Mail driver to use.

Type: one of “smtp”, “sendmail”

Default: "smtp"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.mail.encryption

SMTP encryption mechanism to use.

Type: null or one of “tls”, “ssl”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.mail.from.address

Mail “from” address.

Type: string

Default: "mail@example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.mail.from.name

Mail “from” name.

Type: string

Default: "Snipe-IT Asset Management"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.mail.host

Mail host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.mail.passwordFile

A file containing the password corresponding to mail.user.

Type: null or path

Default: null

Example: "/run/keys/snipe-it/mailpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.mail.port

Mail host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1025

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.mail.replyTo.address

Mail “reply-to” address.

Type: string

Default: "mail@example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.mail.replyTo.name

Mail “reply-to” name.

Type: string

Default: "Snipe-IT Asset Management"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.mail.user

Mail username.

Type: null or string

Default: null

Example: "snipeit"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.maxUploadSize

The maximum size for uploads (e.g. images).

Type: string

Default: "18M"

Example: "1G"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx

With this option, you can customize the nginx virtualHost settings.

Type: submodule

Default: { }

Example:

{
  serverAliases = [
    "snipe-it.${config.networking.domain}"
  ];
  # To enable encryption and let let's encrypt take care of certificate
  forceSSL = true;
  enableACME = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.nginx.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.poolConfig

Options for the snipe-it PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.snipe-it.user

User snipe-it runs as.

Type: string

Default: "snipeit"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/snipe-it.nix>
services.sniproxy.enable

Whether to enable sniproxy server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/sniproxy.nix>
services.sniproxy.config

sniproxy.conf configuration excluding the daemon username and pid file.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  error_log {
    filename /var/log/sniproxy/error.log
  }
  access_log {
    filename /var/log/sniproxy/access.log
  }
  listen 443 {
    proto tls
  }
  table {
    example.com 192.0.2.10
    example.net 192.0.2.20
  }
''

Declared by:

<nixpkgs/nixos/modules/services/networking/sniproxy.nix>
services.sniproxy.group

Group under which sniproxy runs.

Type: string

Default: "sniproxy"

Declared by:

<nixpkgs/nixos/modules/services/networking/sniproxy.nix>
services.sniproxy.user

User account under which sniproxy runs.

Type: string

Default: "sniproxy"

Declared by:

<nixpkgs/nixos/modules/services/networking/sniproxy.nix>
services.snmpd.enable

Whether to enable snmpd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/snmpd.nix>
services.snmpd.package

The net-snmp package to use.

Type: package

Default: pkgs.net-snmp

Declared by:

<nixpkgs/nixos/modules/services/monitoring/snmpd.nix>
services.snmpd.configFile

Path to the snmpd.conf file. By default, if configText is set, a config file will be automatically generated.

Type: path

Default: The value of configText.

Declared by:

<nixpkgs/nixos/modules/services/monitoring/snmpd.nix>
services.snmpd.configText

The contents of the snmpd.conf. If the configFile option is set, this value will be ignored.

Note that the contents of this option will be added to the Nix store as world-readable plain text, configFile can be used in addition to a secret management tool to protect sensitive data.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/snmpd.nix>
services.snmpd.listenAddress

The address to listen on for SNMP and AgentX messages.

Type: string

Default: "0.0.0.0"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/snmpd.nix>
services.snmpd.openFirewall

Open port in firewall for snmpd.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/snmpd.nix>
services.snmpd.port

The port to listen on for SNMP and AgentX messages.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 161

Declared by:

<nixpkgs/nixos/modules/services/monitoring/snmpd.nix>
services.snowflake-proxy.enable

Whether to enable snowflake-proxy, a system to defeat internet censorship.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/snowflake-proxy.nix>
services.snowflake-proxy.broker

Broker URL (default “https://snowflake-broker.torproject.net/”)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/snowflake-proxy.nix>
services.snowflake-proxy.capacity

Limits the amount of maximum concurrent clients allowed.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/snowflake-proxy.nix>
services.snowflake-proxy.relay

websocket relay URL (default “wss://snowflake.bamsoftware.com/”)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/snowflake-proxy.nix>
services.snowflake-proxy.stun

STUN broker URL (default “stun:stun.stunprotocol.org:3478”)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/snowflake-proxy.nix>
services.soft-serve.enable

Whether to enable soft-serve.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/soft-serve.nix>
services.soft-serve.package

The soft-serve package to use.

Type: package

Default: pkgs.soft-serve

Declared by:

<nixpkgs/nixos/modules/services/misc/soft-serve.nix>
services.soft-serve.settings

The contents of the configuration file for soft-serve.

See https://charm.sh/blog/self-hosted-soft-serve/.

Type: YAML value

Default: { }

Example:

{
  name = "dadada's repos";
  log_format = "text";
  ssh = {
    listen_addr = ":23231";
    public_url = "ssh://localhost:23231";
    max_timeout = 30;
    idle_timeout = 120;
  };
  stats.listen_addr = ":23233";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/soft-serve.nix>
services.softether.enable

Whether to enable SoftEther VPN services.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/softether.nix>
services.softether.package

The softether package to use.

Type: package

Default: pkgs.softether

Declared by:

<nixpkgs/nixos/modules/services/networking/softether.nix>
services.softether.dataDir

Data directory for SoftEther VPN.

Type: path

Default: "/var/lib/softether"

Declared by:

<nixpkgs/nixos/modules/services/networking/softether.nix>
services.softether.vpnbridge.enable

Whether to enable SoftEther VPN Bridge.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/softether.nix>
services.softether.vpnclient.enable

Whether to enable SoftEther VPN Client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/softether.nix>
services.softether.vpnclient.down

Shell commands executed when the Virtual Network Adapter(s) is/are shutting down.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/softether.nix>
services.softether.vpnclient.up

Shell commands executed when the Virtual Network Adapter(s) is/are starting.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/softether.nix>
services.softether.vpnserver.enable

Whether to enable SoftEther VPN Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/softether.nix>
services.sogo.enable

Whether to enable SOGo groupware.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sogo.nix>
services.sogo.configReplaces

Replacement-filepath mapping for sogo.conf. Every key is replaced with the contents of the file specified as value.

In the example, every occurrence of LDAP_BINDPW will be replaced with the text of the specified file.

Type: attribute set of string

Default: { }

Example:

{
  LDAP_BINDPW = "/var/lib/secrets/sogo/ldappw";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sogo.nix>
services.sogo.ealarmsCredFile

Optional path to a credentials file for email alarms

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sogo.nix>
services.sogo.extraConfig

Extra sogo.conf configuration lines

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sogo.nix>
services.sogo.language

Language of SOGo

Type: string

Default: "English"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sogo.nix>
services.sogo.timezone

Timezone of your SOGo instance

Type: string

Example: "America/Montreal"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sogo.nix>
services.sogo.vhostName

Name of the nginx vhost

Type: string

Default: "sogo"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/sogo.nix>
services.soju.enable

Whether to enable soju.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/soju.nix>
services.soju.enableMessageLogging

Whether to enable message logging.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/soju.nix>
services.soju.package

The soju package to use.

Type: package

Default: pkgs.soju

Declared by:

<nixpkgs/nixos/modules/services/networking/soju.nix>
services.soju.acceptProxyIP

Allow the specified IPs to act as a proxy. Proxys have the ability to overwrite the remote and local connection addresses (via the X-Forwarded-* HTTP header fields). The special name “localhost” accepts the loopback addresses 127.0.0.0/8 and ::1/128. By default, all IPs are rejected.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/soju.nix>
services.soju.adminSocket.enable

Listen for admin connections from sojuctl at /run/soju/admin.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/soju.nix>
services.soju.extraConfig

Lines added verbatim to the configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/soju.nix>
services.soju.hostName

Server hostname.

Type: string

Default: config.networking.hostName

Declared by:

<nixpkgs/nixos/modules/services/networking/soju.nix>
services.soju.httpOrigins

List of allowed HTTP origins for WebSocket listeners. The parameters are interpreted as shell patterns, see glob(7).

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/soju.nix>
services.soju.listen

Where soju should listen for incoming connections. See the listen directive in soju(1).

Type: list of string

Default:

[
  ":6697"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/soju.nix>
services.soju.tlsCertificate

Path to server TLS certificate.

Type: null or path

Default: null

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/networking/soju.nix>
services.soju.tlsCertificateKey

Path to server TLS certificate key.

Type: null or path

Default: null

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/networking/soju.nix>
services.solanum.enable

Whether to enable Solanum IRC daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/solanum.nix>
services.solanum.config

Solanum IRC daemon configuration file. check https://github.com/solanum-ircd/solanum/blob/main/doc/reference.conf for all options.

Type: string

Default:

''
  serverinfo {
    name = "irc.example.com";
    sid = "1ix";
    description = "irc!";
  
    vhost = "0.0.0.0";
    vhost6 = "::";
  };
  
  listen {
    host = "0.0.0.0";
    port = 6667;
  };
  
  auth {
    user = "*@*";
    class = "users";
    flags = exceed_limit;
  };
  channel {
    default_split_user_count = 0;
  };
''

Declared by:

<nixpkgs/nixos/modules/services/networking/solanum.nix>
services.solanum.motd

Solanum MOTD text.

Solanum will read its MOTD from /etc/solanum/ircd.motd. If set, the value of this option will be written to this path.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/solanum.nix>
services.solanum.openFilesLimit

Maximum number of open files. Limits the clients and server connections.

Type: signed integer

Default: 1024

Declared by:

<nixpkgs/nixos/modules/services/networking/solanum.nix>
services.sonarr.enable

Whether to enable Sonarr.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sonarr.nix>
services.sonarr.package

The sonarr package to use.

Type: package

Default: pkgs.sonarr

Declared by:

<nixpkgs/nixos/modules/services/misc/sonarr.nix>
services.sonarr.dataDir

The directory where Sonarr stores its data files.

Type: string

Default: "/var/lib/sonarr/.config/NzbDrone"

Declared by:

<nixpkgs/nixos/modules/services/misc/sonarr.nix>
services.sonarr.group

Group under which Sonaar runs.

Type: string

Default: "sonarr"

Declared by:

<nixpkgs/nixos/modules/services/misc/sonarr.nix>
services.sonarr.openFirewall

Open ports in the firewall for the Sonarr web interface

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/sonarr.nix>
services.sonarr.user

User account under which Sonaar runs.

Type: string

Default: "sonarr"

Declared by:

<nixpkgs/nixos/modules/services/misc/sonarr.nix>
services.sonic-server.enable

Whether to enable Sonic Search Index.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/search/sonic-server.nix>
services.sonic-server.package

The sonic-server package to use.

Type: package

Default: pkgs.sonic-server

Declared by:

<nixpkgs/nixos/modules/services/search/sonic-server.nix>
services.sonic-server.settings

Sonic Server configuration options.

Refer to https://github.com/valeriansaliou/sonic/blob/master/CONFIGURATION.md for a full list of available options.

Type: TOML value

Default:

{
  store = {
    fst = {
      path = "/var/lib/sonic/fst";
    };
    kv = {
      path = "/var/lib/sonic/kv";
    };
  };
}

Example:

{
  channel = {
    inet = "[::1]:1491";
  };
  server = {
    log_level = "debug";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/search/sonic-server.nix>
services.sourcehut.enable

Whether to enable sourcehut - git hosting, continuous integration, mailing list, ticket tracking, wiki and account management services .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.builds.enable

Whether to enable builds service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.builds.enableWorker

Whether to enable worker for builds.sr.ht

Warning

For smaller deployments, job runners can be installed alongside the master server but even if you only build your own software, integration with other services may cause you to run untrusted builds (e.g. automatic testing of patches via listssrht). See https://man.sr.ht/builds.sr.ht/configuration.md#security-model.

.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.builds.group

Group for builds.sr.ht. Membership grants access to the Git/Mercurial repositories by default, but not to the config.ini file (where secrets are).

Type: string

Default: "buildsrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.builds.gunicorn.extraArgs

Extra arguments passed to Gunicorn.

Type: list of string

Default:

[
  "--timeout 120"
  "--workers 1"
  "--log-level=info"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.builds.images

Images for builds.sr.ht. Each package should be distro.release.arch and point to a /nix/store/package/root.img.qcow2.

Type: attribute set of attribute set of attribute set of package

Default: { }

Example:

(let
            # Pinning unstable to allow usage with flakes and limit rebuilds.
            pkgs_unstable = builtins.fetchGit {
                url = "https://github.com/NixOS/nixpkgs";
                rev = "ff96a0fa5635770390b184ae74debea75c3fd534";
                ref = "nixos-unstable";
            };
            image_from_nixpkgs = (import ("${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix") {
              pkgs = (import pkgs_unstable {});
            });
          in
          {
            nixos.unstable.x86_64 = image_from_nixpkgs;
          }
        )

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.builds.port

Port on which the “builds” backend should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5002

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.builds.postgresql.database

PostgreSQL database name for the builds.sr.ht service, used if services.sourcehut.postgresql.enable is true.

Type: string

Default: "builds.sr.ht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.builds.redis.host

The redis host URL. This is used for caching and temporary storage, and must be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be shared between services. It may be shared between services, however, with no ill effect, if this better suits your infrastructure.

Type: string

Default: "unix:///run/redis-sourcehut-buildsrht/redis.sock?db=0"

Example: "redis://shared.wireguard:6379/0"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.builds.user

User for builds.sr.ht.

Type: string

Default: "buildsrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.git.enable

Whether to enable git service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.git.package

The git package to use.

Type: package

Default: pkgs.git

Example: gitFull

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.git.fcgiwrap.preforkProcess

Number of fcgiwrap processes to prefork.

Type: signed integer

Default: 4

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.git.group

Group for git.sr.ht. Membership grants access to the Git/Mercurial repositories by default, but not to the config.ini file (where secrets are).

Type: string

Default: "gitsrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.git.gunicorn.extraArgs

Extra arguments passed to Gunicorn.

Type: list of string

Default:

[
  "--timeout 120"
  "--workers 1"
  "--log-level=info"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.git.port

Port on which the “git” backend should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5001

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.git.postgresql.database

PostgreSQL database name for the git.sr.ht service, used if services.sourcehut.postgresql.enable is true.

Type: string

Default: "git.sr.ht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.git.redis.host

The redis host URL. This is used for caching and temporary storage, and must be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be shared between services. It may be shared between services, however, with no ill effect, if this better suits your infrastructure.

Type: string

Default: "unix:///run/redis-sourcehut-gitsrht/redis.sock?db=0"

Example: "redis://shared.wireguard:6379/0"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.git.user

User for git.sr.ht.

Type: string

Default: "gitsrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.git.webhooks.celeryConfig

Content of the celeryconfig.py used by the Celery responsible for webhooks.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.git.webhooks.extraArgs

Extra arguments passed to the Celery responsible for webhooks.

Type: list of string

Default:

[
  "--loglevel DEBUG"
  "--pool eventlet"
  "--without-heartbeat"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hg.enable

Whether to enable hg service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hg.package

The mercurial package to use.

Type: package

Default: pkgs.mercurial

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hg.cloneBundles

Generate clonebundles (which require more disk space but dramatically speed up cloning large repositories).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hg.group

Group for hg.sr.ht. Membership grants access to the Git/Mercurial repositories by default, but not to the config.ini file (where secrets are).

Type: string

Default: "hgsrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hg.gunicorn.extraArgs

Extra arguments passed to Gunicorn.

Type: list of string

Default:

[
  "--timeout 120"
  "--workers 1"
  "--log-level=info"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hg.port

Port on which the “hg” backend should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5010

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hg.postgresql.database

PostgreSQL database name for the hg.sr.ht service, used if services.sourcehut.postgresql.enable is true.

Type: string

Default: "hg.sr.ht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hg.redis.host

The redis host URL. This is used for caching and temporary storage, and must be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be shared between services. It may be shared between services, however, with no ill effect, if this better suits your infrastructure.

Type: string

Default: "unix:///run/redis-sourcehut-hgsrht/redis.sock?db=0"

Example: "redis://shared.wireguard:6379/0"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hg.user

User for hg.sr.ht.

Type: string

Default: "hgsrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hg.webhooks.celeryConfig

Content of the celeryconfig.py used by the Celery responsible for webhooks.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hg.webhooks.extraArgs

Extra arguments passed to the Celery responsible for webhooks.

Type: list of string

Default:

[
  "--loglevel DEBUG"
  "--pool eventlet"
  "--without-heartbeat"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hub.enable

Whether to enable hub service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hub.group

Group for hub.sr.ht. Membership grants access to the Git/Mercurial repositories by default, but not to the config.ini file (where secrets are).

Type: string

Default: "hubsrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hub.gunicorn.extraArgs

Extra arguments passed to Gunicorn.

Type: list of string

Default:

[
  "--timeout 120"
  "--workers 1"
  "--log-level=info"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hub.port

Port on which the “hub” backend should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5014

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hub.postgresql.database

PostgreSQL database name for the hub.sr.ht service, used if services.sourcehut.postgresql.enable is true.

Type: string

Default: "hub.sr.ht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hub.redis.host

The redis host URL. This is used for caching and temporary storage, and must be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be shared between services. It may be shared between services, however, with no ill effect, if this better suits your infrastructure.

Type: string

Default: "unix:///run/redis-sourcehut-hubsrht/redis.sock?db=0"

Example: "redis://shared.wireguard:6379/0"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.hub.user

User for hub.sr.ht.

Type: string

Default: "hubsrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.listenAddress

Address to bind to.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.lists.enable

Whether to enable lists service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.lists.group

Group for lists.sr.ht. Membership grants access to the Git/Mercurial repositories by default, but not to the config.ini file (where secrets are).

Type: string

Default: "listssrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.lists.gunicorn.extraArgs

Extra arguments passed to Gunicorn.

Type: list of string

Default:

[
  "--timeout 120"
  "--workers 1"
  "--log-level=info"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.lists.port

Port on which the “lists” backend should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5006

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.lists.postgresql.database

PostgreSQL database name for the lists.sr.ht service, used if services.sourcehut.postgresql.enable is true.

Type: string

Default: "lists.sr.ht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.lists.process.celeryConfig

Content of the celeryconfig.py used by the Celery of listssrht-process.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.lists.process.extraArgs

Extra arguments passed to the Celery responsible for processing mails.

Type: list of string

Default:

[
  "--loglevel DEBUG"
  "--pool eventlet"
  "--without-heartbeat"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.lists.redis.host

The redis host URL. This is used for caching and temporary storage, and must be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be shared between services. It may be shared between services, however, with no ill effect, if this better suits your infrastructure.

Type: string

Default: "unix:///run/redis-sourcehut-listssrht/redis.sock?db=0"

Example: "redis://shared.wireguard:6379/0"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.lists.user

User for lists.sr.ht.

Type: string

Default: "listssrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.lists.webhooks.celeryConfig

Content of the celeryconfig.py used by the Celery responsible for webhooks.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.lists.webhooks.extraArgs

Extra arguments passed to the Celery responsible for webhooks.

Type: list of string

Default:

[
  "--loglevel DEBUG"
  "--pool eventlet"
  "--without-heartbeat"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.man.enable

Whether to enable man service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.man.group

Group for man.sr.ht. Membership grants access to the Git/Mercurial repositories by default, but not to the config.ini file (where secrets are).

Type: string

Default: "mansrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.man.gunicorn.extraArgs

Extra arguments passed to Gunicorn.

Type: list of string

Default:

[
  "--timeout 120"
  "--workers 1"
  "--log-level=info"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.man.port

Port on which the “man” backend should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5004

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.man.postgresql.database

PostgreSQL database name for the man.sr.ht service, used if services.sourcehut.postgresql.enable is true.

Type: string

Default: "man.sr.ht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.man.redis.host

The redis host URL. This is used for caching and temporary storage, and must be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be shared between services. It may be shared between services, however, with no ill effect, if this better suits your infrastructure.

Type: string

Default: "unix:///run/redis-sourcehut-mansrht/redis.sock?db=0"

Example: "redis://shared.wireguard:6379/0"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.man.user

User for man.sr.ht.

Type: string

Default: "mansrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.meta.enable

Whether to enable meta service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.meta.group

Group for meta.sr.ht. Membership grants access to the Git/Mercurial repositories by default, but not to the config.ini file (where secrets are).

Type: string

Default: "metasrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.meta.gunicorn.extraArgs

Extra arguments passed to Gunicorn.

Type: list of string

Default:

[
  "--timeout 120"
  "--workers 1"
  "--log-level=info"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.meta.port

Port on which the “meta” backend should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.meta.postgresql.database

PostgreSQL database name for the meta.sr.ht service, used if services.sourcehut.postgresql.enable is true.

Type: string

Default: "meta.sr.ht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.meta.redis.host

The redis host URL. This is used for caching and temporary storage, and must be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be shared between services. It may be shared between services, however, with no ill effect, if this better suits your infrastructure.

Type: string

Default: "unix:///run/redis-sourcehut-metasrht/redis.sock?db=0"

Example: "redis://shared.wireguard:6379/0"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.meta.user

User for meta.sr.ht.

Type: string

Default: "metasrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.meta.webhooks.celeryConfig

Content of the celeryconfig.py used by the Celery responsible for webhooks.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.meta.webhooks.extraArgs

Extra arguments passed to the Celery responsible for webhooks.

Type: list of string

Default:

[
  "--loglevel DEBUG"
  "--pool eventlet"
  "--without-heartbeat"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.minio.enable

Whether to enable local minio integration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.nginx.enable

Whether to enable local nginx integration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.nginx.virtualHost

Virtual-host configuration merged with all Sourcehut’s virtual-hosts.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.pages.enable

Whether to enable pages service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.pages.group

Group for pages.sr.ht. Membership grants access to the Git/Mercurial repositories by default, but not to the config.ini file (where secrets are).

Type: string

Default: "pagessrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.pages.gunicorn.extraArgs

Extra arguments passed to Gunicorn.

Type: list of string

Default:

[
  "--timeout 120"
  "--workers 1"
  "--log-level=info"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.pages.port

Port on which the “pages” backend should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5112

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.pages.postgresql.database

PostgreSQL database name for the pages.sr.ht service, used if services.sourcehut.postgresql.enable is true.

Type: string

Default: "pages.sr.ht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.pages.redis.host

The redis host URL. This is used for caching and temporary storage, and must be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be shared between services. It may be shared between services, however, with no ill effect, if this better suits your infrastructure.

Type: string

Default: "unix:///run/redis-sourcehut-pagessrht/redis.sock?db=0"

Example: "redis://shared.wireguard:6379/0"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.pages.user

User for pages.sr.ht.

Type: string

Default: "pagessrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.paste.enable

Whether to enable paste service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.paste.group

Group for paste.sr.ht. Membership grants access to the Git/Mercurial repositories by default, but not to the config.ini file (where secrets are).

Type: string

Default: "pastesrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.paste.gunicorn.extraArgs

Extra arguments passed to Gunicorn.

Type: list of string

Default:

[
  "--timeout 120"
  "--workers 1"
  "--log-level=info"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.paste.port

Port on which the “paste” backend should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5011

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.paste.postgresql.database

PostgreSQL database name for the paste.sr.ht service, used if services.sourcehut.postgresql.enable is true.

Type: string

Default: "paste.sr.ht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.paste.redis.host

The redis host URL. This is used for caching and temporary storage, and must be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be shared between services. It may be shared between services, however, with no ill effect, if this better suits your infrastructure.

Type: string

Default: "unix:///run/redis-sourcehut-pastesrht/redis.sock?db=0"

Example: "redis://shared.wireguard:6379/0"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.paste.user

User for paste.sr.ht.

Type: string

Default: "pastesrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.postfix.enable

Whether to enable local postfix integration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.postgresql.enable

Whether to enable local postgresql integration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.redis.enable

Whether to enable local redis integration in a dedicated redis-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings

The configuration for the sourcehut network.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a non-empty list of them)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht".allow-free

Whether to enable nonpaying users to submit builds.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht".api-origin

Origin URL for the API

Type: string

Default: "http://${services.sourcehut.listenAddress}:${toString (services.sourcehut.builds.port + 100)}"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht".connection-string

SQLAlchemy connection string for the database.

Type: string

Default: "postgresql:///localhost?user=buildssrht&host=/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht".debug-host

Address to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht".debug-port

Port to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht".migrate-on-upgrade

Whether to enable automatic migrations on package upgrade.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht".oauth-client-id

builds.sr.ht’s OAuth client id for meta.sr.ht.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht".oauth-client-secret

builds.sr.ht’s OAuth client secret for meta.sr.ht.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht".origin

URL builds.sr.ht is being served at (protocol://domain)

Type: string

Default: "https://builds.example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht".redis

The Redis connection used for the Celery worker.

Type: string

Default: "redis+socket:///run/redis-sourcehut-buildsrht/redis.sock?virtual_host=2"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht".shell

Scripts used to launch on SSH connection. /usr/bin/master-shell on master, /usr/bin/runner-shell on runner. If master and worker are on the same system set to /usr/bin/runner-shell.

Type: one of “/usr/bin/master-shell”, “/usr/bin/runner-shell”

Default: "/usr/bin/master-shell"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht::worker".bind-address

HTTP bind address for serving local build information/monitoring.

Type: string

Default: "localhost:8080"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht::worker".buildlogs

Path to write build logs.

Type: string

Default: "/var/log/sourcehut/buildsrht-worker"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht::worker".name

Listening address and listening port of the build runner (with HTTP port if not 80).

Type: string

Default: "localhost:5020"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."builds.sr.ht::worker".timeout

Max build duration. See https://golang.org/pkg/time/#ParseDuration.

Type: string

Default: "3m"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."git.sr.ht".api-origin

Origin URL for the API

Type: string

Default: "http://${services.sourcehut.listenAddress}:${toString (services.sourcehut.git.port + 100)}"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."git.sr.ht".connection-string

SQLAlchemy connection string for the database.

Type: string

Default: "postgresql:///localhost?user=gitsrht&host=/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."git.sr.ht".debug-host

Address to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."git.sr.ht".debug-port

Port to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."git.sr.ht".migrate-on-upgrade

Whether to enable automatic migrations on package upgrade.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."git.sr.ht".oauth-client-id

git.sr.ht’s OAuth client id for meta.sr.ht.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."git.sr.ht".oauth-client-secret

git.sr.ht’s OAuth client secret for meta.sr.ht.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."git.sr.ht".origin

URL git.sr.ht is being served at (protocol://domain)

Type: string

Default: "https://git.example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."git.sr.ht".outgoing-domain

Outgoing domain.

Type: string

Default: "https://git.localhost.localdomain"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."git.sr.ht".post-update-script

A post-update script which is installed in every git repo. This setting is propagated to newer and existing repositories.

Type: path

Default: "\${pkgs.sourcehut.gitsrht}/bin/gitsrht-update-hook"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."git.sr.ht".repos

Path to git repositories on disk. If changing the default, you must ensure that the gitsrht’s user as read and write access to it.

Type: string

Default: "/var/lib/sourcehut/gitsrht/repos"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."git.sr.ht".webhooks

The Redis connection used for the webhooks worker.

Type: string

Default: "redis+socket:///run/redis-sourcehut-gitsrht/redis.sock?virtual_host=1"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."git.sr.ht::api".internal-ipnet

Set of IP subnets which are permitted to utilize internal API authentication. This should be limited to the subnets from which your *.sr.ht services are running. See services.sourcehut.listenAddress.

Type: list of string

Default:

[
  "127.0.0.0/8"
  "::1/128"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".api-origin

Origin URL for the API

Type: string

Default: "http://${services.sourcehut.listenAddress}:${toString (services.sourcehut.hg.port + 100)}"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".changegroup-script

A changegroup script which is installed in every mercurial repo. This setting is propagated to newer and existing repositories.

Type: string

Default: "\${pkgs.sourcehut.hgsrht}/bin/hgsrht-hook-changegroup"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".clone_bundle_threshold

.hg/store size (in MB) past which the nightly job generates clone bundles.

Type: unsigned integer, meaning >=0

Default: 50

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".connection-string

SQLAlchemy connection string for the database.

Type: string

Default: "postgresql:///localhost?user=hgsrht&host=/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".debug-host

Address to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".debug-port

Port to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".hg_ssh

Path to hg-ssh (if not in $PATH).

Type: string

Default: "\${pkgs.mercurial}/bin/hg-ssh"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".migrate-on-upgrade

Whether to enable automatic migrations on package upgrade.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".oauth-client-id

hg.sr.ht’s OAuth client id for meta.sr.ht.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".oauth-client-secret

hg.sr.ht’s OAuth client secret for meta.sr.ht.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".origin

URL hg.sr.ht is being served at (protocol://domain)

Type: string

Default: "https://hg.example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".repos

Path to mercurial repositories on disk. If changing the default, you must ensure that the hgsrht’s user as read and write access to it.

Type: string

Default: "/var/lib/sourcehut/hgsrht/repos"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".srhtext

Path to the srht mercurial extension (defaults to where the hgsrht code is)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hg.sr.ht".webhooks

The Redis connection used for the webhooks worker.

Type: string

Default: "redis+socket:///run/redis-sourcehut-hgsrht/redis.sock?virtual_host=1"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hub.sr.ht".api-origin

Origin URL for the API

Type: string

Default: "http://${services.sourcehut.listenAddress}:${toString (services.sourcehut.hub.port + 100)}"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hub.sr.ht".connection-string

SQLAlchemy connection string for the database.

Type: string

Default: "postgresql:///localhost?user=hubsrht&host=/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hub.sr.ht".debug-host

Address to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hub.sr.ht".debug-port

Port to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hub.sr.ht".migrate-on-upgrade

Whether to enable automatic migrations on package upgrade.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hub.sr.ht".oauth-client-id

hub.sr.ht’s OAuth client id for meta.sr.ht.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hub.sr.ht".oauth-client-secret

hub.sr.ht’s OAuth client secret for meta.sr.ht.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."hub.sr.ht".origin

URL hub.sr.ht is being served at (protocol://domain)

Type: string

Default: "https://hub.example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht".allow-new-lists

Whether to enable creation of new lists.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht".api-origin

Origin URL for the API

Type: string

Default: "http://${services.sourcehut.listenAddress}:${toString (services.sourcehut.lists.port + 100)}"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht".connection-string

SQLAlchemy connection string for the database.

Type: string

Default: "postgresql:///localhost?user=listssrht&host=/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht".debug-host

Address to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht".debug-port

Port to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht".migrate-on-upgrade

Whether to enable automatic migrations on package upgrade.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht".notify-from

Outgoing email for notifications generated by users.

Type: string

Default: "lists-notify@localhost.localdomain"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht".oauth-client-id

lists.sr.ht’s OAuth client id for meta.sr.ht.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht".oauth-client-secret

lists.sr.ht’s OAuth client secret for meta.sr.ht.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht".origin

URL lists.sr.ht is being served at (protocol://domain)

Type: string

Default: "https://lists.example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht".posting-domain

Posting domain.

Type: string

Default: "lists.localhost.localdomain"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht".redis

The Redis connection used for the Celery worker.

Type: string

Default: "redis+socket:///run/redis-sourcehut-listssrht/redis.sock?virtual_host=2"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht".webhooks

The Redis connection used for the webhooks worker.

Type: string

Default: "redis+socket:///run/redis-sourcehut-listssrht/redis.sock?virtual_host=1"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht::worker".reject-mimetypes

Comma-delimited list of Content-Types to reject. Messages with Content-Types included in this list are rejected. Multipart messages are always supported, and each part is checked against this list.

Uses fnmatch for wildcard expansion.

Type: list of string

Default:

[
  "text/html"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht::worker".reject-url

Reject URL.

Type: string

Default: "https://man.sr.ht/lists.sr.ht/etiquette.md"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht::worker".sock

Path for the lmtp daemon’s unix socket. Direct incoming mail to this socket. Alternatively, specify IP:PORT and an SMTP server will be run instead.

Type: string

Default: "/tmp/lists.sr.ht-lmtp.sock"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."lists.sr.ht::worker".sock-group

The lmtp daemon will make the unix socket group-read/write for users in this group.

Type: string

Default: "postfix"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.mail.error-from

Address sending application exceptions

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.mail.error-to

Address receiving application exceptions

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.mail.pgp-key-id

OpenPGP key identifier.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.mail.pgp-privkey

An absolute file path (which should be outside the Nix-store) to an OpenPGP private key.

Your PGP key information (DO NOT mix up pub and priv here) You must remove the password from your secret key, if present. You can do this with gpg --edit-key [key-id], then use the passwd command and do not enter a new password.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.mail.pgp-pubkey

OpenPGP public key.

Type: path or string

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.mail.smtp-from

Outgoing SMTP FROM.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.mail.smtp-host

Outgoing SMTP host.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.mail.smtp-password

Outgoing SMTP password.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.mail.smtp-port

Outgoing SMTP port.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.mail.smtp-user

Outgoing SMTP user.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."man.sr.ht".api-origin

Origin URL for the API

Type: string

Default: "http://${services.sourcehut.listenAddress}:${toString (services.sourcehut.man.port + 100)}"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."man.sr.ht".connection-string

SQLAlchemy connection string for the database.

Type: string

Default: "postgresql:///localhost?user=mansrht&host=/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."man.sr.ht".debug-host

Address to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."man.sr.ht".debug-port

Port to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."man.sr.ht".migrate-on-upgrade

Whether to enable automatic migrations on package upgrade.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."man.sr.ht".oauth-client-id

man.sr.ht’s OAuth client id for meta.sr.ht.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."man.sr.ht".oauth-client-secret

man.sr.ht’s OAuth client secret for meta.sr.ht.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."man.sr.ht".origin

URL man.sr.ht is being served at (protocol://domain)

Type: string

Default: "https://man.example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht".api-origin

Origin URL for the API

Type: string

Default: "http://${services.sourcehut.listenAddress}:${toString (services.sourcehut.meta.port + 100)}"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht".connection-string

SQLAlchemy connection string for the database.

Type: string

Default: "postgresql:///localhost?user=metasrht&host=/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht".debug-host

Address to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht".debug-port

Port to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht".migrate-on-upgrade

Whether to enable automatic migrations on package upgrade.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht".origin

URL meta.sr.ht is being served at (protocol://domain)

Type: string

Default: "https://meta.example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht".webhooks

The Redis connection used for the webhooks worker.

Type: string

Default: "redis+socket:///run/redis-sourcehut-metasrht/redis.sock?virtual_host=1"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht".welcome-emails

Whether to enable sending stock sourcehut welcome emails after signup.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht::aliases"

Aliases for the client IDs of commonly used OAuth clients.

Type: attribute set of signed integer

Default: { }

Example:

{
  "git.sr.ht" = 12345;
}

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht::api".internal-ipnet

Set of IP subnets which are permitted to utilize internal API authentication. This should be limited to the subnets from which your *.sr.ht services are running. See services.sourcehut.listenAddress.

Type: list of string

Default:

[
  "127.0.0.0/8"
  "::1/128"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht::billing".enabled

Whether to enable the billing system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht::billing".stripe-public-key

Public key for Stripe. Get your keys at https://dashboard.stripe.com/account/apikeys

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht::billing".stripe-secret-key

An absolute file path (which should be outside the Nix-store) to a secret key for Stripe. Get your keys at https://dashboard.stripe.com/account/apikeys

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht::settings".onboarding-redirect

Where to redirect new users upon registration.

Type: string

Default: "https://meta.localhost.localdomain"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht::settings".registration

Whether to enable public registration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."meta.sr.ht::settings".user-invites

How many invites each user is issued upon registration (only applicable if open registration is disabled).

Type: unsigned integer, meaning >=0

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.objects.s3-access-key

Access key to the S3-compatible object storage service

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.objects.s3-secret-key

An absolute file path (which should be outside the Nix-store) to the secret key of the S3-compatible object storage service.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.objects.s3-upstream

Configure the S3-compatible object storage service.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."pages.sr.ht".api-origin

Origin URL for the API

Type: string

Default: "http://${services.sourcehut.listenAddress}:${toString (services.sourcehut.pages.port + 100)}"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."pages.sr.ht".connection-string

SQLAlchemy connection string for the database.

Type: string

Default: "postgresql:///localhost?user=pagessrht&host=/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."pages.sr.ht".debug-host

Address to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."pages.sr.ht".debug-port

Port to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."pages.sr.ht".gemini-certs

An absolute file path (which should be outside the Nix-store) to Gemini certificates.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."pages.sr.ht".max-site-size

Maximum size of any given site (post-gunzip), in MiB.

Type: signed integer

Default: 1024

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."pages.sr.ht".migrate-on-upgrade

Whether to enable automatic migrations on package upgrade.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."pages.sr.ht".oauth-client-id

pages.sr.ht’s OAuth client id for meta.sr.ht.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."pages.sr.ht".oauth-client-secret

pages.sr.ht’s OAuth client secret for meta.sr.ht.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."pages.sr.ht".origin

URL pages.sr.ht is being served at (protocol://domain)

Type: string

Default: "https://pages.example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."pages.sr.ht".user-domain

Configures the user domain, if enabled. All users are given <username>.this.domain.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."pages.sr.ht::api".internal-ipnet

Set of IP subnets which are permitted to utilize internal API authentication. This should be limited to the subnets from which your *.sr.ht services are running. See services.sourcehut.listenAddress.

Type: list of string

Default:

[
  "127.0.0.0/8"
  "::1/128"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."paste.sr.ht".api-origin

Origin URL for the API

Type: string

Default: "http://${services.sourcehut.listenAddress}:${toString (services.sourcehut.paste.port + 100)}"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."paste.sr.ht".connection-string

SQLAlchemy connection string for the database.

Type: string

Default: "postgresql:///localhost?user=pastesrht&host=/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."paste.sr.ht".debug-host

Address to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."paste.sr.ht".debug-port

Port to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."paste.sr.ht".migrate-on-upgrade

Whether to enable automatic migrations on package upgrade.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."paste.sr.ht".oauth-client-id

paste.sr.ht’s OAuth client id for meta.sr.ht.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."paste.sr.ht".oauth-client-secret

paste.sr.ht’s OAuth client secret for meta.sr.ht.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."paste.sr.ht".origin

URL paste.sr.ht is being served at (protocol://domain)

Type: string

Default: "https://paste.example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."sr.ht".environment

Values other than “production” adds a banner to each page.

Type: one of “development”, “production”

Default: "development"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."sr.ht".global-domain

Global domain name.

Type: string

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."sr.ht".network-key

An absolute file path (which should be outside the Nix-store) to a secret key to encrypt internal messages with. Use srht-keygen network to generate this key. It must be consistent between all services and nodes.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."sr.ht".owner-email

Owner’s email.

Type: string

Default: "contact@example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."sr.ht".owner-name

Owner’s name.

Type: string

Default: "John Doe"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."sr.ht".service-key

An absolute file path (which should be outside the Nix-store) to a key used for encrypting session cookies. Use srht-keygen service to generate the service key. This must be shared between each node of the same service (e.g. git1.sr.ht and git2.sr.ht), but different services may use different keys. If you configure all of your services with the same config.ini, you may use the same service-key for all of them.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."sr.ht".site-blurb

Blurb for your site.

Type: string

Default: "the hacker's forge"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."sr.ht".site-info

The top-level info page for your site.

Type: string

Default: "https://sourcehut.org"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."sr.ht".site-name

The name of your network of sr.ht-based sites.

Type: string

Default: "sourcehut"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."sr.ht".source-url

The source code for your fork of sr.ht.

Type: string

Default: "https://git.sr.ht/~sircmpwn/srht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."todo.sr.ht".api-origin

Origin URL for the API

Type: string

Default: "http://${services.sourcehut.listenAddress}:${toString (services.sourcehut.todo.port + 100)}"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."todo.sr.ht".connection-string

SQLAlchemy connection string for the database.

Type: string

Default: "postgresql:///localhost?user=todosrht&host=/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."todo.sr.ht".debug-host

Address to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."todo.sr.ht".debug-port

Port to bind the debug server to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."todo.sr.ht".migrate-on-upgrade

Whether to enable automatic migrations on package upgrade.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."todo.sr.ht".notify-from

Outgoing email for notifications generated by users.

Type: string

Default: "todo-notify@localhost.localdomain"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."todo.sr.ht".oauth-client-id

todo.sr.ht’s OAuth client id for meta.sr.ht.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."todo.sr.ht".oauth-client-secret

todo.sr.ht’s OAuth client secret for meta.sr.ht.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."todo.sr.ht".origin

URL todo.sr.ht is being served at (protocol://domain)

Type: string

Default: "https://todo.example.com"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."todo.sr.ht".webhooks

The Redis connection used for the webhooks worker.

Type: string

Default: "redis+socket:///run/redis-sourcehut-todosrht/redis.sock?virtual_host=1"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."todo.sr.ht::mail".posting-domain

Posting domain.

Type: string

Default: "todo.localhost.localdomain"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."todo.sr.ht::mail".sock

Path for the lmtp daemon’s unix socket. Direct incoming mail to this socket. Alternatively, specify IP:PORT and an SMTP server will be run instead.

Type: string

Default: "/tmp/todo.sr.ht-lmtp.sock"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings."todo.sr.ht::mail".sock-group

The lmtp daemon will make the unix socket group-read/write for users in this group.

Type: string

Default: "postfix"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.settings.webhooks.private-key

An absolute file path (which should be outside the Nix-store) to a base64-encoded Ed25519 key for signing webhook payloads. This should be consistent for all *.sr.ht sites, as this key will be used to verify signatures from other sites in your network. Use the srht-keygen webhook command to generate a key.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.todo.enable

Whether to enable todo service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.todo.group

Group for todo.sr.ht. Membership grants access to the Git/Mercurial repositories by default, but not to the config.ini file (where secrets are).

Type: string

Default: "todosrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.todo.gunicorn.extraArgs

Extra arguments passed to Gunicorn.

Type: list of string

Default:

[
  "--timeout 120"
  "--workers 1"
  "--log-level=info"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.todo.port

Port on which the “todo” backend should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5003

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.todo.postgresql.database

PostgreSQL database name for the todo.sr.ht service, used if services.sourcehut.postgresql.enable is true.

Type: string

Default: "todo.sr.ht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.todo.redis.host

The redis host URL. This is used for caching and temporary storage, and must be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be shared between services. It may be shared between services, however, with no ill effect, if this better suits your infrastructure.

Type: string

Default: "unix:///run/redis-sourcehut-todosrht/redis.sock?db=0"

Example: "redis://shared.wireguard:6379/0"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.todo.user

User for todo.sr.ht.

Type: string

Default: "todosrht"

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.todo.webhooks.celeryConfig

Content of the celeryconfig.py used by the Celery responsible for webhooks.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.sourcehut.todo.webhooks.extraArgs

Extra arguments passed to the Celery responsible for webhooks.

Type: list of string

Default:

[
  "--loglevel DEBUG"
  "--pool eventlet"
  "--without-heartbeat"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/sourcehut>
services.spacecookie.enable

Whether to enable spacecookie.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/spacecookie.nix>
services.spacecookie.package

The spacecookie package to use.

Type: package

Default: pkgs.spacecookie

Example: haskellPackages.spacecookie

Declared by:

<nixpkgs/nixos/modules/services/networking/spacecookie.nix>
services.spacecookie.address

Address to listen on. Must be in the ListenStream= syntax of systemd.socket(5).

Type: string

Default: "[::]"

Declared by:

<nixpkgs/nixos/modules/services/networking/spacecookie.nix>
services.spacecookie.openFirewall

Whether to open the necessary port in the firewall for spacecookie.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/spacecookie.nix>
services.spacecookie.port

Port the gopher service should be exposed on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 70

Declared by:

<nixpkgs/nixos/modules/services/networking/spacecookie.nix>
services.spacecookie.settings

Settings for spacecookie. The settings set here are directly translated to the spacecookie JSON config file. See spacecookie.json(5) for explanations of all options.

Type: JSON value

Declared by:

<nixpkgs/nixos/modules/services/networking/spacecookie.nix>
services.spacecookie.settings.hostname

The hostname the service is reachable via. Clients will use this hostname for further requests after loading the initial gopher menu.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/networking/spacecookie.nix>
services.spacecookie.settings.log.enable

Whether to enable logging for spacecookie.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/spacecookie.nix>
services.spacecookie.settings.log.hide-ips

If enabled, spacecookie will hide personal information of users like IP addresses from log output.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/spacecookie.nix>
services.spacecookie.settings.log.hide-time

If enabled, spacecookie will not print timestamps at the beginning of every log line.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/spacecookie.nix>
services.spacecookie.settings.log.level

Log level for the spacecookie service.

Type: one of “info”, “warn”, “error”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/networking/spacecookie.nix>
services.spacecookie.settings.root

The directory spacecookie should serve via gopher. Files in there need to be world-readable since the spacecookie service file sets DynamicUser=true.

Type: path

Default: "/srv/gopher"

Declared by:

<nixpkgs/nixos/modules/services/networking/spacecookie.nix>
services.spamassassin.enable

Whether to enable the SpamAssassin daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/spamassassin.nix>
services.spamassassin.config

The SpamAssassin local.cf config

If you are using this configuration:

add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_

Then you can Use this sieve filter:

require ["fileinto", "reject", "envelope"];

if header :contains "X-Spam-Flag" "YES" {
  fileinto "spam";
}

Or this procmail filter:

:0:
* ^X-Spam-Flag: YES
/var/vpopmail/domains/lastlog.de/js/.maildir/.spam/new

To filter your messages based on the additional mail headers added by spamassassin.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  #rewrite_header Subject [***** SPAM _SCORE_ *****]
  required_score          5.0
  use_bayes               1
  bayes_auto_learn        1
  add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
''

Declared by:

<nixpkgs/nixos/modules/services/mail/spamassassin.nix>
services.spamassassin.debug

Whether to run the SpamAssassin daemon in debug mode

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/spamassassin.nix>
services.spamassassin.initPreConf

The SpamAssassin init.pre config.

Type: string or path

Default:

''
  #
  # to update this list, run this command in the rules directory:
  # grep 'loadplugin.*Mail::SpamAssassin::Plugin::.*' -o -h * | sort | uniq
  #
  
  #loadplugin Mail::SpamAssassin::Plugin::AccessDB
  #loadplugin Mail::SpamAssassin::Plugin::AntiVirus
  loadplugin Mail::SpamAssassin::Plugin::AskDNS
  # loadplugin Mail::SpamAssassin::Plugin::ASN
  loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
  #loadplugin Mail::SpamAssassin::Plugin::AWL
  loadplugin Mail::SpamAssassin::Plugin::Bayes
  loadplugin Mail::SpamAssassin::Plugin::BodyEval
  loadplugin Mail::SpamAssassin::Plugin::Check
  #loadplugin Mail::SpamAssassin::Plugin::DCC
  loadplugin Mail::SpamAssassin::Plugin::DKIM
  loadplugin Mail::SpamAssassin::Plugin::DMARC
  loadplugin Mail::SpamAssassin::Plugin::DNSEval
  loadplugin Mail::SpamAssassin::Plugin::FreeMail
  loadplugin Mail::SpamAssassin::Plugin::HeaderEval
  loadplugin Mail::SpamAssassin::Plugin::HTMLEval
  loadplugin Mail::SpamAssassin::Plugin::HTTPSMismatch
  loadplugin Mail::SpamAssassin::Plugin::ImageInfo
  loadplugin Mail::SpamAssassin::Plugin::MIMEEval
  loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
  # loadplugin Mail::SpamAssassin::Plugin::PDFInfo
  #loadplugin Mail::SpamAssassin::Plugin::PhishTag
  loadplugin Mail::SpamAssassin::Plugin::Pyzor
  loadplugin Mail::SpamAssassin::Plugin::Razor2
  # loadplugin Mail::SpamAssassin::Plugin::RelayCountry
  loadplugin Mail::SpamAssassin::Plugin::RelayEval
  loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
  # loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
  # loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
  loadplugin Mail::SpamAssassin::Plugin::SpamCop
  loadplugin Mail::SpamAssassin::Plugin::SPF
  #loadplugin Mail::SpamAssassin::Plugin::TextCat
  # loadplugin Mail::SpamAssassin::Plugin::TxRep
  loadplugin Mail::SpamAssassin::Plugin::URIDetail
  loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
  loadplugin Mail::SpamAssassin::Plugin::URIEval
  # loadplugin Mail::SpamAssassin::Plugin::URILocalBL
  loadplugin Mail::SpamAssassin::Plugin::VBounce
  loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
  loadplugin Mail::SpamAssassin::Plugin::WLBLEval
''

Declared by:

<nixpkgs/nixos/modules/services/mail/spamassassin.nix>
services.spark.package

The spark package to use.

Type: package

Default: pkgs.spark

Example:

spark.overrideAttrs (super: rec {
  pname = "spark";
  version = "2.4.4";

  src = pkgs.fetchzip {
    url    = "mirror://apache/spark/"${pname}-${version}/${pname}-${version}-bin-without-hadoop.tgz";
    sha256 = "1a9w5k0207fysgpxx6db3a00fs5hdc2ncx99x4ccy2s0v5ndc66g";
  };
})

Declared by:

<nixpkgs/nixos/modules/services/cluster/spark/default.nix>
services.spark.confDir

Spark configuration directory. Spark will use the configuration files (spark-defaults.conf, spark-env.sh, log4j.properties, etc) from this directory.

Type: path

Default: "${package}/conf"

Declared by:

<nixpkgs/nixos/modules/services/cluster/spark/default.nix>
services.spark.logDir

Spark log directory.

Type: path

Default: "/var/log/spark"

Declared by:

<nixpkgs/nixos/modules/services/cluster/spark/default.nix>
services.spark.master.enable

Whether to enable Spark master service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/spark/default.nix>
services.spark.master.bind

Address the spark master binds to.

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/cluster/spark/default.nix>
services.spark.master.extraEnvironment

Extra environment variables to pass to spark master. See spark-standalone documentation.

Type: attribute set of string

Default: { }

Example:

{
  SPARK_MASTER_OPTS = "-Dspark.deploy.defaultCores=5";
  SPARK_MASTER_WEBUI_PORT = 8181;
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/spark/default.nix>
services.spark.master.restartIfChanged

Automatically restart master service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/spark/default.nix>
services.spark.worker.enable

Whether to enable Spark worker service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/spark/default.nix>
services.spark.worker.extraEnvironment

Extra environment variables to pass to spark worker.

Type: attribute set of string

Default: { }

Example:

{
  SPARK_WORKER_CORES = 5;
  SPARK_WORKER_MEMORY = "2g";
}

Declared by:

<nixpkgs/nixos/modules/services/cluster/spark/default.nix>
services.spark.worker.master

Address of the spark master.

Type: string

Default: "127.0.0.1:7077"

Declared by:

<nixpkgs/nixos/modules/services/cluster/spark/default.nix>
services.spark.worker.restartIfChanged

Automatically restart worker service on config change. This can be set to false to defer restarts on clusters running critical applications. Please consider the security implications of inadvertently running an older version, and the possibility of unexpected behavior caused by inconsistent versions across a cluster when disabling this option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/cluster/spark/default.nix>
services.spark.worker.workDir

Spark worker work dir.

Type: path

Default: "/var/lib/spark"

Declared by:

<nixpkgs/nixos/modules/services/cluster/spark/default.nix>
services.speechd.enable

Whether to enable speech-dispatcher speech synthesizer daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/accessibility/speechd.nix>
services.speechd.package

The speechd package to use.

Type: package

Default: pkgs.speechd

Declared by:

<nixpkgs/nixos/modules/services/accessibility/speechd.nix>
services.spice-autorandr.enable

Whether to enable spice-autorandr service that will automatically resize display to match SPICE client window size.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/spice-autorandr.nix>
services.spice-autorandr.package

The spice-autorandr package to use.

Type: package

Default: pkgs.spice-autorandr

Declared by:

<nixpkgs/nixos/modules/services/misc/spice-autorandr.nix>
services.spice-vdagentd.enable

Whether to enable Spice guest vdagent daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/spice-vdagentd.nix>
services.spice-webdavd.enable

Whether to enable the spice guest webdav proxy daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/spice-webdavd.nix>
services.spice-webdavd.package

The phodav package to use.

Type: package

Default: pkgs.phodav

Declared by:

<nixpkgs/nixos/modules/services/misc/spice-webdavd.nix>
services.spiped.enable

Enable the spiped service module.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spiped.config

Configuration for a secure pipe daemon. The daemon can be started, stopped, or examined using systemctl, under the name spiped@foo.

Type: attribute set of (submodule)

Default: { }

Example:

{
  pipe1 =
    { keyfile = "/var/lib/spiped/pipe1.key";
      encrypt = true;
      source  = "localhost:6000";
      target  = "endpoint.example.com:7000";
    };
  pipe2 =
    { keyfile = "/var/lib/spiped/pipe2.key";
      decrypt = true;
      source  = "0.0.0.0:7000";
      target  = "localhost:3000";
    };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spiped.config.<name>.decrypt

Take encrypted connections from the source socket and send unencrypted connections to the target socket.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spiped.config.<name>.disableKeepalives

Disable transport layer keep-alives.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spiped.config.<name>.disableReresolution

Disable target address re-resolution.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spiped.config.<name>.encrypt

Take unencrypted connections from the source socket and send encrypted connections to the target socket.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spiped.config.<name>.keyfile

Name of a file containing the spiped key. As the daemon runs as the spiped user, the key file must be readable by that user. To securely manage the file within your configuration consider a tool such as agenix or sops-nix.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spiped.config.<name>.maxConns

Limit on the number of simultaneous connections allowed.

Type: signed integer

Default: 100

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spiped.config.<name>.resolveRefresh

Resolution refresh time for the target socket, in seconds.

Type: signed integer

Default: 60

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spiped.config.<name>.source

Address on which spiped should listen for incoming connections. Must be in one of the following formats: /absolute/path/to/unix/socket, host.name:port, [ip.v4.ad.dr]:port or [ipv6::addr]:port - note that hostnames are resolved when spiped is launched and are not re-resolved later; thus if DNS entries change spiped will continue to connect to the expired address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spiped.config.<name>.target

Address to which spiped should connect.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spiped.config.<name>.timeout

Timeout, in seconds, after which an attempt to connect to the target or a protocol handshake will be aborted (and the connection dropped) if not completed

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spiped.config.<name>.waitForDNS

Wait for DNS. Normally when spiped is launched it resolves addresses and binds to its source socket before the parent process returns; with this option it will daemonize first and retry failed DNS lookups until they succeed. This allows spiped to launch even if DNS isn’t set up yet, but at the expense of losing the guarantee that once spiped has finished launching it will be ready to create pipes.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spiped.config.<name>.weakHandshake

Use fast/weak handshaking: This reduces the CPU time spent in the initial connection setup, at the expense of losing perfect forward secrecy.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/spiped.nix>
services.spotifyd.enable

Whether to enable spotifyd, a Spotify playing daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/spotifyd.nix>
services.spotifyd.config

(Deprecated) Configuration for Spotifyd. For syntax and directives, see https://docs.spotifyd.rs/config/File.html.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/audio/spotifyd.nix>
services.spotifyd.settings

Configuration for Spotifyd. For syntax and directives, see https://docs.spotifyd.rs/config/File.html.

Type: TOML value

Default: { }

Example:

{
  global = {
    bitrate = 320;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/audio/spotifyd.nix>
services.squeezelite.enable

Whether to enable Squeezelite, a software Squeezebox emulator.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/squeezelite.nix>
services.squeezelite.extraArguments

Additional command line arguments to pass to Squeezelite.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/audio/squeezelite.nix>
services.squeezelite.pulseAudio

Whether to enable pulseaudio support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/squeezelite.nix>
services.squid.enable

Whether to run squid web proxy.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/squid.nix>
services.squid.package

The squid package to use.

Type: package

Default: pkgs.squid

Declared by:

<nixpkgs/nixos/modules/services/networking/squid.nix>
services.squid.configText

Verbatim contents of squid.conf. If null (default), use the autogenerated file from NixOS instead.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/squid.nix>
services.squid.extraConfig

Squid configuration. Contents will be added verbatim to the configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/squid.nix>
services.squid.proxyAddress

IP address on which squid will listen.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/squid.nix>
services.squid.proxyPort

TCP port on which squid will listen.

Type: signed integer

Default: 3128

Declared by:

<nixpkgs/nixos/modules/services/networking/squid.nix>
services.sshd.enable

Alias of services.openssh.enable.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
services.sshguard.enable

Whether to enable the sshguard service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/sshguard.nix>
services.sshguard.attack_threshold

Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.

Type: signed integer

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/security/sshguard.nix>
services.sshguard.blacklist_file

Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.

Type: path

Default: "/var/lib/sshguard/blacklist.db"

Declared by:

<nixpkgs/nixos/modules/services/security/sshguard.nix>
services.sshguard.blacklist_threshold

Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.

Type: null or signed integer

Default: null

Example: 120

Declared by:

<nixpkgs/nixos/modules/services/security/sshguard.nix>
services.sshguard.blocktime

Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.

sshguard unblocks attacks at random intervals, so actual block times will be longer.

Type: signed integer

Default: 120

Declared by:

<nixpkgs/nixos/modules/services/security/sshguard.nix>
services.sshguard.detection_time

Remember potential attackers for up to detection_time seconds before resetting their score.

Type: signed integer

Default: 1800

Declared by:

<nixpkgs/nixos/modules/services/security/sshguard.nix>
services.sshguard.services

Systemd services sshguard should receive logs of.

Type: list of string

Default:

[
  "sshd"
]

Example:

[
  "sshd"
  "exim"
]

Declared by:

<nixpkgs/nixos/modules/services/security/sshguard.nix>
services.sshguard.whitelist

Whitelist a list of addresses, hostnames, or address blocks.

Type: list of string

Default: [ ]

Example:

[
  "198.51.100.56"
  "198.51.100.2"
]

Declared by:

<nixpkgs/nixos/modules/services/security/sshguard.nix>
services.sslh.enable

Whether to enable sslh, protocol demultiplexer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/sslh.nix>
services.sslh.listenAddresses

Listening addresses or hostnames.

Type: (list of string) or string convertible to it

Default:

[
  "0.0.0.0"
  "[::]"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/sslh.nix>
services.sslh.method

The method to use for handling connections:

  • fork forks a new process for each incoming connection. It is well-tested and very reliable, but incurs the overhead of many processes.

  • select uses only one thread, which monitors all connections at once. It has lower overhead per connection, but if it stops, you’ll lose all connections.

  • ev is implemented using libev, it’s similar to select but scales better to a large number of connections.

Type: one of “fork”, “select”, “ev”

Default: "fork"

Declared by:

<nixpkgs/nixos/modules/services/networking/sslh.nix>
services.sslh.port

Listening port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 443

Declared by:

<nixpkgs/nixos/modules/services/networking/sslh.nix>
services.sslh.settings

sslh configuration. See sslh(8) for available settings.

Type: attribute set of (libconfig value)

Declared by:

<nixpkgs/nixos/modules/services/networking/sslh.nix>
services.sslh.settings.numeric

Whether to disable reverse DNS lookups, thus keeping IP address literals in the log.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/sslh.nix>
services.sslh.settings.protocols

List of protocols sslh will probe for and redirect. Each protocol entry consists of:

  • name: name of the probe.

  • service: libwrap service name (see hosts_access(5)),

  • host, port: where to connect when this probe succeeds,

  • log_level: to log incoming connections,

  • transparent: proxy this protocol transparently,

  • etc.

See the documentation for all options, including probe-specific ones.

Type: list of attribute set of (libconfig value)

Default:

[
  {
    host = "localhost";
    name = "ssh";
    port = "22";
    service = "ssh";
  }
  {
    host = "localhost";
    name = "openvpn";
    port = "1194";
  }
  {
    host = "localhost";
    name = "xmpp";
    port = "5222";
  }
  {
    host = "localhost";
    name = "http";
    port = "80";
  }
  {
    host = "localhost";
    name = "tls";
    port = "443";
  }
  {
    host = "localhost";
    name = "anyprot";
    port = "443";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/sslh.nix>
services.sslh.settings.timeout

Timeout in seconds.

Type: unsigned integer, meaning >=0

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/networking/sslh.nix>
services.sslh.settings.transparent

Whether the services behind sslh (Apache, sshd and so on) will see the external IP and ports as if the external world connected directly to them.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/sslh.nix>
services.sslh.settings.verbose-connections

Where to log connections information. Possible values are:

  1. don’t log anything

  2. write log to stdout

  3. write log to syslog

  4. write log to both stdout and syslog

  5. write to a log file (sslh.settings.logfile)

Type: integer between 0 and 4 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/sslh.nix>
services.sslmate-agent.enable

Whether to enable sslmate-agent, a daemon for managing SSL/TLS certificates on a server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/sslmate-agent.nix>
services.sssd.enable

Whether to enable the System Security Services Daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sssd.nix>
services.sssd.config

Contents of sssd.conf.

Type: strings concatenated with “\n”

Default:

''
  [sssd]
  config_file_version = 2
  services = nss, pam
  domains = shadowutils
  
  [nss]
  
  [pam]
  
  [domain/shadowutils]
  id_provider = proxy
  proxy_lib_name = files
  auth_provider = proxy
  proxy_pam_target = sssd-shadowutils
  proxy_fast_alias = True
''

Declared by:

<nixpkgs/nixos/modules/services/misc/sssd.nix>
services.sssd.environmentFile

Environment file as defined in systemd.exec(5).

Secrets may be passed to the service without adding them to the world-readable Nix store, by specifying placeholder variables as the option value in Nix and setting these variables accordingly in the environment file.

  # snippet of sssd-related config
  [domain/LDAP]
  ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
  # contents of the environment file
  SSSD_LDAP_DEFAULT_AUTHTOK=verysecretpassword

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/sssd.nix>
services.sssd.kcm

Whether to use SSS as a Kerberos Cache Manager (KCM). Kerberos will be configured to cache credentials in SSS.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/sssd.nix>
services.sssd.sshAuthorizedKeysIntegration

Whether to make sshd look up authorized keys from SSS. For this to work, the ssh SSS service must be enabled in the sssd configuration.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/sssd.nix>
services.stalwart-mail.enable

Whether to enable the Stalwart all-in-one email server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/stalwart-mail.nix>
services.stalwart-mail.package

The stalwart-mail package to use.

Type: package

Default: pkgs.stalwart-mail

Declared by:

<nixpkgs/nixos/modules/services/mail/stalwart-mail.nix>
services.stalwart-mail.openFirewall

Whether to open TCP firewall ports, which are specified in services.stalwart-mail.settings.listener on all interfaces.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/mail/stalwart-mail.nix>
services.stalwart-mail.settings

Configuration options for the Stalwart email server. See https://stalw.art/docs/category/configuration for available options.

By default, the module is configured to store everything locally.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/stalwart-mail.nix>
services.stargazer.enable

Whether to enable Stargazer Gemini server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.allowCgiUser

When enabled, the stargazer process will be given CAP_SETGID and CAP_SETUID so that it can run cgi processes as a different user. This is required if the cgi-user option is used for a route. Note that these capabilities could allow privilege escalation so be careful. For that reason, this is disabled by default.

You will need to create the user mentioned cgi-user if it does not already exist.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.certLifetime

How long certs generated by Stargazer should live for. Certs live forever by default.

Type: string

Default: ""

Example: "1y"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.certOrg

The name of the organization responsible for the X.509 certificate’s /O name.

Type: string

Default: "stargazer"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.connectionLogging

Whether or not to log connections to stdout.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.debugMode

Run Stargazer in debug mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.genCerts

Set to false to disable automatic certificate generation. Use if you want to provide your own certs.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.group

Group account under which stargazer runs.

Type: string

Default: "stargazer"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.ipLog

Log client IP addresses in the connection log.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.ipLogPartial

Log partial client IP addresses in the connection log.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.listen

Address and port to listen on.

Type: list of string

Default: [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]"

Example: [ "10.0.0.12" "[2002:a00:1::]" ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.regenCerts

Set to false to turn off automatic regeneration of expired certificates. Use if you want to provide your own certs.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.requestTimeout

Number of seconds to wait for the client to send a complete request. Set to 0 to disable.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.responseTimeout

Number of seconds to wait for the client to send a complete request and for stargazer to finish sending the response. Set to 0 to disable.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.routes

Routes that Stargazer should server.

Expressed as a list of attribute sets. Each set must have a key route that becomes the section name for that route in the stargazer ini cofig. The remaining keys and values become the parameters for that route.

Refer to upstream docs for other params

Type: list of (attribute set of (INI atom (null, bool, int, float or string)))

Default: [ ]

Example:

[
  {
    route = "example.com";
    root = "/srv/gemini/example.com"
  }
  {
    route = "example.com:/man";
    root = "/cgi-bin";
    cgi = true;
  }
  {
    route = "other.org~(.*)";
    redirect = "gemini://example.com";
    rewrite = "\1";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.routes.*.route

Route section name

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.store

Path to the certificate store on disk. This should be a persistent directory writable by Stargazer.

Type: path

Default: /var/lib/gemini/certs

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.stargazer.user

User account under which stargazer runs.

Type: string

Default: "stargazer"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/stargazer.nix>
services.static-web-server.enable

Whether to enable Static Web Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/static-web-server.nix>
services.static-web-server.configuration

Configuration for Static Web Server. See https://static-web-server.net/configuration/config-file/. NOTE: Don’t set “host”, “port”, or “root” here. They will be ignored. Use the top-level “listen” and “root” options instead.

Type: TOML value

Default: { }

Example:

{
  general = {
    directory-listing = true;
    log-level = "error";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/static-web-server.nix>
services.static-web-server.listen

The “ListenStream” used in static-web-server.socket. This is equivalent to SWS’s “host” and “port” options. See here for specific syntax: https://www.freedesktop.org/software/systemd/man/systemd.socket.html#ListenStream=

Type: string

Default: "[::]:8787"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/static-web-server.nix>
services.static-web-server.root

The location of files for SWS to serve. Equivalent to SWS’s “root” config value. NOTE: This folder must exist before starting SWS.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-servers/static-web-server.nix>
services.statsd.enable

Whether to enable statsd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/statsd.nix>
services.statsd.backends

List of backends statsd will use for data persistence

Type: list of string

Default: [ ]

Example:

[
  "graphite"
  "console"
  "repeater"
  "statsd-librato-backend"
  "statsd-influxdb-backend"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/statsd.nix>
services.statsd.extraConfig

Extra configuration options for statsd

Type: null or string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/statsd.nix>
services.statsd.graphiteHost

Hostname or IP of Graphite server

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/statsd.nix>
services.statsd.graphitePort

Port of Graphite server (i.e. carbon-cache).

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/statsd.nix>
services.statsd.listenAddress

Address that statsd listens on over UDP

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/statsd.nix>
services.statsd.mgmt_address

Address to run management TCP interface on

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/statsd.nix>
services.statsd.mgmt_port

Port to run the management TCP interface on

Type: signed integer

Default: 8126

Declared by:

<nixpkgs/nixos/modules/services/monitoring/statsd.nix>
services.statsd.port

Port that stats listens for messages on over UDP

Type: signed integer

Default: 8125

Declared by:

<nixpkgs/nixos/modules/services/monitoring/statsd.nix>
services.step-ca.enable

Whether to enable the smallstep certificate authority server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/step-ca.nix>
services.step-ca.package

Which step-ca package to use.

Type: package

Default: pkgs.step-ca

Declared by:

<nixpkgs/nixos/modules/services/security/step-ca.nix>
services.step-ca.address

The address (without port) the certificate authority should listen at. This combined with services.step-ca.port overrides services.step-ca.settings.address.

Type: string

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/security/step-ca.nix>
services.step-ca.intermediatePasswordFile

Path to the file containing the password for the intermediate certificate private key.

Warning

Make sure to use a quoted absolute path instead of a path literal to prevent it from being copied to the globally readable Nix store.

Type: path

Example: "/run/keys/smallstep-password"

Declared by:

<nixpkgs/nixos/modules/services/security/step-ca.nix>
services.step-ca.openFirewall

Whether to enable opening the certificate authority server port.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/step-ca.nix>
services.step-ca.port

The port the certificate authority should listen on. This combined with services.step-ca.address overrides services.step-ca.settings.address.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Example: 8443

Declared by:

<nixpkgs/nixos/modules/services/security/step-ca.nix>
services.step-ca.settings

Settings that go into ca.json. See the step-ca manual for more information. The easiest way to configure this module would be to run step ca init to generate ca.json and then import it using builtins.fromJSON. This article may also be useful if you want to customize certain aspects of certificate generation for your CA. You need to change the database storage path to /var/lib/step-ca/db.

Warning

The services.step-ca.settings.address option will be ignored and overwritten by services.step-ca.address and services.step-ca.port.

Type: attribute set of anything

Declared by:

<nixpkgs/nixos/modules/services/security/step-ca.nix>
services.stirling-pdf.enable

Whether to enable the stirling-pdf service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/stirling-pdf.nix>
services.stirling-pdf.package

The stirling-pdf package to use.

Type: package

Default: pkgs.stirling-pdf

Declared by:

<nixpkgs/nixos/modules/services/web-apps/stirling-pdf.nix>
services.stirling-pdf.environment

Environment variables for the stirling-pdf app. See https://github.com/Stirling-Tools/Stirling-PDF#customisation for available options.

Type: attribute set of (string or signed integer)

Default: { }

Example:

{
  INSTALL_BOOK_AND_ADVANCED_HTML_OPS = "true";
  SERVER_PORT = 8080;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/stirling-pdf.nix>
services.stirling-pdf.environmentFiles

Files containing additional environment variables to pass to Stirling PDF. Secrets should be added in environmentFiles instead of environment.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/stirling-pdf.nix>
services.stratis.enable

Whether to enable Stratis Storage - Easy to use local storage management for Linux.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/stratis.nix>
services.strongswan.enable

Whether to enable strongSwan.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan.nix>
services.strongswan.enabledPlugins

A list of additional plugins to enable if managePlugins is true.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan.nix>
services.strongswan.ca

A set of CAs (certification authorities) and their options for the ‘ca xxx’ sections of the ipsec.conf file.

Type: attribute set of attribute set of string

Default: { }

Example:

{
  strongswan = {
    auto = "add";
    cacert = "/run/keys/strongswanCert.pem";
    crluri = "http://crl2.strongswan.org/strongswan.crl";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan.nix>
services.strongswan.connections

A set of connections and their options for the ‘conn xxx’ sections of the ipsec.conf file.

Type: attribute set of attribute set of string

Default: { }

Example:

{
  "%default" = {
    keyexchange = "ikev2";
    keyingtries = "1";
  };
  roadwarrior = {
    auto       = "add";
    leftcert   = "/run/keys/moonCert.pem";
    leftid     = "@moon.strongswan.org";
    leftsubnet = "10.1.0.0/16";
    right      = "%any";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan.nix>
services.strongswan.managePlugins

If set to true, this option will disable automatic plugin loading and then tell strongSwan to enable the plugins specified in the enabledPlugins option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan.nix>
services.strongswan.secrets

A list of paths to IPSec secret files. These files will be included into the main ipsec.secrets file with the include directive. It is safer if these paths are absolute.

Type: list of string

Default: [ ]

Example:

[
  "/run/keys/ipsec-foo.secret"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan.nix>
services.strongswan.setup

A set of options for the ‘config setup’ section of the ipsec.conf file. Defines general configuration parameters.

Type: attribute set of string

Default: { }

Example:

{
  cachecrls = "yes";
  strictcrlpolicy = "yes";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan.nix>
services.strongswan-swanctl.enable

Whether to enable strongswan-swanctl service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.package

The strongswan package to use.

Type: package

Default: pkgs.strongswan

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.includes

Extra configuration files to include in the swanctl configuration. This can be used to provide secret values from outside the nix store.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.strongswan.extraConfig

Contents of the strongswan.conf file.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.authorities

Section defining complementary attributes of certification authorities, each in its own subsection with an arbitrary yet unique name

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.authorities.<name>.cacert

The certificates may use a relative path from the swanctl x509ca directory or an absolute path.

Configure one of cacert, file, or handle per section.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.authorities.<name>.cert_uri_base

Defines the base URI for the Hash and URL feature supported by IKEv2. Instead of exchanging complete certificates, IKEv2 allows one to send an URI that resolves to the DER encoded certificate. The certificate URIs are built by appending the SHA1 hash of the DER encoded certificates to this base URI.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.authorities.<name>.crl_uris

List of CRL distribution points (ldap, http, or file URI).

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.authorities.<name>.file

Absolute path to the certificate to load. Passed as-is to the daemon, so it must be readable by it.

Configure either this or handle, but not both, in one section.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.authorities.<name>.handle

Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively.

Configure either this or file, but not both, in one section.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.authorities.<name>.module

Optional PKCS#11 module name.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.authorities.<name>.ocsp_uris

List of OCSP URIs.

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.authorities.<name>.slot

Optional slot number of the token that stores the certificate.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections

Section defining IKE connection configurations, each in its own subsection with an arbitrary yet unique name

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.aggressive

Enables Aggressive Mode instead of Main Mode with Identity Protection. Aggressive Mode is considered less secure, because the ID and HASH payloads are exchanged unprotected. This allows a passive attacker to snoop peer identities, and even worse, start dictionary attacks on the Preshared Key.

StrongSwan default: false

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.childless

Use childless IKE_SA initiation (allow, prefer, force or never).

Use childless IKE_SA initiation (RFC 6023) for IKEv2, with the first CHILD_SA created with a separate CREATE_CHILD_SA exchange (e.g. to use an independent DH exchange for all CHILD_SAs). Acceptable values are allow (the default), prefer, force and never. If set to allow, responders will accept childless IKE_SAs (as indicated via notify in the IKE_SA_INIT response) while initiators continue to create regular IKE_SAs with the first CHILD_SA created during IKE_AUTH, unless the IKE_SA is initiated explicitly without any children (which will fail if the responder does not support or has disabled this extension). The effect of prefer is the same as allow on responders, but as initiator a childless IKE_SA is initiated if the responder supports it. If set to force, only childless initiation is accepted in either role. Finally, setting the option to never disables support for childless IKE_SAs as responder.

StrongSwan default: "allow"

Type: null or one of “allow”, “prefer”, “force”, “never”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children

CHILD_SA configuration sub-section. Each connection definition may have one or more sections in its children subsection. The section name defines the name of the CHILD_SA configuration, which must be unique within the connection (denoted <child> below).

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.ah_proposals

AH proposals to offer for the CHILD_SA. A proposal is a set of algorithms. For AH, this includes an integrity algorithm and an optional Diffie-Hellman group. If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation uses a separate Diffie-Hellman exchange using the specified group (refer to esp_proposals for details).

In IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. In IKEv1, only one algorithm per kind is allowed per proposal, more algorithms get implicitly stripped. Use multiple proposals to offer different algorithms combinations in IKEv1.

Algorithm keywords get separated using dashes. Multiple proposals may be specified in a list. The special value default forms a default proposal of supported algorithms considered safe, and is usually a good choice for interoperability. By default no AH proposals are included, instead ESP is proposed.

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.close_action

Action to perform after a CHILD_SA gets closed by the peer.

  • The default of none does not take any action,

  • trap installs a trap policy for the CHILD_SA.

  • start tries to re-create the CHILD_SA.

close_action does not provide any guarantee that the CHILD_SA is kept alive. It acts on explicit close messages only, but not on negotiation failures. Use trap policies to reliably re-create failed CHILD_SAs.

StrongSwan default: "none"

Type: null or one of “none”, “trap”, “start”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.copy_df

Whether to copy the DF bit to the outer IPv4 header in tunnel mode. This effectively disables Path MTU discovery (PMTUD). Controlling this behavior is not supported by all kernel interfaces.

StrongSwan default: true

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.copy_dscp

Whether to copy the DSCP (Differentiated Services Field Codepoint) header field to/from the outer IP header in tunnel mode. The value out only copies the field from the inner to the outer header, the value in does the opposite and only copies the field from the outer to the inner header when decapsulating, the value yes copies the field in both directions, and the value no disables copying the field altogether. Setting this to yes or in could allow an attacker to adversely affect other traffic at the receiver, which is why the default is out. Controlling this behavior is not supported by all kernel interfaces.

StrongSwan default: "out"

Type: null or one of “out”, “in”, “yes”, “no”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.copy_ecn

Whether to copy the ECN (Explicit Congestion Notification) header field to/from the outer IP header in tunnel mode. Controlling this behavior is not supported by all kernel interfaces.

StrongSwan default: true

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.dpd_action

Action to perform for this CHILD_SA on DPD timeout. The default clear closes the CHILD_SA and does not take further action. trap installs a trap policy, which will catch matching traffic and tries to re-negotiate the tunnel on-demand. restart immediately tries to re-negotiate the CHILD_SA under a fresh IKE_SA.

StrongSwan default: "clear"

Type: null or one of “clear”, “trap”, “restart”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.esp_proposals

ESP proposals to offer for the CHILD_SA. A proposal is a set of algorithms. For ESP non-AEAD proposals, this includes an integrity algorithm, an encryption algorithm, an optional Diffie-Hellman group and an optional Extended Sequence Number Mode indicator. For AEAD proposals, a combined mode algorithm is used instead of the separate encryption/integrity algorithms.

If a DH group is specified, CHILD_SA/Quick Mode rekeying and initial negotiation use a separate Diffie-Hellman exchange using the specified group. However, for IKEv2, the keys of the CHILD_SA created implicitly with the IKE_SA will always be derived from the IKE_SA’s key material. So any DH group specified here will only apply when the CHILD_SA is later rekeyed or is created with a separate CREATE_CHILD_SA exchange. A proposal mismatch might, therefore, not immediately be noticed when the SA is established, but may later cause rekeying to fail.

Extended Sequence Number support may be indicated with the esn and noesn values, both may be included to indicate support for both modes. If omitted, noesn is assumed.

In IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. In IKEv1, only one algorithm per kind is allowed per proposal, more algorithms get implicitly stripped. Use multiple proposals to offer different algorithms combinations in IKEv1.

Algorithm keywords get separated using dashes. Multiple proposals may be specified as a list. The special value default forms a default proposal of supported algorithms considered safe, and is usually a good choice for interoperability. If no algorithms are specified for AH nor ESP, the default set of algorithms for ESP is included.

StrongSwan default: ["default"]

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.hostaccess

Hostaccess variable to pass to updown script.

StrongSwan default: false

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.hw_offload

Enable hardware offload for this CHILD_SA, if supported by the IPsec implementation. The values crypto or packet enforce crypto or full packet offloading and the installation will fail if the selected mode is not supported by either kernel or device. On Linux, packet also offloads policies, including trap policies. The value auto enables full packet or crypto offloading, if either is supported, but the installation does not fail otherwise.

StrongSwan default: "no"

Type: null or one of “yes”, “no”, “auto”, “crypto”, “packet”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.if_id_in

XFRM interface ID set on inbound policies/SA. This allows installing duplicate policies/SAs and associates them with an interface with the same ID. The special value %unique sets a unique interface ID on each CHILD_SA instance, beyond that the value %unique-dir assigns a different unique interface ID for each CHILD_SA direction (in/out).

StrongSwan default: "0"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.if_id_out

XFRM interface ID set on outbound policies/SA. This allows installing duplicate policies/SAs and associates them with an interface with the same ID. The special value %unique sets a unique interface ID on each CHILD_SA instance, beyond that the value %unique-dir assigns a different unique interface ID for each CHILD_SA direction (in/out).

The daemon will not install routes for CHILD_SAs that have this option set.

StrongSwan default: "0"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.inactivity

Timeout before closing CHILD_SA after inactivity. If no traffic has been processed in either direction for the configured timeout, the CHILD_SA gets closed due to inactivity. The default value of 0 disables inactivity checks.

StrongSwan default: "0s"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.interface

Optional interface name to restrict outbound IPsec policies.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.ipcomp

Enable IPComp compression before encryption. If enabled, IKE tries to negotiate IPComp compression to compress ESP payload data prior to encryption.

StrongSwan default: false

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.life_bytes

Maximum bytes processed before CHILD_SA gets closed. Usually this hard volume limit is never reached, because the CHILD_SA gets rekeyed before. If that fails for whatever reason, this limit closes the CHILD_SA. The default is 10% more than rekey_bytes.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.life_packets

Maximum number of packets processed before CHILD_SA gets closed. Usually this hard packets limit is never reached, because the CHILD_SA gets rekeyed before. If that fails for whatever reason, this limit closes the CHILD_SA.

The default is 10% more than rekey_bytes.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.life_time

Maximum lifetime before CHILD_SA gets closed. Usually this hard lifetime is never reached, because the CHILD_SA gets rekeyed before. If that fails for whatever reason, this limit closes the CHILD_SA. The default is 10% more than the rekey_time.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.local_ts

List of local traffic selectors to include in CHILD_SA. Each selector is a CIDR subnet definition, followed by an optional proto/port selector. The special value dynamic may be used instead of a subnet definition, which gets replaced by the tunnel outer address or the virtual IP, if negotiated. This is the default.

A protocol/port selector is surrounded by opening and closing square brackets. Between these brackets, a numeric or getservent(3) protocol name may be specified. After the optional protocol restriction, an optional port restriction may be specified, separated by a slash. The port restriction may be numeric, a getservent(3) service name, or the special value opaque for RFC 4301 OPAQUE selectors. Port ranges may be specified as well, none of the kernel backends currently support port ranges, though.

When IKEv1 is used only the first selector is interpreted, except if the Cisco Unity extension plugin is used. This is due to a limitation of the IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA. So to tunnel traffic matched by several pairs of selectors when using IKEv1 several children (CHILD_SAs) have to be defined that cover the selectors. The IKE daemon uses traffic selector narrowing for IKEv1, the same way it is standardized and implemented for IKEv2. However, this may lead to problems with other implementations. To avoid that, configure identical selectors in such scenarios.

StrongSwan default: ["dynamic"]

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_in

Netfilter mark and mask for input traffic. On Linux, Netfilter may require marks on each packet to match an SA/policy having that option set. This allows installing duplicate policies and enables Netfilter rules to select specific SAs/policies for incoming traffic. Note that inbound marks are only set on policies, by default, unless mark_in_sa is enabled. The special value %unique sets a unique mark on each CHILD_SA instance, beyond that the value %unique-dir assigns a different unique mark for each

An additional mask may be appended to the mark, separated by /. The default mask if omitted is 0xffffffff.

StrongSwan default: "0/0x00000000"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_in_sa

Whether to set mark_in on the inbound SA. By default, the inbound mark is only set on the inbound policy. The tuple destination address, protocol and SPI is unique and the mark is not required to find the correct SA, allowing to mark traffic after decryption instead (where more specific selectors may be used) to match different policies. Marking packets before decryption is still possible, even if no mark is set on the SA.

StrongSwan default: false

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mark_out

Netfilter mark and mask for output traffic. On Linux, Netfilter may require marks on each packet to match a policy/SA having that option set. This allows installing duplicate policies and enables Netfilter rules to select specific policies/SAs for outgoing traffic. The special value %unique sets a unique mark on each CHILD_SA instance, beyond that the value %unique-dir assigns a different unique mark for each CHILD_SA direction (in/out).

An additional mask may be appended to the mark, separated by /. The default mask if omitted is 0xffffffff.

StrongSwan default: "0/0x00000000"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.mode

IPsec Mode to establish CHILD_SA with.

  • tunnel negotiates the CHILD_SA in IPsec Tunnel Mode,

  • whereas transport uses IPsec Transport Mode.

  • transport_proxy signifying the special Mobile IPv6 Transport Proxy Mode.

  • beet is the Bound End to End Tunnel mixture mode, working with fixed inner addresses without the need to include them in each packet.

  • Both transport and beet modes are subject to mode negotiation; tunnel mode is negotiated if the preferred mode is not available.

  • pass and drop are used to install shunt policies which explicitly bypass the defined traffic from IPsec processing or drop it, respectively.

StrongSwan default: "tunnel"

Type: null or one of “tunnel”, “transport”, “transport_proxy”, “beet”, “pass”, “drop”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.policies

Whether to install IPsec policies or not. Disabling this can be useful in some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon. Since 5.3.3.

StrongSwan default: true

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.policies_fwd_out

Whether to install outbound FWD IPsec policies or not. Enabling this is required in case there is a drop policy that would match and block forwarded traffic for this CHILD_SA. Since 5.5.1.

StrongSwan default: false

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.priority

Optional fixed priority for IPsec policies. This could be useful to install high-priority drop policies. The default of 0 uses dynamically calculated priorities based on the size of the traffic selectors.

StrongSwan default: 0

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rand_bytes

Byte range from which to choose a random value to subtract from rekey_bytes. The default is the difference between life_bytes and rekey_bytes.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rand_packets

Packet range from which to choose a random value to subtract from rekey_packets. The default is the difference between life_packets and rekey_packets.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rand_time

Time range from which to choose a random value to subtract from rekey_time. The default is the difference between life_time and rekey_time.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_bytes

Number of bytes processed before initiating CHILD_SA rekeying. CHILD_SA rekeying refreshes key material, optionally using a Diffie-Hellman exchange if a group is specified in the proposal.

To avoid rekey collisions initiated by both ends simultaneously, a value in the range of rand_bytes gets subtracted to form the effective soft volume limit.

Volume based CHILD_SA rekeying is disabled by default.

StrongSwan default: 0

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_packets

Number of packets processed before initiating CHILD_SA rekeying. CHILD_SA rekeying refreshes key material, optionally using a Diffie-Hellman exchange if a group is specified in the proposal.

To avoid rekey collisions initiated by both ends simultaneously, a value in the range of rand_packets gets subtracted to form the effective soft packet count limit.

Packet count based CHILD_SA rekeying is disabled by default.

StrongSwan default: 0

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_time

Time to schedule CHILD_SA rekeying. CHILD_SA rekeying refreshes key material, optionally using a Diffie-Hellman exchange if a group is specified in the proposal. To avoid rekey collisions initiated by both ends simultaneously, a value in the range of rand_time gets subtracted to form the effective soft lifetime.

By default CHILD_SA rekeying is scheduled every hour, minus rand_time.

StrongSwan default: "1h"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.remote_ts

List of remote selectors to include in CHILD_SA. See local_ts for a description of the selector syntax.

StrongSwan default: ["dynamic"]

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.replay_window

IPsec replay window to configure for this CHILD_SA. Larger values than the default of 32 are supported using the Netlink backend only, a value of 0 disables IPsec replay protection.

StrongSwan default: 32

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.reqid

Fixed reqid to use for this CHILD_SA. This might be helpful in some scenarios, but works only if each CHILD_SA configuration is instantiated not more than once. The default of 0 uses dynamic reqids, allocated incrementally.

StrongSwan default: 0

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_in

Netfilter mark applied to packets after the inbound IPsec SA processed them. This way it’s not necessary to mark packets via Netfilter before decryption or right afterwards to match policies or process them differently (e.g. via policy routing).

An additional mask may be appended to the mark, separated by /. The default mask if omitted is 0xffffffff. The special value %same uses the value (but not the mask) from mark_in as mark value, which can be fixed, %unique or %unique-dir.

Setting marks in XFRM input requires Linux 4.19 or higher.

StrongSwan default: "0/0x00000000"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.set_mark_out

Netfilter mark applied to packets after the outbound IPsec SA processed them. This allows processing ESP packets differently than the original traffic (e.g. via policy routing).

An additional mask may be appended to the mark, separated by /. The default mask if omitted is 0xffffffff. The special value %same uses the value (but not the mask) from mark_out as mark value, which can be fixed, %unique_ or %unique-dir.

Setting marks in XFRM output is supported since Linux 4.14. Setting a mask requires at least Linux 4.19.

StrongSwan default: "0/0x00000000"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.sha256_96

HMAC-SHA-256 is used with 128-bit truncation with IPsec. For compatibility with implementations that incorrectly use 96-bit truncation this option may be enabled to configure the shorter truncation length in the kernel. This is not negotiated, so this only works with peers that use the incorrect truncation length (or have this option enabled).

StrongSwan default: false

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.start_action

Action to perform after loading the configuration.

  • The default of none loads the connection only, which then can be manually initiated or used as a responder configuration.

  • The value trap installs a trap policy, which triggers the tunnel as soon as matching traffic has been detected.

  • The value start initiates the connection actively.

  • Since version 5.9.6 two modes above can be combined with trap|start, to immediately initiate a connection for which trap policies have been installed.

When unloading or replacing a CHILD_SA configuration having a start_action different from none, the inverse action is performed. Configurations with start get closed, while such with trap get uninstalled.

StrongSwan default: "none"

Type: null or one of “none”, “trap”, “start”, “trap|start”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.tfc_padding

Pads ESP packets with additional data to have a consistent ESP packet size for improved Traffic Flow Confidentiality. The padding defines the minimum size of all ESP packets sent. The default value of 0 disables TFC padding, the special value mtu adds TFC padding to create a packet size equal to the Path Maximum Transfer Unit.

StrongSwan default: 0

Type: null or signed integer or value “mtu” (singular enum)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.updown

Updown script to invoke on CHILD_SA up and down events.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.dpd_delay

Interval to check the liveness of a peer actively using IKEv2 INFORMATIONAL exchanges or IKEv1 R_U_THERE messages. Active DPD checking is only enforced if no IKE or ESP/AH packet has been received for the configured DPD delay.

StrongSwan default: "0s"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.dpd_timeout

Charon by default uses the normal retransmission mechanism and timeouts to check the liveness of a peer, as all messages are used for liveness checking. For compatibility reasons, with IKEv1 a custom interval may be specified; this option has no effect on connections using IKEv2.

StrongSwan default: "0s"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.dscp

Differentiated Services Field Codepoint to set on outgoing IKE packets for this connection. The value is a six digit binary encoded string specifying the Codepoint to set, as defined in RFC 2474.

StrongSwan default: "000000"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.encap

To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the NAT detection payloads. This makes the peer believe that NAT takes place on the path, forcing it to encapsulate ESP packets in UDP.

Usually this is not required, but it can help to work around connectivity issues with too restrictive intermediary firewalls.

StrongSwan default: false

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.fragmentation

Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 fragmentation). Acceptable values are yes (the default since 5.5.1), accept (since versions:5.5.3), force and no.

  • If set to yes, and the peer supports it, oversized IKE messages will be sent in fragments.

  • If set to accept, support for fragmentation is announced to the peer but the daemon does not send its own messages in fragments.

  • If set to force (only supported for IKEv1) the initial IKE message will already be fragmented if required.

  • Finally, setting the option to no will disable announcing support for this feature.

Note that fragmented IKE messages sent by a peer are always processed irrespective of the value of this option (even when set to no).

StrongSwan default: "yes"

Type: null or one of “yes”, “accept”, “force”, “no”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.if_id_in

XFRM interface ID set on inbound policies/SA, can be overridden by child config, see there for details.

The special value %unique allocates a unique interface ID per IKE_SA, which is inherited by all its CHILD_SAs (unless overridden there), beyond that the value %unique-dir assigns a different unique interface ID for each direction (in/out).

StrongSwan default: "0"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.if_id_out

XFRM interface ID set on outbound policies/SA, can be overridden by child config, see there for details.

The special value %unique allocates a unique interface ID per IKE_SA, which is inherited by all its CHILD_SAs (unless overridden there), beyond that the value %unique-dir assigns a different unique interface ID for each direction (in/out).

StrongSwan default: "0"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.keyingtries

Number of retransmission sequences to perform during initial connect. Instead of giving up initiation after the first retransmission sequence with the default value of 1, additional sequences may be started according to the configured value. A value of 0 initiates a new sequence until the connection establishes or fails with a permanent error.

StrongSwan default: 1

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local

Section for a local authentication round. A local authentication round defines the rules how authentication is performed for the local peer. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple Authentication or IKEv1 XAuth.

Each round is defined in a section having local as prefix, and an optional unique suffix. To define a single authentication round, the suffix may be omitted.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.aaa_id

Server side EAP-Identity to expect in the EAP method. Some EAP methods, such as EAP-TLS, use an identity for the server to perform mutual authentication. This identity may differ from the IKE identity, especially when EAP authentication is delegated from the IKE responder to an AAA backend.

For EAP-(T)TLS, this defines the identity for which the server must provide a certificate in the TLS exchange.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.auth

Authentication to perform locally.

