networking.nftables.gen.enable

Whether to enable these nftables rules.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.__rendered

Final nftables file string

Type: string

Default: ""

Declared by:

networking.nftables.gen.bridge.enable

Whether to enable the bridge filtering integration.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.bridge.enableArp

Whether to allow ARP between bridge devices.

Type: boolean

Default: true

Example: true

Declared by:

networking.nftables.gen.bridge.enablePing

Whether to allow ping (ICMP echo) between bridge devices.

Type: boolean

Default: true

Example: true

Declared by:

networking.nftables.gen.bridge.defaultPolicy

Default policy of the bridge forward chain.

Type: string

Default: "drop"

Declared by:

networking.nftables.gen.bridge.interfaceMap

Set of bridge devices to generate an allow list for.

Type: attribute set of (submodule)

Default: { }

Example:

{
  eth0 = {
    to = "eth2";
  };
  eth1 = {
    to = [
      "eth0"
      "eth2"
    ];
  };
}

Declared by:

networking.nftables.gen.bridge.interfaceMap.<name>.from

Interface that traffic is expected to arrive from.

Type: string

Default: "‹name›"

Example: "eth0"

Declared by:

networking.nftables.gen.bridge.interfaceMap.<name>.to

Interface or list of interfaces that traffic from `from` is allowed to be forwarded to (optional).

Type: string or list of string

Default: [ ]

Example: "eth2"

Declared by:

networking.nftables.gen.bridge.table

nft table that the bridge filtering rules are added to.

Type: string

Default: "br"

Declared by:

networking.nftables.gen.dnat.enable

Whether to enable the destination NAT (DNAT) integration.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.dnat.gen

Generate DNAT rules that redirect packets arriving at this host on the given port(s) to other IP addresses.

Type: attribute set of (submodule)

Default: { }

Example:

{
  forward-tls = {
    port = 443;
    protocols = [
      "udp"
      "tcp"
    ];
    to = "127.0.0.1";
    toPort = 8443;
  };
  forward-to-host = {
    port = 8080;
    to = "127.0.0.1";
  };
}

Declared by:

networking.nftables.gen.dnat.gen.<name>.comment

comment to add to firewall rule

Type: string

Example: "dnat for `name`"

Declared by:

networking.nftables.gen.dnat.gen.<name>.counter

Whether to add a counter to the generated DNAT rules.

Type: boolean

Default: true

Declared by:

networking.nftables.gen.dnat.gen.<name>.from

Input interfaces the DNAT rule is applied on (optional).

Type: list of string

Default: [ ]

Example:

[
  "eth0"
]

Declared by:

networking.nftables.gen.dnat.gen.<name>.port

Destination port to match on incoming packets (the port to DNAT from).

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 8080

Example: 8080

Declared by:

networking.nftables.gen.dnat.gen.<name>.protocols

Protocols to apply the DNAT to.

Type: list of (one of “tcp”, “udp”)

Default:

[
  "tcp"
]

Declared by:

networking.nftables.gen.dnat.gen.<name>.to

IP address to redirect to

Type: string

Default: "10.1.1.1"

Example: "192.168.0.7"

Declared by:

networking.nftables.gen.dnat.gen.<name>.toPort

port to DNAT to

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: "8080"

Example: 8080

Declared by:

networking.nftables.gen.dnat.inetTable

inet nft table to apply NAT rules to

Type: string

Default: "filter"

Declared by:

networking.nftables.gen.ignoreRegexSanityCheck

Whether to skip the sanity check that looks for placeholders left unreplaced in the rendered firewall rules, such as `<-dmz-internal.rockpro->`.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.overrideNixosNftables

Whether to remove the NixOS-defined networking.nftables.tables and set the ruleset to the rules generated by gen.

Type: boolean

Default: true

Example: true

Declared by:

networking.nftables.gen.profiles

profiles to enable

Type: list of value “default” (singular enum)

Default:

[
  "default"
]

Declared by:

networking.nftables.gen.rules

shared/reusable rules

Type: attribute set of (submodule)

Default: { }

Declared by:

networking.nftables.gen.rules.<name>.enable

Whether to include rule in final rendered chain.

Type: boolean

Default: true

Declared by:

networking.nftables.gen.rules.<name>.__final

Final rendered rule string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.__name

Rule name; it does not influence the rule other than being used as the default comment.

Type: string

Default: "‹name›"

Declared by:

networking.nftables.gen.rules.<name>.comment

Comment to add to the end of the rule. Defaults to the rule name.

Type: string

Default: "‹name›"

Example: "allow all to host"

Declared by:

networking.nftables.gen.rules.<name>.counter

Whether to add a counter before the verdict.

Type: boolean

Default: false

Declared by:

networking.nftables.gen.rules.<name>.daddr

Filter by destination address (daddr).

Type: list of string

Default: [ ]

Example:

[
  "10.1.1.1"
]

Declared by:

networking.nftables.gen.rules.<name>.iif

Filter by input interface index (iif).

Type: list of string

Default: [ ]

Example:

[
  "lan"
]

Declared by:

networking.nftables.gen.rules.<name>.iifname

Filter by input interface name (iifname).

Type: list of string

Default: [ ]

Example:

[
  "lan"
]

Declared by:

networking.nftables.gen.rules.<name>.log

Whether to add a log before the verdict.

Type: boolean

Default: false

Declared by:

networking.nftables.gen.rules.<name>.main

Main match expression of the rule. The rendered rule has the form:

{preset filters} {main} {debug flags} {verdict}

Type: string

Default: ""

Example: "meta l4proto { icmp, ipv6-icmp }"

Declared by:

networking.nftables.gen.rules.<name>.mapset

Name of a mapset (from tables.<name>.mapsets) to match against.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.n

Sort key for ordering this rule within its chain.

Type: signed integer

Default: 100

Declared by:

networking.nftables.gen.rules.<name>.oif

Filter by output interface index (oif).

Type: list of string

Default: [ ]

Example:

[
  "wan"
]

Declared by:

networking.nftables.gen.rules.<name>.oifname

Filter by output interface name (oifname).

Type: list of string

Default: [ ]

Example:

[
  "wan"
]

Declared by:

networking.nftables.gen.rules.<name>.pre

Extra string snippet to add before the auto-generated matchers.

Type: string

Default: ""

Example: "meta protocol ip"

Declared by:

networking.nftables.gen.rules.<name>.rewriteLists

String replacements run on the rule to generate __final; each entry of match is replaced by the entry at the same position in replace.

Type: attribute set of list of string

Default:

{
  match = [
    "__name__"
    "__iifname__"
    "__oifname__"
    "__iif__"
    "__oif__"
    "__saddr__"
    "__daddr__"
  ];
  replace = [
    "‹name›"
    "__iifname__"
    "__oifname__"
    "__iif__"
    "__oif__"
    "__saddr__"
    "__daddr__"
  ];
}

Declared by:

networking.nftables.gen.rules.<name>.rule

Name of a shared rule in networking.nftables.gen.rules to look up; this rule's values are applied on top of it.

Type: string

Default: "‹name›"

Example: "icmp-default"

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap

Set of string replacements run to create the final rule.

Type: attribute set of (submodule)

Default: { }

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap.<name>.enable

Whether to enable this string replacement.

Type: boolean

Default: true

Example: true

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap.<name>.replace

Replacement string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap.<name>.stringMatch

String to match (replaced by `replace`).

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.saddr

Filter by source address (saddr).

Type: list of string

Default: [ ]

Example:

[
  "10.11.0.0/24"
]

Declared by:

networking.nftables.gen.rules.<name>.tcpDport

Filter by TCP destination port.

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.tcpSport

Filter by TCP source port.

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.trace

Whether to set nftrace before the verdict (`nftrace set 1`).

Type: boolean

Default: false

Declared by:

networking.nftables.gen.rules.<name>.udpDport

Filter by UDP destination port.

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.udpSport

Filter by UDP source port.

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.verdict

Verdict to add to the end of the rule (for example accept, drop or jump another-chain).

Type: string

Default: ""

Example: "jump another-chain"

Declared by:

networking.nftables.gen.snat.enable

Whether to enable the source NAT (SNAT) integration.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.snat.defaultEgress

Default egress interfaces for SNAT maps that do not set `to`.

Type: string or list of string

Default: [ ]

Declared by:

networking.nftables.gen.snat.maps

Set of internal interfaces to do SNAT for.

Type: attribute set of (submodule)

Default: { }

Example:

{
  eth0 = { };
  eth1.fromIP = "10.1.1.1";
}

Declared by:

networking.nftables.gen.snat.maps.<name>.from

Internal interface that traffic is expected to arrive from.

Type: string

Default: "‹name›"

Example: "eth0"

Declared by:

networking.nftables.gen.snat.maps.<name>.fromIP

Source IP address(es) or range(s) to SNAT; restricts the map to these sources.

Type: string or list of string

Example: "192.168.0.0/24"

Declared by:

networking.nftables.gen.snat.maps.<name>.to

Egress interfaces to SNAT traffic from this interface out of (optional; falls back to snat.defaultEgress).

Type: list of string

Default: [ ]

Declared by:

networking.nftables.gen.tables

tables to generate

Type: attribute set of (attribute set of (string or (submodule)))

Default: { }

Declared by:

networking.nftables.gen.tables.<name>.__rendered

Rendered nftables table string.

Type: strings concatenated with “\n”

Default:

''
  ## Table ‹name›
  table inet ‹name› {
    
    
    
  }
''

Declared by:

networking.nftables.gen.tables.<name>.__type

Address family of the table.

Type: one of “inet”, “ip”, “ip6”, “bridge”, “netdev”, “arp”

Default: "inet"

Declared by:

networking.nftables.gen.tables.<name>.mapsets

define custom set/map/vmap

Type: attribute set of (submodule)

Default: { }

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.enable

Whether to include this set/map in the final rendered table.

Type: boolean

Default: true

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.__final

Final rendered set/map definition string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.__map

Final rendered map match string (generated from lhsType/rhsType).

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.counter

Adds a counter to each element; only applicable to the set type.

Type: boolean

Default: false

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements

Elements of the set/map; for a vmap each element carries a verdict.

Type: list of (submodule)

Default: [ ]

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.__final

Final rendered element string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.l

<lhs> of the map element (required).

Type: null or string or signed integer

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.r

<rhs> of the map element.

Type: null or string or signed integer

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.v

<verdict> of the map element.

Type: null or string or signed integer

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.extraConfig

extra config to add

Type: strings concatenated with “\n”

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.flags

Available options:

  • constant - set content may not change while bound
  • interval - set contains intervals
  • timeout - elements can be added with a timeout

Type: list of (one of “constant”, “interval”, “timeout”)

Default: [ ]

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.lhs

Type of the lhs in the map `<lhs> . <rhs>`.

Type: string

Default: "ipv4_addr"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.lhsType

Match expression (for example iifname) used for the lhs when generating the __map lookup.

Type: null or string

Default: null

Example: "iifname"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.name

name of map/set/vmap

Type: string

Default: "‹name›"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.rhs

Type of the rhs in the map `<lhs> . <rhs>`.

Type: null or string

Default: null

Example: "ifname"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.rhsType

Match expression (for example oifname) used for the rhs when generating the __map lookup.

Type: null or string

Default: null

Example: "oifname"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.type

Final type of the set/map/vmap:

  • set: list or generic sets of elements (nftables sets)
  • map: hashmap/attrs of elements (nftables maps); often used with `dnat to` / `snat to`, never selected by default
  • vmap / vmapr: verdict maps (nftables verdict maps); vmapr reverses the mapping
    • [both]  match : verdict          ( lhs : verdict )
    • [vmap]  match . match : verdict  ( lhs . rhs : verdict )
    • [vmapr] match : match . match    ( lhs : rhs . verdict )

See the nftables wiki examples for vmapr usage.

Type: one of “set”, “map”, “vmap”, “vmapr”

Default: "set"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.typeDef

Rendered type definition of the set/map/vmap (generated from lhs, rhs and verdictType).

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.typeName

Keyword used when defining the named set/map/vmap.

Type: string

Default: "set"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.verdict

optional verdict in the map <lhs> : <verdict> or <lhs> . <rhs> : <verdict>

Type: null or string

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.verdictType

Despite the name, this is only used for the set type, where three element types are concatenated together; used to generate typeDef.

Type: null or string

Default: null

Example: "oifname"

Declared by:
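The following is an added configuration example, not taken from the module's own documentation or source, that puts the networking.nftables.gen options above together: shared rules in the `{preset filters} {main} {debug flags} {verdict}` shape, a verdict map, and the DNAT, SNAT and bridge integrations. All interface names, addresses and rule names are assumed placeholders; it assumes a table named `filter` is generated for the mapset and DNAT rules, and the chain definitions under `tables.<name>` are left out because their options are not documented on this page.

```nix
{ ... }:
{
  # Added example, not the module's own code. Interface names (lan, wan, dmz,
  # eth0, ...), addresses and rule names are placeholders.
  networking.nftables.enable = true;

  networking.nftables.gen = {
    enable = true;
    overrideNixosNftables = true;     # generated ruleset replaces the NixOS-defined tables
    ignoreRegexSanityCheck = false;   # keep the check for unreplaced <-...-> fragments

    # Shared rules. Each renders as: {preset filters} {main} {debug flags} {verdict}
    # n is the sort key inside a chain (default 100).
    rules = {
      established = {
        n = 5;
        main = "ct state established,related";
        verdict = "accept";
      };
      invalid = {
        n = 6;
        main = "ct state invalid";
        counter = true;               # count and log what gets dropped
        log = true;
        verdict = "drop";
      };
      icmp-default = {
        n = 10;
        main = "meta l4proto { icmp, ipv6-icmp }";
        verdict = "accept";
      };
      dns-from-lan = {
        iifname = [ "lan" ];
        saddr = [ "10.11.0.0/24" ];
        udpDport = [ 53 ];
        tcpDport = [ 53 ];
        comment = "allow DNS from LAN to host";
        verdict = "accept";
      };
      # Assumed: `rule` reuses icmp-default as the base and trace is layered on top.
      icmp-traced = {
        rule = "icmp-default";
        trace = true;
      };
      # Take the verdict from the fwd vmap defined below.
      forward-policy = {
        n = 50;
        mapset = "fwd";
      };
    };

    # Named verdict map in the inet table "filter":
    #   iifname . oifname : verdict   ( lhs . rhs : verdict )
    tables.filter.mapsets.fwd = {
      type = "vmap";
      lhs = "ifname";
      rhs = "ifname";
      lhsType = "iifname";
      rhsType = "oifname";
      elements = [
        { l = "lan"; r = "wan"; v = "accept"; }
        { l = "lan"; r = "dmz"; v = "accept"; }
        { l = "dmz"; r = "lan"; v = "drop"; }
      ];
    };

    # DNAT: TCP/UDP 443 arriving on wan goes to a DMZ host on 8443.
    dnat = {
      enable = true;
      inetTable = "filter";
      gen.forward-tls = {
        from = [ "wan" ];
        port = 443;
        protocols = [ "tcp" "udp" ];
        to = "10.1.1.10";
        toPort = 8443;
      };
    };

    # SNAT: lan and dmz clients leave via wan.
    snat = {
      enable = true;
      defaultEgress = "wan";
      maps = {
        lan = { };
        dmz.fromIP = "10.1.1.0/24";
      };
    };

    # Bridge filtering: eth0 may only forward to eth2; eth1 to eth0 and eth2.
    bridge = {
      enable = true;
      defaultPolicy = "drop";
      interfaceMap = {
        eth0.to = "eth2";
        eth1.to = [ "eth0" "eth2" ];
      };
    };
  };
}
```

Before switching to a configuration like this, inspect the final string in networking.nftables.gen.__rendered (for example with nixos-option) and run `nft -c -f` on a copy of it: a placeholder that survived rewriteLists or ruleReplaceMap is exactly what the regex sanity check exists to catch, and a syntax error in the rendered file means the whole ruleset fails to load.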

provision.core.earlyoom.enable

Whether to enable earlyoom.

Type: boolean

Default: false

Example: true

Declared by:

provision.core.earlyoom.enableDebug

Whether to enable debug output.

Type: boolean

Default: false

Example: true

Declared by:

provision.core.earlyoom.extraArgs

extra args to add to earlyoom

Type: list of string

Default: [ ]

Declared by:

provision.core.earlyoom.memoryThreshold

Minimum available memory, as a percentage of total, below which earlyoom starts killing processes.

Type: signed integer

Default: 5

Declared by:

provision.core.earlyoom.settings

extra settings

Type: raw value

Default:

{
  reportInterval = 0;
}

Declared by:

provision.core.env.enable

Whether to enable the env configuration.

Type: boolean

Default: false

Example: true

Declared by:

provision.core.env.packages

systemPackages to import into environment

Type: list of package

Default: [ ]

Declared by:

provision.core.env.editor

Default editor to set in the environment.

Type: string

Default: "vim"

Declared by:

provision.core.env.fonts.packages

font packages to add

Type: list of package

Default: [ ]

Declared by:

provision.core.env.fonts.extraConfig

extra config to merge with fonts

Type: raw value

Default: { }

Declared by:

provision.core.env.fonts.name

if set, adds font name in fontconfig default fonts

Type: null or string

Default: null

Declared by:

provision.core.env.locale.default

default locale (i18n.defaultLocale)

Type: string

Default: "en_GB.UTF-8"

Declared by:

provision.core.env.locale.keyMap

keyboard layout (console.keyMap)

Type: string

Default: "uk"

Declared by:

provision.core.env.locale.swapEscape

Whether to swap Escape and Caps Lock in the console and X server settings.

Type: boolean

Default: true

Example: true

Declared by:

provision.core.env.locale.timeZone

time zone (time.timeZone)

Type: string

Default: "Europe/Amsterdam"

Declared by:

provision.core.env.locale.xkbLayout

xserver xkb layout

Type: string

Default: "gb"

Declared by:

provision.core.shell.enable

Whether to enable basic shell integrations.

Type: boolean

Default: false

Example: true

Declared by:

provision.core.shell.direnv.enable

Whether to enable direnv in bash/zsh.

Type: boolean

Default: true

Example: true

Declared by:

provision.core.shell.starship.enable

Whether to enable the starship integration.

Type: boolean

Default: true

Example: true

Declared by:

provision.core.shell.starship.settings

starship settings

Type: raw value

Default: { }

Declared by:

provision.core.shell.zsh.enable

Whether to enable zsh.

Type: boolean

Default: true

Example: true

Declared by:

provision.defaults.enable

Whether to enable the defaults module. Setting this to false overrides (disables) every enable option in this module.

Type: boolean

Default: false

Example: true

Declared by:

provision.defaults.debug.packages

large list of debug packages

Type: list of package

Default: [ ]

Declared by:

provision.defaults.debug.systemImportPackages

Whether to add all debug packages to environment.systemPackages.

Type: boolean

Default: false

Example: true

Declared by:

provision.defaults.security.doas.enable

Whether to enable doas.

Type: boolean

Default: true

Example: true

Declared by:

provision.defaults.security.doas.extraRules

extra doas rules

Type: list of raw value

Default: [ ]

Declared by:

provision.defaults.security.electron.enable

Whether to enable the Chromium SUID sandbox.

Type: boolean

Default: false

Example: true

Declared by:

provision.defaults.security.hardened_kernel.enable

Whether to enable the latest hardened kernel.

Type: boolean

Default: false

Example: true

Declared by:

provision.defaults.security.hardened_kernel.kernel

hardened kernel package

Type: package

Default: <derivation linux-hardened-6.6.83>

Declared by:

provision.defaults.security.libre-only.enable

Whether to enable libre-only mode, which disables redistributable but non-free firmware.

Type: boolean

Default: false

Example: true

Declared by:

provision.defaults.security.namespacing.enable

Whether to enable unprivileged user namespaces (unprivilegedUsernsClone). This widens the kernel attack surface reachable by unprivileged users, which is why it is off by default.

Type: boolean

Default: false

Example: true

Declared by:

provision.defaults.security.openssh.enable

Whether to enable OpenSSH (sshd).

Type: boolean

Default: true

Example: true

Declared by:

provision.defaults.sysctl.bumpInotifyLimits

Whether to bump the inotify limits; the defaults are very low.

Low settings here can cause many issues, such as:

  • Failed to allocate directory watch: Too many open files
  • systemd-nspawn: Initializing machine ID from container UUID.
    systemd-nspawn: Failed to create control group inotify object: Too many open files
    systemd-nspawn: Failed to allocate manager object: Too many open files
    systemd-nspawn: [!!!] Failed to allocate manager object.
    systemd-nspawn: Exiting PID 1…

This can also affect hungry desktop applications.

More info and a potential upstream fix here: https://github.com/NixOS/nixpkgs/pull/126777/files .

Type: boolean

Default: true

Example: true

Declared by:

provision.defaults.sysctl.inotifyLimitsMultiple

Set the multiplier applied to the base (128) for the inotify limit types. Running many containers might require increasing this.

Current NixOS upstream would be 1, which becomes 128.

Default (64): results in 64 * 128 = 8192.

Type: integer between 1 and 100000000 (both inclusive)

Default: 64

Example: 10000

Declared by:

provision.defaults.systemd.defaultTimeoutSec

Default timeout in seconds for systemd units. Not set if null.

Type: null or integer between 5 and 10000000 (both inclusive)

Default: null

Example: 30

Declared by:

provision.fs.automount

Whether to enable automounting via devmon, udisks2 and gvfs.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.bcachefs.enable

Whether to enable bcachefs at boot.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.boot.enable

Whether to enable the boot configuration; adds boot to supportedFilesystems.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.boot.configurationLimit

Optionally limit the number of boot entries kept (configurationLimit).

Type: null or signed integer

Default: null

Declared by:

provision.fs.boot.device

Set /boot to a vfat filesystem at this device path.

Type: null or string

Default: null

Declared by:

provision.fs.boot.grub.enable

Whether to enable GRUB as the bootloader.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.boot.grub.devices

Devices to install the bootloader to.

Type: list of string

Default: [ ]

Declared by:

provision.fs.boot.grub.luks

Whether to enable LUKS support in GRUB (sets enableCryptodisk).

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.boot.systemd.enable

Whether to enable systemd-boot as the bootloader (boot.loader.systemd-boot).

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.boot.systemd.initrd.enable

Whether to use systemd in the initrd (boot.initrd.systemd).

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.boot.systemd.initrd.emergencyAccess

Whether to enable emergency access in the initrd; useful for debugging. Note that this allows an emergency root shell in stage 1 without a password, so leave it off on systems you care about.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.enable

Whether to enable the btrfs configuration; adds btrfs to supportedFilesystems.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.gen

generate btrfs filesystem mounts

Type: attribute set of (submodule)

Default: { }

Example:

{
  enc-root = {
    defaultOptions = [
      "compress=zstd"
    ];
    devicePath = "/dev/disk/by-uuid/my-luks-decrypted-uuid";
    subvolumes = {
      home = { };
      log = {
        path = "/var/log";
      };
      nix = {
        options = [
          "compress=zstd,noatime"
        ];
      };
      root = {
        path = "/";
      };
    };
  };
}

Declared by:

provision.fs.btrfs.gen.<name>.defaultOptions

default options to add to all subvolumes, can be overridden

Type: list of string

Default: [ ]

Example:

[
  "compress=zstd"
]

Declared by:

provision.fs.btrfs.gen.<name>.devicePath

Block device path of the btrfs filesystem.

Type: string

Default: "/dev/mapper/‹name›"

Example: "/dev/disk/by-label/nixos"

Declared by:

provision.fs.btrfs.gen.<name>.mntBase

Base mountpoint of this btrfs filesystem.

Type: string

Default: "/"

Declared by:

provision.fs.btrfs.gen.<name>.name

Name of the filesystem; by default sets the filesystem device path to `/dev/mapper/<name>`.

Type: string

Default: "‹name›"

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes

subvolumes under this btrfs filesystem

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.__devicePath

Block device path, normally inherited from the filesystem's devicePath.

Type: string

Default: "/dev/mapper/‹name›"

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.__mnt

final mount location

Type: string

Default: "/‹name›"

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.__mntBase

base mountpoint of the filesystem

Type: string

Default: "/"

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.__rootName

name of the root btrfs filesystem

Type: string

Default: "‹name›"

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.isRoot

Whether this entry mounts the root of the btrfs filesystem itself; not applicable if you use a subvolume for root.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.mnt

mountpoint of the subvolume

Type: string

Default: "‹name›"

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.opts

options to set on subvolume

Type: list of string

Default: [ ]

Example:

[
  "compress=zstd"
  "noatime"
]

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.subvol

name of subvolume

Type: string

Default: "‹name›"

Declared by:

provision.fs.btrfs.legacy.btrbk-core-root

Whether to import the legacy profile for btrbk/core-root. Do not use unless you already depend on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.legacy.btrbk-snapshot-root

Whether to import the legacy profile for btrbk/snapshot-root. Do not use unless you already depend on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.legacy.btrbk-snapshot-root-nix

Whether to import the legacy profile for btrbk/snapshot-root-nix. Do not use unless you already depend on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.legacy.initrd

Whether to import the legacy profile for initrd. Do not use unless you already depend on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.legacy.root-bios

Whether to import the legacy profile for root-bios. Do not use unless you already depend on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.legacy.root-uefi

Whether to import the legacy profile for root-uefi. Do not use unless you already depend on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.disko.enable

Whether to enable the disko extension wrapper.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.disko.devices