  • The default pubkey uses public key authentication using a private key associated to a usable certificate.

  • psk uses pre-shared key authentication.

  • The IKEv1 specific xauth is used for XAuth or Hybrid authentication,

  • while the IKEv2 specific eap keyword defines EAP authentication.

  • For xauth, a specific backend name may be appended, separated by a dash. The appropriate xauth backend is selected to perform the XAuth exchange. For traditional XAuth, the xauth method is usually defined in the second authentication round following an initial pubkey (or psk) round. Using xauth in the first round performs Hybrid Mode client authentication.

  • For eap, a specific EAP method name may be appended, separated by a dash. An EAP module implementing the appropriate method is selected to perform the EAP conversation.

  • Since 5.4.0, if both peers support RFC 7427 (“Signature Authentication in IKEv2”) specific hash algorithms to be used during IKEv2 authentication may be configured. To do so use ike: followed by a trust chain signature scheme constraint (see description of the remote section’s auth keyword). For example, with ike:pubkey-sha384-sha256 a public key signature scheme with either SHA-384 or SHA-256 would get used for authentication, in that order and depending on the hash algorithms supported by the peer. If no specific hash algorithms are configured, the default is to prefer an algorithm that matches or exceeds the strength of the signature key. If no constraints with ike: prefix are configured any signature scheme constraint (without ike: prefix) will also apply to IKEv2 authentication, unless this is disabled in strongswan.conf. To use RSASSA-PSS signatures use rsa/pss instead of pubkey or rsa as in e.g. ike:rsa/pss-sha256. If pubkey or rsa constraints are configured RSASSA-PSS signatures will only be used if enabled in strongswan.conf(5).

StrongSwan default: "pubkey"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert

Section for a certificate candidate to use for authentication. Certificates in certs are transmitted as binary blobs, these sections offer more flexibility.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.file

Absolute path to the certificate to load. Passed as-is to the daemon, so it must be readable by it.

Configure either this or handle, but not both, in one section.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.handle

Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively.

Configure either this or file, but not both, in one section.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.module

Optional PKCS#11 module name.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.slot

Optional slot number of the token that stores the certificate.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.certs

List of certificate candidates to use for authentication. The certificates may use a relative path from the swanctl x509 directory or an absolute path.

The certificate used for authentication is selected based on the received certificate request payloads. If no appropriate CA can be located, the first certificate is used.

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.eap_id

Client EAP-Identity to use in EAP-Identity exchange and the EAP method.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.id

IKE identity to use for authentication round. When using certificate authentication, the IKE identity must be contained in the certificate, either as subject or as subjectAltName.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.pubkeys

List of raw public key candidates to use for authentication. The public keys may use a relative path from the swanctl pubkey directory or an absolute path.

Even though multiple local public keys could be defined in principle, only the first public key in the list is used for authentication.

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.round

Optional numeric identifier by which authentication rounds are sorted. If not specified rounds are ordered by their position in the config file/vici message.

StrongSwan default: 0

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.xauth_id

Client XAuth username used in the XAuth exchange.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local_addrs

Local address(es) to use for IKE communication. Takes single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges.

As initiator, the first non-range/non-subnet is used to initiate the connection from. As responder, the local destination address must match at least to one of the specified addresses, subnets or ranges.

If FQDNs are assigned they are resolved every time a configuration lookup is done. If DNS resolution times out, the lookup is delayed for that time.

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.local_port

Local UDP port for IKE communication. By default the port of the socket backend is used, which is usually 500. If port 500 is used, automatic IKE port floating to port 4500 is used to work around NAT issues.

Using a non-default local IKE port requires support from the socket backend in use (socket-dynamic).

StrongSwan default: 500

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.mediated_by

The name of the connection to mediate this connection through. If given, the connection will be mediated through the named mediation connection. The mediation connection must have mediation enabled.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.mediation

Whether this connection is a mediation connection, that is, whether this connection is used to mediate other connections using the IKEv2 Mediation Extension. Mediation connections create no CHILD_SA.

StrongSwan default: false

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.mediation_peer

Identity under which the peer is registered at the mediation server, that is, the IKE identity the other end of this connection uses as its local identity on its connection to the mediation server. This is the identity we request the mediation server to mediate us with. Only relevant on connections that set mediated_by. If it is not given, the remote IKE identity of the first authentication round of this connection will be used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.mobike

Enables MOBIKE on IKEv2 connections. MOBIKE is enabled by default on IKEv2 connections, and allows mobility of clients and multi-homing on servers by migrating active IPsec tunnels.

Usually keeping MOBIKE enabled is unproblematic, as it is not used if the peer does not indicate support for it. However, due to the design of MOBIKE, IKEv2 always floats to port 4500 starting from the second exchange. Some implementations don’t like this behavior, hence it can be disabled.

StrongSwan default: true

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.over_time

Hard IKE_SA lifetime if rekey/reauth does not complete, as time. To avoid having an IKE/ISAKMP kept alive if IKE reauthentication or rekeying fails perpetually, a maximum hard lifetime may be specified. If the IKE_SA fails to rekey or reauthenticate within the specified time, the IKE_SA gets closed.

In contrast to CHILD_SA rekeying, over_time is relative in time to the rekey_time and reauth_time values, as it applies to both.

The default is 10% of the longer of rekey_time and reauth_time.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.pools

List of named IP pools to allocate virtual IP addresses and other configuration attributes from. Each name references a pool by name from either the pools section or an external pool.

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.ppk_id

String identifying the Postquantum Preshared Key (PPK) to be used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.ppk_required

Whether a Postquantum Preshared Key (PPK) is required for this connection.

StrongSwan default: false

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.proposals

A proposal is a set of algorithms. For non-AEAD algorithms, this includes for IKE an encryption algorithm, an integrity algorithm, a pseudo random function and a Diffie-Hellman group. For AEAD algorithms, instead of encryption and integrity algorithms, a combined algorithm is used.

In IKEv2, multiple algorithms of the same kind can be specified in a single proposal, from which one gets selected. In IKEv1, only one algorithm per kind is allowed per proposal, more algorithms get implicitly stripped. Use multiple proposals to offer different algorithms combinations in IKEv1.

Algorithm keywords get separated using dashes. Multiple proposals may be specified in a list. The special value default forms a default proposal of supported algorithms considered safe, and is usually a good choice for interoperability.

StrongSwan default: ["default"]

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.pull

If the default of yes is used, Mode Config works in pull mode, where the initiator actively requests a virtual IP. With no, push mode is used, where the responder pushes down a virtual IP to the initiating peer.

Push mode is currently supported for IKEv1, but not in IKEv2. It is used by a few implementations only, pull mode is recommended.

StrongSwan default: true

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.rand_time

Time range from which to choose a random value to subtract from rekey/reauth times. To avoid having both peers initiating the rekey/reauth procedure simultaneously, a random time gets subtracted from the rekey/reauth times.

The default is equal to the configured over_time.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.reauth_time

Time to schedule IKE reauthentication. IKE reauthentication recreates the IKE/ISAKMP SA from scratch and re-evaluates the credentials. In asymmetric configurations (with EAP or configuration payloads) it might not be possible to actively reauthenticate as responder. The IKEv2 reauthentication lifetime negotiation can instruct the client to perform reauthentication.

Reauthentication is disabled by default. Enabling it usually may lead to small connection interruptions, as strongSwan uses a break-before-make policy with IKEv2 to avoid any conflicts with associated tunnel resources.

StrongSwan default: "0s"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.rekey_time

IKE rekeying refreshes key material using a Diffie-Hellman exchange, but does not re-check associated credentials. It is supported in IKEv2 only, IKEv1 performs a reauthentication procedure instead.

With the default value IKE rekeying is scheduled every 4 hours, minus the configured rand_time. If a reauth_time is configured, rekey_time defaults to zero, disabling rekeying; explicitly set both to enforce rekeying and reauthentication.

StrongSwan default: "4h"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote

Section for a remote authentication round. A remote authentication round defines the constraints how the peers must authenticate to use this connection. Multiple rounds may be defined to use IKEv2 RFC 4739 Multiple Authentication or IKEv1 XAuth.

Each round is defined in a section having remote as prefix, and an optional unique suffix. To define a single authentication round, the suffix may be omitted.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.auth

Authentication to expect from remote. See the local section’s auth keyword description about the details of supported mechanisms.

Since 5.4.0, to require a trustchain public key strength for the remote side, specify the key type followed by the minimum strength in bits (for example ecdsa-384 or rsa-2048-ecdsa-256). To limit the acceptable set of hashing algorithms for trustchain validation, append hash algorithms to pubkey or a key strength definition (for example pubkey-sha256-sha512, rsa-2048-sha256-sha384-sha512 or rsa-2048-sha256-ecdsa-256-sha256-sha384). Unless disabled in strongswan.conf, or explicit IKEv2 signature constraints are configured (refer to the description of the local section’s auth keyword for details), such key types and hash algorithms are also applied as constraints against IKEv2 signature authentication schemes used by the remote side. To require RSASSA-PSS signatures use rsa/pss instead of pubkey or rsa as in e.g. rsa/pss-sha256. If pubkey or rsa constraints are configured RSASSA-PSS signatures will only be accepted if enabled in strongswan.conf(5).

To specify trust chain constraints for EAP-(T)TLS, append a colon to the EAP method, followed by the key type/size and hash algorithm as discussed above (e.g. eap-tls:ecdsa-384-sha384).

StrongSwan default: "pubkey"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.ca_id

Identity in CA certificate to accept for authentication. The specified identity must be contained in one (intermediate) CA of the remote peer trustchain, either as subject or as subjectAltName. This has the same effect as specifying cacerts to force clients under a CA to specific connections; it does not require the CA certificate to be available locally, and can be received from the peer during the IKE exchange.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert

Section for a CA certificate to accept for authentication. Certificates in cacerts are transmitted as binary blobs, these sections offer more flexibility.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.file

Absolute path to the certificate to load. Passed as-is to the daemon, so it must be readable by it.

Configure either this or handle, but not both, in one section.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.handle

Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively.

Configure either this or file, but not both, in one section.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.module

Optional PKCS#11 module name.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.slot

Optional slot number of the token that stores the certificate.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacerts

List of CA certificates to accept for authentication. The certificates may use a relative path from the swanctl x509ca directory or an absolute path.

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert

Section for a certificate candidate to use for authentication. Certificates in certs are transmitted as binary blobs, these sections offer more flexibility.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.file

Absolute path to the certificate to load. Passed as-is to the daemon, so it must be readable by it.

Configure either this or handle, but not both, in one section.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.handle

Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively.

Configure either this or file, but not both, in one section.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.module

Optional PKCS#11 module name.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.slot

Optional slot number of the token that stores the certificate.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert_policy

List of certificate policy OIDs the peer’s certificate must have. OIDs are specified using the numerical dotted representation.

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.certs

List of certificates to accept for authentication. The certificates may use a relative path from the swanctl x509 directory or an absolute path.

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.eap_id

Identity to use as peer identity during EAP authentication. If set to %any the EAP-Identity method will be used to ask the client for an EAP identity.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.groups

Authorization group memberships to require. The peer must prove membership to at least one of the specified groups. Group membership can be certified by different means, for example by appropriate Attribute Certificates or by an AAA backend involved in the authentication.

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.id

IKE identity to expect for authentication round. When using certificate authentication, the IKE identity must be contained in the certificate, either as subject or as subjectAltName.

StrongSwan default: "%any"

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.pubkeys

List of raw public keys to accept for authentication. The public keys may use a relative path from the swanctl pubkey directory or an absolute path.

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.revocation

Certificate revocation policy for CRL or OCSP revocation.

  • A strict revocation policy fails if no revocation information is available, i.e. the certificate is not known to be unrevoked.

  • ifuri fails only if a CRL/OCSP URI is available, but certificate revocation checking fails, i.e. there should be revocation information available, but it could not be obtained.

  • The default revocation policy relaxed fails only if a certificate is revoked, i.e. it is explicitly known that it is bad.

StrongSwan default: "relaxed"

Type: null or one of “strict”, “ifuri”, “relaxed”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.round

Optional numeric identifier by which authentication rounds are sorted. If not specified rounds are ordered by their position in the config file/vici message.

StrongSwan default: 0

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote_addrs

Remote address(es) to use for IKE communication. Takes single IPv4/IPv6 addresses, DNS names, CIDR subnets or IP address ranges.

As initiator, the first non-range/non-subnet is used to initiate the connection to. As responder, the initiator source address must match at least to one of the specified addresses, subnets or ranges.

If FQDNs are assigned they are resolved every time a configuration lookup is done. If DNS resolution times out, the lookup is delayed for that time. To initiate a connection, at least one specific address or DNS name must be specified.

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.remote_port

Remote UDP port for IKE communication. If the default of port 500 is used, automatic IKE port floating to port 4500 is used to work around NAT issues.

StrongSwan default: 500

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.send_cert

Send certificate payloads when using certificate authentication.

  • With the default of ifasked the daemon sends certificate payloads only if certificate requests have been received.

  • never disables sending of certificate payloads altogether,

  • always causes certificate payloads to be sent unconditionally whenever certificate authentication is used.

StrongSwan default: "ifasked"

Type: null or one of “always”, “never”, “ifasked”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.send_certreq

Send certificate request payloads to offer trusted root CA certificates to the peer. Certificate requests help the peer to choose an appropriate certificate/private key for authentication and are enabled by default. Disabling certificate requests can be useful if too many trusted root CA certificates are installed, as each certificate request increases the size of the initial IKE packets.

StrongSwan default: true

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.unique

Connection uniqueness policy to enforce. To avoid multiple connections from the same user, a uniqueness policy can be enforced.

  • The value never does never enforce such a policy, even if a peer included INITIAL_CONTACT notification messages,

  • whereas no replaces existing connections for the same identity if a new one has the INITIAL_CONTACT notify.

  • keep rejects new connection attempts if the same user already has an active connection,

  • replace deletes any existing connection if a new one for the same user gets established.

To compare connections for uniqueness, the remote IKE identity is used. If EAP or XAuth authentication is involved, the EAP-Identity or XAuth username is used to enforce the uniqueness policy instead.

On initiators this setting specifies whether an INITIAL_CONTACT notify is sent during IKE_AUTH if no existing connection is found with the remote peer (determined by the identities of the first authentication round). Unless set to never the client will send a notify.

StrongSwan default: "no"

Type: null or one of “no”, “never”, “keep”, “replace”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.version

IKE major version to use for connection.

  • 1 uses IKEv1 aka ISAKMP,

  • 2 uses IKEv2.

  • A connection using the default of 0 accepts both IKEv1 and IKEv2 as responder, and initiates the connection actively with IKEv2.

StrongSwan default: 0

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.connections.<name>.vips

List of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all.

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.pools

Section defining named pools. Named pools may be referenced by connections with the pools option to assign virtual IPs and other configuration attributes. Each pool must have a unique name (denoted <name> below).

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.pools.<name>.addrs

Subnet or range defining addresses allocated in pool. Accepts a single CIDR subnet defining the pool to allocate addresses from or an address range (<from>-<to>). Pools must be unique and non-overlapping.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.pools.<name>.dhcp

Address or CIDR subnets

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.pools.<name>.dns

Address or CIDR subnets

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.pools.<name>.nbns

Address or CIDR subnets

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.pools.<name>.netmask

Address or CIDR subnets

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.pools.<name>.server

Address or CIDR subnets

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.pools.<name>.split_exclude

Address or CIDR subnets

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.pools.<name>.split_include

Address or CIDR subnets

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.pools.<name>.subnet

Address or CIDR subnets

StrongSwan default: []

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.eap

EAP secret section for a specific secret. Each EAP secret is defined in a unique section having the eap prefix. EAP secrets are used for XAuth authentication as well.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.eap.<name>.id

Identity the EAP/XAuth secret belongs to. Multiple unique identities may be specified, each having an id prefix, if a secret is shared between multiple users.

Type: attribute set of (null or string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.eap.<name>.secret

Value of the EAP/XAuth secret. It may either be an ASCII string, a hex encoded string if it has a 0x prefix or a Base64 encoded string if it has a 0s prefix in its value.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.ecdsa

Private key decryption passphrase for a key in the ecdsa folder.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.ecdsa.<name>.file

File name in the ecdsa folder for which this passphrase should be used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.ecdsa.<name>.secret

Value of decryption passphrase for ECDSA key.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.ike

IKE preshared secret section for a specific secret. Each IKE PSK is defined in a unique section having the ike prefix.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.ike.<name>.id

IKE identity the IKE preshared secret belongs to. Multiple unique identities may be specified, each having an id prefix, if a secret is shared between multiple peers.

Type: attribute set of (null or string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.ike.<name>.secret

Value of the IKE preshared secret. It may either be an ASCII string, a hex encoded string if it has a 0x prefix or a Base64 encoded string if it has a 0s prefix in its value.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.ntlm

NTLM secret section for a specific secret. Each NTLM secret is defined in a unique section having the ntlm prefix. NTLM secrets may only be used for EAP-MSCHAPv2 authentication.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.ntlm.<name>.id

Identity the NTLM secret belongs to. Multiple unique identities may be specified, each having an id prefix, if a secret is shared between multiple users.

Type: attribute set of (null or string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.ntlm.<name>.secret

Value of the NTLM secret, which is the NT Hash of the actual secret, that is, MD4(UTF-16LE(secret)). The resulting 16-byte value may either be given as a hex encoded string with a 0x prefix or as a Base64 encoded string with a 0s prefix.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.pkcs12

PKCS#12 decryption passphrase for a container in the pkcs12 folder.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.pkcs12.<name>.file

File name in the pkcs12 folder for which this passphrase should be used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.pkcs12.<name>.secret

Value of decryption passphrase for PKCS#12 container.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.pkcs8

Private key decryption passphrase for a key in the pkcs8 folder.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.pkcs8.<name>.file

File name in the pkcs8 folder for which this passphrase should be used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.pkcs8.<name>.secret

Value of decryption passphrase for PKCS#8 key.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.ppk

Postquantum Preshared Key (PPK) section for a specific secret. Each PPK is defined in a unique section having the ppk prefix.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.ppk.<name>.id

PPK identity the PPK belongs to. Multiple unique identities may be specified, each having an id prefix, if a secret is shared between multiple peers.

Type: attribute set of (null or string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.ppk.<name>.secret

Value of the PPK. It may either be an ASCII string, a hex encoded string if it has a 0x prefix or a Base64 encoded string if it has a 0s prefix in its value. Should have at least 256 bits of entropy for 128-bit security.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.private

Private key decryption passphrase for a key in the private folder.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.private.<name>.file

File name in the private folder for which this passphrase should be used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.private.<name>.secret

Value of decryption passphrase for private key.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.rsa

Private key decryption passphrase for a key in the rsa folder.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.rsa.<name>.file

File name in the rsa folder for which this passphrase should be used.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.rsa.<name>.secret

Value of decryption passphrase for RSA key.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.token

Definition for a private key that’s stored on a token/smartcard/TPM.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.token.<name>.handle

Hex-encoded CKA_ID or handle of the private key on the token or TPM, respectively.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.token.<name>.module

Optional PKCS#11 module name to access the token.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.token.<name>.pin

Optional PIN required to access the key on the token. If none is provided the user is prompted during an interactive --load-creds call.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.token.<name>.slot

Optional slot number to access the token.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.xauth

EAP secret section for a specific secret. Each EAP secret is defined in a unique section having the eap prefix. EAP secrets are used for XAuth authentication as well.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.xauth.<name>.id

Identity the EAP/XAuth secret belongs to. Multiple unique identities may be specified, each having an id prefix, if a secret is shared between multiple users.

Type: attribute set of (null or string)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.strongswan-swanctl.swanctl.secrets.xauth.<name>.secret

Value of the EAP/XAuth secret. It may either be an ASCII string, a hex encoded string if it has a 0x prefix or a Base64 encoded string if it has a 0s prefix in its value.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
services.stubby.enable

Whether to enable Stubby DNS resolver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/stubby.nix>
services.stubby.logLevel

Log verbosity (syslog keyword or level).

Type: null or one of “alert”, “crit”, “debug”, “emerg”, “error”, “info”, “notice”, “warning”, 1, 2, 7, 0, 3, 6, 5, 4

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/stubby.nix>
services.stubby.settings

Content of the Stubby configuration file. All Stubby settings may be set or queried here. The default settings are available at pkgs.stubby.passthru.settingsExample. See https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby. A list of the public recursive servers can be found here: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers.

Type: attribute set of (YAML value)

Example:

pkgs.stubby.passthru.settingsExample // {
  upstream_recursive_servers = [{
    address_data = "158.64.1.29";
    tls_auth_name = "kaitain.restena.lu";
    tls_pubkey_pinset = [{
      digest = "sha256";
      value = "7ftvIkA+UeN/ktVkovd/7rPZ6mbkhVI7/8HnFJIiLa4=";
    }];
  }];
};

Declared by:

<nixpkgs/nixos/modules/services/networking/stubby.nix>
services.stunnel.enable

Whether to enable the stunnel TLS tunneling service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/stunnel.nix>
services.stunnel.enableInsecureSSLv3

Enable support for the insecure SSLv3 protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/stunnel.nix>
services.stunnel.clients

Define the client configurations.

By default, verifyChain and OCSPaia are enabled and a CAFile is provided from pkgs.cacert.

See “SERVICE-LEVEL OPTIONS” in stunnel(8).

Type: attribute set of attribute set of (null or boolean or signed integer or string)

Default: { }

Example:

{
  foobar = {
    accept = "0.0.0.0:8080";
    connect = "nixos.org:443";
    verifyChain = false;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/stunnel.nix>
services.stunnel.fipsMode

Enable FIPS 140-2 mode required for compliance.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/stunnel.nix>
services.stunnel.group

The group under which stunnel runs.

Type: null or string

Default: "nogroup"

Declared by:

<nixpkgs/nixos/modules/services/networking/stunnel.nix>
services.stunnel.logLevel

Verbosity of stunnel output.

Type: one of “emerg”, “alert”, “crit”, “err”, “warning”, “notice”, “info”, “debug”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/networking/stunnel.nix>
services.stunnel.servers

Define the server configurations.

See “SERVICE-LEVEL OPTIONS” in stunnel(8).

Type: attribute set of attribute set of (null or boolean or signed integer or string)

Default: { }

Example:

{
  fancyWebserver = {
    accept = 443;
    cert = "/path/to/pem/file";
    connect = 8080;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/stunnel.nix>
services.stunnel.user

The user under which stunnel runs.

Type: null or string

Default: "nobody"

Declared by:

<nixpkgs/nixos/modules/services/networking/stunnel.nix>
services.subsonic.enable

Whether to enable Subsonic daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/subsonic.nix>
services.subsonic.contextPath

The context path, i.e., the last part of the Subsonic URL. Typically ‘/’ or ‘/subsonic’. Default ‘/’

Type: path

Default: "/"

Declared by:

<nixpkgs/nixos/modules/services/misc/subsonic.nix>
services.subsonic.defaultMusicFolder

Configure Subsonic to use this folder for music. This option only has effect the first time Subsonic is started.

Type: path

Default: "/var/music"

Declared by:

<nixpkgs/nixos/modules/services/misc/subsonic.nix>
services.subsonic.defaultPlaylistFolder

Configure Subsonic to use this folder for playlists. This option only has effect the first time Subsonic is started.

Type: path

Default: "/var/playlists"

Declared by:

<nixpkgs/nixos/modules/services/misc/subsonic.nix>
services.subsonic.defaultPodcastFolder

Configure Subsonic to use this folder for Podcasts. This option only has effect the first time Subsonic is started.

Type: path

Default: "/var/music/Podcast"

Declared by:

<nixpkgs/nixos/modules/services/misc/subsonic.nix>
services.subsonic.home

The directory where Subsonic will create files. Make sure it is writable.

Type: path

Default: "/var/lib/subsonic"

Declared by:

<nixpkgs/nixos/modules/services/misc/subsonic.nix>
services.subsonic.httpsPort

The port on which Subsonic will listen for incoming HTTPS traffic. Set to 0 to disable.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/subsonic.nix>
services.subsonic.listenAddress

The host name or IP address on which to bind Subsonic. Only relevant if you have multiple network interfaces and want to make Subsonic available on only one of them. The default value will bind Subsonic to all available network interfaces.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/subsonic.nix>
services.subsonic.maxMemory

The memory limit (max Java heap size) in megabytes. Default: 100

Type: signed integer

Default: 100

Declared by:

<nixpkgs/nixos/modules/services/misc/subsonic.nix>
services.subsonic.port

The port on which Subsonic will listen for incoming HTTP traffic. Set to 0 to disable.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 4040

Declared by:

<nixpkgs/nixos/modules/services/misc/subsonic.nix>
services.subsonic.transcoders

List of paths to transcoder executables that should be accessible from Subsonic. Symlinks will be created to each executable inside ${config.services.subsonic.home}/transcoders.

Type: list of path

Default: [ "${pkgs.ffmpeg.bin}/bin/ffmpeg" ]

Declared by:

<nixpkgs/nixos/modules/services/misc/subsonic.nix>
services.sundtek.enable

Whether to enable Sundtek driver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sundtek.nix>
services.sunshine.enable

Whether to enable Sunshine, a self-hosted game stream host for Moonlight.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/sunshine.nix>
services.sunshine.package

The sunshine package to use.

Type: package

Default: pkgs.sunshine

Declared by:

<nixpkgs/nixos/modules/services/networking/sunshine.nix>
services.sunshine.applications

Configuration for applications to be exposed to Moonlight. If this is set, no configuration is possible from the web UI, and must be by the settings option.

Type: submodule

Default: { }

Example:

{
  env = {
    PATH = "$(PATH):$(HOME)/.local/bin";
  };
  apps = [
    {
      name = "1440p Desktop";
      prep-cmd = [
        {
          do = "${pkgs.kdePackages.libkscreen}/bin/kscreen-doctor output.DP-4.mode.2560x1440@144";
          undo = "${pkgs.kdePackages.libkscreen}/bin/kscreen-doctor output.DP-4.mode.3440x1440@144";
        }
      ];
      exclude-global-prep-cmd = "false";
      auto-detach = "true";
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/networking/sunshine.nix>
services.sunshine.applications.apps

Applications to be exposed to Moonlight.

Type: list of (attribute set)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/sunshine.nix>
services.sunshine.applications.env

Environment variables to be set for the applications.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/sunshine.nix>
services.sunshine.autoStart

Whether sunshine should be started automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/sunshine.nix>
services.sunshine.capSysAdmin

Whether to give the Sunshine binary CAP_SYS_ADMIN, required for DRM/KMS screen capture.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/sunshine.nix>
services.sunshine.openFirewall

Whether to automatically open ports in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/sunshine.nix>
services.sunshine.settings

Settings to be rendered into the configuration file. If this is set, no configuration is possible from the web UI.

See https://docs.lizardbyte.dev/projects/sunshine/en/latest/about/advanced_usage.html#configuration for syntax.

Type: attribute set of (atom (null, bool, int, float or string))

Default: { }

Example:

{
  sunshine_name = "nixos";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/sunshine.nix>
services.sunshine.settings.port

Base port – others used are offset from this one, see https://docs.lizardbyte.dev/projects/sunshine/en/latest/about/advanced_usage.html#port for details.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 47989

Declared by:

<nixpkgs/nixos/modules/services/networking/sunshine.nix>
services.supergfxd.enable

Whether to enable the supergfxd service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/supergfxd.nix>
services.supergfxd.settings

The content of /etc/supergfxd.conf. See https://gitlab.com/asus-linux/supergfxctl/#config-options-etcsupergfxdconf.

Type: null or JSON value

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/supergfxd.nix>
services.supybot.enable

Enable Supybot, an IRC bot (also known as Limnoria).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/supybot.nix>
services.supybot.configFile

Path to initial supybot config file. This can be generated by running supybot-wizard.

Note: all paths should include the full path to the stateDir directory (backup conf data logs logs/plugins plugins tmp web).

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/supybot.nix>
services.supybot.extraPackages

Extra Python packages available to supybot plugins. The value must be a function which receives the attrset defined in python3Packages as the sole argument.

Type: function that evaluates to a(n) list of package

Default: p: []

Example: p: [ p.lxml p.requests ]

Declared by:

<nixpkgs/nixos/modules/services/networking/supybot.nix>
services.supybot.plugins

Attribute set of additional plugins that will be symlinked to the plugin subdirectory.

Please note that you still need to add the plugins to the config file (or with !load) using their attribute name.

Type: attribute set of path

Default: { }

Example:

let
  plugins = pkgs.fetchzip {
    url = "https://github.com/ProgVal/Supybot-plugins/archive/57c2450c.zip";
    sha256 = "077snf84ibnva3sbpzdfpfma6hcdw7dflwnhg6pw7mgnf0nd84qd";
  };
in
{
  Wikipedia = "${plugins}/Wikipedia";
  Decide = ./supy-decide;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/supybot.nix>
services.supybot.stateDir

The root directory, logs and plugins are stored here

Type: path

Default: /var/lib/supybot

Declared by:

<nixpkgs/nixos/modules/services/networking/supybot.nix>
services.suricata.enable

Whether to enable Suricata.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.enabledSources

List of sources that should be enabled. Currently sources which require a secret-code are not supported.

Type: list of string

Default:

[
  "et/open"
  "etnetera/aggressive"
  "stamus/lateral"
  "oisf/trafficid"
  "tgreen/hunting"
  "sslbl/ja3-fingerprints"
  "sslbl/ssl-fp-blacklist"
  "malsilo/win-malware"
  "pawpatrules"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.package

The suricata package to use.

Type: package

Default: pkgs.suricata

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.disabledRules

List of rules that should be disabled.

Type: list of string

Default:

[
  "2270000"
  "2270001"
  "2270002"
  "2270003"
  "2270004"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings

Suricata settings

Type: YAML value

Example:

vars.address-groups.HOME_NET = "192.168.178.0/24";
outputs = [
  {
    fast = {
      enabled = true;
      filename = "fast.log";
      append = "yes";
    };
  }
  {
    eve-log = {
      enabled = true;
      filetype = "regular";
      filename = "eve.json";
      community-id = true;
      types = [
        {
          alert.tagged-packets = "yes";
        }
      ];
    };
  }
];
af-packet = [
  {
    interface = "eth0";
    cluster-id = "99";
    cluster-type = "cluster_flow";
    defrag = "yes";
  }
  {
    interface = "default";
  }
];
af-xdp = [
  {
    interface = "eth1";
  }
];
dpdk.interfaces = [
  {
    interface = "eth2";
  }
];
pcap = [
  {
    interface = "eth3";
  }
];
app-layer.protocols = {
  telnet.enabled = "yes";
  dnp3.enabled = "yes";
  modbus.enabled = "yes";
};

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.af-packet

Linux high speed capture support.

Type: null or (list of (YAML value))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.af-packet.*.interface

af-packet capture interface, see upstream docs reagrding tuning.

Type: string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.af-xdp

Linux high speed af-xdp capture support, see docs/capture-hardware/af-xdp.

Type: null or (list of (YAML value))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.af-xdp.*.interface

af-xdp capture interface, see upstream docs.

Type: string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.app-layer

app-layer configuration, see upstream docs.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.app-layer.error-policy

The error-policy setting applies to all app-layer parsers. Values can be “drop-flow”, “pass-flow”, “bypass”, “drop-packet”, “pass-packet”, “reject” or “ignore” (the default).

Type: one of “drop-flow”, “pass-flow”, “bypass”, “drop-packet”, “pass-packet”, “reject”, “ignore”

Default: "ignore"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.app-layer.protocols

app-layer protocols, see upstream docs.

Type: null or (attribute set of (YAML value))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.app-layer.protocols.<name>.enabled

The option “enabled” takes 3 values - “yes”, “no”, “detection-only”. “yes” enables both detection and the parser, “no” disables both, and “detection-only” enables protocol detection only (parser disabled).

Type: one of “yes”, “no”, “detection-only”

Default: "no"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.classification-file

Suricata classification configuration file.

Type: string

Default: "/var/lib/suricata/rules/classification.config"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.default-log-dir

The default logging directory. Any log or output file will be placed here if it’s not specified with a full path name. This can be overridden with the -l command line parameter.

Type: string

Default: "/var/log/suricata"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.default-rule-path

Path in which suricata-update managed rules are stored by default.

Type: path

Default: "/var/lib/suricata/rules"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.dpdk

Data Plane Development Kit is a framework for fast packet processing in data plane applications running on a wide variety of CPU architectures. DPDK’s Environment Abstraction Layer (EAL) provides a generic interface to low-level resources. It is a unique way how DPDK libraries access NICs. EAL creates an API for an application to access NIC resources from the userspace level. In DPDK, packets are not retrieved via interrupt handling. Instead, the application polls the NIC for newly received packets.

DPDK allows the user space application to directly access memory where the NIC stores the packets. As a result, neither DPDK nor the application copies the packets for the inspection. The application directly processes packets via passed packet descriptors. See docs/capture-hardware/dpdk and docs/configuration/suricata-yaml.html#data-plane-development-kit-dpdk.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.dpdk.eal-params.proc-type

dpdk eal-params.proc-type, see data plane development kit docs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.dpdk.interfaces

See upstream docs: docs/capture-hardware/dpdk and docs/configuration/suricata-yaml.html#data-plane-development-kit-dpdk.

Type: null or (list of (YAML value))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.dpdk.interfaces.*.interface

See upstream docs: docs/capture-hardware/dpdk and docs/configuration/suricata-yaml.html#data-plane-development-kit-dpdk.

Type: string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.exception-policy

Define a common behavior for all exception policies. In IPS mode, the default is drop-flow. For cases when that’s not possible, the engine will fall to drop-packet. To fallback to old behavior (setting each of them individually, or ignoring all), set this to ignore. All values available for exception policies can be used, and there is one extra option: auto - which means drop-flow or drop-packet (as explained above) in IPS mode, and ignore in IDS mode. Exception policy values are: drop-packet, drop-flow, reject, bypass, pass-packet, pass-flow, ignore (disable).

Type: one of “auto”, “drop-packet”, “drop-flow”, “reject”, “bypass”, “pass-packet”, “pass-flow”, “ignore”

Default: "auto"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.host-mode

If the Suricata box is a router for the sniffed networks, set it to ‘router’. If it is a pure sniffing setup, set it to ‘sniffer-only’. If set to auto, the variable is internally switched to ‘router’ in IPS mode and ‘sniffer-only’ in IDS mode. This feature is currently only used by the reject* keywords.

Type: one of “router”, “sniffer-only”, “auto”

Default: "auto"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.includes

Files to include in the suricata configuration. See docs/configuration/suricata-yaml for available options.

Type: null or (list of path)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.default-log-format

The default output format. Optional parameter, should default to something reasonable if not provided. Can be overridden in an output section. You can leave this out to get the default.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.default-log-level

The default log level: can be overridden in an output section. Note that debug level logging will only be emitted if Suricata was compiled with the --enable-debug configure option.

Type: one of “error”, “warning”, “notice”, “info”, “perf”, “config”, “debug”

Default: "notice"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.default-output-filter

A regex to filter output. Can be overridden in an output section. Defaults to empty (no filter).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.outputs.console.enable

Whether to enable logging to console.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.outputs.file.enable

Whether to enable logging to file.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.outputs.file.filename

Filename of the logfile.

Type: string

Default: "suricata.log"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.outputs.file.format

Logformat for logs written to the logfile.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.outputs.file.level

Loglevel for logs written to the logfile.

Type: one of “error”, “warning”, “notice”, “info”, “perf”, “config”, “debug”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.outputs.file.type

Type of logfile.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.outputs.syslog.enable

Whether to enable logging to syslog.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.outputs.syslog.facility

Facility to log to.

Type: string

Default: "local5"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.outputs.syslog.format

Logformat for logs send to syslog.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.outputs.syslog.type

Type of logs send to syslog.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.logging.stacktrace-on-signal

Requires libunwind to be available when Suricata is configured and built. If a signal unexpectedly terminates Suricata, displays a brief diagnostic message with the offending stacktrace if enabled.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.outputs

Configure the type of alert (and other) logging you would like.

Valid values for <NAME> are e. g. fast, eve-log, syslog, file-store, …

  • fast: a line based alerts log similar to Snort’s fast.log

  • eve-log: Extensible Event Format (nicknamed EVE) event log in JSON format

For more details regarding the configuration, checkout the shipped suricata.yaml

nix-shell -p suricata yq coreutils-full --command 'yq < $(dirname $(which suricata))/../etc/suricata/suricata.yaml'

and the suricata documentation.

Type: null or (list of attribute set of (YAML value))

Default: null

Example:

[
  {
    fast = {
      enabled = "yes";
      filename = "fast.log";
      append = "yes";
    };
  }
  {
    eve-log = {
      enabled = "yes";
      filetype = "regular";
      filename = "eve.json";
      community-id = true;
      types = [
        {
          alert.tagged-packets = "yes";
        }
      ];
    };
  }
];

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.outputs.*.<name>.enabled

Whether to enable <NAME>.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.pcap

Cross platform libpcap capture support.

Type: null or (list of (YAML value))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.pcap.*.interface

pcap capture interface, see upstream docs.

Type: string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.pcap-file.checksum-checks

Possible values are:

  • yes: checksum validation is forced

  • no: checksum validation is disabled

  • auto: Suricata uses a statistical approach to detect when checksum off-loading is used. (default) Warning: ‘checksum-validation’ must be set to yes to have checksum tested.

Type: one of “yes”, “no”, “auto”

Default: "auto"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.plugins

Plugins – Experimental – specify the filename for each plugin shared object.

Type: null or (list of path)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.reference-config-file

Suricata reference configuration file.

Type: string

Default: "\${config.services.suricata.package}/etc/suricata/reference.config"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.rule-files

Files to load suricata-update managed rules, relative to ‘default-rule-path’.

Type: list of string

Default:

[
  "suricata.rules"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.run-as.group

Run Suricata with a specific group-id.

Type: string

Default: "suricata"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.run-as.user

Run Suricata with a specific user-id.

Type: string

Default: "suricata"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.stats

Engine statistics such as packet counters, memory use counters and others can be logged in several ways. A separate text log ‘stats.log’ and an EVE record type ‘stats’ are enabled by default.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.stats.enable

Whether to enable suricata global stats.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.stats.decoder-events

Add decode events to stats

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.stats.decoder-events-prefix

Decoder event prefix in stats. Has been ‘decoder’ before, but that leads to missing events in the eve.stats records.

Type: string

Default: "decoder.event"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.stats.interval

The interval field (in seconds) controls the interval at which stats are updated in the log.

Type: string

Default: "8"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.stats.stream-events

Add stream events as stats.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.threshold-file

Suricata threshold configuration file.

Type: string

Default: "\${config.services.suricata.package}/etc/suricata/threshold.config"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.unix-command

Unix command socket that can be used to pass commands to Suricata. An external tool can then connect to get information from Suricata or trigger some modifications of the engine. Set enabled to yes to activate the feature. In auto mode, the feature will only be activated in live capture mode. You can use the filename variable to set the file name of the socket.

Type: null or (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.unix-command.enabled

Enable unix-command socket.

Type: boolean or value “auto” (singular enum)

Default: "auto"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.unix-command.filename

Filename for unix-command socket.

Type: path

Default: "/run/suricata/suricata-command.socket"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars

Variables to be used within the suricata rules.

Type: null or (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups

The address group variables for suricata, if not defined the default value of suricata (see example) will be used. Your settings will extend the predefined values in example.

Type: submodule

Default: { }

Example:

{
  AIM_SERVERS = "$EXTERNAL_NET";
  DC_SERVERS = "$HOME_NET";
  DNP3_CLIENT = "$HOME_NET";
  DNP3_SERVER = "$HOME_NET";
  DNS_SERVERS = "$HOME_NET";
  ENIP_CLIENT = "$HOME_NET";
  ENIP_SERVER = "$HOME_NET";
  EXTERNAL_NET = "!$HOME_NET";
  HOME_NET = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]";
  HTTP_SERVERS = "$HOME_NET";
  MODBUS_CLIENT = "$HOME_NET";
  MODBUS_SERVER = "$HOME_NET";
  SMTP_SERVERS = "$HOME_NET";
  SQL_SERVERS = "$HOME_NET";
  TELNET_SERVERS = "$HOME_NET";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.AIM_SERVERS

AIM_SERVERS variable.

Type: unspecified value

Default: "$EXTERNAL_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.DC_SERVERS

DC_SERVERS variable.

Type: unspecified value

Default: "$HOME_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.DNP3_CLIENT

DNP3_CLIENT variable.

Type: unspecified value

Default: "$HOME_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.DNP3_SERVER

DNP3_SERVER variable.

Type: unspecified value

Default: "$HOME_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.DNS_SERVERS

DNS_SERVERS variable.

Type: unspecified value

Default: "$HOME_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.ENIP_CLIENT

ENIP_CLIENT variable.

Type: unspecified value

Default: "$HOME_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.ENIP_SERVER

ENIP_SERVER variable.

Type: unspecified value

Default: "$HOME_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.EXTERNAL_NET

EXTERNAL_NET variable.

Type: unspecified value

Default: "!$HOME_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.HOME_NET

HOME_NET variable.

Type: unspecified value

Default: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.HTTP_SERVERS

HTTP_SERVERS variable.

Type: unspecified value

Default: "$HOME_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.MODBUS_CLIENT

MODBUS_CLIENT variable

Type: unspecified value

Default: "$HOME_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.MODBUS_SERVER

MODBUS_SERVER variable.

Type: unspecified value

Default: "$HOME_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.SMTP_SERVERS

SMTP_SERVERS variable.

Type: unspecified value

Default: "$HOME_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.SQL_SERVERS

SQL_SERVERS variable.

Type: unspecified value

Default: "$HOME_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.address-groups.TELNET_SERVERS

TELNET_SERVERS variable.

Type: unspecified value

Default: "$HOME_NET"

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.suricata.settings.vars.port-groups

The port group variables for suricata.

Type: null or (attribute set of string)

Default:

{
  DNP3_PORTS = "20000";
  FILE_DATA_PORTS = "[$HTTP_PORTS,110,143]";
  FTP_PORTS = "21";
  GENEVE_PORTS = "6081";
  HTTP_PORTS = "80";
  MODBUS_PORTS = "502";
  ORACLE_PORTS = "1521";
  SHELLCODE_PORTS = "!80";
  SSH_PORTS = "22";
  TEREDO_PORTS = "3544";
  VXLAN_PORTS = "4789";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/suricata/default.nix>
services.surrealdb.enable

Whether to enable SurrealDB, a scalable, distributed, collaborative, document-graph database, for the realtime web.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/surrealdb.nix>
services.surrealdb.package

The surrealdb package to use.

Type: package

Default: pkgs.surrealdb

Declared by:

<nixpkgs/nixos/modules/services/databases/surrealdb.nix>
services.surrealdb.dbPath

The path that surrealdb will write data to. Use null for in-memory. Can be one of “memory”, “rocksdb://:path”, “surrealkv://:path”, “tikv://:addr”, “fdb://:addr”.

Type: string

Default: "rocksdb:///var/lib/surrealdb/"

Example: "memory"

Declared by:

<nixpkgs/nixos/modules/services/databases/surrealdb.nix>
services.surrealdb.extraFlags

Specify a list of additional command line flags.

Type: list of string

Default: [ ]

Example:

[
  "--allow-all"
  "--user"
  "root"
  "--pass"
  "root"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/surrealdb.nix>
services.surrealdb.host

The host that surrealdb will connect to.

Type: string

Default: "127.0.0.1"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/databases/surrealdb.nix>
services.surrealdb.port

The port that surrealdb will connect to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8000

Example: 8000

Declared by:

<nixpkgs/nixos/modules/services/databases/surrealdb.nix>
services.suwayomi-server.enable

Whether to enable Suwayomi, a free and open source manga reader server that runs extensions built for Tachiyomi.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.package

The suwayomi-server package to use.

Type: package

Default: pkgs.suwayomi-server

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.dataDir

The path to the data directory in which Suwayomi-Server will download scans.

Type: path

Default: "/var/lib/suwayomi-server"

Example: "/var/data/mangas"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.group

Group under which Suwayomi-Server runs.

Type: string

Default: "suwayomi"

Example: "medias"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.openFirewall

Whether to open the firewall for the port in services.suwayomi-server.settings.server.port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.settings

Configuration to write to server.conf. See https://github.com/Suwayomi/Suwayomi-Server/wiki/Configuring-Suwayomi-Server for more information.

Type: HOCON value

Default: { }

Example:

{
  server = {
    socksProxyEnabled = true;
    socksProxyHost = "yourproxyhost.com";
    socksProxyPort = "8080";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.settings.server.basicAuthEnabled

Whether to enable basic access authentication for Suwayomi-Server. Enabling this option is useful when hosting on a public network/the Internet .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.settings.server.basicAuthPasswordFile

The password file containing the value that you have to provide when authenticating.

Type: null or path

Default: null

Example: "/var/secrets/suwayomi-server-password"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.settings.server.basicAuthUsername

The username value that you have to provide when authenticating.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.settings.server.downloadAsCbz

Download chapters as .cbz files.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.settings.server.extensionRepos

URL of repositories from which the extensions can be installed.

Type: list of string

Default: [ ]

Example:

[
  "https://raw.githubusercontent.com/MY_ACCOUNT/MY_REPO/repo/index.min.json"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.settings.server.ip

The ip that Suwayomi will bind to.

Type: string

Default: "0.0.0.0"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.settings.server.localSourcePath

Path to the local source folder.

Type: path

Default: suwayomi-server.dataDir

Example: "/var/data/local_mangas"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.settings.server.port

The port that Suwayomi will listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Example: 4567

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.settings.server.systemTrayEnabled

Whether to enable a system tray icon, if possible.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.suwayomi-server.user

User account under which Suwayomi-Server runs.

Type: string

Default: "suwayomi"

Example: "root"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/suwayomi-server.nix>
services.svnserve.enable

Whether to enable svnserve to serve Subversion repositories through the SVN protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/svnserve.nix>
services.svnserve.svnBaseDir

Base directory from which Subversion repositories are accessed.

Type: string

Default: "/repos"

Declared by:

<nixpkgs/nixos/modules/services/misc/svnserve.nix>
services.swapspace.enable

Whether to enable Swapspace, a dynamic swap space manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/system/swapspace.nix>
services.swapspace.package

The swapspace package to use.

Type: package

Default: pkgs.swapspace

Declared by:

<nixpkgs/nixos/modules/services/system/swapspace.nix>
services.swapspace.extraArgs

Any extra arguments to pass to swapspace

Type: list of string

Default: [ ]

Example:

[
  "-P"
  "-v"
]

Declared by:

<nixpkgs/nixos/modules/services/system/swapspace.nix>
services.swapspace.settings

Config file for swapspace. See the options here: https://github.com/Tookmund/Swapspace/blob/master/swapspace.conf

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/system/swapspace.nix>
services.swapspace.settings.buffer_elasticity

Percentage of buffer space considered to be “free”

Type: integer between 0 and 100 (both inclusive)

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/system/swapspace.nix>
services.swapspace.settings.cache_elasticity

Percentage of cache space considered to be “free”

Type: integer between 0 and 100 (both inclusive)

Default: 80

Declared by:

<nixpkgs/nixos/modules/services/system/swapspace.nix>
services.swapspace.settings.cooldown

Duration (roughly in seconds) of the moratorium on swap allocation that is instated if disk space runs out, or the cooldown time after a new swapfile is successfully allocated before swapspace will consider deallocating swap space again. The default cooldown period is about 10 minutes.

Type: unsigned integer, meaning >=0

Default: 600

Declared by:

<nixpkgs/nixos/modules/services/system/swapspace.nix>
services.swapspace.settings.freetarget

Percentage of free space swapspace should aim for when adding swapspace. This should fall somewhere between lower_freelimit and upper_freelimit.

Type: integer between 2 and 99 (both inclusive)

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/system/swapspace.nix>
services.swapspace.settings.lower_freelimit

Lower free-space threshold: if the percentage of free space drops below this number, additional swapspace is allocated

Type: integer between 0 and 99 (both inclusive)

Default: 20

Declared by:

<nixpkgs/nixos/modules/services/system/swapspace.nix>
services.swapspace.settings.max_swapsize

Greatest allowed size for individual swapfiles

Type: string

Default: "2t"

Declared by:

<nixpkgs/nixos/modules/services/system/swapspace.nix>
services.swapspace.settings.min_swapsize

Smallest allowed size for individual swapfiles

Type: string

Default: "4m"

Declared by:

<nixpkgs/nixos/modules/services/system/swapspace.nix>
services.swapspace.settings.swappath

Location where swapspace may create and delete swapfiles

Type: string

Default: "/var/lib/swapspace"

Declared by:

<nixpkgs/nixos/modules/services/system/swapspace.nix>
services.swapspace.settings.upper_freelimit

Upper free-space threshold: if the percentage of free space exceeds this number, swapspace will attempt to free up swapspace

Type: integer between 0 and 100 (both inclusive)

Default: 60

Declared by:

<nixpkgs/nixos/modules/services/system/swapspace.nix>
services.switcherooControl.enable

Whether to enable switcheroo-control, a D-Bus service to check the availability of dual-GPU.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/hardware/video/switcheroo-control.nix>
services.switcherooControl.package

The switcheroo-control package to use.

Type: package

Default: pkgs.switcheroo-control

Declared by:

<nixpkgs/nixos/modules/hardware/video/switcheroo-control.nix>
services.sympa.enable

Whether to enable Sympa mailing list manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.database.createLocally

Whether to create a local database automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.database.host

Database host address.

For MySQL, use localhost to connect using Unix domain socket.

For PostgreSQL, use path to directory (e.g. /run/postgresql) to connect using Unix domain socket located in this directory.

Use null to fall back on Sympa default, or when using services.sympa.database.createLocally.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.database.name

Database name. When using SQLite this must be an absolute path to the database file.

Type: string

Default: if database.type == "SQLite" then "/var/lib/sympa/sympa.sqlite" else "sympa"

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.database.passwordFile

A file containing the password for services.sympa.database.name.

Type: null or path

Default: null

Example: "/run/keys/sympa-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.database.port

Database port. Use null for default port.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.database.type

Database engine to use.

Type: one of “SQLite”, “PostgreSQL”, “MySQL”

Default: "SQLite"

Example: "MySQL"

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.database.user

Database user. The system user name is used as a default.

Type: null or string

Default: "sympa"

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.domains

Email domains handled by this instance. There have to be MX records for keys of this attribute set.

Type: attribute set of (submodule)

Example:

{
  "lists.example.org" = {
    webHost = "lists.example.org";
    webLocation = "/";
  };
  "sympa.example.com" = {
    webHost = "example.com";
    webLocation = "/sympa";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.domains.<name>.settings

The robot.conf configuration file as key value set. See https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html for list of configuration parameters.

Type: attribute set of (string or signed integer or boolean)

Default: { }

Example:

{
  default_max_list_members = 3;
}

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.domains.<name>.webHost

Domain part of the web interface URL (no web interface for this domain if null). DNS record of type A (or AAAA or CNAME) has to exist with this value.

Type: null or string

Default: null

Example: "archive.example.org"

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.domains.<name>.webLocation

URL path part of the web interface.

Type: string

Default: "/"

Example: "/sympa"

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.lang

Default Sympa language. See https://github.com/sympa-community/sympa/tree/sympa-6.2/po/sympa for available options.

Type: string

Default: "en_US"

Example: "cs"

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.listMasters

The list of the email addresses of the listmasters (users authorized to perform global server commands).

Type: list of string

Example:

[
  "postmaster@sympa.example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.mainDomain

Main domain to be used in sympa.conf. If null, one of the services.sympa.domains is chosen for you.

Type: null or string

Default: null

Example: "lists.example.org"

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.mta.type

Mail transfer agent (MTA) integration. Use none if you want to configure it yourself.

The postfix integration sets up local Postfix instance that will pass incoming messages from configured domains to Sympa. You still need to configure at least outgoing message handling using e.g. services.postfix.relayHost.

Type: one of “postfix”, “none”

Default: "postfix"

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.settings

The sympa.conf configuration file as key value set. See https://sympa-community.github.io/gpldoc/man/sympa.conf.5.html for list of configuration parameters.

Type: attribute set of (string or signed integer or boolean)

Default: { }

Example:

{
  default_home = "lists";
  viewlogs_page_size = 50;
}

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.settingsFile

Set of files to be linked in /var/lib/sympa.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "list_data/lists.example.org/help" = {
    text = "subject This list provides help to users";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.settingsFile.<name>.enable

Whether this file should be generated. This option allows specific files to be disabled.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.settingsFile.<name>.source

Path of the source file.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.settingsFile.<name>.text

Text of the file.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.web.enable

Whether to enable Sympa web interface.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.web.fcgiProcs

Number of FastCGI processes to fork.

Type: positive integer, meaning >0

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.web.https

Whether to use HTTPS. When nginx integration is enabled, this option forces SSL and enables ACME. Please note that Sympa web interface always uses https links even when this option is disabled.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.sympa.web.server

The webserver used for the Sympa web interface. Set it to none if you want to configure it yourself. Further nginx configuration can be done by adapting services.nginx.virtualHosts.«name».

Type: one of “nginx”, “none”

Default: "nginx"

Declared by:

<nixpkgs/nixos/modules/services/mail/sympa.nix>
services.syncoid.enable

Whether to enable Syncoid ZFS synchronization service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.package

The sanoid package to use.

Type: package

Default: pkgs.sanoid

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.commands

Syncoid commands to run.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "pool/test".target = "root@target:pool/test";
}

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.commands.<name>.extraArgs

Extra syncoid arguments for this command.

Type: list of string

Default: [ ]

Example:

[
  "--sshport 2222"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.commands.<name>.localSourceAllow

Permissions granted for the services.syncoid.user user for local source datasets. See https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html for available permissions. Defaults to services.syncoid.localSourceAllow option.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.commands.<name>.localTargetAllow

Permissions granted for the services.syncoid.user user for local target datasets. See https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html for available permissions. Make sure to include the change-key permission if you send raw encrypted datasets, the compression permission if you send raw compressed datasets, and so on. For remote target datasets you’ll have to set your remote user permissions by yourself.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.commands.<name>.recursive

Whether to enable the transfer of child datasets.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.commands.<name>.recvOptions

Advanced options to pass to zfs recv. Options are specified without their leading dashes and separated by spaces.

Type: strings concatenated with " "

Default: ""

Example: "ux recordsize o compression=lz4"

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.commands.<name>.sendOptions

Advanced options to pass to zfs send. Options are specified without their leading dashes and separated by spaces.

Type: strings concatenated with " "

Default: ""

Example: "Lc e"

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.commands.<name>.service

Systemd configuration specific to this syncoid service.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.commands.<name>.source

Source ZFS dataset. Can be either local or remote. Defaults to the attribute name.

Type: string

Example: "pool/dataset"

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.commands.<name>.sshKey

SSH private key file to use to login to the remote system. Defaults to services.syncoid.sshKey option.

Type: null or (string or path convertible to it)

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.commands.<name>.target

Target ZFS dataset. Can be either local («pool/dataset») or remote («user@server:pool/dataset»).

Type: string

Example: "user@server:pool/dataset"

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.commands.<name>.useCommonArgs

Whether to add the configured common arguments to this command.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.commonArgs

Arguments to add to every syncoid command, unless disabled for that command. See https://github.com/jimsalterjrs/sanoid/#syncoid-command-line-options for available options.

Type: list of string

Default: [ ]

Example:

[
  "--no-sync-snap"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.group

The group for the service.

Type: string

Default: "syncoid"

Example: "backup"

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.interval

Run syncoid at this interval. The default is to run hourly.

The format is described in systemd.time(7).

Type: string

Default: "hourly"

Example: "*-*-* *:15:00"

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.localSourceAllow

Permissions granted for the services.syncoid.user user for local source datasets. See https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html for available permissions.

Type: list of string

Default:

[
  "bookmark"
  "hold"
  "send"
  "snapshot"
  "destroy"
  "mount"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.localTargetAllow

Permissions granted for the services.syncoid.user user for local target datasets. See https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html for available permissions. Make sure to include the change-key permission if you send raw encrypted datasets, the compression permission if you send raw compressed datasets, and so on. For remote target datasets you’ll have to set your remote user permissions by yourself.

Type: list of string

Default:

[
  "change-key"
  "compression"
  "create"
  "mount"
  "mountpoint"
  "receive"
  "rollback"
]

Example:

[
  "create"
  "mount"
  "receive"
  "rollback"
]

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.service

Systemd configuration common to all syncoid services.

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.sshKey

SSH private key file to use to login to the remote system. Can be overridden in individual commands.

Type: null or (string or path convertible to it)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncoid.user

The user for the service. ZFS privilege delegation will be automatically configured for any local pools used by syncoid if this option is set to a user other than root. The user will be given the “hold” and “send” privileges on any pool that has datasets being sent and the “create”, “mount”, “receive”, and “rollback” privileges on any pool that has datasets being received.

Type: string

Default: "syncoid"

Example: "backup"

Declared by:

<nixpkgs/nixos/modules/services/backup/syncoid.nix>
services.syncplay.enable

If enabled, start the Syncplay server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.package

Package to use for syncplay.

Type: package

Default: pkgs.syncplay-nogui

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.certDir

TLS certificates directory to use for encryption. See https://github.com/Syncplay/syncplay/wiki/TLS-support.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.chat

Chat with users in the same room.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.extraArgs

Additional arguments to be passed to the service.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.interfaceIpv4

The IP address to bind to for IPv4. Leaving it empty defaults to using all.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.interfaceIpv6

The IP address to bind to for IPv6. Leaving it empty defaults to using all.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.ipv4Only

Listen only on IPv4 when strting the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.ipv6Only

Listen only on IPv6 when strting the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.isolateRooms

Enable room isolation.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.maxChatMessageLength

Maximum number of characters in a chat message.

Type: unsigned integer, meaning >=0

Default: 150

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.maxUsernameLength

Maximum number of characters in a username.

Type: unsigned integer, meaning >=0

Default: 16

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.motd

Text to display when users join. The motd will be readable in the nix store and the processlist. If this is not intended use motdFile instead. Will be overriden by services.syncplay.motdFile.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.motdFile

Path to text to display when users join. Will override services.syncplay.motd.

Type: null or string

Default: if services.syncplay.motd != null then (builtins.toFile "motd" services.syncplay.motd) else null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.passwordFile

Path to the file that contains the server password. If null, the server doesn’t require a password.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.permanentRooms

List of rooms that will be listed even if the room is empty. Will be overriden by services.syncplay.permanentRoomsFile.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.permanentRoomsFile

File with list of rooms that will be listed even if the room is empty, newline delimited. Will override services.syncplay.permanentRooms.

Type: null or string

Default: if services.syncplay.permanentRooms != [ ] then (builtins.toFile "perm" (builtins.concatStringsSep "\n" services.syncplay.permanentRooms)) else null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.port

TCP port to bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8999

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.ready

Check readiness of users.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.roomsDBFile

Path to SQLite database file to store room states. Relative to the working directory provided by systemd.

Type: null or string

Default: null

Example: "rooms.db"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.salt

Salt to allow room operator passwords generated by this server instance to still work when the server is restarted. The salt will be readable in the nix store and the processlist. If this is not intended use saltFile instead. Mutually exclusive with services.syncplay.saltFile.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.saltFile

Path to the file that contains the server salt. This allows room operator passwords generated by this server instance to still work when the server is restarted. null, the server doesn’t load the salt from a file. Mutually exclusive with services.syncplay.salt.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.statsDBFile

Path to SQLite database file to store stats. Relative to the working directory provided by systemd.

Type: null or string

Default: null

Example: "stats.db"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncplay.useACMEHost

If set, use NixOS-generated ACME certificate with the specified name for TLS.

Note that it requires security.acme to be setup, e.g., credentials provided if using DNS-01 validation.

Type: null or string

Default: null

Example: "syncplay.example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncplay.nix>
services.syncthing.enable

Whether to enable Syncthing, a self-hosted open-source alternative to Dropbox and Bittorrent Sync.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.package

The syncthing package to use.

Type: package

Default: pkgs.syncthing

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.all_proxy

Overwrites the all_proxy environment variable for the Syncthing process to the given value. This is normally used to let Syncthing connect through a SOCKS5 proxy server. See https://docs.syncthing.net/users/proxying.html.

Type: null or string

Default: null

Example: "socks5://address.com:1234"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.cert

Path to the cert.pem file, which will be copied into Syncthing’s configDir.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.configDir

The path where the settings and keys will exist.

Type: path

Default:

  • if stateVersion >= 19.03:

    config.services.syncthing.dataDir + "/.config/syncthing"
    
  • otherwise:

    config.services.syncthing.dataDir
    

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.dataDir

The path where synchronised directories will exist.

Type: path

Default: "/var/lib/syncthing"

Example: "/home/yourUser"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.databaseDir

The directory containing the database and logs.

Type: path

Default: config.services.syncthing.configDir

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.extraFlags

Extra flags passed to the syncthing command in the service definition.

Type: list of string

Default: [ ]

Example:

[
  "--reset-deltas"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.group

The group to run Syncthing under. By default, a group named syncthing will be created.

Type: string

Default: "syncthing"

Example: "yourGroup"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.guiAddress

The address to serve the web interface at.

Type: string

Default: "127.0.0.1:8384"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.key

Path to the key.pem file, which will be copied into Syncthing’s configDir.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.openDefaultPorts

Whether to open the default ports in the firewall: TCP/UDP 22000 for transfers and UDP 21027 for discovery.

If multiple users are running Syncthing on this machine, you will need to manually open a set of ports for each instance and leave this disabled. Alternatively, if you are running only a single instance on this machine using the default ports, enable this.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.overrideDevices

Whether to delete the devices which are not configured via the devices option. If set to false, devices added via the web interface will persist and will have to be deleted manually.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.overrideFolders

Whether to delete the folders which are not configured via the folders option. If set to false, folders added via the web interface will persist and will have to be deleted manually.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.relay.enable

Whether to enable Syncthing relay service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing-relay.nix>
services.syncthing.relay.extraOptions

Extra command line arguments to pass to strelaysrv.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing-relay.nix>
services.syncthing.relay.globalRateBps

Global bandwidth rate limit in bytes per second.

Type: null or (positive integer, meaning >0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing-relay.nix>
services.syncthing.relay.listenAddress

Address to listen on for relay traffic.

Type: string

Default: ""

Example: "1.2.3.4"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing-relay.nix>
services.syncthing.relay.perSessionRateBps

Per session bandwidth rate limit in bytes per second.

Type: null or (positive integer, meaning >0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing-relay.nix>
services.syncthing.relay.pools

Relay pools to join. If null, uses the default global pool.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing-relay.nix>
services.syncthing.relay.port

Port to listen on for relay traffic. This port should be added to networking.firewall.allowedTCPPorts.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 22067

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing-relay.nix>
services.syncthing.relay.providedBy

Human-readable description of the provider of the relay (you).

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing-relay.nix>
services.syncthing.relay.statusListenAddress

Address to listen on for serving the relay status API.

Type: string

Default: ""

Example: "1.2.3.4"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing-relay.nix>
services.syncthing.relay.statusPort

Port to listen on for serving the relay status API. This port should be added to networking.firewall.allowedTCPPorts.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 22070

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing-relay.nix>
services.syncthing.settings

Extra configuration options for Syncthing. See https://docs.syncthing.net/users/config.html. Note that this attribute set does not exactly match the documented xml format. Instead, this is the format of the json rest api. There are slight differences. For example, this xml:

<options>
  <listenAddress>default</listenAddress>
  <minHomeDiskFree unit="%">1</minHomeDiskFree>
</options>

corresponds to the json:

{
  options: {
    listenAddresses = [
      "default"
    ];
    minHomeDiskFree = {
      unit = "%";
      value = 1;
    };
  };
}

Type: JSON value

Default: { }

Example:

{
  gui = {
    theme = "black";
  };
  options = {
    localAnnounceEnabled = false;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.devices

Peers/devices which Syncthing should communicate with.

Note that you can still add devices manually, but those changes will be reverted on restart if overrideDevices is enabled.

Type: attribute set of (JSON value)

Default: { }

Example:

{
  bigbox = {
    addresses = [
      "tcp://192.168.0.10:51820"
    ];
    id = "7CFNTQM-IMTJBHJ-3UWRDIU-ZGQJFR6-VCXZ3NB-XUH3KZO-N52ITXR-LAIYUAU";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.devices.<name>.autoAcceptFolders

Automatically create or share folders that this device advertises at the default path. See https://docs.syncthing.net/users/config.html?highlight=autoaccept#config-file-format.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.devices.<name>.id

The device ID. See https://docs.syncthing.net/dev/device-ids.html.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.devices.<name>.name

The name of the device.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.folders

Folders which should be shared by Syncthing.

Note that you can still add folders manually, but those changes will be reverted on restart if overrideFolders is enabled.

Type: attribute set of (JSON value)

Default: { }

Example:

{
  "/home/user/sync" = {
    id = "syncme";
    devices = [ "bigbox" ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.folders.<name>.enable

Whether to share this folder. This option is useful when you want to define all folders in one place, but not every machine should share all folders.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.folders.<name>.copyOwnershipFromParent

On Unix systems, tries to copy file/folder ownership from the parent directory (the directory it’s located in). Requires running Syncthing as a privileged user, or granting it additional capabilities (e.g. CAP_CHOWN on Linux).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.folders.<name>.devices

The devices this folder should be shared with. Each device must be defined in the devices option.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.folders.<name>.id

The ID of the folder. Must be the same on all devices.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.folders.<name>.label

The label of the folder.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.folders.<name>.path

The path to the folder which should be shared. Only absolute paths (starting with /) and paths relative to the user’s home directory (starting with ~/) are allowed.

Type: string starting with / or ~/

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.folders.<name>.type

Controls how the folder is handled by Syncthing. See https://docs.syncthing.net/users/config.html#config-option-folder.type.

Type: one of “sendreceive”, “sendonly”, “receiveonly”, “receiveencrypted”

Default: "sendreceive"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.folders.<name>.versioning

How to keep changed/deleted files with Syncthing. There are 4 different types of versioning with different parameters. See https://docs.syncthing.net/users/versioning.html.

Type: null or (JSON value)

Default: null

Example:

[
  {
    versioning = {
      type = "simple";
      params.keep = "10";
    };
  }
  {
    versioning = {
      type = "trashcan";
      params.cleanoutDays = "1000";
    };
  }
  {
    versioning = {
      type = "staggered";
      fsPath = "/syncthing/backup";
      params = {
        cleanInterval = "3600";
        maxAge = "31536000";
      };
    };
  }
  {
    versioning = {
      type = "external";
      params.versionsPath = pkgs.writers.writeBash "backup" ''
        folderpath="$1"
        filepath="$2"
        rm -rf "$folderpath/$filepath"
      '';
    };
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.folders.<name>.versioning.type

The type of versioning. See https://docs.syncthing.net/users/versioning.html.

Type: one of “external”, “simple”, “staggered”, “trashcan”

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.options

The options element contains all other global configuration options

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.options.limitBandwidthInLan

Whether to apply bandwidth limits to devices in the same broadcast domain as the local device.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.options.localAnnounceEnabled

Whether to send announcements to the local LAN, also use such announcements to find other devices.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.options.localAnnouncePort

The port on which to listen and send IPv4 broadcast announcements to.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.options.maxFolderConcurrency

This option controls how many folders may concurrently be in I/O-intensive operations such as syncing or scanning. The mechanism is described in detail in a separate chapter.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.options.relaysEnabled

When true, relays will be connected to and potentially used for device to device connections.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.settings.options.urAccepted

Whether the user has accepted to submit anonymous usage data. The default, 0, mean the user has not made a choice, and Syncthing will ask at some point in the future. “-1” means no, a number above zero means that that version of usage reporting has been accepted.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.systemService

Whether to auto-launch Syncthing as a system service.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.syncthing.user

The user to run Syncthing as. By default, a user named syncthing will be created whose home directory is dataDir.

Type: string

Default: "syncthing"

Example: "yourUser"

Declared by:

<nixpkgs/nixos/modules/services/networking/syncthing.nix>
services.synergy.client.enable

Whether to enable the Synergy client (receive keyboard and mouse events from a Synergy server).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/synergy.nix>
services.synergy.client.autoStart

Whether the Synergy client should be started automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/synergy.nix>
services.synergy.client.screenName

Use the given name instead of the hostname to identify ourselves to the server.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/synergy.nix>
services.synergy.client.serverAddress

The server address is of the form: [hostname][:port]. The hostname must be the address or hostname of the server. The port overrides the default port, 24800.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/misc/synergy.nix>
services.synergy.server.enable

Whether to enable the Synergy server (send keyboard and mouse events).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/synergy.nix>
services.synergy.server.address

Address on which to listen for clients.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/synergy.nix>
services.synergy.server.autoStart

Whether the Synergy server should be started automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/synergy.nix>
services.synergy.server.configFile

The Synergy server configuration file.

Type: path

Default: "/etc/synergy-server.conf"

Declared by:

<nixpkgs/nixos/modules/services/misc/synergy.nix>
services.synergy.server.screenName

Use the given name instead of the hostname to identify this screen in the configuration.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/synergy.nix>
services.synergy.server.tls.enable

Whether TLS encryption should be used.

Using this requires a TLS certificate that can be generated by starting the Synergy GUI once and entering a valid product key.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/synergy.nix>
services.synergy.server.tls.cert

The TLS certificate to use for encryption.

Type: null or string

Default: null

Example: "~/.synergy/SSL/Synergy.pem"

Declared by:

<nixpkgs/nixos/modules/services/misc/synergy.nix>
services.syslog-ng.enable

Whether to enable the syslog-ng daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/syslog-ng.nix>
services.syslog-ng.package

The syslogng package to use.

Type: package

Default: pkgs.syslogng

Declared by:

<nixpkgs/nixos/modules/services/logging/syslog-ng.nix>
services.syslog-ng.configHeader

The very first lines of the configuration file. Should usually contain the syslog-ng version header.

Type: strings concatenated with “\n”

Default:

''
  @version: 4.4
  @include "scl.conf"
''

Declared by:

<nixpkgs/nixos/modules/services/logging/syslog-ng.nix>
services.syslog-ng.extraConfig

Configuration added to the end of syslog-ng.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/logging/syslog-ng.nix>
services.syslog-ng.extraModulePaths

A list of paths that should be included in syslog-ng’s --module-path option. They should usually end in /lib/syslog-ng

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/logging/syslog-ng.nix>
services.syslogd.enable

Whether to enable syslogd. Note that systemd also logs syslog messages, so you normally don’t need to run syslogd.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/syslogd.nix>
services.syslogd.enableNetworkInput

Accept logging through UDP. Option -r of syslogd(8).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/syslogd.nix>
services.syslogd.defaultConfig

The default syslog.conf file configures a fairly standard setup of log files, which can be extended by means of extraConfig.

Type: strings concatenated with “\n”

Default:

''
  # Send emergency messages to all users.
  *.emerg                       *
  
  # "local1" is used for dhcpd messages.
  local1.*                     -/var/log/dhcpd
  
  mail.*                       -/var/log/mail
  
  *.=warning;*.=err            -/var/log/warn
  *.crit                        /var/log/warn
  
  *.*;mail.none;local1.none    -/var/log/messages
''

Declared by:

<nixpkgs/nixos/modules/services/logging/syslogd.nix>
services.syslogd.extraConfig

Additional text appended to syslog.conf, i.e. the contents of defaultConfig.

Type: strings concatenated with “\n”

Default: ""

Example: "news.* -/var/log/news"

Declared by:

<nixpkgs/nixos/modules/services/logging/syslogd.nix>
services.syslogd.extraParams

Additional parameters passed to syslogd.

Type: list of string

Default: [ ]

Example:

[
  "-m 0"
]

Declared by:

<nixpkgs/nixos/modules/services/logging/syslogd.nix>
services.syslogd.tty

The tty device on which syslogd will print important log messages. Leave this option blank to disable tty logging.

Type: string

Default: "tty10"

Declared by:

<nixpkgs/nixos/modules/services/logging/syslogd.nix>
services.sysprof.enable

Whether to enable sysprof profiling daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/sysprof.nix>
services.sysstat.enable

Whether to enable sar system activity collection.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/sysstat.nix>
services.sysstat.collect-args

Arguments to pass sa1 when collecting statistics

Type: string

Default: "1 1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/sysstat.nix>
services.sysstat.collect-frequency

OnCalendar specification for sysstat-collect

Type: string

Default: "*:00/10"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/sysstat.nix>
services.system-config-printer.enable

Whether to enable system-config-printer, a service for CUPS administration used by printing interfaces.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/system-config-printer.nix>
services.system76-scheduler.enable

Whether to enable system76-scheduler.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.package

Which System76-Scheduler package to use.

Type: package

Default: pkgs.system76-scheduler

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.assignments

Process profile assignments.

Type: attribute set of (submodule)

Default: { }

Example:

{
  nix-builds = {
    nice = 15;
    class = "batch";
    ioClass = "idle";
    matchers = [
      "nix-daemon"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.assignments.<name>.class

CPU scheduler class.

Type: null or one of “idle”, “batch”, “other”, “rr”, “fifo”

Default: null

Example: "batch"

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.assignments.<name>.ioClass

IO scheduler class.

Type: null or one of “idle”, “best-effort”, “realtime”

Default: null

Example: "best-effort"

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.assignments.<name>.ioPrio

IO scheduler priority.

Type: null or integer between 0 and 7 (both inclusive)

Default: null

Example: 4

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.assignments.<name>.matchers

Process matchers.

Type: null or (list of string)

Default: [ ]

Example:

[
  "include cgroup=\"/user.slice/*.service\" parent=\"systemd\""
  "emacs"
]

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.assignments.<name>.nice

Niceness.

Type: null or integer between -20 and 19 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.assignments.<name>.prio

CPU scheduler priority.

Type: null or integer between 1 and 99 (both inclusive)

Default: null

Example: 49

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.exceptions

Processes that are left alone.

Type: list of string

Default: [ ]

Example:

[
  "include descends=\"schedtool\""
  "schedtool"
]

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.cfsProfiles.enable

Tweak CFS latency parameters when going on/off battery

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.cfsProfiles.default.bandwidth-size

sched_cfs_bandwidth_slice_us.

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.cfsProfiles.default.latency

sched_latency_ns.

Type: signed integer

Default: 6

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.cfsProfiles.default.nr-latency

sched_nr_latency.

Type: signed integer

Default: 8

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.cfsProfiles.default.preempt

Preemption mode.

Type: one of “none”, “voluntary”, “full”

Default: "voluntary"

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.cfsProfiles.default.wakeup-granularity

sched_wakeup_granularity_ns.

Type: floating point number

Default: 1.0

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.cfsProfiles.responsive.bandwidth-size

sched_cfs_bandwidth_slice_us.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.cfsProfiles.responsive.latency

sched_latency_ns.

Type: signed integer

Default: 4

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.cfsProfiles.responsive.nr-latency

sched_nr_latency.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.cfsProfiles.responsive.preempt

Preemption mode.

Type: one of “none”, “voluntary”, “full”

Default: "full"

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.cfsProfiles.responsive.wakeup-granularity

sched_wakeup_granularity_ns.

Type: floating point number

Default: 0.5

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.enable

Tweak scheduling of individual processes in real time.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.foregroundBoost.enable

Boost foreground process priorities.

(And de-boost background ones). Note that this option needs cooperation from the desktop environment to work. On Gnome the client side is implemented by the “System76 Scheduler” shell extension.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.foregroundBoost.background.class

CPU scheduler class.

Type: null or one of “idle”, “batch”, “other”, “rr”, “fifo”

Default: null

Example: "batch"

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.foregroundBoost.background.ioClass

IO scheduler class.

Type: null or one of “idle”, “best-effort”, “realtime”

Default: "idle"

Example: "best-effort"

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.foregroundBoost.background.ioPrio

IO scheduler priority.

Type: null or integer between 0 and 7 (both inclusive)

Default: null

Example: 4

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.foregroundBoost.background.matchers

Process matchers.

Type: null or (list of string)

Default: [ ]

Example:

[
  "include cgroup=\"/user.slice/*.service\" parent=\"systemd\""
  "emacs"
]

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.foregroundBoost.background.nice

Niceness.

Type: null or integer between -20 and 19 (both inclusive)

Default: 6

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.foregroundBoost.background.prio

CPU scheduler priority.

Type: null or integer between 1 and 99 (both inclusive)

Default: null

Example: 49

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.foregroundBoost.foreground.class

CPU scheduler class.

Type: null or one of “idle”, “batch”, “other”, “rr”, “fifo”

Default: null

Example: "batch"

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.foregroundBoost.foreground.ioClass

IO scheduler class.

Type: null or one of “idle”, “best-effort”, “realtime”

Default: "best-effort"

Example: "best-effort"

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.foregroundBoost.foreground.ioPrio

IO scheduler priority.

Type: null or integer between 0 and 7 (both inclusive)

Default: 0

Example: 4

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.foregroundBoost.foreground.matchers

Process matchers.

Type: null or (list of string)

Default: [ ]

Example:

[
  "include cgroup=\"/user.slice/*.service\" parent=\"systemd\""
  "emacs"
]

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.foregroundBoost.foreground.nice

Niceness.

Type: null or integer between -20 and 19 (both inclusive)

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.foregroundBoost.foreground.prio

CPU scheduler priority.

Type: null or integer between 1 and 99 (both inclusive)

Default: null

Example: 49

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.pipewireBoost.enable

Boost Pipewire client priorities.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.pipewireBoost.profile.class

CPU scheduler class.

Type: null or one of “idle”, “batch”, “other”, “rr”, “fifo”

Default: null

Example: "batch"

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.pipewireBoost.profile.ioClass

IO scheduler class.

Type: null or one of “idle”, “best-effort”, “realtime”

Default: "best-effort"

Example: "best-effort"

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.pipewireBoost.profile.ioPrio

IO scheduler priority.

Type: null or integer between 0 and 7 (both inclusive)

Default: 0

Example: 4

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.pipewireBoost.profile.matchers

Process matchers.

Type: null or (list of string)

Default: [ ]

Example:

[
  "include cgroup=\"/user.slice/*.service\" parent=\"systemd\""
  "emacs"
]

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.pipewireBoost.profile.nice

Niceness.

Type: null or integer between -20 and 19 (both inclusive)

Default: -6

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.pipewireBoost.profile.prio

CPU scheduler priority.

Type: null or integer between 1 and 99 (both inclusive)

Default: null

Example: 49

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.refreshInterval

Process list poll interval, in seconds

Type: signed integer

Default: 60

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.settings.processScheduler.useExecsnoop

Use execsnoop (otherwise poll the precess list periodically).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.system76-scheduler.useStockConfig

Use the (reasonable and featureful) stock configuration.

When this option is true, services.system76-scheduler.settings are ignored.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/system76-scheduler.nix>
services.systembus-notify.enable

Whether to enable System bus notification support

WARNING: enabling this option (while convenient) should not be done on a machine where you do not trust the other users as it allows any other local user to DoS your session by spamming notifications .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/system/systembus-notify.nix>
services.systemd-lock-handler.enable

Whether to enable systemd-lock-handler.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/system/systemd-lock-handler.nix>
services.systemd-lock-handler.package

The systemd-lock-handler package to use.

Type: package

Default: pkgs.systemd-lock-handler

Declared by:

<nixpkgs/nixos/modules/services/system/systemd-lock-handler.nix>
services.tabby.enable

Whether to enable Self-hosted AI coding assistant using large language models.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/tabby.nix>
services.tabby.package

The tabby package to use.

Type: package

Default: pkgs.tabby

Declared by:

<nixpkgs/nixos/modules/services/misc/tabby.nix>
services.tabby.acceleration

Specifies the device to use for hardware acceleration.

  • cpu: no acceleration just use the CPU

  • rocm: supported by modern AMD GPUs

  • cuda: supported by modern NVIDIA GPUs

  • metal: supported on darwin aarch64 machines

Tabby will try and determine what type of acceleration that is already enabled in your configuration when acceleration = null.

  • nixpkgs.config.cudaSupport

  • nixpkgs.config.rocmSupport

  • if stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64

IFF multiple acceleration methods are found to be enabled or if you haven’t set either cudaSupport or rocmSupport you will have to specify the device type manually here otherwise it will default to the first from the list above or to cpu.

Type: null or one of “cpu”, “rocm”, “cuda”, “metal”

Default: null

Example: "rocm"

Declared by:

<nixpkgs/nixos/modules/services/misc/tabby.nix>
services.tabby.indexInterval

Run tabby scheduler to generate the index database at this interval. Updates by default every 5 hours. This value applies to OnUnitInactiveSec

The format is described in systemd.time(7).

To disable running tabby scheduler --now updates, set to "never"

Type: string

Default: "5hours"

Example: "5hours"

Declared by:

<nixpkgs/nixos/modules/services/misc/tabby.nix>
services.tabby.model

Specify the model that tabby will use to generate completions.

This model will be downloaded automatically if it is not already present.

If you want to utilize an existing model that you’ve already downloaded you’ll need to move it into tabby’s state directory which lives in /var/lib/tabby. Because the tabby.service is configured to use a DynamicUser the service will need to have been started at least once before you can move the locally existing model into /var/lib/tabby. You can set the model to ‘none’ and tabby will startup and fail to download a model, but will have created the /var/lib/tabby directory. You can then copy over the model manually into /var/lib/tabby, update the model option to the name you just downloaded and copied over then nixos-rebuild switch to start using it.

$ tabby download --model TabbyML/DeepseekCoder-6.7B $ find ~/.tabby/ | tail -n1 /home/ghthor/.tabby/models/TabbyML/DeepseekCoder-6.7B/ggml/q8_0.v2.gguf $ sudo rsync -r ~/.tabby/models/ /var/lib/tabby/models/ $ sudo chown -R tabby:tabby /var/lib/tabby/models/

See for Model Options:

https://github.com/TabbyML/registry-tabby

Type: string

Default: "TabbyML/StarCoder-1B"

Declared by:

<nixpkgs/nixos/modules/services/misc/tabby.nix>
services.tabby.port

Specifies the bind port on which the tabby server HTTP interface listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 11029

Declared by:

<nixpkgs/nixos/modules/services/misc/tabby.nix>
services.tabby.settings

Tabby scheduler configuration

See for more details:

https://tabby.tabbyml.com/docs/configuration/#repository-context-for-code-completion

Type: TOML value

Default: { }

Example:

settings = {
  repositories = [
    { name = "tabby"; git_url = "https://github.com/TabbyML/tabby.git"; }
    { name = "CTranslate2"; git_url = "git@github.com:OpenNMT/CTranslate2.git"; }

    # local directory is also supported, but limited by systemd DynamicUser=1
    # adding local repositories will need to be done manually
    { name = "repository_a"; git_url = "file:///var/lib/tabby/repository_a"; }
  ];
};

Declared by:

<nixpkgs/nixos/modules/services/misc/tabby.nix>
services.tabby.usageCollection

Enable sending anonymous usage data.

See for more details:

https://tabby.tabbyml.com/docs/configuration#usage-collection

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/tabby.nix>
services.tahoe.introducers

The Tahoe introducers.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.introducers.<name>.package

The tahoelafs package to use.

Type: package

Default: pkgs.tahoelafs

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.introducers.<name>.nickname

The nickname of this Tahoe introducer.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.introducers.<name>.tub.location

The external location that the introducer should listen on.

If specified, the port should be included.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.introducers.<name>.tub.port

The port on which the introducer will listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3458

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes

The Tahoe nodes.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.package

The tahoelafs package to use.

Type: package

Default: pkgs.tahoelafs

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.client.helper

The furl for a Tahoe helper node.

Like all furls, keep this safe and don’t share it.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.client.introducer

The furl for a Tahoe introducer node.

Like all furls, keep this safe and don’t share it.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.client.shares.happy

The number of distinct storage nodes required to store a file.

Type: signed integer

Default: 7

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.client.shares.needed

The number of shares required to reconstitute a file.

Type: signed integer

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.client.shares.total

The number of shares required to store a file.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.helper.enable

Whether to enable helper service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.nickname

The nickname of this Tahoe node.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.sftpd.enable

Whether to enable SFTP service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.sftpd.accounts.file

Path to the accounts file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.sftpd.accounts.url

URL of the accounts server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.sftpd.hostPrivateKeyFile

Path to the SSH host private key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.sftpd.hostPublicKeyFile

Path to the SSH host public key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.sftpd.port

The port on which the SFTP server will listen.

This is the correct setting to tweak if you want Tahoe’s SFTP daemon to listen on a different port.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.storage.enable

Whether to enable storage service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.storage.reservedSpace

The amount of filesystem space to not use for storage.

Type: string

Default: "1G"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.tub.location

The external location that the node should listen on.

This is the setting to tweak if there are multiple interfaces and you want to alter which interface Tahoe is advertising.

If specified, the port should be included.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.tub.port

The port on which the tub will listen.

This is the correct setting to tweak if you want Tahoe’s storage system to listen on a different port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3457

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tahoe.nodes.<name>.web.port

The port on which the Web server will listen.

This is the correct setting to tweak if you want Tahoe’s WUI to listen on a different port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3456

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/tahoe.nix>
services.tailscale.enable

Whether to enable Tailscale client daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.package

The tailscale package to use.

Type: package

Default: pkgs.tailscale

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.authKeyFile

A file containing the auth key. Tailscale will be automatically started if provided.

Type: null or path

Default: null

Example: "/run/secrets/tailscale_key"

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.authKeyParameters

Extra parameters to pass after the auth key. See https://tailscale.com/kb/1215/oauth-clients#registering-new-nodes-using-oauth-credentials

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.authKeyParameters.baseURL

Base URL for the Tailscale API.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.authKeyParameters.ephemeral

Whether to register as an ephemeral node.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.authKeyParameters.preauthorized

Whether to skip manual device approval.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.derper.enable

Whether to enable Tailscale Derper. See upstream doc https://tailscale.com/kb/1118/custom-derp-servers how to configure it on clients.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale-derper.nix>
services.tailscale.derper.package

The derper package to use.

Type: package

Default: pkgs.tailscale.derper

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale-derper.nix>
services.tailscale.derper.domain

Domain name under which the derper server is reachable.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale-derper.nix>
services.tailscale.derper.openFirewall

Whether to open the firewall for the specified port. Derper requires the used ports to be opened, otherwise it doesn’t work as expected.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale-derper.nix>
services.tailscale.derper.port

The port the derper process will listen on. This is not the port tailscale will connect to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8010

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale-derper.nix>
services.tailscale.derper.stunPort

STUN port to listen on. See online docs https://tailscale.com/kb/1118/custom-derp-servers#prerequisites on how to configure a different external port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3478

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale-derper.nix>
services.tailscale.derper.verifyClients

Whether to verify clients against a locally running tailscale daemon if they are allowed to connect to this node or not.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale-derper.nix>
services.tailscale.disableTaildrop

Whether to disable the Taildrop feature for sending files between nodes.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.extraDaemonFlags

Extra flags to pass to tailscaled.

Type: list of string

Default: [ ]

Example:

[
  "--no-logs-no-support"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.extraSetFlags

Extra flags to pass to tailscale set.

Type: list of string

Default: [ ]

Example:

[
  "--advertise-exit-node"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.extraUpFlags

Extra flags to pass to tailscale up. Only applied if authKeyFile is specified.";

Type: list of string

Default: [ ]

Example:

[
  "--ssh"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.interfaceName

The interface name for tunnel traffic. Use “userspace-networking” (beta) to not use TUN.

Type: string

Default: "tailscale0"

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.openFirewall

Whether to open the firewall for the specified port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.permitCertUid

Username or user ID of the user allowed to to fetch Tailscale TLS certificates for the node.

Type: null or non-empty string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.port

The port to listen on for tunnel traffic (0=autoselect).

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 41641

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscale.useRoutingFeatures

Enables settings required for Tailscale’s routing features like subnet routers and exit nodes.

To use these these features, you will still need to call sudo tailscale up with the relevant flags like --advertise-exit-node and --exit-node.

When set to client or both, reverse path filtering will be set to loose instead of strict. When set to server or both, IP forwarding will be enabled.

Type: one of “none”, “client”, “server”, “both”

Default: "none"

Example: "server"

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale.nix>
services.tailscaleAuth.enable

Whether to enable tailscale.nginx-auth, to authenticate users via tailscale.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale-auth.nix>
services.tailscaleAuth.package

The tailscale-nginx-auth package to use.

Type: package

Default: pkgs.tailscale-nginx-auth

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale-auth.nix>
services.tailscaleAuth.group

Group which runs tailscale-nginx-auth

Type: string

Default: "tailscale-nginx-auth"

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale-auth.nix>
services.tailscaleAuth.socketPath

Path of the socket listening to authorization requests.

Type: path

Default: "/run/tailscale-nginx-auth/tailscale-nginx-auth.sock"

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale-auth.nix>
services.tailscaleAuth.user

User which runs tailscale-nginx-auth

Type: string

Default: "tailscale-nginx-auth"

Declared by:

<nixpkgs/nixos/modules/services/networking/tailscale-auth.nix>
services.tandoor-recipes.enable

Enable Tandoor Recipes.

When started, the Tandoor Recipes database is automatically created if it doesn’t exist and updated if the package has changed. Both tasks are achieved by running a Django migration.

A script to manage the instance (by wrapping Django’s manage.py) is linked to /var/lib/tandoor-recipes/tandoor-recipes-manage.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix>
services.tandoor-recipes.package

The tandoor-recipes package to use.

Type: package

Default: pkgs.tandoor-recipes

Declared by:

<nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix>
services.tandoor-recipes.address

Web interface address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix>
services.tandoor-recipes.extraConfig

Extra tandoor recipes config options.

See the example dot-env file for available options.

Type: attribute set

Default: { }

Example:

{
  ENABLE_SIGNUP = "1";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix>
services.tandoor-recipes.port

Web interface port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/misc/tandoor-recipes.nix>
services.tang.enable

Whether to enable tang.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/tang.nix>
services.tang.package

The tang package to use.

Type: package

Default: pkgs.tang

Declared by:

<nixpkgs/nixos/modules/services/security/tang.nix>
services.tang.ipAddressAllow

Whitelist a list of address prefixes. Preferably, internal addresses should be used.

Type: list of string

Example:

[
  "192.168.1.0/24"
]

Declared by:

<nixpkgs/nixos/modules/services/security/tang.nix>
services.tang.listenStream

Addresses and/or ports on which tang should listen. For detailed syntax see ListenStream in systemd.socket(5).

Type: list of string

Default:

[
  "7654"
]

Example:

[
  "198.168.100.1:7654"
  "[2001:db8::1]:7654"
  "7654"
]

Declared by:

<nixpkgs/nixos/modules/services/security/tang.nix>
services.target.enable

Whether to enable the kernel’s LIO iscsi target.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/target.nix>
services.target.config

Content of /etc/target/saveconfig.json This file is normally read and written by targetcli

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/iscsi/target.nix>
services.tarsnap.enable

Whether to enable periodic tarsnap backups.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.package

The tarsnap package to use.

Type: package

Default: pkgs.tarsnap

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives

Tarsnap archive configurations. Each attribute names an archive to be created at a given time interval, according to the options associated with it. When uploading to the tarsnap server, archive names are suffixed by a 1 second resolution timestamp, with the format %Y%m%d%H%M%S.

For each member of the set is created a timer which triggers the instanced tarsnap-archive-name service unit. You may use systemctl start tarsnap-archive-name to manually trigger creation of archive-name at any time.

Type: attribute set of (submodule)

Default: { }

Example:

{
  nixos =
    { directories = [ "/home" "/root/ssl" ];
    };

  gamedata =
    { directories = [ "/var/lib/minecraft" ];
      period      = "*:30";
    };
}

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.aggressiveNetworking

Upload data over multiple TCP connections, potentially increasing tarsnap’s bandwidth utilisation at the cost of slowing down all other network traffic. Not recommended unless TCP congestion is the dominant limiting factor.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.cachedir

The cache allows tarsnap to identify previously stored data blocks, reducing archival time and bandwidth usage.

Should the cache become desynchronized or corrupted, tarsnap will refuse to run until you manually rebuild the cache with tarsnap --fsck.

Set to null to disable caching.

Type: null or path

Default:

"/var/cache/tarsnap/${utils.escapeSystemdPath config.services.tarsnap.archives.<name>.keyfile}"

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.checkpointBytes

Create a checkpoint every checkpointBytes of uploaded data (optionally specified using an SI prefix).

1GB is the minimum value. A higher value is recommended, as checkpointing is expensive.

Set to null to disable checkpointing.

Type: null or string

Default: "1GB"

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.directories

List of filesystem paths to archive.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.excludes

Exclude files and directories matching these patterns.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.explicitSymlinks

Whether to follow symlinks specified as archives.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.followSymlinks

Whether to follow all symlinks in archive trees.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.includes

Include only files and directories matching these patterns (the empty list includes everything).

Exclusions have precedence over inclusions.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.keyfile

Set a specific keyfile for this archive. This defaults to "/root/tarsnap.key" if left unspecified.

Use this option if you want to run multiple backups concurrently - each archive must have a unique key. You can generate a write-only key derived from your master key (which is recommended) using tarsnap-keymgmt(1).

Note: every archive must have an individual master key. You must generate multiple keys with tarsnap-keygen(1), and then generate write only keys from those.

The keyfile name should be given as a string and not a path, to avoid the key being copied into the Nix store.

Type: string

Default: config.services.tarsnap.keyfile

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.lowmem

Reduce memory consumption by not caching small files. Possibly beneficial if the average file size is smaller than 1 MB and the number of files is lower than the total amount of RAM in KB.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.maxbw

Abort archival if upstream bandwidth usage in bytes exceeds this threshold.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.maxbwRateDown

Download bandwidth rate limit in bytes.

Type: null or signed integer

Default: null

Example: 50 * 1000

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.maxbwRateUp

Upload bandwidth rate limit in bytes.

Type: null or signed integer

Default: null

Example: 25 * 1000

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.nodump

Exclude files with the nodump flag.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.period

Create archive at this interval.

The format is described in systemd.time(7).

Type: string

Default: "01:15"

Example: "hourly"

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.printStats

Print global archive statistics upon completion. The output is available via systemctl status tarsnap-archive-name.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.verbose

Whether to produce verbose logging output.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.archives.<name>.verylowmem

Reduce memory consumption by a factor of 2 beyond what lowmem does, at the cost of significantly slowing down the archiving process.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.tarsnap.keyfile

The keyfile which associates this machine with your tarsnap account. Create the keyfile with tarsnap-keygen.

Note that each individual archive (specified below) may also have its own individual keyfile specified. Tarsnap does not allow multiple concurrent backups with the same cache directory and key (starting a new backup will cause another one to fail). If you have multiple archives specified, you should either spread out your backups to be far apart, or specify a separate key for each archive. By default every archive defaults to using "/root/tarsnap.key".

It’s recommended for backups that you generate a key for every archive using tarsnap-keygen(1), and then generate a write-only tarsnap key using tarsnap-keymgmt(1), and keep your master key(s) for a particular machine off-site.

The keyfile name should be given as a string and not a path, to avoid the key being copied into the Nix store.

Type: string

Default: "/root/tarsnap.key"

Declared by:

<nixpkgs/nixos/modules/services/backup/tarsnap.nix>
services.taskchampion-sync-server.enable

Whether to enable TaskChampion Sync Server for Taskwarrior 3.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/taskchampion-sync-server.nix>
services.taskchampion-sync-server.package

The taskchampion-sync-server package to use.

Type: package

Default: pkgs.taskchampion-sync-server

Declared by:

<nixpkgs/nixos/modules/services/misc/taskchampion-sync-server.nix>
services.taskchampion-sync-server.dataDir

Directory in which to store data

Type: path

Default: "/var/lib/taskchampion-sync-server"

Declared by:

<nixpkgs/nixos/modules/services/misc/taskchampion-sync-server.nix>
services.taskchampion-sync-server.group

Unix Group to run the server under

Type: string

Default: "taskchampion"

Declared by:

<nixpkgs/nixos/modules/services/misc/taskchampion-sync-server.nix>
services.taskchampion-sync-server.openFirewall

Whether to enable Open firewall port for taskchampion-sync-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/taskchampion-sync-server.nix>
services.taskchampion-sync-server.port

Port on which to serve

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 10222

Declared by:

<nixpkgs/nixos/modules/services/misc/taskchampion-sync-server.nix>
services.taskchampion-sync-server.snapshot.days

Target number of days between snapshots

Type: positive integer, meaning >0

Default: 14

Declared by:

<nixpkgs/nixos/modules/services/misc/taskchampion-sync-server.nix>
services.taskchampion-sync-server.snapshot.versions

Target number of versions between snapshots

Type: positive integer, meaning >0

Default: 100

Declared by:

<nixpkgs/nixos/modules/services/misc/taskchampion-sync-server.nix>
services.taskchampion-sync-server.user

Unix User to run the server under

Type: string

Default: "taskchampion"

Declared by:

<nixpkgs/nixos/modules/services/misc/taskchampion-sync-server.nix>
services.taskserver.enable

Whether to enable the Taskwarrior 2 server.

More instructions about NixOS in conjunction with Taskserver can be found in the NixOS manual.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.allowedClientIDs

A list of regular expressions that are matched against the reported client id (such as task 2.3.0).

The values all or none have special meaning. Overridden by any entry in the option services.taskserver.disallowedClientIDs.

Type: string or list of string

Default: [ ]

Example:

[
  "[Tt]ask [2-9]+"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.ciphers

List of GnuTLS ciphers to use. See the GnuTLS documentation about priority strings at https://gnutls.org/manual/html_node/Priority-Strings.html for full details.

Type: null or strings concatenated with “:”

Default: null

Example: "NORMAL:-VERS-SSL3.0"

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.config

Configuration options to pass to Taskserver.

The options here are the same as described in taskdrc(5) from the taskwarrior2 package, but with one difference:

The server option is server.listen here, because the server option would collide with other options like server.cert and we would run in a type error (attribute set versus string).

Nix types like integers or booleans are automatically converted to the right values Taskserver would expect.

Type: attribute set

Example:

{
  client = {
    cert = "/tmp/debugging.cert";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.confirmation

Determines whether certain commands are confirmed.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.dataDir

Data directory for Taskserver.

Type: path

Default: "/var/lib/taskserver"

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.debug

Logs debugging information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.disallowedClientIDs

A list of regular expressions that are matched against the reported client id (such as task 2.3.0).

The values all or none have special meaning. Any entry here overrides those in services.taskserver.allowedClientIDs.

Type: string or list of string

Default: [ ]

Example:

[
  "[Tt]ask [2-9]+"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.extensions

Fully qualified path of the Taskserver extension scripts. Currently there are none.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.fqdn

The fully qualified domain name of this server, which is also used as the common name in the certificates.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.group

Group for Taskserver.

Type: string

Default: "taskd"

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.ipLog

Logs the IP addresses of incoming requests.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.listenHost

The address (IPv4, IPv6 or DNS) to listen on.

Type: string

Default: "localhost"

Example: "::"

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.listenPort

Port number of the Taskserver.

Type: signed integer

Default: 53589

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.openFirewall

Whether to open the firewall for the specified Taskserver port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.organisations

An attribute set where the keys name the organisation and the values are a set of lists of users and groups.

Type: attribute set of (submodule)

Default: { }

Example:

{
  myShinyOrganisation = {
    groups = [
      "staff"
      "outsiders"
    ];
    users = [
      "alice"
      "bob"
    ];
  };
  yetAnotherOrganisation = {
    users = [
      "foo"
      "bar"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.organisations.<name>.groups

A list of group names that belong to the organization.

Type: list of string

Default: [ ]

Example:

[
  "workers"
  "slackers"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.organisations.<name>.users

A list of user names that belong to the organization.

Type: list of string

Default: [ ]

Example:

[
  "alice"
  "bob"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.pki.auto.bits

The bit size for generated keys.

Note

This option is for the automatically handled CA and will be ignored if any of the services.taskserver.pki.manual.* options are set.

Type: signed integer

Default: 4096

Example: 2048

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.pki.auto.expiration.ca

The expiration time of the CA certificate in days or null for no expiration time.

Note

This option is for the automatically handled CA and will be ignored if any of the services.taskserver.pki.manual.* options are set.

Type: null or signed integer

Default: null

Example: 365

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.pki.auto.expiration.client

The expiration time of client certificates in days or null for no expiration time.

Note

This option is for the automatically handled CA and will be ignored if any of the services.taskserver.pki.manual.* options are set.

Type: null or signed integer

Default: null

Example: 365

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.pki.auto.expiration.crl

The expiration time of the certificate revocation list (CRL) in days or null for no expiration time.

Note

This option is for the automatically handled CA and will be ignored if any of the services.taskserver.pki.manual.* options are set.

Type: null or signed integer

Default: null

Example: 365

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.pki.auto.expiration.server

The expiration time of the server certificate in days or null for no expiration time.

Note

This option is for the automatically handled CA and will be ignored if any of the services.taskserver.pki.manual.* options are set.

Type: null or signed integer

Default: null

Example: 365

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.pki.manual.ca.cert

Fully qualified path to the CA certificate.

Note

Setting this option will prevent automatic CA creation and handling.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.pki.manual.server.cert

Fully qualified path to the server certificate.

Note

Setting this option will prevent automatic CA creation and handling.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.pki.manual.server.crl

Fully qualified path to the server certificate revocation list.

Note

Setting this option will prevent automatic CA creation and handling.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.pki.manual.server.key

Fully qualified path to the server key.

Note

Setting this option will prevent automatic CA creation and handling.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.queueSize

Size of the connection backlog, see listen(2).

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.requestLimit

Size limit of incoming requests, in bytes.

Type: signed integer

Default: 1048576

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.trust

Determines how client certificates are validated.

The value allow all performs no client certificate validation. This is not recommended. The value strict causes the client certificate to be validated against a CA.

Type: one of “allow all”, “strict”

Default: "strict"

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.taskserver.user

User for Taskserver.

Type: string

Default: "taskd"

Declared by:

<nixpkgs/nixos/modules/services/misc/taskserver>
services.tautulli.enable

Whether to enable Tautulli Plex Monitor.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/tautulli.nix>
services.tautulli.package

The tautulli package to use.

Type: package

Default: pkgs.tautulli

Declared by:

<nixpkgs/nixos/modules/services/misc/tautulli.nix>
services.tautulli.configFile

The location of Tautulli’s config file.

Type: string

Default: "/var/lib/plexpy/config.ini"

Declared by:

<nixpkgs/nixos/modules/services/misc/tautulli.nix>
services.tautulli.dataDir

The directory where Tautulli stores its data files.

Type: string

Default: "/var/lib/plexpy"

Declared by:

<nixpkgs/nixos/modules/services/misc/tautulli.nix>
services.tautulli.group

Group under which Tautulli runs.

Type: string

Default: "nogroup"

Declared by:

<nixpkgs/nixos/modules/services/misc/tautulli.nix>
services.tautulli.openFirewall

Open ports in the firewall for Tautulli.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/tautulli.nix>
services.tautulli.port

TCP port where Tautulli listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8181

Declared by:

<nixpkgs/nixos/modules/services/misc/tautulli.nix>
services.tautulli.user

User account under which Tautulli runs.

Type: string

Default: "plexpy"

Declared by:

<nixpkgs/nixos/modules/services/misc/tautulli.nix>
services.tayga.enable

Whether to enable Tayga.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.package

The tayga package to use.

Type: package

Default: pkgs.tayga

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.dataDir

Directory for persistent data.

Type: path

Default: "/var/lib/tayga"

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.ipv4

IPv4-specific configuration.

Type: submodule

Example:

{
  address = "192.0.2.0";
  router = {
    address = "192.0.2.1";
  };
  pool = {
    address = "192.0.2.1";
    prefixLength = 24;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.ipv4.address

The source IPv4 address of the TAYGA server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.ipv4.pool

The pool of IPv4 addresses which are used for translation.

Type: null or (submodule)

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.ipv4.pool.address

IPv4 address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.ipv4.pool.prefixLength

Subnet mask of the interface, specified as the number of bits in the prefix (“24”).

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.ipv4.router.address

The IPv4 address of the router.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.ipv6

IPv6-specific configuration.

Type: submodule

Example:

{
  address = "2001:db8::1";
  router = {
    address = "64:ff9b::1";
  };
  pool = {
    address = "64:ff9b::";
    prefixLength = 96;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.ipv6.address

The source IPv6 address of the TAYGA server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.ipv6.pool

The pool of IPv6 addresses which are used for translation.

Type: null or (submodule)

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.ipv6.pool.address

IPv6 address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.ipv6.pool.prefixLength

Subnet mask of the interface, specified as the number of bits in the prefix (“64”).

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.ipv6.router.address

The IPv6 address of the router.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.mappings

Static IPv4 -> IPv6 host mappings.

Type: attribute set of string

Default: { }

Example:

{
  "192.168.5.42" = "2001:db8:1:4444::1";
  "192.168.5.43" = "2001:db8:1:4444::2";
  "192.168.255.2" = "2001:db8:1:569::143";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tayga.tunDevice

Name of the nat64 tun device.

Type: string

Default: "nat64"

Declared by:

<nixpkgs/nixos/modules/services/networking/tayga.nix>
services.tcsd.enable

Whether to enable tcsd, a Trusted Computing management service that provides TCG Software Stack (TSS). The tcsd daemon is the only portal to the Trusted Platform Module (TPM), a hardware chip on the motherboard.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/tcsd.nix>
services.tcsd.conformanceCred

Path to the conformance credential for your TPM. See also the platformCred option

Type: path

Default: "${config.services.tcsd.stateDir}/conformance.cert"

Declared by:

<nixpkgs/nixos/modules/services/hardware/tcsd.nix>
services.tcsd.endorsementCred

Path to the endorsement credential for your TPM. See also the platformCred option

Type: path

Default: "${config.services.tcsd.stateDir}/endorsement.cert"

Declared by:

<nixpkgs/nixos/modules/services/hardware/tcsd.nix>
services.tcsd.firmwarePCRs

PCR indices used in the TPM for firmware measurements.

Type: string

Default: "0,1,2,3,4,5,6,7"

Declared by:

<nixpkgs/nixos/modules/services/hardware/tcsd.nix>
services.tcsd.group

Group account under which tcsd runs.

Type: string

Default: "tss"

Declared by:

<nixpkgs/nixos/modules/services/hardware/tcsd.nix>
services.tcsd.kernelPCRs

PCR indices used in the TPM for kernel measurements.

Type: string

Default: "8,9,10,11,12"

Declared by:

<nixpkgs/nixos/modules/services/hardware/tcsd.nix>
services.tcsd.platformCred

Path to the platform credential for your TPM. Your TPM manufacturer may have provided you with a set of credentials (certificates) that should be used when creating identities using your TPM. When a user of your TPM makes an identity, this credential will be encrypted as part of that process. See the 1.1b TPM Main specification section 9.3 for information on this process.

Type: path

Default: "${config.services.tcsd.stateDir}/platform.cert"

Declared by:

<nixpkgs/nixos/modules/services/hardware/tcsd.nix>
services.tcsd.stateDir

The location of the system persistent storage file. The system persistent storage file holds keys and data across restarts of the TCSD and system reboots.

Type: path

Default: "/var/lib/tpm"

Declared by:

<nixpkgs/nixos/modules/services/hardware/tcsd.nix>
services.tcsd.user

User account under which tcsd runs.

Type: string

Default: "tss"

Declared by:

<nixpkgs/nixos/modules/services/hardware/tcsd.nix>
services.teamspeak3.enable

Whether to run the Teamspeak3 voice communication server daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/teamspeak3.nix>
services.teamspeak3.dataDir

Directory to store TS3 database and other state/data files.

Type: path

Default: "/var/lib/teamspeak3-server"

Declared by:

<nixpkgs/nixos/modules/services/networking/teamspeak3.nix>
services.teamspeak3.defaultVoicePort

Default UDP port for clients to connect to virtual servers - used for first virtual server, subsequent ones will open on incrementing port numbers by default.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9987

Declared by:

<nixpkgs/nixos/modules/services/networking/teamspeak3.nix>
services.teamspeak3.fileTransferIP

IP on which the server instance will listen for incoming file transfer connections. Defaults to any IP.

Type: null or string

Default: null

Example: "[::]"

Declared by:

<nixpkgs/nixos/modules/services/networking/teamspeak3.nix>
services.teamspeak3.fileTransferPort

TCP port opened for file transfers.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 30033

Declared by:

<nixpkgs/nixos/modules/services/networking/teamspeak3.nix>
services.teamspeak3.logPath

Directory to store log files in.

Type: path

Default: "/var/log/teamspeak3-server/"

Declared by:

<nixpkgs/nixos/modules/services/networking/teamspeak3.nix>
services.teamspeak3.openFirewall

Open ports in the firewall for the TeamSpeak3 server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/teamspeak3.nix>
services.teamspeak3.openFirewallServerQuery

Open ports in the firewall for the TeamSpeak3 serverquery (administration) system. Requires openFirewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/teamspeak3.nix>
services.teamspeak3.queryHttpPort

TCP port opened for ServerQuery connections using the HTTP protocol.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 10080

Declared by:

<nixpkgs/nixos/modules/services/networking/teamspeak3.nix>
services.teamspeak3.queryIP

IP on which the server instance will listen for incoming ServerQuery connections. Defaults to any IP.

Type: null or string

Default: null

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/teamspeak3.nix>
services.teamspeak3.queryPort

TCP port opened for ServerQuery connections using the raw telnet protocol.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 10011

Declared by:

<nixpkgs/nixos/modules/services/networking/teamspeak3.nix>
services.teamspeak3.querySshPort

TCP port opened for ServerQuery connections using the SSH protocol.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 10022

Declared by:

<nixpkgs/nixos/modules/services/networking/teamspeak3.nix>
services.teamspeak3.voiceIP

IP on which the server instance will listen for incoming voice connections. Defaults to any IP.

Type: null or string

Default: null

Example: "[::]"

Declared by:

<nixpkgs/nixos/modules/services/networking/teamspeak3.nix>
services.teamviewer.enable

Whether to enable TeamViewer daemon & system package.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/teamviewer.nix>
services.teamviewer.package

The teamviewer package to use.

Type: package

Default: pkgs.teamviewer

Declared by:

<nixpkgs/nixos/modules/services/monitoring/teamviewer.nix>
services.technitium-dns-server.enable

Whether to enable Technitium DNS Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/technitium-dns-server.nix>
services.technitium-dns-server.package

The technitium-dns-server package to use.

Type: package

Default: pkgs.technitium-dns-server

Declared by:

<nixpkgs/nixos/modules/services/networking/technitium-dns-server.nix>
services.technitium-dns-server.firewallTCPPorts

List of TCP ports to open in firewall. You might want to open ports 443 and 853 if you intend to use DNS over HTTPS or DNS over TLS.

Type: list of signed integer

Default:

[
  53
  5380
  53443
]

Declared by:

<nixpkgs/nixos/modules/services/networking/technitium-dns-server.nix>
services.technitium-dns-server.firewallUDPPorts

List of UDP ports to open in firewall.

Type: list of signed integer

Default:

[
  53
]

Declared by:

<nixpkgs/nixos/modules/services/networking/technitium-dns-server.nix>
services.technitium-dns-server.openFirewall

Whether to open ports in the firewall. Standard ports are 53 (UDP and TCP, for DNS), 5380 and 53443 (TCP, HTTP and HTTPS for web interface). Specify different or additional ports in options firewallUDPPorts and firewallTCPPorts if necessary.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/technitium-dns-server.nix>
services.teeworlds.enable

Whether to enable Teeworlds Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.package

The teeworlds-server package to use.

Type: package

Default: pkgs.teeworlds-server

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.environmentFile

Environment file as defined in systemd.exec(5).

Secrets may be passed to the service without adding them to the world-readable Nix store, by specifying placeholder variables as the option value in Nix and setting these variables accordingly in the environment file.

  # snippet of teeworlds-related config
  services.teeworlds.password = "$TEEWORLDS_PASSWORD";
  # content of the environment file
  TEEWORLDS_PASSWORD=verysecretpassword

Note that this file needs to be available on the host on which teeworlds is running.

Type: null or path

Default: null

Example: "/var/lib/teeworlds/teeworlds.env"

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.extraOptions

Extra configuration lines for the teeworlds.cfg. See Teeworlds Documentation.

Type: list of string

Default: [ ]

Example:

[
  "sv_map dm1"
  "sv_gametype dm"
]

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.enablePowerups

Whether to allow powerups such as the ninja.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.enableReadyMode

Whether to enable “ready mode”; where players can pause/unpause the game and start the game in warmup, using their ready state.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.enableTeamDamage

Whether to enable team damage; whether to allow team mates to inflict damage on one another.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.enableVoteKick

Whether to enable voting to kick players.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.gameType

The game type to use on the server.

The default gametypes are dm, tdm, ctf, lms, and lts.

Type: string

Default: "dm"

Example: "ctf"

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.map

The map to use on the server.

Type: string

Default: "dm1"

Example: "ctf5"

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.playerSlots

The amount of slots to reserve for players (as opposed to spectators).

Type: unsigned integer, meaning >=0

Default: 8

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.restrictSpectators

Whether to restrict access to information such as health, ammo and armour in spectator mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.scoreLimit

The score limit needed to win a round.

Type: unsigned integer, meaning >=0

Default: 20

Example: 400

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.swapTeams

Whether to swap teams each round.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.timeLimit

Time limit of the game. In cases of equal points, there will be sudden death. Setting this to 0 disables a time limit.

Type: unsigned integer, meaning >=0

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.tournamentMode

Whether to enable tournament mode. In tournament mode, players join as spectators. If this is set to restrictSpectators, tournament mode is enabled but spectator chat is restricted.

Type: one of “disable”, “enable”, “restrictSpectators”

Default: "disable"

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.voteKickBanTime

The amount of minutes that a player is banned for if they get kicked by a vote.

Type: unsigned integer, meaning >=0

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.game.voteKickMinimumPlayers

The minimum amount of players required to start a kick vote.

Type: unsigned integer, meaning >=0

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.motd

The server’s message of the day text.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.name

Name of the server.

Type: string

Default: "unnamed server"

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.openPorts

Whether to open firewall ports for Teeworlds.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.password

Password to connect to the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.port

Port the server will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8303

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.rconPassword

Password to access the remote console. If not set, a randomly generated one is displayed in the server log.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.register

Whether the server registers as a public server in the global server list. This is disabled by default for privacy reasons.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.server.enableHighBandwidth

Whether to enable high bandwidth mode on LAN servers. This will double the amount of bandwidth required for running the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.server.enableSpamProtection

Whether to enable chat spam protection.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.server.bindAddr

The address the server will bind to.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.server.hostName

Hostname for the server.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.server.inactivePenalty

Specify what to do when a client goes inactive (see services.teeworlds.server.inactiveTime).

  • spectator: send the client into spectator mode

  • spectator/kick: send the client into a free spectator slot, otherwise kick the client

  • kick: kick the client

Type: one of “spectator”, “spectator/kick”, “kick”

Default: "spectator/kick"

Example: "spectator"

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.server.inactiveTime

The amount of minutes a client has to idle before it is considered inactive.

Type: unsigned integer, meaning >=0

Default: 3

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.server.kickInactiveSpectators

Whether to kick inactive spectators.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.server.maxClients

The maximum amount of clients that can be connected to the server at the same time.

Type: unsigned integer, meaning >=0

Default: 12

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.server.maxClientsPerIP

The maximum amount of clients with the same IP address that can be connected to the server at the same time.

Type: unsigned integer, meaning >=0

Default: 12

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.teeworlds.server.skillLevel

The skill level shown in the server browser.

Type: one of “casual”, “normal”, “competitive”

Default: "normal"

Declared by:

<nixpkgs/nixos/modules/services/games/teeworlds.nix>
services.telegraf.enable

Whether to enable telegraf server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/telegraf.nix>
services.telegraf.package

The telegraf package to use.

Type: package

Default: pkgs.telegraf

Declared by:

<nixpkgs/nixos/modules/services/monitoring/telegraf.nix>
services.telegraf.environmentFiles

File to load as environment file. Environment variables from this file will be interpolated into the config file using envsubst with this syntax: $ENVIRONMENT or ${VARIABLE}. This is useful to avoid putting secrets into the nix store.

Type: list of path

Default: [ ]

Example:

[
  "/run/keys/telegraf.env"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/telegraf.nix>
services.telegraf.extraConfig

Extra configuration options for telegraf

Type: TOML value

Default: { }

Example:

{
  inputs = {
    statsd = {
      delete_timings = true;
      service_address = ":8125";
    };
  };
  outputs = {
    influxdb = {
      database = "telegraf";
      urls = [
        "http://localhost:8086"
      ];
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/telegraf.nix>
services.telepathy.enable

Whether to enable Telepathy service, a communications framework that enables real-time communication via pluggable protocol backends.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/desktops/telepathy.nix>
services.teleport.enable

Whether to enable the Teleport service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/teleport.nix>
services.teleport.package

The teleport package to use.

Type: package

Default: pkgs.teleport

Example: teleport_11

Declared by:

<nixpkgs/nixos/modules/services/networking/teleport.nix>
services.teleport.diag.enable

Whether to enable endpoints for monitoring purposes.

See https://goteleport.com/docs/setup/admin/troubleshooting/#troubleshooting/ .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/teleport.nix>
services.teleport.diag.addr

Metrics and diagnostics address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/teleport.nix>
services.teleport.diag.port

Metrics and diagnostics port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/networking/teleport.nix>
services.teleport.insecure.enable

Whether to enable starting teleport in insecure mode.

This is dangerous! Sensitive information will be logged to console and certificates will not be verified. Proceed with caution!

Teleport starts with disabled certificate validation on Proxy Service, validation still occurs on Auth Service .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/teleport.nix>
services.teleport.settings

Contents of the teleport.yaml config file. The --config arguments will only be passed if this set is not empty.

See https://goteleport.com/docs/setup/reference/config/.

Type: YAML value

Default: { }

Example:

{
  teleport = {
    nodename = "client";
    advertise_ip = "192.168.1.2";
    auth_token = "60bdc117-8ff4-478d-95e4-9914597847eb";
    auth_servers = [ "192.168.1.1:3025" ];
    log.severity = "DEBUG";
  };
  ssh_service = {
    enabled = true;
    labels = {
      role = "client";
    };
  };
  proxy_service.enabled = false;
  auth_service.enabled = false;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/teleport.nix>
services.tempo.enable

Whether to enable Grafana Tempo.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/tracing/tempo.nix>
services.tempo.configFile

Specify a path to a configuration file that Tempo should use.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/tracing/tempo.nix>
services.tempo.extraFlags

Additional flags to pass to the ExecStart= in tempo.service.

Type: list of string

Default: [ ]

Example:

[ "-config.expand-env=true" ]

Declared by:

<nixpkgs/nixos/modules/services/tracing/tempo.nix>
services.tempo.settings

Specify the configuration for Tempo in Nix.

See https://grafana.com/docs/tempo/latest/configuration/ for available options.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/tracing/tempo.nix>
services.terraria.enable

If enabled, starts a Terraria server. The server can be connected to via tmux -S ${config.services.terraria.dataDir}/terraria.sock attach for administration by users who are a part of the terraria group (use C-b d shortcut to detach again).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/terraria.nix>
services.terraria.autoCreatedWorldSize

Specifies the size of the auto-created world if worldPath does not point to an existing world.

Type: one of “small”, “medium”, “large”

Default: "medium"

Declared by:

<nixpkgs/nixos/modules/services/games/terraria.nix>
services.terraria.banListPath

The path to the ban list.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/terraria.nix>
services.terraria.dataDir

Path to variable state data directory for terraria.

Type: string

Default: "/var/lib/terraria"

Example: "/srv/terraria"

Declared by:

<nixpkgs/nixos/modules/services/games/terraria.nix>
services.terraria.maxPlayers

Sets the max number of players (between 1 and 255).

Type: 8 bit unsigned integer; between 0 and 255 (both inclusive)

Default: 255

Declared by:

<nixpkgs/nixos/modules/services/games/terraria.nix>
services.terraria.messageOfTheDay

Set the server message of the day text.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/terraria.nix>
services.terraria.noUPnP

Disables automatic Universal Plug and Play.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/terraria.nix>
services.terraria.openFirewall

Whether to open ports in the firewall

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/terraria.nix>
services.terraria.password

Sets the server password. Leave null for no password.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/terraria.nix>
services.terraria.port

Specifies the port to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7777

Declared by:

<nixpkgs/nixos/modules/services/games/terraria.nix>
services.terraria.secure

Adds additional cheat protection to the server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/terraria.nix>
services.terraria.worldPath

The path to the world file (.wld) which should be loaded. If no world exists at this path, one will be created with the size specified by autoCreatedWorldSize.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/terraria.nix>
services.tetrd.enable

Whether to enable tetrd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/tetrd.nix>
services.tftpd.enable

Whether to enable tftpd, a Trivial File Transfer Protocol server. The server will be run as an xinetd service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/tftpd.nix>
services.tftpd.path

Where the tftp server files are stored.

Type: path

Default: "/srv/tftp"

Declared by:

<nixpkgs/nixos/modules/services/networking/tftpd.nix>
services.thanos.package

The thanos package to use.

Type: package

Default: pkgs.thanos

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.enable

Whether to enable the Thanos compactor which continuously compacts blocks in an object store bucket.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.arguments

Arguments to the thanos compact command.

Defaults to a list of arguments formed by converting the structured options of services.thanos.compact to a list of arguments.

Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!

Type: list of string

Default: calculated from config.services.thanos.compact

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.compact.concurrency

Number of goroutines to use when compacting groups.

Defaults to 1 in Thanos when set to null.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.consistency-delay

Minimum age of fresh (non-compacted) blocks before they are being processed. Malformed blocks older than the maximum of consistency-delay and 30m0s will be removed.

Defaults to 30m in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.downsampling.disable

Disables downsampling.

This is not recommended as querying long time ranges without non-downsampled data is not efficient and useful e.g it is not possible to render all samples for a human eye anyway

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.http-address

Listen host:port for HTTP endpoints.

Defaults to 0.0.0.0:10902 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.log.format

Log format to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.log.level

Log filtering level.

Defaults to info in Thanos when set to null.

Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.objstore.config

Object store configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option objstore.config-file will default to its path.

If objstore.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.objstore.config-file

Path to YAML file that contains object store configuration.

See format details: https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

Type: null or string

Default:

if config.services.thanos.<cmd>.objstore.config == null then null
else toString (toYAML "objstore.yaml" config.services.thanos.<cmd>.objstore.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.retention.resolution-1h

How long to retain samples of resolution 2 (1 hour) in bucket.

0d - disables this retention

Defaults to 0d in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.retention.resolution-5m

How long to retain samples of resolution 1 (5 minutes) in bucket.

0d - disables this retention

Defaults to 0d in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.retention.resolution-raw

How long to retain raw samples in bucket.

0d - disables this retention

Defaults to 0d in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.startAt

When this option is set to a systemd.time specification the Thanos compactor will run at the specified period.

When this option is null the Thanos compactor service will run continuously. So it will not exit after all compactions have been processed but wait for new work.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.stateDir

Data directory relative to /var/lib in which to cache blocks and process compactions.

Type: string

Default: "thanos-compact"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.tracing.config

Tracing configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option tracing.config-file will default to its path.

If tracing.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.compact.tracing.config-file

Path to YAML file that contains tracing configuration.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or string

Default:

if config.services.thanos.<cmd>.tracing.config == null then null
else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.downsample.enable

Whether to enable the Thanos downsampler which continuously downsamples blocks in an object store bucket.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.downsample.arguments

Arguments to the thanos downsample command.

Defaults to a list of arguments formed by converting the structured options of services.thanos.downsample to a list of arguments.

Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!

Type: list of string

Default: calculated from config.services.thanos.downsample

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.downsample.log.format

Log format to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.downsample.log.level

Log filtering level.

Defaults to info in Thanos when set to null.

Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.downsample.objstore.config

Object store configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option objstore.config-file will default to its path.

If objstore.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.downsample.objstore.config-file

Path to YAML file that contains object store configuration.

See format details: https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

Type: null or string

Default:

if config.services.thanos.<cmd>.objstore.config == null then null
else toString (toYAML "objstore.yaml" config.services.thanos.<cmd>.objstore.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.downsample.stateDir

Data directory relative to /var/lib in which to cache blocks and process downsamplings.

Type: string

Default: "thanos-downsample"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.downsample.tracing.config

Tracing configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option tracing.config-file will default to its path.

If tracing.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.downsample.tracing.config-file

Path to YAML file that contains tracing configuration.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or string

Default:

if config.services.thanos.<cmd>.tracing.config == null then null
else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.enable

Whether to enable the Thanos query node exposing PromQL enabled Query API with data retrieved from multiple store nodes.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.arguments

Arguments to the thanos query command.

Defaults to a list of arguments formed by converting the structured options of services.thanos.query to a list of arguments.

Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!

Type: list of string

Default: calculated from config.services.thanos.query

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.endpoints

Addresses of statically configured Thanos API servers (repeatable).

The scheme may be prefixed with ‘dns+’ or ‘dnssrv+’ to detect Thanos API servers through respective DNS lookups.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.grpc-address

Listen ip:port address for gRPC endpoints (StoreAPI).

Make sure this address is routable from other components.

Defaults to 0.0.0.0:10901 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.grpc-client-server-name

Server name to verify the hostname on the returned gRPC certificates. See https://tools.ietf.org/html/rfc4366#section-3.1

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.grpc-client-tls-ca

TLS CA Certificates to use to verify gRPC servers

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.grpc-client-tls-cert

TLS Certificates to use to identify this client to the server

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.grpc-client-tls-key

TLS Key for the client’s certificate

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.grpc-client-tls-secure

Use TLS when talking to the gRPC server

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.grpc-compression

Compression algorithm to use for gRPC requests to other clients.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.grpc-server-tls-cert

TLS Certificate for gRPC server, leave blank to disable TLS

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.grpc-server-tls-client-ca

TLS CA to verify clients against.

If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.grpc-server-tls-key

TLS Key for the gRPC server, leave blank to disable TLS

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.http-address

Listen host:port for HTTP endpoints.

Defaults to 0.0.0.0:10902 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.log.format

Log format to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.log.level

Log filtering level.

Defaults to info in Thanos when set to null.

Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.query.auto-downsampling

Enable automatic adjustment (step / 5) to what source of data should be used in store gateways if no max_source_resolution param is specified.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.query.default-evaluation-interval

Set default evaluation interval for sub queries.

Defaults to 1m in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.query.max-concurrent

Maximum number of queries processed concurrently by query node.

Defaults to 20 in Thanos when set to null.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.query.partial-response

Enable partial response for queries if no partial_response param is specified.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.query.replica-labels

Labels to treat as a replica indicator along which data is deduplicated.

Still you will be able to query without deduplication using ‘dedup=false’ parameter. Data includes time series, recording rules, and alerting rules.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.query.timeout

Maximum time to process query by query node.

Defaults to 2m in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.selector-labels

Query selector labels that will be exposed in info endpoint.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.store.response-timeout

If a Store doesn’t send any data in this specified duration then a Store will be ignored and partial data will be returned if it’s enabled. 0 disables timeout.

Defaults to 0ms in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.store.sd-dns-interval

Interval between DNS resolutions.

Defaults to 30s in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.store.sd-files

Path to files that contain addresses of store API servers. The path can be a glob pattern.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.store.sd-interval

Refresh interval to re-read file SD files. It is used as a resync fallback.

Defaults to 5m in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.store.unhealthy-timeout

Timeout before an unhealthy store is cleaned from the store UI page.

Defaults to 5m in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.tracing.config

Tracing configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option tracing.config-file will default to its path.

If tracing.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.tracing.config-file

Path to YAML file that contains tracing configuration.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or string

Default:

if config.services.thanos.<cmd>.tracing.config == null then null
else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.web.external-prefix

Static prefix for all HTML links and redirect URLs in the UI query web interface.

Actual endpoints are still served on / or the web.route-prefix. This allows thanos UI to be served behind a reverse proxy that strips a URL sub-path.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.web.prefix-header

Name of HTTP request header used for dynamic prefixing of UI links and redirects.

This option is ignored if the option web.external-prefix is set.

Security risk: enable this option only if a reverse proxy in front of thanos is resetting the header.

The setting web.prefix-header="X-Forwarded-Prefix" can be useful, for example, if Thanos UI is served via Traefik reverse proxy with PathPrefixStrip option enabled, which sends the stripped prefix value in X-Forwarded-Prefix header. This allows thanos UI to be served on a sub-path.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query.web.route-prefix

Prefix for API and UI endpoints.

This allows thanos UI to be served on a sub-path. This option is analogous to web.route-prefix of Promethus.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query-frontend.enable

Whether to enable the Thanos query frontend implements a service deployed in front of queriers to improve query parallelization and caching…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query-frontend.arguments

Arguments to the thanos query-frontend command.

Defaults to a list of arguments formed by converting the structured options of services.thanos.query-frontend to a list of arguments.

Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!

Type: list of string

Default: calculated from config.services.thanos.query-frontend

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query-frontend.grpc-address

Listen ip:port address for gRPC endpoints (StoreAPI).

Make sure this address is routable from other components.

Defaults to 0.0.0.0:10901 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query-frontend.grpc-server-tls-cert

TLS Certificate for gRPC server, leave blank to disable TLS

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query-frontend.grpc-server-tls-client-ca

TLS CA to verify clients against.

If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query-frontend.grpc-server-tls-key

TLS Key for the gRPC server, leave blank to disable TLS

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query-frontend.http-address

Listen host:port for HTTP endpoints.

Defaults to 0.0.0.0:10902 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query-frontend.log.format

Log format to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query-frontend.log.level

Log filtering level.

Defaults to info in Thanos when set to null.

Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query-frontend.query-frontend.downstream-url

URL of downstream Prometheus Query compatible API.

Defaults to http://localhost:9090 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query-frontend.tracing.config

Tracing configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option tracing.config-file will default to its path.

If tracing.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.query-frontend.tracing.config-file

Path to YAML file that contains tracing configuration.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or string

Default:

if config.services.thanos.<cmd>.tracing.config == null then null
else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.enable

Whether to enable the Thanos receiver which accept Prometheus remote write API requests and write to local tsdb.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.arguments

Arguments to the thanos receive command.

Defaults to a list of arguments formed by converting the structured options of services.thanos.receive to a list of arguments.

Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!

Type: list of string

Default: calculated from config.services.thanos.receive

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.grpc-address

Listen ip:port address for gRPC endpoints (StoreAPI).

Make sure this address is routable from other components.

Defaults to 0.0.0.0:10901 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.grpc-server-tls-cert

TLS Certificate for gRPC server, leave blank to disable TLS

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.grpc-server-tls-client-ca

TLS CA to verify clients against.

If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.grpc-server-tls-key

TLS Key for the gRPC server, leave blank to disable TLS

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.http-address

Listen host:port for HTTP endpoints.

Defaults to 0.0.0.0:10902 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.labels

External labels to announce.

This flag will be removed in the future when handling multiple tsdb instances is added.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.log.format

Log format to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.log.level

Log filtering level.

Defaults to info in Thanos when set to null.

Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.objstore.config

Object store configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option objstore.config-file will default to its path.

If objstore.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.objstore.config-file

Path to YAML file that contains object store configuration.

See format details: https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

Type: null or string

Default:

if config.services.thanos.<cmd>.objstore.config == null then null
else toString (toYAML "objstore.yaml" config.services.thanos.<cmd>.objstore.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.receive.grpc-compression

Compression algorithm to use for gRPC requests to other receivers.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.remote-write.address

Address to listen on for remote write requests.

Defaults to 0.0.0.0:19291 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.stateDir

Data directory relative to /var/lib of TSDB.

Type: string

Default: "thanos-receive"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.tracing.config

Tracing configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option tracing.config-file will default to its path.

If tracing.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.tracing.config-file

Path to YAML file that contains tracing configuration.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or string

Default:

if config.services.thanos.<cmd>.tracing.config == null then null
else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.receive.tsdb.retention

How long to retain raw samples on local storage.

0d - disables this retention

Defaults to 15d in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.enable

Whether to enable the Thanos ruler service which evaluates Prometheus rules against given Query nodes, exposing Store API and storing old blocks in bucket.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.alert.label-drop

Labels by name to drop before sending to alertmanager.

This allows alert to be deduplicated on replica label.

Similar Prometheus alert relabelling

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.alert.query-url

The external Thanos Query URL that would be set in all alerts ‘Source’ field.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.alertmanagers.send-timeout

Timeout for sending alerts to alertmanager.

Defaults to 10s in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.alertmanagers.urls

Alertmanager replica URLs to push firing alerts.

Ruler claims success if push to at least one alertmanager from discovered succeeds. The scheme may be prefixed with dns+ or dnssrv+ to detect Alertmanager IPs through respective DNS lookups. The port defaults to 9093 or the SRV record’s value. The URL path is used as a prefix for the regular Alertmanager API path.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.arguments

Arguments to the thanos rule command.

Defaults to a list of arguments formed by converting the structured options of services.thanos.rule to a list of arguments.

Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!

Type: list of string

Default: calculated from config.services.thanos.rule

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.eval-interval

The default evaluation interval to use.

Defaults to 1m in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.grpc-address

Listen ip:port address for gRPC endpoints (StoreAPI).

Make sure this address is routable from other components.

Defaults to 0.0.0.0:10901 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.grpc-server-tls-cert

TLS Certificate for gRPC server, leave blank to disable TLS

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.grpc-server-tls-client-ca

TLS CA to verify clients against.

If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.grpc-server-tls-key

TLS Key for the gRPC server, leave blank to disable TLS

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.http-address

Listen host:port for HTTP endpoints.

Defaults to 0.0.0.0:10902 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.labels

Labels to be applied to all generated metrics.

Similar to external labels for Prometheus, used to identify ruler and its blocks as unique source.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.log.format

Log format to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.log.level

Log filtering level.

Defaults to info in Thanos when set to null.

Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.objstore.config

Object store configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option objstore.config-file will default to its path.

If objstore.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.objstore.config-file

Path to YAML file that contains object store configuration.

See format details: https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

Type: null or string

Default:

if config.services.thanos.<cmd>.objstore.config == null then null
else toString (toYAML "objstore.yaml" config.services.thanos.<cmd>.objstore.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.query.addresses

Addresses of statically configured query API servers.

The scheme may be prefixed with dns+ or dnssrv+ to detect query API servers through respective DNS lookups.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.query.sd-dns-interval

Interval between DNS resolutions.

Defaults to 30s in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.query.sd-files

Path to file that contain addresses of query peers. The path can be a glob pattern.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.query.sd-interval

Refresh interval to re-read file SD files. (used as a fallback)

Defaults to 5m in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.rule-files

Rule files that should be used by rule manager. Can be in glob format.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.stateDir

Data directory relative to /var/lib.

Type: string

Default: "thanos-rule"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.tracing.config

Tracing configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option tracing.config-file will default to its path.

If tracing.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.tracing.config-file

Path to YAML file that contains tracing configuration.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or string

Default:

if config.services.thanos.<cmd>.tracing.config == null then null
else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.tsdb.block-duration

Block duration for TSDB block.

Defaults to 2h in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.tsdb.retention

Block retention time on local disk.

Defaults to 48h in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.web.external-prefix

Static prefix for all HTML links and redirect URLs in the UI query web interface.

Actual endpoints are still served on / or the web.route-prefix. This allows thanos UI to be served behind a reverse proxy that strips a URL sub-path.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.web.prefix-header

Name of HTTP request header used for dynamic prefixing of UI links and redirects.

This option is ignored if the option web.external-prefix is set.

Security risk: enable this option only if a reverse proxy in front of thanos is resetting the header.

The header X-Forwarded-Prefix can be useful, for example, if Thanos UI is served via Traefik reverse proxy with PathPrefixStrip option enabled, which sends the stripped prefix value in X-Forwarded-Prefix header. This allows thanos UI to be served on a sub-path.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.rule.web.route-prefix

Prefix for API and UI endpoints.

This allows thanos UI to be served on a sub-path.

This option is analogous to --web.route-prefix of Promethus.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.enable

Whether to enable the Thanos sidecar for Prometheus server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.arguments

Arguments to the thanos sidecar command.

Defaults to a list of arguments formed by converting the structured options of services.thanos.sidecar to a list of arguments.

Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!

Type: list of string

Default: calculated from config.services.thanos.sidecar

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.grpc-address

Listen ip:port address for gRPC endpoints (StoreAPI).

Make sure this address is routable from other components.

Defaults to 0.0.0.0:10901 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.grpc-server-tls-cert

TLS Certificate for gRPC server, leave blank to disable TLS

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.grpc-server-tls-client-ca

TLS CA to verify clients against.

If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.grpc-server-tls-key

TLS Key for the gRPC server, leave blank to disable TLS

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.http-address

Listen host:port for HTTP endpoints.

Defaults to 0.0.0.0:10902 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.log.format

Log format to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.log.level

Log filtering level.

Defaults to info in Thanos when set to null.

Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.objstore.config

Object store configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option objstore.config-file will default to its path.

If objstore.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.objstore.config-file

Path to YAML file that contains object store configuration.

See format details: https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

Type: null or string

Default:

if config.services.thanos.<cmd>.objstore.config == null then null
else toString (toYAML "objstore.yaml" config.services.thanos.<cmd>.objstore.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.prometheus.url

URL at which to reach Prometheus’s API.

For better performance use local network.

Defaults to http://localhost:9090 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.reloader.config-envsubst-file

Output file for environment variable substituted config file.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.reloader.config-file

Config file watched by the reloader.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.reloader.rule-dirs

Rule directories for the reloader to refresh.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.tracing.config

Tracing configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option tracing.config-file will default to its path.

If tracing.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.tracing.config-file

Path to YAML file that contains tracing configuration.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or string

Default:

if config.services.thanos.<cmd>.tracing.config == null then null
else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.sidecar.tsdb.path

Data directory of TSDB.

Type: string

Default: "/var/lib/${config.services.prometheus.stateDir}/data"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.enable

Whether to enable the Thanos store node giving access to blocks in a bucket provider.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.arguments

Arguments to the thanos store command.

Defaults to a list of arguments formed by converting the structured options of services.thanos.store to a list of arguments.

Overriding this option will cause none of the structured options to have any effect. So only set this if you know what you’re doing!

Type: list of string

Default: calculated from config.services.thanos.store

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.block-sync-concurrency

Number of goroutines to use when syncing blocks from object storage.

Defaults to 20 in Thanos when set to null.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.chunk-pool-size

Maximum size of concurrently allocatable bytes for chunks.

Defaults to 2GB in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.grpc-address

Listen ip:port address for gRPC endpoints (StoreAPI).

Make sure this address is routable from other components.

Defaults to 0.0.0.0:10901 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.grpc-server-tls-cert

TLS Certificate for gRPC server, leave blank to disable TLS

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.grpc-server-tls-client-ca

TLS CA to verify clients against.

If no client CA is specified, there is no client verification on server side. (tls.NoClientCert)

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.grpc-server-tls-key

TLS Key for the gRPC server, leave blank to disable TLS

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.http-address

Listen host:port for HTTP endpoints.

Defaults to 0.0.0.0:10902 in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.index-cache-size

Maximum size of items held in the index cache.

Defaults to 250MB in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.log.format

Log format to use.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.log.level

Log filtering level.

Defaults to info in Thanos when set to null.

Type: null or one of “debug”, “info”, “warn”, “error”, “fatal”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.max-time

End of time range limit to serve.

Thanos Store serves only blocks, which happened earlier than this value. Option can be a constant time in RFC3339 format or time duration relative to current time, such as -1d or 2h45m. Valid duration units are ms, s, m, h, d, w, y.

Defaults to 9999-12-31T23:59:59Z in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.min-time

Start of time range limit to serve.

Thanos Store serves only metrics, which happened later than this value. Option can be a constant time in RFC3339 format or time duration relative to current time, such as -1d or 2h45m. Valid duration units are ms, s, m, h, d, w, y.

Defaults to 0000-01-01T00:00:00Z in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.objstore.config

Object store configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option objstore.config-file will default to its path.

If objstore.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.objstore.config-file

Path to YAML file that contains object store configuration.

See format details: https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage

Type: null or string

Default:

if config.services.thanos.<cmd>.objstore.config == null then null
else toString (toYAML "objstore.yaml" config.services.thanos.<cmd>.objstore.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.stateDir

Data directory relative to /var/lib in which to cache remote blocks.

Type: string

Default: "thanos-store"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.store.grpc.series-max-concurrency

Maximum number of concurrent Series calls.

Defaults to 20 in Thanos when set to null.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.store.limits.request-samples

The maximum samples allowed for a single Series request. The Series call fails if this limit is exceeded.

0 means no limit.

NOTE: For efficiency the limit is internally implemented as ‘chunks limit’ considering each chunk contains a maximum of 120 samples.

Defaults to 0 in Thanos when set to null.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.sync-block-duration

Repeat interval for syncing the blocks between local and remote view.

Defaults to 3m in Thanos when set to null.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.tracing.config

Tracing configuration.

When not null the attribute set gets converted to a YAML file and stored in the Nix store. The option tracing.config-file will default to its path.

If tracing.config-file is set this option has no effect.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or (attribute set)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thanos.store.tracing.config-file

Path to YAML file that contains tracing configuration.

See format details: https://thanos.io/tip/thanos/tracing.md/#configuration

Type: null or string

Default:

if config.services.thanos.<cmd>.tracing.config == null then null
else toString (toYAML "tracing.yaml" config.services.thanos.<cmd>.tracing.config);

Declared by:

<nixpkgs/nixos/modules/services/monitoring/thanos.nix>
services.thelounge.enable

Whether to enable The Lounge web IRC client.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/thelounge.nix>
services.thelounge.package

The thelounge package to use.

Type: package

Default: pkgs.thelounge

Declared by:

<nixpkgs/nixos/modules/services/networking/thelounge.nix>
services.thelounge.extraConfig

The Lounge’s config.js contents as attribute set (will be converted to JSON to generate the configuration file).

The options defined here will be merged to the default configuration file. Note: In case of duplicate configuration, options from extraConfig have priority.

Documentation: https://thelounge.chat/docs/server/configuration

Type: attribute set

Default: { }

Example:

{
  reverseProxy = true;
  defaults = {
    name = "Your Network";
    host = "localhost";
    port = 6697;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/thelounge.nix>
services.thelounge.plugins

The Lounge plugins to install. Plugins can be found in pkgs.theLoungePlugins.plugins and pkgs.theLoungePlugins.themes.

Type: list of package

Default: [ ]

Example: [ pkgs.theLoungePlugins.themes.solarized ]

Declared by:

<nixpkgs/nixos/modules/services/networking/thelounge.nix>
services.thelounge.port

TCP port to listen on for http connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9000

Declared by:

<nixpkgs/nixos/modules/services/networking/thelounge.nix>
services.thelounge.public

Make your The Lounge instance public. Setting this to false will require you to configure user accounts by using the (thelounge) command or by adding entries in /var/lib/thelounge/users. You might need to restart The Lounge after making changes to the state directory.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/thelounge.nix>
services.thermald.enable

Whether to enable thermald, the temperature management daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/thermald.nix>
services.thermald.package

The thermald package to use.

Type: package

Default: pkgs.thermald

Declared by:

<nixpkgs/nixos/modules/services/hardware/thermald.nix>
services.thermald.configFile

The thermald manual configuration file.

Leave unspecified to run with the --adaptive flag instead which will have thermald use your computer’s DPTF adaptive tables.

See man thermald for more information.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/thermald.nix>
services.thermald.debug

Whether to enable debug logging.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/thermald.nix>
services.thermald.ignoreCpuidCheck

Whether to ignore the cpuid check to allow running on unsupported platforms

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/thermald.nix>
services.thinkfan.enable

Whether to enable thinkfan, a fan control program.

Note

This module targets IBM/Lenovo thinkpads by default, for other hardware you will have configure it more carefully.

Type: boolean

Default: false

Related packages:

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.thinkfan.extraArgs

A list of extra command line arguments to pass to thinkfan. Check the thinkfan(1) manpage for available arguments.

Type: list of string

Default: [ ]

Example:

[
  "-b"
  "0"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.thinkfan.fans

List of fans thinkfan will control.

Note

This section slightly departs from the thinkfan.conf syntax. The type and path must be specified like this:

  type = "tpacpi";
  query = "/proc/acpi/ibm/fan";

instead of a single declaration like:

  - tpacpi: /proc/acpi/ibm/fan

Type: list of (attribute set of (YAML value))

Default:

[
  {
    query = "/proc/acpi/ibm/fan";
    type = "tpacpi";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.thinkfan.fans.*.indices

A list of fans to pick in case multiple fans match the query.

Note

Indices start from 0.

Type: null or (list of (unsigned integer, meaning >=0))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.thinkfan.fans.*.query

The query string used to match one or more fans: can be a fullpath to the temperature file (single fan) or a fullpath to a driver directory (multiple fans).

Note

When multiple fans match, the query can be restricted using the name or indices options.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.thinkfan.fans.*.type

The fan type, can be hwmon for standard fans,

atasmart to read the temperature via S.M.A.R.T (requires smartSupport to be enabled),

tpacpi for the legacy thinkpac_acpi driver, or

nvml for the (proprietary) nVidia driver.

Type: one of “hwmon”, “atasmart”, “tpacpi”, “nvml”

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.thinkfan.levels

[LEVEL LOW HIGH]

LEVEL is the fan level to use: it can be an integer (0-7 with thinkpad_acpi), “level auto” (to keep the default firmware behavior), “level full-speed” or “level disengaged” (to run the fan as fast as possible). LOW is the temperature at which to step down to the previous level. HIGH is the temperature at which to step up to the next level. All numbers are integers.

Type: list of (tuple of (unsigned integer, meaning >=0, or one of “level auto”, “level full-speed”, “level disengaged”) (unsigned integer, meaning >=0) (unsigned integer, meaning >=0))

Default:

[
  [
    0
    0
    55
  ]
  [
    1
    48
    60
  ]
  [
    2
    50
    61
  ]
  [
    3
    52
    63
  ]
  [
    6
    56
    65
  ]
  [
    7
    60
    85
  ]
  [
    "level auto"
    80
    32767
  ]
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.thinkfan.sensors

List of temperature sensors thinkfan will monitor.

Note

This section slightly departs from the thinkfan.conf syntax. The type and path must be specified like this:

  type = "tpacpi";
  query = "/proc/acpi/ibm/thermal";

instead of a single declaration like:

  - tpacpi: /proc/acpi/ibm/thermal

Type: list of (attribute set of (YAML value))

Default:

[
  {
    query = "/proc/acpi/ibm/thermal";
    type = "tpacpi";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.thinkfan.sensors.*.correction

A list of values to be added to the temperature of each sensor, can be used to equalize small discrepancies in temperature ratings.

Type: null or (list of signed integer)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.thinkfan.sensors.*.indices

A list of sensors to pick in case multiple sensors match the query.

Note

Indices start from 0.

Type: null or (list of (unsigned integer, meaning >=0))

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.thinkfan.sensors.*.query

The query string used to match one or more sensors: can be a fullpath to the temperature file (single sensor) or a fullpath to a driver directory (multiple sensors).

Note

When multiple sensors match, the query can be restricted using the name or indices options.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.thinkfan.sensors.*.type

The sensor type, can be hwmon for standard sensors,

atasmart to read the temperature via S.M.A.R.T (requires smartSupport to be enabled),

tpacpi for the legacy thinkpac_acpi driver, or

nvml for the (proprietary) nVidia driver.

Type: one of “hwmon”, “atasmart”, “tpacpi”, “nvml”

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.thinkfan.settings

Thinkfan settings. Use this option to configure thinkfan settings not exposed in a NixOS option or to bypass one. Before changing this, read the thinkfan.conf(5) manpage and take a look at the example config file at https://github.com/vmatare/thinkfan/blob/master/examples/thinkfan.yaml

Type: attribute set of (YAML value)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.thinkfan.smartSupport

Whether to build thinkfan with S.M.A.R.T. support to read temperatures directly from hard disks.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/thinkfan.nix>
services.throttled.enable

Whether to enable fix for Intel CPU throttling.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/throttled.nix>
services.throttled.extraConfig

Alternative configuration

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/throttled.nix>
services.tiddlywiki.enable

Whether to enable TiddlyWiki nodejs server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/tiddlywiki.nix>
services.tiddlywiki.listenOptions

Parameters passed to --listen command. Refer to https://tiddlywiki.com/#WebServer for details on supported values.

Type: attribute set

Default: { }

Example:

{
  credentials = "../credentials.csv";
  port = 3456;
  readers = "(authenticated)";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/tiddlywiki.nix>
services.tigerbeetle.enable

Whether to enable TigerBeetle server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/databases/tigerbeetle.nix>
services.tigerbeetle.package

The tigerbeetle package to use.

Type: package

Default: pkgs.tigerbeetle

Declared by:

<nixpkgs/nixos/modules/services/databases/tigerbeetle.nix>
services.tigerbeetle.addresses

The addresses of all replicas in the cluster. This should be a list of IPv4/IPv6 addresses with port numbers. Either the address or port number (but not both) may be omitted, in which case a default of 127.0.0.1 or 3001 will be used. The first address in the list corresponds to the address for replica 0, the second address for replica 1, and so on.

Type: list of non-empty string

Default:

[
  "3001"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/tigerbeetle.nix>
services.tigerbeetle.cacheGridSize

The grid cache size. The grid cache acts like a page cache for TigerBeetle. It is recommended to set this as large as possible.

Type: string matching the pattern [0-9]+(K|M|G)iB

Default: "1GiB"

Declared by:

<nixpkgs/nixos/modules/services/databases/tigerbeetle.nix>
services.tigerbeetle.clusterId

The 128-bit cluster ID used to create the replica data file (if needed). Since Nix only supports integers up to 64 bits, you need to pass a string to this if the cluster ID can’t fit in 64 bits. Otherwise, you can pass the cluster ID as either an integer or a string.

Type: unsigned integer, meaning >=0, or string matching the pattern [0-9]+

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/databases/tigerbeetle.nix>
services.tigerbeetle.replicaCount

The number of replicas participating in replication of the cluster.

Type: unsigned integer, meaning >=0

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/databases/tigerbeetle.nix>
services.tigerbeetle.replicaIndex

The index (starting at 0) of the replica in the cluster.

Type: unsigned integer, meaning >=0

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/databases/tigerbeetle.nix>
services.tika.enable

Whether to enable Apache Tika server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/search/tika.nix>
services.tika.enableOcr

Whether to enable OCR support by adding the tesseract package as a dependency.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/search/tika.nix>
services.tika.package

The tika package to use.

Type: package

Default: pkgs.tika

Declared by:

<nixpkgs/nixos/modules/services/search/tika.nix>
services.tika.configFile

The Apache Tika configuration (XML) file to use.

Type: null or path

Default: null

Example: ./tika/tika-config.xml

Declared by:

<nixpkgs/nixos/modules/services/search/tika.nix>
services.tika.listenAddress

The Apache Tika bind address.

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/search/tika.nix>
services.tika.openFirewall

Whether to open the firewall for Apache Tika. This adds services.tika.port to networking.firewall.allowedTCPPorts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/search/tika.nix>
services.tika.port

The Apache Tike port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9998

Declared by:

<nixpkgs/nixos/modules/services/search/tika.nix>
services.timesyncd.enable

Enables the systemd NTP client daemon.

Type: boolean

Default: !config.boot.isContainer

Declared by:

<nixpkgs/nixos/modules/system/boot/timesyncd.nix>
services.timesyncd.extraConfig

Extra config options for systemd-timesyncd. See timesyncd.conf(5) for available options.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  PollIntervalMaxSec=180
''

Declared by:

<nixpkgs/nixos/modules/system/boot/timesyncd.nix>
services.timesyncd.fallbackServers

The set of fallback NTP servers from which to synchronise.

Setting this option to an empty list will write FallbackNTP= to the timesyncd.conf file as opposed to setting this option to null which will remove FallbackNTP= entirely.

See man:timesyncd.conf(5) for details.

Type: null or (list of string)

Default: config.networking.timeServers

Declared by:

<nixpkgs/nixos/modules/system/boot/timesyncd.nix>
services.timesyncd.servers

The set of NTP servers from which to synchronise.

Setting this option to an empty list will write NTP= to the timesyncd.conf file as opposed to setting this option to null which will remove NTP= entirely.

See man:timesyncd.conf(5) for details.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/timesyncd.nix>
services.tinc.networks

Defines the tinc networks which will be started. Each network invokes a different daemon.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.package

The tinc_pre package to use.

Type: package

Default: pkgs.tinc_pre

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.bindToAddress

The ip address to bind to (both listen on and send packets from).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.chroot

Change process root directory to the directory where the config file is located (/etc/tinc/netname/), for added security. The chroot is performed after all the initialization is done, after writing pid files and opening network sockets.

Note that this currently breaks dns resolution and tinc can’t run scripts anymore (such as tinc-down or host-up), unless it is setup to be runnable inside chroot environment.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.debugLevel

The amount of debugging information to add to the log. 0 means little logging while 5 is the most logging. man tincd for more details.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.ed25519PrivateKeyFile

Path of the private ed25519 keyfile.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.extraConfig

Extra lines to add to the tinc service configuration file.

Note that using the declarative service.tinc.networks.<name>.settings option is preferred.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.hostSettings

The name of the host in the network as well as the configuration for that host. This name should only contain alphanumerics and underscores.

Type: attribute set of (submodule)

Default: { }

Example:

{
  host1 = {
    addresses = [
      { address = "192.168.1.42"; }
      { address = "192.168.1.42"; port = 1655; }
    ];
    subnets = [ { address = "10.0.0.42"; } ];
    rsaPublicKey = "...";
    settings = {
      Ed25519PublicKey = "...";
    };
  };
  host2 = {
    subnets = [ { address = "10.0.1.0"; prefixLength = 24; weight = 2; } ];
    rsaPublicKey = "...";
    settings = {
      Compression = 10;
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.hostSettings.<name>.addresses

The external address where the host can be reached. This will set this host’s settings.Address option.

This variable is only required if you want to connect to this host.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.hostSettings.<name>.addresses.*.address

The external IP address or hostname where the host can be reached.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.hostSettings.<name>.addresses.*.port

The port where the host can be reached.

If no port is specified, the default Port is used.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.hostSettings.<name>.rsaPublicKey

Legacy RSA public key of the host in PEM format, including start and end markers.

This will be appended as-is in the host’s configuration file.

The ed25519 public key can be specified using the settings.Ed25519PublicKey option instead.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.hostSettings.<name>.settings

Configuration for this host.

See https://tinc-vpn.org/documentation-1.1/Host-configuration-variables.html for supported values.

Type: attribute set of (boolean or string or signed integer or list of (boolean or string or signed integer))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.hostSettings.<name>.subnets

The subnets which this tinc daemon will serve. This will set this host’s settings.Subnet option.

Tinc tries to look up which other daemon it should send a packet to by searching the appropriate subnet. If the packet matches a subnet, it will be sent to the daemon who has this subnet in his host configuration file.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.hostSettings.<name>.subnets.*.address

The subnet of this host.

Subnets can either be single MAC, IPv4 or IPv6 addresses, in which case a subnet consisting of only that single address is assumed, or they can be a IPv4 or IPv6 network address with a prefix length.

IPv4 subnets are notated like 192.168.1.0/24, IPv6 subnets are notated like fec0:0:0:1::/64. MAC addresses are notated like 0:1a:2b:3c:4d:5e.

Note that subnets like 192.168.1.1/24 are invalid.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.hostSettings.<name>.subnets.*.prefixLength

The prefix length of the subnet.

If null, a subnet consisting of only that single address is assumed.

This conforms to standard CIDR notation as described in RFC1519.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.hostSettings.<name>.subnets.*.weight

Indicates the priority over identical Subnets owned by different nodes.

Lower values indicate higher priority. Packets will be sent to the node with the highest priority, unless that node is not reachable, in which case the node with the next highest priority will be tried, and so on.

Type: unsigned integer, meaning >=0

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.hosts

The name of the host in the network as well as the configuration for that host. This name should only contain alphanumerics and underscores.

Note that using the declarative service.tinc.networks.<name>.hostSettings option is preferred.

Type: attribute set of strings concatenated with “\n”

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.interfaceType

The type of virtual interface used for the network connection.

Type: one of “tun”, “tap”

Default: "tun"

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.listenAddress

The ip address to listen on for incoming connections.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.name

The name of the node which is used as an identifier when communicating with the remote nodes in the mesh. If null then the hostname of the system is used to derive a name (note that tinc may replace non-alphanumeric characters in hostnames by underscores).

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.rsaPrivateKeyFile

Path of the private RSA keyfile.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinc.networks.<name>.settings

Configuration of the Tinc daemon for this network.

See https://tinc-vpn.org/documentation-1.1/Main-configuration-variables.html for supported values.

Type: attribute set of (boolean or string or signed integer or list of (boolean or string or signed integer))

Default: { }

Example:

{
  Interface = "custom.interface";
  DirectOnly = true;
  Mode = "switch";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/tinc.nix>
services.tinydns.enable

Whether to run the tinydns dns server

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/tinydns.nix>
services.tinydns.data

The DNS data to serve, in the format described by tinydns-data(8)

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/tinydns.nix>
services.tinydns.ip

IP address on which to listen for connections

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/tinydns.nix>
services.tinyproxy.enable

Whether to enable Tinyproxy daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/tinyproxy.nix>
services.tinyproxy.package

The tinyproxy package to use.

Type: package

Default: pkgs.tinyproxy

Declared by:

<nixpkgs/nixos/modules/services/networking/tinyproxy.nix>
services.tinyproxy.settings

Configuration for tinyproxy.

Type: attribute set of (atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default: { }

Example:

{
          Port 8888;
          Listen 127.0.0.1;
          Timeout 600;
          Allow 127.0.0.1;
          Anonymous = ['"Host"' '"Authorization"'];
          ReversePath = '"/example/" "http://www.example.com/"';
        }

Declared by:

<nixpkgs/nixos/modules/services/networking/tinyproxy.nix>
services.tinyproxy.settings.Anonymous

If an Anonymous keyword is present, then anonymous proxying is enabled. The headers listed with Anonymous are allowed through, while all others are denied. If no Anonymous keyword is present, then all headers are allowed through. You must include quotes around the headers.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/tinyproxy.nix>
services.tinyproxy.settings.Filter

Tinyproxy supports filtering of web sites based on URLs or domains. This option specifies the location of the file containing the filter rules, one rule per line.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tinyproxy.nix>
services.tinyproxy.settings.Listen

Specify which address to listen to.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/tinyproxy.nix>
services.tinyproxy.settings.Port

Specify which port to listen to.

Type: signed integer

Default: 8888

Declared by:

<nixpkgs/nixos/modules/services/networking/tinyproxy.nix>
services.tlp.enable

Whether to enable the TLP power management daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/tlp.nix>
services.tlp.extraConfig

Verbatim additional configuration variables for TLP. DEPRECATED: use services.tlp.settings instead.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/tlp.nix>
services.tlp.settings

Options passed to TLP. See https://linrunner.de/tlp for all supported options…

Type: attribute set of (boolean or signed integer or floating point number or string or list of string)

Default: { }

Example:

{
  SATA_LINKPWR_ON_BAT = "med_power_with_dipm";
  USB_BLACKLIST_PHONE = 1;
}

Declared by:

<nixpkgs/nixos/modules/services/hardware/tlp.nix>
services.tmate-ssh-server.enable

Whether to enable tmate ssh server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/tmate-ssh-server.nix>
services.tmate-ssh-server.package

The tmate-ssh-server package to use.

Type: package

Default: pkgs.tmate-ssh-server

Declared by:

<nixpkgs/nixos/modules/services/networking/tmate-ssh-server.nix>
services.tmate-ssh-server.advertisedPort

External port advertised to clients

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/networking/tmate-ssh-server.nix>
services.tmate-ssh-server.host

External host name

Type: string

Default: config.networking.domain or config.networking.hostName

Declared by:

<nixpkgs/nixos/modules/services/networking/tmate-ssh-server.nix>
services.tmate-ssh-server.keysDir

Directory containing ssh keys, defaulting to auto-generation

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/tmate-ssh-server.nix>
services.tmate-ssh-server.openFirewall

Whether to automatically open the specified ports in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/tmate-ssh-server.nix>
services.tmate-ssh-server.port

Listen port for the ssh server

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2222

Declared by:

<nixpkgs/nixos/modules/services/networking/tmate-ssh-server.nix>
services.todesk.enable

Whether to enable ToDesk daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/todesk.nix>
services.todesk.package

The todesk package to use.

Type: package

Default: pkgs.todesk

Declared by:

<nixpkgs/nixos/modules/services/monitoring/todesk.nix>
services.tomcat.enable

Whether to enable Apache Tomcat.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.package

The tomcat9 package to use.

Type: package

Default: pkgs.tomcat9

Example: tomcat10

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.axis2.enable

Whether to enable Apache Axis2 container.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.axis2.services

List containing AAR files or directories with AAR files which are web services to be deployed on Axis2

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.baseDir

Location where Tomcat stores configuration files, web applications and logfiles. Note that it is partially cleared on each service startup if purifyOnStart is enabled.

Type: path

Default: "/var/tomcat"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.catalinaOpts

Parameters to pass to the Java Virtual Machine which spawns the Catalina servlet container

Type: (list of string) or string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.commonLibs

List containing JAR files or directories with JAR files which are libraries shared by the web applications and the servlet container

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.extraConfigFiles

Extra configuration files to pull into the tomcat conf directory

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.extraEnvironment

Environment Variables to pass to the tomcat service

Type: list of string

Default: [ ]

Example:

[
  "ENVIRONMENT=production"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.extraGroups

Defines extra groups to which the tomcat user belongs.

Type: list of string

Default: [ ]

Example:

[
  "users"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.group

Group account under which Apache Tomcat runs.

Type: string

Default: "tomcat"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.javaOpts

Parameters to pass to the Java Virtual Machine which spawns Apache Tomcat

Type: (list of string) or string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.jdk

The jdk package to use.

Type: package

Default: pkgs.jdk

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.logDirs

Directories to create in baseDir/logs/

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.logPerVirtualHost

Whether to enable logging per virtual host.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.port

The TCP port Tomcat should listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.purifyOnStart

On startup, the baseDir directory is populated with various files, subdirectories and symlinks. If this option is enabled, these items (except for the logs and work subdirectories) are first removed. This prevents interference from remainders of an old configuration (libraries, webapps, etc.), so it’s recommended to enable this option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.serverXml

Verbatim server.xml configuration. This is mutually exclusive with the virtualHosts options.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.sharedLibs

List containing JAR files or directories with JAR files which are libraries shared by the web applications

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.user

User account under which Apache Tomcat runs.

Type: string

Default: "tomcat"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.virtualHosts

List consisting of a virtual host name and a list of web applications to deploy on each virtual host

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.virtualHosts.*.aliases

aliases of the virtualhost

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.virtualHosts.*.name

name of the virtualhost

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.virtualHosts.*.webapps

List containing web application WAR files and/or directories containing web applications and configuration files for the virtual host.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tomcat.webapps

List containing WAR files or directories with WAR files which are web applications to be deployed on Tomcat

Type: list of path

Default: [ config.services.tomcat.package.webapps ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/tomcat.nix>
services.tor.enable

Whether to enable Tor daemon. By default, the daemon is run without relay, exit, bridge or client connectivity.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.enableGeoIP

Whether to enable use of GeoIP databases. Disabling this will disable by-country statistics for bridges and relays and some client and third-party software functionality.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.package

The tor package to use.

Type: package

Default: pkgs.tor

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.client.enable

Whether to enable the routing of application connections. You might want to disable this if you plan running a dedicated Tor relay.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.client.dns.enable

Whether to enable DNS resolver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.client.onionServices

See torrc manual.

Type: attribute set of (submodule)

Default: { }

Example:

{
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx = {
    clientAuthorizations = [
      "/run/keys/tor/alice.prv.x25519"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.client.onionServices.<name>.clientAuthorizations

Clients’ authorizations for a v3 onion service, as a list of files containing each one private key, in the format:

descriptor:x25519:<base32-private-key>

See torrc manual.

Type: list of path

Default: [ ]

Example:

[
  "/run/keys/tor/alice.prv.x25519"
]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.client.socksListenAddress

Bind to this address to listen for connections from Socks-speaking applications.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive) or (submodule)

Default:

{
  IsolateDestAddr = true;
  addr = "127.0.0.1";
  port = 9050;
}

Example:

{
  IsolateDestAddr = true;
  addr = "192.168.0.1";
  port = 9090;
}

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.client.transparentProxy.enable

Whether to enable transparent proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.controlSocket.enable

Whether to enable control socket, created in /run/tor/control.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.openFirewall

Whether to enable opening of the relay port(s) in the firewall.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.enable

Whether to enable relaying of Tor traffic for others.

See https://www.torproject.org/docs/tor-doc-relay for details.

Setting this to true requires setting services.tor.relay.role and services.tor.settings.ORPort options.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices

See torrc manual.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "example.org/www" = {
    authorizedClients = [
      "descriptor:x25519:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    ];
    map = [
      80
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.authorizeClient

See torrc manual.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.authorizeClient.authType

Either "basic" for a general-purpose authorization protocol or "stealth" for a less scalable protocol that also hides service activity from unauthorized clients.

Type: one of “basic”, “stealth”

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.authorizeClient.clientNames

Only clients that are listed here are authorized to access the hidden service. Generated authorization data can be found in /var/lib/tor/onion/$name/hostname. Clients need to put this authorization data in their configuration file using services.tor.settings.HidServAuth.

Type: non-empty (list of string matching the pattern [A-Za-z0-9±_]+)

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.authorizedClients

Authorized clients for a v3 onion service, as a list of public key, in the format:

descriptor:x25519:<base32-public-key>

See torrc manual.

Type: list of string

Default: [ ]

Example:

[
  "descriptor:x25519:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.map

See torrc manual.

Type: list of (16 bit unsigned integer; between 0 and 65535 (both inclusive) or (submodule))

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.path

Path where to store the data files of the hidden service. If the secretKey is null this defaults to /var/lib/tor/onion/$onion, otherwise to /run/tor/onion/$onion.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.secretKey

Secret key of the onion service. If null, Tor reuses any preexisting secret key (in path) or generates a new one. The associated public key and hostname are deterministically regenerated from this file if they do not exist.

Type: null or path

Default: null

Example: "/run/keys/tor/onion/expyuzz4wqqyqhjn/hs_ed25519_secret_key"

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.settings

Settings of the onion service. See torrc manual.

Type: settings option

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.settings.HiddenServiceAllowUnknownPorts

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.settings.HiddenServiceDirGroupReadable

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.settings.HiddenServiceExportCircuitID

See torrc manual.

Type: null or value “haproxy” (singular enum)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.settings.HiddenServiceMaxStreams

See torrc manual.

Type: null or integer between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.settings.HiddenServiceMaxStreamsCloseCircuit

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.settings.HiddenServiceNumIntroductionPoints

See torrc manual.

Type: null or integer between 0 and 20 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.settings.HiddenServiceSingleHopMode

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.settings.RendPostPeriod

See torrc manual.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.onionServices.<name>.version

See torrc manual.

Type: null or one of 2, 3

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.relay.role

Your role in Tor network. There’re several options:

  • exit: An exit relay. This allows Tor users to access regular Internet services through your public IP.

    You can specify which services Tor users may access via your exit relay using settings.ExitPolicy option.

  • relay: Regular relay. This allows Tor users to relay onion traffic to other Tor nodes, but not to public Internet.

    See https://www.torproject.org/docs/tor-doc-relay.html.en for more info.

  • bridge: Regular bridge. Works like a regular relay, but doesn’t list you in the public relay directory and hides your Tor node behind obfs4proxy.

    Using this option will make Tor advertise your bridge to users through various mechanisms like https://bridges.torproject.org/, though.

    See https://www.torproject.org/docs/bridges.html.en for more info.

  • private-bridge: Private bridge. Works like regular bridge, but does not advertise your node in any way.

    Using this role means that you won’t contribute to Tor network in any way unless you advertise your node yourself in some way.

    Use this if you want to run a private bridge, for example because you’ll give out your bridge addr manually to your friends.

    Switching to this role after measurable time in “bridge” role is pretty useless as some Tor users would have learned about your node already. In the latter case you can still change port option.

    See https://www.torproject.org/docs/bridges.html.en for more info.

Important

Running an exit relay may expose you to abuse complaints. See https://www.torproject.org/faq.html.en#ExitPolicies for more info.

Important

Note that some misconfigured and/or disrespectful towards privacy sites will block you even if your relay is not an exit relay. That is, just being listed in a public relay directory can have unwanted consequences.

Which means you might not want to use this role if you browse public Internet from the same network as your relay, unless you want to write e-mails to those sites (you should!).

Important

WARNING: THE FOLLOWING PARAGRAPH IS NOT LEGAL ADVICE. Consult with your lawyer when in doubt.

The bridge role should be safe to use in most situations (unless the act of forwarding traffic for others is a punishable offence under your local laws, which would be pretty insane as it would make ISP illegal).

Type: one of “exit”, “relay”, “bridge”, “private-bridge”

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings

See torrc manual for documentation.

Type: settings option

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.AccountingMax

See torrc manual.

Type: null or signed integer or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.AccountingStart

See torrc manual.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.Address

See torrc manual.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.AssumeReachable

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.AuthDirHasIPv6Connectivity

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.AuthDirListBadExits

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.AuthDirPinKeys

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.AuthDirSharedRandomness

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.AuthDirTestEd25519LinkKeys

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.AuthoritativeDirectory

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.AutomapHostsOnResolve

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.AutomapHostsSuffixes

See torrc manual.

Type: list of string

Default:

[
  ".onion"
  ".exit"
]

Example:

[
  ".onion"
]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.BandwidthBurst

See torrc manual.

Type: null or signed integer or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.BandwidthRate

See torrc manual.

Type: null or signed integer or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.BridgeAuthoritativeDir

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.BridgeRecordUsageByCountry

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.BridgeRelay

See torrc manual.

Type: null or boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.CacheDirectory

See torrc manual.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.CacheDirectoryGroupReadable

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.CellStatistics

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ClientAutoIPv6ORPort

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ClientDNSRejectInternalAddresses

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ClientOnionAuthDir

See torrc manual.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ClientPreferIPv6DirPort

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ClientPreferIPv6ORPort

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ClientRejectInternalAddresses

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ClientUseIPv4

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ClientUseIPv6

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ConnDirectionStatistics

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ConstrainedSockets

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ContactInfo

See torrc manual.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ControlPort

See torrc manual.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or list of (16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or (submodule))

Default: [ ]

Example:

[
  {
    port = 9051;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ControlPortFileGroupReadable

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ControlPortWriteToFile

See torrc manual.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ControlSocket

See torrc manual.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ControlSocketsGroupWritable

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.CookieAuthFile

See torrc manual.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.CookieAuthFileGroupReadable

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.CookieAuthentication

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DNSPort

See torrc manual.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or (submodule) or list of (16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or (submodule))

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DataDirectory

See torrc manual.

Type: null or path

Default: "/var/lib/tor"

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DataDirectoryGroupReadable

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DirAllowPrivateAddresses

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DirCache

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DirPolicy

See torrc manual.

Type: list of string

Default: [ ]

Example:

[
  "accept *:*"
]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DirPort

See torrc manual.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or list of (16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or (submodule))

Default: [ ]

Example: 443

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DirPortFrontPage

See torrc manual.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DirReqStatistics

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DisableAllSwap

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DisableDebuggerAttachment

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DisableNetwork

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DisableOOSCheck

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DoSCircuitCreationEnabled

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DoSConnectionEnabled

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DoSRefuseSingleHopClientRendezvous

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DormantCanceledByStartup

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DormantOnFirstStartup

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DormantTimeoutDisabledByIdleStreams

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.DownloadExtraInfo

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.EnforceDistinctSubnets

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.EntryStatistics

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ExitPolicy

See torrc manual.

Type: list of string

Default:

[
  "reject *:*"
]

Example:

[
  "accept *:*"
]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ExitPolicyRejectLocalInterfaces

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ExitPolicyRejectPrivate

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ExitPortStatistics

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ExitRelay

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ExtORPort

See torrc manual.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ExtORPortCookieAuthFile

See torrc manual.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ExtORPortCookieAuthFileGroupReadable

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ExtendAllowPrivateAddresses

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ExtraInfoStatistics

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.FascistFirewall

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.FetchDirInfoEarly

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.FetchDirInfoExtraEarly

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.FetchHidServDescriptors

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.FetchServerDescriptors

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.FetchUselessDescriptors

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.GeoIPFile

See torrc manual.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.GeoIPv6File

See torrc manual.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.GuardfractionFile

See torrc manual.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.HSLayer2Nodes

See torrc manual.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.HSLayer3Nodes

See torrc manual.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.HTTPTunnelPort

See torrc manual.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or (submodule) or list of (16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or (submodule))

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.HidServAuth

See torrc manual.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    auth = "xxxxxxxxxxxxxxxxxxxxxx";
    onion = "xxxxxxxxxxxxxxxx.onion";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.HidServAuth.*.auth

Authentication cookie.

Type: string matching the pattern [A-Za-z0-9+/]{22}

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.HidServAuth.*.onion

Onion address.

Type: string matching the pattern [a-z2-7]{16}\.onion

Example: "xxxxxxxxxxxxxxxx.onion"

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.HiddenServiceNonAnonymousMode

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.HiddenServiceStatistics

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.IPv6Exit

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.KeyDirectory

See torrc manual.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.KeyDirectoryGroupReadable

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.LogMessageDomains

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.LongLivedPorts

See torrc manual.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.MainloopStats

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.MaxAdvertisedBandwidth

See torrc manual.

Type: null or signed integer or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.MaxCircuitDirtiness

See torrc manual.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.MaxClientCircuitsPending

See torrc manual.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.NATDPort

See torrc manual.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or (submodule) or list of (16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or (submodule))

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.NewCircuitPeriod

See torrc manual.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.Nickname

See torrc manual.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ORPort

See torrc manual.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or list of (16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or (submodule))

Default: [ ]

Example: 443

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.OfflineMasterKey

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.OptimisticData

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.PaddingStatistics

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.PerConnBWBurst

See torrc manual.

Type: null or signed integer or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.PerConnBWRate

See torrc manual.

Type: null or signed integer or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.PidFile

See torrc manual.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ProtocolWarnings

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.PublishHidServDescriptors

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.PublishServerDescriptor

See torrc manual.

Type: null or one of false, true, 0, 1, “0”, “1”, “v3”, “bridge”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ReachableAddresses

See torrc manual.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ReachableDirAddresses

See torrc manual.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ReachableORAddresses

See torrc manual.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ReducedExitPolicy

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.RefuseUnknownExits

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.RejectPlaintextPorts

See torrc manual.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.RelayBandwidthBurst

See torrc manual.

Type: null or signed integer or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.RelayBandwidthRate

See torrc manual.

Type: null or signed integer or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.SOCKSPort

See torrc manual.

Type: list of (16 bit unsigned integer; between 0 and 65535 (both inclusive) or (submodule))

Default:

if config.services.tor.settings.HiddenServiceNonAnonymousMode == true
then [ { port = 0; } ]
else [ ]

Example:

[
  {
    port = 9090;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.Sandbox

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ServerDNSAllowBrokenConfig

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ServerDNSAllowNonRFC953Hostnames

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ServerDNSDetectHijacking

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ServerDNSRandomizeCase

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ServerDNSResolvConfFile

See torrc manual.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ServerDNSSearchDomains

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ServerTransportPlugin

See torrc manual.

Type: null or (submodule)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ServerTransportPlugin.exec

Command of pluggable transport.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ServerTransportPlugin.transports

List of pluggable transports.

Type: list of string

Example:

[
  "obfs2"
  "obfs3"
  "obfs4"
  "scramblesuit"
]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.ShutdownWaitLength

See torrc manual.

Type: signed integer

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.SocksPolicy

See torrc manual.

Type: list of string

Default: [ ]

Example:

[
  "accept *:*"
]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.TestingTorNetwork

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.TransPort

See torrc manual.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or (submodule) or list of (16 bit unsigned integer; between 0 and 65535 (both inclusive) or value “auto” (singular enum) or (submodule))

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.TransProxyType

See torrc manual.

Type: null or one of “default”, “TPROXY”, “ipfw”, “pf-divert”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.UnixSocksGroupWritable

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.UseDefaultFallbackDirs

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.UseMicrodescriptors

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.V3AuthUseLegacyKey

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.V3AuthoritativeDirectory

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.VersioningAuthoritativeDirectory

See torrc manual.

Type: null or boolean

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.VirtualAddrNetworkIPv4

See torrc manual.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.VirtualAddrNetworkIPv6

See torrc manual.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.settings.WarnPlaintextPorts

See torrc manual.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/tor.nix>
services.tor.torsocks.enable

Whether to build /etc/tor/torsocks.conf containing the specified global torsocks configuration.

Type: boolean

Default: config.services.tor.enable && config.services.tor.client.enable

Declared by:

<nixpkgs/nixos/modules/services/security/torsocks.nix>
services.tor.torsocks.allowInbound

Set Torsocks to accept inbound connections. If set to true, listen() and accept() will be allowed to be used with non localhost address.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/torsocks.nix>
services.tor.torsocks.fasterServer

IP/Port of the Tor SOCKS server for torsocks-faster wrapper suitable for HTTP. Currently, hostnames are NOT supported by torsocks.

Type: string

Default: "127.0.0.1:9063"

Example: "192.168.0.20:1234"

Declared by:

<nixpkgs/nixos/modules/services/security/torsocks.nix>
services.tor.torsocks.onionAddrRange

Tor hidden sites do not have real IP addresses. This specifies what range of IP addresses will be handed to the application as “cookies” for .onion names. Of course, you should pick a block of addresses which you aren’t going to ever need to actually connect to. This is similar to the MapAddress feature of the main tor daemon.

Type: string

Default: "127.42.42.0/24"

Declared by:

<nixpkgs/nixos/modules/services/security/torsocks.nix>
services.tor.torsocks.server

IP/Port of the Tor SOCKS server. Currently, hostnames are NOT supported by torsocks.

Type: string

Default: "127.0.0.1:9050"

Example: "192.168.0.20:1234"

Declared by:

<nixpkgs/nixos/modules/services/security/torsocks.nix>
services.tor.torsocks.socks5Password

SOCKS5 password. The TORSOCKS_PASSWORD environment variable overrides this option if it is set.

Type: null or string

Default: null

Example: "sekret"

Declared by:

<nixpkgs/nixos/modules/services/security/torsocks.nix>
services.tor.torsocks.socks5Username

SOCKS5 username. The TORSOCKS_USERNAME environment variable overrides this option if it is set.

Type: null or string

Default: null

Example: "bob"

Declared by:

<nixpkgs/nixos/modules/services/security/torsocks.nix>
services.tor.tsocks.enable

Whether to build tsocks wrapper script to relay application traffic via Tor.

Important

You shouldn’t use this unless you know what you’re doing because your installation of Tor already comes with its own superior (doesn’t leak DNS queries) torsocks wrapper which does pretty much exactly the same thing as this.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/torify.nix>
services.tor.tsocks.config

Extra configuration. Contents will be added verbatim to TSocks configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/security/torify.nix>
services.tor.tsocks.server

IP address of TOR client to use.

Type: string

Default: "localhost:9050"

Example: "192.168.0.20"

Declared by:

<nixpkgs/nixos/modules/services/security/torify.nix>
services.torque.mom.enable

Whether to enable torque computing node.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/computing/torque/mom.nix>
services.torque.mom.serverNode

Hostname running pbs server.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/computing/torque/mom.nix>
services.torque.server.enable

Whether to enable torque server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/computing/torque/server.nix>
services.torrentstream.enable

Whether to enable TorrentStream daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/torrentstream.nix>
services.torrentstream.package

The torrentstream package to use.

Type: package

Default: pkgs.torrentstream

Declared by:

<nixpkgs/nixos/modules/services/torrent/torrentstream.nix>
services.torrentstream.address

Address to listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/torrent/torrentstream.nix>
services.torrentstream.openFirewall

Open ports in the firewall for TorrentStream daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/torrent/torrentstream.nix>
services.torrentstream.port

TorrentStream port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5082

Declared by:

<nixpkgs/nixos/modules/services/torrent/torrentstream.nix>
services.touchegg.enable

Whether to enable touchegg, a multi-touch gesture recognizer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/touchegg.nix>
services.touchegg.package

The touchegg package to use.

Type: package

Default: pkgs.touchegg

Declared by:

<nixpkgs/nixos/modules/services/x11/touchegg.nix>
services.tox-node.enable

Whether to enable Tox Node service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/tox-node.nix>
services.tox-node.keysFile

Path to the file where DHT keys are stored.

Type: string

Default: "/var/lib/tox-node/keys"

Declared by:

<nixpkgs/nixos/modules/services/networking/tox-node.nix>
services.tox-node.lanDiscovery

Enable local network discovery.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/tox-node.nix>
services.tox-node.logType

Logging implementation.

Type: one of “Stderr”, “Stdout”, “Syslog”, “None”

Default: "Stderr"

Declared by:

<nixpkgs/nixos/modules/services/networking/tox-node.nix>
services.tox-node.motd

Message of the day

Type: string

Default: "Hi from tox-rs! I'm up {{uptime}}. TCP: incoming {{tcp_packets_in}}, outgoing {{tcp_packets_out}}, UDP: incoming {{udp_packets_in}}, outgoing {{udp_packets_out}}"

Declared by:

<nixpkgs/nixos/modules/services/networking/tox-node.nix>
services.tox-node.tcpAddresses

TCP addresses to run TCP relay.

Type: list of string

Default:

[
  "0.0.0.0:33445"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/tox-node.nix>
services.tox-node.tcpConnectionLimit

Maximum number of active TCP connections relay can hold

Type: signed integer

Default: 8192

Declared by:

<nixpkgs/nixos/modules/services/networking/tox-node.nix>
services.tox-node.threads

Number of threads for execution

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/networking/tox-node.nix>
services.tox-node.udpAddress

UDP address to run DHT node.

Type: string

Default: "0.0.0.0:33445"

Declared by:

<nixpkgs/nixos/modules/services/networking/tox-node.nix>
services.toxBootstrapd.enable

Whether to enable the Tox DHT bootstrap daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix>
services.toxBootstrapd.extraConfig

Configuration for bootstrap daemon. See https://github.com/irungentoo/toxcore/blob/master/other/bootstrap_daemon/tox-bootstrapd.conf and https://wiki.tox.chat/users/nodes.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix>
services.toxBootstrapd.keysFile

Node key file.

Type: string

Default: "/var/lib/tox-bootstrapd/keys"

Declared by:

<nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix>
services.toxBootstrapd.port

Listening port (UDP).

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 33445

Declared by:

<nixpkgs/nixos/modules/services/networking/tox-bootstrapd.nix>
services.toxvpn.enable

Whether to enable toxvpn running on startup.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/toxvpn.nix>
services.toxvpn.auto_add_peers

peers to automatically connect to on startup

Type: list of string

Default: [ ]

Example:

[
  "toxid1"
  "toxid2"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/toxvpn.nix>
services.toxvpn.localip

your ip on the vpn

Type: string

Default: "10.123.123.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/toxvpn.nix>
services.toxvpn.port

udp port for toxcore, port-forward to help with connectivity if you run many nodes behind one NAT

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 33445

Declared by:

<nixpkgs/nixos/modules/services/networking/toxvpn.nix>
services.tp-auto-kbbl.enable

Whether to enable auto toggle keyboard back-lighting on Thinkpads (and maybe other laptops) for Linux.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/tp-auto-kbbl.nix>
services.tp-auto-kbbl.package

The tp-auto-kbbl package to use.

Type: package

Default: pkgs.tp-auto-kbbl

Declared by:

<nixpkgs/nixos/modules/services/misc/tp-auto-kbbl.nix>
services.tp-auto-kbbl.arguments

List of arguments appended to ./tp-auto-kbbl --device [device] [arguments]

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/tp-auto-kbbl.nix>
services.tp-auto-kbbl.device

Device watched for activities.

Type: string

Default: "/dev/input/event0"

Declared by:

<nixpkgs/nixos/modules/services/misc/tp-auto-kbbl.nix>
services.traccar.enable

Whether to enable Traccar, an open source GPS tracking system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/traccar.nix>
services.traccar.environmentFile

File containing environment variables to substitute in the configuration before starting Traccar.

Can be used for storing the secrets without making them available in the world-readable Nix store.

For example, you can set services.traccar.settings.databasePassword = "$TRACCAR_DB_PASSWORD" and then specify TRACCAR_DB_PASSWORD="<secret>" in the environment file. This value will get substituted in the configuration file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/traccar.nix>
services.traccar.settings

config.xml configuration as a Nix attribute set. Attribute names are translated from camelCase to dot-separated strings. For instance: mailSmtpPort = "25" would result in the following configuration property: <entry key='mail.smtp.port'>25</entry> Configuration options should match those described in Traccar - Configuration File. Secret tokens should be specified using environmentFile instead of this world-readable attribute set.

Type: unspecified value

Default:

{
  databaseDriver = "org.h2.Driver";
  databasePassword = "";
  databaseUrl = "jdbc:h2:/var/lib/traccar/traccar";
  databaseUser = "sa";
  loggerConsole = "true";
  mediaPath = "/var/lib/traccar/media";
  templatesRoot = "/var/lib/traccar/templates";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/traccar.nix>
services.traefik.enable

Whether to enable Traefik web server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/traefik.nix>
services.traefik.package

The traefik package to use.

Type: package

Default: pkgs.traefik

Declared by:

<nixpkgs/nixos/modules/services/web-servers/traefik.nix>
services.traefik.dataDir

Location for any persistent data traefik creates, ie. acme

Type: path

Default: "/var/lib/traefik"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/traefik.nix>
services.traefik.dynamicConfigFile

Path to traefik’s dynamic configuration to use. (Using that option has precedence over dynamicConfigOptions)

Type: null or path

Default: null

Example: /path/to/dynamic_config.toml

Declared by:

<nixpkgs/nixos/modules/services/web-servers/traefik.nix>
services.traefik.dynamicConfigOptions

Dynamic configuration for Traefik.

Type: JSON value

Default: { }

Example:

{
  http = {
    routers = {
      router1 = {
        rule = "Host(`localhost`)";
        service = "service1";
      };
    };
    services = {
      service1 = {
        loadBalancer = {
          servers = [
            {
              url = "http://localhost:8080";
            }
          ];
        };
      };
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/traefik.nix>
services.traefik.environmentFiles

Files to load as environment file. Environment variables from this file will be substituted into the static configuration file using envsubst.

Type: list of path

Default: [ ]

Example:

[
  "/run/secrets/traefik.env"
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/traefik.nix>
services.traefik.group

Set the group that traefik runs under. For the docker backend this needs to be set to docker instead.

Type: string

Default: "traefik"

Example: "docker"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/traefik.nix>
services.traefik.staticConfigFile

Path to traefik’s static configuration to use. (Using that option has precedence over staticConfigOptions and dynamicConfigOptions)

Type: null or path

Default: null

Example: /path/to/static_config.toml

Declared by:

<nixpkgs/nixos/modules/services/web-servers/traefik.nix>
services.traefik.staticConfigOptions

Static configuration for Traefik.

Type: JSON value

Default:

{
  entryPoints = {
    http = {
      address = ":80";
    };
  };
}

Example:

{
  api = { };
  entryPoints = {
    http = {
      address = ":80";
    };
    web = {
      address = ":8080";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/traefik.nix>
services.trafficserver.enable

Whether to enable Apache Traffic Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.cache

Caching rules that overrule the origin’s caching policy.

Consult the upstream documentation for more details.

Type: strings concatenated with “\n”

Default: ""

Example: "dest_domain=example.com suffix=js action=never-cache"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.hosting

Partition the cache according to origin server or domain

Consult the upstream documentation for more details.

Type: strings concatenated with “\n”

Default: ""

Example: "domain=example.com volume=1"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.ipAllow

Control client access to Traffic Server and Traffic Server connections to upstream servers.

Consult the upstream documentation for more details.

Type: null or YAML value

Default: upstream defaults

Example:

{
  ip_allow = [{
    apply = "in";
    ip_addrs = "127.0.0.1";
    action = "allow";
    methods = "ALL";
  }];
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.logging

Configure logs.

Consult the upstream documentation for more details.

Type: null or YAML value

Default: upstream defaults

Example: { }

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.parent

Identify the parent proxies used in an cache hierarchy.

Consult the upstream documentation for more details.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  dest_domain=. method=get parent="p1.example:8080; p2.example:8080" round_robin=true
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.plugins

Controls run-time loadable plugins available to Traffic Server, as well as their configuration.

Consult the upstream documentation for more details.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.plugins.*.arg

arguments to pass to the plugin

Type: string

Default: ""

Example: "--header=ATS-My-Debug"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.plugins.*.path

Path to plugin. The path can either be absolute, or relative to the plugin directory.

Type: string

Example: "xdebug.so"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.records

List of configurable variables used by Traffic Server.

Consult the upstream documentation for more details.

Type: Traffic Server records value

Default: { }

Example:

{
  proxy = {
    config = {
      proxy_name = "my_server";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.remap

URL remapping rules used by Traffic Server.

Consult the upstream documentation for more details.

Type: strings concatenated with “\n”

Default: ""

Example: "map http://from.example http://origin.example"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.sni

Configure aspects of TLS connection handling for both inbound and outbound connections.

Consult the upstream documentation for more details.

Type: null or YAML value

Default: null

Example:

{
  sni = [{
    fqdn = "no-http2.example.com";
    https = "off";
  }];
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.splitDns

Specify the DNS server that Traffic Server should use under specific conditions.

Consult the upstream documentation for more details.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  dest_domain=internal.corp.example named="255.255.255.255:212 255.255.255.254" def_domain=corp.example search_list="corp.example corp1.example"
  dest_domain=!internal.corp.example named=255.255.255.253
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.sslMulticert

Configure SSL server certificates to terminate the SSL sessions.

Consult the upstream documentation for more details.

Type: strings concatenated with “\n”

Default: ""

Example: "dest_ip=* ssl_cert_name=default.pem"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.storage

List all the storage that make up the Traffic Server cache.

Consult the upstream documentation for more details.

Type: strings concatenated with “\n”

Default: "/var/cache/trafficserver 256M"

Example: "/dev/disk/by-id/XXXXX volume=1"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.strategies

Specify the next hop proxies used in an cache hierarchy and the algorithms used to select the next proxy.

Consult the upstream documentation for more details.

Type: null or YAML value

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.trafficserver.volume

Manage cache space more efficiently and restrict disk usage by creating cache volumes of different sizes.

Consult the upstream documentation for more details.

Type: null or YAML value

Default: ""

Example: "volume=1 scheme=http size=20%"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/trafficserver/default.nix>
services.transfer-sh.enable

Whether to enable Easy and fast file sharing from the command-line.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/transfer-sh.nix>
services.transfer-sh.package

The transfer-sh package to use.

Type: package

Default: pkgs.transfer-sh

Declared by:

<nixpkgs/nixos/modules/services/misc/transfer-sh.nix>
services.transfer-sh.provider

Storage providers to use

Type: one of “local”, “s3”, “storj”, “gdrive”

Default: "local"

Declared by:

<nixpkgs/nixos/modules/services/misc/transfer-sh.nix>
services.transfer-sh.secretFile

Path to file containing environment variables. Useful for passing down secrets. Some variables that can be considered secrets are:

  • AWS_ACCESS_KEY

  • AWS_ACCESS_KEY

  • TLS_PRIVATE_KEY

  • HTTP_AUTH_HTPASSWD

Type: null or path

Default: null

Example: "/run/secrets/transfer-sh.env"

Declared by:

<nixpkgs/nixos/modules/services/misc/transfer-sh.nix>
services.transfer-sh.settings

Additional configuration for transfer-sh, see https://github.com/dutchcoders/transfer.sh#usage-1 for supported values.

For secrets use secretFile option instead.

Type: attribute set of (boolean or signed integer or string)

Default: { }

Example:

{
  BASEDIR = "/var/lib/transfer.sh";
  LISTENER = ":8080";
  TLS_LISTENER_ONLY = false;
}

Declared by:

<nixpkgs/nixos/modules/services/misc/transfer-sh.nix>
services.transmission.enable

Whether to enable the headless Transmission BitTorrent daemon.

Transmission daemon can be controlled via the RPC interface using transmission-remote, the WebUI (http://127.0.0.1:9091/ by default), or other clients like stig or tremc.

Torrents are downloaded to services.transmission.home/Downloads by default and are accessible to users in the “transmission” group.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.package

The transmission package to use.

Type: package

Default: pkgs.transmission_3

Example: pkgs.transmission_4

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.credentialsFile

Path to a JSON file to be merged with the settings. Useful to merge a file which is better kept out of the Nix store to set secret config parameters like rpc-password.

Type: path

Default: "/dev/null"

Example: "/var/lib/secrets/transmission/settings.json"

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.downloadDirPermissions

If not null, is used as the permissions set by system.activationScripts.transmission-daemon on the directories services.transmission.settings.download-dir, services.transmission.settings.incomplete-dir. and services.transmission.settings.watch-dir. Note that you may also want to change services.transmission.settings.umask.

Keep in mind, that if the default user is used, the home directory is locked behind a 750 permission, which affects all subdirectories as well. There are 3 ways to get around this:

  1. (Recommended) add the users that should have access to the group set by services.transmission.group

  2. Change services.transmission.settings.download-dir to be under a directory that has the right permissions

  3. Change systemd.services.transmission.serviceConfig.StateDirectoryMode to the same value as this option

Type: null or string

Default: null

Example: "770"

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.extraFlags

Extra flags passed to the transmission command in the service definition.

Type: list of string

Default: [ ]

Example:

[
  "--log-debug"
]

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.group

Group account under which Transmission runs.

Type: string

Default: "transmission"

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.home

The directory where Transmission will create .config/transmission-daemon. as well as Downloads/ unless services.transmission.settings.download-dir is changed, and .incomplete/ unless services.transmission.settings.incomplete-dir is changed.

Type: path

Default: "/var/lib/transmission"

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.openFirewall

Alias of services.transmission.openPeerPorts.

Type: boolean

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.openPeerPorts

Whether to enable opening of the peer port(s) in the firewall.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.openRPCPort

Whether to enable opening of the RPC port in the firewall.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.performanceNetParameters

Whether to enable tweaking of kernel parameters to open many more connections at the same time.

Note that you may also want to increase peer-limit-global. And be aware that these settings are quite aggressive and might not suite your regular desktop use. For instance, SSH sessions may time out more easily.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings

Settings whose options overwrite fields in .config/transmission-daemon/settings.json (each time the service starts).

See Transmission’s Wiki for documentation of settings not explicitly covered by this module.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.download-dir

Directory where to download torrents.

Type: path

Default: "${config.services.transmission.home}/Downloads"

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.incomplete-dir

When enabled with services.transmission.home services.transmission.settings.incomplete-dir-enabled, new torrents will download the files to this directory. When complete, the files will be moved to download-dir services.transmission.settings.download-dir.

Type: path

Default: "${config.services.transmission.home}/.incomplete"

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.incomplete-dir-enabled

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.message-level

Set verbosity of transmission messages.

Type: integer between 0 and 6 (both inclusive)

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.peer-port

The peer port to listen for incoming connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 51413

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.peer-port-random-high

The maximum peer port to listen to for incoming connections when services.transmission.settings.peer-port-random-on-start is enabled.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 65535

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.peer-port-random-low

The minimal peer port to listen to for incoming connections when services.transmission.settings.peer-port-random-on-start is enabled.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 65535

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.peer-port-random-on-start

Randomize the peer port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.rpc-bind-address

Where to listen for RPC connections. Use 0.0.0.0 to listen on all interfaces.

Type: string

Default: "127.0.0.1"

Example: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.rpc-port

The RPC port to listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9091

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.script-torrent-done-enabled

Whether to run services.transmission.settings.script-torrent-done-filename at torrent completion.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.script-torrent-done-filename

Executable to be run at torrent completion.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.trash-original-torrent-files

Whether to delete torrents added from the services.transmission.settings.watch-dir.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.umask

Sets transmission’s file mode creation mask. See the umask(2) manpage for more information. Users who want their saved torrents to be world-writable may want to set this value to 0/"000".

Keep in mind, that if you are using Transmission 3, this has to be passed as a base 10 integer, whereas Transmission 4 takes an octal number in a string instead.

Type: signed integer or string

Default: if cfg.package == pkgs.transmission_3 then 18 else "022"

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.utp-enabled

Whether to enable Micro Transport Protocol (µTP).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.watch-dir

Watch a directory for torrent files and add them to transmission.

Type: path

Default: "${config.services.transmission.home}/watchdir"

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.settings.watch-dir-enabled

Whether to enable the services.transmission.settings.watch-dir.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.user

User account under which Transmission runs.

Type: string

Default: "transmission"

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.transmission.webHome

If not null, sets the value of the TRANSMISSION_WEB_HOME environment variable used by the service. Useful for overriding the web interface files, without overriding the transmission package and thus requiring rebuilding it locally. Use this if you want to use an alternative web interface, such as pkgs.flood-for-transmission.

Type: null or path

Default: null

Example: "pkgs.flood-for-transmission"

Declared by:

<nixpkgs/nixos/modules/services/torrent/transmission.nix>
services.tremor-rs.enable

Whether to enable Tremor event- or stream-processing system.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/tremor-rs.nix>
services.tremor-rs.host

The host tremor should be listening on

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/tremor-rs.nix>
services.tremor-rs.loggerSettings

Tremor logger configuration

Type: YAML value

Default:

{
  refresh_rate = "30 seconds";
  appenders.stdout.kind = "console";
  root = {
    level = "warn";
    appenders = [ "stdout" ];
  };
  loggers = {
    tremor_runtime = {
      level = "debug";
      appenders = [ "stdout" ];
      additive = false;
    };
    tremor = {
      level = "debug";
      appenders = [ "stdout" ];
      additive = false;
    };
  };
}

Example:

{
  appenders = {
    stdout = {
      kind = "console";
    };
  };
  loggers = {
    tremor = {
      additive = false;
      appenders = [
        "stdout"
      ];
      level = "debug";
    };
    tremor_runtime = {
      additive = false;
      appenders = [
        "stdout"
      ];
      level = "debug";
    };
  };
  refresh_rate = "30 seconds";
  root = {
    appenders = [
      "stdout"
    ];
    level = "warn";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/tremor-rs.nix>
services.tremor-rs.port

the port tremor should be listening on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9898

Declared by:

<nixpkgs/nixos/modules/services/monitoring/tremor-rs.nix>
services.tremor-rs.tremorLibDir

Directory where to find /lib containing tremor script files

Type: path

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/tremor-rs.nix>
services.tremor-rs.troyFileList

List of troy files to load.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/tremor-rs.nix>
services.trezord.enable

Enable Trezor bridge daemon, for use with Trezor hardware bitcoin wallets.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/trezord.nix>
services.trezord.emulator.enable

Enable Trezor emulator support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/trezord.nix>
services.trezord.emulator.port

Listening port for the Trezor emulator.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 21324

Declared by:

<nixpkgs/nixos/modules/services/hardware/trezord.nix>
services.trickster.enable

Enable Trickster.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/trickster.nix>
services.trickster.package

The trickster package to use.

Type: package

Default: pkgs.trickster

Declared by:

<nixpkgs/nixos/modules/services/networking/trickster.nix>
services.trickster.configFile

Path to configuration file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/trickster.nix>
services.trickster.instance-id

Instance ID for when running multiple processes (default null).

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/trickster.nix>
services.trickster.log-level

Level of Logging to use (debug, info, warn, error) (default “info”).

Type: string

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/networking/trickster.nix>
services.trickster.metrics-port

Port that the /metrics endpoint will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8082

Declared by:

<nixpkgs/nixos/modules/services/networking/trickster.nix>
services.trickster.origin-type

Type of origin (prometheus, influxdb)

Type: one of “prometheus”, “influxdb”

Default: "prometheus"

Declared by:

<nixpkgs/nixos/modules/services/networking/trickster.nix>
services.trickster.origin-url

URL to the Origin. Enter it like you would in grafana, e.g., http://prometheus:9090 (default http://prometheus:9090).

Type: string

Default: "http://prometheus:9090"

Declared by:

<nixpkgs/nixos/modules/services/networking/trickster.nix>
services.trickster.profiler-port

Port that the /debug/pprof endpoint will listen on.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/trickster.nix>
services.trickster.proxy-port

Port that the Proxy server will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9090

Declared by:

<nixpkgs/nixos/modules/services/networking/trickster.nix>
services.triggerhappy.enable

Whether to enable the triggerhappy hotkey daemon.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/triggerhappy.nix>
services.triggerhappy.bindings

Key bindings for triggerhappy.

Type: list of (submodule)

Default: [ ]

Example:

[ { keys = ["PLAYPAUSE"];  cmd = "${lib.getExe pkgs.mpc} -q toggle"; } ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/triggerhappy.nix>
services.triggerhappy.bindings.*.cmd

What to run.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/hardware/triggerhappy.nix>
services.triggerhappy.bindings.*.event

Event to match.

Type: one of “press”, “hold”, “release”

Default: "press"

Declared by:

<nixpkgs/nixos/modules/services/hardware/triggerhappy.nix>
services.triggerhappy.bindings.*.keys

List of keys to match. Key names as defined in linux/input-event-codes.h

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/hardware/triggerhappy.nix>
services.triggerhappy.extraConfig

Literal contents to append to the end of triggerhappy configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/hardware/triggerhappy.nix>
services.triggerhappy.user

User account under which triggerhappy runs.

Type: string

Default: "nobody"

Example: "root"

Declared by:

<nixpkgs/nixos/modules/services/hardware/triggerhappy.nix>
services.trilium-server.enable

Whether to enable trilium-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/trilium.nix>
services.trilium-server.dataDir

The directory storing the notes database and the configuration.

Type: string

Default: "/var/lib/trilium"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/trilium.nix>
services.trilium-server.host

The host address to bind to (defaults to localhost).

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/trilium.nix>
services.trilium-server.instanceName

Instance name used to distinguish between different instances

Type: string

Default: "Trilium"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/trilium.nix>
services.trilium-server.nginx

Configuration for nginx reverse proxy.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/trilium.nix>
services.trilium-server.nginx.enable

Configure the nginx reverse proxy settings.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/trilium.nix>
services.trilium-server.nginx.hostName

The hostname use to setup the virtualhost configuration

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/trilium.nix>
services.trilium-server.noAuthentication

If set to true, no password is required to access the web frontend.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/trilium.nix>
services.trilium-server.noBackup

Disable periodic database backups.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/trilium.nix>
services.trilium-server.port

The port number to bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/trilium.nix>
services.tsmBackup.enable

Whether to enable automatic backups with the IBM Storage Protect (Tivoli Storage Manager, TSM) client. This also enables programs.tsmClient.enable .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/tsm.nix>
services.tsmBackup.autoTime

The backup service will be invoked automatically at the given date/time, which must be in the format described in systemd.time(5). The default null disables automatic backups.

Type: null or non-empty string

Default: null

Example: "12:00"

Declared by:

<nixpkgs/nixos/modules/services/backup/tsm.nix>
services.tsmBackup.command

The actual command passed to the dsmc executable to start the backup.

Type: non-empty string

Default: "backup"

Example: "incr"

Declared by:

<nixpkgs/nixos/modules/services/backup/tsm.nix>
services.tsmBackup.servername

Create a systemd system service tsm-backup.service that starts a backup based on the given servername’s stanza. Note that this server’s passwdDir will default to /var/lib/tsm-backup/password (but may be overridden); also, the service will use /var/lib/tsm-backup as HOME when calling dsmc.

Type: non-empty string

Example: "mainTsmServer"

Declared by:

<nixpkgs/nixos/modules/services/backup/tsm.nix>
services.tt-rss.enable

Whether to enable tt-rss.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.enableGZipOutput

Selectively gzip output to improve wire performance. This requires PHP Zlib extension on the server. Enabling this can break tt-rss in several httpd/php configurations, if you experience weird errors and tt-rss failing to start, blank pages after login, or content encoding errors, disable it.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.auth.autoCreate

Allow authentication modules to auto-create users in tt-rss internal database when authenticated successfully.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.auth.autoLogin

Automatically login user on remote or other kind of externally supplied authentication, otherwise redirect to login form as normal. If set to true, users won’t be able to set application language and settings profile.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.database.host

Host of the database. Leave null to use Unix domain socket.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.database.name

Name of the existing database.

Type: string

Default: "tt_rss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.database.password

The database user’s password.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.database.passwordFile

The database user’s password.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.database.port

The database’s port. If not set, the default ports will be provided (5432 and 3306 for pgsql and mysql respectively).

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.database.type

Database to store feeds. Supported are pgsql and mysql.

Type: one of “pgsql”, “mysql”

Default: "pgsql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.database.user

The database user. The user must exist and has access to the specified database.

Type: string

Default: "tt_rss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.email.digestSubject

Subject line for email digests.

Type: string

Default: "[tt-rss] New headlines for last 24 hours"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.email.fromAddress

Address for sending outgoing mail. This applies to password reset notifications, digest emails and any other mail.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.email.fromName

Name for sending outgoing mail. This applies to password reset notifications, digest emails and any other mail.

Type: string

Default: "Tiny Tiny RSS"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.email.login

SMTP authentication login used when sending outgoing mail.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.email.password

SMTP authentication password used when sending outgoing mail.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.email.security

Used to select a secure SMTP connection. Allowed values: ssl, tls, or empty.

Type: one of “”, “ssl”, “tls”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.email.server

Hostname:port combination to send outgoing mail. Blank - use system MTA.

Type: string

Default: ""

Example: "localhost:25"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.extraConfig

Additional lines to append to config.php.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.feedCryptKey

Key used for encryption of passwords for password-protected feeds in the database. A string of 24 random characters. If left blank, encryption is not used. Requires mcrypt functions. Warning: changing this key will make your stored feed passwords impossible to decrypt.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.forceArticlePurge

When this option is not 0, users ability to control feed purging intervals is disabled and all articles (which are not starred) older than this amount of days are purged.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.logDestination

Log destination to use. Possible values: sql (uses internal logging you can read in Preferences -> System), syslog - logs to system log. Setting this to blank uses PHP logging (usually to http server error.log).

Type: one of “”, “sql”, “syslog”

Default: "sql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.phpPackage

php package to use for php fpm and update daemon.

Type: package

Default: "pkgs.php"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.pluginPackages

List of plugins to install. The list elements are expected to be derivations. All elements in this derivation are automatically copied to the plugins.local directory.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.plugins

List of plugins to load automatically for all users. System plugins have to be specified here. Please enable at least one authentication plugin here (auth_*). Users may enable other user plugins from Preferences/Plugins but may not disable plugins specified in this list. Disabling auth_internal in this list would automatically disable reset password link on the login form.

Type: list of string

Default:

[
  "auth_internal"
  "note"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.pool

Name of existing phpfpm pool that is used to run web-application. If not specified a pool will be created automatically with default values.

Type: string

Default: "tt-rss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.pubSubHubbub.enable

Enable client PubSubHubbub support in tt-rss. When disabled, tt-rss won’t try to subscribe to PUSH feed updates.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.pubSubHubbub.hub

URL to a PubSubHubbub-compatible hub server. If defined, “Published articles” generated feed would automatically become PUSH-enabled.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.registration.enable

Allow users to register themselves. Please be aware that allowing random people to access your tt-rss installation is a security risk and potentially might lead to data loss or server exploit. Disabled by default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.registration.maxUsers

Maximum amount of users which will be allowed to register on this system. 0 - no limit.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.registration.notifyAddress

Email address to send new user notifications to.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.root

Root of the application.

Type: path

Default: "/var/lib/tt-rss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.selfUrlPath

Full URL of your tt-rss installation. This should be set to the location of tt-rss directory, e.g. http://example.org/tt-rss/ You need to set this option correctly otherwise several features including PUSH, bookmarklets and browser integration will not work properly.

Type: string

Example: "http://localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.sessionCookieLifetime

Default lifetime of a session (e.g. login) cookie. In seconds, 0 means cookie will be deleted when browser closes.

Type: signed integer

Default: 86400

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.simpleUpdateMode

Enables fallback update mode where tt-rss tries to update feeds in background while tt-rss is open in your browser. If you don’t have a lot of feeds and don’t want to or can’t run background processes while not running tt-rss, this method is generally viable to keep your feeds up to date. Still, there are more robust (and recommended) updating methods available, you can read about them here: https://tt-rss.org/wiki/UpdatingFeeds

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.singleUserMode

Operate in single user mode, disables all functionality related to multiple users and authentication. Enabling this assumes you have your tt-rss directory protected by other means (e.g. http auth).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.sphinx.index

Index names in Sphinx configuration. Example configuration files are available on tt-rss wiki.

Type: list of string

Default:

[
  "ttrss"
  "delta"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.sphinx.server

Hostname:port combination for the Sphinx server.

Type: string

Default: "localhost:9312"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.themePackages

List of themes to install. The list elements are expected to be derivations. All elements in this derivation are automatically copied to the themes.local directory.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.user

User account under which both the update daemon and the web-application run.

Type: string

Default: "tt_rss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tt-rss.virtualHost

Name of the nginx virtualhost to use and setup. If null, do not setup any virtualhost.

Type: null or string

Default: "tt-rss"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/tt-rss.nix>
services.tts.servers

TTS server instances.

Type: attribute set of (submodule)

Default: { }

Example:

{
  english = {
    port = 5300;
    model = "tts_models/en/ljspeech/tacotron2-DDC";
  };
  german = {
    port = 5301;
    model = "tts_models/de/thorsten/tacotron2-DDC";
  };
  dutch = {
    port = 5302;
    model = "tts_models/nl/mai/tacotron2-DDC";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/audio/tts.nix>
services.tts.servers.<name>.enable

Whether to enable Coqui TTS server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/tts.nix>
services.tts.servers.<name>.extraArgs

Extra arguments to pass to the server commandline.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/audio/tts.nix>
services.tts.servers.<name>.model

Name of the model to download and use for speech synthesis.

Check tts-server --list_models for possible values.

Set to null to use a custom model.

Type: null or string

Default: "tts_models/en/ljspeech/tacotron2-DDC"

Example: null

Declared by:

<nixpkgs/nixos/modules/services/audio/tts.nix>
services.tts.servers.<name>.port

Port to bind the TTS server to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Example: 5000

Declared by:

<nixpkgs/nixos/modules/services/audio/tts.nix>
services.tts.servers.<name>.useCuda

Whether to offload computation onto a CUDA compatible GPU.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/tts.nix>
services.ttyd.enable

Whether to enable ttyd daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.enableIPv6

Whether or not to enable IPv6 support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.enableSSL

Whether or not to enable SSL (https) support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.caFile

SSL CA file path for client certificate verification.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.certFile

SSL certificate file path.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.checkOrigin

Whether to allow a websocket connection from a different origin.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.clientOptions

Attribute set of client options for xtermjs. https://xtermjs.org/docs/api/terminal/interfaces/iterminaloptions/

Type: attribute set of string

Default: { }

Example:

{
  fontSize = "16";
  fontFamily = "Fira Code";
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.entrypoint

Which command ttyd runs.

Type: list of string

Default:

[ "${pkgs.shadow}/bin/login" ]

Example:

[ (lib.getExe pkgs.htop) ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.indexFile

Custom index.html path

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.interface

Network interface to bind.

Type: null or string

Default: null

Example: "eth0"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.keyFile

SSL key file path. For insecurely putting the keyFile in the globally readable store use pkgs.writeText "ttydKeyFile" "SSLKEY".

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.logLevel

Set log level.

Type: signed integer

Default: 7

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.maxClients

Maximum clients to support (0, no limit)

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.passwordFile

File containing the password to use for basic http authentication. For insecurely putting the password in the globally readable store use pkgs.writeText "ttydpw" "MyPassword".

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.port

Port to listen on (use 0 for random port)

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 7681

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.signal

Signal to send to the command on session close.

Type: 8 bit unsigned integer; between 0 and 255 (both inclusive)

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.socket

UNIX domain socket path to bind.

Type: null or path

Default: null

Example: "/var/run/ttyd.sock"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.terminalType

Terminal type to report.

Type: string

Default: "xterm-256color"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.user

Which unix user ttyd should run as.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.username

Username for basic http authentication.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.ttyd.writeable

Allow clients to write to the TTY.

Type: null or boolean

Default: null

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/ttyd.nix>
services.tumbler.enable

Whether to enable Tumbler, A D-Bus thumbnailer service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/tumbler.nix>
services.tuptime.enable

Whether to enable the total uptime service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/tuptime.nix>
services.tuptime.timer.enable

Whether to regularly log uptime to detect bad shutdowns.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/tuptime.nix>
services.tuptime.timer.period

systemd calendar event

Type: string

Default: "*:0/5"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/tuptime.nix>
services.turn-rs.enable

Whether to enable turn-rs server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/turn-rs.nix>
services.turn-rs.package

The turn-rs package to use.

Type: package

Default: pkgs.turn-rs

Declared by:

<nixpkgs/nixos/modules/services/misc/turn-rs.nix>
services.turn-rs.secretFile

Environment variables from this file will be interpolated into the final config file using envsubst with this syntax: $ENVIRONMENT or ${VARIABLE}. The file should contain lines formatted as SECRET_VAR=SECRET_VALUE. This is useful to avoid putting secrets into the nix store.

Type: null or path

Default: null

Example: "/run/keys/turn-rs.env"

Declared by:

<nixpkgs/nixos/modules/services/misc/turn-rs.nix>
services.turn-rs.settings

Turn-rs server config file

Type: TOML value

Default: { }

Example:

{
  auth = {
    static_credentials = {
      user1 = "test";
      user2 = "test";
    };
  };
  turn = {
    interfaces = [
      {
        bind = "127.0.0.1:3478";
        external = "127.0.0.1:3478";
        transport = "udp";
      }
      {
        bind = "127.0.0.1:3478";
        external = "127.0.0.1:3478";
        transport = "tcp";
      }
    ];
    realm = "localhost";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/misc/turn-rs.nix>
services.twingate.enable

Whether to enable Twingate Client daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/twingate.nix>
services.twingate.package

The twingate package to use.

Type: package

Default: pkgs.twingate

Declared by:

<nixpkgs/nixos/modules/services/networking/twingate.nix>
services.typesense.enable

Whether to enable typesense.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/search/typesense.nix>
services.typesense.package

The typesense package to use.

Type: package

Default: pkgs.typesense

Declared by:

<nixpkgs/nixos/modules/services/search/typesense.nix>
services.typesense.apiKeyFile

Sets the admin api key for typesense. Always use this option instead of settings.server.api-key to prevent the key from being written to the world-readable nix store.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/search/typesense.nix>
services.typesense.settings

Typesense configuration. Refer to the documentation for supported values.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a non-empty list of them)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/search/typesense.nix>
services.typesense.settings.server.api-address

Address to which Typesense API service binds.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/search/typesense.nix>
services.typesense.settings.server.api-port

Port on which the Typesense API service listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8108

Declared by:

<nixpkgs/nixos/modules/services/search/typesense.nix>
services.typesense.settings.server.data-dir

Path to the directory where data will be stored on disk.

Type: string

Default: "/var/lib/typesense"

Declared by:

<nixpkgs/nixos/modules/services/search/typesense.nix>
services.tzupdate.enable

Enable the tzupdate timezone updating service. This provides a one-shot service which can be activated with systemctl to update the timezone.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/tzupdate.nix>
services.u9fs.enable

Whether to run the u9fs 9P server for Unix.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/u9fs.nix>
services.u9fs.extraArgs

Extra arguments to pass on invocation, see man 4 u9fs

Type: string

Default: ""

Example: "-a none"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/u9fs.nix>
services.u9fs.listenStreams

Sockets to listen for clients on. See man 5 systemd.socket for socket syntax.

Type: list of string

Default:

[
  "564"
]

Example:

[
  "192.168.16.1:564"
]

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/u9fs.nix>
services.u9fs.user

User to run u9fs under.

Type: string

Default: "nobody"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/u9fs.nix>
services.udev.enable

Whether to enable udev, a device manager for the Linux kernel.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
services.udev.packages

List of packages containing udev rules. All files found in «pkg»/etc/udev/rules.d and «pkg»/lib/udev/rules.d will be included.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
services.udev.extraHwdb

Additional hwdb files. They’ll be written into file 99-local.hwdb. Thus they are read after all other files.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  evdev:input:b0003v05AFp8277*
    KEYBOARD_KEY_70039=leftalt
    KEYBOARD_KEY_700e2=leftctrl
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
services.udev.extraRules

Additional udev rules. They’ll be written into file 99-local.rules. Thus they are read and applied after all other rules.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  ENV{ID_VENDOR_ID}=="046d", ENV{ID_MODEL_ID}=="0825", ENV{PULSE_IGNORE}="1"
''

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
services.udev.path

Packages added to the PATH environment variable when executing programs from Udev rules.

coreutils, gnu{sed,grep}, util-linux and config.systemd.package are automatically included.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/udev.nix>
services.udisks2.enable

Whether to enable udisks2, a DBus service that allows applications to query and manipulate storage devices.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/udisks2.nix>
services.udisks2.package

The udisks2 package to use.

Type: package

Default: pkgs.udisks2

Declared by:

<nixpkgs/nixos/modules/services/hardware/udisks2.nix>
services.udisks2.mountOnMedia

When enabled, instructs udisks2 to mount removable drives under /media/ directory, instead of the default, ACL-controlled /run/media/$USER/. Since /media/ is not mounted as tmpfs by default, it requires cleanup to get rid of stale mountpoints; enabling this option will take care of this at boot.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/udisks2.nix>
services.udisks2.settings

Options passed to udisksd. See here and drive configuration in here for supported options.

Type: attribute set of attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a non-empty list of them)

Default:

{
  "udisks2.conf" = {
    defaults = {
      encryption = "luks2";
    };
    udisks2 = {
      modules = [
        "*"
      ];
      modules_load_preference = "ondemand";
    };
  };
}

Example:

{
  "WDC-WD10EZEX-60M2NA0-WD-WCC3F3SJ0698.conf" = {
    ATA = {
      StandbyTimeout = 50;
    };
  };
};

Declared by:

<nixpkgs/nixos/modules/services/hardware/udisks2.nix>
services.uhub

Uhub ADC hub instances

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/misc/uhub.nix>
services.uhub.<name>.enable

Whether to enable hub instance.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/uhub.nix>
services.uhub.<name>.enableTLS

Whether to enable TLS support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/uhub.nix>
services.uhub.<name>.plugins

Uhub plugin configuration.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/misc/uhub.nix>
services.uhub.<name>.plugins.*.plugin

Path to plugin file.

Type: path

Example: $${pkgs.uhub}/plugins/mod_auth_sqlite.so

Declared by:

<nixpkgs/nixos/modules/services/misc/uhub.nix>
services.uhub.<name>.plugins.*.settings

Settings specific to this plugin.

Type: attribute set of string

Example:

{
  file = "/etc/uhub/users.db";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/uhub.nix>
services.uhub.<name>.settings

Configuration of uhub. See https://www.uhub.org/doc/config.php for a list of options.

Type: attribute set of (boolean or signed integer or string)

Default: { }

Example:

{
  hub_description = "Yet another ADC hub";
  hub_name = "My Public Hub";
  max_users = 150;
  server_bind_addr = "any";
  server_port = 1511;
}

Declared by:

<nixpkgs/nixos/modules/services/misc/uhub.nix>
services.ulogd.enable

Whether to enable ulogd, a userspace logging daemon for netfilter/iptables related logging.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/ulogd.nix>
services.ulogd.logLevel

Log level (1 = debug, 3 = info, 5 = notice, 7 = error, 8 = fatal)

Type: one of 1, 3, 5, 7, 8

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/logging/ulogd.nix>
services.ulogd.settings

Configuration for ulogd. See /share/doc/ulogd/ in pkgs.ulogd.doc.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a list of them for duplicate keys)

Default: { }

Example:

{
  emu1 = {
    file = "/var/log/ulogd_pkts.log";
    sync = 1;
  };
  global = {
    stack = [
      "log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU"
      "log1:NFLOG,base1:BASE,pcap1:PCAP"
    ];
  };
  log1 = {
    group = 2;
  };
  pcap1 = {
    file = "/var/log/ulogd.pcap";
    sync = 1;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/logging/ulogd.nix>
services.unbound.enable

Whether to enable Unbound domain name server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/unbound.nix>
services.unbound.enableRootTrustAnchor

Use and update root trust anchor for DNSSEC validation.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/unbound.nix>
services.unbound.package

The unbound-with-systemd package to use.

Type: package

Default: pkgs.unbound-with-systemd

Declared by:

<nixpkgs/nixos/modules/services/networking/unbound.nix>
services.unbound.checkconf

Whether to check the resulting config file with unbound checkconf for syntax errors.

If settings.include is used, this options is disabled, as the import can likely not be accessed at build time. If settings.remote-control is used, this option is disabled, too as the control-key-file, server-cert-file and server-key-file cannot be accessed at build time.

Type: boolean

Default: "!services.unbound.settings ? include && !services.unbound.settings ? remote-control"

Declared by:

<nixpkgs/nixos/modules/services/networking/unbound.nix>
services.unbound.group

Group under which unbound runs.

Type: string

Default: "unbound"

Declared by:

<nixpkgs/nixos/modules/services/networking/unbound.nix>
services.unbound.localControlSocketPath

When not set to null this option defines the path at which the unbound remote control socket should be created at. The socket will be owned by the unbound user (unbound) and group will be nogroup.

Users that should be permitted to access the socket must be in the config.services.unbound.group group.

If this option is null remote control will not be enabled. Unbounds default values apply.

Type: null or string

Default: null

Example: "/run/unbound/unbound.ctl"

Declared by:

<nixpkgs/nixos/modules/services/networking/unbound.nix>
services.unbound.resolveLocalQueries

Whether unbound should resolve local queries (i.e. add 127.0.0.1 to /etc/resolv.conf).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/unbound.nix>
services.unbound.settings

Declarative Unbound configuration See the unbound.conf(5) manpage for a list of available options.

Type: unbound.conf configuration type. The format consist of an attribute set of settings. Each settings can be either one value, a list of values or an attribute set. The allowed values are integers, strings, booleans or floats.

Default: { }

Example:

{
  server = {
    interface = [ "127.0.0.1" ];
  };
  forward-zone = [
    {
      name = ".";
      forward-addr = "1.1.1.1@853#cloudflare-dns.com";
    }
    {
      name = "example.org.";
      forward-addr = [
        "1.1.1.1@853#cloudflare-dns.com"
        "1.0.0.1@853#cloudflare-dns.com"
      ];
    }
  ];
  remote-control.control-enable = true;
};

Declared by:

<nixpkgs/nixos/modules/services/networking/unbound.nix>
services.unbound.stateDir

Directory holding all state for unbound to run.

Type: path

Default: "/var/lib/unbound"

Declared by:

<nixpkgs/nixos/modules/services/networking/unbound.nix>
services.unbound.user

User account under which unbound runs.

Type: string

Default: "unbound"

Declared by:

<nixpkgs/nixos/modules/services/networking/unbound.nix>
services.unclutter.enable

Enable unclutter to hide your mouse cursor when inactive

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/unclutter.nix>
services.unclutter.package

The unclutter package to use.

Type: package

Default: pkgs.unclutter

Declared by:

<nixpkgs/nixos/modules/services/x11/unclutter.nix>
services.unclutter.excluded

Names of windows where unclutter should not apply

Type: list of string

Default: [ ]

Example:

[
  ""
]

Declared by:

<nixpkgs/nixos/modules/services/x11/unclutter.nix>
services.unclutter.extraOptions

More arguments to pass to the unclutter command

Type: list of string

Default: [ ]

Example:

[
  "noevent"
  "grab"
]

Declared by:

<nixpkgs/nixos/modules/services/x11/unclutter.nix>
services.unclutter.keystroke

Wait for a keystroke before hiding the cursor

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/unclutter.nix>
services.unclutter.threshold

Minimum number of pixels considered cursor movement

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/x11/unclutter.nix>
services.unclutter.timeout

Number of seconds before the cursor is marked inactive

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/x11/unclutter.nix>
services.unclutter-xfixes.enable

Enable unclutter-xfixes to hide your mouse cursor when inactive.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/unclutter-xfixes.nix>
services.unclutter-xfixes.package

The unclutter-xfixes package to use.

Type: package

Default: pkgs.unclutter-xfixes

Declared by:

<nixpkgs/nixos/modules/services/x11/unclutter-xfixes.nix>
services.unclutter-xfixes.extraOptions

More arguments to pass to the unclutter-xfixes command.

Type: list of string

Default: [ ]

Example:

[
  "exclude-root"
  "ignore-scrolling"
  "fork"
]

Declared by:

<nixpkgs/nixos/modules/services/x11/unclutter-xfixes.nix>
services.unclutter-xfixes.threshold

Minimum number of pixels considered cursor movement.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/x11/unclutter-xfixes.nix>
services.unclutter-xfixes.timeout

Number of seconds before the cursor is marked inactive.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/x11/unclutter-xfixes.nix>
services.undervolt.enable

Whether to enable Undervolting service for Intel CPUs.

Warning: This service is not endorsed by Intel and may permanently damage your hardware. Use at your own risk .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.package

The undervolt package to use.

Type: package

Default: pkgs.undervolt

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.analogioOffset

The amount of voltage in mV to offset analogio by.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.coreOffset

The amount of voltage in mV to offset the CPU cores by.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.gpuOffset

The amount of voltage in mV to offset the GPU by.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.p1.limit

The P1 Power Limit in Watts. Both limit and window must be set.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.p1.window

The P1 Time Window in seconds. Both limit and window must be set.

Type: null or floating point number or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.p2.limit

The P2 Power Limit in Watts. Both limit and window must be set.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.p2.window

The P2 Time Window in seconds. Both limit and window must be set.

Type: null or floating point number or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.temp

The temperature target in Celsius degrees.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.tempAc

The temperature target on AC power in Celsius degrees.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.tempBat

The temperature target on battery power in Celsius degrees.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.turbo

Changes the Intel Turbo feature status (1 is disabled and 0 is enabled).

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.uncoreOffset

The amount of voltage in mV to offset uncore by.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.useTimer

Whether to set a timer that applies the undervolt settings every 30s. This will cause spam in the journal but might be required for some hardware under specific conditions. Enable this if your undervolt settings don’t hold.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.undervolt.verbose

Whether to enable verbose logging.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/undervolt.nix>
services.unifi.enable

Whether or not to enable the unifi controller service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/unifi.nix>
services.unifi.extraJvmOptions

Set extra options to pass to the JVM.

Type: list of string

Default: [ ]

Example: ["-Xlog:gc"]

Declared by:

<nixpkgs/nixos/modules/services/networking/unifi.nix>
services.unifi.initialJavaHeapSize

Set the initial heap size for the JVM in MB. If this option isn’t set, the JVM will decide this value at runtime.

Type: null or signed integer

Default: null

Example: 1024

Declared by:

<nixpkgs/nixos/modules/services/networking/unifi.nix>
services.unifi.jrePackage

The jdk package to use. Check the UniFi controller release notes to ensure it is supported.

Type: package

Default: pkgs.jdk17_headless

Declared by:

<nixpkgs/nixos/modules/services/networking/unifi.nix>
services.unifi.maximumJavaHeapSize

Set the maximum heap size for the JVM in MB. If this option isn’t set, the JVM will decide this value at runtime.

Type: null or signed integer

Default: null

Example: 4096

Declared by:

<nixpkgs/nixos/modules/services/networking/unifi.nix>
services.unifi.mongodbPackage

The mongodb package to use.

Type: package

Default: pkgs.mongodb-7_0

Declared by:

<nixpkgs/nixos/modules/services/networking/unifi.nix>
services.unifi.openFirewall

Whether or not to open the minimum required ports on the firewall.

This is necessary to allow firmware upgrades and device discovery to work. For remote login, you should additionally open (or forward) port 8443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/unifi.nix>
services.unifi.unifiPackage

The unifi package to use.

Type: package

Default: pkgs.unifi8

Declared by:

<nixpkgs/nixos/modules/services/networking/unifi.nix>
services.unit.enable

Whether to enable Unit App Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/unit/default.nix>
services.unit.package

The unit package to use.

Type: package

Default: pkgs.unit

Declared by:

<nixpkgs/nixos/modules/services/web-servers/unit/default.nix>
services.unit.config

Unit configuration in JSON format. More details here https://unit.nginx.org/configuration

Type: string

Default:

''
  {
    "listeners": {},
    "applications": {}
  }
''

Example:

''
  {
    "listeners": {
      "*:8300": {
        "application": "example-php-72"
      }
    },
    "applications": {
      "example-php-72": {
        "type": "php 7.2",
        "processes": 4,
        "user": "nginx",
        "group": "nginx",
        "root": "/var/www",
        "index": "index.php",
        "options": {
          "file": "/etc/php.d/default.ini",
          "admin": {
            "max_execution_time": "30",
            "max_input_time": "30",
            "display_errors": "off",
            "display_startup_errors": "off",
            "open_basedir": "/dev/urandom:/proc/cpuinfo:/proc/meminfo:/etc/ssl/certs:/var/www",
            "disable_functions": "exec,passthru,shell_exec,system"
          }
        }
      }
    }
  }
''

Declared by:

<nixpkgs/nixos/modules/services/web-servers/unit/default.nix>
services.unit.group

Group account under which unit runs.

Type: string

Default: "unit"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/unit/default.nix>
services.unit.logDir

Unit log directory.

Type: path

Default: "/var/log/unit"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/unit/default.nix>
services.unit.stateDir

Unit data directory.

Type: path

Default: "/var/spool/unit"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/unit/default.nix>
services.unit.user

User account under which unit runs.

Type: string

Default: "unit"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/unit/default.nix>
services.unpoller.enable

Whether to enable unpoller.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.influxdb.db

Database name. Database should exist.

Type: string

Default: "unifi"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.influxdb.disable

Whether to disable the influxdb output plugin.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.influxdb.interval

Setting this lower than the Unifi controller’s refresh interval may lead to zeroes in your database.

Type: string

Default: "30s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.influxdb.pass

Path of a file containing the password for influxdb. This file needs to be readable by the unifi-poller user.

Type: path

Default: unpoller-influxdb-default.password

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.influxdb.url

URL of the influxdb host.

Type: string

Default: "http://127.0.0.1:8086"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.influxdb.user

Username for the influxdb.

Type: string

Default: "unifipoller"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.influxdb.verify_ssl

Verify the influxdb’s certificate.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.loki.interval

How often the events are polled and pushed to Loki.

Type: string

Default: "2m"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.loki.pass

Path of a file containing the password for Loki. This file needs to be readable by the unifi-poller user.

Type: path

Default: "unpoller-influxdb-default.password"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.loki.tenant_id

Tenant ID to use in Loki.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.loki.timeout

Should be increased in case of timeout errors.

Type: string

Default: "10s"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.loki.url

URL of the Loki host.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.loki.user

Username for Loki.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.loki.verify_ssl

Verify Loki’s certificate.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.poller.debug

Turns on line numbers, microsecond logging, and a per-device log. This may be noisy if you have a lot of devices. It adds one line per device.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.poller.plugins

Load additional plugins.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.poller.quiet

Turns off per-interval logs. Only startup and error logs will be emitted.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.prometheus.disable

Whether to disable the prometheus output plugin.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.prometheus.http_listen

Bind the prometheus exporter to this IP or hostname.

Type: string

Default: "[::]:9130"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.prometheus.report_errors

Whether to report errors.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.controllers

List of Unifi controllers to poll. Use defaults if empty.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.controllers.*.hash_pii

Hash, with md5, client names and MAC addresses. This attempts to protect personally identifiable information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.controllers.*.pass

Path of a file containing the password for the unifi service user. This file needs to be readable by the unifi-poller user.

Type: path

Default: unpoller-unifi-default.password

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.controllers.*.save_alarms

Collect and save data from UniFi alarms to influxdb and Loki.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.controllers.*.save_anomalies

Collect and save data from UniFi anomalies to influxdb and Loki.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.controllers.*.save_dpi

Collect and save data from deep packet inspection. Adds around 150 data points and impacts performance.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.controllers.*.save_events

Collect and save data from UniFi events to influxdb and Loki.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.controllers.*.save_ids

Collect and save data from the intrusion detection system to influxdb and Loki.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.controllers.*.save_sites

Collect and save site data.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.controllers.*.sites

List of site names for which statistics should be exported. Or the string “default” for the default site or the string “all” for all sites.

Type: one of “default”, “all” or list of string

Default: "all"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.controllers.*.url

URL of the Unifi controller.

Type: string

Default: "https://unifi:8443"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.controllers.*.user

Unifi service user name.

Type: string

Default: "unifi"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.controllers.*.verify_ssl

Verify the Unifi controller’s certificate.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.defaults.hash_pii

Hash, with md5, client names and MAC addresses. This attempts to protect personally identifiable information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.defaults.pass

Path of a file containing the password for the unifi service user. This file needs to be readable by the unifi-poller user.

Type: path

Default: unpoller-unifi-default.password

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.defaults.save_alarms

Collect and save data from UniFi alarms to influxdb and Loki.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.defaults.save_anomalies

Collect and save data from UniFi anomalies to influxdb and Loki.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.defaults.save_dpi

Collect and save data from deep packet inspection. Adds around 150 data points and impacts performance.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.defaults.save_events

Collect and save data from UniFi events to influxdb and Loki.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.defaults.save_ids

Collect and save data from the intrusion detection system to influxdb and Loki.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.defaults.save_sites

Collect and save site data.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.defaults.sites

List of site names for which statistics should be exported. Or the string “default” for the default site or the string “all” for all sites.

Type: one of “default”, “all” or list of string

Default: "all"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.defaults.url

URL of the Unifi controller.

Type: string

Default: "https://unifi:8443"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.defaults.user

Unifi service user name.

Type: string

Default: "unifi"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.defaults.verify_ssl

Verify the Unifi controller’s certificate.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.unpoller.unifi.dynamic

Let prometheus select which controller to poll when scraping. Use with default credentials. See unifi-poller wiki for more.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/unpoller.nix>
services.upower.enable

Whether to enable Upower, a DBus service that provides power management support to applications.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/upower.nix>
services.upower.enableWattsUpPro

Enable the Watts Up Pro device.

The Watts Up Pro contains a generic FTDI USB device without a specific vendor and product ID. When we probe for WUP devices, we can cause the user to get a perplexing “Device or resource busy” error when attempting to use their non-WUP device.

The generic FTDI device is known to also be used on:

  • Sparkfun FT232 breakout board

  • Parallax Propeller

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/upower.nix>
services.upower.package

The upower package to use.

Type: package

Default: pkgs.upower

Declared by:

<nixpkgs/nixos/modules/services/hardware/upower.nix>
services.upower.criticalPowerAction

The action to take when timeAction or percentageAction has been reached for the batteries (UPS or laptop batteries) supplying the computer

Type: one of “PowerOff”, “Hibernate”, “HybridSleep”

Default: "HybridSleep"

Declared by:

<nixpkgs/nixos/modules/services/hardware/upower.nix>
services.upower.ignoreLid

Do we ignore the lid state

Some laptops are broken. The lid state is either inverted, or stuck on or off. We can’t do much to fix these problems, but this is a way for users to make the laptop panel vanish, a state that might be used by a couple of user-space daemons. On Linux systems, see also logind.conf(5).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/upower.nix>
services.upower.noPollBatteries

Don’t poll the kernel for battery level changes.

Some hardware will send us battery level changes through events, rather than us having to poll for it. This option allows disabling polling for hardware that sends out events.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/upower.nix>
services.upower.percentageAction

When usePercentageForPolicy is true, the levels at which UPower will take action for the critical battery level.

This will also be used for batteries which don’t have time information such as that of peripherals.

If any value (of percentageLow, percentageCritical and percentageAction) is invalid, or not in descending order, the defaults will be used.

Type: unsigned integer, meaning >=0

Default: 2

Declared by:

<nixpkgs/nixos/modules/services/hardware/upower.nix>
services.upower.percentageCritical

When usePercentageForPolicy is true, the levels at which UPower will consider the battery critical.

This will also be used for batteries which don’t have time information such as that of peripherals.

If any value (of percentageLow, percentageCritical and percentageAction) is invalid, or not in descending order, the defaults will be used.

Type: unsigned integer, meaning >=0

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/hardware/upower.nix>
services.upower.percentageLow

When usePercentageForPolicy is true, the levels at which UPower will consider the battery low.

This will also be used for batteries which don’t have time information such as that of peripherals.

If any value (of percentageLow, percentageCritical and percentageAction) is invalid, or not in descending order, the defaults will be used.

Type: unsigned integer, meaning >=0

Default: 20

Declared by:

<nixpkgs/nixos/modules/services/hardware/upower.nix>
services.upower.timeAction

When usePercentageForPolicy is false, the time remaining in seconds at which UPower will take action for the critical battery level.

If any value (of timeLow, timeCritical and timeAction) is invalid, or not in descending order, the defaults will be used.

Type: unsigned integer, meaning >=0

Default: 120

Declared by:

<nixpkgs/nixos/modules/services/hardware/upower.nix>
services.upower.timeCritical

When usePercentageForPolicy is false, the time remaining in seconds at which UPower will consider the battery critical.

If any value (of timeLow, timeCritical and timeAction) is invalid, or not in descending order, the defaults will be used.

Type: unsigned integer, meaning >=0

Default: 300

Declared by:

<nixpkgs/nixos/modules/services/hardware/upower.nix>
services.upower.timeLow

When usePercentageForPolicy is false, the time remaining in seconds at which UPower will consider the battery low.

If any value (of timeLow, timeCritical and timeAction) is invalid, or not in descending order, the defaults will be used.

Type: unsigned integer, meaning >=0

Default: 1200

Declared by:

<nixpkgs/nixos/modules/services/hardware/upower.nix>
services.upower.usePercentageForPolicy

Policy for warnings and action based on battery levels

Whether battery percentage based policy should be used. The default is to use the percentage, which should work around broken firmwares. It is also more reliable than the time left (frantically saving all your files is going to use more battery than letting it rest for example).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/upower.nix>
services.uptermd.enable

Whether to enable uptermd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/uptermd.nix>
services.uptermd.extraFlags

Extra flags passed to the uptermd command.

Type: list of string

Default: [ ]

Example:

[
  "--debug"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/uptermd.nix>
services.uptermd.hostKey

Path to SSH host key. If not defined, an ed25519 keypair is generated automatically.

Type: null or path

Default: null

Example: "/run/keys/upterm_host_ed25519_key"

Declared by:

<nixpkgs/nixos/modules/services/networking/uptermd.nix>
services.uptermd.listenAddress

Address the server will listen on.

Type: string

Default: "[::]"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/uptermd.nix>
services.uptermd.openFirewall

Whether to open the firewall for the port in services.uptermd.port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/uptermd.nix>
services.uptermd.port

Port the server will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2222

Declared by:

<nixpkgs/nixos/modules/services/networking/uptermd.nix>
services.uptime.enableSeparateMonitoringService

Whether to enable the uptime monitoring service.

Type: boolean

Default: config.services.uptime.enableWebService

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/uptime.nix>
services.uptime.enableWebService

Whether to enable the uptime monitoring program web service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/uptime.nix>
services.uptime.configFile

The uptime configuration file

If mongodb: server != localhost, please set usesRemoteMongo = true

If you only want to run the monitor, please set enableWebService = false and enableSeparateMonitoringService = true

If autoStartMonitor: false (recommended) and you want to run both services, please set enableSeparateMonitoringService = true

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/uptime.nix>
services.uptime.nodeEnv

The node environment to run in (development, production, etc.)

Type: string

Default: "production"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/uptime.nix>
services.uptime.usesRemoteMongo

Whether the configuration file specifies a remote mongo instance

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/uptime.nix>
services.uptime-kuma.enable

Whether to enable Uptime Kuma, this assumes a reverse proxy to be set.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/uptime-kuma.nix>
services.uptime-kuma.package

The uptime-kuma package to use.

Type: package

Default: pkgs.uptime-kuma

Declared by:

<nixpkgs/nixos/modules/services/monitoring/uptime-kuma.nix>
services.uptime-kuma.appriseSupport

Whether to enable apprise support for notifications.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/uptime-kuma.nix>
services.uptime-kuma.settings

Additional configuration for Uptime Kuma, see https://github.com/louislam/uptime-kuma/wiki/Environment-Variables for supported values.

Type: attribute set of string

Default: { }

Example:

{
  NODE_EXTRA_CA_CERTS = "/etc/ssl/certs/ca-certificates.crt";
  PORT = "4000";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/uptime-kuma.nix>
services.uptimed.enable

Enable uptimed, allowing you to track your highest uptimes.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/system/uptimed.nix>
services.urserver.enable

Whether to enable urserver.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/urserver.nix>
services.urxvtd.enable

Enable urxvtd, the urxvt terminal daemon. To use urxvtd, run “urxvtc”.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/urxvtd.nix>
services.urxvtd.package

The rxvt-unicode package to use.

Type: package

Default: pkgs.rxvt-unicode

Declared by:

<nixpkgs/nixos/modules/services/x11/urxvtd.nix>
services.usbguard.enable

Whether to enable USBGuard daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/usbguard.nix>
services.usbguard.package

The usbguard package to use. If you do not need the Qt GUI, use pkgs.usbguard-nox to save disk space.

Type: package

Default: pkgs.usbguard

Declared by:

<nixpkgs/nixos/modules/services/security/usbguard.nix>
services.usbguard.IPCAllowedGroups

A list of groupnames that the daemon will accept IPC connections from.

Type: list of string

Default: [ ]

Example:

[
  "wheel"
]

Declared by:

<nixpkgs/nixos/modules/services/security/usbguard.nix>
services.usbguard.IPCAllowedUsers

A list of usernames that the daemon will accept IPC connections from.

Type: list of string

Default:

[
  "root"
]

Example:

[
  "root"
  "yourusername"
]

Declared by:

<nixpkgs/nixos/modules/services/security/usbguard.nix>
services.usbguard.dbus.enable

Whether to enable USBGuard dbus daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/usbguard.nix>
services.usbguard.deviceRulesWithPort

Generate device specific rules including the “via-port” attribute.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/usbguard.nix>
services.usbguard.implicitPolicyTarget

How to treat USB devices that don’t match any rule in the policy. Target should be one of allow, block or reject (logically remove the device node from the system).

Type: one of “allow”, “block”, “reject”

Default: "block"

Declared by:

<nixpkgs/nixos/modules/services/security/usbguard.nix>
services.usbguard.insertedDevicePolicy

How to treat USB devices that are already connected after the daemon starts. One of block, reject, apply-policy.

Type: one of “block”, “reject”, “apply-policy”

Default: "apply-policy"

Declared by:

<nixpkgs/nixos/modules/services/security/usbguard.nix>
services.usbguard.presentControllerPolicy

How to treat USB controller devices that are already connected when the daemon starts. One of allow, block, reject, keep or apply-policy.

Type: one of “allow”, “block”, “reject”, “keep”, “apply-policy”

Default: "keep"

Declared by:

<nixpkgs/nixos/modules/services/security/usbguard.nix>
services.usbguard.presentDevicePolicy

How to treat USB devices that are already connected when the daemon starts. Policy should be one of allow, block, reject, keep (keep whatever state the device is currently in) or apply-policy (evaluate the rule set for every present device).

Type: one of “allow”, “block”, “reject”, “keep”, “apply-policy”

Default: "apply-policy"

Declared by:

<nixpkgs/nixos/modules/services/security/usbguard.nix>
services.usbguard.restoreControllerDeviceState

The USBGuard daemon modifies some attributes of controller devices like the default authorization state of new child device instances. Using this setting, you can control whether the daemon will try to restore the attribute values to the state before modification on shutdown.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/usbguard.nix>
services.usbguard.ruleFile

This tells the USBGuard daemon which file to load as policy rule set.

The file can be changed manually or via the IPC interface assuming it has the right file permissions.

For more details see usbguard-rules.conf(5).

Type: null or path

Default: "/var/lib/usbguard/rules.conf"

Example: "/run/secrets/usbguard-rules"

Declared by:

<nixpkgs/nixos/modules/services/security/usbguard.nix>
services.usbguard.rules

The USBGuard daemon will load this as the policy rule set. As these rules are NixOS managed they are immutable and can’t be changed by the IPC interface.

If you do not set this option, the USBGuard daemon will load it’s policy rule set from the option configured in services.usbguard.ruleFile.

Running usbguard generate-policy as root will generate a config for your currently plugged in devices.

For more details see usbguard-rules.conf(5).

Type: null or strings concatenated with “\n”

Default: null

Example:

''
  allow with-interface equals { 08:*:* }
''

Declared by:

<nixpkgs/nixos/modules/services/security/usbguard.nix>
services.usbmuxd.enable

Enable the usbmuxd (“USB multiplexing daemon”) service. This daemon is in charge of multiplexing connections over USB to an iOS device. This is needed for transferring data from and to iOS devices (see ifuse). Also this may enable plug-n-play tethering for iPhones.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/hardware/usbmuxd.nix>
services.usbmuxd.package

Which package to use for the usbmuxd daemon.

Type: package

Default: pkgs.usbmuxd

Related packages:

Declared by:

<nixpkgs/nixos/modules/services/hardware/usbmuxd.nix>
services.usbmuxd.group

The group usbmuxd should use to run after startup.

Type: string

Default: "usbmux"

Declared by:

<nixpkgs/nixos/modules/services/hardware/usbmuxd.nix>
services.usbmuxd.user

The user usbmuxd should use to run after startup.

Type: string

Default: "usbmux"

Declared by:

<nixpkgs/nixos/modules/services/hardware/usbmuxd.nix>
services.usbrelayd.enable

Whether to enable USB Relay MQTT daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/usbrelayd.nix>
services.usbrelayd.broker

Hostname or IP address of your MQTT Broker.

Type: string

Default: "127.0.0.1"

Example:

[
  "mqtt"
  "192.168.1.1"
]

Declared by:

<nixpkgs/nixos/modules/services/hardware/usbrelayd.nix>
services.usbrelayd.clientName

Name, your client connects as.

Type: string

Default: "MyUSBRelay"

Declared by:

<nixpkgs/nixos/modules/services/hardware/usbrelayd.nix>
services.userborn.enable

Whether to enable userborn.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/system/userborn.nix>
services.userborn.package

The userborn package to use.

Type: package

Default: pkgs.userborn

Declared by:

<nixpkgs/nixos/modules/services/system/userborn.nix>
services.userborn.passwordFilesLocation

The location of the original password files.

If this is not /etc, the files are symlinked from this location to /etc.

The primary motivation for this is an immutable /etc, where we cannot write the files directly to /etc.

However this an also serve other use cases, e.g. when /etc is on a tmpfs.

Type: string

Default: if immutableEtc then "/var/lib/nixos" else "/etc"

Declared by:

<nixpkgs/nixos/modules/services/system/userborn.nix>
services.userdbd.enable

Whether to enable the systemd JSON user/group record lookup service .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/userdbd.nix>
services.uvcvideo.dynctrl.enable

Whether to enable uvcvideo dynamic controls.

Note that enabling this brings the uvcdynctrl tool into your environment and register all dynamic controls from specified packages to the uvcvideo driver.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/hardware/video/uvcvideo/default.nix>
services.uvcvideo.dynctrl.packages

List of packages containing uvcvideo dynamic controls rules. All files found in «pkg»/share/uvcdynctrl/data will be included.

Note that these will serve as input to the libwebcam package which through its own udev rule will register the dynamic controls from specified packages to the uvcvideo driver.

Type: list of path

Example: [ pkgs.tiscamera ]

Declared by:

<nixpkgs/nixos/modules/hardware/video/uvcvideo/default.nix>
services.uwsgi.enable

Enable uWSGI

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-servers/uwsgi.nix>
services.uwsgi.capabilities

Grant capabilities to the uWSGI instance. See the capabilities(7) for available values.

Note

uWSGI runs as an unprivileged user (even as Emperor) with the minimal capabilities required. This option can be used to add fine-grained permissions without running the service as root.

When in Emperor mode, any capability to be inherited by a vassal must be specified again in the vassal configuration using cap. See the uWSGI docs for more information.

Type: list of string

Default: [ ]

Example:

[
  "CAP_NET_BIND_SERVICE" # bind on ports <1024
  "CAP_NET_RAW"          # open raw sockets
]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/uwsgi.nix>
services.uwsgi.group

Group account under which uWSGI runs.

Type: string

Default: "uwsgi"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/uwsgi.nix>
services.uwsgi.instance

uWSGI configuration. It awaits an attribute type inside which can be either normal or emperor.

For normal mode you can specify pythonPackages as a function from libraries set into a list of libraries. pythonpath will be set accordingly.

For emperor mode, you should use vassals attribute which should be either a set of names and configurations or a path to a directory.

Other attributes will be used in configuration file as-is. Notice that you can redefine plugins setting here.

Type: Json value or lambda

Default:

{
  type = "normal";
}

Example:

{
  type = "emperor";
  vassals = {
    moin = {
      type = "normal";
      pythonPackages = self: with self; [ moinmoin ];
      socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-servers/uwsgi.nix>
services.uwsgi.plugins

Plugins used with uWSGI

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/uwsgi.nix>
services.uwsgi.runDir

Where uWSGI communication sockets can live

Type: path

Default: "/run/uwsgi"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/uwsgi.nix>
services.uwsgi.user

User account under which uWSGI runs.

Type: string

Default: "uwsgi"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/uwsgi.nix>
services.v2ray.enable

Whether to run v2ray server.

Either configFile or config must be specified.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/v2ray.nix>
services.v2ray.package

The v2ray package to use.

Type: package

Default: pkgs.v2ray

Declared by:

<nixpkgs/nixos/modules/services/networking/v2ray.nix>
services.v2ray.config

The configuration object.

Either configFile or config must be specified.

See https://www.v2fly.org/en_US/v5/config/overview.html.

Type: null or JSON value

Default: null

Example:

{
  inbounds = [
    {
      listen = "127.0.0.1";
      port = 1080;
      protocol = "http";
    }
  ];
  outbounds = [
    {
      protocol = "freedom";
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/networking/v2ray.nix>
services.v2ray.configFile

The absolute path to the configuration file.

Either configFile or config must be specified.

See https://www.v2fly.org/en_US/v5/config/overview.html.

Type: null or string

Default: null

Example: "/etc/v2ray/config.json"

Declared by:

<nixpkgs/nixos/modules/services/networking/v2ray.nix>
services.v2raya.enable

Whether to enable the v2rayA service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/v2raya.nix>
services.v2raya.package

The v2raya package to use.

Type: package

Default: pkgs.v2raya

Declared by:

<nixpkgs/nixos/modules/services/networking/v2raya.nix>
services.v2raya.cliPackage

The v2ray package to use. This is the package used for overriding the value of the v2ray attribute in the package set by services.v2raya.package.

Type: package

Default: pkgs.v2ray

Example: pkgs.xray

Declared by:

<nixpkgs/nixos/modules/services/networking/v2raya.nix>
services.v4l2-relayd.instances

v4l2-relayd instances to be created.

Type: attribute set of (submodule)

Default: { }

Example:

{
  example = {
    cardLabel = "Example card";
    input.pipeline = "videotestsrc";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/video/v4l2-relayd.nix>
services.v4l2-relayd.instances.<name>.enable

Whether to enable this v4l2-relayd instance.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/v4l2-relayd.nix>
services.v4l2-relayd.instances.<name>.cardLabel

The name the camera will show up as.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/video/v4l2-relayd.nix>
services.v4l2-relayd.instances.<name>.extraPackages

Extra packages to add to GST_PLUGIN_PATH for the instance.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/video/v4l2-relayd.nix>
services.v4l2-relayd.instances.<name>.input.format

The video-format to read from input-stream.

Type: string

Default: "YUY2"

Declared by:

<nixpkgs/nixos/modules/services/video/v4l2-relayd.nix>
services.v4l2-relayd.instances.<name>.input.framerate

The framerate to read from input-stream.

Type: positive integer, meaning >0

Default: 30

Declared by:

<nixpkgs/nixos/modules/services/video/v4l2-relayd.nix>
services.v4l2-relayd.instances.<name>.input.height

The height to read from input-stream.

Type: positive integer, meaning >0

Default: 720

Declared by:

<nixpkgs/nixos/modules/services/video/v4l2-relayd.nix>
services.v4l2-relayd.instances.<name>.input.pipeline

The gstreamer-pipeline to use for the input-stream.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/video/v4l2-relayd.nix>
services.v4l2-relayd.instances.<name>.input.width

The width to read from input-stream.

Type: positive integer, meaning >0

Default: 1280

Declared by:

<nixpkgs/nixos/modules/services/video/v4l2-relayd.nix>
services.v4l2-relayd.instances.<name>.name

The name of the instance.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/video/v4l2-relayd.nix>
services.v4l2-relayd.instances.<name>.output.format

The video-format to write to output-stream.

Type: string

Default: "YUY2"

Declared by:

<nixpkgs/nixos/modules/services/video/v4l2-relayd.nix>
services.varnish.enable

Whether to enable Varnish Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/varnish/default.nix>
services.varnish.enableConfigCheck

Whether to enable checking the config during build time.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-servers/varnish/default.nix>
services.varnish.package

The varnish package to use.

Type: package

Default: pkgs.varnish

Declared by:

<nixpkgs/nixos/modules/services/web-servers/varnish/default.nix>
services.varnish.config

Verbatim default.vcl configuration.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/web-servers/varnish/default.nix>
services.varnish.extraCommandLine

Command line switches for varnishd (run ‘varnishd -?’ to get list of options)

Type: string

Default: ""

Example: "-s malloc,256M"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/varnish/default.nix>
services.varnish.extraModules

Varnish modules (except ‘std’).

Type: list of package

Default: [ ]

Example: [ pkgs.varnishPackages.geoip ]

Declared by:

<nixpkgs/nixos/modules/services/web-servers/varnish/default.nix>
services.varnish.http_address

HTTP listen address and port.

Type: string

Default: "*:6081"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/varnish/default.nix>
services.varnish.stateDir

Directory holding all state for Varnish to run. Note that this should be a tmpfs in order to avoid performance issues and crashes.

Type: path

Default: "/run/varnish/${config.networking.hostName}"

Declared by:

<nixpkgs/nixos/modules/services/web-servers/varnish/default.nix>
services.vault.enable

Whether to enable Vault daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault.package

The vault package to use.

Type: package

Default: pkgs.vault

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault.address

The name of the ip interface to listen to

Type: string

Default: "127.0.0.1:8200"

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault.dev

In this mode, Vault runs in-memory and starts unsealed. This option is not meant production but for development and testing i.e. for nixos tests.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault.devRootTokenID

Initial root token. This only applies when services.vault.dev is true

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault.extraConfig

Extra text appended to vault.hcl.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault.extraSettingsPaths

Configuration files to load besides the immutable one defined by the NixOS module. This can be used to avoid putting credentials in the Nix store, which can be read by any user.

Each path can point to a JSON- or HCL-formatted file, or a directory to be scanned for files with .hcl or .json extensions.

To upload the confidential file with NixOps, use for example:

# https://releases.nixos.org/nixops/latest/manual/manual.html#opt-deployment.keys
deployment.keys."vault.hcl" = let db = import ./db-credentials.nix; in {
  text = ''
    storage "postgresql" {
      connection_url = "postgres://${db.username}:${db.password}@host.example.com/exampledb?sslmode=verify-ca"
    }
  '';
  user = "vault";
};
services.vault.extraSettingsPaths = ["/run/keys/vault.hcl"];
services.vault.storageBackend = "postgresql";
users.users.vault.extraGroups = ["keys"];

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault.listenerExtraConfig

Extra text appended to the listener section.

Type: strings concatenated with “\n”

Default:

''
  tls_min_version = "tls12"
''

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault.storageBackend

The name of the type of storage backend

Type: one of “inmem”, “file”, “consul”, “zookeeper”, “s3”, “azure”, “dynamodb”, “etcd”, “mssql”, “mysql”, “postgresql”, “swift”, “gcs”, “raft”

Default: "inmem"

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault.storageConfig

HCL configuration to insert in the storageBackend section.

Confidential values should not be specified here because this option’s value is written to the Nix store, which is publicly readable. Provide credentials and such in a separate file using services.vault.extraSettingsPaths.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault.storagePath

Data directory for file backend

Type: null or path

Default:

if config.services.vault.storageBackend == "file" || cfg.storageBackend == "raft"
then "/var/lib/vault"
else null

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault.telemetryConfig

Telemetry configuration

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault.tlsCertFile

TLS certificate file. TLS will be disabled unless this option is set

Type: null or string

Default: null

Example: "/path/to/your/cert.pem"

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault.tlsKeyFile

TLS private key file. TLS will be disabled unless this option is set

Type: null or string

Default: null

Example: "/path/to/your/key.pem"

Declared by:

<nixpkgs/nixos/modules/services/security/vault.nix>
services.vault-agent.instances

Attribute set of vault-agent instances. Creates independent vault-agent-${name}.service systemd units for each instance defined here.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.vault-agent.instances.<name>.enable

Whether to enable this vault-agent instance.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.vault-agent.instances.<name>.package

The vault package to use.

Type: package

Default: pkgs.vault

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.vault-agent.instances.<name>.group

Group under which this instance runs.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.vault-agent.instances.<name>.settings

Free-form settings written directly to the config.json file. Refer to https://developer.hashicorp.com/vault/docs/agent#configuration-file-options for supported values.

Note

Resulting format is JSON not HCL. Refer to https://www.hcl2json.com/ if you are unsure how to convert HCL options to JSON.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.vault-agent.instances.<name>.settings.pid_file

Path to use for the pid file.

Type: string

Default: "/run/vault-agent/‹name›.pid"

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.vault-agent.instances.<name>.settings.template

Template section of vault-agent. Refer to https://developer.hashicorp.com/vault/docs/agent/template for supported values.

Type: null or (list of attribute set of anything)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.vault-agent.instances.<name>.user

User under which this instance runs.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/security/vault-agent.nix>
services.vaultwarden.enable

Whether to enable vaultwarden.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/security/vaultwarden/default.nix>
services.vaultwarden.package

The vaultwarden package to use.

Type: package

Default: pkgs.vaultwarden

Declared by:

<nixpkgs/nixos/modules/services/security/vaultwarden/default.nix>
services.vaultwarden.backupDir

The directory under which vaultwarden will backup its persistent data.

Type: null or string

Default: null

Example: "/var/backup/vaultwarden"

Declared by:

<nixpkgs/nixos/modules/services/security/vaultwarden/default.nix>
services.vaultwarden.config

The configuration of vaultwarden is done through environment variables, therefore it is recommended to use upper snake case (e.g. DISABLE_2FA_REMEMBER).

However, camel case (e.g. disable2FARemember) is also supported: The NixOS module will convert it automatically to upper case snake case (e.g. DISABLE_2FA_REMEMBER). In this conversion digits (0-9) are handled just like upper case characters, so foo2 would be converted to FOO_2. Names already in this format remain unchanged, so FOO2 remains FOO2 if passed as such, even though foo2 would have been converted to FOO_2. This allows working around any potential future conflicting naming conventions.

Based on the attributes passed to this config option an environment file will be generated that is passed to vaultwarden’s systemd service.

The available configuration options can be found in the environment template file.

See services.vaultwarden.environmentFile for how to set up access to the Admin UI to invite initial users.

Type: attribute set of (null or boolean or signed integer or string)

Default:

{
  ROCKET_ADDRESS = "::1";
  ROCKET_PORT = 8222;
}

Example:

{
  DOMAIN = "https://bitwarden.example.com";
  SIGNUPS_ALLOWED = false;

  # Vaultwarden currently recommends running behind a reverse proxy
  # (nginx or similar) for TLS termination, see
  # https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying
  # > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support,
  # > especially if your instance is publicly accessible.
  #
  # A suitable NixOS nginx reverse proxy example config might be:
  #
  #     services.nginx.virtualHosts."bitwarden.example.com" = {
  #       enableACME = true;
  #       forceSSL = true;
  #       locations."/" = {
  #         proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
  #       };
  #     };
  ROCKET_ADDRESS = "127.0.0.1";
  ROCKET_PORT = 8222;

  ROCKET_LOG = "critical";

  # This example assumes a mailserver running on localhost,
  # thus without transport encryption.
  # If you use an external mail server, follow:
  #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
  SMTP_HOST = "127.0.0.1";
  SMTP_PORT = 25;
  SMTP_SSL = false;

  SMTP_FROM = "admin@bitwarden.example.com";
  SMTP_FROM_NAME = "example.com Bitwarden server";
}

Declared by:

<nixpkgs/nixos/modules/services/security/vaultwarden/default.nix>
services.vaultwarden.dbBackend

Which database backend vaultwarden will be using.

Type: one of “sqlite”, “mysql”, “postgresql”

Default: "sqlite"

Declared by:

<nixpkgs/nixos/modules/services/security/vaultwarden/default.nix>
services.vaultwarden.environmentFile

Additional environment file as defined in systemd.exec(5).

Secrets like ADMIN_TOKEN and SMTP_PASSWORD should be passed to the service without adding them to the world-readable Nix store.

Note that this file needs to be available on the host on which vaultwarden is running.

As a concrete example, to make the Admin UI available (from which new users can be invited initially), the secret ADMIN_TOKEN needs to be defined as described here:

# Admin secret token, see
# https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
ADMIN_TOKEN=...copy-paste a unique generated secret token here...

Type: null or path

Default: null

Example: "/var/lib/vaultwarden.env"

Declared by:

<nixpkgs/nixos/modules/services/security/vaultwarden/default.nix>
services.vaultwarden.webVaultPackage

Web vault package to use.

Type: package

Default: pkgs.vaultwarden.webvault

Declared by:

<nixpkgs/nixos/modules/services/security/vaultwarden/default.nix>
services.vdirsyncer.enable

Whether to enable vdirsyncer.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdirsyncer.package

The vdirsyncer package to use.

Type: package

Default: pkgs.vdirsyncer

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdirsyncer.jobs

vdirsyncer job configurations

Type: attribute set of (submodule)

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdirsyncer.jobs.<name>.enable

Whether to enable this vdirsyncer job.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdirsyncer.jobs.<name>.additionalGroups

additional groups to add the dynamic user to

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdirsyncer.jobs.<name>.config.general

general configuration

Type: attribute set

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdirsyncer.jobs.<name>.config.pairs

vdirsyncer pair configurations

Type: attribute set of (attribute set)

Default: { }

Example:

{
  my_contacts = {
    a = "my_cloud_contacts";
    b = "my_local_contacts";
    collections = [ "from a" ];
    conflict_resolution = "a wins";
    metadata = [ "color" "displayname" ];
  };
};

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdirsyncer.jobs.<name>.config.statusPath

vdirsyncer’s status path

Type: null or string

Default: /var/lib/vdirsyncer/${attrName}

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdirsyncer.jobs.<name>.config.storages

vdirsyncer storage configurations

Type: attribute set of (attribute set)

Default: { }

Example:

{
  my_cloud_contacts = {
    type = "carddav";
    url = "https://dav.example.com/";
    read_only = true;
    username = "user";
    "password.fetch" = [ "command" "cat" "/etc/vdirsyncer/cloud.passwd" ];
  };
  my_local_contacts = {
    type = "carddav";
    url = "https://localhost/";
    username = "user";
    "password.fetch" = [ "command" "cat" "/etc/vdirsyncer/local.passwd" ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdirsyncer.jobs.<name>.configFile

existing configuration file

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdirsyncer.jobs.<name>.forceDiscover

Run yes | vdirsyncer discover prior to vdirsyncer sync

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdirsyncer.jobs.<name>.group

group to run vdirsyncer as

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdirsyncer.jobs.<name>.timerConfig

systemd timer configuration

Type: attribute set

Default:

{
  OnBootSec = "1h";
  OnUnitActiveSec = "6h";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdirsyncer.jobs.<name>.user

User account to run vdirsyncer as, otherwise as a systemd dynamic user

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/vdirsyncer.nix>
services.vdr.enable

Whether to enable VDR, a video disk recorder.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/vdr.nix>
services.vdr.enableLirc

Whether to enable LIRC.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/hardware/vdr.nix>
services.vdr.package

The vdr package to use.

Type: package

Default: pkgs.vdr

Example: wrapVdr.override { plugins = with pkgs.vdrPlugins; [ hello ]; }

Declared by:

<nixpkgs/nixos/modules/services/hardware/vdr.nix>
services.vdr.extraArguments

Additional command line arguments to pass to VDR.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/hardware/vdr.nix>
services.vdr.group

Group under which the VDRvdr service runs.

Type: string

Default: "vdr"

Declared by:

<nixpkgs/nixos/modules/services/hardware/vdr.nix>
services.vdr.user

User under which the VDR service runs.

Type: string

Default: "vdr"

Declared by:

<nixpkgs/nixos/modules/services/hardware/vdr.nix>
services.vdr.videoDir

Recording directory

Type: path

Default: "/srv/vdr/video"

Declared by:

<nixpkgs/nixos/modules/services/hardware/vdr.nix>
services.vector.enable

Whether to enable Vector, a high-performance observability data pipeline.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/logging/vector.nix>
services.vector.package

The vector package to use.

Type: package

Default: pkgs.vector

Declared by:

<nixpkgs/nixos/modules/services/logging/vector.nix>
services.vector.journaldAccess

Enable Vector to access journald.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/logging/vector.nix>
services.vector.settings

Specify the configuration for Vector in Nix.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/logging/vector.nix>
services.veilid.enable

Whether to enable Veilid Headless Node.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.openFirewall

Whether to open firewall on ports 5150/tcp, 5150/udp

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings

Build veilid-server.conf with nix expression. Check <link xlink:href=“https://veilid.gitlab.io/developer-book/admin/config.html#configuration-keys”>Configuration Keys</link>.

Type: YAML value

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.client_api.ipc_directory

IPC directory where file sockets are stored.

Type: string

Default: "/var/db/veilid-server/ipc"

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.client_api.ipc_enabled

veilid-server will respond to Python and other JSON client requests.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.core.block_store.directory

The filesystem directory to store blocks for the block store.

Type: null or string

Default: "/var/db/veilid-server/block_store"

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.core.capabilities.disable

A list of capabilities to disable (for example, DHTV to say you cannot store DHT information).

Type: list of string

Default: [ ]

Example:

[
  "APPM"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.core.network.detect_address_changes

Should veilid-core detect and notify on network address changes?

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.core.network.dht.min_peer_count

Minimum number of nodes to keep in the peer table.

Type: signed integer or floating point number

Default: 20

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.core.network.routing_table.bootstrap

Host name of existing well-known Veilid bootstrap servers for the network to connect to.

Type: list of string

Default:

[
  "bootstrap.veilid.net"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.core.network.routing_table.node_id

Base64-encoded public key for the node, used as the node’s ID.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.core.network.upnp

Should the app try to improve its incoming network connectivity using UPnP?

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.core.protected_store.allow_insecure_fallback

If we can’t use system-provided secure storage, should we proceed anyway?

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.core.protected_store.always_use_insecure_storage

Should we bypass any attempt to use system-provided secure storage?

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.core.protected_store.directory

The filesystem directory to store your protected store in.

Type: string

Default: "/var/db/veilid-server/protected_store"

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.core.table_store.directory

The filesystem directory to store your table store within.

Type: string

Default: "/var/db/veilid-server/table_store"

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.logging.api.enabled

Events of type ‘api’ will be logged.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.logging.api.level

The minimum priority of api events to be logged.

Type: string

Default: "info"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.logging.system.enabled

Events of type ‘system’ will be logged.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.logging.system.level

The minimum priority of system events to be logged.

Type: string

Default: "info"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.logging.terminal.enabled

Events of type ‘terminal’ will be logged.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.veilid.settings.logging.terminal.level

The minimum priority of terminal events to be logged.

Type: string

Default: "info"

Example: "debug"

Declared by:

<nixpkgs/nixos/modules/services/networking/veilid.nix>
services.victoriametrics.enable

Whether to enable VictoriaMetrics in single-node mode.

VictoriaMetrics is a fast, cost-effective and scalable monitoring solution and time series database.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/databases/victoriametrics.nix>
services.victoriametrics.package

The victoriametrics package to use.

Type: package

Default: pkgs.victoriametrics

Declared by:

<nixpkgs/nixos/modules/services/databases/victoriametrics.nix>
services.victoriametrics.extraOptions

Extra options to pass to VictoriaMetrics. See the docs: https://docs.victoriametrics.com/single-server-victoriametrics/#list-of-command-line-flags or victoriametrics -help for more information.

Type: list of string

Default: [ ]

Example:

[
  "-httpAuth.username=username"
  "-httpAuth.password=file:///abs/path/to/file"
  "-loggerLevel=WARN"
]

Declared by:

<nixpkgs/nixos/modules/services/databases/victoriametrics.nix>
services.victoriametrics.listenAddress

TCP address to listen for incoming http requests.

Type: string

Default: ":8428"

Declared by:

<nixpkgs/nixos/modules/services/databases/victoriametrics.nix>
services.victoriametrics.prometheusConfig

Config for prometheus style metrics. See the docs: https://docs.victoriametrics.com/vmagent/#how-to-collect-metrics-in-prometheus-format for more information.

Type: YAML value

Default: { }

Example:

{
  scrape_configs = [
    {
      job_name = "postgres-exporter";
      metrics_path = "/metrics";
      static_configs = [
        {
          targets = ["1.2.3.4:9187"];
          labels.type = "database";
        }
      ];
    }
    {
      job_name = "node-exporter";
      metrics_path = "/metrics";
      static_configs = [
        {
          targets = ["1.2.3.4:9100"];
          labels.type = "node";
        }
        {
          targets = ["5.6.7.8:9100"];
          labels.type = "node";
        }
      ];
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/databases/victoriametrics.nix>
services.victoriametrics.retentionPeriod

How long to retain samples in storage. The minimum retentionPeriod is 24h or 1d. See also -retentionFilter The following optional suffixes are supported: s (second), h (hour), d (day), w (week), y (year). If suffix isn’t set, then the duration is counted in months (default 1)

Type: null or string

Default: null

Example: "15d"

Declared by:

<nixpkgs/nixos/modules/services/databases/victoriametrics.nix>
services.victoriametrics.stateDir

Directory below /var/lib to store VictoriaMetrics metrics data. This directory will be created automatically using systemd’s StateDirectory mechanism.

Type: string

Default: "victoriametrics"

Declared by:

<nixpkgs/nixos/modules/services/databases/victoriametrics.nix>
services.vikunja.enable

Whether to enable vikunja service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/vikunja.nix>
services.vikunja.package

The vikunja package to use.

Type: package

Default: pkgs.vikunja

Declared by:

<nixpkgs/nixos/modules/services/web-apps/vikunja.nix>
services.vikunja.database.database

Database name.

Type: string

Default: "vikunja"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/vikunja.nix>
services.vikunja.database.host

Database host address. Can also be a socket.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/vikunja.nix>
services.vikunja.database.path

Path to the sqlite3 database file.

Type: string

Default: "/var/lib/vikunja/vikunja.db"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/vikunja.nix>
services.vikunja.database.type

Database engine to use.

Type: one of “sqlite”, “mysql”, “postgres”

Default: "sqlite"

Example: "postgres"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/vikunja.nix>
services.vikunja.database.user

Database user.

Type: string

Default: "vikunja"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/vikunja.nix>
services.vikunja.environmentFiles

List of environment files set in the vikunja systemd service. For example passwords should be set in one of these files.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/vikunja.nix>
services.vikunja.frontendHostname

The Hostname under which the frontend is running.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/vikunja.nix>
services.vikunja.frontendScheme

Whether the site is available via http or https.

Type: one of “http”, “https”

Declared by:

<nixpkgs/nixos/modules/services/web-apps/vikunja.nix>
services.vikunja.port

The TCP port exposed by the API.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3456

Declared by:

<nixpkgs/nixos/modules/services/web-apps/vikunja.nix>
services.vikunja.settings

Vikunja configuration. Refer to https://vikunja.io/docs/config-options/ for details on supported values.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/vikunja.nix>
services.vmagent.enable

Whether to enable VictoriaMetrics’s vmagent.

vmagent efficiently scrape metrics from Prometheus-compatible exporters

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmagent.nix>
services.vmagent.package

The vmagent package to use.

Type: package

Default: pkgs.vmagent

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmagent.nix>
services.vmagent.extraArgs

Extra args to pass to vmagent. See the docs: https://docs.victoriametrics.com/vmagent.html#advanced-usage or vmagent -help for more information.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmagent.nix>
services.vmagent.openFirewall

Whether to open the firewall for the default ports.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmagent.nix>
services.vmagent.prometheusConfig

Config for prometheus style metrics

Type: YAML value

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmagent.nix>
services.vmagent.remoteWrite.basicAuthPasswordFile

File that contains the Basic Auth password used to connect to remote_write endpoint

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmagent.nix>
services.vmagent.remoteWrite.basicAuthUsername

Basic Auth username used to connect to remote_write endpoint

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmagent.nix>
services.vmagent.remoteWrite.url

Endpoint for prometheus compatible remote_write

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmagent.nix>
services.vmalert.enable

Wether to enable VictoriaMetrics’s vmalert.

vmalert evaluates alerting and recording rules against a data source, sends notifications via Alertmanager.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmalert.nix>
services.vmalert.package

The victoriametrics package to use.

Type: package

Default: pkgs.victoriametrics

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmalert.nix>
services.vmalert.rules

A list of the given alerting or recording rules against configured "datasource.url" compatible with Prometheus HTTP API for vmalert to execute. Refer to https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/app/vmalert/README.md#rules for details on supported values.

Type: YAML value

Default: { }

Example:

{
  group = [
    {
      name = "TestGroup";
      rules = [
        {
          alert = "ExampleAlertAlwaysFiring";
          expr = ''
            sum by(job)
            (up == 1)
          '';
        }
      ];
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmalert.nix>
services.vmalert.settings

vmalert configuration, passed via command line flags. Refer to https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/app/vmalert/README.md#configuration for details on supported values.

Type: attribute set of (boolean or signed integer or path or string or list of (boolean or signed integer or path or string))

Default: { }

Example:

{
  "datasource.disableKeepAlive" = true;
  "datasource.showURL" = false;
  "datasource.url" = "http://localhost:8428";
  rule = [
    "http://<some-server-addr>/path/to/rules"
    "dir/*.yaml"
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmalert.nix>
services.vmalert.settings."datasource.url"

Datasource compatible with Prometheus HTTP API.

Type: non-empty string

Example: "http://localhost:8428"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmalert.nix>
services.vmalert.settings."notifier.url"

Prometheus Alertmanager URL. List all Alertmanager URLs if it runs in the cluster mode to ensure high availability.

Type: list of non-empty string

Default: [ ]

Example:

[
  "http://127.0.0.1:9093"
]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmalert.nix>
services.vmalert.settings.rule

Path to the files with alerting and/or recording rules.

Note

Consider using the services.vmalert.rules option as a convenient alternative for declaring rules directly in the nix language.

Type: list of path

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vmalert.nix>
services.vnstat.enable

Whether to enable update of network usage statistics via vnstatd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/vnstat.nix>
services.vsftpd.enable

Whether to enable vsftpd.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.enableVirtualUsers

Whether to enable the pam_userdb-based virtual user system

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.allowWriteableChroot

Allow the use of writeable root inside chroot().

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.anonymousMkdirEnable

Whether any uploads are permitted to anonymous users.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.anonymousUmask

Anonymous write umask.

Type: string

Default: "077"

Example: "002"

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.anonymousUploadEnable

Whether any uploads are permitted to anonymous users.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.anonymousUser

Whether to enable the anonymous FTP user.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.anonymousUserHome

Directory to consider the HOME of the anonymous user.

Type: path

Default: "/home/ftp/"

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.anonymousUserNoPassword

Whether to disable the password for the anonymous FTP user.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.chrootlocalUser

Whether local users are confined to their home directory.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.extraConfig

Extra configuration to add at the bottom of the generated configuration file.

Type: strings concatenated with “\n”

Default: ""

Example: "ftpd_banner=Hello"

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.forceLocalDataSSL

Only applies if sslEnable is true. Non anonymous (local) users must use a secure SSL connection for sending/receiving data on data connection.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.forceLocalLoginsSSL

Only applies if sslEnable is true. Non anonymous (local) users must use a secure SSL connection to send a password.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.localRoot

This option represents a directory which vsftpd will try to change into after a local (i.e. non- anonymous) login.

Failure is silently ignored.

Type: null or string

Default: null

Example: "/var/www/$USER"

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.localUsers

Whether to enable FTP for local users.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.portPromiscuous

Set to YES if you want to disable the PORT security check that ensures that outgoing data connections can only connect to the client. Only enable if you know what you are doing!

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.rsaCertFile

RSA certificate file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.rsaKeyFile

RSA private key file.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.ssl_sslv2

Only applies if ssl_enable is activated. If enabled, this option will permit SSL v2 protocol connections. TLS v1 connections are preferred.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.ssl_sslv3

Only applies if ssl_enable is activated. If enabled, this option will permit SSL v3 protocol connections. TLS v1 connections are preferred.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.ssl_tlsv1

Only applies if ssl_enable is activated. If enabled, this option will permit TLS v1 protocol connections. TLS v1 connections are preferred.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.userDbPath

Only applies if enableVirtualUsers is true. Path pointing to the pam_userdb user database used by vsftpd to authenticate the virtual users.

This user list should be stored in the Berkeley DB database format.

To generate a new user database, create a text file, add your users using the following format:

user1
password1
user2
password2

You can then install pkgs.db to generate the Berkeley DB using

db_load -T -t hash -f logins.txt userDb.db

Caution: pam_userdb will automatically append a .db suffix to the filename you provide though this option. This option shouldn’t include this filetype suffix.

Type: null or string

Default: null

Example: "/etc/vsftpd/userDb"

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.userlist

See userlistFile.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.userlistDeny

Specifies whether userlistFile is a list of user names to allow or deny access. The default false means whitelist/allow.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.userlistEnable

Whether users are included.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.userlistFile

Newline separated list of names to be allowed/denied if userlistEnable is true. Meaning see userlistDeny.

The default is a file containing the users from userlist.

If explicitly set to null userlist_file will not be set in vsftpd’s config file.

Type: path

Default: pkgs.writeText "userlist" (concatMapStrings (x: "${x}\n") cfg.userlist)

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.virtualUseLocalPrivs

If enabled, virtual users will use the same privileges as local users. By default, virtual users will use the same privileges as anonymous users, which tends to be more restrictive (especially in terms of write access).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.vsftpd.writeEnable

Whether any write activity is permitted to users.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/vsftpd.nix>
services.waagent.enable

Whether to enable Whether to enable the Windows Azure Linux Agent. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.package

The waagent package to use.

Type: package

Default: pkgs.waagent

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.extraPackages

Additional packages to add to the waagent PATH.

Type: list of package

Default: [ ]

Example: [ pkgs.powershell ]

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings

The waagent.conf configuration, see https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux for documentation.

Type: attribute set of (atom (bool, string, int or float) or null or a list of themor an attribute set of them)

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.AutoUpdate.Enable

Whether to enable Enable or disable autoupdate for goal state processing. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.HttpProxy.Host

If you set http proxy, waagent will use is proxy to access the Internet.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.HttpProxy.Port

If you set http proxy, waagent will use this proxy to access the Internet.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.Logs.Verbose

Whether to enable If you set this option, log verbosity is boosted. Waagent logs to /var/log/waagent.log and uses the system logrotate functionality to rotate logs. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.OS.EnableRDMA

Whether to enable If enabled, the agent attempts to install and then load an RDMA kernel driver that matches the version of the firmware on the underlying hardware. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.OS.RootDeviceScsiTimeout

Configures the SCSI timeout in seconds on the OS disk and data drives. If set to null, the system defaults are used.

Type: null or signed integer

Default: 300

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.Provisioning.Agent

Which provisioning agent to use.

Type: one of “auto”, “waagent”, “cloud-init”, “disabled”

Default: "auto"

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.Provisioning.Enable

Whether to enable provisioning functionality in the agent.

If provisioning is disabled, SSH host and user keys in the image are preserved and configuration in the Azure provisioning API is ignored.

Set to false if cloud-init is used for provisioning tasks.

Type: boolean

Default: !config.services.cloud-init.enable

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.ResourceDisk.EnableSwap

Whether to enable If enabled, the agent creates a swap file (/swapfile) on the resource disk and adds it to the system swap space.

This configuration has no effect if resource disk is managed by cloud-init. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.ResourceDisk.FileSystem

The file system type for the resource disk. If the string is X, then mkfs.X should be present in the environment. You can add additional filesystem packages using services.waagent.extraPackages.

This configuration has no effect if resource disk is managed by cloud-init.

Type: string

Default: "ext4"

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.ResourceDisk.Format

Whether to enable If set to true, waagent formats and mounts the resource disk that the platform provides, unless the file system type in ResourceDisk.FileSystem is set to ntfs. The agent makes a single Linux partition (ID 83) available on the disk. This partition isn’t formatted if it can be successfully mounted.

This configuration has no effect if resource disk is managed by cloud-init. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.ResourceDisk.MountOptions

This option specifies disk mount options to be passed to the mount -o command. For more information, see the mount(8) manual page.

Type: list of string

Default: [ ]

Example:

[
  "nodev"
  "nosuid"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.ResourceDisk.MountPoint

This option specifies the path at which the resource disk is mounted. The resource disk is a temporary disk and might be emptied when the VM is deprovisioned.

This configuration has no effect if resource disk is managed by cloud-init.

Type: string

Default: "/mnt/resource"

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.waagent.settings.ResourceDisk.SwapSizeMB

Specifies the size of the swap file in megabytes.

This configuration has no effect if resource disk is managed by cloud-init.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/virtualisation/waagent.nix>
services.wakapi.enable

Whether to enable Wakapi.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wakapi.nix>
services.wakapi.package

The wakapi package to use.

Type: package

Default: pkgs.wakapi

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wakapi.nix>
services.wakapi.database.createLocally

Whether to enable automatic database configuration.

Note

Only PostgreSQL is supported for the time being.

.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wakapi.nix>
services.wakapi.database.dialect

The database type to use for Wakapi.

Type: null or one of “postgres”, “sqlite3”, “mysql”, “cockroach”, “mssql”

Default:

''
  Database dialect from settings if {option}`services.wakatime.settings.db.dialect`
  is set, or `null` otherwise.
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wakapi.nix>
services.wakapi.database.name

The name of the database to use for Wakapi.

Type: string

Default:

''
  Database name from settings if {option}`services.wakatime.settings.db.name`
  is set, or "wakapi" otherwise.
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wakapi.nix>
services.wakapi.database.user

The name of the user to use for Wakapi.

Type: string

Default:

''
  User from settings if {option}`services.wakatime.settings.db.user`
  is set, or "wakapi" otherwise.
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wakapi.nix>
services.wakapi.passwordSalt

The password salt to use for Wakapi.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wakapi.nix>
services.wakapi.passwordSaltFile

The path to a file containing the password salt to use for Wakapi.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wakapi.nix>
services.wakapi.settings

Settings for Wakapi.

See config.default.yml for a list of all possible options.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wakapi.nix>
services.wakapi.smtpPassword

The password used for the smtp mailed to used by Wakapi.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wakapi.nix>
services.wakapi.smtpPasswordFile

The path to a file containing the password for the smtp mailer used by Wakapi.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wakapi.nix>
services.wasabibackend.enable

Whether to enable Wasabi backend service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wasabibackend.nix>
services.wasabibackend.customConfigFile

Defines the path to a custom configuration file that is copied to the user’s directory. Overrides any config options.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/wasabibackend.nix>
services.wasabibackend.dataDir

The data directory for the Wasabi backend node.

Type: path

Default: "/var/lib/wasabibackend"

Declared by:

<nixpkgs/nixos/modules/services/networking/wasabibackend.nix>
services.wasabibackend.endpoint.ip

IP address for P2P connection to bitcoind.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/wasabibackend.nix>
services.wasabibackend.endpoint.port

Port for P2P connection to bitcoind.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8333

Declared by:

<nixpkgs/nixos/modules/services/networking/wasabibackend.nix>
services.wasabibackend.group

The group as which to run the wasabibackend node.

Type: string

Default: config.services.wasabibackend.user

Declared by:

<nixpkgs/nixos/modules/services/networking/wasabibackend.nix>
services.wasabibackend.network

The network to use for the Wasabi backend service.

Type: one of “mainnet”, “testnet”, “regtest”

Default: "mainnet"

Declared by:

<nixpkgs/nixos/modules/services/networking/wasabibackend.nix>
services.wasabibackend.rpc.ip

IP address for RPC connection to bitcoind.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/wasabibackend.nix>
services.wasabibackend.rpc.password

RPC password for the bitcoin endpoint. Warning: this is stored in cleartext in the Nix store! Use configFile or passwordFile if needed.

Type: string

Default: "password"

Declared by:

<nixpkgs/nixos/modules/services/networking/wasabibackend.nix>
services.wasabibackend.rpc.passwordFile

File that contains the password of the RPC user.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/wasabibackend.nix>
services.wasabibackend.rpc.port

Port for RPC connection to bitcoind.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8332

Declared by:

<nixpkgs/nixos/modules/services/networking/wasabibackend.nix>
services.wasabibackend.rpc.user

RPC user for the bitcoin endpoint.

Type: string

Default: "bitcoin"

Declared by:

<nixpkgs/nixos/modules/services/networking/wasabibackend.nix>
services.wasabibackend.user

The user as which to run the wasabibackend node.

Type: string

Default: "wasabibackend"

Declared by:

<nixpkgs/nixos/modules/services/networking/wasabibackend.nix>
services.wastebin.enable

Whether to enable Wastebin, a pastebin service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/wastebin.nix>
services.wastebin.package

The wastebin package to use.

Type: package

Default: pkgs.wastebin

Declared by:

<nixpkgs/nixos/modules/services/misc/wastebin.nix>
services.wastebin.secretFile

Path to file containing sensitive environment variables. Some variables that can be considered secrets are:

  • WASTEBIN_PASSWORD_SALT: salt used to hash user passwords used for encrypting pastes.

  • WASTEBIN_SIGNING_KEY: sets the key to sign cookies. If not set, a random key will be generated which means cookies will become invalid after restarts and paste creators will not be able to delete their pastes anymore.

Type: null or path

Default: null

Example: "/run/secrets/wastebin.env"

Declared by:

<nixpkgs/nixos/modules/services/misc/wastebin.nix>
services.wastebin.settings

Additional configuration for wastebin, see https://github.com/matze/wastebin#usage for supported values. For secrets use secretFile option instead.

Type: attribute set of (boolean or signed integer or string)

Default: { }

Example:

{
  WASTEBIN_TITLE = "My awesome pastebin";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/wastebin.nix>
services.wastebin.settings.RUST_LOG

Influences logging. Besides the typical trace, debug, info etc. keys, you can also set the tower_http key to some log level to get additional information request and response logs.

Type: string

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/misc/wastebin.nix>
services.wastebin.settings.WASTEBIN_ADDRESS_PORT

Address and port to bind to

Type: string

Default: "0.0.0.0:8088"

Declared by:

<nixpkgs/nixos/modules/services/misc/wastebin.nix>
services.wastebin.settings.WASTEBIN_BASE_URL

Base URL for the QR code display. If not set, the user agent’s Host header field is used as an approximation.

Type: string

Default: "http://localhost"

Example: "https://myhost.tld"

Declared by:

<nixpkgs/nixos/modules/services/misc/wastebin.nix>
services.wastebin.settings.WASTEBIN_CACHE_SIZE

Number of rendered syntax highlight items to cache. Can be disabled by setting to 0.

Type: signed integer

Default: 128

Declared by:

<nixpkgs/nixos/modules/services/misc/wastebin.nix>
services.wastebin.settings.WASTEBIN_DATABASE_PATH

Path to the sqlite3 database file. If not set, an in-memory database is used.

Type: string

Default: "/var/lib/wastebin/sqlite3.db"

Declared by:

<nixpkgs/nixos/modules/services/misc/wastebin.nix>
services.wastebin.settings.WASTEBIN_HTTP_TIMEOUT

Maximum number of seconds a request can be processed until wastebin responds with 408

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/misc/wastebin.nix>
services.wastebin.settings.WASTEBIN_MAX_BODY_SIZE

Number of bytes to accept for POST requests

Type: signed integer

Default: 1024

Declared by:

<nixpkgs/nixos/modules/services/misc/wastebin.nix>
services.wastebin.settings.WASTEBIN_TITLE

Overrides the HTML page title

Type: string

Default: "wastebin"

Declared by:

<nixpkgs/nixos/modules/services/misc/wastebin.nix>
services.wastebin.stateDir

State directory of the daemon.

Type: path

Default: "/var/lib/wastebin"

Declared by:

<nixpkgs/nixos/modules/services/misc/wastebin.nix>
services.watchdogd.enable

Whether to enable watchdogd, an advanced system & process supervisor.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.package

The watchdogd package to use.

Type: package

Default: pkgs.watchdogd

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings

Configuration to put in watchdogd.conf. See watchdogd.conf(5) for more details.

Type: attribute set of (boolean or signed integer or floating point number or string or attribute set of (boolean or signed integer or floating point number or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.filenr.enabled

Whether to enable watchdogd plugin filenr.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.filenr.critical

The critical watermark level. Alert sent to log, followed by reboot or script action.

Type: nonnegative integer or floating point number, meaning >=0

Default: 1.0

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.filenr.interval

Amount of seconds between every poll.

Type: unsigned integer, meaning >=0

Default: 300

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.filenr.logmark

Whether to log current stats every poll interval.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.filenr.warning

The high watermark level. Alert sent to log.

Type: nonnegative integer or floating point number, meaning >=0

Default: 0.9

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.interval

The kick interval, i.e. how often watchdogd(8) should reset the WDT timer.

Type: unsigned integer, meaning >=0

Default: 5

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.loadavg.enabled

Whether to enable watchdogd plugin loadavg.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.loadavg.critical

The critical watermark level. Alert sent to log, followed by reboot or script action.

Type: nonnegative integer or floating point number, meaning >=0

Default: 2.0

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.loadavg.interval

Amount of seconds between every poll.

Type: unsigned integer, meaning >=0

Default: 300

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.loadavg.logmark

Whether to log current stats every poll interval.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.loadavg.warning

The high watermark level. Alert sent to log.

Type: nonnegative integer or floating point number, meaning >=0

Default: 1.0

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.meminfo.enabled

Whether to enable watchdogd plugin meminfo.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.meminfo.critical

The critical watermark level. Alert sent to log, followed by reboot or script action.

Type: nonnegative integer or floating point number, meaning >=0

Default: 0.95

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.meminfo.interval

Amount of seconds between every poll.

Type: unsigned integer, meaning >=0

Default: 300

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.meminfo.logmark

Whether to log current stats every poll interval.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.meminfo.warning

The high watermark level. Alert sent to log.

Type: nonnegative integer or floating point number, meaning >=0

Default: 0.9

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.safe-exit

With safeExit enabled, the daemon will ask the driver to disable the WDT before exiting. However, some WDT drivers (or hardware) may not support this.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.watchdogd.settings.timeout

The WDT timeout before reset.

Type: unsigned integer, meaning >=0

Default: 15

Declared by:

<nixpkgs/nixos/modules/services/monitoring/watchdogd.nix>
services.webdav.enable

Whether to enable WebDAV server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/webdav.nix>
services.webdav.configFile

Path to config file. If this option is set, it will override any configuration done in options.services.webdav.settings.

Type: path

Default: "Config file generated from services.webdav.settings"

Example: "/etc/webdav/config.yaml"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/webdav.nix>
services.webdav.environmentFile

Environment file as defined in systemd.exec(5).

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/webdav.nix>
services.webdav.group

Group under which WebDAV runs.

Type: string

Default: "webdav"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/webdav.nix>
services.webdav.settings

Attrset that is converted and passed as config file. Available options can be found at here.

This program supports reading username and password configuration from environment variables, so it’s strongly recommended to store username and password in a separate EnvironmentFile. This prevents adding secrets to the world-readable Nix store.

Type: YAML value

Default: { }

Example:

{
    address = "0.0.0.0";
    port = 8080;
    scope = "/srv/public";
    modify = true;
    auth = true;
    users = [
      {
        username = "{env}ENV_USERNAME";
        password = "{env}ENV_PASSWORD";
      }
    ];
}

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/webdav.nix>
services.webdav.user

User account under which WebDAV runs.

Type: string

Default: "webdav"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/webdav.nix>
services.webdav-server-rs.enable

Whether to enable WebDAV server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/webdav-server-rs.nix>
services.webdav-server-rs.configFile

Path to config file. If this option is set, it will override any configuration done in services.webdav-server-rs.settings.

Type: path

Default: "Config file generated from services.webdav-server-rs.settings"

Example: "/etc/webdav-server.toml"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/webdav-server-rs.nix>
services.webdav-server-rs.debug

Enable debug mode.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/webdav-server-rs.nix>
services.webdav-server-rs.group

Group to run under when setuid is not enabled.

Type: string

Default: "webdav"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/webdav-server-rs.nix>
services.webdav-server-rs.settings

Attrset that is converted and passed as config file. Available options can be found at here.

Type: TOML value

Default: { }

Example:

{
  server.listen = [ "0.0.0.0:4918" "[::]:4918" ];
  accounts = {
    auth-type = "htpasswd.default";
    acct-type = "unix";
  };
  htpasswd.default = {
    htpasswd = "/etc/htpasswd";
  };
  location = [
    {
      route = [ "/public/*path" ];
      directory = "/srv/public";
      handler = "filesystem";
      methods = [ "webdav-ro" ];
      autoindex = true;
      auth = "false";
    }
    {
      route = [ "/user/:user/*path" ];
      directory = "~";
      handler = "filesystem";
      methods = [ "webdav-rw" ];
      autoindex = true;
      auth = "true";
      setuid = true;
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/webdav-server-rs.nix>
services.webdav-server-rs.user

User to run under when setuid is not enabled.

Type: string

Default: "webdav"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/webdav-server-rs.nix>
services.webhook.enable

Whether to enable Webhook, a server written in Go that allows you to create HTTP endpoints (hooks), which execute configured commands for any person or service that knows the URL .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.enableTemplates

Enable the generated hooks file to be parsed as a Go template. See the documentation for more information.

Type: boolean

Default: hooksTemplated != {}

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.package

The webhook package to use.

Type: package

Default: pkgs.webhook

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.environment

Extra environment variables passed to webhook.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.extraArgs

These are arguments passed to the webhook command in the systemd service. You can find the available arguments and options in the documentation.

Type: list of string

Default: [ ]

Example:

[
  "-secure"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.group

Webhook will be run under this group.

If set, you must create this group yourself!

Type: string

Default: "webhook"

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.hooks

The actual configuration of which hooks will be served.

Read more on the project homepage and on the hook definition page. At least one hook needs to be configured.

Type: attribute set of (JSON value)

Default: { }

Example:

{
  echo = {
    execute-command = "echo";
    response-message = "Webhook is reachable!";
  };
  redeploy-webhook = {
    command-working-directory = "/var/webhook";
    execute-command = "/var/scripts/redeploy.sh";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.hooks.<name>.execute-command

The command that should be executed when the hook is triggered.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.hooks.<name>.id

The ID of your hook. This value is used to create the HTTP endpoint (protocol://yourserver:port/prefix/${id}).

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.hooksTemplated

Same as hooks, but these hooks are specified as literal strings instead of Nix values, and hence can include template syntax which might not be representable as JSON.

Template syntax requires the enableTemplates option to be set to true, which is done by default if this option is set.

Type: attribute set of string

Default: { }

Example:

{
  echo-template = ''
    {
      "id": "echo-template",
      "execute-command": "echo",
      "response-message": "{{ getenv "MESSAGE" }}"
    }
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.ip

The IP webhook should serve hooks on.

The default means it can be reached on any interface if openFirewall = true.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.openFirewall

Open the configured port in the firewall for external ingress traffic. Preferably the Webhook server is instead put behind a reverse proxy.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.port

The port webhook should be reachable from.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9000

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.urlPrefix

The URL path prefix to use for served hooks (protocol://yourserver:port/${prefix}/hook-id).

Type: string

Default: "hooks"

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.user

Webhook will be run under this user.

If set, you must create this user yourself!

Type: string

Default: "webhook"

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.webhook.verbose

Whether to show verbose output.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/webhook.nix>
services.weblate.enable

Whether to enable Weblate service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/weblate.nix>
services.weblate.package

The weblate package to use.

Type: package

Default: pkgs.weblate

Declared by:

<nixpkgs/nixos/modules/services/web-apps/weblate.nix>
services.weblate.djangoSecretKeyFile

Location of the Django secret key.

This should be a path pointing to a file with secure permissions (not /nix/store).

Can be generated with weblate-generate-secret-key which is available as the weblate user.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/weblate.nix>
services.weblate.extraConfig

Text to append to settings.py Weblate configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/weblate.nix>
services.weblate.localDomain

The domain name serving your Weblate instance.

Type: string

Example: "weblate.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/weblate.nix>
services.weblate.smtp.enable

Whether to enable Weblate SMTP support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/weblate.nix>
services.weblate.smtp.host

SMTP host used when sending emails to users.

Type: string

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/weblate.nix>
services.weblate.smtp.passwordFile

Location of a file containing the SMTP password.

This should be a path pointing to a file with secure permissions (not /nix/store).

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/weblate.nix>
services.weblate.smtp.user

SMTP login name.

Type: string

Example: "weblate@example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/weblate.nix>
services.weechat.enable

Whether to enable weechat.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/weechat.nix>
services.weechat.binary

Binary to execute.

Type: path

Default: "${pkgs.weechat}/bin/weechat"

Example: "${pkgs.weechat}/bin/weechat-headless"

Declared by:

<nixpkgs/nixos/modules/services/misc/weechat.nix>
services.weechat.root

Weechat state directory.

Type: string

Default: "/var/lib/weechat"

Declared by:

<nixpkgs/nixos/modules/services/misc/weechat.nix>
services.weechat.sessionName

Name of the screen session for weechat.

Type: string

Default: "weechat-screen"

Declared by:

<nixpkgs/nixos/modules/services/misc/weechat.nix>
services.wg-access-server.enable

Whether to enable wg-access-server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-access-server.nix>
services.wg-access-server.package

The wg-access-server package to use.

Type: package

Default: pkgs.wg-access-server

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-access-server.nix>
services.wg-access-server.secretsFile

yaml file containing all secrets. this needs to be in the same structure as the configuration.

This must to contain the admin password and wireguard private key. As well as the secrets for your auth backend.

Example:

adminPassword: <admin password>
wireguard:
  privateKey: <wireguard private key>
auth:
  oidc:
    clientSecret: <client secret>

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-access-server.nix>
services.wg-access-server.settings

See https://www.freie-netze.org/wg-access-server/2-configuration/ for possible options

Type: YAML value

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-access-server.nix>
services.wg-access-server.settings.dns.enabled

Enable/disable the embedded DNS proxy server. This is enabled by default and allows VPN clients to avoid DNS leaks by sending all DNS requests to wg-access-server itself.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-access-server.nix>
services.wg-access-server.settings.storage

A storage backend connection string. See storage docs

Type: string

Default: "sqlite3://db.sqlite"

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-access-server.nix>
services.wg-netmanager.enable

Whether to enable Wireguard network manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wg-netmanager.nix>
services.wgautomesh.enable

Whether to enable the wgautomesh daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.enableGossipEncryption

Enable encryption of gossip traffic.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.enablePersistence

Enable persistence of Wireguard peer info between restarts.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.gossipSecretFile

File containing the gossip secret, a shared secret key to use for gossip encryption. Required if enableGossipEncryption is set. This file may contain any arbitrary-length utf8 string. To generate a new gossip secret, use a command such as openssl rand -base64 32.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.logLevel

wgautomesh log level.

Type: one of “trace”, “debug”, “info”, “warn”, “error”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.openFirewall

Automatically open gossip port in firewall (recommended).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.settings

Configuration for wgautomesh.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.settings.gossip_port

wgautomesh gossip port, this MUST be the same number on all nodes in the wgautomesh network.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 1666

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.settings.interface

Wireguard interface to manage (it is NOT created by wgautomesh, you should use another NixOS option to create it such as networking.wireguard.interfaces.wg0 = {...};).

Type: string

Example: "wg0"

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.settings.lan_discovery

Enable discovery of peers on the same LAN using UDP broadcast.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.settings.peers

wgautomesh peer list.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.settings.peers.*.address

Wireguard address of this peer (a single IP address, multiple addresses or address ranges are not supported).

Type: string

Example: "10.0.0.42"

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.settings.peers.*.endpoint

Bootstrap endpoint for connecting to this Wireguard peer if no other address is known or none are working.

Type: null or string

Default: null

Example: "wgnode.mydomain.example:51820"

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.settings.peers.*.pubkey

Wireguard public key of this peer.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.wgautomesh.settings.upnp_forward_external_port

Public port number to try to redirect to this machine’s Wireguard daemon using UPnP IGD.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/wgautomesh.nix>
services.whisparr.enable

Whether to enable Whisparr.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/whisparr.nix>
services.whisparr.package

The whisparr package to use.

Type: package

Default: pkgs.whisparr

Declared by:

<nixpkgs/nixos/modules/services/misc/whisparr.nix>
services.whisparr.dataDir

The directory where Whisparr stores its data files.

Type: path

Default: "/var/lib/whisparr/.config/Whisparr"

Declared by:

<nixpkgs/nixos/modules/services/misc/whisparr.nix>
services.whisparr.group

Group under which Whisparr runs.

Type: string

Default: "whisparr"

Declared by:

<nixpkgs/nixos/modules/services/misc/whisparr.nix>
services.whisparr.openFirewall

Open ports in the firewall for the Whisparr web interface.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/whisparr.nix>
services.whisparr.user

User account under which Whisparr runs.

Type: string

Default: "whisparr"

Declared by:

<nixpkgs/nixos/modules/services/misc/whisparr.nix>
services.whitebophir.enable

Whether to enable whitebophir, an online collaborative whiteboard server (persistent state will be maintained under /var/lib/whitebophir).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/whitebophir.nix>
services.whitebophir.package

The whitebophir package to use.

Type: package

Default: pkgs.whitebophir

Declared by:

<nixpkgs/nixos/modules/services/web-apps/whitebophir.nix>
services.whitebophir.listenAddress

Address to listen on (use 0.0.0.0 to allow access from any address).

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/whitebophir.nix>
services.whitebophir.port

Port to bind to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5001

Declared by:

<nixpkgs/nixos/modules/services/web-apps/whitebophir.nix>
services.wiki-js.enable

Whether to enable wiki-js.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wiki-js.nix>
services.wiki-js.environmentFile

Environment file to inject e.g. secrets into the configuration.

Type: null or path

Default: null

Example: "/root/wiki-js.env"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wiki-js.nix>
services.wiki-js.settings

Settings to configure wiki-js. This directly corresponds to the upstream configuration options.

Secrets can be injected via the environment by

  • specifying services.wiki-js.environmentFile to contain secrets

  • and setting sensitive values to $(ENVIRONMENT_VAR) with this value defined in the environment-file.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wiki-js.nix>
services.wiki-js.settings.bindIP

IPs the service should listen to.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wiki-js.nix>
services.wiki-js.settings.db.db

Name of the database to use.

Type: string

Default: "wiki"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wiki-js.nix>
services.wiki-js.settings.db.host

Hostname or socket-path to connect to.

Type: string

Example: "/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wiki-js.nix>
services.wiki-js.settings.db.type

Database driver to use for persistence. Please note that sqlite is currently not supported as the build process for it is currently not implemented in pkgs.wiki-js and it’s not recommended by upstream for production use.

Type: one of “postgres”, “mysql”, “mariadb”, “mssql”

Default: "postgres"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wiki-js.nix>
services.wiki-js.settings.logLevel

Define how much detail is supposed to be logged at runtime.

Type: one of “error”, “warn”, “info”, “verbose”, “debug”, “silly”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wiki-js.nix>
services.wiki-js.settings.offline

Disable latest file updates and enable sideloading.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wiki-js.nix>
services.wiki-js.settings.port

TCP port the process should listen to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wiki-js.nix>
services.wiki-js.stateDirectoryName

Name of the directory in /var/lib.

Type: string

Default: "wiki-js"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wiki-js.nix>
services.windmill.enable

Whether to enable windmill service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/windmill.nix>
services.windmill.baseUrl

The base url that windmill will be served on.

Type: string

Default:

"https://localhost:\$\{toString config.services.windmill.serverPort}";

Example: "https://windmill.example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/windmill.nix>
services.windmill.database.createLocally

Whether to create a local database automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/windmill.nix>
services.windmill.database.name

Database name.

Type: string

Default: "windmill"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/windmill.nix>
services.windmill.database.url

Database url. Note that any secret here would be world-readable. Use services.windmill.database.urlPath unstead to include secrets in the url.

Type: string

Default:

"postgres://\$\{config.services.windmill.database.name}?host=/var/run/postgresql";

Declared by:

<nixpkgs/nixos/modules/services/web-apps/windmill.nix>
services.windmill.database.urlPath

Path to the file containing the database url windmill should connect to. This is not deducted from database user and name as it might contain a secret

Type: null or path

Default: null

Example: "config.age.secrets.DATABASE_URL_FILE.path"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/windmill.nix>
services.windmill.database.user

Database user.

Type: string

Default: "windmill"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/windmill.nix>
services.windmill.logLevel

Log level

Type: one of “error”, “warn”, “info”, “debug”, “trace”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/windmill.nix>
services.windmill.lspPort

Port the windmill lsp listens on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3001

Declared by:

<nixpkgs/nixos/modules/services/web-apps/windmill.nix>
services.windmill.serverPort

Port the windmill server listens on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8001

Declared by:

<nixpkgs/nixos/modules/services/web-apps/windmill.nix>
services.wivrn.enable

Whether to enable WiVRn, an OpenXR streaming application.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/wivrn.nix>
services.wivrn.package

The wivrn package to use.

Type: package

Default: pkgs.wivrn

Declared by:

<nixpkgs/nixos/modules/services/video/wivrn.nix>
services.wivrn.autoStart

Whether to enable starting the service by default.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/wivrn.nix>
services.wivrn.config.enable

Whether to enable configuration for WiVRn.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/wivrn.nix>
services.wivrn.config.json

Configuration for WiVRn. The attributes are serialized to JSON in config.json. If a config or certain attributes are not provided, the server will default to stock values.

Note that the application option must be either a package or a list with package as the first element.

See https://github.com/WiVRn/WiVRn/blob/master/docs/configuration.md

Type: JSON value

Default: { }

Example:

{
  scale = 0.5;
  bitrate = 100000000;
  encoders = [
    {
      encoder = "nvenc";
      codec = "h264";
      width = 1.0;
      height = 1.0;
      offset_x = 0.0;
      offset_y = 0.0;
    }
  ];
  application = [ pkgs.wlx-overlay-s ];
}

Declared by:

<nixpkgs/nixos/modules/services/video/wivrn.nix>
services.wivrn.defaultRuntime

Whether to enable WiVRn Monado as the default OpenXR runtime on the system. The config can be found at /etc/xdg/openxr/1/active_runtime.json.

Note that applications can bypass this option by setting an active runtime in a writable XDG_CONFIG_DIRS location like ~/.config .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/wivrn.nix>
services.wivrn.extraApplicationFlags

Flags to add to the wivrn-application service. This is NOT the WiVRn startup application.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/video/wivrn.nix>
services.wivrn.extraPackages

Packages to add to the wivrn-application service $PATH.

Type: list of package

Default: [ ]

Example: [ pkgs.bash pkgs.procps ]

Declared by:

<nixpkgs/nixos/modules/services/video/wivrn.nix>
services.wivrn.extraServerFlags

Flags to add to the wivrn service.

Type: list of string

Default: [ ]

Example: "[ \"--no-publish-service\" ]"

Declared by:

<nixpkgs/nixos/modules/services/video/wivrn.nix>
services.wivrn.monadoEnvironment

Environment variables to be passed to the Monado environment.

Type: attribute set

Default:

{
  IPC_EXIT_ON_DISCONNECT = "off";
  XRT_COMPOSITOR_LOG = "debug";
  XRT_PRINT_OPTIONS = "on";
}

Declared by:

<nixpkgs/nixos/modules/services/video/wivrn.nix>
services.wivrn.openFirewall

Whether to enable the default ports in the firewall for the WiVRn server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/video/wivrn.nix>
services.woodpecker-agents.agents

woodpecker-agents configurations

Type: attribute set of (submodule)

Default: { }

Example:

{
  podman = {
    environment = {
      WOODPECKER_SERVER = "localhost:9000";
      WOODPECKER_BACKEND = "docker";
      DOCKER_HOST = "unix:///run/podman/podman.sock";
    };

    extraGroups = [ "podman" ];

    environmentFile = [ "/run/secrets/woodpecker/agent-secret.txt" ];
  };

  exec = {
    environment = {
      WOODPECKER_SERVER = "localhost:9000";
      WOODPECKER_BACKEND = "local";
    };

    environmentFile = [ "/run/secrets/woodpecker/agent-secret.txt" ];

    path = [
      # Needed to clone repos
      git
      git-lfs
      woodpecker-plugin-git
      # Used by the runner as the default shell
      bash
      # Most likely to be used in pipeline definitions
      coreutils
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/woodpecker/agents.nix>
services.woodpecker-agents.agents.<name>.enable

Whether to enable this Woodpecker-Agent. Agents execute tasks generated by a Server, every install will need one server and at least one agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/woodpecker/agents.nix>
services.woodpecker-agents.agents.<name>.package

The woodpecker-agent package to use.

Type: package

Default: pkgs.woodpecker-agent

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/woodpecker/agents.nix>
services.woodpecker-agents.agents.<name>.environment

woodpecker-agent config environment variables, for other options read the documentation

Type: attribute set of string

Default: { }

Example:

{
  WOODPECKER_SERVER = "localhost:9000";
  WOODPECKER_BACKEND = "docker";
  DOCKER_HOST = "unix:///run/podman/podman.sock";
}

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/woodpecker/agents.nix>
services.woodpecker-agents.agents.<name>.environmentFile

File to load environment variables from. This is helpful for specifying secrets. Example content of environmentFile:

WOODPECKER_AGENT_SECRET=your-shared-secret-goes-here

Type: list of path

Default: [ ]

Example:

[
  "/var/secrets/woodpecker-agent.env"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/woodpecker/agents.nix>
services.woodpecker-agents.agents.<name>.extraGroups

Additional groups for the systemd service.

Type: list of string

Default: [ ]

Example:

[
  "podman"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/woodpecker/agents.nix>
services.woodpecker-agents.agents.<name>.path

Additional packages that should be added to the agent’s PATH. Mostly useful for the local backend.

Type: list of package

Default: [ ]

Example:

[
  ""
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/woodpecker/agents.nix>
services.woodpecker-server.enable

Whether to enable the Woodpecker-Server, a CI/CD application for automatic builds, deployments and tests.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/woodpecker/server.nix>
services.woodpecker-server.package

The woodpecker-server package to use.

Type: package

Default: pkgs.woodpecker-server

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/woodpecker/server.nix>
services.woodpecker-server.environment

woodpecker-server config environment variables, for other options read the documentation

Type: attribute set of string

Default: { }

Example:

{
  WOODPECKER_HOST = "https://woodpecker.example.com";
  WOODPECKER_OPEN = "true";
  WOODPECKER_GITEA = "true";
  WOODPECKER_GITEA_CLIENT = "ffffffff-ffff-ffff-ffff-ffffffffffff";
  WOODPECKER_GITEA_URL = "https://git.example.com";
}

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/woodpecker/server.nix>
services.woodpecker-server.environmentFile

File to load environment variables from. This is helpful for specifying secrets. Example content of environmentFile:

WOODPECKER_AGENT_SECRET=your-shared-secret-goes-here
WOODPECKER_GITEA_SECRET=gto_**************************************

Type: (list of path) or path convertible to it

Default: [ ]

Example:

[
  "/root/woodpecker-server.env"
]

Declared by:

<nixpkgs/nixos/modules/services/continuous-integration/woodpecker/server.nix>
services.wordpress.sites

Specification of one or more WordPress sites to serve

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.package

The wordpress package to use.

Type: package

Default: pkgs.wordpress

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.database.createLocally

Create the database and database user locally.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.database.name

Database name.

Type: string

Default: "wordpress"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/wordpress-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.database.socket

Path to the unix socket file to use for authentication.

Type: null or path

Default: /run/mysqld/mysqld.sock

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.database.tablePrefix

The $table_prefix is the value placed in the front of your database tables. Change the value if you want to use something other than wp_ for your database prefix. Typically this is changed if you are installing multiple WordPress blogs in the same database.

See https://codex.wordpress.org/Editing_wp-config.php#table_prefix.

Type: string

Default: "wp_"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.database.user

Database user.

Type: string

Default: "wordpress"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.extraConfig

Any additional text to be appended to the wp-config.php configuration file. This is a PHP script. For configuration settings, see https://codex.wordpress.org/Editing_wp-config.php.

Note: Please pass structured settings via services.wordpress.sites.‹name›.settings instead.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  @ini_set( 'log_errors', 'Off' );
  @ini_set( 'display_errors', 'On' );
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.fontsDir

This directory is used to download fonts from a remote location, e.g. to host google fonts locally.

Type: path

Default: "/var/lib/wordpress/‹name›/fonts"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.languages

List of path(s) to respective language(s) which are copied from the ‘languages’ directory.

Type: list of path

Default: [ ]

Example:

[
  # Let's package the German language.
  # For other languages try to replace language and country code in the download URL with your desired one.
  # Reference https://translate.wordpress.org for available translations and
  # codes.
  (pkgs.stdenv.mkDerivation {
    name = "language-de";
    src = pkgs.fetchurl {
      url = "https://de.wordpress.org/wordpress-${pkgs.wordpress.version}-de_DE.tar.gz";
      # Name is required to invalidate the hash when wordpress is updated
      name = "wordpress-${pkgs.wordpress.version}-language-de";
      sha256 = "sha256-dlas0rXTSV4JAl8f/UyMbig57yURRYRhTMtJwF9g8h0=";
    };
    installPhase = "mkdir -p $out; cp -r ./wp-content/languages/* $out/";
  })
];

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.mergedConfig

Read only representation of the final configuration.

Type: unspecified value (read only)

Default:

{
  DISALLOW_FILE_EDIT = true;
  AUTOMATIC_UPDATER_DISABLED = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.plugins

Path(s) to respective plugin(s) which are copied from the ‘plugins’ directory.

Note

These plugins need to be packaged before use, see example.

Type: (attribute set of path) or (list of path) convertible to it

Default: { }

Example:

{
  inherit (pkgs.wordpressPackages.plugins) embed-pdf-viewer-plugin;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.poolConfig

Options for the WordPress PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.settings

Structural Wordpress configuration. Refer to https://developer.wordpress.org/apis/wp-config-php for details and supported values.

Type: attribute set of anything

Default: { }

Example:

{
  WP_DEFAULT_THEME = "twentytwentytwo";
  WP_SITEURL = "https://example.org";
  WP_HOME = "https://example.org";
  WP_DEBUG = true;
  WP_DEBUG_DISPLAY = true;
  WPLANG = "de_DE";
  FORCE_SSL_ADMIN = true;
  AUTOMATIC_UPDATER_DISABLED = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.themes

Path(s) to respective theme(s) which are copied from the ‘theme’ directory.

Note

These themes need to be packaged before use, see example.

Type: (attribute set of path) or (list of path) convertible to it

Default: { inherit (pkgs.wordpressPackages.themes) twentytwentyfive; }

Example:

{
  inherit (pkgs.wordpressPackages.themes) responsive-theme;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.uploadsDir

This directory is used for uploads of pictures. The directory passed here is automatically created and permissions adjusted as required.

Type: path

Default: "/var/lib/wordpress/‹name›/uploads"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost

Apache configuration can be done by adapting services.httpd.virtualHosts.

Type: submodule

Example:

{
  adminAddr = "webmaster@example.org";
  forceSSL = true;
  enableACME = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.enableUserDir

Whether to enable serving ~/public_html as /~«username».

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.acmeRoot

Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.adminAddr

E-mail address of the server administrator.

Type: null or string

Default: null

Example: "admin@example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.documentRoot

The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.extraConfig

These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  <Directory /home>
    Options FollowSymlinks
    AllowOverride All
  </Directory>
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.forceSSL

Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.globalRedirect

If set, all requests for this host are redirected permanently to the given URL.

Type: null or string

Default: null

Example: "http://newserver.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.hostName

Canonical hostname for the server.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.http2

Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config for details.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.listen

Listen addresses and ports for this virtual host.

Note

This option overrides addSSL, forceSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    ip = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    ip = "192.154.1.1";
    port = 80;
  }
  {
    ip = "*";
    port = 8080;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.listen.*.ip

IP to listen on. 0.0.0.0 for IPv4 only, * for all.

Type: string

Default: "*"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.listen.*.port

Port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.listen.*.ssl

Whether to enable SSL (https) support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Type: non-empty (list of string)

Default:

[
  "*"
]

Example:

[
  "127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.locations

Declarative location config. See https://httpd.apache.org/docs/2.4/mod/core.html#location for details.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
  "/foo/bar.png" = {
    alias = "/home/eelco/some-file.png";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.locations.<name>.alias

Alias directory for requests. See https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.locations.<name>.index

Adds DirectoryIndex directive. See https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.locations.<name>.proxyPass

Sets up a simple reverse proxy as described by https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.logFormat

Log format for Apache’s log files. Possible values are: combined, common, referer, agent.

Type: string

Default: "common"

Example: "combined"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.robotsEntries

Specification of pages to be ignored by web crawlers. See http://www.robotstxt.org/ for details.

Type: strings concatenated with “\n”

Default: ""

Example: "Disallow: /foo/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.servedDirs

This option provides a simple way to serve static directories.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    dir = "/home/eelco/Dev/nix-homepage";
    urlPath = "/nix";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.servedFiles

This option provides a simple way to serve individual, static files.

Note

This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the locations.<name>.alias option.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    file = "/home/eelco/some-file.png";
    urlPath = "/foo/bar.png";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "www.example.org:8080"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.sslServerCert

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.sslServerChain

Path to server SSL chain file.

Type: null or path

Default: null

Example: "/var/ca.pem"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.sslServerKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.sites.<name>.virtualHost.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.wordpress.webserver

Whether to use apache2 or nginx for virtual host management.

Further nginx configuration can be done by adapting services.nginx.virtualHosts.<name>. See services.nginx.virtualHosts for further information.

Further apache2 configuration can be done by adapting services.httpd.virtualHosts.<name>. See services.httpd.virtualHosts for further information.

Type: one of “httpd”, “nginx”, “caddy”

Default: "httpd"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/wordpress.nix>
services.workout-tracker.enable

Whether to enable workout tracking web application for personal use (or family, friends), geared towards running and other GPX-based activities.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/workout-tracker.nix>
services.workout-tracker.package

The workout-tracker package to use.

Type: package

Default: pkgs.workout-tracker

Declared by:

<nixpkgs/nixos/modules/services/misc/workout-tracker.nix>
services.workout-tracker.address

Web interface address.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/misc/workout-tracker.nix>
services.workout-tracker.environmentFile

An environment file as defined in systemd.exec(5).

Secrets like WT_JWT_ENCRYPTION_KEY may be passed to the service without adding them to the world-readable Nix store.

Type: null or path

Default: null

Example: "/run/keys/workout-tracker.env"

Declared by:

<nixpkgs/nixos/modules/services/misc/workout-tracker.nix>
services.workout-tracker.port

Web interface port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/misc/workout-tracker.nix>
services.workout-tracker.settings

Extra config options.

Type: attribute set of string

Default: { }

Example:

{
  WT_DATABASE_DRIVER = "sqlite";
  WT_DEBUG = "false";
  WT_DSN = "./database.db";
  WT_LOGGING = "true";
}

Declared by:

<nixpkgs/nixos/modules/services/misc/workout-tracker.nix>
services.writefreely.enable

Whether to enable Writefreely, build a digital writing community.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.package

Writefreely package to use.

Type: package

Default: pkgs.writefreely

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.acme.enable

Whether or not to automatically fetch and configure SSL certs.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.admin.initialPasswordFile

Path to a file containing the initial password for the admin user. If not provided, the default password will be set to nixos.

Type: path

Default: "/nix/store/xxx-default-admin-pass"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.admin.name

The name of the first admin user.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.database.createLocally

When services.writefreely.database.type is set to "mysql", this option will enable the MySQL service locally.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.database.host

The database host to connect to.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.database.migrate

Whether or not to automatically run migrations on startup.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.database.name

The name of the database to store data in.

Type: string

Default: "writefreely"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.database.passwordFile

The file to load the database password from.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.database.port

The port used when connecting to the database host.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3306

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.database.tls

Whether or not TLS should be used for the database connection.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.database.type

The database provider to use.

Type: one of “sqlite3”, “mysql”

Default: "sqlite3"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.database.user

The database user to connect as.

Type: null or string

Default: "writefreely"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.group

Group under which Writefreely is ran.

Type: string

Default: "writefreely"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.host

The public host name to serve.

Type: string

Default: ""

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.nginx.enable

Whether or not to enable and configure nginx as a proxy for WriteFreely.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.nginx.forceSSL

Whether or not to force the use of SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.settings

Writefreely configuration (config.ini). Refer to https://writefreely.org/docs/latest/admin/config for details.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.settings.app.theme

The theme to apply.

Type: string

Default: "write"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.settings.server.port

The port WriteFreely should listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: "80"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.stateDir

The state directory where keys and data are stored.

Type: path

Default: "/var/lib/writefreely"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.writefreely.user

User under which Writefreely is ran.

Type: string

Default: "writefreely"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/writefreely.nix>
services.wstunnel.enable

Whether to enable wstunnel.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients

wstunnel clients to set up.

Type: attribute set of (submodule)

Default: { }

Example:

{
  wg-tunnel = {
    connectTo = "wss://wstunnel.server.com:8443";
    localToRemote = [
      "tcp://1212:google.com:443"
      "tcp://2:n.lan:4?proxy_protocol"
    ];
    remoteToLocal = [
      "socks5://[::1]:1212"
      "unix://wstunnel.sock:g.com:443"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.enable

Whether to enable this wstunnel instance.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.package

The wstunnel package to use.

Type: package

Default: pkgs.wstunnel

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.addNetBind

Whether to enable Whether add CAP_NET_BIND_SERVICE to the tunnel service, this should be enabled if you want to bind port < 1024.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.autoStart

Whether to enable starting this wstunnel instance automatically.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.connectTo

Server address and port to connect to.

Type: string

Example: "https://wstunnel.server.com:8443"

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.customHeaders

Custom HTTP headers to send during the upgrade request.

Type: attribute set of string

Default: { }

Example:

{
  X-Some-Header = "some-value";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.environmentFile

Environment file to be passed to the systemd service. Useful for passing secrets to the service to prevent them from being world-readable in the Nix store. Note however that the secrets are passed to wstunnel through the command line, which makes them locally readable for all users of the system at runtime.

Type: null or path

Default: null

Example: "/var/lib/secrets/wstunnelSecrets"

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.extraArgs

Extra command line arguments to pass to wstunnel. Attributes of the form argName = true; will be translated to --argName, and argName = \"value\" to --argName value.

Type: attribute set of (string or boolean)

Default: { }

Example:

{
  someNewOption = true;
  someNewOptionWithValue = "someValue";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.httpProxy

Proxy to use to connect to the wstunnel server (USER:PASS@HOST:PORT).

Warning

Passwords specified here will be world-readable in the Nix store! To pass a password to the service, point the environmentFile option to a file containing PROXY_PASSWORD=<your-password-here> and set this option to <user>:$PROXY_PASSWORD@<host>:<port>. Note however that this will also locally leak the passwords at runtime via e.g. /proc/<pid>/cmdline.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.localToRemote

Listen on local and forwards traffic from remote.

Type: list of string

Default: [ ]

Example:

[
  "tcp://1212:google.com:443"
  "unix:///tmp/wstunnel.sock:g.com:443"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.loggingLevel

Passed to --log-lvl

Control the log verbosity. i.e: TRACE, DEBUG, INFO, WARN, ERROR, OFF For more details, checkout EnvFilter

Type: null or string

Default: null

Example: "INFO"

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.remoteToLocal

Listen on remote and forwards traffic from local. Only tcp is supported

Type: list of string

Default: [ ]

Example:

[
  "tcp://1212:google.com:443"
  "unix://wstunnel.sock:g.com:443"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.soMark

Mark network packets with the SO_MARK sockoption with the specified value. Setting this option will also enable the required CAP_NET_ADMIN capability for the systemd service.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.tlsSNI

Use this as the SNI while connecting via TLS. Useful for circumventing hostname-based firewalls.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.tlsVerifyCertificate

Whether to verify the TLS certificate of the server. It might be useful to set this to false when working with the tlsSNI option.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.upgradeCredentials

Use these credentials to authenticate during the HTTP upgrade request (Basic authorization type, USER:[PASS]).

Warning

Passwords specified here will be world-readable in the Nix store! To pass a password to the service, point the environmentFile option to a file containing HTTP_PASSWORD=<your-password-here> and set this option to <user>:$HTTP_PASSWORD. Note however that this will also locally leak the passwords at runtime via e.g. /proc/<pid>/cmdline.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.upgradePathPrefix

Use a specific HTTP path prefix that will show up in the upgrade request to the wstunnel server. Useful when running wstunnel behind a reverse proxy.

Type: null or string

Default: null

Example: "wstunnel"

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.clients.<name>.websocketPingInterval

Frequency at which the client will send websocket ping to the server.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers

wstunnel servers to set up.

Type: attribute set of (submodule)

Default: { }

Example:

{
  wg-tunnel = {
    enableHTTPS = true;
    listen = {
      host = "0.0.0.0";
      port = 8080;
    };
    restrictTo = [
      {
        host = "127.0.0.1";
        port = 51820;
      }
    ];
    tlsCertificate = "/var/lib/secrets/fullchain.pem";
    tlsKey = "/var/lib/secrets/key.pem";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.enable

Whether to enable this wstunnel instance.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.enableHTTPS

Use HTTPS for the tunnel server.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.package

The wstunnel package to use.

Type: package

Default: pkgs.wstunnel

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.autoStart

Whether to enable starting this wstunnel instance automatically.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.environmentFile

Environment file to be passed to the systemd service. Useful for passing secrets to the service to prevent them from being world-readable in the Nix store. Note however that the secrets are passed to wstunnel through the command line, which makes them locally readable for all users of the system at runtime.

Type: null or path

Default: null

Example: "/var/lib/secrets/wstunnelSecrets"

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.extraArgs

Extra command line arguments to pass to wstunnel. Attributes of the form argName = true; will be translated to --argName, and argName = \"value\" to --argName value.

Type: attribute set of (string or boolean)

Default: { }

Example:

{
  someNewOption = true;
  someNewOptionWithValue = "someValue";
}

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.listen

Address and port to listen on. Setting the port to a value below 1024 will also give the process the required CAP_NET_BIND_SERVICE capability.

Type: submodule

Default:

{
  host = "0.0.0.0";
  port = if enableHTTPS then 443 else 80;
}

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.listen.host

The hostname.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.listen.port

The port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.loggingLevel

Passed to --log-lvl

Control the log verbosity. i.e: TRACE, DEBUG, INFO, WARN, ERROR, OFF For more details, checkout EnvFilter

Type: null or string

Default: null

Example: "INFO"

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.restrictTo

Accepted traffic will be forwarded only to this service.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    host = "127.0.0.1";
    port = 51820;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.restrictTo.*.host

The hostname.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.restrictTo.*.port

The port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.tlsCertificate

TLS certificate to use instead of the hardcoded one in case of HTTPS connections. Use together with tlsKey.

Type: null or path

Default: null

Example: "/var/lib/secrets/cert.pem"

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.tlsKey

TLS key to use instead of the hardcoded on in case of HTTPS connections. Use together with tlsCertificate.

Type: null or path

Default: null

Example: "/var/lib/secrets/key.pem"

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.useACMEHost

Use a certificate generated by the NixOS ACME module for the given host. Note that this will not generate a new certificate - you will need to do so with security.acme.certs.

Type: null or string

Default: null

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wstunnel.servers.<name>.websocketPingInterval

Frequency at which the client will send websocket ping to the server.

Type: null or (unsigned integer, meaning >=0)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/networking/wstunnel.nix>
services.wyoming.faster-whisper.package

The wyoming-faster-whisper package to use.

Type: package

Default: pkgs.wyoming-faster-whisper

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/faster-whisper.nix>
services.wyoming.faster-whisper.servers

Attribute set of faster-whisper instances to spawn.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/faster-whisper.nix>
services.wyoming.faster-whisper.servers.<name>.enable

Whether to enable Wyoming faster-whisper server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/faster-whisper.nix>
services.wyoming.faster-whisper.servers.<name>.beamSize

The number of beams to use in beam search.

Type: unsigned integer, meaning >=0

Default: 1

Example: 5

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/faster-whisper.nix>
services.wyoming.faster-whisper.servers.<name>.device

Determines the platform faster-whisper is run on. CPU works everywhere, CUDA requires a compatible NVIDIA GPU.

Type: one of “cpu”, “cuda”, “auto”

Default: "cpu"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/faster-whisper.nix>
services.wyoming.faster-whisper.servers.<name>.extraArgs

Extra arguments to pass to the server commandline.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/faster-whisper.nix>
services.wyoming.faster-whisper.servers.<name>.language

The language used to to parse words and sentences.

Type: one of “auto”, “af”, “am”, “ar”, “as”, “az”, “ba”, “be”, “bg”, “bn”, “bo”, “br”, “bs”, “ca”, “cs”, “cy”, “da”, “de”, “el”, “en”, “es”, “et”, “eu”, “fa”, “fi”, “fo”, “fr”, “gl”, “gu”, “ha”, “haw”, “he”, “hi”, “hr”, “ht”, “hu”, “hy”, “id”, “is”, “it”, “ja”, “jw”, “ka”, “kk”, “km”, “kn”, “ko”, “la”, “lb”, “ln”, “lo”, “lt”, “lv”, “mg”, “mi”, “mk”, “ml”, “mn”, “mr”, “ms”, “mt”, “my”, “ne”, “nl”, “nn”, “no”, “oc”, “pa”, “pl”, “ps”, “pt”, “ro”, “ru”, “sa”, “sd”, “si”, “sk”, “sl”, “sn”, “so”, “sq”, “sr”, “su”, “sv”, “sw”, “ta”, “te”, “tg”, “th”, “tk”, “tl”, “tr”, “tt”, “uk”, “ur”, “uz”, “vi”, “yi”, “yo”, “zh”

Example: "en"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/faster-whisper.nix>
services.wyoming.faster-whisper.servers.<name>.model

Name of the voice model to use.

Check the 2.0.0 release notes for possible values.

Type: string

Default: "tiny-int8"

Example: "Systran/faster-distil-whisper-small.en"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/faster-whisper.nix>
services.wyoming.faster-whisper.servers.<name>.uri

URI to bind the wyoming server to.

Type: string matching the pattern ^(tcp|unix)://.*$

Example: "tcp://0.0.0.0:10300"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/faster-whisper.nix>
services.wyoming.openwakeword.enable

Whether to enable Wyoming openWakeWord server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/openwakeword.nix>
services.wyoming.openwakeword.package

The wyoming-openwakeword package to use.

Type: package

Default: pkgs.wyoming-openwakeword

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/openwakeword.nix>
services.wyoming.openwakeword.customModelsDirectories

Paths to directories with custom wake word models (*.tflite model files).

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/openwakeword.nix>
services.wyoming.openwakeword.extraArgs

Extra arguments to pass to the server commandline.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/openwakeword.nix>
services.wyoming.openwakeword.preloadModels

List of wake word models to preload after startup.

Type: list of string

Default:

[
  "ok_nabu"
]

Example:

[
  "alexa"
  "hey_jarvis"
  "hey_mycroft"
  "hey_rhasspy"
  "ok_nabu"
]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/openwakeword.nix>
services.wyoming.openwakeword.threshold

Activation threshold (0-1), where higher means fewer activations.

See trigger level for the relationship between activations and wake word detections.

Type: floating point number

Default: 0.5

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/openwakeword.nix>
services.wyoming.openwakeword.triggerLevel

Number of activations before a detection is registered.

A higher trigger level means fewer detections.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/openwakeword.nix>
services.wyoming.openwakeword.uri

URI to bind the wyoming server to.

Type: string matching the pattern ^(tcp|unix)://.*$

Default: "tcp://0.0.0.0:10400"

Example: "tcp://192.0.2.1:5000"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/openwakeword.nix>
services.wyoming.piper.package

The wyoming-piper package to use.

Type: package

Default: pkgs.wyoming-piper

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/piper.nix>
services.wyoming.piper.servers

Attribute set of piper instances to spawn.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/piper.nix>
services.wyoming.piper.servers.<name>.enable

Whether to enable Wyoming Piper server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/piper.nix>
services.wyoming.piper.servers.<name>.extraArgs

Extra arguments to pass to the server commandline.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/piper.nix>
services.wyoming.piper.servers.<name>.lengthScale

Phoneme length value.

Type: floating point number

Default: 1.0

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/piper.nix>
services.wyoming.piper.servers.<name>.noiseScale

Generator noise value.

Type: floating point number

Default: 0.667

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/piper.nix>
services.wyoming.piper.servers.<name>.noiseWidth

Phoneme width noise value.

Type: floating point number

Default: 0.333

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/piper.nix>
services.wyoming.piper.servers.<name>.piper

The piper-tts package to use.

Type: package

Default: pkgs.piper-tts

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/piper.nix>
services.wyoming.piper.servers.<name>.speaker

ID of a specific speaker in a multi-speaker model.

Type: unsigned integer, meaning >=0

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/piper.nix>
services.wyoming.piper.servers.<name>.uri

URI to bind the wyoming server to.

Type: string matching the pattern ^(tcp|unix)://.*$

Example: "tcp://0.0.0.0:10200"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/piper.nix>
services.wyoming.piper.servers.<name>.voice

Name of the voice model to use. See the following website for samples: https://rhasspy.github.io/piper-samples/

Type: string

Example: "en-us-ryan-medium"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/piper.nix>
services.wyoming.satellite.enable

Whether to enable Wyoming Satellite.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.package

The wyoming-satellite package to use.

Type: package

Default: pkgs.wyoming-satellite

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.area

Area to the satellite.

Type: null or string

Default: null

Example: "Kitchen"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.extraArgs

Extra arguments to pass to the executable.

Check wyoming-satellite --help for possible options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.group

Group to run wyoming-satellite under.

Type: string

Default: "users"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.microphone.autoGain

Automatic gain control in dbFS, with 31 being the loudest value. Set to 0 to disable.

Type: integer between 0 and 31 (both inclusive)

Default: 5

Example: 15

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.microphone.command

Program to run for audio input.

Type: string

Default: "arecord -r 16000 -c 1 -f S16_LE -t raw"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.microphone.noiseSuppression

Noise suppression level with 4 being the maximum suppression, which may cause audio distortion. Set to 0 to disable.

Type: integer between 0 and 4 (both inclusive)

Default: 2

Example: 3

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.name

Name of the satellite.

Type: string

Default:

config.networking.hostName

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.sound.command

Program to run for sound output.

Type: null or string

Default: "aplay -r 22050 -c 1 -f S16_LE -t raw"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.sounds.awake

Path to audio file in WAV format to play when wake word is detected.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.sounds.done

Path to audio file in WAV format to play when voice command recording has ended.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.uri

URI where wyoming-satellite will bind its socket.

Type: string

Default: "tcp://0.0.0.0:10700"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.user

User to run wyoming-satellite under.

Type: string

Example: "alice"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.wyoming.satellite.vad.enable

Whether to enable voice activity detection.

Enabling will result in only streaming audio, when speech gets detected.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/wyoming/satellite.nix>
services.x2goserver.enable

Enables the x2goserver module. NOTE: This will create a good amount of symlinks in /usr/local/bin

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/x2goserver.nix>
services.x2goserver.nxagentDefaultOptions

List of default nx agent options.

Type: list of string

Default:

[
  "-extension GLX"
  "-nolisten tcp"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/x2goserver.nix>
services.x2goserver.settings

x2goserver.conf ini configuration as nix attributes. See x2goserver.conf(5) for details

Type: attribute set of (attribute set)

Default: { }

Example:

{
  superenicer = {
    "enable" = "yes";
    "idle-nice-level" = 19;
  };
  telekinesis = { "enable" = "no"; };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/x2goserver.nix>
services.x2goserver.superenicer.enable

Enables the SupeReNicer code in x2gocleansessions, this will renice suspended sessions to nice level 19 and renice them to level 0 if the session becomes marked as running again

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/x2goserver.nix>
services.xandikos.enable

Whether to enable Xandikos CalDAV and CardDAV server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/xandikos.nix>
services.xandikos.package

The xandikos package to use.

Type: package

Default: pkgs.xandikos

Declared by:

<nixpkgs/nixos/modules/services/networking/xandikos.nix>
services.xandikos.address

The IP address on which Xandikos will listen. By default listens on localhost.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/networking/xandikos.nix>
services.xandikos.extraOptions

Extra command line arguments to pass to xandikos.

Type: list of string

Default: [ ]

Example:

[ "--autocreate"
  "--defaults"
  "--current-user-principal user"
  "--dump-dav-xml"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/xandikos.nix>
services.xandikos.nginx

Configuration for nginx reverse proxy.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/xandikos.nix>
services.xandikos.nginx.enable

Configure the nginx reverse proxy settings.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/xandikos.nix>
services.xandikos.nginx.hostName

The hostname use to setup the virtualhost configuration

Type: string

Declared by:

<nixpkgs/nixos/modules/services/networking/xandikos.nix>
services.xandikos.port

The port of the Xandikos web application

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/networking/xandikos.nix>
services.xandikos.routePrefix

Path to Xandikos. Useful when Xandikos is behind a reverse proxy.

Type: string

Default: "/"

Declared by:

<nixpkgs/nixos/modules/services/networking/xandikos.nix>
services.xbanish.enable

Whether to enable xbanish.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/xbanish.nix>
services.xbanish.arguments

Arguments to pass to xbanish command

Type: string

Default: ""

Example: "-d -i shift"

Declared by:

<nixpkgs/nixos/modules/services/x11/xbanish.nix>
services.xe-guest-utilities.enable

Whether to enable the XenServer guest utilities daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/xe-guest-utilities.nix>
services.xfs.enable

Whether to enable the X Font Server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/xfs.nix>
services.xinetd.enable

Whether to enable the xinetd super-server daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/xinetd.nix>
services.xinetd.extraDefaults

Additional configuration lines added to the default section of xinetd’s configuration.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/xinetd.nix>
services.xinetd.services

A list of services provided by xinetd.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/xinetd.nix>
services.xinetd.services.*.extraConfig

Extra configuration-lines added to the section of the service.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/xinetd.nix>
services.xinetd.services.*.flags

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/xinetd.nix>
services.xinetd.services.*.name

Name of the service.

Type: string

Example: "login"

Declared by:

<nixpkgs/nixos/modules/services/networking/xinetd.nix>
services.xinetd.services.*.port

Port number of the service.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 0

Example: 123

Declared by:

<nixpkgs/nixos/modules/services/networking/xinetd.nix>
services.xinetd.services.*.protocol

Protocol of the service. Usually tcp or udp.

Type: string

Default: "tcp"

Declared by:

<nixpkgs/nixos/modules/services/networking/xinetd.nix>
services.xinetd.services.*.server

Path of the program that implements the service.

Type: string

Example: "/foo/bin/ftpd"

Declared by:

<nixpkgs/nixos/modules/services/networking/xinetd.nix>
services.xinetd.services.*.serverArgs

Command-line arguments for the server program.

Type: strings concatenated with " "

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/xinetd.nix>
services.xinetd.services.*.unlisted

Whether this server is listed in /etc/services. If so, the port number can be omitted.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/xinetd.nix>
services.xinetd.services.*.user

User account for the service

Type: string

Default: "nobody"

Declared by:

<nixpkgs/nixos/modules/services/networking/xinetd.nix>
services.xl2tpd.enable

Whether to enable xl2tpd, the Layer 2 Tunnelling Protocol Daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/xl2tpd.nix>
services.xl2tpd.clientIpRange

The range from which client IPs are drawn.

Type: string

Default: "10.125.125.2-11"

Declared by:

<nixpkgs/nixos/modules/services/networking/xl2tpd.nix>
services.xl2tpd.extraPppdOptions

Adds extra lines to the pppd options file.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  ms-dns 8.8.8.8
  ms-dns 8.8.4.4
''

Declared by:

<nixpkgs/nixos/modules/services/networking/xl2tpd.nix>
services.xl2tpd.extraXl2tpOptions

Adds extra lines to the xl2tpd configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/xl2tpd.nix>
services.xl2tpd.serverIp

The server-side IP address.

Type: string

Default: "10.125.125.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/xl2tpd.nix>
services.xmrig.enable

Whether to enable XMRig Mining Software.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/xmrig.nix>
services.xmrig.package

The xmrig package to use.

Type: package

Default: pkgs.xmrig

Example: xmrig-mo

Declared by:

<nixpkgs/nixos/modules/services/misc/xmrig.nix>
services.xmrig.settings

XMRig configuration. Refer to https://xmrig.com/docs/miner/config for details on supported values.

Type: JSON value

Default: { }

Example:

{
  autosave = true;
  cpu = true;
  opencl = false;
  cuda = false;
  pools = [
    {
      url = "pool.supportxmr.com:443";
      user = "your-wallet";
      keepalive = true;
      tls = true;
    }
  ]
}

Declared by:

<nixpkgs/nixos/modules/services/misc/xmrig.nix>
services.xonotic.enable

Whether to enable Xonotic dedicated server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xonotic.package

The xonotic-dedicated package to use.

Type: package

Default: pkgs.xonotic-dedicated

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xonotic.appendConfig

Literal text to insert at the end of server.cfg.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xonotic.dataDir

Data directory.

Type: path (read only)

Default: "/var/lib/xonotic"

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xonotic.openFirewall

Open the firewall for TCP and UDP on the specified port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xonotic.prependConfig

Literal text to insert at the start of server.cfg.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xonotic.settings

Generates the server.cfg file. Refer to upstream’s example for details.

Type: attribute set of ((optionally newline-terminated) single-line string or signed integer or floating point number or non-empty (list of ((optionally newline-terminated) single-line string or signed integer or floating point number)))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xonotic.settings.hostname

The name that will appear in the server list. $g_xonoticversion gets replaced with the current version.

Type: (optionally newline-terminated) single-line string

Default: "Xonotic $g_xonoticversion Server"

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xonotic.settings.maxplayers

Number of player slots on the server, including spectators.

Type: signed integer

Default: 16

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xonotic.settings.net_address

The address Xonotic will listen on.

Type: (optionally newline-terminated) single-line string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xonotic.settings.port

The port Xonotic will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 26000

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xonotic.settings.sv_motd

Text displayed when players join the server.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xonotic.settings.sv_public

Controls whether the server will be publicly listed.

Type: signed integer

Default: 0

Example:

[
  -1
  1
]

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xonotic.settings.sv_termsofservice_url

URL for the Terms of Service for playing on your server.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/games/xonotic.nix>
services.xray.enable

Whether to run xray server.

Either settingsFile or settings must be specified.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/xray.nix>
services.xray.package

The xray package to use.

Type: package

Default: pkgs.xray

Declared by:

<nixpkgs/nixos/modules/services/networking/xray.nix>
services.xray.settings

The configuration object.

Either settingsFile or settings must be specified.

See https://www.v2fly.org/en_US/config/overview.html.

Type: null or (attribute set of unspecified value)

Default: null

Example:

{
  inbounds = [
    {
      listen = "127.0.0.1";
      port = 1080;
      protocol = "http";
    }
  ];
  outbounds = [
    {
      protocol = "freedom";
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/networking/xray.nix>
services.xray.settingsFile

The absolute path to the configuration file.

Either settingsFile or settings must be specified.

See https://www.v2fly.org/en_US/config/overview.html.

Type: null or path

Default: null

Example: "/etc/xray/config.json"

Declared by:

<nixpkgs/nixos/modules/services/networking/xray.nix>
services.xrdp.enable

Whether to enable xrdp, the Remote Desktop Protocol server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/xrdp.nix>
services.xrdp.package

The xrdp package to use.

Type: package

Default: pkgs.xrdp

Declared by:

<nixpkgs/nixos/modules/services/networking/xrdp.nix>
services.xrdp.audio.enable

Whether to enable audio support for xrdp sessions. So far it only works with PulseAudio sessions on the server side. No PipeWire support yet.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/xrdp.nix>
services.xrdp.audio.package

The pulseaudio-module-xrdp package to use.

Type: package

Default: pkgs.pulseaudio-module-xrdp

Declared by:

<nixpkgs/nixos/modules/services/networking/xrdp.nix>
services.xrdp.defaultWindowManager

The script to run when user log in, usually a window manager, e.g. “icewm”, “xfce4-session” This is per-user overridable, if file ~/startwm.sh exists it will be used instead.

Type: string

Default: "xterm"

Example: "xfce4-session"

Declared by:

<nixpkgs/nixos/modules/services/networking/xrdp.nix>
services.xrdp.extraConfDirCommands

Extra commands to run on the default confDir derivation.

Type: string

Default: ""

Example:

''
  substituteInPlace $out/sesman.ini \
    --replace LogLevel=INFO LogLevel=DEBUG \
    --replace LogFile=/dev/null LogFile=/var/log/xrdp.log
''

Declared by:

<nixpkgs/nixos/modules/services/networking/xrdp.nix>
services.xrdp.openFirewall

Whether to open the firewall for the specified RDP port.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/xrdp.nix>
services.xrdp.port

Specifies on which port the xrdp daemon listens.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3389

Declared by:

<nixpkgs/nixos/modules/services/networking/xrdp.nix>
services.xrdp.sslCert

ssl certificate path A self-signed certificate will be generated if file not exists.

Type: string

Default: "/etc/xrdp/cert.pem"

Example: "/path/to/your/cert.pem"

Declared by:

<nixpkgs/nixos/modules/services/networking/xrdp.nix>
services.xrdp.sslKey

ssl private key path A self-signed certificate will be generated if file not exists.

Type: string

Default: "/etc/xrdp/key.pem"

Example: "/path/to/your/key.pem"

Declared by:

<nixpkgs/nixos/modules/services/networking/xrdp.nix>
services.xscreensaver.enable

Whether to enable xscreensaver user service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/xscreensaver.nix>
services.xscreensaver.package

Which xscreensaver package to use.

Type: package

Default: pkgs.xscreensaver

Declared by:

<nixpkgs/nixos/modules/services/x11/xscreensaver.nix>
services.xserver.enable

Whether to enable the X server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.enableCtrlAltBackspace

Whether to enable the DontZap option, which binds Ctrl+Alt+Backspace to forcefully kill X. This can lead to data loss and is disabled by default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.enableTCP

Whether to allow the X server to accept TCP connections.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.enableTearFree

Whether to enable the TearFree option in the first Device section.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.autoRepeatDelay

Sets the autorepeat delay (length of time in milliseconds that a key must be depressed before autorepeat starts).

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.autoRepeatInterval

Sets the autorepeat interval (length of time in milliseconds that should elapse between autorepeat-generated keystrokes).

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.autorun

Whether to start the X server automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.cmt.enable

Enable chrome multitouch input (cmt). Touchpad drivers that are configured for chromebooks.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/cmt.nix>
services.xserver.cmt.models

Which models to enable cmt for. Enter the Code Name for your Chromebook. Code Name can be found at https://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices.

Type: one of “atlas”, “banjo”, “candy”, “caroline”, “cave”, “celes”, “clapper”, “cyan”, “daisy”, “elan”, “elm”, “enguarde”, “eve”, “expresso”, “falco”, “gandof”, “glimmer”, “gnawty”, “heli”, “kevin”, “kip”, “leon”, “lulu”, “orco”, “pbody”, “peppy”, “pi”, “pit”, “puppy”, “quawks”, “rambi”, “samus”, “snappy”, “spring”, “squawks”, “swanky”, “winky”, “wolf”, “auron_paine”, “auron_yuna”, “daisy_skate”, “nyan_big”, “nyan_blaze”, “veyron_jaq”, “veyron_jerry”, “veyron_mighty”, “veyron_minnie”, “veyron_speedy”

Example: "banjo"

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/cmt.nix>
services.xserver.config

The contents of the configuration file of the X server (xorg.conf).

This option is set by multiple modules, and the configs are concatenated together.

In Xorg configs the last config entries take precedence, so you may want to use lib.mkAfter on this option to override NixOS’s defaults.

Type: strings concatenated with “\n”

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.defaultDepth

Default colour depth.

Type: signed integer

Default: 0

Example: 8

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.desktopManager.budgie.enable

Whether to enable the Budgie desktop.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/budgie.nix>
services.xserver.desktopManager.budgie.extraGSettingsOverridePackages

List of packages for which GSettings are overridden.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/budgie.nix>
services.xserver.desktopManager.budgie.extraGSettingsOverrides

Additional GSettings overrides.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/budgie.nix>
services.xserver.desktopManager.budgie.extraPlugins

Extra plugins for the Budgie desktop

Type: list of package

Default: [ ]

Example: [ pkgs.budgie-analogue-clock-applet ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/budgie.nix>
services.xserver.desktopManager.budgie.sessionPath

Additional list of packages to be added to the session search path. Useful for GSettings-conditional autostart.

Note that this should be a last resort; patching the package is preferred (see GPaste).

Type: list of package

Default: [ ]

Example: [ pkgs.gpaste ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/budgie.nix>
services.xserver.desktopManager.cde.enable

Whether to enable Common Desktop Environment.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/cde.nix>
services.xserver.desktopManager.cde.extraPackages

Extra packages to be installed system wide.

Type: list of package

Default:

with pkgs.xorg; [
  xclock bitmap xlsfonts xfd xrefresh xload xwininfo xdpyinfo xwd xwud
]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/cde.nix>
services.xserver.desktopManager.cinnamon.enable

Whether to enable the cinnamon desktop manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix>
services.xserver.desktopManager.cinnamon.extraGSettingsOverridePackages

List of packages for which gsettings are overridden.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix>
services.xserver.desktopManager.cinnamon.extraGSettingsOverrides

Additional gsettings overrides.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix>
services.xserver.desktopManager.cinnamon.sessionPath

Additional list of packages to be added to the session search path. Useful for GSettings-conditional autostart.

Note that this should be a last resort; patching the package is preferred (see GPaste).

Type: list of package

Default: [ ]

Example: [ pkgs.gpaste ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/cinnamon.nix>
services.xserver.desktopManager.deepin.enable

Whether to enable Deepin desktop manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/deepin.nix>
services.xserver.desktopManager.deepin.extraGSettingsOverridePackages

List of packages for which gsettings are overridden.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/deepin.nix>
services.xserver.desktopManager.deepin.extraGSettingsOverrides

Additional gsettings overrides.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/deepin.nix>
services.xserver.desktopManager.enlightenment.enable

Enable the Enlightenment desktop environment.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix>
services.xserver.desktopManager.gnome.enable

Enable GNOME desktop manager.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.xserver.desktopManager.gnome.debug

Whether to enable pkgs.gnome-session debug messages.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.xserver.desktopManager.gnome.extraGSettingsOverridePackages

List of packages for which gsettings are overridden.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.xserver.desktopManager.gnome.extraGSettingsOverrides

Additional gsettings overrides.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.xserver.desktopManager.gnome.flashback.enableMetacity

Whether to enable the standard GNOME Flashback session with Metacity.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.xserver.desktopManager.gnome.flashback.customSessions

Other GNOME Flashback sessions to enable.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.xserver.desktopManager.gnome.flashback.customSessions.*.enableGnomePanel

Whether to enable the GNOME panel in this session.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.xserver.desktopManager.gnome.flashback.customSessions.*.wmCommand

The executable of the window manager to use.

Type: string

Example: "${pkgs.haskellPackages.xmonad}/bin/xmonad"

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.xserver.desktopManager.gnome.flashback.customSessions.*.wmLabel

The name of the window manager to show in the session chooser.

Type: string

Example: "XMonad"

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.xserver.desktopManager.gnome.flashback.customSessions.*.wmName

A unique identifier for the window manager.

Type: string matching the pattern [a-zA-Z0-9_-]+

Example: "xmonad"

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.xserver.desktopManager.gnome.flashback.panelModulePackages

Packages containing modules that should be made available to pkgs.gnome-panel (usually for applets).

If you’re packaging something to use here, please install the modules in $out/lib/gnome-panel/modules.

Type: list of package

Default: [ pkgs.gnome-applets ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.xserver.desktopManager.gnome.sessionPath

Additional list of packages to be added to the session search path. Useful for GNOME Shell extensions or GSettings-conditional autostart.

Note that this should be a last resort; patching the package is preferred (see GPaste).

Type: list of package

Default: [ ]

Example: [ pkgs.gpaste ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/gnome.nix>
services.xserver.desktopManager.kodi.enable

Enable the kodi multimedia center.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/kodi.nix>
services.xserver.desktopManager.kodi.package

The kodi package to use.

Type: package

Default: pkgs.kodi

Example: kodi.withPackages (p: with p; [ jellyfin pvr-iptvsimple vfs-sftp ])

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/kodi.nix>
services.xserver.desktopManager.lumina.enable

Enable the Lumina desktop manager

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/lumina.nix>
services.xserver.desktopManager.lxqt.enable

Enable the LXQt desktop manager

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/lxqt.nix>
services.xserver.desktopManager.mate.enable

Enable the MATE desktop environment

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix>
services.xserver.desktopManager.mate.enableWaylandSession

Whether to enable MATE Wayland session.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix>
services.xserver.desktopManager.mate.debug

Whether to enable mate-session debug messages.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix>
services.xserver.desktopManager.mate.extraCajaExtensions

Extra extensions to add to caja.

Type: list of package

Default: [ ]

Example: with pkgs.mate; [ caja-extensions ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix>
services.xserver.desktopManager.mate.extraPanelApplets

Extra applets to add to mate-panel.

Type: list of package

Default: [ ]

Example: with pkgs.mate; [ mate-applets ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/mate.nix>
services.xserver.desktopManager.pantheon.enable

Enable the pantheon desktop manager

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix>
services.xserver.desktopManager.pantheon.debug

Whether to enable gnome-session debug messages.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix>
services.xserver.desktopManager.pantheon.extraGSettingsOverridePackages

List of packages for which gsettings are overridden.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix>
services.xserver.desktopManager.pantheon.extraGSettingsOverrides

Additional gsettings overrides.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix>
services.xserver.desktopManager.pantheon.extraSwitchboardPlugs

Plugs to add to Switchboard.

Type: null or (list of package)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix>
services.xserver.desktopManager.pantheon.extraWingpanelIndicators

Indicators to add to Wingpanel.

Type: null or (list of package)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix>
services.xserver.desktopManager.pantheon.sessionPath

Additional list of packages to be added to the session search path. Useful for GSettings-conditional autostart.

Note that this should be a last resort; patching the package is preferred (see GPaste).

Type: list of package

Default: [ ]

Example: [ pkgs.gpaste ]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/pantheon.nix>
services.xserver.desktopManager.phosh.enable

Enable the Phone Shell.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/phosh.nix>
services.xserver.desktopManager.phosh.package

The phosh package to use.

Type: package

Default: pkgs.phosh

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/phosh.nix>
services.xserver.desktopManager.phosh.group

The group to run the Phosh service.

Type: string

Example: "users"

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/phosh.nix>
services.xserver.desktopManager.phosh.phocConfig

Configurations for the Phoc compositor.

Type: strings concatenated with “\n” or path or (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/phosh.nix>
services.xserver.desktopManager.phosh.user

The user to run the Phosh service.

Type: string

Example: "alice"

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/phosh.nix>
services.xserver.desktopManager.plasma5.enable

Enable the Plasma 5 (KDE 5) desktop environment.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix>
services.xserver.desktopManager.plasma5.bigscreen.enable

Enable support for running the Plasma Bigscreen session.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix>
services.xserver.desktopManager.plasma5.mobile.enable

Enable support for running the Plasma Mobile shell.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix>
services.xserver.desktopManager.plasma5.mobile.installRecommendedSoftware

Installs software recommended for use with Plasma Mobile, but which is not strictly required for Plasma Mobile to run.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix>
services.xserver.desktopManager.plasma5.notoPackage

The Noto fonts package to use.

Type: package

Default: pkgs.noto-fonts

Example: noto-fonts-lgc-plus

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix>
services.xserver.desktopManager.plasma5.phononBackend

Phonon audio backend to install.

Type: one of “gstreamer”, “vlc”

Default: "vlc"

Example: "gstreamer"

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix>
services.xserver.desktopManager.plasma5.runUsingSystemd

Use systemd to manage the Plasma session

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix>
services.xserver.desktopManager.plasma5.useQtScaling

Enable HiDPI scaling in Qt.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/plasma5.nix>
services.xserver.desktopManager.retroarch.enable

Whether to enable RetroArch.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/retroarch.nix>
services.xserver.desktopManager.retroarch.package

The retroarch package to use.

Type: package

Default: pkgs.retroarch

Example: retroarch-full

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/retroarch.nix>
services.xserver.desktopManager.retroarch.extraArgs

Extra arguments to pass to RetroArch.

Type: list of string

Default: [ ]

Example:

[
  "--verbose"
  "--host"
]

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/retroarch.nix>
services.xserver.desktopManager.runXdgAutostartIfNone

Whether to run XDG autostart files for sessions without a desktop manager (with only a window manager), these sessions usually don’t handle XDG autostart files by default.

Some services like i18n.inputMethod and service.earlyoom use XDG autostart files to start. If this option is not set to true and you are using a window manager without a desktop manager, you need to manually start them or running dex somewhere.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/none.nix>
services.xserver.desktopManager.surf-display.enable

Whether to enable surf-display as a kiosk browser session.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix>
services.xserver.desktopManager.surf-display.defaultWwwUri

Default URI to display.

Type: string

Default: "${pkgs.surf-display}/share/surf-display/empty-page.html"

Example: "https://www.example.com/"

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix>
services.xserver.desktopManager.surf-display.extraConfig

Extra configuration options to append to /etc/default/surf-display.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  # Enforce fixed resolution for all displays (default: not set):
  DEFAULT_RESOLUTION="1920x1080"
  
  # HTTP proxy URL, if needed (default: not set).
  HTTP_PROXY_URL="http://webcache:3128"
  
  # Configure individual display screens with host specific parameters:
  DISPLAYS['display-host-0']="www_uri=https://www.displayserver.comany.net/display-1/index.html"
  DISPLAYS['display-host-1']="www_uri=https://www.displayserver.comany.net/display-2/index.html"
  DISPLAYS['display-host-2']="www_uri=https://www.displayserver.comany.net/display-3/index.html|res=1920x1280"
  DISPLAYS['display-host-3']="www_uri=https://www.displayserver.comany.net/display-4/index.html"|res=1280x1024"
  DISPLAYS['display-host-local-file']="www_uri=file:///usr/share/doc/surf-display/empty-page.html"
''

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix>
services.xserver.desktopManager.surf-display.hideIdlePointer

Hide idle mouse pointer.

Type: string

Default: "yes"

Example: "no"

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix>
services.xserver.desktopManager.surf-display.inactivityInterval

Setting for internal inactivity timer to restart surf-display if the user goes inactive/idle to get a fresh session for the next user of the kiosk.

If this value is set to zero, the whole feature of restarting due to inactivity is disabled.

Type: signed integer

Default: 300

Example: 0

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix>
services.xserver.desktopManager.surf-display.pointerButtonMap

Disable right and middle pointer device click in browser sessions while keeping scrolling wheels’ functionality intact. See pointer subcommand on man xmodmap for details.

Type: string

Default: "1 0 0 4 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix>
services.xserver.desktopManager.surf-display.screensaverSettings

Screensaver settings, see man 1 xset for possible options.

Type: strings concatenated with " "

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/surf-display.nix>
services.xserver.desktopManager.wallpaper.combineScreens

When set to true the wallpaper will stretch across all screens. When set to false the wallpaper is duplicated to all screens.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix>
services.xserver.desktopManager.wallpaper.mode

The file ~/.background-image is used as a background image. This option specifies the placement of this image onto your desktop.

Possible values: center: Center the image on the background. If it is too small, it will be surrounded by a black border. fill: Like scale, but preserves aspect ratio by zooming the image until it fits. Either a horizontal or a vertical part of the image will be cut off. max: Like fill, but scale the image to the maximum size that fits the screen with black borders on one side. scale: Fit the file into the background without repeating it, cutting off stuff or using borders. But the aspect ratio is not preserved either. tile: Tile (repeat) the image in case it is too small for the screen.

Type: one of “center”, “fill”, “max”, “scale”, “tile”

Default: "scale"

Example: "fill"

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/default.nix>
services.xserver.desktopManager.xfce.enable

Enable the Xfce desktop environment.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix>
services.xserver.desktopManager.xfce.enableScreensaver

Enable the XFCE screensaver.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix>
services.xserver.desktopManager.xfce.enableWaylandSession

Whether to enable the experimental Xfce Wayland session.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix>
services.xserver.desktopManager.xfce.enableXfwm

Enable the XFWM (default) window manager.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix>
services.xserver.desktopManager.xfce.noDesktop

Don’t install XFCE desktop components (xfdesktop and panel).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix>
services.xserver.desktopManager.xfce.waylandSessionCompositor

Command line to run a Wayland compositor, defaults to labwc --startup if not specified. Note that xfce4-session will be passed to it as an argument, see startxfce4 --help for details.

Some compositors do not have an option equivalent to labwc’s --startup and you might have to add xfce4-session somewhere in their configurations.

Type: string

Default: ""

Example: "wayfire"

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/xfce.nix>
services.xserver.desktopManager.xterm.enable

Enable a xterm terminal as a desktop manager.

Type: boolean

Default: versionOlder config.system.stateVersion "19.09" && config.services.xserver.enable;

Declared by:

<nixpkgs/nixos/modules/services/x11/desktop-managers/xterm.nix>
services.xserver.deviceSection

Contents of the first Device section of the X server configuration file.

Type: strings concatenated with “\n”

Default: ""

Example: "VideoRAM 131072"

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.digimend.enable

Whether to enable the digimend drivers for Huion/XP-Pen/etc. tablets.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/digimend.nix>
services.xserver.display

Display number for the X server.

Type: null or signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.displayManager.gdm.enable

Whether to enable GDM, the GNOME Display Manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix>
services.xserver.displayManager.gdm.autoLogin.delay

Seconds of inactivity after which the autologin will be performed.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix>
services.xserver.displayManager.gdm.autoSuspend

On the GNOME Display Manager login screen, suspend the machine after inactivity. (Does not affect automatic suspend while logged in, or at lock screen.)

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix>
services.xserver.displayManager.gdm.banner

Optional message to display on the login screen.

Type: null or strings concatenated with “\n”

Default: null

Example:

''
  foo
  bar
  baz
''

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix>
services.xserver.displayManager.gdm.debug

Whether to enable debugging messages in GDM.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix>
services.xserver.displayManager.gdm.settings

Options passed to the gdm daemon. See here for supported options.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  debug = {
    enable = true;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix>
services.xserver.displayManager.gdm.wayland

Allow GDM to run on Wayland instead of Xserver.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/gdm.nix>
services.xserver.displayManager.lightdm.enable

Whether to enable lightdm as the display manager.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix>
services.xserver.displayManager.lightdm.autoLogin.timeout

Show the greeter for this many seconds before automatic login occurs.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix>
services.xserver.displayManager.lightdm.background

The background image or color to use.

Type: path or string matching the pattern ^#[0-9]{6}$

Default: pkgs.nixos-artwork.wallpapers.simple-dark-gray-bottom.gnomeFilePath

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix>
services.xserver.displayManager.lightdm.extraConfig

Extra lines to append to LightDM section.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  user-authority-in-system-dir = true
''

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix>
services.xserver.displayManager.lightdm.extraSeatDefaults

Extra lines to append to SeatDefaults section.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  greeter-show-manual-login=true
''

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix>
services.xserver.displayManager.lightdm.greeter.enable

If set to false, run lightdm in greeterless mode. This only works if autologin is enabled and autoLogin.timeout is zero.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix>
services.xserver.displayManager.lightdm.greeter.package

The LightDM greeter to login via. The package should be a directory containing a .desktop file matching the name in the ‘name’ option.

Type: package

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix>
services.xserver.displayManager.lightdm.greeter.name

The name of a .desktop file in the directory specified in the ‘package’ option.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm.nix>
services.xserver.displayManager.lightdm.greeters.enso.enable

Whether to enable enso-os-greeter as the lightdm greeter

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix>
services.xserver.displayManager.lightdm.greeters.enso.blur

Whether or not to enable blur

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix>
services.xserver.displayManager.lightdm.greeters.enso.brightness

Brightness

Type: signed integer

Default: 7

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix>
services.xserver.displayManager.lightdm.greeters.enso.cursorTheme.package

The package path that contains the cursor theme given in the name option.

Type: package

Default: pkgs.capitaine-cursors

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix>
services.xserver.displayManager.lightdm.greeters.enso.cursorTheme.name

Name of the cursor theme to use for the lightdm-enso-os-greeter

Type: string

Default: "capitane-cursors"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix>
services.xserver.displayManager.lightdm.greeters.enso.extraConfig

Extra configuration that should be put in the greeter.conf configuration file

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix>
services.xserver.displayManager.lightdm.greeters.enso.iconTheme.package

The package path that contains the icon theme given in the name option.

Type: package

Default: pkgs.papirus-icon-theme

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix>
services.xserver.displayManager.lightdm.greeters.enso.iconTheme.name

Name of the icon theme to use for the lightdm-enso-os-greeter

Type: string

Default: "ePapirus"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix>
services.xserver.displayManager.lightdm.greeters.enso.theme.package

The package path that contains the theme given in the name option.

Type: package

Default: pkgs.gnome-themes-extra

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix>
services.xserver.displayManager.lightdm.greeters.enso.theme.name

Name of the theme to use for the lightdm-enso-os-greeter

Type: string

Default: "Adwaita"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/enso-os.nix>
services.xserver.displayManager.lightdm.greeters.gtk.enable

Whether to enable lightdm-gtk-greeter as the lightdm greeter.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix>
services.xserver.displayManager.lightdm.greeters.gtk.clock-format

Clock format string (as expected by strftime, e.g. “%H:%M”) to use with the lightdm gtk greeter panel.

If set to null the default clock format is used.

Type: null or string

Default: null

Example: "%F"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix>
services.xserver.displayManager.lightdm.greeters.gtk.cursorTheme.package

The package path that contains the cursor theme given in the name option.

Type: package

Default: pkgs.adwaita-icon-theme

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix>
services.xserver.displayManager.lightdm.greeters.gtk.cursorTheme.name

Name of the cursor theme to use for the lightdm-gtk-greeter.

Type: string

Default: "Adwaita"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix>
services.xserver.displayManager.lightdm.greeters.gtk.cursorTheme.size

Size of the cursor theme to use for the lightdm-gtk-greeter.

Type: signed integer

Default: 16

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix>
services.xserver.displayManager.lightdm.greeters.gtk.extraConfig

Extra configuration that should be put in the lightdm-gtk-greeter.conf configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix>
services.xserver.displayManager.lightdm.greeters.gtk.iconTheme.package

The package path that contains the icon theme given in the name option.

Type: package

Default: pkgs.adwaita-icon-theme

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix>
services.xserver.displayManager.lightdm.greeters.gtk.iconTheme.name

Name of the icon theme to use for the lightdm-gtk-greeter.

Type: string

Default: "Adwaita"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix>
services.xserver.displayManager.lightdm.greeters.gtk.indicators

List of allowed indicator modules to use for the lightdm gtk greeter panel.

Built-in indicators include “~a11y”, “~language”, “~session”, “~power”, “~clock”, “~host”, “~spacer”. Unity indicators can be represented by short name (e.g. “sound”, “power”), service file name, or absolute path.

If set to null the default indicators are used.

Type: null or (list of string)

Default: null

Example:

[
  "~host"
  "~spacer"
  "~clock"
  "~spacer"
  "~session"
  "~language"
  "~a11y"
  "~power"
]

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix>
services.xserver.displayManager.lightdm.greeters.gtk.theme.package

The package path that contains the theme given in the name option.

Type: package

Default: pkgs.gnome-themes-extra

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix>
services.xserver.displayManager.lightdm.greeters.gtk.theme.name

Name of the theme to use for the lightdm-gtk-greeter.

Type: string

Default: "Adwaita"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix>
services.xserver.displayManager.lightdm.greeters.lomiri.enable

Whether to enable lomiri’s greeter as the lightdm greeter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/lomiri.nix>
services.xserver.displayManager.lightdm.greeters.mini.enable

Whether to enable lightdm-mini-greeter as the lightdm greeter.

Note that this greeter starts only the default X session. You can configure the default X session using services.displayManager.defaultSession.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix>
services.xserver.displayManager.lightdm.greeters.mini.extraConfig

Extra configuration that should be put in the lightdm-mini-greeter.conf configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix>
services.xserver.displayManager.lightdm.greeters.mini.user

The user to login as.

Type: string

Default: "root"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mini.nix>
services.xserver.displayManager.lightdm.greeters.mobile.enable

Whether to enable lightdm-mobile-greeter as the lightdm greeter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/mobile.nix>
services.xserver.displayManager.lightdm.greeters.pantheon.enable

Whether to enable elementary-greeter as the lightdm greeter.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/pantheon.nix>
services.xserver.displayManager.lightdm.greeters.slick.enable

Whether to enable lightdm-slick-greeter as the lightdm greeter.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix>
services.xserver.displayManager.lightdm.greeters.slick.cursorTheme.package

The package path that contains the cursor theme given in the name option.

Type: package

Default: pkgs.adwaita-icon-theme

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix>
services.xserver.displayManager.lightdm.greeters.slick.cursorTheme.name

Name of the cursor theme to use for the lightdm-slick-greeter.

Type: string

Default: "Adwaita"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix>
services.xserver.displayManager.lightdm.greeters.slick.cursorTheme.size

Size of the cursor theme to use for the lightdm-slick-greeter.

Type: signed integer

Default: 24

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix>
services.xserver.displayManager.lightdm.greeters.slick.draw-user-backgrounds

Whether to enable draw user backgrounds.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix>
services.xserver.displayManager.lightdm.greeters.slick.extraConfig

Extra configuration that should be put in the lightdm-slick-greeter.conf configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix>
services.xserver.displayManager.lightdm.greeters.slick.font.package

The package path that contains the font given in the name option.

Type: package

Default: pkgs.ubuntu-classic

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix>
services.xserver.displayManager.lightdm.greeters.slick.font.name

Name of the font to use.

Type: string

Default: "Ubuntu 11"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix>
services.xserver.displayManager.lightdm.greeters.slick.iconTheme.package

The package path that contains the icon theme given in the name option.

Type: package

Default: pkgs.adwaita-icon-theme

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix>
services.xserver.displayManager.lightdm.greeters.slick.iconTheme.name

Name of the icon theme to use for the lightdm-slick-greeter.

Type: string

Default: "Adwaita"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix>
services.xserver.displayManager.lightdm.greeters.slick.theme.package

The package path that contains the theme given in the name option.

Type: package

Default: pkgs.gnome-themes-extra

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix>
services.xserver.displayManager.lightdm.greeters.slick.theme.name

Name of the theme to use for the lightdm-slick-greeter.

Type: string

Default: "Adwaita"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/slick.nix>
services.xserver.displayManager.lightdm.greeters.tiny.enable

Whether to enable lightdm-tiny-greeter as the lightdm greeter.

Note that this greeter starts only the default X session. You can configure the default X session using services.displayManager.defaultSession.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/tiny.nix>
services.xserver.displayManager.lightdm.greeters.tiny.extraConfig

Section to describe style and ui.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/tiny.nix>
services.xserver.displayManager.lightdm.greeters.tiny.label.pass

The string to represent the pass_text label.

Type: string

Default: "Password"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/tiny.nix>
services.xserver.displayManager.lightdm.greeters.tiny.label.user

The string to represent the user_text label.

Type: string

Default: "Username"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/lightdm-greeters/tiny.nix>
services.xserver.displayManager.session

List of sessions supported with the command used to start each session. Each session script can set the waitPID shell variable to make this script wait until the end of the user session. Each script is used to define either a window manager or a desktop manager. These can be differentiated by setting the attribute manage either to "window" or "desktop".

The list of desktop manager and window manager should appear inside the display manager with the desktop manager name followed by the window manager name.

Type: list of (attribute set)

Default: [ ]

Example:

[ { manage = "desktop";
    name = "xterm";
    start = ''
      ${pkgs.xterm}/bin/xterm -ls &
      waitPID=$!
    '';
  }
]

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/default.nix>
services.xserver.displayManager.sessionCommands

Shell commands executed just before the window or desktop manager is started. These commands are not currently sourced for Wayland sessions.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  xmessage "Hello World!" &
''

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/default.nix>
services.xserver.displayManager.setupCommands

Shell commands executed just after the X server has started.

This option is only effective for display managers for which this feature is supported; currently these are LightDM, GDM and SDDM.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/default.nix>
services.xserver.displayManager.startx.enable

Whether to enable the dummy “startx” pseudo-display manager, which allows users to start X manually via the “startx” command from a vt shell. The X server runs under the user’s id, not as root. The user must provide a ~/.xinitrc file containing session startup commands, see startx(1). This is not automatically generated from the desktopManager and windowManager settings.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/startx.nix>
services.xserver.displayManager.sx.enable

Whether to enable the “sx” pseudo-display manager, which allows users to start manually via the “sx” command from a vt shell. The X server runs under the user’s id, not as root. The user must provide a ~/.config/sx/sxrc file containing session startup commands, see sx(1). This is not automatically generated from the desktopManager and windowManager settings. sx doesn’t have a way to directly set X server flags, but it can be done by overriding its xorgserver dependency.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/sx.nix>
services.xserver.displayManager.sx.package

The sx package to use.

Type: package

Default: pkgs.sx

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/sx.nix>
services.xserver.displayManager.sx.addAsSession

Whether to add sx as a display manager session. Keep in mind that sx expects to be run from a TTY, so it may not work in your display manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/sx.nix>
services.xserver.displayManager.xpra.enable

Whether to enable xpra as display manager.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/xpra.nix>
services.xserver.displayManager.xpra.auth

Authentication to use when connecting to xpra

Type: string

Default: "pam"

Example: "password:value=mysecret"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/xpra.nix>
services.xserver.displayManager.xpra.bindTcp

Bind xpra to TCP

Type: null or string

Default: "127.0.0.1:10000"

Example: "0.0.0.0:10000"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/xpra.nix>
services.xserver.displayManager.xpra.desktop

Start a desktop environment instead of seamless mode

Type: null or string

Default: null

Example: "gnome-shell"

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/xpra.nix>
services.xserver.displayManager.xpra.extraOptions

Extra xpra options

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/xpra.nix>
services.xserver.displayManager.xpra.pulseaudio

Whether to enable pulseaudio audio streaming.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/xpra.nix>
services.xserver.displayManager.xserverArgs

List of arguments for the X server.

Type: list of string

Default: [ ]

Example:

[
  "-ac"
  "-logverbose"
  "-verbose"
  "-nolisten tcp"
]

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/default.nix>
services.xserver.displayManager.xserverBin

Path to the X server used by display managers.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/x11/display-managers/default.nix>
services.xserver.dpi

Force global DPI resolution to use for X server. It’s recommended to use this only when DPI is detected incorrectly; also consider using Monitor section in configuration file instead.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.excludePackages

Which X11 packages to exclude from the default environment

Type: list of package

Default: [ ]

Example: [ pkgs.xterm ]

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.exportConfiguration

Whether to symlink the X server configuration under /etc/X11/xorg.conf.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.extraConfig

Additional contents (sections) included in the X server configuration file

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.extraDisplaySettings

Lines to be added to every Display subsection of the Screen section.

Type: strings concatenated with “\n”

Default: ""

Example: "Virtual 2048 2048"

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.filesSection

Contents of the first Files section of the X server configuration file.

Type: strings concatenated with “\n”

Default: ""

Example: "FontPath \"/path/to/my/fonts\""

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.fontPath

Set the X server FontPath. Defaults to null, which means the compiled in defaults will be used. See man xorg.conf for details.

Type: null or string

Default: null

Example: "unix/:7100"

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.imwheel.enable

Whether to enable IMWheel service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/imwheel.nix>
services.xserver.imwheel.extraOptions

Additional command-line arguments to pass to imwheel.

Type: list of string

Default:

[
  "--buttons=45"
]

Example:

[
  "--debug"
]

Declared by:

<nixpkgs/nixos/modules/services/x11/imwheel.nix>
services.xserver.imwheel.rules

Window class translation rules. /etc/X11/imwheelrc is generated based on this config which means this config is global for all users. See official man pages for more information.

Type: attribute set of string

Default: { }

Example:

{
  ".*" = ''
    None,      Up,   Button4, 8
    None,      Down, Button5, 8
    Shift_L,   Up,   Shift_L|Button4, 4
    Shift_L,   Down, Shift_L|Button5, 4
    Control_L, Up,   Control_L|Button4
    Control_L, Down, Control_L|Button5
  '';
}

Declared by:

<nixpkgs/nixos/modules/services/x11/imwheel.nix>
services.xserver.inputClassSections

Content of additional InputClass sections of the X server configuration file.

Type: list of strings concatenated with “\n”

Default: [ ]

Example:

[ ''
    Identifier      "Trackpoint Wheel Emulation"
    MatchProduct    "ThinkPad USB Keyboard with TrackPoint"
    Option          "EmulateWheel"          "true"
    Option          "EmulateWheelButton"    "2"
    Option          "Emulate3Buttons"       "false"
  ''
]

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.logFile

Controls the file Xorg logs to.

The default of /dev/null is set so that systemd services (like displayManagers) only log to the journal and don’t create their own log files.

Setting this to null will not pass the -logfile argument to Xorg which allows it to log to its default logfile locations instead (see man Xorg). You probably only want this behaviour when running Xorg manually (e.g. via startx).

Type: null or string

Default: "/dev/null"

Example: "/var/log/Xorg.0.log"

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.moduleSection

Contents of the Module section of the X server configuration file.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  SubSection "extmod"
  EndSubsection
''

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.modules

Packages to be added to the module search path of the X server.

Type: list of path

Default: [ ]

Example: [ pkgs.xf86_input_wacom ]

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.monitorSection

Contents of the first Monitor section of the X server configuration file.

Type: strings concatenated with “\n”

Default: ""

Example: "HorizSync 28-49"

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.resolutions

The screen resolutions for the X server. The first element is the default resolution. If this list is empty, the X server will automatically configure the resolution.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    x = 1600;
    y = 1200;
  }
  {
    x = 1024;
    y = 786;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.screenSection

Contents of the first Screen section of the X server configuration file.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  Option "RandRRotation" "on"
''

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.serverFlagsSection

Contents of the ServerFlags section of the X server configuration file.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  Option "BlankTime" "0"
  Option "StandbyTime" "0"
  Option "SuspendTime" "0"
  Option "OffTime" "0"
''

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.serverLayoutSection

Contents of the ServerLayout section of the X server configuration file.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  Option "AIGLX" "true"
''

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.synaptics.enable

Whether to enable touchpad support. Deprecated: Consider services.libinput.enable.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.accelFactor

Cursor acceleration (how fast speed increases from minSpeed to maxSpeed).

Type: null or string

Default: "0.001"

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.additionalOptions

Additional options for synaptics touchpad driver.

Type: string

Default: ""

Example:

''
  Option "RTCornerButton" "2"
  Option "RBCornerButton" "3"
''

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.buttonsMap

Remap touchpad buttons.

Type: list of signed integer

Default:

[
  1
  2
  3
]

Example:

[
  1
  3
  2
]

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.dev

Path for touchpad device. Set to null to apply to any auto-detected touchpad.

Type: null or string

Default: null

Example: "/dev/input/event0"

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.fingersMap

Remap several-fingers taps.

Type: list of signed integer

Default:

[
  1
  2
  3
]

Example:

[
  1
  3
  2
]

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.horizEdgeScroll

Whether to enable horizontal edge drag-scrolling.

Type: boolean

Default: ! config.services.xserver.synaptics.horizTwoFingerScroll

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.horizTwoFingerScroll

Whether to enable horizontal two-finger drag-scrolling.

Type: boolean

Default: config.services.xserver.synaptics.twoFingerScroll

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.horizontalScroll

Whether to enable horizontal scrolling (on touchpad)

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.maxSpeed

Cursor speed factor for highest-speed finger motion.

Type: null or string

Default: "1.0"

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.minSpeed

Cursor speed factor for precision finger motion.

Type: null or string

Default: "0.6"

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.palmDetect

Whether to enable palm detection (hardware support required)

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.palmMinWidth

Minimum finger width at which touch is considered a palm

Type: null or signed integer

Default: null

Example: 5

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.palmMinZ

Minimum finger pressure at which touch is considered a palm

Type: null or signed integer

Default: null

Example: 20

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.scrollDelta

Move distance of the finger for a scroll event.

Type: null or signed integer

Default: null

Example: 75

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.tapButtons

Whether to enable tap buttons.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.twoFingerScroll

Whether to enable two-finger drag-scrolling. Overridden by horizTwoFingerScroll and vertTwoFingerScroll.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.vertEdgeScroll

Whether to enable vertical edge drag-scrolling.

Type: boolean

Default: ! config.services.xserver.synaptics.vertTwoFingerScroll

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.synaptics.vertTwoFingerScroll

Whether to enable vertical two-finger drag-scrolling.

Type: boolean

Default: config.services.xserver.synaptics.twoFingerScroll

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/synaptics.nix>
services.xserver.terminateOnReset

Whether to terminate X upon server reset.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.tty

Virtual console for the X server.

Type: null or signed integer

Default: 7

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.updateDbusEnvironment

Whether to update the DBus activation environment after launching the desktop manager.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.upscaleDefaultCursor

Upscale the default X cursor to be more visible on high-density displays. Requires config.services.xserver.dpi to be set.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.verbose

Controls verbosity of X logging.

Type: null or signed integer

Default: 3

Example: 7

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.videoDriver

The name of the video driver for your graphics card. This option is obsolete; please set the services.xserver.videoDrivers instead.

Type: null or string

Default: null

Example: "i810"

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.videoDrivers

The names of the video drivers the configuration supports. They will be tried in order until one that supports your card is found. Don’t combine those with “incompatible” OpenGL implementations, e.g. free ones (mesa-based) with proprietary ones.

For unfree “nvidia*”, the supported GPU lists are on https://www.nvidia.com/object/unix.html

Type: list of string

Default:

[
  "modesetting"
  "fbdev"
]

Example:

[
  "nvidia"
  "amdgpu"
]

Related packages:

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.virtualScreen

Virtual screen size for Xrandr.

Type: null or (attribute set)

Default: null

Example:

{
  x = 2048;
  y = 2048;
}

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.wacom.enable

Whether to enable the Wacom touchscreen/digitizer/tablet. If you ever have any issues such as, try switching to terminal (ctrl-alt-F1) and back which will make Xorg reconfigure the device ?

If you’re not satisfied by the default behaviour you can override environment.etc."X11/xorg.conf.d/70-wacom.conf" in configuration.nix easily.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/hardware/wacom.nix>
services.xserver.windowManager."2bwm".enable

Whether to enable 2bwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/2bwm.nix>
services.xserver.windowManager.afterstep.enable

Whether to enable afterstep.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/afterstep.nix>
services.xserver.windowManager.awesome.enable

Whether to enable Awesome window manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/awesome.nix>
services.xserver.windowManager.awesome.package

The awesome package to use.

Type: package

Default: pkgs.awesome

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/awesome.nix>
services.xserver.windowManager.awesome.luaModules

List of lua packages available for being used in the Awesome configuration.

Type: list of package

Default: [ ]

Example: [ pkgs.luaPackages.vicious ]

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/awesome.nix>
services.xserver.windowManager.awesome.noArgb

Disable client transparency support, which can be greatly detrimental to performance in some setups

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/awesome.nix>
services.xserver.windowManager.berry.enable

Whether to enable berry.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/berry.nix>
services.xserver.windowManager.bspwm.enable

Whether to enable bspwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/bspwm.nix>
services.xserver.windowManager.bspwm.package

The bspwm package to use.

Type: package

Default: pkgs.bspwm

Example: bspwm-unstable

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/bspwm.nix>
services.xserver.windowManager.bspwm.configFile

Path to the bspwm configuration file. If null, $HOME/.config/bspwm/bspwmrc will be used.

Type: null or path

Default: null

Example: "${pkgs.bspwm}/share/doc/bspwm/examples/bspwmrc"

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/bspwm.nix>
services.xserver.windowManager.bspwm.sxhkd.package

The sxhkd package to use.

Type: package

Default: pkgs.sxhkd

Example: sxhkd-unstable

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/bspwm.nix>
services.xserver.windowManager.bspwm.sxhkd.configFile

Path to the sxhkd configuration file. If null, $HOME/.config/sxhkd/sxhkdrc will be used.

Type: null or path

Default: null

Example: "${pkgs.bspwm}/share/doc/bspwm/examples/sxhkdrc"

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/bspwm.nix>
services.xserver.windowManager.clfswm.enable

Whether to enable clfswm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/clfswm.nix>
services.xserver.windowManager.clfswm.package

The clfswm package to use.

Type: package

Default: pkgs.sbclPackages.clfswm

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/clfswm.nix>
services.xserver.windowManager.cwm.enable

Whether to enable cwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/cwm.nix>
services.xserver.windowManager.dk.enable

Whether to enable dk.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/dk.nix>
services.xserver.windowManager.dk.package

The dk package to use.

Type: package

Default: pkgs.dk

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/dk.nix>
services.xserver.windowManager.dwm.enable

Whether to enable dwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/dwm.nix>
services.xserver.windowManager.dwm.package

The dwm package to use.

Type: package

Default: pkgs.dwm

Example:

pkgs.dwm.overrideAttrs (oldAttrs: rec {
  patches = [
    (super.fetchpatch {
      url = "https://dwm.suckless.org/patches/steam/dwm-steam-6.2.diff";
      sha256 = "sha256-f3lffBjz7+0Khyn9c9orzReoLTqBb/9gVGshYARGdVc=";
    })
  ];
})

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/dwm.nix>
services.xserver.windowManager.e16.enable

Whether to enable e16.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/e16.nix>
services.xserver.windowManager.evilwm.enable

Whether to enable evilwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/evilwm.nix>
services.xserver.windowManager.exwm.enable

Whether to enable exwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/exwm.nix>
services.xserver.windowManager.exwm.extraPackages

Extra packages available to Emacs. The value must be a function which receives the attrset defined in emacs.pkgs as the sole argument.

Type: function that evaluates to a(n) list of package

Default: epkgs: []

Example:

epkgs: [
  epkgs.emms
  epkgs.magit
  epkgs.proofgeneral
]

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/exwm.nix>
services.xserver.windowManager.exwm.loadScript

Emacs lisp code to be run after loading the user’s init file.

Type: strings concatenated with “\n”

Default: "(require 'exwm)"

Example:

''
  (require 'exwm)
  (exwm-enable)
''

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/exwm.nix>
services.xserver.windowManager.fluxbox.enable

Whether to enable fluxbox.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/fluxbox.nix>
services.xserver.windowManager.fvwm2.enable

Whether to enable Fvwm2 window manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/fvwm2.nix>
services.xserver.windowManager.fvwm2.gestures

Whether or not to enable libstroke for gesture support

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/fvwm2.nix>
services.xserver.windowManager.fvwm3.enable

Whether to enable Fvwm3 window manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/fvwm3.nix>
services.xserver.windowManager.hackedbox.enable

Whether to enable hackedbox.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/hackedbox.nix>
services.xserver.windowManager.herbstluftwm.enable

Whether to enable herbstluftwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/herbstluftwm.nix>
services.xserver.windowManager.herbstluftwm.package

The herbstluftwm package to use.

Type: package

Default: pkgs.herbstluftwm

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/herbstluftwm.nix>
services.xserver.windowManager.herbstluftwm.configFile

Path to the herbstluftwm configuration file. If left at the default value, $XDG_CONFIG_HOME/herbstluftwm/autostart will be used.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/herbstluftwm.nix>
services.xserver.windowManager.hypr.enable

Whether to enable hypr.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/hypr.nix>
services.xserver.windowManager.i3.enable

Whether to enable i3 window manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/i3.nix>
services.xserver.windowManager.i3.package

The i3 package to use.

Type: package

Default: pkgs.i3

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/i3.nix>
services.xserver.windowManager.i3.configFile

Path to the i3 configuration file. If left at the default value, $HOME/.i3/config will be used.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/i3.nix>
services.xserver.windowManager.i3.extraPackages

Extra packages to be installed system wide.

Type: list of package

Default:

with pkgs; [
  dmenu
  i3status
  i3lock
]

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/i3.nix>
services.xserver.windowManager.i3.extraSessionCommands

Shell commands executed just before i3 is started.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/i3.nix>
services.xserver.windowManager.i3.updateSessionEnvironment

Whether to run dbus-update-activation-environment and systemctl import-environment before session start. Required for xdg portals to function properly.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/i3.nix>
services.xserver.windowManager.icewm.enable

Whether to enable icewm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/icewm.nix>
services.xserver.windowManager.jwm.enable

Whether to enable jwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/jwm.nix>
services.xserver.windowManager.katriawm.enable

Whether to enable katriawm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/katriawm.nix>
services.xserver.windowManager.katriawm.package

The katriawm package to use.

Type: package

Default: pkgs.katriawm

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/katriawm.nix>
services.xserver.windowManager.leftwm.enable

Whether to enable leftwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/leftwm.nix>
services.xserver.windowManager.lwm.enable

Whether to enable lwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/lwm.nix>
services.xserver.windowManager.metacity.enable

Whether to enable metacity.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/metacity.nix>
services.xserver.windowManager.mlvwm.enable

Whether to enable Macintosh-like Virtual Window Manager.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/mlvwm.nix>
services.xserver.windowManager.mlvwm.configFile

Path to the mlvwm configuration file. If left at the default value, $HOME/.mlvwmrc will be used.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/mlvwm.nix>
services.xserver.windowManager.mwm.enable

Whether to enable mwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/mwm.nix>
services.xserver.windowManager.nimdow.enable

Whether to enable nimdow.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/nimdow.nix>
services.xserver.windowManager.nimdow.package

nimdow package to use

Type: package

Default: "pkgs.nimdow"

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/nimdow.nix>
services.xserver.windowManager.notion.enable

Whether to enable notion.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/notion.nix>
services.xserver.windowManager.openbox.enable

Whether to enable openbox.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/openbox.nix>
services.xserver.windowManager.pekwm.enable

Whether to enable pekwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/pekwm.nix>
services.xserver.windowManager.qtile.enable

Whether to enable qtile.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/qtile.nix>
services.xserver.windowManager.qtile.package

The qtile-unwrapped package to use.

Type: package

Default: pkgs.qtile-unwrapped

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/qtile.nix>
services.xserver.windowManager.qtile.configFile

Path to the qtile configuration file. If null, $XDG_CONFIG_HOME/qtile/config.py will be used.

Type: null or path

Default: null

Example: ./your_config.py

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/qtile.nix>
services.xserver.windowManager.qtile.extraPackages

Extra Python packages available to Qtile. An example would be to include python3Packages.qtile-extras for additional unofficial widgets.

Type: function that evaluates to a(n) list of package

Default:

python3Packages: with python3Packages; [];

Example:

python3Packages: with python3Packages; [
  qtile-extras
];

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/qtile.nix>
services.xserver.windowManager.ragnarwm.enable

Whether to enable ragnarwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/ragnarwm.nix>
services.xserver.windowManager.ragnarwm.package

The ragnarwm package to use.

Type: package

Default: pkgs.ragnarwm

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/ragnarwm.nix>
services.xserver.windowManager.ratpoison.enable

Whether to enable ratpoison.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/ratpoison.nix>
services.xserver.windowManager.sawfish.enable

Whether to enable sawfish.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/sawfish.nix>
services.xserver.windowManager.smallwm.enable

Whether to enable smallwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/smallwm.nix>
services.xserver.windowManager.spectrwm.enable

Whether to enable spectrwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/spectrwm.nix>
services.xserver.windowManager.stumpwm.enable

Whether to enable stumpwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/stumpwm.nix>
services.xserver.windowManager.tinywm.enable

Whether to enable tinywm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/tinywm.nix>
services.xserver.windowManager.twm.enable

Whether to enable twm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/twm.nix>
services.xserver.windowManager.windowlab.enable

Whether to enable windowlab.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/windowlab.nix>
services.xserver.windowManager.windowmaker.enable

Whether to enable windowmaker.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/windowmaker.nix>
services.xserver.windowManager.wmderland.enable

Whether to enable wmderland.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/wmderland.nix>
services.xserver.windowManager.wmderland.extraPackages

Extra packages to be installed system wide.

Type: list of package

Default:

with pkgs; [
  rofi
  dunst
  light
  hsetroot
  feh
  rxvt-unicode
]

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/wmderland.nix>
services.xserver.windowManager.wmderland.extraSessionCommands

Shell commands executed just before wmderland is started.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/wmderland.nix>
services.xserver.windowManager.wmii.enable

Whether to enable wmii.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/wmii.nix>
services.xserver.windowManager.xmonad.enable

Whether to enable xmonad.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix>
services.xserver.windowManager.xmonad.enableConfiguredRecompile

Enable recompilation even if config is set to a non-null value. This adds the necessary Haskell dependencies (GHC with packages) to the xmonad binary’s environment.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix>
services.xserver.windowManager.xmonad.enableContribAndExtras

Enable xmonad-{contrib,extras} in Xmonad.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix>
services.xserver.windowManager.xmonad.config

Configuration from which XMonad gets compiled. If no value is specified, a vanilla xmonad binary is put in PATH, which will attempt to recompile and exec your xmonad config from $HOME/.xmonad. This setup is then analogous to other (non-NixOS) linux distributions.

If you do set this option, you likely want to use “launch” as your entry point for xmonad (as in the example), to avoid xmonad’s recompilation logic on startup. Doing so will render the default “mod+q” restart key binding dysfunctional though, because that attempts to call your binary with the “–restart” command line option, unless you implement that yourself. You way mant to bind “mod+q” to (restart "xmonad" True) instead, which will just restart xmonad from PATH. This allows e.g. switching to the new xmonad binary after rebuilding your system with nixos-rebuild. For the same reason, ghc is not added to the environment when this option is set, unless enableConfiguredRecompile is set to true.

If you actually want to run xmonad with a config specified here, but also be able to recompile and restart it from a copy of that source in $HOME/.xmonad on the fly, set enableConfiguredRecompile to true and implement something like “compileRestart” from the example. This should allow you to switch at will between the local xmonad and the one NixOS puts in your PATH.

Type: null or path or string

Default: null

Example:

''
  import XMonad
  import XMonad.Util.EZConfig (additionalKeys)
  import Control.Monad (when)
  import Text.Printf (printf)
  import System.Posix.Process (executeFile)
  import System.Info (arch,os)
  import System.Environment (getArgs)
  import System.FilePath ((</>))
  
  compiledConfig = printf "xmonad-%s-%s" arch os
  
  myConfig = defaultConfig
    { modMask = mod4Mask -- Use Super instead of Alt
    , terminal = "urxvt" }
    `additionalKeys`
    [ ( (mod4Mask,xK_r), compileRestart True)
    , ( (mod4Mask,xK_q), restart "xmonad" True ) ]
  
  compileRestart resume = do
    dirs  <- asks directories
    whenX (recompile dirs True) $ do
      when resume writeStateToFile
      catchIO
          ( do
              args <- getArgs
              executeFile (cacheDir dirs </> compiledConfig) False args Nothing
          )
  
  main = getDirectories >>= launch myConfig
  
  --------------------------------------------
  {- For versions before 0.17.0 use this instead -}
  --------------------------------------------
  -- compileRestart resume =
  --   whenX (recompile True) $
  --     when resume writeStateToFile
  --       *> catchIO
  --         ( do
  --             dir <- getXMonadDataDir
  --             args <- getArgs
  --             executeFile (dir </> compiledConfig) False args Nothing
  --         )
  --
  -- main = launch myConfig
  --------------------------------------------
  
''

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix>
services.xserver.windowManager.xmonad.extraPackages

Extra packages available to ghc when rebuilding Xmonad. The value must be a function which receives the attrset defined in haskellPackages as the sole argument.

Type: function that evaluates to a(n) list of package

Default: self: []

Example:

haskellPackages: [
  haskellPackages.xmonad-contrib
  haskellPackages.monad-logger
]

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix>
services.xserver.windowManager.xmonad.ghcArgs

Command line arguments passed to the compiler (ghc) invocation when xmonad.config is set.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix>
services.xserver.windowManager.xmonad.haskellPackages

haskellPackages used to build Xmonad and other packages. This can be used to change the GHC version used to build Xmonad and the packages listed in extraPackages.

Type: attribute set

Default: pkgs.haskellPackages

Example: pkgs.haskell.packages.ghc810

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix>
services.xserver.windowManager.xmonad.xmonadCliArgs

Command line arguments passed to the xmonad binary.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/xmonad.nix>
services.xserver.windowManager.yeahwm.enable

Whether to enable yeahwm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/window-managers/yeahwm.nix>
services.xserver.xautolock.enable

Whether to enable xautolock.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/xautolock.nix>
services.xserver.xautolock.enableNotifier

Whether to enable the notifier feature of xautolock. This publishes a notification before the autolock.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/x11/xautolock.nix>
services.xserver.xautolock.extraOptions

Additional command-line arguments to pass to xautolock.

Type: list of string

Default: [ ]

Example:

[
  "-detectsleep"
]

Declared by:

<nixpkgs/nixos/modules/services/x11/xautolock.nix>
services.xserver.xautolock.killer

The script to use when nothing has happened for as long as killtime

Type: null or string

Default: null

Example: "/run/current-system/systemd/bin/systemctl suspend"

Declared by:

<nixpkgs/nixos/modules/services/x11/xautolock.nix>
services.xserver.xautolock.killtime

Minutes xautolock waits until it executes the script specified in killer (Has to be at least 10 minutes)

Type: signed integer

Default: 20

Declared by:

<nixpkgs/nixos/modules/services/x11/xautolock.nix>
services.xserver.xautolock.locker

The script to use when automatically locking the computer.

Type: string

Default: "${pkgs.xlockmore}/bin/xlock"

Example: "${pkgs.i3lock}/bin/i3lock -i /path/to/img"

Declared by:

<nixpkgs/nixos/modules/services/x11/xautolock.nix>
services.xserver.xautolock.notifier

Notification script to be used to warn about the pending autolock.

Type: null or string

Default: null

Example: "${pkgs.libnotify}/bin/notify-send 'Locking in 10 seconds'"

Declared by:

<nixpkgs/nixos/modules/services/x11/xautolock.nix>
services.xserver.xautolock.notify

Time (in seconds) before the actual lock when the notification about the pending lock should be published.

Type: signed integer

Default: 10

Declared by:

<nixpkgs/nixos/modules/services/x11/xautolock.nix>
services.xserver.xautolock.nowlocker

The script to use when manually locking the computer with xautolock -locknow.

Type: null or string

Default: null

Example: "${pkgs.i3lock}/bin/i3lock -i /path/to/img"

Declared by:

<nixpkgs/nixos/modules/services/x11/xautolock.nix>
services.xserver.xautolock.time

Idle time (in minutes) to wait until xautolock locks the computer.

Type: signed integer

Default: 15

Declared by:

<nixpkgs/nixos/modules/services/x11/xautolock.nix>
services.xserver.xkb.dir

Path used for -xkbdir xserver parameter.

Type: path

Default: "${pkgs.xkeyboard_config}/etc/X11/xkb"

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.xkb.extraLayouts

Extra custom layouts that will be included in the xkb configuration. Information on how to create a new layout can be found here: https://www.x.org/releases/current/doc/xorg-docs/input/XKB-Enhancing.html#Defining_New_Layouts. For more examples see https://wiki.archlinux.org/index.php/X_KeyBoard_extension#Basic_examples

Type: attribute set of (submodule)

Default: { }

Example:

{
  mine = {
    description = "My custom xkb layout.";
    languages = [ "eng" ];
    symbolsFile = /path/to/my/layout;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/x11/extra-layouts.nix>
services.xserver.xkb.extraLayouts.<name>.compatFile

The path to the xkb compat file. This file sets the compatibility state, used to preserve compatibility with xkb-unaware programs. It must contain a xkb_compat "name" { ... } block.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/x11/extra-layouts.nix>
services.xserver.xkb.extraLayouts.<name>.description

A short description of the layout.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/x11/extra-layouts.nix>
services.xserver.xkb.extraLayouts.<name>.geometryFile

The path to the xkb geometry file. This (completely optional) file describes the physical layout of keyboard, which maybe be used by programs to depict it. It must contain a xkb_geometry "name" { ... } block.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/x11/extra-layouts.nix>
services.xserver.xkb.extraLayouts.<name>.keycodesFile

The path to the xkb keycodes file. This file specifies the range and the interpretation of the raw keycodes sent by the keyboard. It must contain a xkb_keycodes "name" { ... } block.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/x11/extra-layouts.nix>
services.xserver.xkb.extraLayouts.<name>.languages

A list of languages provided by the layout. (Use ISO 639-2 codes, for example: “eng” for english)

Type: list of string

Declared by:

<nixpkgs/nixos/modules/services/x11/extra-layouts.nix>
services.xserver.xkb.extraLayouts.<name>.symbolsFile

The path to the xkb symbols file. This is the most important file: it defines which symbol or action maps to each key and must contain a xkb_symbols "name" { ... } block.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/x11/extra-layouts.nix>
services.xserver.xkb.extraLayouts.<name>.typesFile

The path to the xkb types file. This file specifies the key types that can be associated with the various keyboard keys. It must contain a xkb_types "name" { ... } block.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/x11/extra-layouts.nix>
services.xserver.xkb.layout

X keyboard layout, or multiple keyboard layouts separated by commas.

Type: string

Default: "us"

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.xkb.model

X keyboard model.

Type: string

Default: "pc104"

Example: "presario"

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.xkb.options

X keyboard options; layout switching goes here.

Type: strings concatenated with “,”

Default: "terminate:ctrl_alt_bksp"

Example: "grp:caps_toggle,grp_led:scroll"

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.xkb.variant

X keyboard variant.

Type: string

Default: ""

Example: "colemak"

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.xrandrHeads

Multiple monitor configuration, just specify a list of XRandR outputs. The individual elements should be either simple strings or an attribute set of output options.

If the element is a string, it is denoting the physical output for a monitor, if it’s an attribute set, you must at least provide the output option.

The monitors will be mapped from left to right in the order of the list.

By default, the first monitor will be set as the primary monitor if none of the elements contain an option that has set primary to true.

Note

Only one monitor is allowed to be primary.

Be careful using this option with multiple graphic adapters or with drivers that have poor support for XRandR, unexpected things might happen with those.

Type: list of ((submodule) or string convertible to it)

Default: [ ]

Example:

[
  "HDMI-0"
  {
    output = "DVI-0";
    primary = true;
  }
  {
    monitorConfig = "Option \"Rotate\" \"left\"";
    output = "DVI-1";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.xrandrHeads.*.monitorConfig

Extra lines to append to the Monitor section verbatim. Available options are documented in the MONITOR section in xorg.conf(5).

Type: strings concatenated with “\n”

Default: ""

Example:

''
  DisplaySize 408 306
  Option "DPMS" "false"
''

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.xrandrHeads.*.output

The output name of the monitor, as shown by xrandr(1) invoked without arguments.

Type: string

Example: "DVI-0"

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xserver.xrandrHeads.*.primary

Whether this head is treated as the primary monitor,

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/x11/xserver.nix>
services.xtreemfs.enable

Whether to enable XtreemFS.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.dir.enable

Whether to enable XtreemFS DIR service.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.dir.address

If specified, it defines the interface to listen on. If not specified, the service will listen on all interfaces (any).

Type: string

Default: ""

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.dir.extraConfig

Configuration of XtreemFS DIR service. WARNING: configuration is saved as plaintext inside nix store. For more options: https://www.xtreemfs.org/xtfs-guide-1.5.1/index.html

Type: strings concatenated with “\n”

Default: ""

Example:

''
  # specify whether SSL is required
  ssl.enabled = true
  ssl.service_creds.pw = passphrase
  ssl.service_creds.container = pkcs12
  ssl.service_creds = /etc/xos/xtreemfs/truststore/certs/dir.p12
  ssl.trusted_certs = /etc/xos/xtreemfs/truststore/certs/trusted.jks
  ssl.trusted_certs.pw = jks_passphrase
  ssl.trusted_certs.container = jks
''

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.dir.httpPort

Specifies the listen port for the HTTP service that returns the status page.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 30638

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.dir.port

The port to listen on for incoming connections (TCP).

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 32638

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.dir.replication.enable

Whether to enable XtreemFS DIR replication plugin.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.dir.replication.extraConfig

Configuration of XtreemFS DIR replication plugin. WARNING: configuration is saved as plaintext inside nix store. For more options: https://www.xtreemfs.org/xtfs-guide-1.5.1/index.html

Type: strings concatenated with “\n”

Example:

''
  # participants of the replication including this replica
  babudb.repl.participant.0 = 192.168.0.10
  babudb.repl.participant.0.port = 35676
  babudb.repl.participant.1 = 192.168.0.11
  babudb.repl.participant.1.port = 35676
  babudb.repl.participant.2 = 192.168.0.12
  babudb.repl.participant.2.port = 35676
  
  # number of servers that at least have to be up to date
  # To have a fault-tolerant system, this value has to be set to the
  # majority of nodes i.e., if you have three replicas, set this to 2
  # Please note that a setup with two nodes provides no fault-tolerance.
  babudb.repl.sync.n = 2
  
  # specify whether SSL is required
  babudb.ssl.enabled = true
  
  babudb.ssl.protocol = tlsv12
  
  # server credentials for SSL handshakes
  babudb.ssl.service_creds = /etc/xos/xtreemfs/truststore/certs/osd.p12
  babudb.ssl.service_creds.pw = passphrase
  babudb.ssl.service_creds.container = pkcs12
  
  # trusted certificates for SSL handshakes
  babudb.ssl.trusted_certs = /etc/xos/xtreemfs/truststore/certs/trusted.jks
  babudb.ssl.trusted_certs.pw = jks_passphrase
  babudb.ssl.trusted_certs.container = jks
  
  babudb.ssl.authenticationWithoutEncryption = false
''

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.dir.syncMode

The sync mode influences how operations are committed to the disk log before the operation is acknowledged to the caller.

-ASYNC mode the writes to the disk log are buffered in memory by the operating system. This is the fastest mode but will lead to data loss in case of a crash, kernel panic or power failure. -SYNC_WRITE_METADATA opens the file with O_SYNC, the system will not buffer any writes. The operation will be acknowledged when data has been safely written to disk. This mode is slow but offers maximum data safety. However, BabuDB cannot influence the disk drive caches, this depends on the OS and hard disk model. -SYNC_WRITE similar to SYNC_WRITE_METADATA but opens file with O_DSYNC which means that only the data is commit to disk. This can lead to some data loss depending on the implementation of the underlying file system. Linux does not implement this mode. -FDATASYNC is similar to SYNC_WRITE but opens the file in asynchronous mode and calls fdatasync() after writing the data to disk. -FSYNC is similar to SYNC_WRITE_METADATA but opens the file in asynchronous mode and calls fsync() after writing the data to disk.

For best throughput use ASYNC, for maximum data safety use FSYNC.

(If xtreemfs.dir.replication.enable is true then FDATASYNC is forced)

Type: one of “ASYNC”, “SYNC_WRITE_METADATA”, “SYNC_WRITE”, “FDATASYNC”, “FSYNC”

Default: "FSYNC"

Example: "FDATASYNC"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.dir.uuid

Must be set to a unique identifier, preferably a UUID according to RFC 4122. UUIDs can be generated with uuidgen command, found in the util-linux package.

Type: string

Example: "eacb6bab-f444-4ebf-a06a-3f72d7465e40"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.homeDir

XtreemFS home dir for the xtreemfs user.

Type: path

Default: "/var/lib/xtreemfs"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.mrc.enable

Whether to enable XtreemFS MRC service.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.mrc.address

If specified, it defines the interface to listen on. If not specified, the service will listen on all interfaces (any).

Type: string

Default: ""

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.mrc.extraConfig

Configuration of XtreemFS MRC service. WARNING: configuration is saved as plaintext inside nix store. For more options: https://www.xtreemfs.org/xtfs-guide-1.5.1/index.html

Type: strings concatenated with “\n”

Example:

''
  osd_check_interval = 300
  no_atime = true
  local_clock_renewal = 0
  remote_time_sync = 30000
  authentication_provider = org.xtreemfs.common.auth.NullAuthProvider
  
  # shared secret between the MRC and all OSDs
  capability_secret = iNG8UuQJrJ6XVDTe
  
  dir_service.host = 192.168.0.10
  dir_service.port = 32638
  
  # if replication is enabled
  dir_service.1.host = 192.168.0.11
  dir_service.1.port = 32638
  dir_service.2.host = 192.168.0.12
  dir_service.2.port = 32638
  
  # specify whether SSL is required
  ssl.enabled = true
  ssl.protocol = tlsv12
  ssl.service_creds.pw = passphrase
  ssl.service_creds.container = pkcs12
  ssl.service_creds = /etc/xos/xtreemfs/truststore/certs/mrc.p12
  ssl.trusted_certs = /etc/xos/xtreemfs/truststore/certs/trusted.jks
  ssl.trusted_certs.pw = jks_passphrase
  ssl.trusted_certs.container = jks
''

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.mrc.httpPort

Specifies the listen port for the HTTP service that returns the status page.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 30636

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.mrc.port

The port to listen on for incoming connections (TCP).

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 32636

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.mrc.replication.enable

Whether to enable XtreemFS MRC replication plugin.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.mrc.replication.extraConfig

Configuration of XtreemFS MRC replication plugin. WARNING: configuration is saved as plaintext inside nix store. For more options: https://www.xtreemfs.org/xtfs-guide-1.5.1/index.html

Type: strings concatenated with “\n”

Example:

''
  # participants of the replication including this replica
  babudb.repl.participant.0 = 192.168.0.10
  babudb.repl.participant.0.port = 35678
  babudb.repl.participant.1 = 192.168.0.11
  babudb.repl.participant.1.port = 35678
  babudb.repl.participant.2 = 192.168.0.12
  babudb.repl.participant.2.port = 35678
  
  # number of servers that at least have to be up to date
  # To have a fault-tolerant system, this value has to be set to the
  # majority of nodes i.e., if you have three replicas, set this to 2
  # Please note that a setup with two nodes provides no fault-tolerance.
  babudb.repl.sync.n = 2
  
  # specify whether SSL is required
  babudb.ssl.enabled = true
  
  babudb.ssl.protocol = tlsv12
  
  # server credentials for SSL handshakes
  babudb.ssl.service_creds = /etc/xos/xtreemfs/truststore/certs/osd.p12
  babudb.ssl.service_creds.pw = passphrase
  babudb.ssl.service_creds.container = pkcs12
  
  # trusted certificates for SSL handshakes
  babudb.ssl.trusted_certs = /etc/xos/xtreemfs/truststore/certs/trusted.jks
  babudb.ssl.trusted_certs.pw = jks_passphrase
  babudb.ssl.trusted_certs.container = jks
  
  babudb.ssl.authenticationWithoutEncryption = false
''

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.mrc.syncMode

The sync mode influences how operations are committed to the disk log before the operation is acknowledged to the caller.

-ASYNC mode the writes to the disk log are buffered in memory by the operating system. This is the fastest mode but will lead to data loss in case of a crash, kernel panic or power failure. -SYNC_WRITE_METADATA opens the file with O_SYNC, the system will not buffer any writes. The operation will be acknowledged when data has been safely written to disk. This mode is slow but offers maximum data safety. However, BabuDB cannot influence the disk drive caches, this depends on the OS and hard disk model. -SYNC_WRITE similar to SYNC_WRITE_METADATA but opens file with O_DSYNC which means that only the data is commit to disk. This can lead to some data loss depending on the implementation of the underlying file system. Linux does not implement this mode. -FDATASYNC is similar to SYNC_WRITE but opens the file in asynchronous mode and calls fdatasync() after writing the data to disk. -FSYNC is similar to SYNC_WRITE_METADATA but opens the file in asynchronous mode and calls fsync() after writing the data to disk.

For best throughput use ASYNC, for maximum data safety use FSYNC.

(If xtreemfs.mrc.replication.enable is true then FDATASYNC is forced)

Type: one of “ASYNC”, “SYNC_WRITE_METADATA”, “SYNC_WRITE”, “FDATASYNC”, “FSYNC”

Default: "FSYNC"

Example: "FDATASYNC"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.mrc.uuid

Must be set to a unique identifier, preferably a UUID according to RFC 4122. UUIDs can be generated with uuidgen command, found in the util-linux package.

Type: string

Example: "eacb6bab-f444-4ebf-a06a-3f72d7465e41"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.osd.enable

Whether to enable XtreemFS OSD service.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.osd.address

If specified, it defines the interface to listen on. If not specified, the service will listen on all interfaces (any).

Type: string

Default: ""

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.osd.extraConfig

Configuration of XtreemFS OSD service. WARNING: configuration is saved as plaintext inside nix store. For more options: https://www.xtreemfs.org/xtfs-guide-1.5.1/index.html

Type: strings concatenated with “\n”

Example:

''
  local_clock_renewal = 0
  remote_time_sync = 30000
  report_free_space = true
  capability_secret = iNG8UuQJrJ6XVDTe
  
  dir_service.host = 192.168.0.10
  dir_service.port = 32638
  
  # if replication is used
  dir_service.1.host = 192.168.0.11
  dir_service.1.port = 32638
  dir_service.2.host = 192.168.0.12
  dir_service.2.port = 32638
  
  # specify whether SSL is required
  ssl.enabled = true
  ssl.service_creds.pw = passphrase
  ssl.service_creds.container = pkcs12
  ssl.service_creds = /etc/xos/xtreemfs/truststore/certs/osd.p12
  ssl.trusted_certs = /etc/xos/xtreemfs/truststore/certs/trusted.jks
  ssl.trusted_certs.pw = jks_passphrase
  ssl.trusted_certs.container = jks
''

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.osd.httpPort

Specifies the listen port for the HTTP service that returns the status page.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 30640

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.osd.port

The port to listen on for incoming connections (TCP and UDP).

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 32640

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.xtreemfs.osd.uuid

Must be set to a unique identifier, preferably a UUID according to RFC 4122. UUIDs can be generated with uuidgen command, found in the util-linux package.

Type: string

Example: "eacb6bab-f444-4ebf-a06a-3f72d7465e42"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/xtreemfs.nix>
services.yandex-disk.enable

Whether to enable Yandex-disk client. See https://disk.yandex.ru/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/yandex-disk.nix>
services.yandex-disk.directory

The directory to use for Yandex.Disk storage

Type: path

Default: "/home/Yandex.Disk"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/yandex-disk.nix>
services.yandex-disk.excludes

Comma-separated list of directories which are excluded from synchronization.

Type: strings concatenated with “,”

Default: ""

Example: "data,backup"

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/yandex-disk.nix>
services.yandex-disk.password

Your yandex.com password. Warning: it will be world-readable in /nix/store.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/yandex-disk.nix>
services.yandex-disk.user

The user the yandex-disk daemon should run as.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/yandex-disk.nix>
services.yandex-disk.username

Your yandex.com login name.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/network-filesystems/yandex-disk.nix>
services.yggdrasil.enable

Whether to enable the yggdrasil system service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/yggdrasil.nix>
services.yggdrasil.package

The yggdrasil package to use.

Type: package

Default: pkgs.yggdrasil

Declared by:

<nixpkgs/nixos/modules/services/networking/yggdrasil.nix>
services.yggdrasil.configFile

A file which contains JSON or HJSON configuration for yggdrasil. See the settings option for more information.

Note: This file must not be larger than 1 MB because it is passed to the yggdrasil process via systemd‘s LoadCredential mechanism. For details, see https://systemd.io/CREDENTIALS/ and man 5 systemd.exec.

Type: null or path

Default: null

Example: "/run/keys/yggdrasil.conf"

Declared by:

<nixpkgs/nixos/modules/services/networking/yggdrasil.nix>
services.yggdrasil.denyDhcpcdInterfaces

Disable the DHCP client for any interface whose name matches any of the shell glob patterns in this list. Use this option to prevent the DHCP client from broadcasting requests on the yggdrasil network. It is only necessary to do so when yggdrasil is running in TAP mode, because TUN interfaces do not support broadcasting.

Type: list of string

Default: [ ]

Example:

[
  "tap*"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/yggdrasil.nix>
services.yggdrasil.extraArgs

Extra command line arguments.

Type: list of string

Default: [ ]

Example:

[
  "-loglevel"
  "info"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/yggdrasil.nix>
services.yggdrasil.group

Group to grant access to the Yggdrasil control socket. If null, only root can access the socket.

Type: null or string

Default: null

Example: "wheel"

Declared by:

<nixpkgs/nixos/modules/services/networking/yggdrasil.nix>
services.yggdrasil.openMulticastPort

Whether to open the UDP port used for multicast peer discovery. The NixOS firewall blocks link-local communication, so in order to make incoming local peering work you will also need to configure MulticastInterfaces in your Yggdrasil configuration (settings or configFile). You will then have to add the ports that you configure there to your firewall configuration (networking.firewall.allowedTCPPorts or networking.firewall.interfaces.<name>.allowedTCPPorts).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/yggdrasil.nix>
services.yggdrasil.persistentKeys

Whether to enable persistent keys. If enabled then keys will be generated once and Yggdrasil will retain the same IPv6 address when the service is restarted. Keys are stored at /var/lib/yggdrasil/keys.json .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/yggdrasil.nix>
services.yggdrasil.settings

Configuration for yggdrasil, as a Nix attribute set.

Warning: this is stored in the WORLD-READABLE Nix store! Therefore, it is not appropriate for private keys. If you wish to specify the keys, use configFile.

If the persistentKeys is enabled then the keys that are generated during activation will override those in settings or configFile.

If no keys are specified then ephemeral keys are generated and the Yggdrasil interface will have a random IPv6 address each time the service is started. This is the default.

If both configFile and settings are supplied, they will be combined, with values from configFile taking precedence.

You can use the command nix-shell -p yggdrasil --run "yggdrasil -genconf" to generate default configuration values with documentation.

Type: JSON value

Default: { }

Example:

{
  Listen = [
    "tcp://0.0.0.0:xxxxx"
  ];
  Peers = [
    "tcp://aa.bb.cc.dd:eeeee"
    "tcp://[aaaa:bbbb:cccc:dddd::eeee]:fffff"
  ];
}

Declared by:

<nixpkgs/nixos/modules/services/networking/yggdrasil.nix>
services.ympd.enable

Whether to enable ympd, the MPD Web GUI.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/audio/ympd.nix>
services.ympd.mpd.host

The host where MPD is listening.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/audio/ympd.nix>
services.ympd.mpd.port

The port where MPD is listening.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: config.services.mpd.network.port

Example: 6600

Declared by:

<nixpkgs/nixos/modules/services/audio/ympd.nix>
services.ympd.webPort

The port where ympd’s web interface will be available.

Type: string or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: "8080"

Example: "ssl://8080:/path/to/ssl-private-key.pem"

Declared by:

<nixpkgs/nixos/modules/services/audio/ympd.nix>
services.your_spotify.enable

Whether to enable your_spotify.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/your_spotify.nix>
services.your_spotify.enableLocalDB

Whether to enable a local mongodb instance.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/your_spotify.nix>
services.your_spotify.package

The your_spotify package to use.

Type: package

Default: pkgs.your_spotify

Declared by:

<nixpkgs/nixos/modules/services/web-apps/your_spotify.nix>
services.your_spotify.clientPackage

Client package to use.

Type: package

Declared by:

<nixpkgs/nixos/modules/services/web-apps/your_spotify.nix>
services.your_spotify.nginxVirtualHost

If set creates an nginx virtual host for the client. In most cases this should be the CLIENT_ENDPOINT without protocol prefix.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/your_spotify.nix>
services.your_spotify.settings

Your Spotify Configuration. Refer to Your Spotify for definitions and values.

Type: attribute set of string

Example:

{
  CLIENT_ENDPOINT = "https://example.com";
  API_ENDPOINT = "https://api.example.com";
  SPOTIFY_PUBLIC = "spotify_client_id";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/your_spotify.nix>
services.your_spotify.settings.API_ENDPOINT

The endpoint of your server This api has to be reachable from the device you use the website from not from the server. This means that for example you may need two nginx virtual hosts if you want to expose this on the internet. Has to include a protocol Prefix (e.g. http://)

Type: string

Example: "https://localhost:3000"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/your_spotify.nix>
services.your_spotify.settings.CLIENT_ENDPOINT

The endpoint of your web application. Has to include a protocol Prefix (e.g. http://)

Type: string

Example: "https://your_spotify.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/your_spotify.nix>
services.your_spotify.settings.MONGO_ENDPOINT

The endpoint of the Mongo database.

Type: string

Default: "mongodb://localhost:27017/your_spotify"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/your_spotify.nix>
services.your_spotify.settings.PORT

The port of the api server

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/your_spotify.nix>
services.your_spotify.settings.SPOTIFY_PUBLIC

The public client ID of your Spotify application. Refer to: Creating the Spotify Application

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/your_spotify.nix>
services.your_spotify.spotifySecretFile

A file containing the secret key of your Spotify application. Refer to: Creating the Spotify Application.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/your_spotify.nix>
services.youtrack.enable

Whether to enable YouTrack service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/youtrack.nix>
services.youtrack.package

Package to use.

Type: package

Default: pkgs.youtrack

Declared by:

<nixpkgs/nixos/modules/services/web-apps/youtrack.nix>
services.youtrack.address

The interface youtrack will listen on.

Type: string

Default: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/youtrack.nix>
services.youtrack.autoUpgrade

Whether YouTrack should auto upgrade it without showing the upgrade dialog.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/youtrack.nix>
services.youtrack.environmentalParameters

Environmental configuration parameters, set imperatively. The values doesn’t get removed, when removed in Nix. See https://www.jetbrains.com/help/youtrack/server/2023.3/youtrack-java-start-parameters.html#environmental-parameters for more information.

Type: attribute set of (signed integer or string or 16 bit unsigned integer; between 0 and 65535 (both inclusive))

Default: { }

Example:

{
  secure-mode = "tls";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/youtrack.nix>
services.youtrack.environmentalParameters.listen-address

The interface YouTrack will listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/youtrack.nix>
services.youtrack.environmentalParameters.listen-port

The port YouTrack will listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/youtrack.nix>
services.youtrack.generalParameters

General configuration parameters and other JVM options. See https://www.jetbrains.com/help/youtrack/server/2023.3/youtrack-java-start-parameters.html#general-parameters for more information.

Type: list of string

Default: [ ]

Example:

[
  "-Djetbrains.youtrack.admin.restore=true"
  "-Xmx1024m"
];

Declared by:

<nixpkgs/nixos/modules/services/web-apps/youtrack.nix>
services.youtrack.statePath

Path were the YouTrack state is stored. To this path the base version (e.g. 2023_1) of the used package will be appended.

Type: path

Default: "/var/lib/youtrack"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/youtrack.nix>
services.youtrack.virtualHost

Name of the nginx virtual host to use and setup. If null, do not setup anything.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/youtrack.nix>
services.yubikey-agent.enable

Whether to start yubikey-agent when you log in. Also sets SSH_AUTH_SOCK to point at yubikey-agent.

Note that yubikey-agent will use whatever pinentry is specified in programs.gnupg.agent.pinentryPackage.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/security/yubikey-agent.nix>
services.yubikey-agent.package

The yubikey-agent package to use.

Type: package

Default: pkgs.yubikey-agent

Declared by:

<nixpkgs/nixos/modules/services/security/yubikey-agent.nix>
services.zabbixAgent.enable

Whether to enable the Zabbix Agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix>
services.zabbixAgent.package

The agent package to use.

Type: package

Default: pkgs.zabbix.agent

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix>
services.zabbixAgent.extraPackages

Packages to be added to the Zabbix PATH. Typically used to add executables for scripts, but can be anything.

Type: list of package

Default: with pkgs; [ nettools ]

Example: with pkgs; [ nettools mysql ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix>
services.zabbixAgent.listen.ip

List of comma delimited IP addresses that the agent should listen on.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix>
services.zabbixAgent.listen.port

Agent will listen on this port for connections from the server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 10050

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix>
services.zabbixAgent.modules

A set of modules to load.

Type: attribute set of package

Default: { }

Example:

{
  "dummy.so" = pkgs.stdenv.mkDerivation {
    name = "zabbix-dummy-module-${cfg.package.version}";
    src = cfg.package.src;
    buildInputs = [ cfg.package ];
    sourceRoot = "zabbix-${cfg.package.version}/src/modules/dummy";
    installPhase = ''
      mkdir -p $out/lib
      cp dummy.so $out/lib/
    '';
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix>
services.zabbixAgent.openFirewall

Open ports in the firewall for the Zabbix Agent.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix>
services.zabbixAgent.server

The IP address or hostname of the Zabbix server to connect to.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix>
services.zabbixAgent.settings

Zabbix Agent configuration. Refer to https://www.zabbix.com/documentation/current/manual/appendix/config/zabbix_agentd for details on supported values.

Type: attribute set of (signed integer or string or list of string)

Default: { }

Example:

{
  DebugLevel = 4;
  Hostname = "example.org";
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-agent.nix>
services.zabbixProxy.enable

Whether to enable the Zabbix Proxy.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.package

The Zabbix package to use.

Type: package

Default: pkgs.zabbix.proxy-pgsql

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.database.createLocally

Whether to create a local database automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.database.name

Database name.

Type: string

Default: zabbix

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/zabbix-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

if config.services.zabbixProxy.database.type == "mysql"
then config.services.mysql.port
else config.services.postgresql.settings.port

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.database.socket

Path to the unix socket file to use for authentication.

Type: null or path

Default: null

Example: "/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.database.type

Database engine to use.

Type: one of “mysql”, “pgsql”, “sqlite”

Default: "pgsql"

Example: "mysql"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.database.user

Database user.

Type: string

Default: "zabbix"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.extraPackages

Packages to be added to the Zabbix PATH. Typically used to add executables for scripts, but can be anything.

Type: list of package

Default: [ nettools nmap traceroute ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.listen.ip

List of comma delimited IP addresses that the trapper should listen on. Trapper will listen on all network interfaces if this parameter is missing.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.listen.port

Listen port for trapper.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 10051

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.modules

A set of modules to load.

Type: attribute set of package

Default: { }

Example:

{
  "dummy.so" = pkgs.stdenv.mkDerivation {
    name = "zabbix-dummy-module-${cfg.package.version}";
    src = cfg.package.src;
    buildInputs = [ cfg.package ];
    sourceRoot = "zabbix-${cfg.package.version}/src/modules/dummy";
    installPhase = ''
      mkdir -p $out/lib
      cp dummy.so $out/lib/
    '';
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.openFirewall

Open ports in the firewall for the Zabbix Proxy.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.server

The IP address or hostname of the Zabbix server to connect to.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixProxy.settings

Zabbix Proxy configuration. Refer to https://www.zabbix.com/documentation/current/manual/appendix/config/zabbix_proxy for details on supported values.

Type: attribute set of (signed integer or string or list of string)

Default: { }

Example:

{
  CacheSize = "1G";
  SSHKeyLocation = "/var/lib/zabbix/.ssh";
  StartPingers = 32;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-proxy.nix>
services.zabbixServer.enable

Whether to enable the Zabbix Server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.package

The Zabbix package to use.

Type: package

Default: pkgs.zabbix.server-pgsql

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.database.createLocally

Whether to create a local database automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.database.host

Database host address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.database.name

Database name.

Type: string

Default: "zabbix"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/zabbix-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

if config.services.zabbixServer.database.type == "mysql"
then config.services.mysql.port
else config.services.postgresql.settings.port

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.database.socket

Path to the unix socket file to use for authentication.

Type: null or path

Default: null

Example: "/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.database.type

Database engine to use.

Type: one of “mysql”, “pgsql”

Default: "pgsql"

Example: "mysql"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.database.user

Database user.

Type: string

Default: "zabbix"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.extraPackages

Packages to be added to the Zabbix PATH. Typically used to add executables for scripts, but can be anything.

Type: list of package

Default: [ nettools nmap traceroute ]

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.listen.ip

List of comma delimited IP addresses that the trapper should listen on. Trapper will listen on all network interfaces if this parameter is missing.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.listen.port

Listen port for trapper.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 10051

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.modules

A set of modules to load.

Type: attribute set of package

Default: { }

Example:

{
  "dummy.so" = pkgs.stdenv.mkDerivation {
    name = "zabbix-dummy-module-${cfg.package.version}";
    src = cfg.package.src;
    buildInputs = [ cfg.package ];
    sourceRoot = "zabbix-${cfg.package.version}/src/modules/dummy";
    installPhase = ''
      mkdir -p $out/lib
      cp dummy.so $out/lib/
    '';
  };
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.openFirewall

Open ports in the firewall for the Zabbix Server.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixServer.settings

Zabbix Server configuration. Refer to https://www.zabbix.com/documentation/current/manual/appendix/config/zabbix_server for details on supported values.

Type: attribute set of (signed integer or string or list of string)

Default: { }

Example:

{
  CacheSize = "1G";
  SSHKeyLocation = "/var/lib/zabbix/.ssh";
  StartPingers = 32;
}

Declared by:

<nixpkgs/nixos/modules/services/monitoring/zabbix-server.nix>
services.zabbixWeb.enable

Whether to enable the Zabbix web interface.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.package

The web package to use.

Type: package

Default: pkgs.zabbix.web

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.database.host

Database host address.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.database.name

Database name.

Type: string

Default: "zabbix"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.database.passwordFile

A file containing the password corresponding to database.user.

Type: null or path

Default: null

Example: "/run/keys/zabbix-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.database.port

Database host port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

if config.services.zabbixWeb.database.type == "mysql" then config.services.mysql.port
else if config.services.zabbixWeb.database.type == "pgsql" then config.services.postgresql.settings.port
else 1521

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.database.socket

Path to the unix socket file to use for authentication.

Type: null or path

Default: null

Example: "/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.database.type

Database engine to use.

Type: one of “mysql”, “pgsql”, “oracle”

Default: "pgsql"

Example: "mysql"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.database.user

Database user.

Type: string

Default: "zabbix"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.extraConfig

Additional configuration to be copied verbatim into zabbix.conf.php.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.frontend

Frontend server to use.

Type: one of “nginx”, “httpd”

Default: "httpd"

Example: "nginx"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.hostname

Hostname for either nginx or httpd.

Type: string

Default: "zabbix.local"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost

Apache configuration can be done by adapting services.httpd.virtualHosts.<name>. See services.httpd.virtualHosts for further information.

Type: submodule

Default: { }

Example:

{
  hostName = "zabbix.example.org";
  adminAddr = "webmaster@example.org";
  forceSSL = true;
  enableACME = true;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.enableUserDir

Whether to enable serving ~/public_html as /~«username».

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.acmeRoot

Directory for the acme challenge which is PUBLIC, don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.adminAddr

E-mail address of the server administrator.

Type: null or string

Default: null

Example: "admin@example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.documentRoot

The path of Apache’s document root directory. If left undefined, an empty directory in the Nix store will be used as root.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.extraConfig

These lines go to httpd.conf verbatim. They will go after directories and directory aliases defined by default.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  <Directory /home>
    Options FollowSymlinks
    AllowOverride All
  </Directory>
''

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.forceSSL

Whether to add a separate nginx server block that permanently redirects (301) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.globalRedirect

If set, all requests for this host are redirected permanently to the given URL.

Type: null or string

Default: null

Example: "http://newserver.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.hostName

Canonical hostname for the server.

Type: string

Default: "‹name›"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.http2

Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. However, if you use the prefork mpm, there will be severe restrictions. Refer to https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config for details.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.listen

Listen addresses and ports for this virtual host.

Note

This option overrides addSSL, forceSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    ip = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    ip = "192.154.1.1";
    port = 80;
  }
  {
    ip = "*";
    port = 8080;
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.listen.*.ip

IP to listen on. 0.0.0.0 for IPv4 only, * for all.

Type: string

Default: "*"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.listen.*.port

Port to listen on

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.listen.*.ssl

Whether to enable SSL (https) support.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Type: non-empty (list of string)

Default:

[
  "*"
]

Example:

[
  "127.0.0.1"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.locations

Declarative location config. See https://httpd.apache.org/docs/2.4/mod/core.html#location for details.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
  "/foo/bar.png" = {
    alias = "/home/eelco/some-file.png";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.locations.<name>.alias

Alias directory for requests. See https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.locations.<name>.index

Adds DirectoryIndex directive. See https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.locations.<name>.proxyPass

Sets up a simple reverse proxy as described by https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.logFormat

Log format for Apache’s log files. Possible values are: combined, common, referer, agent.

Type: string

Default: "common"

Example: "combined"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.robotsEntries

Specification of pages to be ignored by web crawlers. See http://www.robotstxt.org/ for details.

Type: strings concatenated with “\n”

Default: ""

Example: "Disallow: /foo/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.servedDirs

This option provides a simple way to serve static directories.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    dir = "/home/eelco/Dev/nix-homepage";
    urlPath = "/nix";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.servedFiles

This option provides a simple way to serve individual, static files.

Note

This option has been deprecated and will be removed in a future version of NixOS. You can achieve the same result by making use of the locations.<name>.alias option.

Type: list of (attribute set)

Default: [ ]

Example:

[
  {
    file = "/home/eelco/some-file.png";
    urlPath = "/foo/bar.png";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "www.example.org:8080"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.sslServerCert

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.sslServerChain

Path to server SSL chain file.

Type: null or path

Default: null

Example: "/var/ca.pem"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.sslServerKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.httpd.virtualHost.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost

Nginx configuration can be done by adapting services.nginx.virtualHosts.<name>. See services.nginx.virtualHosts for further information.

Type: submodule

Default: { }

Example:

{
  forceSSL = true;
  sslCertificateKey = "/etc/ssl/zabbix.key";
  sslCertificate = "/etc/ssl/zabbix.crt";
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.enableACME

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.acmeFallbackHost

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.acmeRoot

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.addSSL

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.default

Makes this vhost the default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.extraConfig

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.forceSSL

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.globalRedirect

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.http2

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.http3

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.http3_hq

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.kTLS

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.listen

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.listen.*.addr

Listen address.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.listen.*.extraParameters

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.listen.*.port

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.listen.*.proxyProtocol

Enable PROXY protocol.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.listen.*.ssl

Enable SSL.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.listenAddresses

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations.<name>.alias

Alias directory for requests.

Type: null or path

Default: null

Example: "/your/alias/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations.<name>.basicAuth

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

{
  user = "password";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations.<name>.basicAuthFile

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations.<name>.extraConfig

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations.<name>.fastcgiParams

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or path)

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations.<name>.index

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations.<name>.priority

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations.<name>.proxyPass

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations.<name>.proxyWebsockets

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations.<name>.recommendedProxySettings

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations.<name>.return

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations.<name>.root

Root directory for requests.

Type: null or path

Default: null

Example: "/your/root/directory"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.locations.<name>.tryFiles

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.onlySSL

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.quic

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.redirectCode

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.rejectSSL

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.reuseport

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.root

The path of the web root directory.

Type: null or path

Default: null

Example: "/data/webserver/docs"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.serverAliases

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.serverName

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.sslCertificate

Path to server SSL certificate.

Type: path

Example: "/var/host.cert"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.sslCertificateKey

Path to server SSL certificate key.

Type: path

Example: "/var/host.key"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.sslTrustedCertificate

Path to root SSL certificate for stapling and client certificates.

Type: null or path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.nginx.virtualHost.useACMEHost

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.poolConfig

Options for the Zabbix PHP pool. See the documentation on php-fpm.conf for details on configuration directives.

Type: attribute set of (string or signed integer or boolean)

Default:

{
  pm = "dynamic";
  "pm.max_children" = 32;
  "pm.max_requests" = 500;
  "pm.max_spare_servers" = 4;
  "pm.min_spare_servers" = 2;
  "pm.start_servers" = 2;
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.server.address

The IP address or hostname of the Zabbix server to connect to.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zabbixWeb.server.port

The port of the Zabbix server to connect to.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 10051

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zabbix.nix>
services.zammad.enable

Whether to enable Zammad, a web-based, open source user support/ticketing solution.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.package

The zammad package to use.

Type: package

Default: pkgs.zammad

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.dataDir

Path to a folder that will contain Zammad working directory.

Type: path

Default: "/var/lib/zammad"

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.database.createLocally

Whether to create a local database automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.database.host

Database host address.

Type: string

Default: "/run/postgresql"

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.database.name

Database name.

Type: string

Default: "zammad"

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.database.passwordFile

A file containing the password for services.zammad.database.user.

Type: null or path

Default: null

Example: "/run/keys/zammad-dbpassword"

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.database.port

Database port. Use null for default port.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.database.settings

The database.yml configuration file as key value set. See <TODO> for list of configuration parameters.

Type: YAML value

Default: { }

Example:

{
}

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.database.user

Database user.

Type: null or string

Default: "zammad"

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.group

Name of the Zammad group.

Type: string

Default: "zammad"

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.host

Host address.

Type: string

Default: "127.0.0.1"

Example: "192.168.23.42"

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.openPorts

Whether to open firewall ports for Zammad

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.port

Web service port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.redis.createLocally

Whether to create a local redis automatically.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.redis.host

Redis server address.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.redis.name

Name of the redis server. Only used if createLocally is set to true.

Type: string

Default: "zammad"

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.redis.port

Port of the redis server.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6379

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.secretKeyBaseFile

The path to a file containing the secret_key_base secret.

Zammad uses secret_key_base to encrypt the cookie store, which contains session data, and to digest user auth tokens.

Needs to be a 64 byte long string of hexadecimal characters. You can generate one by running

openssl rand -hex 64 >/path/to/secret_key_base_file

This should be a string, not a nix path, since nix paths are copied into the world-readable nix store.

Type: null or path

Default: null

Example: "/run/keys/secret_key_base"

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.user

Name of the Zammad user.

Type: string

Default: "zammad"

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zammad.websocketPort

Websocket service port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6042

Declared by:

<nixpkgs/nixos/modules/services/development/zammad.nix>
services.zapret.enable

Whether to enable the Zapret DPI bypass service…

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/zapret.nix>
services.zapret.package

The zapret package to use.

Type: package

Default: pkgs.zapret

Declared by:

<nixpkgs/nixos/modules/services/networking/zapret.nix>
services.zapret.blacklist

Specify a list of domains NOT to bypass. All other domains will be bypassed. You can specify either whitelist or blacklist, but not both. If neither are specified, then bypass all domains.

Type: list of string

Default: [ ]

Example:

''
  [
    "example.com"
  ]
''

Declared by:

<nixpkgs/nixos/modules/services/networking/zapret.nix>
services.zapret.configureFirewall

Whether to setup firewall routing so that system http(s) traffic is forwarded via this service. Disable if you want to set it up manually.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/zapret.nix>
services.zapret.httpMode

By default this service only changes the first packet sent, which is enough in most cases. But there are DPIs that monitor the whole traffic within a session. That requires full processing of every packet, which increases the CPU usage.

Set the mode to full if http doesn’t work.

Type: one of “first”, “full”

Default: "first"

Example: "full"

Declared by:

<nixpkgs/nixos/modules/services/networking/zapret.nix>
services.zapret.httpSupport

Whether to route http traffic on port 80. Http bypass rarely works and you might want to disable it if you don’t utilise http connections.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/zapret.nix>
services.zapret.params

Specify the bypass parameters for Zapret binary. There are no universal parameters as they vary between different networks, so you’ll have to find them yourself.

This can be done by running the blockcheck binary from zapret package, i.e. nix-shell -p zapret --command blockcheck. It’ll try different params and then tell you which params are working for your network.

Type: list of string

Default: [ ]

Example:

''
  [
    "--dpi-desync=fake,disorder2"
    "--dpi-desync-ttl=1"
    "--dpi-desync-autottl=2"
  ]
''

Declared by:

<nixpkgs/nixos/modules/services/networking/zapret.nix>
services.zapret.qnum

Routing queue number. Only change this if you already use the default queue number somewhere else.

Type: signed integer

Default: 200

Declared by:

<nixpkgs/nixos/modules/services/networking/zapret.nix>
services.zapret.udpPorts

List of UDP ports to route. Port ranges are delimited with a colon like this “50000:50099”.

Type: list of string

Default: [ ]

Example:

''
  [
    "50000:50099"
    "1234"
  ]
''

Declared by:

<nixpkgs/nixos/modules/services/networking/zapret.nix>
services.zapret.udpSupport

Enable UDP routing. This requires you to specify udpPorts and --dpi-desync-any-protocol parameter.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/zapret.nix>
services.zapret.whitelist

Specify a list of domains to bypass. All other domains will be ignored. You can specify either whitelist or blacklist, but not both. If neither are specified, then bypass all domains.

It is recommended to specify the whitelist. This will make sure that other resources won’t be affected by this service.

Type: list of string

Default: [ ]

Example:

''
  [
    "youtube.com"
    "googlevideo.com"
    "ytimg.com"
    "youtu.be"
  ]
''

Declared by:

<nixpkgs/nixos/modules/services/networking/zapret.nix>
services.zeitgeist.enable

Whether to enable zeitgeist, a service which logs the users’ activities and events.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/desktops/zeitgeist.nix>
services.zerobin.enable

Whether to enable 0bin.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/zerobin.nix>
services.zerobin.dataDir

Path to the 0bin data directory

Type: string

Default: "/var/lib/zerobin"

Declared by:

<nixpkgs/nixos/modules/services/networking/zerobin.nix>
services.zerobin.extraConfig

Extra configuration to be appended to the 0bin config file (see https://0bin.readthedocs.org/en/latest/en/options.html)

Type: strings concatenated with “\n”

Default: ""

Example:

''
  MENU = (
  ('Home', '/'),
  )
  COMPRESSED_STATIC_FILE = True
''

Declared by:

<nixpkgs/nixos/modules/services/networking/zerobin.nix>
services.zerobin.group

The group 0bin should run as

Type: string

Default: "zerobin"

Declared by:

<nixpkgs/nixos/modules/services/networking/zerobin.nix>
services.zerobin.listenAddress

The address zerobin should listen to

Type: string

Default: "localhost"

Example: "127.0.0.1"

Declared by:

<nixpkgs/nixos/modules/services/networking/zerobin.nix>
services.zerobin.listenPort

The port zerobin should listen on

Type: signed integer

Default: 8000

Example: 1357

Declared by:

<nixpkgs/nixos/modules/services/networking/zerobin.nix>
services.zerobin.user

The user 0bin should run as

Type: string

Default: "zerobin"

Declared by:

<nixpkgs/nixos/modules/services/networking/zerobin.nix>
services.zeronet.enable

Whether to enable zeronet.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronet.nix>
services.zeronet.package

The zeronet package to use.

Type: package

Default: pkgs.zeronet

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronet.nix>
services.zeronet.fileserverPort

Zeronet fileserver port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 12261

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronet.nix>
services.zeronet.port

Optional zeronet web UI port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 43110

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronet.nix>
services.zeronet.settings

zeronet.conf configuration. Refer to https://zeronet.readthedocs.io/en/latest/faq/#is-it-possible-to-use-a-configuration-file for details on supported values;

Type: attribute set of attribute set of (string or signed integer or boolean or list of string)

Default: { }

Example: { global.tor = enable; }

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronet.nix>
services.zeronet.tor

Use TOR for zeronet traffic where possible.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronet.nix>
services.zeronet.torAlways

Use TOR for all zeronet traffic.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronet.nix>
services.zeronsd.servedNetworks

ZeroTier Networks to start zeronsd instances for.

Type: attribute set of (submodule)

Default: { }

Example:

{
  a8a2c3c10c1a68de = {
    settings = {
      token = "/var/lib/zeronsd/apitoken";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronsd.nix>
services.zeronsd.servedNetworks.<name>.package

The zeronsd package to use.

Type: package

Default: pkgs.zeronsd

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronsd.nix>
services.zeronsd.servedNetworks.<name>.settings

Settings for zeronsd

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronsd.nix>
services.zeronsd.servedNetworks.<name>.settings.domain

Domain under which ZeroTier records will be available.

Type: (optionally newline-terminated) single-line string

Default: "home.arpa"

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronsd.nix>
services.zeronsd.servedNetworks.<name>.settings.log_level

Log Level.

Type: one of “off”, “error”, “warn”, “info”, “debug”, “trace”

Default: "warn"

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronsd.nix>
services.zeronsd.servedNetworks.<name>.settings.token

Path to a file containing the API Token for ZeroTier Central.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronsd.nix>
services.zeronsd.servedNetworks.<name>.settings.wildcard

Whether to serve a wildcard record for ZeroTier Nodes.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/zeronsd.nix>
services.zerotierone.enable

Whether to enable ZeroTierOne.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/zerotierone.nix>
services.zerotierone.package

The zerotierone package to use.

Type: package

Default: pkgs.zerotierone

Declared by:

<nixpkgs/nixos/modules/services/networking/zerotierone.nix>
services.zerotierone.joinNetworks

List of ZeroTier Network IDs to join on startup. Note that networks are only ever joined, but not automatically left after removing them from the list. To remove networks, use the ZeroTier CLI: zerotier-cli leave <network-id>

Type: list of string

Default: [ ]

Example:

[
  "a8a2c3c10c1a68de"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/zerotierone.nix>
services.zerotierone.localConf

Optional configuration to be written to the Zerotier JSON-based local.conf. If set, the configuration will be symlinked to /var/lib/zerotier-one/local.conf at build time. To understand the configuration format, refer to https://docs.zerotier.com/config/#local-configuration-options.

Type: JSON value

Default: { }

Example:

{
  settings = {
    allowTcpFallbackRelay = false;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/zerotierone.nix>
services.zerotierone.port

Network port used by ZeroTier.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 9993

Declared by:

<nixpkgs/nixos/modules/services/networking/zerotierone.nix>
services.zeyple.enable

Whether to enable Zeyple, an utility program to automatically encrypt outgoing emails with GPG.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/mail/zeyple.nix>
services.zeyple.group

Group to use to run Zeyple.

Note

If left as the default value this group will automatically be created on system activation, otherwise the sysadmin is responsible for ensuring the user exists.

Type: string

Default: "zeyple"

Declared by:

<nixpkgs/nixos/modules/services/mail/zeyple.nix>
services.zeyple.keys

List of public key files that will be imported by gpg.

Type: list of path

Declared by:

<nixpkgs/nixos/modules/services/mail/zeyple.nix>
services.zeyple.rotateLogs

Whether to enable rotation of log files.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/mail/zeyple.nix>
services.zeyple.settings

Zeyple configuration. refer to https://github.com/infertux/zeyple/blob/master/zeyple/zeyple.conf.example for details on supported values.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/mail/zeyple.nix>
services.zeyple.user

User to run Zeyple as.

Note

If left as the default value this user will automatically be created on system activation, otherwise the sysadmin is responsible for ensuring the user exists.

Type: string

Default: "zeyple"

Declared by:

<nixpkgs/nixos/modules/services/mail/zeyple.nix>
services.zfs.autoReplication.enable

Whether to enable ZFS snapshot replication.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/zfs-replication.nix>
services.zfs.autoReplication.followDelete

Remove remote snapshots that don’t have a local correspondent.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/backup/zfs-replication.nix>
services.zfs.autoReplication.host

Remote host where snapshots should be sent. lz4 is expected to be installed on this host.

Type: string

Example: "example.com"

Declared by:

<nixpkgs/nixos/modules/services/backup/zfs-replication.nix>
services.zfs.autoReplication.identityFilePath

Path to SSH key used to login to host.

Type: path

Example: "/home/username/.ssh/id_rsa"

Declared by:

<nixpkgs/nixos/modules/services/backup/zfs-replication.nix>
services.zfs.autoReplication.localFilesystem

Local ZFS filesystem from which snapshots should be sent. Defaults to the attribute name.

Type: string

Example: "pool/file/path"

Declared by:

<nixpkgs/nixos/modules/services/backup/zfs-replication.nix>
services.zfs.autoReplication.recursive

Recursively discover snapshots to send.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/backup/zfs-replication.nix>
services.zfs.autoReplication.remoteFilesystem

Remote ZFS filesystem where snapshots should be sent.

Type: string

Example: "pool/file/path"

Declared by:

<nixpkgs/nixos/modules/services/backup/zfs-replication.nix>
services.zfs.autoReplication.username

Username used by SSH to login to remote host.

Type: string

Example: "username"

Declared by:

<nixpkgs/nixos/modules/services/backup/zfs-replication.nix>
services.zfs.autoScrub.enable

Whether to enable periodic scrubbing of ZFS pools.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.autoScrub.interval

Systemd calendar expression when to scrub ZFS pools. See systemd.time(7).

Type: string

Default: "monthly"

Example: "quarterly"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.autoScrub.pools

List of ZFS pools to periodically scrub. If empty, all pools will be scrubbed.

Type: list of string

Default: [ ]

Example:

[
  "tank"
]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.autoScrub.randomizedDelaySec

Add a randomized delay before each ZFS autoscrub. The delay will be chosen between zero and this value. This value must be a time span in the format specified by systemd.time(7)

Type: string

Default: "6h"

Example: "12h"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.autoSnapshot.enable

Enable the (OpenSolaris-compatible) ZFS auto-snapshotting service. Note that you must set the com.sun:auto-snapshot property to true on all datasets which you wish to auto-snapshot.

You can override a child dataset to use, or not use auto-snapshotting by setting its flag with the given interval: zfs set com.sun:auto-snapshot:weekly=false DATASET

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.autoSnapshot.daily

Number of daily auto-snapshots that you wish to keep.

Type: signed integer

Default: 7

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.autoSnapshot.flags

Flags to pass to the zfs-auto-snapshot command.

Run zfs-auto-snapshot (without any arguments) to see available flags.

If it’s not too inconvenient for snapshots to have timestamps in UTC, it is suggested that you append --utc to the list of default options (see example).

Otherwise, snapshot names can cause name conflicts or apparent time reversals due to daylight savings, timezone or other date/time changes.

Type: string

Default: "-k -p"

Example: "-k -p --utc"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.autoSnapshot.frequent

Number of frequent (15-minute) auto-snapshots that you wish to keep.

Type: signed integer

Default: 4

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.autoSnapshot.hourly

Number of hourly auto-snapshots that you wish to keep.

Type: signed integer

Default: 24

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.autoSnapshot.monthly

Number of monthly auto-snapshots that you wish to keep.

Type: signed integer

Default: 12

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.autoSnapshot.weekly

Number of weekly auto-snapshots that you wish to keep.

Type: signed integer

Default: 4

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.expandOnBoot

After importing, expand each device in the specified pools.

Set the value to the plain string “all” to expand all pools on boot:

services.zfs.expandOnBoot = "all";

or set the value to a list of pools to expand the disks of specific pools:

services.zfs.expandOnBoot = [ "tank" "dozer" ];

Type: one of “disabled”, “all” or list of string

Default: "disabled"

Example:

[
  "tank"
  "dozer"
]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.trim.enable

Whether to enable periodic TRIM on all ZFS pools.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.trim.interval

How often we run trim. For most desktop and server systems a sufficient trimming frequency is once a week.

The format is described in systemd.time(7).

Type: string

Default: "weekly"

Example: "daily"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.trim.randomizedDelaySec

Add a randomized delay before each ZFS trim. The delay will be chosen between zero and this value. This value must be a time span in the format specified by systemd.time(7)

Type: string

Default: "6h"

Example: "12h"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.zed.enableMail

Whether to enable ZED’s ability to send emails.

Type: boolean

Default:

config.services.mail.sendmailSetuidWrapper != null

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zfs.zed.settings

ZFS Event Daemon /etc/zfs/zed.d/zed.rc content

See zed(8) for details on ZED and the scripts in /etc/zfs/zed.d to find the possible variables

Type: attribute set of (string or signed integer or boolean or list of string)

Example:

{
  ZED_DEBUG_LOG = "/tmp/zed.debug.log";

  ZED_EMAIL_ADDR = [ "root" ];
  ZED_EMAIL_PROG = "mail";
  ZED_EMAIL_OPTS = "-s '@SUBJECT@' @ADDRESS@";

  ZED_NOTIFY_INTERVAL_SECS = 3600;
  ZED_NOTIFY_VERBOSE = false;

  ZED_USE_ENCLOSURE_LEDS = true;
  ZED_SCRUB_AFTER_RESILVER = false;
}

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/zfs.nix>
services.zigbee2mqtt.enable

Whether to enable zigbee2mqtt service.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/zigbee2mqtt.nix>
services.zigbee2mqtt.package

The zigbee2mqtt package to use.

Type: package

Default: pkgs.zigbee2mqtt

Declared by:

<nixpkgs/nixos/modules/services/home-automation/zigbee2mqtt.nix>
services.zigbee2mqtt.dataDir

Zigbee2mqtt data directory

Type: path

Default: "/var/lib/zigbee2mqtt"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/zigbee2mqtt.nix>
services.zigbee2mqtt.settings

Your configuration.yaml as a Nix attribute set. Check the documentation for possible options.

Type: YAML value

Default: { }

Example:

{
  homeassistant = config.services.home-assistant.enable;
  permit_join = true;
  serial = {
    port = "/dev/ttyACM1";
  };
}

Declared by:

<nixpkgs/nixos/modules/services/home-automation/zigbee2mqtt.nix>
services.zitadel.enable

Whether to enable ZITADEL, a user and identity access management platform.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.package

The ZITADEL package to use.

Type: package

Default: pkgs.zitadel

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.extraSettingsPaths

A list of paths to extra settings files. These will override the values set in settings. Useful if you want to keep sensitive secrets out of the Nix store.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.extraStepsPaths

A list of paths to extra steps files. These will override the values set in steps. Useful if you want to keep sensitive secrets out of the Nix store.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.group

The group to run ZITADEL under.

Type: string

Default: "zitadel"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.masterKeyFile

Path to a file containing a master encryption key for ZITADEL. The key must be 32 bytes.

Type: path

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.openFirewall

Whether to open the port specified in listenPort in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.settings

Contents of the runtime configuration file. See https://zitadel.com/docs/self-hosting/manage/configure for more details.

Type: YAML value

Default: { }

Example:

{
  Port = 8123;
  ExternalDomain = "example.com";
  TLS = {
    CertPath = "/path/to/cert.pem";
    KeyPath = "/path/to/cert.key";
  };
  Database.cockroach.Host = "db.example.com";
};

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.settings.Port

The port that ZITADEL listens on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.settings.TLS.Cert

The TLS certificate, as a base64-encoded string.

Note that the contents of this option will be added to the Nix store as world-readable plain text. Set CertPath instead if this is undesired.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.settings.TLS.CertPath

Path to the TLS certificate.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.settings.TLS.Key

The TLS certificate private key, as a base64-encoded string.

Note that the contents of this option will be added to the Nix store as world-readable plain text. Set KeyPath instead if this is undesired.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.settings.TLS.KeyPath

Path to the TLS certificate private key.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.steps

Contents of the database initialization config file. See https://zitadel.com/docs/self-hosting/manage/configure for more details.

Type: YAML value

Default: { }

Example:

{
  FirstInstance = {
    InstanceName = "Example";
    Org.Human = {
      UserName = "foobar";
      FirstName = "Foo";
      LastName = "Bar";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.tlsMode

The TLS mode to use. Options are:

  • enabled: ZITADEL accepts HTTPS connections directly. You must configure TLS if this option is selected.

  • external: ZITADEL forces HTTPS connections, with TLS terminated at a reverse proxy.

  • disabled: ZITADEL accepts HTTP connections only. Should only be used for testing.

Type: one of “external”, “enabled”, “disabled”

Default: "external"

Example: "enabled"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.zitadel.user

The user to run ZITADEL under.

Type: string

Default: "zitadel"

Declared by:

<nixpkgs/nixos/modules/services/web-apps/zitadel.nix>
services.znapzend.enable

Whether to enable ZnapZend ZFS backup daemon.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.autoCreation

Automatically create the destination dataset if it does not exist.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.compressed

Whether to enable compressed feature which adds the options -Lce to the zfs send command. When this is enabled, make sure that both the sending and receiving pool have the same relevant features enabled. Using -c will skip unnecessary decompress-compress stages, -L is for large block support and -e is for embedded data support. see znapzend(1) and zfs(8) for more info .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.lowmemRecurse

Whether to enable use lowmemRecurse on systems where you have too many datasets, so a recursive listing of attributes to find backup plans exhausts the memory available to znapzend: instead, go the slower way to first list all impacted dataset names, and then query their configs one by one .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.oracleMode

Whether to enable destroying snapshots one by one instead of using one long argument list. If source and destination are out of sync for a long time, you may have so many snapshots to destroy that the argument gets is too long and the command fails .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.recvu

Whether to enable recvu feature which uses -u on the receiving end to keep the destination filesystem unmounted .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.sendRaw

Whether to enable sendRaw feature which adds the options -w to the zfs send command. For encrypted source datasets this instructs zfs not to decrypt before sending which results in a remote backup that can’t be read without the encryption key/passphrase, useful when the remote isn’t fully trusted or not physically secure. This option must be used consistently, raw incrementals cannot be based on non-raw snapshots and vice versa .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.skipIntermediates

Whether to enable the skipIntermediates feature to send a single increment between latest common snapshot and the newly made one. It may skip several source snaps if the destination was offline for some time, and it should skip snapshots not managed by znapzend. Normally for online destinations, the new snapshot is sent as soon as it is created on the source, so there are no automatic increments to skip .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.features.zfsGetType

Whether to enable using zfsGetType if your zfs get supports a -t argument for filtering by dataset type at all AND lists properties for snapshots by default when recursing, so that there is too much data to process while searching for backup plans. If these two conditions apply to your system, the time needed for a --recursive search for backup plans can literally differ by hundreds of times (depending on the amount of snapshots in that dataset tree… and a decent backup plan will ensure you have a lot of those), so you would benefit from requesting this feature .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.logLevel

The log level when logging to file. Any of debug, info, warning, err, alert. Default in daemonized form is debug.

Type: one of “debug”, “info”, “warning”, “err”, “alert”

Default: "debug"

Example: "warning"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.logTo

Where to log to (syslog::<facility> or <filepath>).

Type: string

Default: "syslog::daemon"

Example: "/var/log/znapzend.log"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.mailErrorSummaryTo

Email address to send a summary to if “send task(s) failed”.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.noDestroy

Does all changes to the filesystem except destroy.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.pure

Do not persist any stateful znapzend setups. If this option is enabled, your previously set znapzend setups will be cleared and only the ones defined with this module will be applied.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup

Znapzend configuration.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "tank/home" = {
    # Make snapshots of tank/home every hour, keep those for 1 day,
    # keep every days snapshot for 1 month, etc.
    plan = "1d=>1h,1m=>1d,1y=>1m";
    recursive = true;
    # Send all those snapshots to john@example.com:rtank/john as well
    destinations.remote = {
      host = "john@example.com";
      dataset = "rtank/john";
    };
  };
};

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.enable

Whether to enable this source.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.dataset

The dataset to use for this source.

Type: string

Example: "tank/home"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations

Additional destinations.

Type: attribute set of (submodule)

Default: { }

Example:

{
  local = {
    dataset = "btank/backup";
    presend = "zpool import -N btank";
    postsend = "zpool export btank";
  };
  remote = {
    host = "john@example.com";
    dataset = "tank/john";
  };
};

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations.<name>.dataset

Dataset name to send snapshots to.

Type: string

Example: "tank/main"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations.<name>.host

Host to use for the destination dataset. Can be prefixed with user@ to specify the ssh user.

Type: null or string

Default: null

Example: "john@example.com"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations.<name>.label

Label for this destination. Defaults to the attribute name.

Type: string

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations.<name>.plan

The znapzend backup plan to use for the source.

The plan specifies how often to backup and for how long to keep the backups. It consists of a series of retention periods to interval associations:

  retA=>intA,retB=>intB,...

Both intervals and retention periods are expressed in standard units of time or multiples of them. You can use both the full name or a shortcut according to the following listing:

  second|sec|s, minute|min, hour|h, day|d, week|w, month|mon|m, year|y

See znapzendzetup(1) for more info.

Type: string

Example: "1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations.<name>.postsend

Command to run after sending the snapshot to the destination. Intended to run a remote script via ssh on the destination, e.g. to bring up a backup disk or server or to put a zpool online/offline. See also presend.

Type: null or string

Default: null

Example: "ssh root@bserv zpool export tank"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.destinations.<name>.presend

Command to run before sending the snapshot to the destination. Intended to run a remote script via ssh on the destination, e.g. to bring up a backup disk or server or to put a zpool online/offline. See also postsend.

Type: null or string

Default: null

Example: "ssh root@bserv zpool import -Nf tank"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.mbuffer.enable

Whether to use mbuffer.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.mbuffer.port

Port to use for mbuffer.

If this is null, it will run mbuffer through ssh.

If this is not null, it will run mbuffer directly through TCP, which is not encrypted but faster. In that case the given port needs to be open on the destination host.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.mbuffer.size

The size for mbuffer. Supports the units b, k, M, G.

Type: string of the form number{b|k|M|G}

Default: "1G"

Example: "128M"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.plan

The znapzend backup plan to use for the source.

The plan specifies how often to backup and for how long to keep the backups. It consists of a series of retention periods to interval associations:

  retA=>intA,retB=>intB,...

Both intervals and retention periods are expressed in standard units of time or multiples of them. You can use both the full name or a shortcut according to the following listing:

  second|sec|s, minute|min, hour|h, day|d, week|w, month|mon|m, year|y

See znapzendzetup(1) for more info.

Type: string

Example: "1h=>10min,1d=>1h,1w=>1d,1m=>1w,1y=>1m"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.postsnap

Command to run after snapshots are taken on the source dataset, e.g. for database unlocking. See also presnap.

Type: null or string

Default: null

Example:

"${pkgs.coreutils}/bin/kill `${pkgs.coreutils}/bin/cat /tmp/mariadblock.pid`;${pkgs.coreutils}/bin/rm /tmp/mariadblock.pid"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.presnap

Command to run before snapshots are taken on the source dataset, e.g. for database locking/flushing. See also postsnap.

Type: null or string

Default: null

Example:

''${pkgs.mariadb}/bin/mysql -e "set autocommit=0;flush tables with read lock;\\! ${pkgs.coreutils}/bin/sleep 600" &  ${pkgs.coreutils}/bin/echo $! > /tmp/mariadblock.pid ; sleep 10''

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.recursive

Whether to do recursive snapshots.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.sendDelay

Specify delay (in seconds) before sending snaps to the destination. May be useful if you want to control sending time.

Type: signed integer

Default: 0

Example: 60

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znapzend.zetup.<name>.timestampFormat

The timestamp format to use for constructing snapshot names. The syntax is strftime-like. The string must consist of the mandatory %Y %m %d %H %M %S. Optionally - _ . : characters as well as any alphanumeric character are allowed. If suffixed by a Z, times will be in UTC.

Type: string containing all of the characters %Y, %m, %d, %H, %M, %S

Default: "%Y-%m-%d-%H%M%S"

Example: "znapzend-%m.%d.%Y-%H%M%SZ"

Declared by:

<nixpkgs/nixos/modules/services/backup/znapzend.nix>
services.znc.enable

Whether to enable ZNC.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/default.nix>
services.znc.confOptions.extraZncConf

Extra config to znc.conf file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.modules

A list of modules to include in the znc.conf file.

Type: list of string

Default:

[
  "webadmin"
  "adminlog"
]

Example:

[
  "partyline"
  "webadmin"
  "adminlog"
  "log"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.networks

IRC networks to connect the user to.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "libera" = {
    server = "irc.libera.chat";
    port = 6697;
    useSSL = true;
    modules = [ "simple_away" ];
  };
};

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.networks.<name>.channels

IRC channels to join.

Type: list of string

Default: [ ]

Example:

[
  "nixos"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.networks.<name>.extraConf

Extra config for the network. Consider using services.znc.config instead.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  Encoding = ^UTF-8
  FloodBurst = 4
  FloodRate = 1.00
  IRCConnectEnabled = true
  Ident = johntron
  JoinDelay = 0
  Nick = johntron
''

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.networks.<name>.hasBitlbeeControlChannel

Whether to add the special Bitlbee operations channel.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.networks.<name>.modules

ZNC network modules to load.

Type: list of string

Default:

[
  "simple_away"
]

Example: [ "simple_away" "sasl" ]

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.networks.<name>.password

IRC server password, such as for a Slack gateway.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.networks.<name>.port

IRC server port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 6697

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.networks.<name>.server

IRC server address.

Type: string

Example: "irc.libera.chat"

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.networks.<name>.useSSL

Whether to use SSL to connect to the IRC server.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.nick

The IRC nick.

Type: string

Default: "znc-user"

Example: "john"

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.passBlock

Generate with nix-shell -p znc --command "znc --makepass". This is the password used to log in to the ZNC web admin interface. You can also set this through services.znc.config.User.<username>.Pass.Method and co.

Type: string

Example:

''
  &lt;Pass password&gt;
     Method = sha256
     Hash = e2ce303c7ea75c571d80d8540a8699b46535be6a085be3414947d638e48d9e93
     Salt = l5Xryew4g*!oa(ECfX2o
  &lt;/Pass&gt;
''

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.port

Specifies the port on which to listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 5000

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.uriPrefix

An optional URI prefix for the ZNC web interface. Can be used to make ZNC available behind a reverse proxy.

Type: null or string

Default: null

Example: "/znc/"

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.useSSL

Indicates whether the ZNC server should use SSL when listening on the specified port. A self-signed certificate will be generated.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.userModules

A list of user modules to include in the znc.conf file.

Type: list of string

Default:

[
  "chansaver"
  "controlpanel"
]

Example:

[
  "chansaver"
  "controlpanel"
  "fish"
  "push"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.confOptions.userName

The user name used to log in to the ZNC web admin interface.

Type: string

Default: "znc"

Example: "johntron"

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.config

Configuration for ZNC, see https://wiki.znc.in/Configuration for details. The Nix value declared here will be translated directly to the xml-like format ZNC expects. This is much more flexible than the legacy options under services.znc.confOptions.*, but also can’t do any type checking.

You can use nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.services.znc.config to view the current value. By default it contains a listener for port 5000 with SSL enabled.

Nix attributes called extraConfig will be inserted verbatim into the resulting config file.

If services.znc.useLegacyConfig is turned on, the option values in services.znc.confOptions.* will be gracefully be applied to this option.

If you intend to update the configuration through this option, be sure to disable services.znc.mutable, otherwise none of the changes here will be applied after the initial deploy.

Type: attribute set of (znc values (null, atoms (str, int, bool), list of atoms, or attrsets of znc values))

Default: { }

Example:

{
  LoadModule = [ "webadmin" "adminlog" ];
  User.paul = {
    Admin = true;
    Nick = "paul";
    AltNick = "paul1";
    LoadModule = [ "chansaver" "controlpanel" ];
    Network.libera = {
      Server = "irc.libera.chat +6697";
      LoadModule = [ "simple_away" ];
      Chan = {
        "#nixos" = { Detached = false; };
        "##linux" = { Disabled = true; };
      };
    };
    Pass.password = {
      Method = "sha256";
      Hash = "e2ce303c7ea75c571d80d8540a8699b46535be6a085be3414947d638e48d9e93";
      Salt = "l5Xryew4g*!oa(ECfX2o";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/default.nix>
services.znc.configFile

Configuration file for ZNC. It is recommended to use the config option instead.

Setting this option will override any auto-generated config file through the confOptions or config options.

Type: path

Example: ~/.znc/configs/znc.conf

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/default.nix>
services.znc.dataDir

The state directory for ZNC. The config and the modules will be linked to from this directory as well.

Type: path

Default: "/var/lib/znc"

Example: "/home/john/.znc"

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/default.nix>
services.znc.extraFlags

Extra arguments to use for executing znc.

Type: list of string

Default: [ ]

Example:

[
  "--debug"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/default.nix>
services.znc.group

Group to own the ZNC process.

Type: string

Default: "znc"

Example: "users"

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/default.nix>
services.znc.modulePackages

A list of global znc module packages to add to znc.

Type: list of package

Default: [ ]

Example: [ pkgs.zncModules.fish pkgs.zncModules.push ]

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/default.nix>
services.znc.mutable

Indicates whether to allow the contents of the dataDir directory to be changed by the user at run-time.

If enabled, modifications to the ZNC configuration after its initial creation are not overwritten by a NixOS rebuild. If disabled, the ZNC configuration is rebuilt on every NixOS rebuild.

If the user wants to manage the ZNC service using the web admin interface, this option should be enabled.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/default.nix>
services.znc.openFirewall

Whether to open ports in the firewall for ZNC. Does work with ports for listeners specified in services.znc.config.Listener.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/default.nix>
services.znc.useLegacyConfig

Whether to propagate the legacy options under services.znc.confOptions.* to the znc config. If this is turned on, the znc config will contain a user with the default name “znc”, global modules “webadmin” and “adminlog” will be enabled by default, and more, all controlled through the services.znc.confOptions.* options. You can use nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.services.znc.config to view the current value of the config.

In any case, if you need more flexibility, services.znc.config can be used to override/add to all of the legacy options.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/options.nix>
services.znc.user

The name of an existing user account to use to own the ZNC server process. If not specified, a default user will be created.

Type: string

Default: "znc"

Example: "john"

Declared by:

<nixpkgs/nixos/modules/services/networking/znc/default.nix>
services.zoneminder.enable

Whether to enable ZoneMinder.

If you intend to run the database locally, you should set config.services.zoneminder.database.createLocally to true. Otherwise, when set to false (the default), you will have to create the database and database user as well as populate the database yourself. Additionally, you will need to run zmupdate.pl yourself when upgrading to a newer version .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/zoneminder.nix>
services.zoneminder.cameras

Set this to the number of cameras you expect to support.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/misc/zoneminder.nix>
services.zoneminder.database.createLocally

Create the database and database user locally.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/zoneminder.nix>
services.zoneminder.database.host

Hostname hosting the database.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/zoneminder.nix>
services.zoneminder.database.name

Name of database.

Type: string

Default: "zm"

Declared by:

<nixpkgs/nixos/modules/services/misc/zoneminder.nix>
services.zoneminder.database.password

Username for accessing the database. Not used if createLocally is set.

Type: string

Default: "zmpass"

Declared by:

<nixpkgs/nixos/modules/services/misc/zoneminder.nix>
services.zoneminder.database.username

Username for accessing the database.

Type: string

Default: "zmuser"

Declared by:

<nixpkgs/nixos/modules/services/misc/zoneminder.nix>
services.zoneminder.extraConfig

Additional configuration added verbatim to the configuration file.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/services/misc/zoneminder.nix>
services.zoneminder.hostname

The hostname on which to listen.

Type: string

Default: "localhost"

Declared by:

<nixpkgs/nixos/modules/services/misc/zoneminder.nix>
services.zoneminder.openFirewall

Open the firewall port(s).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/services/misc/zoneminder.nix>
services.zoneminder.port

The port on which to listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8095

Declared by:

<nixpkgs/nixos/modules/services/misc/zoneminder.nix>
services.zoneminder.storageDir

ZoneMinder can generate quite a lot of data, so in case you don’t want to use the default /var/lib/zoneminder, you can override the path here.

Type: null or string

Default: null

Example: "/storage/tank"

Declared by:

<nixpkgs/nixos/modules/services/misc/zoneminder.nix>
services.zoneminder.webserver

The webserver to configure for the PHP frontend.

Set it to none if you want to configure it yourself. PRs are welcome for support for other web servers.

Type: one of “nginx”, “none”

Default: "nginx"

Declared by:

<nixpkgs/nixos/modules/services/misc/zoneminder.nix>
services.zookeeper.enable

Whether to enable Zookeeper.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/misc/zookeeper.nix>
services.zookeeper.package

The zookeeper package to use.

Type: package

Default: pkgs.zookeeper

Declared by:

<nixpkgs/nixos/modules/services/misc/zookeeper.nix>
services.zookeeper.dataDir

Data directory for Zookeeper

Type: path

Default: "/var/lib/zookeeper"

Declared by:

<nixpkgs/nixos/modules/services/misc/zookeeper.nix>
services.zookeeper.extraCmdLineOptions

Extra command line options for the Zookeeper launcher.

Type: list of string

Default:

[
  "-Dcom.sun.management.jmxremote"
  "-Dcom.sun.management.jmxremote.local.only=true"
]

Example:

[
  "-Djava.net.preferIPv4Stack=true"
  "-Dcom.sun.management.jmxremote"
  "-Dcom.sun.management.jmxremote.local.only=true"
]

Declared by:

<nixpkgs/nixos/modules/services/misc/zookeeper.nix>
services.zookeeper.extraConf

Extra configuration for Zookeeper.

Type: strings concatenated with “\n”

Default:

''
  initLimit=5
  syncLimit=2
  tickTime=2000
''

Declared by:

<nixpkgs/nixos/modules/services/misc/zookeeper.nix>
services.zookeeper.id

Zookeeper ID.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/services/misc/zookeeper.nix>
services.zookeeper.jre

The JRE with which to run Zookeeper

Type: package

Default: pkgs.zookeeper.jre

Example: pkgs.jre

Declared by:

<nixpkgs/nixos/modules/services/misc/zookeeper.nix>
services.zookeeper.logging

Zookeeper logging configuration.

Type: strings concatenated with “\n”

Default:

''
  zookeeper.root.logger=INFO, CONSOLE
  log4j.rootLogger=INFO, CONSOLE
  log4j.logger.org.apache.zookeeper.audit.Log4jAuditLogger=INFO, CONSOLE
  log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
  log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
  log4j.appender.CONSOLE.layout.ConversionPattern=[myid:%X{myid}] - %-5p [%t:%C{1}@%L] - %m%n
''

Declared by:

<nixpkgs/nixos/modules/services/misc/zookeeper.nix>
services.zookeeper.port

Zookeeper Client port.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2181

Declared by:

<nixpkgs/nixos/modules/services/misc/zookeeper.nix>
services.zookeeper.preferIPv4

Add the -Djava.net.preferIPv4Stack=true flag to the Zookeeper server.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/services/misc/zookeeper.nix>
services.zookeeper.purgeInterval

The time interval in hours for which the purge task has to be triggered. Set to a positive integer (1 and above) to enable the auto purging.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/services/misc/zookeeper.nix>
services.zookeeper.servers

All Zookeeper Servers.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  server.0=host0:2888:3888
  server.1=host1:2888:3888
  server.2=host2:2888:3888
''

Declared by:

<nixpkgs/nixos/modules/services/misc/zookeeper.nix>
services.zram-generator.enable

Whether to enable Systemd unit generator for zram devices.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/system/zram-generator.nix>
services.zram-generator.package

The zram-generator package to use.

Type: package

Default: pkgs.zram-generator

Declared by:

<nixpkgs/nixos/modules/services/system/zram-generator.nix>
services.zram-generator.settings

Configuration for zram-generator, see https://github.com/systemd/zram-generator for documentation.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/system/zram-generator.nix>
services.zrepl.enable

Whether to enable zrepl.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/backup/zrepl.nix>
services.zrepl.package

The zrepl package to use.

Type: package

Default: pkgs.zrepl

Declared by:

<nixpkgs/nixos/modules/services/backup/zrepl.nix>
services.zrepl.settings

Configuration for zrepl. See https://zrepl.github.io/configuration.html for more information.

Type: YAML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/backup/zrepl.nix>
services.zwave-js.enable

Whether to enable the zwave-js server on boot.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/services/home-automation/zwave-js.nix>
services.zwave-js.package

The zwave-js-server package to use.

Type: package

Default: pkgs.zwave-js-server

Declared by:

<nixpkgs/nixos/modules/services/home-automation/zwave-js.nix>
services.zwave-js.extraFlags

Extra flags to pass to command

Type: list of string

Default: [ ]

Example:

[
  "--mock-driver"
]

Declared by:

<nixpkgs/nixos/modules/services/home-automation/zwave-js.nix>
services.zwave-js.port

Port for the server to listen on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 3000

Declared by:

<nixpkgs/nixos/modules/services/home-automation/zwave-js.nix>
services.zwave-js.secretsConfigFile

JSON file containing secret keys. A dummy example:

{
  "securityKeys": {
    "S0_Legacy": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "S2_Unauthenticated": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
    "S2_Authenticated": "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC",
    "S2_AccessControl": "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
  }
}

See https://zwave-js.github.io/node-zwave-js/#/getting-started/security-s2 for details. This file will be merged with the module-generated config file (taking precedence).

Z-Wave keys can be generated with:

< /dev/urandom tr -dc A-F0-9 | head -c32 ;echo

Warning

A file in the nix store should not be used since it will be readable to all users.

Type: path

Example: "/secrets/zwave-js-keys.json"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/zwave-js.nix>
services.zwave-js.serialPort

Serial port device path for Z-Wave controller.

Type: path

Example: "/dev/ttyUSB0"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/zwave-js.nix>
services.zwave-js.settings

Configuration settings for the generated config file.

Type: JSON value

Default: { }

Declared by:

<nixpkgs/nixos/modules/services/home-automation/zwave-js.nix>
services.zwave-js.settings.storage.cacheDir

Cache directory

Type: path (read only)

Default: "/var/cache/zwave-js"

Declared by:

<nixpkgs/nixos/modules/services/home-automation/zwave-js.nix>
specialisation

Additional configurations to build. If inheritParentConfig is true, the system will be based on the overall system configuration.

To switch to a specialised configuration (e.g. fewJobsManyCores) at runtime, run:

sudo /run/current-system/specialisation/fewJobsManyCores/bin/switch-to-configuration test

Type: attribute set of (submodule)

Default: { }

Example: { fewJobsManyCores.configuration = { nix.settings = { core = 0; max-jobs = 1; }; }; }

Declared by:

<nixpkgs/nixos/modules/system/activation/specialisation.nix>
specialisation.<name>.configuration

Arbitrary NixOS configuration.

Anything you can add to a normal NixOS configuration, you can add here, including imports and config values, although nested specialisations will be ignored.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/activation/specialisation.nix>
specialisation.<name>.inheritParentConfig

Include the entire system’s configuration. Set to false to make a completely differently configured system.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/activation/specialisation.nix>
swapDevices

The swap devices and swap files. These must have been initialised using mkswap. Each element should be an attribute set specifying either the path of the swap device or file (device) or the label of the swap device (label, see mkswap -L). Using a label is recommended.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    device = "/dev/hda7";
  }
  {
    device = "/var/swapfile";
  }
  {
    label = "bigswap";
  }
]

Declared by:

<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.device

Path of the device or swap file.

Type: non-empty string

Example: "/dev/sda3"

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.discardPolicy

Specify the discard policy for the swap device. If “once”, then the whole swap space is discarded at swapon invocation. If “pages”, asynchronous discard on freed pages is performed, before returning to the available pages pool. With “both”, both policies are activated. See swapon(8) for more information.

Type: null or one of “once”, “pages”, “both”

Default: null

Example: "once"

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.encrypted.enable

The block device is backed by an encrypted one, adds this device as a initrd luks entry.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
swapDevices.*.encrypted.blkDev

Location of the backing encrypted device.

Type: null or string

Default: null

Example: "/dev/sda1"

Declared by:

<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
swapDevices.*.encrypted.keyFile

Path to a keyfile used to unlock the backing encrypted device. When systemd stage 1 is not enabled, at the time this keyfile is accessed, the neededForBoot filesystems (see utils.fsNeededForBoot) will have been mounted under /mnt-root, so the keyfile path should usually start with “/mnt-root/”. When systemd stage 1 is enabled, fsNeededForBoot file systems will be mounted as needed under /sysroot, and the keyfile will not be accessed until its requisite mounts are done.

Type: null or string

Default: null

Example: "/mnt-root/root/.swapkey"

Declared by:

<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
swapDevices.*.encrypted.label

Label of the unlocked encrypted device. Set fileSystems.<name?>.device to /dev/mapper/<label> to mount the unlocked device.

Type: null or string

Default: null

Example: "rootfs"

Declared by:

<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
swapDevices.*.label

Label of the device. Can be used instead of device.

Type: string

Example: "swap"

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.options

Options used to mount the swap.

Type: list of non-empty string

Default:

[
  "defaults"
]

Example:

[
  "nofail"
]

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.priority

Specify the priority of the swap device. Priority is a value between 0 and 32767. Higher numbers indicate higher priority. null lets the kernel choose a priority, which will show up as a negative value.

Type: null or signed integer

Default: null

Example: 2048

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.randomEncryption

Encrypt swap device with a random key. This way you won’t have a persistent swap device.

HINT: run “cryptsetup benchmark” to test cipher performance on your machine.

WARNING: Don’t try to hibernate when you have at least one swap partition with this option enabled! We have no way to set the partition into which hibernation image is saved, so if your image ends up on an encrypted one you would lose it!

WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device when using randomEncryption as the UUIDs and labels will get erased on every boot when the partition is encrypted. Best to use /dev/disk/by-partuuid/…

Type: (submodule) or boolean convertible to it

Default: false

Example:

{
  cipher = "serpent-xts-plain64";
  enable = true;
  source = "/dev/random";
}

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.randomEncryption.enable

Encrypt swap device with a random key. This way you won’t have a persistent swap device.

WARNING: Don’t try to hibernate when you have at least one swap partition with this option enabled! We have no way to set the partition into which hibernation image is saved, so if your image ends up on an encrypted one you would lose it!

WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device when using randomEncryption as the UUIDs and labels will get erased on every boot when the partition is encrypted. Best to use /dev/disk/by-partuuid/…

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.randomEncryption.allowDiscards

Whether to allow TRIM requests to the underlying device. This option has security implications; please read the LUKS documentation before activating it.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.randomEncryption.cipher

Use specified cipher for randomEncryption.

Hint: Run “cryptsetup benchmark” to see which one is fastest on your machine.

Type: string

Default: "aes-xts-plain64"

Example: "serpent-xts-plain64"

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.randomEncryption.keySize

Set the encryption key size for the plain device.

If not specified, the amount of data to read from source will be determined by cryptsetup.

See cryptsetup-open(8) for details.

Type: null or signed integer

Default: null

Example: "512"

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.randomEncryption.sectorSize

Set the sector size for the plain encrypted device type.

If not specified, the default sector size is determined from the underlying block device.

See cryptsetup-open(8) for details.

Type: null or signed integer

Default: null

Example: "4096"

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.randomEncryption.source

Define the source of randomness to obtain a random key for encryption.

Type: string

Default: "/dev/urandom"

Example: "/dev/random"

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
swapDevices.*.size

If this option is set, ‘device’ is interpreted as the path of a swapfile that will be created automatically with the indicated size (in megabytes).

Type: null or signed integer

Default: null

Example: 2048

Declared by:

<nixpkgs/nixos/modules/config/swap.nix>
system.activatable

Whether to add the activation script to the system profile.

The default, to have the script available all the time, is what we normally do, but for image based systems, this may not be needed or not be desirable.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/activation/activatable-system.nix>
system.activationScripts

A set of shell script fragments that are executed when a NixOS system configuration is activated. Examples are updating /etc, creating accounts, and so on. Since these are executed every time you boot the system or run nixos-rebuild, it’s important that they are idempotent and fast.

Type: attribute set of (string or (submodule))

Default: { }

Example:

{
  stdio = {
    # Run after /dev has been mounted
    deps = [ "specialfs" ];
    text =
      ''
        # Needed by some programs.
        ln -sfn /proc/self/fd /dev/fd
        ln -sfn /proc/self/fd/0 /dev/stdin
        ln -sfn /proc/self/fd/1 /dev/stdout
        ln -sfn /proc/self/fd/2 /dev/stderr
      '';
  };
}

Declared by:

<nixpkgs/nixos/modules/system/activation/activation-script.nix>
system.autoUpgrade.enable

Whether to periodically upgrade NixOS to the latest version. If enabled, a systemd timer will run nixos-rebuild switch --upgrade once a day.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/auto-upgrade.nix>
system.autoUpgrade.allowReboot

Reboot the system into the new generation instead of a switch if the new generation uses a different kernel, kernel modules or initrd than the booted system. See rebootWindow for configuring the times at which a reboot is allowed.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/auto-upgrade.nix>
system.autoUpgrade.channel

The URI of the NixOS channel to use for automatic upgrades. By default, this is the channel set using nix-channel (run nix-channel --list to see the current value).

Type: null or string

Default: null

Example: "https://nixos.org/channels/nixos-14.12-small"

Declared by:

<nixpkgs/nixos/modules/tasks/auto-upgrade.nix>
system.autoUpgrade.dates

How often or when upgrade occurs. For most desktop and server systems a sufficient upgrade frequency is once a day.

The format is described in systemd.time(7).

Type: string

Default: "04:40"

Example: "daily"

Declared by:

<nixpkgs/nixos/modules/tasks/auto-upgrade.nix>
system.autoUpgrade.fixedRandomDelay

Make the randomized delay consistent between runs. This reduces the jitter between automatic upgrades. See randomizedDelaySec for configuring the randomized delay.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/tasks/auto-upgrade.nix>
system.autoUpgrade.flags

Any additional flags passed to nixos-rebuild.

If you are using flakes and use a local repo you can add [ "--update-input" "nixpkgs" "--commit-lock-file" ] to update nixpkgs.

Type: list of string

Default: [ ]

Example:

[
  "-I"
  "stuff=/home/alice/nixos-stuff"
  "--option"
  "extra-binary-caches"
  "http://my-cache.example.org/"
]

Declared by:

<nixpkgs/nixos/modules/tasks/auto-upgrade.nix>
system.autoUpgrade.flake

The Flake URI of the NixOS configuration to build. Disables the option system.autoUpgrade.channel.

Type: null or string

Default: null

Example: "github:kloenk/nix"

Declared by:

<nixpkgs/nixos/modules/tasks/auto-upgrade.nix>
system.autoUpgrade.operation

Whether to run nixos-rebuild switch --upgrade or run nixos-rebuild boot --upgrade

Type: one of “switch”, “boot”

Default: "switch"

Example: "boot"

Declared by:

<nixpkgs/nixos/modules/tasks/auto-upgrade.nix>
system.autoUpgrade.persistent

Takes a boolean argument. If true, the time when the service unit was last triggered is stored on disk. When the timer is activated, the service unit is triggered immediately if it would have been triggered at least once during the time when the timer was inactive. Such triggering is nonetheless subject to the delay imposed by RandomizedDelaySec=. This is useful to catch up on missed runs of the service when the system was powered down.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/tasks/auto-upgrade.nix>
system.autoUpgrade.randomizedDelaySec

Add a randomized delay before each automatic upgrade. The delay will be chosen between zero and this value. This value must be a time span in the format specified by systemd.time(7)

Type: string

Default: "0"

Example: "45min"

Declared by:

<nixpkgs/nixos/modules/tasks/auto-upgrade.nix>
system.autoUpgrade.rebootWindow

Define a lower and upper time value (in HH:MM format) which constitute a time window during which reboots are allowed after an upgrade. This option only has an effect when allowReboot is enabled. The default value of null means that reboots are allowed at any time.

Type: null or (submodule)

Default: null

Example:

{
  lower = "01:00";
  upper = "05:00";
}

Declared by:

<nixpkgs/nixos/modules/tasks/auto-upgrade.nix>
system.autoUpgrade.rebootWindow.lower

Lower limit of the reboot window

Type: string matching the pattern [[:digit:]]{2}:[[:digit:]]{2}

Example: "01:00"

Declared by:

<nixpkgs/nixos/modules/tasks/auto-upgrade.nix>
system.autoUpgrade.rebootWindow.upper

Upper limit of the reboot window

Type: string matching the pattern [[:digit:]]{2}:[[:digit:]]{2}

Example: "05:00"

Declared by:

<nixpkgs/nixos/modules/tasks/auto-upgrade.nix>
system.build

Attribute set of derivations used to set up the system.

Type: lazy attribute set of unspecified value

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/build.nix>
<nixpkgs/nixos/modules/system/activation/top-level.nix>
<nixpkgs/nixos/modules/system/activation/activation-script.nix>
<nixpkgs/nixos/modules/system/activation/activatable-system.nix>
<nixpkgs/nixos/modules/image/images.nix>
system.build.images

Different target images generated for this NixOS configuration.

Type: lazy attribute set of raw value (read only)

Declared by:

<nixpkgs/nixos/modules/image/images.nix>
system.build.separateActivationScript

A separate activation script package that’s not part of the system profile.

This is useful for configurations where system.activatable is false. Otherwise, you can just use system.build.toplevel.

Type: package

Declared by:

<nixpkgs/nixos/modules/system/activation/activatable-system.nix>
system.build.toplevel

This option contains the store path that typically represents a NixOS system.

You can read this path in a custom deployment tool for example.

Type: package (read only)

Declared by:

<nixpkgs/nixos/modules/system/activation/top-level.nix>
system.checks

Packages that are added as dependencies of the system’s build, usually for the purpose of validating some part of the configuration.

Unlike system.extraDependencies, these store paths do not become part of the built system configuration.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/activation/top-level.nix>
system.configurationRevision

The Git revision of the top-level flake from which this configuration was built.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/misc/version.nix>
system.copySystemConfiguration

If enabled, copies the NixOS configuration file (usually /etc/nixos/configuration.nix) and links it from the resulting system (getting to /run/current-system/configuration.nix). Note that only this single file is copied, even if it imports others.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/activation/top-level.nix>
system.etc.overlay.enable

Mount /etc as an overlayfs instead of generating it via a perl script.

Note: This is currently experimental. Only enable this option if you’re confident that you can recover your system if it breaks.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
system.etc.overlay.mutable

Whether to mount /etc mutably (i.e. read-write) or immutably (i.e. read-only).

If this is false, only the immutable lowerdir is mounted. If it is true, a writable upperdir is mounted on top.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/etc/etc.nix>
system.extraDependencies

A list of paths that should be included in the system closure but generally not visible to users.

This option has also been used for build-time checks, but the system.checks option is more appropriate for that purpose as checks should not leave a trace in the built system configuration.

Type: list of path in the Nix store

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/activation/top-level.nix>
system.forbiddenDependenciesRegexes

POSIX Extended Regular Expressions that match store paths that should not appear in the system closure, with the exception of system.extraDependencies, which is not checked.

Type: list of string

Default: [ ]

Example:

[
  "-dev$"
]

Declared by:

<nixpkgs/nixos/modules/system/activation/top-level.nix>
system.image.id

Image identifier.

This corresponds to the IMAGE_ID field in os-release. See the upstream docs for more details on valid characters for this field: https://www.freedesktop.org/software/systemd/man/latest/os-release.html#IMAGE_ID=

You would only want to set this option if you’re build NixOS appliance images.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/misc/version.nix>
system.image.version

Image version.

This corresponds to the IMAGE_VERSION field in os-release. See the upstream docs for more details on valid characters for this field: https://www.freedesktop.org/software/systemd/man/latest/os-release.html#IMAGE_VERSION=

You would only want to set this option if you’re build NixOS appliance images.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/misc/version.nix>
system.includeBuildDependencies

Whether to include the build closure of the whole system in its runtime closure. This can be useful for making changes fully offline, as it includes all sources, patches, and intermediate outputs required to build all the derivations that the system depends on.

Note that this includes all the derivations, down from the included applications to their sources, the compilers used to build them, and even the bootstrap compiler used to compile the compilers. This increases the size of the system and the time needed to download its dependencies drastically: a minimal configuration with no extra services enabled grows from ~670MiB in size to 13.5GiB, and takes proportionally longer to download.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/activation/top-level.nix>
system.name

The name of the system used in the system.build.toplevel derivation.

That derivation has the following name: "nixos-system-${config.system.name}-${config.system.nixos.label}"

Type: string

Default:

if config.networking.hostName == ""
then "unnamed"
else config.networking.hostName;

Declared by:

<nixpkgs/nixos/modules/system/activation/top-level.nix>
system.nixos.codeName

The NixOS release code name (e.g. Emu).

Type: string (read only)

Default: "Warbler"

Declared by:

<nixpkgs/nixos/modules/misc/version.nix>
system.nixos.label

NixOS version name to be used in the names of generated outputs and boot labels.

If you ever wanted to influence the labels in your GRUB menu, this is the option for you.

It can only contain letters, numbers and the following symbols: :, _, . and -.

The default is system.nixos.tags separated by “-” + “-” + NIXOS_LABEL_VERSION environment variable (defaults to the value of system.nixos.version).

Can be overridden by setting NIXOS_LABEL.

Useful for not loosing track of configurations built from different nixos branches/revisions, e.g.:

#!/bin/sh
today=`date +%Y%m%d`
branch=`(cd nixpkgs ; git branch 2>/dev/null | sed -n '/^\* / { s|^\* ||; p; }')`
revision=`(cd nixpkgs ; git rev-parse HEAD)`
export NIXOS_LABEL_VERSION="$today.$branch-${revision:0:7}"
nixos-rebuild switch

Type: string matching the pattern [a-zA-Z0-9:_\.-]*

Declared by:

<nixpkgs/nixos/modules/misc/label.nix>
system.nixos.release

The NixOS release (e.g. 16.03).

Type: string (read only)

Default: "25.05"

Declared by:

<nixpkgs/nixos/modules/misc/version.nix>
system.nixos.tags

Strings to prefix to the default system.nixos.label.

Useful for not losing track of configurations built with different options, e.g.:

{
  system.nixos.tags = [ "with-xen" ];
  virtualisation.xen.enable = true;
}

Type: list of string

Default: [ ]

Example:

[
  "with-xen"
]

Declared by:

<nixpkgs/nixos/modules/misc/label.nix>
system.nixos.variantName

A string identifying a specific variant or edition of the operating system suitable for presentation to the user

Type: null or string

Default: null

Example: "NixOS Installer Image"

Declared by:

<nixpkgs/nixos/modules/misc/version.nix>
system.nixos.variant_id

A lower-case string identifying a specific variant or edition of the operating system

Type: null or string matching the pattern ^[a-z0-9._-]+$

Default: null

Example: "installer"

Declared by:

<nixpkgs/nixos/modules/misc/version.nix>
system.nssDatabases.group

List of group entries to configure in /etc/nsswitch.conf.

Note that “files” is always prepended while “systemd” is appended if nscd is enabled.

This option only takes effect if nscd is enabled.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/nsswitch.nix>
system.nssDatabases.hosts

List of hosts entries to configure in /etc/nsswitch.conf.

Note that “files” is always prepended, and “dns” and “myhostname” are always appended.

This option only takes effect if nscd is enabled.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/nsswitch.nix>
system.nssDatabases.passwd

List of passwd entries to configure in /etc/nsswitch.conf.

Note that “files” is always prepended while “systemd” is appended if nscd is enabled.

This option only takes effect if nscd is enabled.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/nsswitch.nix>
system.nssDatabases.services

List of services entries to configure in /etc/nsswitch.conf.

Note that “files” is always prepended.

This option only takes effect if nscd is enabled.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/nsswitch.nix>
system.nssDatabases.shadow

List of shadow entries to configure in /etc/nsswitch.conf.

Note that “files” is always prepended.

This option only takes effect if nscd is enabled.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/nsswitch.nix>
system.nssDatabases.sudoers

List of sudoers entries to configure in /etc/nsswitch.conf.

Note that “files” is always prepended.

This option only takes effect if nscd is enabled.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/nsswitch.nix>
system.preSwitchChecks

A set of shell script fragments that are executed before the switch to a new NixOS system configuration. A failure in any of these fragments will cause the switch to fail and exit early.

Type: attribute set of string

Default: { }

Example:

{ failsEveryTime =
  ''
    false
  '';
}

Declared by:

<nixpkgs/nixos/modules/system/activation/pre-switch-check.nix>
system.rebuild.enableNg

Whether to use ‘nixos-rebuild-ng’ in place of ‘nixos-rebuild’, the Python-based re-implementation of the original in Bash.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/installer/tools/tools.nix>
system.replaceDependencies.cutoffPackages

Packages to which no replacements should be applied. The initrd is matched by default, because its structure renders the replacement process ineffective and prone to breakage.

Type: list of package

Default: [ config.system.build.initialRamdisk ]

Declared by:

<nixpkgs/nixos/modules/system/activation/top-level.nix>
system.replaceDependencies.replacements

List of packages to override without doing a full rebuild. The original derivation and replacement derivation must have the same name length, and ideally should have close-to-identical directory layout.

Type: list of (submodule)

Default: [ ]

Example: [ ({ oldDependency = pkgs.openssl; newDependency = pkgs.callPackage /path/to/openssl { }; }) ]

Declared by:

<nixpkgs/nixos/modules/system/activation/top-level.nix>
system.replaceDependencies.replacements.*.newDependency

The replacement package.

Type: package

Declared by:

<nixpkgs/nixos/modules/system/activation/top-level.nix>
system.replaceDependencies.replacements.*.oldDependency

The original package to override.

Type: package

Declared by:

<nixpkgs/nixos/modules/system/activation/top-level.nix>
system.stateVersion

This option defines the first version of NixOS you have installed on this particular machine, and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.

For example, if NixOS version XX.YY ships with AwesomeDB version N by default, and is then upgraded to version XX.YY+1, which ships AwesomeDB version N+1, the existing databases may no longer be compatible, causing applications to fail, or even leading to data loss.

The stateVersion mechanism avoids this situation by making the default version of such packages conditional on the first version of NixOS you’ve installed (encoded in stateVersion), instead of simply always using the latest one.

Note that this generally only affects applications that can’t upgrade their data automatically - applications and services supporting automatic migrations will remain on latest versions when you upgrade.

Most users should never change this value after the initial install, for any reason, even if you’ve upgraded your system to a new NixOS release.

This value does not affect the Nixpkgs version your packages and OS are pulled from, so changing it will not upgrade your system.

This value being lower than the current NixOS release does not mean your system is out of date, out of support, or vulnerable.

Do not change this value unless you have manually inspected all the changes it would make to your configuration, and migrated your data accordingly.

Type: string

Default: config.system.nixos.release

Declared by:

<nixpkgs/nixos/modules/misc/version.nix>
system.switch.enable

Whether to include the capability to switch configurations.

Disabling this makes the system unable to be reconfigured via nixos-rebuild.

This is good for image based appliances where updates are handled outside the image. Reducing features makes the image lighter and slightly more secure.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/activation/switchable-system.nix>
system.switch.enableNg

Whether to use switch-to-configuration-ng, the Rust-based re-implementation of the original Perl switch-to-configuration.

Type: boolean

Default: config.system.switch.enable

Declared by:

<nixpkgs/nixos/modules/system/activation/switchable-system.nix>
system.tools.nixos-build-vms.enable

Whether to enable nixos-build-vms script.

Type: boolean

Default: "config.nix.enable && !config.system.disableInstallerTools"

Example: true

Declared by:

<nixpkgs/nixos/modules/installer/tools/tools.nix>
system.tools.nixos-enter.enable

Whether to enable nixos-enter script.

Type: boolean

Default: "config.nix.enable && !config.system.disableInstallerTools"

Example: true

Declared by:

<nixpkgs/nixos/modules/installer/tools/tools.nix>
system.tools.nixos-generate-config.enable

Whether to enable nixos-generate-config script.

Type: boolean

Default: "config.nix.enable && !config.system.disableInstallerTools"

Example: true

Declared by:

<nixpkgs/nixos/modules/installer/tools/tools.nix>
system.tools.nixos-install.enable

Whether to enable nixos-install script.

Type: boolean

Default: "config.nix.enable && !config.system.disableInstallerTools"

Example: true

Declared by:

<nixpkgs/nixos/modules/installer/tools/tools.nix>
system.tools.nixos-option.enable

Whether to enable nixos-option script.

Type: boolean

Default: "config.nix.enable && !config.system.disableInstallerTools"

Example: true

Declared by:

<nixpkgs/nixos/modules/installer/tools/tools.nix>
system.tools.nixos-rebuild.enable

Whether to enable nixos-rebuild script.

Type: boolean

Default: "config.nix.enable && !config.system.disableInstallerTools"

Example: true

Declared by:

<nixpkgs/nixos/modules/installer/tools/tools.nix>
system.tools.nixos-version.enable

Whether to enable nixos-version script.

Type: boolean

Default: "config.nix.enable && !config.system.disableInstallerTools"

Example: true

Declared by:

<nixpkgs/nixos/modules/installer/tools/tools.nix>
system.userActivationScripts

A set of shell script fragments that are executed by a systemd user service when a NixOS system configuration is activated. Examples are rebuilding the .desktop file cache for showing applications in the menu. Since these are executed every time you run nixos-rebuild, it’s important that they are idempotent and fast.

Type: attribute set of (string or (submodule))

Default: { }

Example:

{ plasmaSetup = {
    text = ''
      ${pkgs.libsForQt5.kservice}/bin/kbuildsycoca5"
    '';
    deps = [];
  };
}

Declared by:

<nixpkgs/nixos/modules/system/activation/activation-script.nix>
systemd.enableCgroupAccounting

Whether to enable cgroup accounting; see cgroups(7).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.enableEmergencyMode

Whether to enable emergency mode, which is an sulogin shell started on the console if mounting a filesystem fails. Since some machines (like EC2 instances) have no console of any kind, emergency mode doesn’t make sense, and it’s better to continue with the boot insofar as possible.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/emergency-mode.nix>
systemd.enableStrictShellChecks

Whether to run shellcheck on the generated scripts for systemd units.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.package

The systemd package to use.

Type: package

Default: pkgs.systemd

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.packages

Packages providing systemd units and hooks.

Type: list of package

Default: [ ]

Example: [ pkgs.systemd-cryptsetup-generator ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.additionalUpstreamSystemUnits

Additional units shipped with systemd that shall be enabled.

Type: list of string

Default: [ ]

Example:

[
  "debug-shell.service"
  "systemd-quotacheck.service"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts

Definition of systemd automount units; see systemd.automount(5).

This is a list instead of an attrSet, because systemd mandates the names to be derived from the where attribute.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.automountConfig

Each attribute in this set specifies an option in the [Automount] section of the unit. See systemd.automount(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  DirectoryMode = "0775";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.automounts.*.where

Absolute path of a directory of the mount point. Will be created if it doesn’t exist. (Mandatory)

Type: string

Example: "/mnt"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.coredump.enable

Whether core dumps should be processed by systemd-coredump. If disabled, core dumps appear in the current directory of the crashing process.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/coredump.nix>
systemd.coredump.extraConfig

Extra config options for systemd-coredump. See coredump.conf(5) man page for available options.

Type: strings concatenated with “\n”

Default: ""

Example: "Storage=journal"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/coredump.nix>
systemd.ctrlAltDelUnit

Target that should be started when Ctrl-Alt-Delete is pressed; see systemd.special(7).

Type: string

Default: "reboot.target"

Example: "poweroff.target"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.defaultUnit

Default unit started when the system boots; see systemd.special(7).

Type: string

Default: "multi-user.target"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.extraConfig

Extra config options for systemd. See systemd-system.conf(5) man page for available options.

Type: strings concatenated with “\n”

Default: ""

Example: "DefaultLimitCORE=infinity"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.generators

Definition of systemd generators; see systemd.generator(5).

For each NAME = VALUE pair of the attrSet, a link is generated from /etc/systemd/system-generators/NAME to VALUE.

Type: attribute set of path

Default: { }

Example:

{
  systemd-gpt-auto-generator = "/dev/null";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.globalEnvironment

Environment variables passed to all systemd units.

Type: attribute set of (null or string or path or package)

Default: { }

Example:

{
  TZ = "CET";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.managerEnvironment

Environment variables of PID 1. These variables are not passed to started units.

Type: attribute set of (null or string or path or package)

Default: { }

Example:

{
  SYSTEMD_LOG_LEVEL = "debug";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts

Definition of systemd mount units; see systemd.mount(5).

This is a list instead of an attrSet, because systemd mandates the names to be derived from the where attribute.

Type: list of (submodule)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.mountConfig

Each attribute in this set specifies an option in the [Mount] section of the unit. See systemd.mount(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  DirectoryMode = "0775";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.options

Options used to mount the file system.

Type: strings concatenated with “,”

Default: ""

Example: "noatime"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.type

File system type.

Type: string

Default: ""

Example: "ext4"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.what

Absolute path of device node, file or other resource. (Mandatory)

Type: string

Example: "/dev/sda1"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.mounts.*.where

Absolute path of a directory of the mount point. Will be created if it doesn’t exist. (Mandatory)

Type: string

Example: "/mnt"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.network.enable

Whether to enable networkd or not.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.config

Definition of global systemd network config.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.config.addRouteTablesToIPRoute2

If true and routeTables are set, then the specified route tables will also be installed into /etc/iproute2/rt_tables.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.config.dhcpV4Config

Each attribute in this set specifies an option in the [DHCPv4] section of the networkd config. See networkd.conf(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  DUIDType = "vendor";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.config.dhcpV6Config

Each attribute in this set specifies an option in the [DHCPv6] section of the networkd config. See networkd.conf(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  DUIDType = "vendor";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.config.networkConfig

Each attribute in this set specifies an option in the [Network] section of the networkd config. See networkd.conf(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  ManageForeignRoutingPolicyRules = false;
  SpeedMeter = true;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.config.routeTables

Defines route table names as an attrset of name to number. See networkd.conf(5) for details.

Type: attribute set of signed integer

Default: { }

Example:

{
  foo = 27;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.links

Definition of systemd network links.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.links.<name>.enable

Whether to enable this .link unit. It’s handled by udev no matter if systemd-networkd is enabled or not

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.links.<name>.extraConfig

Extra configuration append to unit

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.links.<name>.linkConfig

Each attribute in this set specifies an option in the [Link] section of the unit. See systemd.link(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  MACAddress = "00:ff:ee:aa:cc:dd";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.links.<name>.matchConfig

Each attribute in this set specifies an option in the [Match] section of the unit. See systemd.link(5) systemd.netdev(5) systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Name = "eth0";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs

Definition of systemd network devices.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.enable

Whether to manage network configuration using systemd-network.

This also enables systemd.networkd.enable.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.batmanAdvancedConfig

Each attribute in this set specifies an option in the [BatmanAdvanced] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  GatewayMode = "server";
  RoutingAlgorithm = "batman-v";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.bondConfig

Each attribute in this set specifies an option in the [Bond] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Mode = "802.3ad";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.bridgeConfig

Each attribute in this set specifies an option in the [Bridge] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  STP = true;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.extraConfig

Extra configuration append to unit

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.fooOverUDPConfig

Each attribute in this set specifies an option in the [FooOverUDP] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Port = 9001;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.ipvlanConfig

Each attribute in this set specifies an option in the [IPVLAN] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Flags = "private";
  Mode = "L2";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.ipvtapConfig

Each attribute in this set specifies an option in the [IPVTAP] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Flags = "vepa";
  Mode = "L3";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.l2tpConfig

Each attribute in this set specifies an option in the [L2TP] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  EncapsulationType = "ip";
  Local = "static";
  PeerTunnelId = 12;
  Remote = "192.168.30.101";
  TunnelId = 10;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.l2tpSessions

Each item in this array specifies an option in the [L2TPSession] section of the unit. See systemd.netdev(5) for details.

Type: list of attribute set of (systemd option)

Default: [ ]

Example:

[
  {
    Name = "l2tp-sess";
    PeerSessionId = 26;
    SessionId = 25;
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.macvlanConfig

Each attribute in this set specifies an option in the [MACVLAN] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Mode = "private";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.matchConfig

Each attribute in this set specifies an option in the [Match] section of the unit. See systemd.link(5) systemd.netdev(5) systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Name = "eth0";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.netdevConfig

Each attribute in this set specifies an option in the [Netdev] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Example:

{
  Kind = "bridge";
  Name = "mybridge";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.peerConfig

Each attribute in this set specifies an option in the [Peer] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Name = "veth2";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.tapConfig

Each attribute in this set specifies an option in the [Tap] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  User = "openvpn";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.tunConfig

Each attribute in this set specifies an option in the [Tun] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  User = "openvpn";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.tunnelConfig

Each attribute in this set specifies an option in the [Tunnel] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Remote = "192.168.1.1";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.vlanConfig

Each attribute in this set specifies an option in the [VLAN] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Id = 4;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.vrfConfig

Each attribute in this set specifies an option in the [VRF] section of the unit. See systemd.netdev(5) for details. A detailed explanation about how VRFs work can be found in the kernel docs.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Table = 2342;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.vxlanConfig

Each attribute in this set specifies an option in the [VXLAN] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.wireguardConfig

Each attribute in this set specifies an option in the [WireGuard] section of the unit. See systemd.netdev(5) for details. Use PrivateKeyFile instead of PrivateKey: the nix store is world-readable.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  FirewallMark = 42;
  ListenPort = 51820;
  PrivateKeyFile = "/etc/wireguard/secret.key";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.wireguardPeers

Each item in this array specifies an option in the [WireGuardPeer] section of the unit. See systemd.netdev(5) for details. Use PresharedKeyFile instead of PresharedKey: the nix store is world-readable.

Type: list of attribute set of (systemd option)

Default: [ ]

Example:

[
  {
    AllowedIPs = [
      "10.0.0.1/32"
    ];
    Endpoint = "192.168.1.1:51820";
    PersistentKeepalive = 15;
    PresharedKeyFile = "/etc/wireguard/psk.key";
    PublicKey = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.wlanConfig

Each attribute in this set specifies an option in the [WLAN] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  PhysicalDevice = 0;
  Type = "station";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.netdevs.<name>.xfrmConfig

Each attribute in this set specifies an option in the [Xfrm] section of the unit. See systemd.netdev(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  InterfaceId = 1;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks

Definition of systemd networks.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.enable

Whether to manage network configuration using systemd-network.

This also enables systemd.networkd.enable.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.DHCP

Whether to enable DHCP on the interfaces matched.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.address

A list of addresses to be added to the network section of the unit. See systemd.network(5) for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.addresses

A list of address sections to be added to the unit. See systemd.network(5) for details.

Type: list of attribute set of (systemd option)

Default: [ ]

Example:

[
  {
    Address = "192.168.0.100/24";
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.bfifoConfig

Each attribute in this set specifies an option in the [BFIFO] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  LimitBytes = "20K";
  Parent = "ingress";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.bond

A list of bond interfaces to be added to the network section of the unit. See systemd.network(5) for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.bridge

A list of bridge interfaces to be added to the network section of the unit. See systemd.network(5) for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.bridgeConfig

Each attribute in this set specifies an option in the [Bridge] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Cost = 20;
  MulticastFlood = false;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.bridgeFDBs

A list of BridgeFDB sections to be added to the unit. See systemd.network(5) for details.

Type: list of attribute set of (systemd option)

Default: [ ]

Example:

[
  {
    Destination = "192.168.100.4";
    MACAddress = "90:e2:ba:43:fc:71";
    VNI = 3600;
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.bridgeMDBs

A list of BridgeMDB sections to be added to the unit. See systemd.network(5) for details.

Type: list of attribute set of (systemd option)

Default: [ ]

Example:

[
  {
    MulticastGroupAddress = "ff02::1:2:3:4";
    VLANId = 10;
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.bridgeVLANs

A list of BridgeVLAN sections to be added to the unit. See systemd.network(5) for details.

Type: list of attribute set of (systemd option)

Default: [ ]

Example:

[
  {
    VLAN = "10-20";
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.cakeConfig

Each attribute in this set specifies an option in the [CAKE] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Bandwidth = "40M";
  CompensationMode = "ptm";
  OverheadBytes = 8;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.canConfig

Each attribute in this set specifies an option in the [CAN] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.controlledDelayConfig

Each attribute in this set specifies an option in the [ControlledDelay] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Parent = "ingress";
  TargetSec = "20msec";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.deficitRoundRobinSchedulerClassConfig

Each attribute in this set specifies an option in the [DeficitRoundRobinSchedulerClass] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Parent = "root";
  QuantumBytes = "300k";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.deficitRoundRobinSchedulerConfig

Each attribute in this set specifies an option in the [DeficitRoundRobinScheduler] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Parent = "root";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.dhcpPrefixDelegationConfig

Each attribute in this set specifies an option in the [DHCPPrefixDelegation] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Announce = true;
  SubnetId = "auto";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.dhcpServerConfig

Each attribute in this set specifies an option in the [DHCPServer] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  EmitDNS = false;
  PoolOffset = 50;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.dhcpServerStaticLeases

A list of DHCPServerStaticLease sections to be added to the unit. See systemd.network(5) for details.

Type: list of attribute set of (systemd option)

Default: [ ]

Example:

[
  {
    Address = "192.168.1.42";
    MACAddress = "65:43:4a:5b:d8:5f";
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.dhcpV4Config

Each attribute in this set specifies an option in the [DHCPv4] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  UseDNS = true;
  UseRoutes = true;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.dhcpV6Config

Each attribute in this set specifies an option in the [DHCPv6] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  UseDNS = true;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.dns

A list of dns servers to be added to the network section of the unit. See systemd.network(5) for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.domains

A list of domains to pass to the network config.

Type: null or (list of string)

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.enhancedTransmissionSelectionConfig

Each attribute in this set specifies an option in the [EnhancedTransmissionSelection] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Bands = 3;
  Parent = "root";
  PriorityMap = "100 200 300";
  QuantumBytes = "300k";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.extraConfig

Extra configuration append to unit

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.fairQueueingConfig

Each attribute in this set specifies an option in the [FairQueueing] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  FlowLimit = 5;
  Parent = "root";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.fairQueueingControlledDelayConfig

Each attribute in this set specifies an option in the [FairQueueingControlledDelay] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Flows = 5;
  Parent = "root";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.flowQueuePIEConfig

Each attribute in this set specifies an option in the [FlowQueuePIE] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  PacketLimit = "3847";
  Parent = "ingress";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.gateway

A list of gateways to be added to the network section of the unit. See systemd.network(5) for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.genericRandomEarlyDetectionConfig

Each attribute in this set specifies an option in the [GenericRandomEarlyDetection] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  DefaultVirtualQueue = 3;
  Parent = "root";
  VirtualQueues = 5;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.heavyHitterFilterConfig

Each attribute in this set specifies an option in the [HeavyHitterFilter] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  PacketLimit = 10000;
  Parent = "root";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.hierarchyTokenBucketClassConfig

Each attribute in this set specifies an option in the [HierarchyTokenBucketClass] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Parent = "root";
  Rate = "10M";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.hierarchyTokenBucketConfig

Each attribute in this set specifies an option in the [HierarchyTokenBucket] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Parent = "root";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.ipoIBConfig

Each attribute in this set specifies an option in the [IPoIB] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.ipv6AcceptRAConfig

Each attribute in this set specifies an option in the [IPv6AcceptRA] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  DHCPv6Client = "always";
  UseDNS = true;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.ipv6PREF64Prefixes

A list of IPv6PREF64Prefix sections to be added to the unit. See systemd.network(5) for details.

Type: list of attribute set of (systemd option)

Default: [ ]

Example:

[
  {
    Prefix = "64:ff9b::/96";
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.ipv6Prefixes

A list of ipv6Prefix sections to be added to the unit. See systemd.network(5) for details.

Type: list of attribute set of (systemd option)

Default: [ ]

Example:

[
  {
    AddressAutoconfiguration = true;
    OnLink = true;
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.ipv6RoutePrefixes

A list of ipv6RoutePrefix sections to be added to the unit. See systemd.network(5) for details.

Type: list of attribute set of (systemd option)

Default: [ ]

Example:

[
  {
    LifetimeSec = 3600;
    Route = "fd00::/64";
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.ipv6SendRAConfig

Each attribute in this set specifies an option in the [IPv6SendRA] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  EmitDNS = true;
  Managed = true;
  OtherInformation = true;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.linkConfig

Each attribute in this set specifies an option in the [Link] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Unmanaged = true;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.lldpConfig

Each attribute in this set specifies an option in the [LLDP] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  MUDURL = "https://things.example.org/product_abc123/v5";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.macvlan

A list of macvlan interfaces to be added to the network section of the unit. See systemd.network(5) for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.macvtap

A list of macvtap interfaces to be added to the network section of the unit. See systemd.network(5) for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.matchConfig

Each attribute in this set specifies an option in the [Match] section of the unit. See systemd.link(5) systemd.netdev(5) systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Name = "eth0";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.name

The name of the network interface to match against.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.networkConfig

Each attribute in this set specifies an option in the [Network] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Description = "My Network";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.networkEmulatorConfig

Each attribute in this set specifies an option in the [NetworkEmulator] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  DelaySec = "20msec";
  Parent = "ingress";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.ntp

A list of ntp servers to be added to the network section of the unit. See systemd.network(5) for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.pfifoConfig

Each attribute in this set specifies an option in the [PFIFO] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  PacketLimit = "300";
  Parent = "ingress";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.pfifoFastConfig

Each attribute in this set specifies an option in the [PFIFOFast] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Parent = "ingress";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.pfifoHeadDropConfig

Each attribute in this set specifies an option in the [PFIFOHeadDrop] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  PacketLimit = "300";
  Parent = "ingress";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.pieConfig

Each attribute in this set specifies an option in the [PIE] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  PacketLimit = "3847";
  Parent = "ingress";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.qdiscConfig

Each attribute in this set specifies an option in the [QDisc] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Parent = "ingress";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.quickFairQueueingConfig

Each attribute in this set specifies an option in the [QuickFairQueueing] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Parent = "root";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.quickFairQueueingConfigClass

Each attribute in this set specifies an option in the [QuickFairQueueingClass] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Parent = "root";
  Weight = 133;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.routes

A list of route sections to be added to the unit. See systemd.network(5) for details.

Type: list of attribute set of (systemd option)

Default: [ ]

Example:

[
  {
    Gateway = "192.168.0.1";
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.routingPolicyRules

A list of routing policy rules sections to be added to the unit. See systemd.network(5) for details.

Type: list of attribute set of (systemd option)

Default: [ ]

Example:

[
  {
    Family = "both";
    IncomingInterface = "eth1";
    Table = 10;
  }
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.stochasticFairBlueConfig

Each attribute in this set specifies an option in the [StochasticFairBlue] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  PacketLimit = "3847";
  Parent = "ingress";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.stochasticFairnessQueueingConfig

Each attribute in this set specifies an option in the [StochasticFairnessQueueing] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Parent = "ingress";
  PerturbPeriodSec = "30";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.tokenBucketFilterConfig

Each attribute in this set specifies an option in the [TokenBucketFilter] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Parent = "ingress";
  Rate = "100k";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.trivialLinkEqualizerConfig

Each attribute in this set specifies an option in the [TrivialLinkEqualizer] section of the unit. See systemd.network(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Id = 0;
  Parent = "root";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.tunnel

A list of tunnel interfaces to be added to the network section of the unit. See systemd.network(5) for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.vlan

A list of vlan interfaces to be added to the network section of the unit. See systemd.network(5) for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.vrf

A list of vrf interfaces to be added to the network section of the unit. See systemd.network(5) for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.vxlan

A list of vxlan interfaces to be added to the network section of the unit. See systemd.network(5) for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.networks.<name>.xfrm

A list of xfrm interfaces to be added to the network section of the unit. See systemd.network(5) for details.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.wait-online.enable

Whether to enable the systemd-networkd-wait-online service.

systemd-networkd-wait-online can timeout and fail if there are no network interfaces available for it to manage. When systemd-networkd is enabled but a different service is responsible for managing the system’s internet connection (for example, NetworkManager or connman are used to manage WiFi connections), this service is unnecessary and can be disabled.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.wait-online.anyInterface

Whether to consider the network online when any interface is online, as opposed to all of them. This is useful on portable machines with a wired and a wireless interface, for example.

This is on by default if networking.useDHCP is enabled.

Type: boolean

Default: "config.networking.useDHCP"

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.wait-online.extraArgs

Extra command-line arguments to pass to systemd-networkd-wait-online. These also affect per-interface systemd-network-wait-online@ services.

See systemd-networkd-wait-online.service(8) for all available options.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.wait-online.ignoredInterfaces

Network interfaces to be ignored when deciding if the system is online.

Type: list of string

Default: [ ]

Example:

[
  "wg0"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.network.wait-online.timeout

Time to wait for the network to come online, in seconds. Set to 0 to disable.

Type: unsigned integer, meaning >=0

Default: 120

Example: 0

Declared by:

<nixpkgs/nixos/modules/system/boot/networkd.nix>
systemd.nspawn

Definition of systemd-nspawn configurations.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/nspawn.nix>
systemd.nspawn.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/nspawn.nix>
systemd.nspawn.<name>.execConfig

Each attribute in this set specifies an option in the [Exec] section of this unit. See systemd.nspawn(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Parameters = "/bin/sh";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/nspawn.nix>
systemd.nspawn.<name>.filesConfig

Each attribute in this set specifies an option in the [Files] section of this unit. See systemd.nspawn(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Bind = [
    "/home/alice"
  ];
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/nspawn.nix>
systemd.nspawn.<name>.networkConfig

Each attribute in this set specifies an option in the [Network] section of this unit. See systemd.nspawn(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  Private = false;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/nspawn.nix>
systemd.oomd.enable

Whether to enable the systemd-oomd OOM killer.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/oomd.nix>
systemd.oomd.enableRootSlice

Whether to enable oomd on the root slice (-.slice).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/oomd.nix>
systemd.oomd.enableSystemSlice

Whether to enable oomd on the system slice (system.slice).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/oomd.nix>
systemd.oomd.enableUserSlices

Whether to enable oomd on all user slices (user@.slice) and all user owned slices.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/oomd.nix>
systemd.oomd.extraConfig

Extra config options for systemd-oomd. See man oomd.conf for available options.

Type: attribute set of (string or signed integer or boolean)

Default: { }

Example: { DefaultMemoryPressureDurationSec = "20s"; }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/oomd.nix>
systemd.paths

Definition of systemd path units; see systemd.path(5).

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.pathConfig

Each attribute in this set specifies an option in the [Path] section of the unit. See systemd.path(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  PathChanged = "/some/path";
  Unit = "changedpath.service";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.paths.<name>.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.repart.enable

Grow and add partitions to a partition table. systemd-repart only works with GPT partition tables.

To run systemd-repart while in the initrd, see options.boot.initrd.systemd.repart.enable.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/repart.nix>
systemd.repart.partitions

Specify partitions as a set of the names of the definition files as the key and the partition configuration as its value. The partition configuration can use all upstream options. See <link xlink:href=“https://www.freedesktop.org/software/systemd/man/repart.d.html”/> for all available options.

Type: attribute set of attribute set of (string or signed integer or boolean)

Default: { }

Example:

{
  "10-root" = {
    Type = "root";
  };
  "20-home" = {
    SizeMaxBytes = "2G";
    SizeMinBytes = "512M";
    Type = "home";
  };
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/repart.nix>
systemd.services

Definition of systemd service units; see systemd.service(5).

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/testing/service-runner.nix>
<nixpkgs/nixos/modules/system/boot/systemd.nix>
<nixpkgs/nixos/modules/security/systemd-confinement.nix>
systemd.services.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.enableStrictShellChecks

Enable running shellcheck on the generated scripts for this unit.

Type: boolean

Default: config.systemd.enableStrictShellChecks

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.confinement.enable

If set, all the required runtime store paths for this service are bind-mounted into a tmpfs-based chroot(2).

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/systemd-confinement.nix>
systemd.services.<name>.confinement.packages

Additional packages or strings with context to add to the closure of the chroot. By default, this includes all the packages from the serviceConfig.ExecReload, serviceConfig.ExecStartPost, serviceConfig.ExecStartPre, serviceConfig.ExecStop, serviceConfig.ExecStopPost and serviceConfig.ExecStart options. If you want to have all the dependencies of this systemd unit, you can use confinement.fullUnit.

Note

The store paths listed in path are not included in the closure as well as paths from other options except those listed above.

Type: list of (string or package)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/security/systemd-confinement.nix>
systemd.services.<name>.confinement.binSh

The program to make available as /bin/sh inside the chroot. If this is set to null, no /bin/sh is provided at all.

This is useful for some applications, which for example use the system(3) library function to execute commands.

Type: null or path

Default: config.environment.binsh

Example: "${pkgs.dash}/bin/dash"

Declared by:

<nixpkgs/nixos/modules/security/systemd-confinement.nix>
systemd.services.<name>.confinement.fullUnit

Whether to include the full closure of the systemd unit file into the chroot, instead of just the dependencies for the executables.

Warning

While it may be tempting to just enable this option to make things work quickly, please be aware that this might add paths to the closure of the chroot that you didn’t anticipate. It’s better to use confinement.packages to explicitly add additional store paths to the chroot.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/security/systemd-confinement.nix>
systemd.services.<name>.confinement.mode

The value full-apivfs (the default) sets up private /dev, /proc, /sys, /tmp and /var/tmp file systems in a separate user name space.

If this is set to chroot-only, only the file system name space is set up along with the call to chroot(2).

In all cases, unless serviceConfig.PrivateTmp=true is set, both /tmp and /var/tmp paths are added to InaccessiblePaths=. This is to overcome options like DynamicUser=true implying PrivateTmp=true without letting it being turned off. Beware however that giving processes the CAP_SYS_ADMIN and @mount privileges can let them undo the effects of InaccessiblePaths=.

Note

This doesn’t cover network namespaces and is solely for file system level isolation.

Type: one of “full-apivfs”, “chroot-only”

Default: "full-apivfs"

Declared by:

<nixpkgs/nixos/modules/security/systemd-confinement.nix>
systemd.services.<name>.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.environment

Environment variables passed to the service’s processes.

Type: attribute set of (null or string or path or package)

Default: { }

Example:

{
  LANG = "nl_NL.UTF-8";
  PATH = "/foo/bar/bin";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.path

Packages added to the service’s PATH environment variable. Both the bin and sbin subdirectories of each package are added.

Type: list of (package or string)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.postStart

Shell commands executed after the service’s main process is started.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.postStop

Shell commands executed after the service’s main process has exited.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.preStart

Shell commands executed before the service’s main process is started.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.preStop

Shell commands executed to stop the service.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.reload

Shell commands executed when the service’s main process is reloaded.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.reloadIfChanged

Whether the service should be reloaded during a NixOS configuration switch if its definition has changed. If enabled, the value of restartIfChanged is ignored.

This option should not be used anymore in favor of reloadTriggers which allows more granular control of when a service is reloaded and when a service is restarted.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.restartIfChanged

Whether the service should be restarted during a NixOS configuration switch if its definition has changed.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.script

Shell commands executed as the service’s main process.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.scriptArgs

Arguments passed to the main process script. Can contain specifiers (% placeholders expanded by systemd, see systemd.unit(5)).

Type: string

Default: ""

Example: "%i"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.serviceConfig

Each attribute in this set specifies an option in the [Service] section of the unit. See systemd.service(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RestartSec = 5;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.startAt

Automatically start this unit at the given date/time, which must be in the format described in systemd.time(7). This is equivalent to adding a corresponding timer unit with OnCalendar set to the value given here.

Type: string or list of string

Default: [ ]

Example: "Sun 14:00:00"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.stopIfChanged

If set, a changed unit is restarted by calling systemctl stop in the old configuration, then systemctl start in the new one. Otherwise, it is restarted in a single step using systemctl restart in the new configuration. The latter is less correct because it runs the ExecStop commands from the new configuration.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.services.<name>.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.shutdown

Definition of systemd shutdown executables. For each NAME = VALUE pair of the attrSet, a link is generated from /etc/systemd/system-shutdown/NAME to VALUE.

Type: attribute set of path

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.shutdownRamfs.enable

Whether to enable pivoting back to an initramfs for shutdown.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.shutdownRamfs.contents

Set of files that have to be linked into the shutdown ramfs

Type: attribute set of (submodule)

Example:

{
  "/lib/systemd/system-shutdown/zpool-sync-shutdown".source = writeShellScript "zpool" "exec ${zfs}/bin/zpool sync"
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.shutdownRamfs.contents.<name>.enable

Whether to enable copying of this file and symlinking it.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.shutdownRamfs.contents.<name>.dlopen.features

Features to enable via dlopen ELF notes. These will be in addition to anything included via ‘usePriority’, regardless of their priority.

Type: list of (optionally newline-terminated) single-line string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.shutdownRamfs.contents.<name>.dlopen.usePriority

Priority of dlopen ELF notes to include. “required” is minimal, “recommended” includes “required”, and “suggested” includes “recommended”.

See: https://systemd.io/ELF_DLOPEN_METADATA/

Type: one of “required”, “recommended”, “suggested”

Default: "recommended"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.shutdownRamfs.contents.<name>.source

Path of the source file.

Type: path

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.shutdownRamfs.contents.<name>.target

Path of the symlink.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.shutdownRamfs.contents.<name>.text

Text of the file.

Type: null or strings concatenated with “\n”

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.shutdownRamfs.storePaths

Store paths to copy into the shutdown ramfs as well.

Type: list of ((submodule) or ((optionally newline-terminated) single-line string or package) convertible to it)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.shutdownRamfs.storePaths.*.enable

Whether to enable copying of this file and symlinking it.

Type: boolean

Default: true

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.shutdownRamfs.storePaths.*.dlopen.features

Features to enable via dlopen ELF notes. These will be in addition to anything included via ‘usePriority’, regardless of their priority.

Type: list of (optionally newline-terminated) single-line string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.shutdownRamfs.storePaths.*.dlopen.usePriority

Priority of dlopen ELF notes to include. “required” is minimal, “recommended” includes “required”, and “suggested” includes “recommended”.

See: https://systemd.io/ELF_DLOPEN_METADATA/

Type: one of “required”, “recommended”, “suggested”

Default: "recommended"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.shutdownRamfs.storePaths.*.source

Path of the source file.

Type: path

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.shutdownRamfs.storePaths.*.target

Path of the symlink.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/shutdown.nix>
systemd.sleep.extraConfig

Extra config options for systemd sleep state logic. See sleep.conf.d(5) man page for available options.

Type: strings concatenated with “\n”

Default: ""

Example: "HibernateDelaySec=1h"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices

Definition of slice configurations; see systemd.slice(5).

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.sliceConfig

Each attribute in this set specifies an option in the [Slice] section of the unit. See systemd.slice(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  MemoryMax = "2G";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.slices.<name>.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets

Definition of systemd socket units; see systemd.socket(5).

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.listenDatagrams

For each item in this list, a ListenDatagram option in the [Socket] section will be created.

Type: list of string

Default: [ ]

Example:

[
  "0.0.0.0:993"
  "/run/my-socket"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.listenStreams

For each item in this list, a ListenStream option in the [Socket] section will be created.

Type: list of string

Default: [ ]

Example:

[
  "0.0.0.0:993"
  "/run/my-socket"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.socketConfig

Each attribute in this set specifies an option in the [Socket] section of the unit. See systemd.socket(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  ListenStream = "/run/my-socket";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sockets.<name>.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.suppressedSystemUnits

A list of units to skip when generating system systemd configuration directory. This has priority over upstream units, systemd.units, and systemd.additionalUpstreamSystemUnits. The main purpose of this is to prevent a upstream systemd unit from being added to the initrd with any modifications made to it by other NixOS modules.

Type: list of string

Default: [ ]

Example:

[
  "systemd-backlight@.service"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.sysupdate.enable

Atomically update the host OS, container images, portable service images or other sources.

If enabled, updates are triggered in regular intervals via a systemd.timer unit.

Please see https://www.freedesktop.org/software/systemd/man/systemd-sysupdate.html for more details.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/sysupdate.nix>
systemd.sysupdate.reboot.enable

Whether to automatically reboot after an update.

If set to true, the system will automatically reboot via a systemd.timer unit but only after a new version was installed.

This uses a unit completely separate from the one performing the update because it is typically advisable to download updates regularly while the system is up, but delay reboots until the appropriate time (i.e. typically at night).

Set this to false if you do not want to reboot after an update. This is useful when you update a container image or another source where rebooting is not necessary in order to finalize the update.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/sysupdate.nix>
systemd.sysupdate.reboot.timerConfig

The timer configuration for rebooting after an update.

By default, the upstream configuration is used: https://github.com/systemd/systemd/blob/main/units/systemd-sysupdate-reboot.timer

Type: attribute set of (systemd option)

Default: { }

Example:

{
  OnCalendar = "Sun 14:00:00";
  Unit = "foo.service";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/sysupdate.nix>
systemd.sysupdate.timerConfig

The timer configuration for performing the update.

By default, the upstream configuration is used: https://github.com/systemd/systemd/blob/main/units/systemd-sysupdate.timer

Type: attribute set of (systemd option)

Default: { }

Example:

{
  OnCalendar = "Sun 14:00:00";
  Unit = "foo.service";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/sysupdate.nix>
systemd.sysupdate.transfers

Specify transfers as a set of the names of the transfer files as the key and the configuration as its value. The configuration can use all upstream options. See https://www.freedesktop.org/software/systemd/man/sysupdate.d.html for all available options.

Type: attribute set of attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string) or a non-empty list of them)

Default: { }

Example:

{
  "10-uki" = {
    Source = {
      MatchPattern = [
        "nixos_@v+@l-@d.efi"
        "nixos_@v+@l.efi"
        "nixos_@v.efi"
      ];
      Path = "https://download.example.com/";
      Type = "url-file";
    };
    Target = {
      InstancesMax = 2;
      MatchPattern = ''
        nixos_@v+@l-@d.efi"; \
        nixos_@v+@l.efi \
        nixos_@v.efi
      '';
      Mode = "0444";
      Path = "/EFI/Linux";
      PathRelativeTo = "boot";
      TriesDone = 0;
      TriesLeft = 3;
      Type = "regular-file";
    };
    Transfer = {
      ProtectVersion = "%A";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/sysupdate.nix>
systemd.sysusers.enable

If enabled, users are created with systemd-sysusers instead of with the custom update-users-groups.pl script.

Note: This is experimental.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/sysusers.nix>
systemd.targets

Definition of systemd target units; see systemd.target(5)

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.targets.<name>.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers

Definition of systemd timer units; see systemd.timer(5).

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.timerConfig

Each attribute in this set specifies an option in the [Timer] section of the unit. See systemd.timer(5) and systemd.time(7) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  OnCalendar = "Sun 14:00:00";
  Unit = "foo.service";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.timers.<name>.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.tmpfiles.packages

List of packages containing systemd-tmpfiles rules.

All files ending in .conf found in «pkg»/lib/tmpfiles.d will be included. If this folder does not exist or does not contain any files an error will be returned instead.

If a lib output is available, rules are searched there and only there. If there is no lib output it will fall back to out and if that does not exist either, the default output will be used.

Type: list of package

Default: [ ]

Example: [ pkgs.lvm2 ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
systemd.tmpfiles.rules

Rules for creation, deletion and cleaning of volatile and temporary files automatically. See tmpfiles.d(5) for the exact format.

Type: list of string

Default: [ ]

Example:

[
  "d /tmp 1777 root root 10d"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
systemd.tmpfiles.settings

Declare systemd-tmpfiles rules to create, delete, and clean up volatile and temporary files and directories.

Even though the service is called *tmp*files you can also create persistent files.

Type: attribute set of attribute set of attribute set of (submodule)

Default: { }

Example:

{
  "10-mypackage" = {
    "/var/lib/my-service/statefolder" = {
      d = {
        group = "root";
        mode = "0755";
        user = "root";
      };
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
systemd.tmpfiles.settings.<config-name>.<tmpfiles-type>.<path>.age

Delete a file when it reaches a certain age.

If a file or directory is older than the current time minus the age field, it is deleted.

If set to "-" no automatic clean-up is done.

Type: string

Default: "-"

Example: "10d"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
systemd.tmpfiles.settings.<config-name>.<tmpfiles-type>.<path>.argument

An argument whose meaning depends on the type of operation.

Please see the upstream documentation for the meaning of this parameter in different situations: https://www.freedesktop.org/software/systemd/man/tmpfiles.d

Type: string

Default: ""

Example: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
systemd.tmpfiles.settings.<config-name>.<tmpfiles-type>.<path>.group

The group of the file.

This may either be a numeric ID or a user/group name.

If omitted or when set to "-", the user and group of the user who invokes systemd-tmpfiles is used.

Type: string

Default: "-"

Example: "root"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
systemd.tmpfiles.settings.<config-name>.<tmpfiles-type>.<path>.mode

The file access mode to use when creating this file or directory.

Type: string

Default: "-"

Example: "0755"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
systemd.tmpfiles.settings.<config-name>.<tmpfiles-type>.<path>.type

The type of operation to perform on the file.

The type consists of a single letter and optionally one or more modifier characters.

Please see the upstream documentation for the available types and more details: https://www.freedesktop.org/software/systemd/man/tmpfiles.d

Type: string

Default: "‹name›"

Example: "d"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
systemd.tmpfiles.settings.<config-name>.<tmpfiles-type>.<path>.user

The user of the file.

This may either be a numeric ID or a user/group name.

If omitted or when set to "-", the user and group of the user who invokes systemd-tmpfiles is used.

Type: string

Default: "-"

Example: "root"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tmpfiles.nix>
systemd.tpm2.enable

Whether to enable systemd TPM2 support.

Type: boolean

Default: "systemd.package.withTpm2Tss"

Example: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/tpm2.nix>
systemd.units

Definition of systemd units; see systemd.unit(5).

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.units.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.units.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.units.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.units.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.units.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.units.<name>.text

Text of this systemd unit.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.units.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.units.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.user.extraConfig

Extra config options for systemd user instances. See systemd-user.conf(5) for available options.

Type: strings concatenated with “\n”

Default: ""

Example: "DefaultCPUAccounting=yes"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.generators

Definition of systemd generators; see systemd.generator(5).

For each NAME = VALUE pair of the attrSet, a link is generated from /etc/systemd/user-generators/NAME to VALUE.

Type: attribute set of path

Default: { }

Example:

{
  systemd-gpt-auto-generator = "/dev/null";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths

Definition of systemd per-user path units.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.pathConfig

Each attribute in this set specifies an option in the [Path] section of the unit. See systemd.path(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  PathChanged = "/some/path";
  Unit = "changedpath.service";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.paths.<name>.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services

Definition of systemd per-user service units.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.enableStrictShellChecks

Enable running shellcheck on the generated scripts for this unit.

Type: boolean

Default: config.systemd.enableStrictShellChecks

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.environment

Environment variables passed to the service’s processes.

Type: attribute set of (null or string or path or package)

Default: { }

Example:

{
  LANG = "nl_NL.UTF-8";
  PATH = "/foo/bar/bin";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.path

Packages added to the service’s PATH environment variable. Both the bin and sbin subdirectories of each package are added.

Type: list of (package or string)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.postStart

Shell commands executed after the service’s main process is started.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.postStop

Shell commands executed after the service’s main process has exited.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.preStart

Shell commands executed before the service’s main process is started.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.preStop

Shell commands executed to stop the service.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.reload

Shell commands executed when the service’s main process is reloaded.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.reloadIfChanged

Whether the service should be reloaded during a NixOS configuration switch if its definition has changed. If enabled, the value of restartIfChanged is ignored.

This option should not be used anymore in favor of reloadTriggers which allows more granular control of when a service is reloaded and when a service is restarted.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.restartIfChanged

Whether the service should be restarted during a NixOS configuration switch if its definition has changed.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.script

Shell commands executed as the service’s main process.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.scriptArgs

Arguments passed to the main process script. Can contain specifiers (% placeholders expanded by systemd, see systemd.unit(5)).

Type: string

Default: ""

Example: "%i"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.serviceConfig

Each attribute in this set specifies an option in the [Service] section of the unit. See systemd.service(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RestartSec = 5;
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.startAt

Automatically start this unit at the given date/time, which must be in the format described in systemd.time(7). This is equivalent to adding a corresponding timer unit with OnCalendar set to the value given here.

Type: string or list of string

Default: [ ]

Example: "Sun 14:00:00"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.stopIfChanged

If set, a changed unit is restarted by calling systemctl stop in the old configuration, then systemctl start in the new one. Otherwise, it is restarted in a single step using systemctl restart in the new configuration. The latter is less correct because it runs the ExecStop commands from the new configuration.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.services.<name>.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices

Definition of systemd per-user slice units.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.sliceConfig

Each attribute in this set specifies an option in the [Slice] section of the unit. See systemd.slice(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  MemoryMax = "2G";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.slices.<name>.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets

Definition of systemd per-user socket units.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.listenDatagrams

For each item in this list, a ListenDatagram option in the [Socket] section will be created.

Type: list of string

Default: [ ]

Example:

[
  "0.0.0.0:993"
  "/run/my-socket"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.listenStreams

For each item in this list, a ListenStream option in the [Socket] section will be created.

Type: list of string

Default: [ ]

Example:

[
  "0.0.0.0:993"
  "/run/my-socket"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.socketConfig

Each attribute in this set specifies an option in the [Socket] section of the unit. See systemd.socket(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  ListenStream = "/run/my-socket";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.sockets.<name>.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets

Definition of systemd per-user target units.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.targets.<name>.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers

Definition of systemd per-user timer units.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.after

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.before

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.bindsTo

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.conflicts

If the specified units are started, then this unit is stopped and vice versa.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.description

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.documentation

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.onFailure

A list of one or more units that are activated when this unit enters the “failed” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.onSuccess

A list of one or more units that are activated when this unit enters the “inactive” state.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.partOf

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.reloadTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.requires

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.requisite

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.restartTriggers

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.startLimitBurst

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.startLimitIntervalSec

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.timerConfig

Each attribute in this set specifies an option in the [Timer] section of the unit. See systemd.timer(5) and systemd.time(7) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  OnCalendar = "Sun 14:00:00";
  Unit = "foo.service";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.unitConfig

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  RequiresMountsFor = "/data";
}

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.upholds

Keeps the specified running while this unit is running. A continuous version of wants.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.timers.<name>.wants

Start the specified units when this unit is started.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.tmpfiles.rules

Global user rules for creation, deletion and cleaning of volatile and temporary files automatically. See tmpfiles.d(5) for the exact format.

Type: list of string

Default: [ ]

Example:

[
  "D %C - - - 7d"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.tmpfiles.users

Per-user rules for creation, deletion and cleaning of volatile and temporary files automatically.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.tmpfiles.users.<name>.rules

Per-user rules for creation, deletion and cleaning of volatile and temporary files automatically. See tmpfiles.d(5) for the exact format.

Type: list of string

Default: [ ]

Example:

[
  "D %C - - - 7d"
]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.units

Definition of systemd per-user units.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.units.<name>.enable

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.units.<name>.aliases

Aliases of that unit.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.units.<name>.name

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.units.<name>.overrideStrategy

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise a drop-in file name overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.units.<name>.requiredBy

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.units.<name>.text

Text of this systemd unit.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.units.<name>.upheldBy

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.user.units.<name>.wantedBy

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd/user.nix>
systemd.watchdog.device

The path to a hardware watchdog device which will be managed by systemd. If not specified, systemd will default to /dev/watchdog.

Type: null or path

Default: null

Example: "/dev/watchdog"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.watchdog.kexecTime

The amount of time which can elapse when kexec is being executed before a watchdog hardware device will automatically reboot the system. This option should only be enabled if reloadTime is also enabled; see kexec(8).

Valid time units include “ms”, “s”, “min”, “h”, “d”, and “w”; see also systemd.time(7).

Type: null or string

Default: null

Example: "10m"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.watchdog.rebootTime

The amount of time which can elapse after a reboot has been triggered before a watchdog hardware device will automatically reboot the system. If left null, systemd will use its default of 10 minutes; see systemd-system.conf(5).

Valid time units include “ms”, “s”, “min”, “h”, “d”, and “w”; see also systemd.time(7).

Type: null or string

Default: null

Example: "10m"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
systemd.watchdog.runtimeTime

The amount of time which can elapse before a watchdog hardware device will automatically reboot the system.

Valid time units include “ms”, “s”, “min”, “h”, “d”, and “w”; see systemd.time(7).

Type: null or string

Default: null

Example: "30s"

Declared by:

<nixpkgs/nixos/modules/system/boot/systemd.nix>
time.hardwareClockInLocalTime

If set, keep the hardware clock in local time instead of UTC.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/locale.nix>
time.timeZone

The time zone used when displaying times and dates. See https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for a comprehensive list of possible values for this setting.

If null, the timezone will default to UTC and can be set imperatively using timedatectl.

Type: null or string without spaces

Default: null

Example: "America/New_York"

Declared by:

<nixpkgs/nixos/modules/config/locale.nix>
users.allowNoPasswordLogin

Disable checking that at least the root user or a user in the wheel group can log in using a password or an SSH key.

WARNING: enabling this can lock you out of your system. Enable this only if you know what are you doing.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.defaultUserShell

This option defines the default shell assigned to user accounts. This can be either a full system path or a shell package.

This must not be a store path, since the path is used outside the store (in particular in /etc/passwd).

Type: path or package

Example: pkgs.zsh

Declared by:

<nixpkgs/nixos/modules/programs/shadow.nix>
users.enforceIdUniqueness

Whether to require that no two users/groups share the same uid/gid.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraGroups

Alias of users.groups.

Type: attribute set of (submodule)

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraGroups.<name>.gid

The group GID. If the GID is null, a free GID is picked on activation.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraGroups.<name>.members

The user names of the group members, added to the /etc/group file.

Type: list of (string, not containing newlines or colons)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraGroups.<name>.name

The name of the group. If undefined, the name of the attribute set will be used.

Type: string, not containing newlines or colons

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers

Alias of users.users.

Type: attribute set of (submodule)

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.packages

The set of packages that should be made available to the user. This is in contrast to environment.systemPackages, which adds packages to all users.

Type: list of package

Default: [ ]

Example: [ pkgs.firefox pkgs.thunderbird ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.autoSubUidGidRange

Automatically allocate subordinate user and group ids for this user. Allocated range is currently always of size 65536.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.createHome

Whether to create the home directory and ensure ownership as well as permissions to match the user.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.cryptHomeLuks

Path to encrypted luks device that contains the user’s home directory.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.description

A short description of the user account, typically the user’s full name. This is actually the “GECOS” or “comment” field in /etc/passwd.

Type: string, not containing newlines or colons

Default: ""

Example: "Alice Q. User"

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.expires

Set the date on which the user’s account will no longer be accessible. The date is expressed in the format YYYY-MM-DD, or null to disable the expiry. A user whose account is locked must contact the system administrator before being able to use the system again.

Type: null or string matching the pattern [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.extraGroups

The user’s auxiliary groups.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.group

The user’s primary group.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.hashedPassword

Specifies the hashed password for the user. The options hashedPassword, password and hashedPasswordFile controls what password is set for the user. hashedPassword overrides both password and hashedPasswordFile. password overrides hashedPasswordFile. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords, they will always be set according to the password options.

To generate a hashed password run mkpasswd.

If set to an empty string (""), this user will be able to log in without being asked for a password (but not via remote services such as SSH, or indirectly via su or sudo). This should only be used for e.g. bootable live systems. Note: this is different from setting an empty password, which can be achieved using users.users.<name?>.password.

If set to null (default) this user will not be able to log in using a password (i.e. via login command).

Type: null or (string, not containing newlines or colons)

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.hashedPasswordFile

The full path to a file that contains the hash of the user’s password. The password file is read on each system activation. The file should contain exactly one line, which should be the password in an encrypted form that is suitable for the chpasswd -e command. The options hashedPassword, password and hashedPasswordFile controls what password is set for the user. hashedPassword overrides both password and hashedPasswordFile. password overrides hashedPasswordFile. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords, they will always be set according to the password options.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.home

The user’s home directory.

Type: path, not containing newlines or colons

Default: "/var/empty"

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.homeMode

The user’s home directory mode in numeric format. See chmod(1). The mode is only applied if users.users.<name>.createHome is true.

Type: string matching the pattern [0-7]{1,5}

Default: "700"

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.ignoreShellProgramCheck

By default, nixos will check that programs.SHELL.enable is set to true if the user has a custom shell specified. If that behavior isn’t required and there are custom overrides in place to make sure that the shell is functional, set this to true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.initialHashedPassword

Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it’s equivalent to setting the hashedPassword option.

Note that the hashedPassword option will override this option if both are set.

To generate a hashed password run mkpasswd.

If set to an empty string (""), this user will be able to log in without being asked for a password (but not via remote services such as SSH, or indirectly via su or sudo). This should only be used for e.g. bootable live systems. Note: this is different from setting an empty password, which can be achieved using users.users.<name?>.password.

If set to null (default) this user will not be able to log in using a password (i.e. via login command).

Type: null or (string, not containing newlines or colons)

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.initialPassword

Specifies the initial password for the user, i.e. the password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it’s equivalent to setting the password option. The same caveat applies: the password specified here is world-readable in the Nix store, so it should only be used for guest accounts or passwords that will be changed promptly.

Note that the password option will override this option if both are set.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.isNormalUser

Indicates whether this is an account for a “real” user. This automatically sets group to users, createHome to true, home to /home/«username», useDefaultShell to true, and isSystemUser to false. Exactly one of isNormalUser and isSystemUser must be true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.isSystemUser

Indicates if the user is a system user or not. This option only has an effect if uid is null, in which case it determines whether the user’s UID is allocated in the range for system users (below 1000) or in the range for normal users (starting at 1000). Exactly one of isNormalUser and isSystemUser must be true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.linger

Whether to enable lingering for this user. If true, systemd user units will start at boot, rather than starting at login and stopping at logout. This is the declarative equivalent of running loginctl enable-linger for this user.

If false, user units will not be started until the user logs in, and may be stopped on logout depending on the settings in logind.conf.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.name

The name of the user account. If undefined, the name of the attribute set will be used.

Type: string, not containing newlines or colons

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.openssh.authorizedKeys.keyFiles

A list of files each containing one OpenSSH public key that should be added to the user’s authorized keys. The contents of the files are read at build time and added to a file that the SSH daemon reads in addition to the the user’s authorized_keys file. You can combine the keyFiles and keys options.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
users.extraUsers.<name>.openssh.authorizedKeys.keys

A list of verbatim OpenSSH public keys that should be added to the user’s authorized keys. The keys are added to a file that the SSH daemon reads in addition to the the user’s authorized_keys file. You can combine the keys and keyFiles options. Warning: If you are using NixOps then don’t use this option since it will replace the key required for deployment via ssh.

Type: list of (optionally newline-terminated) single-line string

Default: [ ]

Example:

[
  "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"
  "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
users.extraUsers.<name>.openssh.authorizedPrincipals

A list of verbatim principal names that should be added to the user’s authorized principals.

Type: list of (optionally newline-terminated) single-line string

Default: [ ]

Example:

[
  "example@host"
  "foo@bar"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
users.extraUsers.<name>.pamMount

Attributes for user’s entry in pam_mount.conf.xml. Useful attributes might include path, options, fstype, and server. See https://pam-mount.sourceforge.net/pam_mount.conf.5.html for more information.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.password

Specifies the (clear text) password for the user. Warning: do not set confidential information here because it is world-readable in the Nix store. This option should only be used for public accounts. The options hashedPassword, password and hashedPasswordFile controls what password is set for the user. hashedPassword overrides both password and hashedPasswordFile. password overrides hashedPasswordFile. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords, they will always be set according to the password options.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.shell

The path to the user’s shell. Can use shell derivations, like pkgs.bashInteractive. Don’t forget to enable your shell in programs if necessary, like programs.zsh.enable = true;.

Type: null or package or (path, not containing newlines or colons)

Default: pkgs.shadow

Example: pkgs.bashInteractive

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.subGidRanges

Subordinate group ids that user is allowed to use. They are set into /etc/subgid and are used by newgidmap for user namespaces.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    count = 1;
    startGid = 100;
  }
  {
    count = 999;
    startGid = 1001;
  }
]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.subGidRanges.*.count

Count of subordinate group ids

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.subGidRanges.*.startGid

Start of the range of subordinate group ids that user is allowed to use.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.subUidRanges

Subordinate user ids that user is allowed to use. They are set into /etc/subuid and are used by newuidmap for user namespaces.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    count = 1;
    startUid = 1000;
  }
  {
    count = 65534;
    startUid = 100001;
  }
]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.subUidRanges.*.count

Count of subordinate user ids

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.subUidRanges.*.startUid

Start of the range of subordinate user ids that user is allowed to use.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.uid

The account UID. If the UID is null, a free UID is picked on activation.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.extraUsers.<name>.useDefaultShell

If true, the user’s shell will be set to users.defaultUserShell.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.groups

Additional groups to be created automatically by the system.

Type: attribute set of (submodule)

Default: { }

Example:

{
  hackers = { };
  students = {
    gid = 1001;
  };
}

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.groups.<name>.gid

The group GID. If the GID is null, a free GID is picked on activation.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.groups.<name>.members

The user names of the group members, added to the /etc/group file.

Type: list of (string, not containing newlines or colons)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.groups.<name>.name

The name of the group. If undefined, the name of the attribute set will be used.

Type: string, not containing newlines or colons

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.ldap.enable

Whether to enable authentication against an LDAP server.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.base

The distinguished name of the search base.

Type: string

Example: "dc=example,dc=org"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.bind.distinguishedName

The distinguished name to bind to the LDAP server with. If this is not specified, an anonymous bind will be done.

Type: string

Default: ""

Example: "cn=admin,dc=example,dc=com"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.bind.passwordFile

The path to a file containing the credentials to use when binding to the LDAP server (if not binding anonymously).

Type: string

Default: "/etc/ldap/bind.password"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.bind.policy

Specifies the policy to use for reconnecting to an unavailable LDAP server. The default is hard_open, which reconnects if opening the connection to the directory server failed. By contrast, hard_init reconnects if initializing the connection failed. Initializing may not actually contact the directory server, and it is possible that a malformed configuration file will trigger reconnection. If soft is specified, then nss_ldap will return immediately on server failure. All hard reconnect policies block with exponential backoff before retrying.

Type: one of “hard_open”, “hard_init”, “soft”

Default: "hard_open"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.bind.timeLimit

Specifies the time limit (in seconds) to use when connecting to the directory server. This is distinct from the time limit specified in users.ldap.timeLimit and affects the initial server connection only.

Type: signed integer

Default: 30

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.daemon.enable

Whether to let the nslcd daemon (nss-pam-ldapd) handle the LDAP lookups for NSS and PAM. This can improve performance, and if you need to bind to the LDAP server with a password, it increases security, since only the nslcd user needs to have access to the bindpw file, not everyone that uses NSS and/or PAM. If this option is enabled, a local nscd user is created automatically, and the nslcd service is started automatically when the network get up.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.daemon.extraConfig

Extra configuration options that will be added verbatim at the end of the nslcd configuration file (nslcd.conf(5)).

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.daemon.rootpwmoddn

The distinguished name to use to bind to the LDAP server when the root user tries to modify a user’s password.

Type: string

Default: ""

Example: "cn=admin,dc=example,dc=com"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.daemon.rootpwmodpwFile

The path to a file containing the credentials with which to bind to the LDAP server if the root user tries to change a user’s password.

Type: string

Default: ""

Example: "/run/keys/nslcd.rootpwmodpw"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.extraConfig

Extra configuration options that will be added verbatim at the end of the ldap configuration file (ldap.conf(5)). If users.ldap.daemon is enabled, this configuration will not be used. In that case, use users.ldap.daemon.extraConfig instead.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.loginPam

Whether to include authentication against LDAP in login PAM.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.nsswitch

Whether to include lookup against LDAP in NSS.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.server

The URL of the LDAP server.

Type: string

Example: "ldap://ldap.example.org/"

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.timeLimit

Specifies the time limit (in seconds) to use when performing searches. A value of zero (0), which is the default, is to wait indefinitely for searches to be completed.

Type: signed integer

Default: 0

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.ldap.useTLS

If enabled, use TLS (encryption) over an LDAP (port 389) connection. The alternative is to specify an LDAPS server (port 636) in users.ldap.server or to forego security.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/ldap.nix>
users.motd

Message of the day shown to users when they log in.

Type: strings concatenated with “\n”

Default: ""

Example: "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178."

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
users.motdFile

A file containing the message of the day shown to users when they log in.

Type: null or path

Default: null

Example: "/etc/motd"

Declared by:

<nixpkgs/nixos/modules/security/pam.nix>
users.mutableUsers

If set to true, you are free to add new users and groups to the system with the ordinary useradd and groupadd commands. On system activation, the existing contents of the /etc/passwd and /etc/group files will be merged with the contents generated from the users.users and users.groups options. The initial password for a user will be set according to users.users, but existing passwords will not be changed.

Warning

If set to false, the contents of the user and group files will simply be replaced on system activation. This also holds for the user passwords; all changed passwords will be reset according to the users.users configuration on activation.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.mysql.enable

Whether to enable authentication against a MySQL/MariaDB database.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.database

The name of the database containing the users

Type: string

Example: "auth"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.host

The hostname of the MySQL/MariaDB server

Type: string

Example: "localhost"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.nss

Settings for libnss-mysql.

All examples are from the minimal example of libnss-mysql, but they are modified with NixOS paths for bash.

Type: submodule

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.nss.getgrent

SQL query for the getgrent syscall.

Type: null or string

Default: null

Example:

SELECT name,password,gid FROM groups

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.nss.getgrgid

SQL query for the getgrgid syscall.

Type: null or string

Default: null

Example:

SELECT name,password,gid FROM groups WHERE gid='%1$u' LIMIT 1

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.nss.getgrnam

SQL query for the getgrnam syscall.

Type: null or string

Default: null

Example:

SELECT name,password,gid FROM groups WHERE name='%1$s' LIMIT 1

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.nss.getpwent

SQL query for the getpwent syscall.

Type: null or string

Default: null

Example:

SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' FROM users

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.nss.getpwnam

SQL query for the getpwnam syscall.

Type: null or string

Default: null

Example:

SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' \
FROM users \
WHERE username='%1$s' \
LIMIT 1

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.nss.getpwuid

SQL query for the getpwuid syscall.

Type: null or string

Default: null

Example:

SELECT username,'x',uid,'5000','MySQL User', CONCAT('/home/',username),'/run/sw/current-system/bin/bash' \
FROM users \
WHERE uid='%1$u' \
LIMIT 1

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.nss.getspent

SQL query for the getspent syscall.

Type: null or string

Default: null

Example:

SELECT username,password,'1','0','99999','0','0','-1','0' FROM users

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.nss.getspnam

SQL query for the getspnam syscall.

Type: null or string

Default: null

Example:

SELECT username,password,'1','0','99999','0','0','-1','0' \
FROM users \
WHERE username='%1$s' \
LIMIT 1

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.nss.gidsbymem

SQL query for the gidsbymem syscall.

Type: null or string

Default: null

Example:

SELECT gid FROM grouplist WHERE username='%1$s'

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.nss.memsbygid

SQL query for the memsbygid syscall.

Type: null or string

Default: null

Example:

SELECT username FROM grouplist WHERE gid='%1$u'

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam

Settings for pam_mysql

Type: submodule

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.cryptDefault

The default encryption method to use for passwordCrypt = 1.

Type: null or one of “md5”, “sha256”, “sha512”, “blowfish”

Default: null

Example: "blowfish"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.disconnectEveryOperation

By default, pam_mysql keeps the connection to the MySQL database until the session is closed. If this option is set to true it disconnects every time the PAM operation has finished. This option may be useful in case the session lasts quite long.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.logging.enable

Enables logging of authentication attempts in the MySQL database.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.logging.hostColumn

The name of the column in the log table to which the name of the user being authenticated is stored.

Type: string

Example: "host"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.logging.msgColumn

The name of the column in the log table to which the description of the performed operation is stored.

Type: string

Example: "msg"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.logging.pidColumn

The name of the column in the log table to which the pid of the process utilising the pam_mysql authentication service is stored.

Type: string

Example: "pid"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.logging.rHostColumn

The name of the column in the log table to which the name of the remote host that initiates the session is stored. The value is supposed to be set by the PAM-aware application with pam_set_item(PAM_RHOST).

Type: string

Example: "rhost"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.logging.table

The name of the table to which logs are written.

Type: string

Example: "logs"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.logging.timeColumn

The name of the column in the log table to which the timestamp of the log entry is stored.

Type: string

Example: "timestamp"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.logging.userColumn

The name of the column in the log table to which the name of the user being authenticated is stored.

Type: string

Example: "user"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.passwordColumn

The name of the column that contains a (encrypted) password string.

Type: string

Example: "password"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.passwordCrypt

The method to encrypt the user’s password:

  • 0 (or "plain"): No encryption. Passwords are stored in plaintext. HIGHLY DISCOURAGED.

  • 1 (or "Y"): Use crypt(3) function.

  • 2 (or "mysql"): Use the MySQL PASSWORD() function. It is possible that the encryption function used by pam_mysql is different from that of the MySQL server, as pam_mysql uses the function defined in MySQL’s C-client API instead of using PASSWORD() SQL function in the query.

  • 3 (or "md5"): Use plain hex MD5.

  • 4 (or "sha1"): Use plain hex SHA1.

  • 5 (or "drupal7"): Use Drupal7 salted passwords.

  • 6 (or "joomla15"): Use Joomla15 salted passwords.

  • 7 (or "ssha"): Use ssha hashed passwords.

  • 8 (or "sha512"): Use sha512 hashed passwords.

  • 9 (or "sha256"): Use sha256 hashed passwords.

Type: one of “0”, “plain”, “1”, “Y”, “2”, “mysql”, “3”, “md5”, “4”, “sha1”, “5”, “drupal7”, “6”, “joomla15”, “7”, “ssha”, “8”, “sha512”, “9”, “sha256”

Example: "2"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.statusColumn

The name of the column or an SQL expression that indicates the status of the user. The status is expressed by the combination of two bitfields shown below:

  • bit 0 (0x01): if flagged, pam_mysql deems the account to be expired and returns PAM_ACCT_EXPIRED. That is, the account is supposed to no longer be available. Note this doesn’t mean that pam_mysql rejects further authentication operations.

  • bit 1 (0x02): if flagged, pam_mysql deems the authentication token (password) to be expired and returns PAM_NEW_AUTHTOK_REQD. This ends up requiring that the user enter a new password.

Type: null or string

Default: null

Example: "status"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.table

The name of table that maps unique login names to the passwords.

Type: string

Example: "users"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.updateTable

The name of the table used for password alteration. If not defined, the value of the table option will be used instead.

Type: null or string

Default: null

Example: "users_updates"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.userColumn

The name of the column that contains a unix login name.

Type: string

Example: "username"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.verbose

If enabled, produces logs with detailed messages that describes what pam_mysql is doing. May be useful for debugging.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.pam.where

Additional criteria for the query.

Type: null or string

Default: null

Example: "host.name='web' AND user.active=1"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.passwordFile

The path to the file containing the password for the user

Type: path

Example: "/run/secrets/mysql-auth-db-passwd"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.mysql.user

The username to use when connecting to the database

Type: string

Example: "nss-user"

Declared by:

<nixpkgs/nixos/modules/config/mysql.nix>
users.users

Additional user accounts to be created automatically by the system. This can also be used to set options for root.

Type: attribute set of (submodule)

Default: { }

Example:

{
  alice = {
    createHome = true;
    description = "Alice Q. User";
    extraGroups = [
      "wheel"
    ];
    group = "users";
    home = "/home/alice";
    shell = "/bin/sh";
    uid = 1234;
  };
}

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.packages

The set of packages that should be made available to the user. This is in contrast to environment.systemPackages, which adds packages to all users.

Type: list of package

Default: [ ]

Example: [ pkgs.firefox pkgs.thunderbird ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.autoSubUidGidRange

Automatically allocate subordinate user and group ids for this user. Allocated range is currently always of size 65536.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.createHome

Whether to create the home directory and ensure ownership as well as permissions to match the user.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.cryptHomeLuks

Path to encrypted luks device that contains the user’s home directory.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.description

A short description of the user account, typically the user’s full name. This is actually the “GECOS” or “comment” field in /etc/passwd.

Type: string, not containing newlines or colons

Default: ""

Example: "Alice Q. User"

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.expires

Set the date on which the user’s account will no longer be accessible. The date is expressed in the format YYYY-MM-DD, or null to disable the expiry. A user whose account is locked must contact the system administrator before being able to use the system again.

Type: null or string matching the pattern [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.extraGroups

The user’s auxiliary groups.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.group

The user’s primary group.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.hashedPassword

Specifies the hashed password for the user. The options hashedPassword, password and hashedPasswordFile controls what password is set for the user. hashedPassword overrides both password and hashedPasswordFile. password overrides hashedPasswordFile. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords, they will always be set according to the password options.

To generate a hashed password run mkpasswd.

If set to an empty string (""), this user will be able to log in without being asked for a password (but not via remote services such as SSH, or indirectly via su or sudo). This should only be used for e.g. bootable live systems. Note: this is different from setting an empty password, which can be achieved using users.users.<name?>.password.

If set to null (default) this user will not be able to log in using a password (i.e. via login command).

Type: null or (string, not containing newlines or colons)

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.hashedPasswordFile

The full path to a file that contains the hash of the user’s password. The password file is read on each system activation. The file should contain exactly one line, which should be the password in an encrypted form that is suitable for the chpasswd -e command. The options hashedPassword, password and hashedPasswordFile controls what password is set for the user. hashedPassword overrides both password and hashedPasswordFile. password overrides hashedPasswordFile. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords, they will always be set according to the password options.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.home

The user’s home directory.

Type: path, not containing newlines or colons

Default: "/var/empty"

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.homeMode

The user’s home directory mode in numeric format. See chmod(1). The mode is only applied if users.users.<name>.createHome is true.

Type: string matching the pattern [0-7]{1,5}

Default: "700"

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.ignoreShellProgramCheck

By default, nixos will check that programs.SHELL.enable is set to true if the user has a custom shell specified. If that behavior isn’t required and there are custom overrides in place to make sure that the shell is functional, set this to true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.initialHashedPassword

Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it’s equivalent to setting the hashedPassword option.

Note that the hashedPassword option will override this option if both are set.

To generate a hashed password run mkpasswd.

If set to an empty string (""), this user will be able to log in without being asked for a password (but not via remote services such as SSH, or indirectly via su or sudo). This should only be used for e.g. bootable live systems. Note: this is different from setting an empty password, which can be achieved using users.users.<name?>.password.

If set to null (default) this user will not be able to log in using a password (i.e. via login command).

Type: null or (string, not containing newlines or colons)

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.initialPassword

Specifies the initial password for the user, i.e. the password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it’s equivalent to setting the password option. The same caveat applies: the password specified here is world-readable in the Nix store, so it should only be used for guest accounts or passwords that will be changed promptly.

Note that the password option will override this option if both are set.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.isNormalUser

Indicates whether this is an account for a “real” user. This automatically sets group to users, createHome to true, home to /home/«username», useDefaultShell to true, and isSystemUser to false. Exactly one of isNormalUser and isSystemUser must be true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.isSystemUser

Indicates if the user is a system user or not. This option only has an effect if uid is null, in which case it determines whether the user’s UID is allocated in the range for system users (below 1000) or in the range for normal users (starting at 1000). Exactly one of isNormalUser and isSystemUser must be true.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.linger

Whether to enable lingering for this user. If true, systemd user units will start at boot, rather than starting at login and stopping at logout. This is the declarative equivalent of running loginctl enable-linger for this user.

If false, user units will not be started until the user logs in, and may be stopped on logout depending on the settings in logind.conf.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.name

The name of the user account. If undefined, the name of the attribute set will be used.

Type: string, not containing newlines or colons

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.openssh.authorizedKeys.keyFiles

A list of files each containing one OpenSSH public key that should be added to the user’s authorized keys. The contents of the files are read at build time and added to a file that the SSH daemon reads in addition to the the user’s authorized_keys file. You can combine the keyFiles and keys options.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
users.users.<name>.openssh.authorizedKeys.keys

A list of verbatim OpenSSH public keys that should be added to the user’s authorized keys. The keys are added to a file that the SSH daemon reads in addition to the the user’s authorized_keys file. You can combine the keys and keyFiles options. Warning: If you are using NixOps then don’t use this option since it will replace the key required for deployment via ssh.

Type: list of (optionally newline-terminated) single-line string

Default: [ ]

Example:

[
  "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host"
  "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
users.users.<name>.openssh.authorizedPrincipals

A list of verbatim principal names that should be added to the user’s authorized principals.

Type: list of (optionally newline-terminated) single-line string

Default: [ ]

Example:

[
  "example@host"
  "foo@bar"
]

Declared by:

<nixpkgs/nixos/modules/services/networking/ssh/sshd.nix>
users.users.<name>.pamMount

Attributes for user’s entry in pam_mount.conf.xml. Useful attributes might include path, options, fstype, and server. See https://pam-mount.sourceforge.net/pam_mount.conf.5.html for more information.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.password

Specifies the (clear text) password for the user. Warning: do not set confidential information here because it is world-readable in the Nix store. This option should only be used for public accounts. The options hashedPassword, password and hashedPasswordFile controls what password is set for the user. hashedPassword overrides both password and hashedPasswordFile. password overrides hashedPasswordFile. If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins. If the option users.mutableUsers is true, the password defined in one of the three options will only be set when the user is created for the first time. After that, you are free to change the password with the ordinary user management commands. If users.mutableUsers is false, you cannot change user passwords, they will always be set according to the password options.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.shell

The path to the user’s shell. Can use shell derivations, like pkgs.bashInteractive. Don’t forget to enable your shell in programs if necessary, like programs.zsh.enable = true;.

Type: null or package or (path, not containing newlines or colons)

Default: pkgs.shadow

Example: pkgs.bashInteractive

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.subGidRanges

Subordinate group ids that user is allowed to use. They are set into /etc/subgid and are used by newgidmap for user namespaces.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    count = 1;
    startGid = 100;
  }
  {
    count = 999;
    startGid = 1001;
  }
]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.subGidRanges.*.count

Count of subordinate group ids

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.subGidRanges.*.startGid

Start of the range of subordinate group ids that user is allowed to use.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.subUidRanges

Subordinate user ids that user is allowed to use. They are set into /etc/subuid and are used by newuidmap for user namespaces.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    count = 1;
    startUid = 1000;
  }
  {
    count = 65534;
    startUid = 100001;
  }
]

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.subUidRanges.*.count

Count of subordinate user ids

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.subUidRanges.*.startUid

Start of the range of subordinate user ids that user is allowed to use.

Type: signed integer

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.uid

The account UID. If the UID is null, a free UID is picked on activation.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
users.users.<name>.useDefaultShell

If true, the user’s shell will be set to users.defaultUserShell.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/users-groups.nix>
virtualisation.additionalPaths

A list of paths whose closure should be made available to the VM.

When 9p is used, the closure is registered in the Nix database in the VM. All other paths in the host Nix store appear in the guest Nix store as well, but are considered garbage (because they are not registered in the Nix database of the guest).

When virtualisation.useNixStoreImage is set, the closure is copied to the Nix store image.

Type: list of path

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.anbox.enable

Whether to enable Anbox.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/anbox.nix>
virtualisation.anbox.extraInit

Extra shell commands to be run inside the container image during init.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/virtualisation/anbox.nix>
virtualisation.anbox.image

Base android image for Anbox.

Type: package

Default: pkgs.anbox.image

Declared by:

<nixpkgs/nixos/modules/virtualisation/anbox.nix>
virtualisation.anbox.imageModifications

Commands to edit the image filesystem.

This can be used to e.g. bundle a privileged F-Droid.

Commands are ran with PWD being at the root of the filesystem.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/virtualisation/anbox.nix>
virtualisation.anbox.ipv4.container.address

IPv4 Container address.

Type: string

Default: "192.168.250.2"

Declared by:

<nixpkgs/nixos/modules/virtualisation/anbox.nix>
virtualisation.anbox.ipv4.container.prefixLength

Subnet mask of the Container address, specified as the number of bits in the prefix (24).

Type: signed integer

Default: 24

Declared by:

<nixpkgs/nixos/modules/virtualisation/anbox.nix>
virtualisation.anbox.ipv4.dns

Container DNS server.

Type: string

Default: "1.1.1.1"

Declared by:

<nixpkgs/nixos/modules/virtualisation/anbox.nix>
virtualisation.anbox.ipv4.gateway.address

IPv4 Host address.

Type: string

Default: "192.168.250.1"

Declared by:

<nixpkgs/nixos/modules/virtualisation/anbox.nix>
virtualisation.anbox.ipv4.gateway.prefixLength

Subnet mask of the Host address, specified as the number of bits in the prefix (24).

Type: signed integer

Default: 24

Declared by:

<nixpkgs/nixos/modules/virtualisation/anbox.nix>
virtualisation.appvm.enable

This enables AppVMs and related virtualisation settings.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/appvm.nix>
virtualisation.appvm.user

AppVM user login. Currently only AppVMs are supported for a single user only.

Type: string

Declared by:

<nixpkgs/nixos/modules/virtualisation/appvm.nix>
virtualisation.bios

An alternate BIOS (such as qboot) with which to start the VM. Should contain a file named bios.bin. If null, QEMU’s builtin SeaBIOS will be used.

Type: null or package

Default: null

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.bootLoaderDevice

The path (inside th VM) to the device to boot from when legacy booting.

Type: path

Default: /dev/disk/by-id/virtio-root

Example: "/dev/disk/by-id/virtio-boot-loader-device"

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.bootPartition

The path (inside the VM) to the device containing the EFI System Partition (ESP).

If you are not booting from a UEFI firmware, this value is, by default, null. The ESP is mounted to boot.loader.efi.efiSysMountpoint.

Type: null or path

Default: if cfg.useEFIBoot then "/dev/disk/by-label/ESP" else null

Example: "/dev/disk/by-label/esp"

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.containerd.enable

Whether to enable containerd container runtime.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/containerd.nix>
virtualisation.containerd.args

extra args to append to the containerd cmdline

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/containerd.nix>
virtualisation.containerd.configFile

Path to containerd config file. Setting this option will override any configuration applied by the settings option.

Type: null or path

Default: null

Declared by:

<nixpkgs/nixos/modules/virtualisation/containerd.nix>
virtualisation.containerd.settings

Verbatim lines to add to containerd.toml

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/containerd.nix>
virtualisation.containers.enable

This option enables the common /etc/containers configuration module.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/containers.nix>
virtualisation.containers.containersConf.cniPlugins

CNI plugins to install on the system.

Type: list of package

Default:

[
  pkgs.cni-plugins
]

Example:

[
  pkgs.cniPlugins.dnsname
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/containers.nix>
virtualisation.containers.containersConf.settings

containers.conf configuration

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/containers.nix>
virtualisation.containers.ociSeccompBpfHook.enable

Enable the OCI seccomp BPF hook

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/containers.nix>
virtualisation.containers.policy

Signature verification policy file. If this option is empty the default policy file from skopeo will be used.

Type: attribute set

Default: { }

Example:

{
  default = [ { type = "insecureAcceptAnything"; } ];
  transports = {
    docker-daemon = {
      "" = [ { type = "insecureAcceptAnything"; } ];
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/containers.nix>
virtualisation.containers.registries.block

List of blocked repositories.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/virtualisation/containers.nix>
virtualisation.containers.registries.insecure

List of insecure repositories.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/virtualisation/containers.nix>
virtualisation.containers.registries.search

List of repositories to search.

Type: list of string

Default:

[
  "docker.io"
  "quay.io"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/containers.nix>
virtualisation.containers.storage.settings

storage.conf configuration

Type: TOML value

Declared by:

<nixpkgs/nixos/modules/virtualisation/containers.nix>
virtualisation.cores

Specify the number of cores the guest is permitted to use. The number can be higher than the available cores on the host system.

Type: positive integer, meaning >0

Default: 1

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.cri-o.enable

Whether to enable Container Runtime Interface for OCI (CRI-O).

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/cri-o.nix>
virtualisation.cri-o.extraPackages

Extra packages to be installed in the CRI-O wrapper.

Type: list of package

Default: [ ]

Example:

[
  pkgs.gvisor
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/cri-o.nix>
virtualisation.cri-o.logLevel

Log level to be used

Type: one of “trace”, “debug”, “info”, “warn”, “error”, “fatal”

Default: "info"

Declared by:

<nixpkgs/nixos/modules/virtualisation/cri-o.nix>
virtualisation.cri-o.pauseCommand

Override the default pause command

Type: null or string

Default: null

Example: "/pause"

Declared by:

<nixpkgs/nixos/modules/virtualisation/cri-o.nix>
virtualisation.cri-o.pauseImage

Override the default pause image for pod sandboxes

Type: null or string

Default: null

Example: "k8s.gcr.io/pause:3.2"

Declared by:

<nixpkgs/nixos/modules/virtualisation/cri-o.nix>
virtualisation.cri-o.runtime

Override the default runtime

Type: null or string

Default: null

Example: "crun"

Declared by:

<nixpkgs/nixos/modules/virtualisation/cri-o.nix>
virtualisation.cri-o.settings

Configuration for cri-o, see https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md.

Type: TOML value

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/cri-o.nix>
virtualisation.cri-o.storageDriver

Storage driver to be used

Type: one of “aufs”, “btrfs”, “devmapper”, “overlay”, “vfs”, “zfs”

Default: "overlay"

Declared by:

<nixpkgs/nixos/modules/virtualisation/cri-o.nix>
virtualisation.directBoot.enable

If enabled, the virtual machine will boot directly into the kernel instead of through a bootloader. Read more about this feature in the QEMU documentation on Direct Linux Boot

This is enabled by default. If you want to test netboot, consider disabling this option. Enable a bootloader with virtualisation.useBootLoader if you need.

Relevant parameters such as those set in boot.initrd and boot.kernelParams are also passed to QEMU. Additional parameters can be supplied on invocation through the environment variable $QEMU_KERNEL_PARAMS. They are added to the -append option, see QEMU User Documentation for details For example, to let QEMU use the parent terminal as the serial console, set QEMU_KERNEL_PARAMS="console=ttyS0".

This will not (re-)boot correctly into a system that has switched to a different configuration on disk.

Type: boolean

Default: "!cfg.useBootLoader"

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.directBoot.initrd

In direct boot situations, you may want to influence the initrd to load to use your own customized payload.

This is useful if you want to test the netboot image without testing the firmware or the loading part.

Type: string

Default: "\${config.system.build.initialRamdisk}/\${config.system.boot.loader.initrdFile}"

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.diskImage

Path to the disk image containing the root filesystem. The image will be created on startup if it does not exist.

If null, a tmpfs will be used as the root filesystem and the VM’s state will not be persistent.

Type: null or string

Default: "./${config.system.name}.qcow2"

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.diskSize

The disk size in megabytes of the virtual machine.

Type: value “auto” (singular enum) or (positive integer, meaning >0)

Default: if virtualisation.diskSizeAutoSupported then "auto" else 1024

Declared by:

<nixpkgs/nixos/modules/virtualisation/disk-size-option.nix>
virtualisation.docker.enable

This option enables docker, a daemon that manages linux containers. Users in the “docker” group can interact with the daemon (e.g. to start or stop containers) using the docker command line tool.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.enableNvidia

Deprecated, please use hardware.nvidia-container-toolkit.enable instead.

Enable nvidia-docker wrapper, supporting NVIDIA GPUs inside docker containers.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.enableOnBoot

When enabled dockerd is started on boot. This is required for containers which are created with the --restart=always flag to work. If this option is disabled, docker might be started on demand by socket activation.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.package

The docker package to use.

Type: package

Default: pkgs.docker

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.autoPrune.enable

Whether to periodically prune Docker resources. If enabled, a systemd timer will run docker system prune -f as specified by the dates option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.autoPrune.dates

Specification (in the format described by systemd.time(7)) of the time at which the prune will occur.

Type: string

Default: "weekly"

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.autoPrune.flags

Any additional flags passed to docker system prune.

Type: list of string

Default: [ ]

Example:

[
  "--all"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.daemon.settings

Configuration for docker daemon. The attributes are serialized to JSON used as daemon.conf. See https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file

Type: JSON value

Default: { }

Example:

{
  fixed-cidr-v6 = "fd00::/80";
  ipv6 = true;
  live-restore = true;
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.daemon.settings.live-restore

Allow dockerd to be restarted without affecting running container. This option is incompatible with docker swarm.

Type: boolean

Default: lib.versionOlder config.system.stateVersion "24.11"

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.extraOptions

The extra command-line options to pass to docker daemon.

Type: strings concatenated with " "

Default: ""

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.extraPackages

Extra packages to add to PATH for the docker daemon process.

Type: list of package

Default: [ ]

Example: with pkgs; [ criu ]

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.listenOptions

A list of unix and tcp docker should listen to. The format follows ListenStream as described in systemd.socket(5).

Type: list of string

Default:

[
  "/run/docker.sock"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.liveRestore

Alias of virtualisation.docker.daemon.settings.live-restore.

Type: submodule

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.logDriver

This option determines which Docker log driver to use.

Type: one of “none”, “json-file”, “syslog”, “journald”, “gelf”, “fluentd”, “awslogs”, “splunk”, “etwlogs”, “gcplogs”, “local”

Default: "journald"

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.docker.rootless.enable

This option enables docker in a rootless mode, a daemon that manages linux containers. To interact with the daemon, one needs to set DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker-rootless.nix>
virtualisation.docker.rootless.package

The docker package to use.

Type: package

Default: pkgs.docker

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker-rootless.nix>
virtualisation.docker.rootless.daemon.settings

Configuration for docker daemon. The attributes are serialized to JSON used as daemon.conf. See https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file

Type: JSON value

Default: { }

Example:

{
  fixed-cidr-v6 = "fd00::/80";
  ipv6 = true;
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker-rootless.nix>
virtualisation.docker.rootless.setSocketVariable

Point DOCKER_HOST to rootless Docker instance for normal users by default.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker-rootless.nix>
virtualisation.docker.storageDriver

This option determines which Docker storage driver to use. By default it lets docker automatically choose the preferred storage driver. However, it is recommended to specify a storage driver explicitly, as docker’s default varies over versions.

Warning

Changing the storage driver will cause any existing containers and images to become inaccessible.

Type: null or one of “aufs”, “btrfs”, “devicemapper”, “overlay”, “overlay2”, “zfs”

Default: null

Declared by:

<nixpkgs/nixos/modules/virtualisation/docker.nix>
virtualisation.efi.OVMF

OVMF firmware package, defaults to OVMF configured with secure boot if needed.

Type: package

Default:

''
  (pkgs.OVMF.override {
            secureBoot = cfg.useSecureBoot;
          }).fd''

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.efi.firmware

Firmware binary for EFI implementation, defaults to OVMF.

Type: path

Default: cfg.efi.OVMF.firmware

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.efi.keepVariables

Whether to keep EFI variable values from the generated system image

Type: boolean

Default: cfg.useBootLoader

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.efi.variables

Platform-specific flash binary for EFI variables, implementation-dependent to the EFI firmware. Defaults to OVMF.

Type: path

Default: cfg.efi.OVMF.variables

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.emptyDiskImages

Additional disk images to provide to the VM. The value is a list of size in megabytes of each disk. These disks are writeable by the VM.

Type: list of (positive integer, meaning >0)

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.fileSystems

The file systems to be mounted. It must include an entry for the root directory (mountPoint = "/"). Each entry in the list is an attribute set with the following fields: mountPoint, device, fsType (a file system type recognised by mount; defaults to "auto"), and options (the mount options passed to mount using the -o flag; defaults to [ "defaults" ]).

Instead of specifying device, you can also specify a volume label (label) for file systems that support it, such as ext2/ext3 (see mke2fs -L).

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/".device = "/dev/hda1";
  "/data" = {
    device = "/dev/hda2";
    fsType = "ext3";
    options = [ "data=journal" ];
  };
  "/bigdisk".label = "bigdisk";
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.fileSystems.<name>.autoFormat

If the device does not currently contain a filesystem (as determined by blkid), then automatically format it with the filesystem type specified in fsType. Use with caution.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
virtualisation.fileSystems.<name>.autoResize

If set, the filesystem is grown to its maximum size before being mounted. (This is typically the size of the containing partition.) This is currently only supported for ext2/3/4 filesystems that are mounted during early boot.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
virtualisation.fileSystems.<name>.depends

List of paths that should be mounted before this one. This filesystem’s device and mountPoint are always checked and do not need to be included explicitly. If a path is added to this list, any other filesystem whose mount point is a parent of the path will be mounted before this filesystem. The paths do not need to actually be the mountPoint of some other filesystem.

Type: list of string (with check: non-empty without trailing slash)

Default: [ ]

Example:

[
  "/persist"
]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
virtualisation.fileSystems.<name>.device

Location of the device.

Type: null or string (with check: non-empty)

Default: null

Example: "/dev/sda"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
virtualisation.fileSystems.<name>.encrypted.enable

The block device is backed by an encrypted one, adds this device as a initrd luks entry.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
virtualisation.fileSystems.<name>.encrypted.blkDev

Location of the backing encrypted device.

Type: null or string

Default: null

Example: "/dev/sda1"

Declared by:

<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
virtualisation.fileSystems.<name>.encrypted.keyFile

Path to a keyfile used to unlock the backing encrypted device. When systemd stage 1 is not enabled, at the time this keyfile is accessed, the neededForBoot filesystems (see utils.fsNeededForBoot) will have been mounted under /mnt-root, so the keyfile path should usually start with “/mnt-root/”. When systemd stage 1 is enabled, fsNeededForBoot file systems will be mounted as needed under /sysroot, and the keyfile will not be accessed until its requisite mounts are done.

Type: null or string

Default: null

Example: "/mnt-root/root/.swapkey"

Declared by:

<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
virtualisation.fileSystems.<name>.encrypted.label

Label of the unlocked encrypted device. Set fileSystems.<name?>.device to /dev/mapper/<label> to mount the unlocked device.

Type: null or string

Default: null

Example: "rootfs"

Declared by:

<nixpkgs/nixos/modules/tasks/encrypted-devices.nix>
virtualisation.fileSystems.<name>.fsType

Type of the file system.

Type: string (with check: non-empty)

Default: "auto"

Example: "ext3"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
virtualisation.fileSystems.<name>.label

Label of the device (if any).

Type: null or string (with check: non-empty)

Default: null

Example: "root-partition"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
virtualisation.fileSystems.<name>.mountPoint

Location of the mounted file system.

Type: string (with check: non-empty without trailing slash)

Example: "/mnt/usb"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
virtualisation.fileSystems.<name>.neededForBoot

If set, this file system will be mounted in the initial ramdisk. Note that the file system will always be mounted in the initial ramdisk if its mount point is one of the following: /, /nix, /nix/store, /var, /var/log, /var/lib, /var/lib/nixos, /etc, /usr.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/system/boot/stage-1.nix>
virtualisation.fileSystems.<name>.noCheck

Disable running fsck on this filesystem.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
virtualisation.fileSystems.<name>.options

Options used to mount the file system.

Type: non-empty (list of string (with check: non-empty))

Default:

[
  "defaults"
]

Example:

[
  "data=journal"
]

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
virtualisation.fileSystems.<name>.overlay.lowerdir

The list of path(s) to the lowerdir(s).

To create a writable overlay, you MUST provide an upperdir and a workdir.

You can create a read-only overlay when you provide multiple (at least 2!) lowerdirs and neither an upperdir nor a workdir.

Type: null or (non-empty (list of (string or path in the Nix store)))

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/overlayfs.nix>
virtualisation.fileSystems.<name>.overlay.upperdir

The path to the upperdir.

If this is null, a read-only overlay is created using the lowerdir.

If you set this to some value you MUST also set workdir.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/overlayfs.nix>
virtualisation.fileSystems.<name>.overlay.workdir

The path to the workdir.

This MUST be set if you set upperdir.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems/overlayfs.nix>
virtualisation.fileSystems.<name>.stratis.poolUuid

UUID of the stratis pool that the fs is located in

Type: null or string

Default: null

Example: "04c68063-90a5-4235-b9dd-6180098a20d9"

Declared by:

<nixpkgs/nixos/modules/tasks/filesystems.nix>
virtualisation.forwardPorts

When using the SLiRP user networking (default), this option allows to forward ports to/from the host/guest.

Warning

If the NixOS firewall on the virtual machine is enabled, you also have to open the guest ports to enable the traffic between host and guest.

Note

Currently QEMU supports only IPv4 forwarding.

Type: list of (submodule)

Default: [ ]

Example:

[ # forward local port 2222 -> 22, to ssh into the VM
  { from = "host"; host.port = 2222; guest.port = 22; }

  # forward local port 80 -> 10.0.2.10:80 in the VLAN
  { from = "guest";
    guest.address = "10.0.2.10"; guest.port = 80;
    host.address = "127.0.0.1"; host.port = 80;
  }
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.forwardPorts.*.from

Controls the direction in which the ports are mapped:

  • "host" means traffic from the host ports is forwarded to the given guest port.

  • "guest" means traffic from the guest ports is forwarded to the given host port.

Type: one of “host”, “guest”

Default: "host"

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.forwardPorts.*.guest.address

The IPv4 address on the guest VLAN.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.forwardPorts.*.guest.port

The guest port to be mapped.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.forwardPorts.*.host.address

The IPv4 address of the host.

Type: string

Default: ""

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.forwardPorts.*.host.port

The host port to be mapped.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.forwardPorts.*.proto

The protocol to forward.

Type: one of “tcp”, “udp”

Default: "tcp"

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.graphics

Whether to run QEMU with a graphics window, or in nographic mode. Serial console will be enabled on both settings, but this will change the preferred console.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.host.pkgs

Package set to use for the host-specific packages of the VM runner. Changing this to e.g. a Darwin package set allows running NixOS VMs on Darwin.

Type: An evaluation of Nixpkgs; the top level attribute set of packages

Default: pkgs

Example:

import pkgs.path { system = "x86_64-darwin"; }

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.hypervGuest.enable

Whether to enable Hyper-V Guest Support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/hyperv-guest.nix>
virtualisation.hypervGuest.videoMode

Resolution at which to initialize the video adapter.

Supports screen resolution up to Full HD 1920x1080 with 32 bit color on Windows Server 2012, and 1600x1200 with 16 bit color on Windows Server 2008 R2 or earlier.

Type: string

Default: "1152x864"

Example: "1024x768"

Declared by:

<nixpkgs/nixos/modules/virtualisation/hyperv-guest.nix>
virtualisation.incus.enable

Whether to enable incusd, a daemon that manages containers and virtual machines.

Users in the “incus-admin” group can interact with the daemon (e.g. to start or stop containers) using the incus command line tool, among others. Users in the “incus” group can also interact with the daemon, but with lower permissions (i.e. administrative operations are forbidden). .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/incus.nix>
virtualisation.incus.package

The incus-lts package to use.

Type: package

Default: pkgs.incus-lts

Declared by:

<nixpkgs/nixos/modules/virtualisation/incus.nix>
virtualisation.incus.agent.enable

Whether to enable Incus agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/incus-agent.nix>
virtualisation.incus.clientPackage

The incus client package to use. This package is added to PATH.

Type: package

Default: config.virtualisation.incus.package.client

Declared by:

<nixpkgs/nixos/modules/virtualisation/incus.nix>
virtualisation.incus.lxcPackage

The lxc package to use.

Type: package

Default: config.virtualisation.lxc.package

Declared by:

<nixpkgs/nixos/modules/virtualisation/incus.nix>
virtualisation.incus.preseed

Configuration for Incus preseed, see https://linuxcontainers.org/incus/docs/main/howto/initialize/#non-interactive-configuration for supported values.

Changes to this will be re-applied to Incus which will overwrite existing entities or create missing ones, but entities will not be removed by preseed.

Type: null or (YAML value)

Default: null

Example:

{
  networks = [
    {
      config = {
        "ipv4.address" = "10.0.100.1/24";
        "ipv4.nat" = "true";
      };
      name = "incusbr0";
      type = "bridge";
    }
  ];
  profiles = [
    {
      devices = {
        eth0 = {
          name = "eth0";
          network = "incusbr0";
          type = "nic";
        };
        root = {
          path = "/";
          pool = "default";
          size = "35GiB";
          type = "disk";
        };
      };
      name = "default";
    }
  ];
  storage_pools = [
    {
      config = {
        source = "/var/lib/incus/storage-pools/default";
      };
      driver = "dir";
      name = "default";
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/incus.nix>
virtualisation.incus.socketActivation

Whether to enable socket-activation for starting incus.service. Enabling this option will stop incus.service from starting automatically on boot. .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/incus.nix>
virtualisation.incus.softDaemonRestart

Allow for incus.service to be stopped without affecting running instances.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/incus.nix>
virtualisation.incus.startTimeout

Time to wait (in seconds) for incusd to become ready to process requests. If incusd does not reply within the configured time, incus.service will be considered failed and systemd will attempt to restart it.

Type: unsigned integer, meaning >=0

Default: 600

Declared by:

<nixpkgs/nixos/modules/virtualisation/incus.nix>
virtualisation.incus.ui.enable

Whether to enable (experimental) Incus UI.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/incus.nix>
virtualisation.incus.ui.package

The ui package to use.

Type: package

Default: pkgs.incus.ui

Declared by:

<nixpkgs/nixos/modules/virtualisation/incus.nix>
virtualisation.installBootLoader

Install boot loader to target image.

This is best-effort and may break with unconventional partition setups. Use virtualisation.useDefaultFilesystems for a known-working configuration.

Type: boolean

Default: "cfg.useBootLoader && cfg.useDefaultFilesystems"

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.interfaces

Network interfaces to add to the VM.

Type: attribute set of (submodule)

Default: { }

Example:

{
  enp1s0 = {
    vlan = 1;
  };
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.interfaces.<name>.assignIP

Automatically assign an IP address to the network interface using the same scheme as virtualisation.vlans.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.interfaces.<name>.vlan

VLAN to which the network interface is connected.

Type: unsigned integer, meaning >=0

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.kvmgt.enable

Whether to enable KVMGT (iGVT-g) VGPU support. Allows Qemu/KVM guests to share host’s Intel integrated graphics card. Currently only one graphical device can be shared. To allow users to access the device without root add them to the kvm group: users.extraUsers.<yourusername>.extraGroups = [ "kvm" ]; .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/kvmgt.nix>
virtualisation.kvmgt.device

PCI ID of graphics card. You can figure it with ls /sys/class/mdev_bus.

Type: string

Default: "0000:00:02.0"

Declared by:

<nixpkgs/nixos/modules/virtualisation/kvmgt.nix>
virtualisation.kvmgt.vgpus

Virtual GPUs to be used in Qemu. You can find devices via ls /sys/bus/pci/devices/*/mdev_supported_types and find info about device via cat /sys/bus/pci/devices/*/mdev_supported_types/i915-GVTg_V5_4/description

Type: attribute set of (submodule)

Default: { }

Example:

{
  i915-GVTg_V5_8 = {
    uuid = [
      "a297db4a-f4c2-11e6-90f6-d3b88d6c9525"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/kvmgt.nix>
virtualisation.kvmgt.vgpus.<name>.uuid

UUID(s) of VGPU device. You can generate one with libossp_uuid.

Type: list of string

Declared by:

<nixpkgs/nixos/modules/virtualisation/kvmgt.nix>
virtualisation.libvirtd.enable

This option enables libvirtd, a daemon that manages virtual machines. Users in the “libvirtd” group can interact with the daemon (e.g. to start or stop VMs) using the virsh command line tool, among others.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.package

The libvirt package to use.

Type: package

Default: pkgs.libvirt

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.allowedBridges

List of bridge devices that can be used by qemu:///session

Type: list of string

Default:

[
  "virbr0"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.extraConfig

Extra contents appended to the libvirtd configuration file, libvirtd.conf.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.extraOptions

Extra command line arguments passed to libvirtd on startup.

Type: list of string

Default: [ ]

Example:

[
  "--verbose"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.hooks

Hooks related options.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.hooks.daemon

Hooks that will be placed under /var/lib/libvirt/hooks/daemon.d/ and called for daemon start/shutdown/SIGHUP events. Please see https://libvirt.org/hooks.html for documentation.

Type: attribute set of path

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.hooks.libxl

Hooks that will be placed under /var/lib/libvirt/hooks/libxl.d/ and called for libxl-handled xen domains begin/end events. Please see https://libvirt.org/hooks.html for documentation.

Type: attribute set of path

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.hooks.lxc

Hooks that will be placed under /var/lib/libvirt/hooks/lxc.d/ and called for lxc domains begin/end events. Please see https://libvirt.org/hooks.html for documentation.

Type: attribute set of path

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.hooks.network

Hooks that will be placed under /var/lib/libvirt/hooks/lxc.d/ and called for networks begin/end events. Please see https://libvirt.org/hooks.html for documentation.

Type: attribute set of path

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.hooks.qemu

Hooks that will be placed under /var/lib/libvirt/hooks/qemu.d/ and called for qemu domains begin/end/migrate events. Please see https://libvirt.org/hooks.html for documentation.

Type: attribute set of path

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.nss

libvirt NSS module options.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.nss.enable

This option enables the older libvirt NSS module. This method uses DHCP server records, therefore is dependent on the hostname provided by the guest. Please see https://libvirt.org/nss.html for more information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.nss.enableGuest

This option enables the newer libvirt_guest NSS module. This module uses the libvirt guest name instead of the hostname of the guest. Please see https://libvirt.org/nss.html for more information.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.onBoot

Specifies the action to be done to / on the guests when the host boots. The “start” option starts all guests that were running prior to shutdown regardless of their autostart settings. The “ignore” option will not start the formerly running guest on boot. However, any guest marked as autostart will still be automatically started by libvirtd.

Type: one of “start”, “ignore”

Default: "start"

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.onShutdown

When shutting down / restarting the host what method should be used to gracefully halt the guests. Setting to “shutdown” will cause an ACPI shutdown of each guest. “suspend” will attempt to save the state of the guests ready to restore on boot.

Type: one of “shutdown”, “suspend”

Default: "suspend"

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.parallelShutdown

Number of guests that will be shutdown concurrently, taking effect when onShutdown is set to “shutdown”. If set to 0, guests will be shutdown one after another. Number of guests on shutdown at any time will not exceed number set in this variable.

Type: unsigned integer, meaning >=0

Default: 0

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.qemu

QEMU related options.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.qemu.package

The qemu package to use. pkgs.qemu can emulate alien architectures (e.g. aarch64 on x86) pkgs.qemu_kvm saves disk space allowing to emulate only host architectures.

Type: package

Default: pkgs.qemu

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.qemu.ovmf

QEMU’s OVMF options.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.qemu.ovmf.enable

Allows libvirtd to take advantage of OVMF when creating new QEMU VMs with UEFI boot.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.qemu.ovmf.packages

List of OVMF packages to use. Each listed package must contain files names FV/OVMF_CODE.fd and FV/OVMF_VARS.fd or FV/AAVMF_CODE.fd and FV/AAVMF_VARS.fd

Type: list of package

Default: [ pkgs.OVMF.fd ]

Example: [ pkgs.OVMFFull.fd pkgs.pkgsCross.aarch64-multiplatform.OVMF.fd ]

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.qemu.runAsRoot

If true, libvirtd runs qemu as root. If false, libvirtd runs qemu as unprivileged user qemu-libvirtd. Changing this option to false may cause file permission issues for existing guests. To fix these, manually change ownership of affected files in /var/lib/libvirt/qemu to qemu-libvirtd.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.qemu.swtpm

QEMU’s swtpm options.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.qemu.swtpm.enable

Allows libvirtd to use swtpm to create an emulated TPM.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.qemu.swtpm.package

The swtpm package to use.

Type: package

Default: pkgs.swtpm

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.qemu.verbatimConfig

Contents written to the qemu configuration file, qemu.conf. Make sure to include a proper namespace configuration when supplying custom configuration.

Type: strings concatenated with “\n”

Default:

''
  namespaces = []
''

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.qemu.vhostUserPackages

Packages containing out-of-tree vhost-user drivers.

Type: list of package

Default: [ ]

Example: [ pkgs.virtiofsd ]

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.shutdownTimeout

Number of seconds we’re willing to wait for a guest to shut down. If parallel shutdown is enabled, this timeout applies as a timeout for shutting down all guests on a single URI defined in the variable URIS. If this is 0, then there is no time out (use with caution, as guests might not respond to a shutdown request).

Type: unsigned integer, meaning >=0

Default: 300

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.sshProxy

Weither to configure OpenSSH to use the SSH Proxy.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.libvirtd.startDelay

Number of seconds to wait between each guest start. If set to 0, all guests will start up in parallel.

Type: unsigned integer, meaning >=0

Default: 0

Declared by:

<nixpkgs/nixos/modules/virtualisation/libvirtd.nix>
virtualisation.lxc.enable

This enables Linux Containers (LXC), which provides tools for creating and managing system or application containers on Linux.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxc.nix>
virtualisation.lxc.package

The lxc package to use.

Type: package

Default: pkgs.lxc

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxc.nix>
virtualisation.lxc.bridgeConfig

This is the config file for override lxc-net bridge default settings.

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxc.nix>
virtualisation.lxc.defaultConfig

Default config (default.conf) for new containers, i.e. for network config. See lxc.container.conf(5).

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxc.nix>
virtualisation.lxc.lxcfs.enable

This enables LXCFS, a FUSE filesystem for LXC. To use lxcfs in include the following configuration in your container configuration:

virtualisation.lxc.defaultConfig = "lxc.include = ${pkgs.lxcfs}/share/lxc/config/common.conf.d/00-lxcfs.conf";

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxcfs.nix>
virtualisation.lxc.systemConfig

This is the system-wide LXC config. See lxc.system.conf(5).

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxc.nix>
virtualisation.lxc.unprivilegedContainers

Whether to enable support for unprivileged users to launch containers.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxc.nix>
virtualisation.lxc.usernetConfig

This is the config file for managing unprivileged user network administration access in LXC. See lxc-usernet(5).

Type: strings concatenated with “\n”

Default: ""

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxc.nix>
virtualisation.lxd.enable

This option enables lxd, a daemon that manages containers. Users in the “lxd” group can interact with the daemon (e.g. to start or stop containers) using the lxc command line tool, among others.

Most of the time, you’ll also want to start lxcfs, so that containers can “see” the limits:

virtualisation.lxc.lxcfs.enable = true;

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxd.nix>
virtualisation.lxd.package

The lxd-lts package to use.

Type: package

Default: pkgs.lxd-lts

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxd.nix>
virtualisation.lxd.agent.enable

Whether to enable LXD agent.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxd-agent.nix>
virtualisation.lxd.lxcPackage

The lxc package to use.

Type: package

Default: config.virtualisation.lxc.package

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxd.nix>
virtualisation.lxd.preseed

Configuration for LXD preseed, see https://documentation.ubuntu.com/lxd/en/latest/howto/initialize/#initialize-preseed for supported values.

Changes to this will be re-applied to LXD which will overwrite existing entities or create missing ones, but entities will not be removed by preseed.

Type: null or (YAML value)

Default: null

Example:

{
  networks = [
    {
      name = "lxdbr0";
      type = "bridge";
      config = {
        "ipv4.address" = "10.0.100.1/24";
        "ipv4.nat" = "true";
      };
    }
  ];
  profiles = [
    {
      name = "default";
      devices = {
        eth0 = {
          name = "eth0";
          network = "lxdbr0";
          type = "nic";
        };
        root = {
          path = "/";
          pool = "default";
          size = "35GiB";
          type = "disk";
        };
      };
    }
  ];
  storage_pools = [
    {
      name = "default";
      driver = "dir";
      config = {
        source = "/var/lib/lxd/storage-pools/default";
      };
    }
  ];
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxd.nix>
virtualisation.lxd.recommendedSysctlSettings

Enables various settings to avoid common pitfalls when running containers requiring many file operations. Fixes errors like “Too many open files” or “neighbour: ndisc_cache: neighbor table overflow!”. See https://lxd.readthedocs.io/en/latest/production-setup/ for details.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxd.nix>
virtualisation.lxd.startTimeout

Time to wait (in seconds) for LXD to become ready to process requests. If LXD does not reply within the configured time, lxd.service will be considered failed and systemd will attempt to restart it.

Type: signed integer

Default: 600

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxd.nix>
virtualisation.lxd.ui.enable

Whether to enable (experimental) LXD UI.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxd.nix>
virtualisation.lxd.ui.package

The lxd-ui package to use.

Type: package

Default: pkgs.lxd-ui

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxd.nix>
virtualisation.lxd.zfsSupport

Enables lxd to use zfs as a storage for containers.

This option is enabled by default if a zfs pool is configured with nixos.

Type: boolean

Default: config.boot.zfs.enabled

Declared by:

<nixpkgs/nixos/modules/virtualisation/lxd.nix>
virtualisation.memorySize

The memory size in megabytes of the virtual machine.

Type: positive integer, meaning >0

Default: 1024

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.mountHostNixStore

Mount the host Nix store as a 9p mount.

Type: boolean

Default: !cfg.useNixStoreImage && !cfg.useBootLoader

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.msize

The msize (maximum packet size) option passed to 9p file systems, in bytes. Increasing this should increase performance significantly, at the cost of higher RAM usage.

Type: positive integer, meaning >0

Default: 16384

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.multipass.enable

Whether to enable Multipass, a simple manager for virtualised Ubuntu instances.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/multipass.nix>
virtualisation.multipass.package

The multipass package to use.

Type: package

Default: pkgs.multipass

Declared by:

<nixpkgs/nixos/modules/virtualisation/multipass.nix>
virtualisation.multipass.logLevel

The logging verbosity of the multipassd binary.

Type: one of “error”, “warning”, “info”, “debug”, “trace”

Default: "debug"

Declared by:

<nixpkgs/nixos/modules/virtualisation/multipass.nix>
virtualisation.oci-containers.backend

The underlying Docker implementation to use.

Type: one of “podman”, “docker”

Default: "podman"

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers

OCI (Docker) containers to run as systemd services.

Type: attribute set of (submodule)

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.autoStart

When enabled, the container is automatically started on boot. If this option is set to false, the container has to be started on-demand via its service.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.capabilities

Capabilities to configure for the container. When set to true, capability is added to the container. When set to false, capability is dropped from the container. When null, default runtime settings apply.

Type: lazy attribute set of (null or boolean)

Default: { }

Example:

{
  SYS_ADMIN = true;
  SYS_WRITE = false;
{

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.cmd

Commandline arguments to pass to the image’s entrypoint.

Type: list of string

Default: [ ]

Example:

["--port=9000"]

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.dependsOn

Define which other containers this one depends on. They will be added to both After and Requires for the unit.

Use the same name as the attribute under virtualisation.oci-containers.containers.

Type: list of string

Default: [ ]

Example:

virtualisation.oci-containers.containers = {
  node1 = {};
  node2 = {
    dependsOn = [ "node1" ];
  }
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.devices

List of devices to attach to this container.

Type: list of string

Default: [ ]

Example:

[
  "/dev/dri:/dev/dri"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.entrypoint

Override the default entrypoint of the image.

Type: null or string

Default: null

Example: "/bin/my-app"

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.environment

Environment variables to set for this container.

Type: attribute set of string

Default: { }

Example:

{
  DATABASE_HOST = "db.example.com";
  DATABASE_PORT = "3306";
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.environmentFiles

Environment files for this container.

Type: list of path

Default: [ ]

Example:

[
  /path/to/.env
  /path/to/.env.secret
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.extraOptions

Extra options for podman run.

Type: list of string

Default: [ ]

Example:

["--network=host"]

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.hostname

The hostname of the container.

Type: null or string

Default: null

Example: "hello-world"

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.image

OCI image to run.

Type: string

Example: "library/hello-world"

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.imageFile

Path to an image file to load before running the image. This can be used to bypass pulling the image from the registry.

The image attribute must match the name and tag of the image contained in this file, as they will be used to run the container with that image. If they do not match, the image will be pulled from the registry as usual.

Type: null or package

Default: null

Example: pkgs.dockerTools.buildImage {...};

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.imageStream

Path to a script that streams the desired image on standard output.

This option is mainly intended for use with pkgs.dockerTools.streamLayeredImage so that the intermediate image archive does not need to be stored in the Nix store. For larger images this optimization can significantly reduce Nix store churn compared to using the imageFile option, because you don’t have to store a new copy of the image archive in the Nix store every time you change the image. Instead, if you stream the image then you only need to build and store the layers that differ from the previous image.

Type: null or package

Default: null

Example: pkgs.dockerTools.streamLayeredImage {...};

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.labels

Labels to attach to the container at runtime.

Type: attribute set of string

Default: { }

Example:

{
  "traefik.https.routers.example.rule" = "Host(`example.container`)";
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.log-driver

Logging driver for the container. The default of "journald" means that the container’s logs will be handled as part of the systemd unit.

For more details and a full list of logging drivers, refer to respective backends documentation.

For Docker: Docker engine documentation

For Podman: Refer to the docker-run(1) man page.

Type: string

Default: "journald"

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.login.passwordFile

Path to file containing password.

Type: null or string

Default: null

Example: "/etc/nixos/dockerhub-password.txt"

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.login.registry

Registry where to login to.

Type: null or string

Default: null

Example: "https://docker.pkg.github.com"

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.login.username

Username for login.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.networks

Networks to attach the container to

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.ports

Network ports to publish from the container to the outer host.

Valid formats:

  • <ip>:<hostPort>:<containerPort>

  • <ip>::<containerPort>

  • <hostPort>:<containerPort>

  • <containerPort>

Both hostPort and containerPort can be specified as a range of ports. When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. Example: 1234-1236:1234-1236/tcp

When specifying a range for hostPort only, the containerPort must not be a range. In this case, the container port is published somewhere within the specified hostPort range. Example: 1234-1236:1234/tcp

Publishing a port bypasses the NixOS firewall. If the port is not supposed to be shared on the network, make sure to publish the port to localhost. Example: 127.0.0.1:1234:1234

Refer to the Docker engine documentation for full details.

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1:8080:9000"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.preRunExtraOptions

Extra options for podman that go before the run argument.

Type: list of string

Default: [ ]

Example:

[
  "--runtime"
  "runsc"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.privileged

Give extended privileges to the container

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.pull

Image pull policy for the container. Must be one of: always, missing, never, newer

Type: one of “always”, “missing”, “never”, “newer”

Default: "missing"

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.user

Override the username or UID (and optionally groupname or GID) used in the container.

Type: null or string

Default: null

Example: "nobody:nogroup"

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.volumes

List of volumes to attach to this container.

Note that this is a list of "src:dst" strings to allow for src to refer to /nix/store paths, which would be difficult with an attribute set. There are also a variety of mount options available as a third field; please refer to the docker engine documentation for details.

Type: list of string

Default: [ ]

Example:

[
  "volume_name:/path/inside/container"
  "/path/on/host:/path/inside/container"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.oci-containers.containers.<name>.workdir

Override the default working directory for the container.

Type: null or string

Default: null

Example: "/var/lib/hello_world"

Declared by:

<nixpkgs/nixos/modules/virtualisation/oci-containers.nix>
virtualisation.podman.enable

This option enables Podman, a daemonless container engine for developing, managing, and running OCI Containers on your Linux System.

It is a drop-in replacement for the docker command.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/default.nix>
virtualisation.podman.enableNvidia

Deprecated, please use hardware.nvidia-container-toolkit.enable instead.

Enable use of Nvidia GPUs from within podman containers.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/default.nix>
virtualisation.podman.autoPrune.enable

Whether to periodically prune Podman resources. If enabled, a systemd timer will run podman system prune -f as specified by the dates option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/default.nix>
virtualisation.podman.autoPrune.dates

Specification (in the format described by systemd.time(7)) of the time at which the prune will occur.

Type: string

Default: "weekly"

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/default.nix>
virtualisation.podman.autoPrune.flags

Any additional flags passed to podman system prune.

Type: list of string

Default: [ ]

Example:

[
  "--all"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/default.nix>
virtualisation.podman.defaultNetwork.settings

Settings for podman’s default network.

Type: JSON value

Default: { }

Example: { dns_enabled = true; }

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/default.nix>
virtualisation.podman.dockerCompat

Create an alias mapping docker to podman.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/default.nix>
virtualisation.podman.dockerSocket.enable

Make the Podman socket available in place of the Docker socket, so Docker tools can find the Podman socket.

Podman implements the Docker API.

Users must be in the podman group in order to connect. As with Docker, members of this group can gain root access.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/default.nix>
virtualisation.podman.extraPackages

Extra packages to be installed in the Podman wrapper.

Type: list of package

Default: [ ]

Example:

[
  pkgs.gvisor
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/default.nix>
virtualisation.podman.networkSocket.enable

Make the Podman and Docker compatibility API available over the network with TLS client certificate authentication.

This allows Docker clients to connect with the equivalents of the Docker CLI -H and --tls* family of options.

For certificate setup, see https://docs.docker.com/engine/security/protect-access/

This option is independent of virtualisation.podman.dockerSocket.enable.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/network-socket.nix>
virtualisation.podman.networkSocket.listenAddress

Interface address for receiving TLS connections.

Type: string

Default: "0.0.0.0"

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/network-socket.nix>
virtualisation.podman.networkSocket.openFirewall

Whether to open the port in the firewall.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/network-socket.nix>
virtualisation.podman.networkSocket.port

TCP port number for receiving TLS connections.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 2376

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/network-socket.nix>
virtualisation.podman.networkSocket.server

Choice of TLS proxy server.

Type: value “ghostunnel” (singular enum)

Example: "ghostunnel"

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/network-socket-ghostunnel.nix>
<nixpkgs/nixos/modules/virtualisation/podman/network-socket.nix>
virtualisation.podman.networkSocket.tls.cacert

Path to CA certificate to use for client authentication.

Type: path

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/network-socket.nix>
virtualisation.podman.networkSocket.tls.cert

Path to certificate describing the server.

Type: path

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/network-socket.nix>
virtualisation.podman.networkSocket.tls.key

Path to the private key corresponding to the server certificate.

Use a string for this setting. Otherwise it will be copied to the Nix store first, where it is readable by any system process.

Type: path

Declared by:

<nixpkgs/nixos/modules/virtualisation/podman/network-socket.nix>
virtualisation.qemu.package

QEMU package to use.

Type: package

Default: if hostPkgs.stdenv.hostPlatform.qemuArch == pkgs.stdenv.hostPlatform.qemuArch then config.virtualisation.host.pkgs.qemu_kvm else config.virtualisation.host.pkgs.qemu

Example: pkgs.qemu_test

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.qemu.consoles

The output console devices to pass to the kernel command line via the console parameter, the primary console is the last item of this list.

By default it enables both serial console and tty0. The preferred console (last one) is based on the value of virtualisation.graphics.

Type: list of string

Default:

[
  "ttyS0,115200n8"
  "tty0"
]

Example:

[
  "console=tty1"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.qemu.diskInterface

The interface used for the virtual hard disks.

Type: one of “virtio”, “scsi”, “ide”

Default: "virtio"

Example: "scsi"

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.qemu.drives

Drives passed to qemu.

Type: list of (submodule)

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.qemu.drives.*.deviceExtraOpts

Extra options passed to device flag.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.qemu.drives.*.driveExtraOpts

Extra options passed to drive flag.

Type: attribute set of string

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.qemu.drives.*.file

The file image used for this drive.

Type: string

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.qemu.drives.*.name

A name for the drive. Must be unique in the drives list. Not passed to qemu.

Type: null or string

Default: null

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.qemu.guestAgent.enable

Enable the Qemu guest agent.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.qemu.networkingOptions

Networking-related command-line options that should be passed to qemu. The default is to use userspace networking (SLiRP). See the QEMU Wiki on Networking for details.

If you override this option, be advised to keep ${QEMU_NET_OPTS:+,$QEMU_NET_OPTS} (as seen in the example) to keep the default runtime behaviour.

Type: list of string

Default: [ ]

Example:

[
  "-net nic,netdev=user.0,model=virtio"
  "-netdev user,id=user.0,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.qemu.options

Options passed to QEMU. See QEMU User Documentation for a complete list.

Type: list of string

Default: [ ]

Example:

[
  "-vga std"
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.qemu.virtioKeyboard

Enable the virtio-keyboard device.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.resolution

The resolution of the virtual machine display.

Type: attribute set

Default:

{
  x = 1024;
  y = 768;
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.restrictNetwork

If this option is enabled, the guest will be isolated, i.e. it will not be able to contact the host and no guest IP packets will be routed over the host to the outside. This option does not affect any explicitly set forwarding rules.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.rootDevice

The path (inside the VM) to the device containing the root filesystem.

Type: null or path

Default: /dev/disk/by-label/nixos

Example: "/dev/disk/by-label/nixos"

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.rosetta.enable

Whether to enable Rosetta support.

This feature requires the system to be a virtualised guest on an Apple silicon host.

The default settings are suitable for the UTM virtualisation package. Make sure to select ‘Apple Virtualization’ as the virtualisation engine and then tick the ‘Enable Rosetta’ option.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/rosetta.nix>
virtualisation.rosetta.mountTag

The VirtioFS mount tag for the Rosetta runtime, exposed by the host’s virtualisation software.

If supported, your virtualisation software should provide instructions on how register the Rosetta runtime inside Linux guests. These instructions should mention the name of the mount tag used for the VirtioFS directory share that contains the Rosetta runtime.

Type: string

Default: "rosetta"

Declared by:

<nixpkgs/nixos/modules/virtualisation/rosetta.nix>
virtualisation.sharedDirectories

An attributes set of directories that will be shared with the virtual machine using VirtFS (9P filesystem over VirtIO). The attribute name will be used as the 9P mount tag.

Type: attribute set of (submodule)

Default: { }

Example:

{
  my-share = {
    source = "/path/to/be/shared";
    target = "/mnt/shared";
  };
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.sharedDirectories.<name>.securityModel

The security model to use for this share:

  • passthrough: files are stored using the same credentials as they are created on the guest (this requires QEMU to run as root)

  • mapped-xattr: some of the file attributes like uid, gid, mode bits and link target are stored as file attributes

  • mapped-file: the attributes are stored in the hidden .virtfs_metadata directory. Directories exported by this security model cannot interact with other unix tools

  • none: same as “passthrough” except the sever won’t report failures if it fails to set file attributes like ownership

Type: one of “passthrough”, “mapped-xattr”, “mapped-file”, “none”

Default: "mapped-xattr"

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.sharedDirectories.<name>.source

The path of the directory to share, can be a shell variable

Type: string

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.sharedDirectories.<name>.target

The mount point of the directory inside the virtual machine

Type: path

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.spiceUSBRedirection.enable

Install the SPICE USB redirection helper with setuid privileges. This allows unprivileged users to pass USB devices connected to this machine to libvirt VMs, both local and remote. Note that this allows users arbitrary access to USB devices.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/spice-usb-redirection.nix>
virtualisation.tpm.enable

Whether to enable a TPM device in the virtual machine with a driver, using swtpm.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.tpm.package

The swtpm package to use.

Type: package

Default: pkgs.swtpm

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.tpm.deviceModel

QEMU device model for the TPM, uses the appropriate default based on th guest platform system and the package passed.

Type: string

Default:

''
  Based on the guest platform Linux system:
  
  - `tpm-tis` for (i686, x86_64)
  - `tpm-spapr` for ppc64
  - `tpm-tis-device` for (armv7, aarch64)
''

Example: "tpm-tis-device"

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.useBootLoader

Use a boot loader to boot the system. This allows, among other things, testing the boot loader.

If disabled, the kernel and initrd are directly booted, forgoing any bootloader.

Check the documentation on virtualisation.directBoot.enable for details.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.useDefaultFilesystems

If enabled, the boot disk of the virtual machine will be formatted and mounted with the default filesystems for testing. Swap devices and LUKS will be disabled.

If disabled, a root filesystem has to be specified and formatted (for example in the initial ramdisk).

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.useEFIBoot

If enabled, the virtual machine will provide a EFI boot manager. useEFIBoot is ignored if useBootLoader == false.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.useHostCerts

If enabled, when NIX_SSL_CERT_FILE is set on the host, pass the CA certificates from the host to the VM.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.useNixStoreImage

Build and use a disk image for the Nix store, instead of accessing the host’s one through 9p.

For applications which do a lot of reads from the store, this can drastically improve performance, but at the cost of disk space and image build time.

The Nix store image is built just-in-time right before the VM is started. Because it does not produce another derivation, the image is not cached between invocations and never lands in the store or binary cache.

If you want a full disk image with a partition table and a root filesystem instead of only a store image, enable virtualisation.useBootLoader instead.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.useSecureBoot

Enable Secure Boot support in the EFI firmware.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.virtualbox.guest.enable

Whether to enable the VirtualBox service and other guest additions.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>
virtualisation.virtualbox.guest.clipboard

Whether to enable clipboard support.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>
virtualisation.virtualbox.guest.dragAndDrop

Whether to enable drag and drop support.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>
virtualisation.virtualbox.guest.seamless

Whether to enable seamless mode. When activated windows from the guest appear next to the windows of the host.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>
virtualisation.virtualbox.host.enable

Whether to enable VirtualBox.

Note

In order to pass USB devices from the host to the guests, the user needs to be in the vboxusers group.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix>
virtualisation.virtualbox.host.enableExtensionPack

Whether to install the Oracle Extension Pack for VirtualBox.

Important

You must set nixpkgs.config.allowUnfree = true in order to use this. This requires you accept the VirtualBox PUEL.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix>
virtualisation.virtualbox.host.enableHardening

Enable hardened VirtualBox, which ensures that only the binaries in the system path get access to the devices exposed by the kernel modules instead of all users in the vboxusers group.

Important

Disabling this can put your system’s security at risk, as local users in the vboxusers group can tamper with the VirtualBox device files.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix>
virtualisation.virtualbox.host.enableKvm

Enable KVM support for VirtualBox. This increases compatibility with Linux kernel versions, because the VirtualBox kernel modules are not required.

This option is incompatible with addNetworkInterface.

Note: This is experimental. Please check https://github.com/cyberus-technology/virtualbox-kvm/issues.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix>
virtualisation.virtualbox.host.enableWebService

Build VirtualBox web service tool (vboxwebsrv) to allow managing VMs via other webpage frontend tools. Useful for headless servers.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix>
virtualisation.virtualbox.host.package

The virtualbox package to use.

Type: package

Default: pkgs.virtualbox

Declared by:

<nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix>
virtualisation.virtualbox.host.addNetworkInterface

Automatically set up a vboxnet0 host-only network interface.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix>
virtualisation.virtualbox.host.headless

Use VirtualBox installation without GUI and Qt dependency. Useful to enable on servers and when virtual machines are controlled only via SSH.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/virtualbox-host.nix>
virtualisation.vlans

Virtual networks to which the VM is connected. Each number «N» in this list causes the VM to have a virtual Ethernet interface attached to a separate virtual network on which it will be assigned IP address 192.168.«N».«M», where «M» is the index of this VM in the list of VMs.

Type: list of (unsigned integer, meaning >=0)

Default: if config.virtualisation.interfaces == {} then [ 1 ] else [ ]

Example:

[
  1
  2
]

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.vmVariant

Machine configuration to be added for the vm script produced by nixos-rebuild build-vm.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/build-vm.nix>
virtualisation.vmVariantWithBootLoader

Machine configuration to be added for the vm script produced by nixos-rebuild build-vm-with-bootloader.

Type: submodule

Default: { }

Declared by:

<nixpkgs/nixos/modules/virtualisation/build-vm.nix>
virtualisation.vmware.guest.enable

Whether to enable VMWare Guest Support.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/vmware-guest.nix>
virtualisation.vmware.guest.package

Package providing open-vm-tools.

Type: package

Default: if config.virtualisation.vmware.headless then pkgs.open-vm-tools-headless else pkgs.open-vm-tools;

Example: pkgs.open-vm-tools

Declared by:

<nixpkgs/nixos/modules/virtualisation/vmware-guest.nix>
virtualisation.vmware.guest.headless

Whether to disable X11-related features.

Type: boolean

Default: !config.services.xserver.enable

Declared by:

<nixpkgs/nixos/modules/virtualisation/vmware-guest.nix>
virtualisation.vmware.host.enable

This enables VMware host virtualisation for running VMs.

Important

vmware-vmx will cause kcompactd0 due to Transparent Hugepages feature in kernel. Apply [ "transparent_hugepage=never" ] in option boot.kernelParams to disable them.

Note

If that didn’t work disable TRANSPARENT_HUGEPAGE, COMPACTION configs and recompile kernel.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/vmware-host.nix>
virtualisation.vmware.host.package

The vmware-workstation package to use.

Type: package

Default: pkgs.vmware-workstation

Declared by:

<nixpkgs/nixos/modules/virtualisation/vmware-host.nix>
virtualisation.vmware.host.extraConfig

Add extra config to /etc/vmware/config

Type: strings concatenated with “\n”

Default: ""

Example:

''
  # Allow unsupported device's OpenGL and Vulkan acceleration for guest vGPU
  mks.gl.allowUnsupportedDrivers = "TRUE"
  mks.vk.allowUnsupportedDevices = "TRUE"
''

Declared by:

<nixpkgs/nixos/modules/virtualisation/vmware-host.nix>
virtualisation.vmware.host.extraPackages

Extra packages to be used with VMware host.

Type: list of package

Default: [ ]

Example: "with pkgs; [ ntfs3g ]"

Declared by:

<nixpkgs/nixos/modules/virtualisation/vmware-host.nix>
virtualisation.vswitch.enable

Whether to enable Open vSwitch. A configuration daemon (ovs-server) will be started.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/openvswitch.nix>
virtualisation.vswitch.package

The openvswitch package to use.

Type: package

Default: pkgs.openvswitch

Declared by:

<nixpkgs/nixos/modules/virtualisation/openvswitch.nix>
virtualisation.vswitch.resetOnStart

Whether to reset the Open vSwitch configuration database to a default configuration on every start of the systemd ovsdb.service.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/openvswitch.nix>
virtualisation.waydroid.enable

Whether to enable Waydroid.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/waydroid.nix>
virtualisation.writableStore

If enabled, the Nix store in the VM is made writable by layering an overlay filesystem on top of the host’s Nix store.

By default, this is enabled if you mount a host Nix store.

Type: boolean

Default: cfg.mountHostNixStore

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.writableStoreUseTmpfs

Use a tmpfs for the writable store instead of writing to the VM’s own filesystem.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
virtualisation.xen.enable

Whether to enable the Xen Project Hypervisor, a virtualisation technology defined as a type-1 hypervisor, which allows multiple virtual machines, known as domains, to run concurrently on the physical machine. NixOS runs as the privileged Domain 0. This option requires a reboot into a Xen kernel to take effect.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.package

The Xen Hypervisor package to use.

Type: package

Default: pkgs.xen

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.bootParams

Xen Command Line parameters passed to Domain 0 at boot time. Note: these are different from boot.kernelParams. See the Xen documentation for more information.

Type: list of string

Default: [ ]

Example:

''
  [
    "iommu=force:true,qinval:true,debug:true"
    "noreboot=true"
    "vga=ask"
  ]
''

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.debug

Whether to enable Xen debug features for Domain 0. This option enables some hidden debugging tests and features, and should not be used in production.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.dom0Resources.maxMemory

Maximum amount of memory (in MiB) that Domain 0 can dynamically allocate to itself. Does nothing if set to the same amount as virtualisation.xen.memory, or if that option is set to 0.

Type: unsigned integer, meaning >=0

Default: config.virtualisation.xen.dom0Resources.memory

Example: 1024

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.dom0Resources.maxVCPUs

Amount of virtual CPU cores allocated to Domain 0 on boot. If set to 0, all cores are assigned to Domain 0, and unprivileged domains will compete with Domain 0 for CPU time.

Type: unsigned integer, meaning >=0

Default: 0

Example: 4

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.dom0Resources.memory

Amount of memory (in MiB) allocated to Domain 0 on boot. If set to 0, all memory is assigned to Domain 0, and unprivileged domains will compete with Domain 0 for free RAM.

Type: unsigned integer, meaning >=0

Default: 0

Example: 512

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.domains.extraConfig

Options defined here will override the defaults for xendomains. The default options can be seen in the file included from /etc/default/xendomains.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  XENDOMAINS_SAVE=/persist/xen/save
  XENDOMAINS_RESTORE=false
  XENDOMAINS_CREATE_USLEEP=10000000
''

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.efi.bootBuilderVerbosity

The EFI boot entry builder script should be called with exactly one of the following arguments in order to specify its verbosity:

  • quiet supresses all messages.

  • default adds a simple “Installing Xen Project Hypervisor boot entries…done.” message to the script.

  • info is the same as default, but it also prints a diff with information on which generations were altered.

    • This option adds two extra dependencies to the script: diffutils and bat.

  • debug prints information messages for every single step of the script.

This option does not alter the actual functionality of the script, just the number of messages printed when rebuilding the system.

Type: one of “default”, “info”, “debug”, “quiet”

Default: "default"

Example: "info"

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.efi.path

Path to xen.efi. pkgs.xen is patched to install the xen.efi file on $boot/boot/xen.efi, but an unpatched Xen build may install it somewhere else, such as $out/boot/efi/efi/nixos/xen.efi. Unless you’re building your own Xen derivation, you should leave this option as the default value.

Type: path

Default: ${config.virtualisation.xen.package.boot}/${config.virtualisation.xen.package.efi}

Example: ${config.virtualisation.xen.package}/boot/efi/efi/nixos/xen-${config.virtualisation.xen.package.version}.efi

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.qemu.package

The QEMU (with Xen Hypervisor support) package to use.

Type: package

Default: pkgs.qemu_xen

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.qemu.pidFile

Path to the QEMU PID file.

Type: path

Default: "/run/xen/qemu-dom0.pid"

Example: "/var/run/xen/qemu-dom0.pid"

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.path

Path to the Xen Store Daemon. This option is useful to switch between the legacy C-based Xen Store Daemon, and the newer OCaml-based Xen Store Daemon, oxenstored.

Type: path

Default: ${config.virtualisation.xen.package}/bin/oxenstored

Example: ${config.virtualisation.xen.package}/bin/xenstored

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings

The OCaml-based Xen Store Daemon configuration. This option does nothing with the C-based xenstored.

Type: submodule

Default: { }

Example:

{
  conflict = {
    burstLimit = 15.0;
    maxHistorySeconds = 0.12;
  };
  enableMerge = false;
  quota = {
    enable = true;
    maxWatchEvents = 2048;
  };
  xenstored = {
    log = {
      file = "/dev/null";
      level = "info";
    };
  };
}

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.enableMerge

Whether to enable transaction merge support.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.conflict.burstLimit

Limits applied to domains whose writes cause other domains’ transaction commits to fail. Must include decimal point.

The burst limit is the number of conflicts a domain can cause to fail in a short period; this value is used for both the initial and the maximum value of each domain’s conflict-credit, which falls by one point for each conflict caused, and when it reaches zero the domain’s requests are ignored.

Type: nonnegative floating point number, meaning >=0

Default: 5.0

Example: 15.0

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.conflict.maxHistorySeconds

Limits applied to domains whose writes cause other domains’ transaction commits to fail. Must include decimal point.

The conflict-credit is replenished over time: one point is issued after each conflict.maxHistorySeconds, so this is the minimum pause-time during which a domain will be ignored.

Type: nonnegative floating point number, meaning >=0

Default: 0.05

Example: 1.0

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.conflict.rateLimitIsAggregate

If the conflict.rateLimitIsAggregate option is true, then after each tick one point of conflict-credit is given to just one domain: the one at the front of the queue. If false, then after each tick each domain gets a point of conflict-credit.

In environments where it is known that every transaction will involve a set of nodes that is writable by at most one other domain, then it is safe to set this aggregate limit flag to false for better performance. (This can be determined by considering the layout of the xenstore tree and permissions, together with the content of the transactions that require protection.)

A transaction which involves a set of nodes which can be modified by multiple other domains can suffer conflicts caused by any of those domains, so the flag must be set to true.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.perms.enable

Whether to enable the node permission system.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.perms.enableWatch

Whether to enable the watch permission system.

When this is set to true, unprivileged guests can only get watch events for xenstore entries that they would’ve been able to read.

When this is set to false, unprivileged guests may get watch events for xenstore entries that they cannot read. The watch event contains only the entry name, not the value. This restores behaviour prior to XSA-115.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.persistent

Whether to activate the filed base backend.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.pidFile

Path to the Xen Store Daemon PID file.

Type: path

Default: "/run/xen/xenstored.pid"

Example: "/var/run/xen/xenstored.pid"

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.quota.enable

Whether to enable the quota system.

Type: boolean

Default: true

Example: false

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.quota.maxEntity

Entity limit for transactions.

Type: positive integer, meaning >0

Default: 1000

Example: 1024

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.quota.maxOutstanding

Maximum outstanding requests, i.e. in-flight requests / domain.

Type: positive integer, meaning >0

Default: 1024

Example: 1024

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.quota.maxPath

Path limit for the quota system.

Type: positive integer, meaning >0

Default: 1024

Example: 1024

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.quota.maxRequests

Maximum number of requests per transaction.

Type: positive integer, meaning >0

Default: 1024

Example: 1024

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.quota.maxSize

Size limit for transactions.

Type: positive integer, meaning >0

Default: 2048

Example: 4096

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.quota.maxWatch

Maximum number of watches by the Xenstore Watchdog.

Type: positive integer, meaning >0

Default: 100

Example: 256

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.quota.maxWatchEvents

Maximum number of outstanding watch events per watch.

Type: positive integer, meaning >0

Default: 1024

Example: 2048

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.quota.transaction

Maximum number of transactions.

Type: positive integer, meaning >0

Default: 10

Example: 50

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.ringScanInterval

Perodic scanning for all the rings as a safenet for lazy clients. Define the interval in seconds; set to a negative integer to disable.

Type: nonzero signed integer, meaning !=0

Default: 20

Example: 30

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.xenstored.accessLog.file

Path to the Xen Store access log file.

Type: path

Default: "/var/log/xen/xenstored-access.log"

Example: "/var/log/security/xenstored-access.log"

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.xenstored.log.file

Path to the Xen Store log file.

Type: path

Default: "/var/log/xen/xenstored.log"

Example: "/dev/null"

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.store.settings.xenstored.log.level

Logging level for the Xen Store.

Type: null or one of “debug”, “info”, “warn”, “error”

Default: if (config.virtualisation.xen.trace == true) then "debug" else null

Example: "error"

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
virtualisation.xen.trace

Whether to enable Xen debug tracing and logging for Domain 0.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/virtualisation/xen-dom0.nix>
xdg.autostart.enable

Whether to install files to support the XDG Autostart specification.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/xdg/autostart.nix>
xdg.icons.enable

Whether to install files to support the XDG Icon Theme specification.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/xdg/icons.nix>
xdg.icons.fallbackCursorThemes

Names of the fallback cursor themes, in order of preference, to be used when no other icon source can be found. Set to [] to disable the fallback entirely.

Type: list of string

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/xdg/icons.nix>
xdg.menus.enable

Whether to install files to support the XDG Desktop Menu specification.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/xdg/menus.nix>
xdg.mime.enable

Whether to install files to support the XDG Shared MIME-info specification and the XDG MIME Applications specification.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/xdg/mime.nix>
xdg.mime.addedAssociations

Adds associations between mimetypes and applications. See the specifications for more information.

Type: attribute set of (string or ((list of string) or string) convertible to it)

Default: { }

Example:

{
  "application/pdf" = "firefox.desktop";
  "text/xml" = [
    "nvim.desktop"
    "codium.desktop"
  ];
}

Declared by:

<nixpkgs/nixos/modules/config/xdg/mime.nix>
xdg.mime.defaultApplications

Sets the default applications for given mimetypes. See the specifications for more information.

Type: attribute set of (string or ((list of string) or string) convertible to it)

Default: { }

Example:

{
  "application/pdf" = "firefox.desktop";
  "image/png" = [
    "sxiv.desktop"
    "gimp.desktop"
  ];
}

Declared by:

<nixpkgs/nixos/modules/config/xdg/mime.nix>
xdg.mime.removedAssociations

Removes associations between mimetypes and applications. See the specifications for more information.

Type: attribute set of (string or ((list of string) or string) convertible to it)

Default: { }

Example:

{
  "audio/mp3" = [
    "mpv.desktop"
    "umpv.desktop"
  ];
  "inode/directory" = "codium.desktop";
}

Declared by:

<nixpkgs/nixos/modules/config/xdg/mime.nix>
xdg.portal.enable

Whether to enable xdg desktop integration.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/xdg/portal.nix>
xdg.portal.config

Sets which portal backend should be used to provide the implementation for the requested interface. For details check portals.conf(5).

Configs will be linked to /etc/xdg/xdg-desktop-portal/ with the name $desktop-portals.conf for xdg.portal.config.$desktop and portals.conf for xdg.portal.config.common as an exception.

Type: attribute set of attribute set of (string or ((list of string) or string) convertible to it)

Default: { }

Example:

{
  common = {
    default = [
      "gtk"
    ];
  };
  pantheon = {
    default = [
      "pantheon"
      "gtk"
    ];
    "org.freedesktop.impl.portal.Secret" = [
      "gnome-keyring"
    ];
  };
  x-cinnamon = {
    default = [
      "xapp"
      "gtk"
    ];
  };
}

Declared by:

<nixpkgs/nixos/modules/config/xdg/portal.nix>
xdg.portal.configPackages

List of packages that provide XDG desktop portal configuration, usually in the form of share/xdg-desktop-portal/$desktop-portals.conf.

Note that configs in xdg.portal.config will be preferred if set.

Type: list of package

Default: [ ]

Example: [ pkgs.gnome-session ]

Declared by:

<nixpkgs/nixos/modules/config/xdg/portal.nix>
xdg.portal.extraPortals

List of additional portals to add to path. Portals allow interaction with system, like choosing files or taking screenshots. At minimum, a desktop portal implementation should be listed. GNOME and KDE already adds xdg-desktop-portal-gtk; and xdg-desktop-portal-kde respectively. On other desktop environments you probably want to add them yourself.

Type: list of package

Default: [ ]

Declared by:

<nixpkgs/nixos/modules/config/xdg/portal.nix>
xdg.portal.lxqt.enable

Whether to enable the desktop portal for the LXQt desktop environment.

This will add the lxqt.xdg-desktop-portal-lxqt package (with the extra Qt styles) into the xdg.portal.extraPortals option .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/xdg/portals/lxqt.nix>
xdg.portal.lxqt.styles

Extra Qt styles that will be available to the lxqt.xdg-desktop-portal-lxqt.

Type: list of package

Default: [ ]

Example:

[
        pkgs.libsForQt5.qtstyleplugin-kvantum
        pkgs.breeze-qt5
        pkgs.qtcurve
      ];

Declared by:

<nixpkgs/nixos/modules/config/xdg/portals/lxqt.nix>
xdg.portal.wlr.enable

Whether to enable desktop portal for wlroots-based desktops.

This will add the xdg-desktop-portal-wlr package into the xdg.portal.extraPortals option, and provide the configuration file .

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/xdg/portals/wlr.nix>
xdg.portal.wlr.settings

Configuration for xdg-desktop-portal-wlr.

See xdg-desktop-portal-wlr(5) for supported values.

Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))

Default: { }

Example:

{
  screencast = {
    output_name = "HDMI-A-1";
    max_fps = 30;
    exec_before = "disable_notifications.sh";
    exec_after = "enable_notifications.sh";
    chooser_type = "simple";
    chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or";
  };
}

Declared by:

<nixpkgs/nixos/modules/config/xdg/portals/wlr.nix>
xdg.portal.xdgOpenUsePortal

Sets environment variable NIXOS_XDG_OPEN_USE_PORTAL to 1 This will make xdg-open use the portal to open programs, which resolves bugs involving programs opening inside FHS envs or with unexpected env vars set from wrappers. See #160923 for more info.

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/xdg/portal.nix>
xdg.sounds.enable

Whether to install files to support the XDG Sound Theme specification.

Type: boolean

Default: true

Declared by:

<nixpkgs/nixos/modules/config/xdg/sounds.nix>
xdg.terminal-exec.enable

Whether to enable xdg-terminal-exec, the proposed Default Terminal Execution Specification.

Type: boolean

Default: false

Example: true

Declared by:

<nixpkgs/nixos/modules/config/xdg/terminal-exec.nix>
xdg.terminal-exec.package

The xdg-terminal-exec package to use.

Type: package

Default: pkgs.xdg-terminal-exec

Declared by:

<nixpkgs/nixos/modules/config/xdg/terminal-exec.nix>
xdg.terminal-exec.settings

Configuration options for the Default Terminal Execution Specification.

The keys are the desktop environments that are matched (case-insensitively) against $XDG_CURRENT_DESKTOP, or default which is used when the current desktop environment is not found in the configuration. The values are a list of terminals’ desktop file IDs to try in order of decreasing priority.

Type: attribute set of list of string

Default: { }

Example:

{
  GNOME = [
    "com.raggesilver.BlackBox.desktop"
    "org.gnome.Terminal.desktop"
  ];
  default = [
    "kitty.desktop"
  ];
}

Declared by:

<nixpkgs/nixos/modules/config/xdg/terminal-exec.nix>
zramSwap.enable

Enable in-memory compressed devices and swap space provided by the zram kernel module. See https://www.kernel.org/doc/Documentation/blockdev/zram.txt .

Type: boolean

Default: false

Declared by:

<nixpkgs/nixos/modules/config/zram.nix>
zramSwap.algorithm

Compression algorithm. lzo has good compression, but is slow. lz4 has bad compression, but is fast. zstd is both good compression and fast, but requires newer kernel. You can check what other algorithms are supported by your zram device with cat /sys/class/block/zram*/comp_algorithm

Type: one of “842”, “lzo”, “lzo-rle”, “lz4”, “lz4hc”, “zstd” or string

Default: "zstd"

Example: "lz4"

Declared by:

<nixpkgs/nixos/modules/config/zram.nix>
zramSwap.memoryMax

Maximum total amount of memory (in bytes) that can be stored in the zram swap devices. This doesn’t define how much memory will be used by the zram swap devices.

Type: null or signed integer

Default: null

Declared by:

<nixpkgs/nixos/modules/config/zram.nix>
zramSwap.memoryPercent

Maximum total amount of memory that can be stored in the zram swap devices (as a percentage of your total memory). Defaults to 1/2 of your total RAM. Run zramctl to check how good memory is compressed. This doesn’t define how much memory will be used by the zram swap devices.

Type: signed integer

Default: 50

Declared by:

<nixpkgs/nixos/modules/config/zram.nix>
zramSwap.priority

Priority of the zram swap devices. It should be a number higher than the priority of your disk-based swap devices (so that the system will fill the zram swap devices before falling back to disk swap).

Type: signed integer

Default: 5

Declared by:

<nixpkgs/nixos/modules/config/zram.nix>
zramSwap.swapDevices

Number of zram devices to be used as swap, recommended is 1.

Type: signed integer

Default: 1

Declared by:

<nixpkgs/nixos/modules/config/zram.nix>
zramSwap.writebackDevice

Write incompressible pages to this device, as there’s no gain from keeping them in RAM.

Type: null or path

Default: null

Example: "/dev/zvol/tarta-zoot/swap-writeback"

Declared by:

<nixpkgs/nixos/modules/config/zram.nix>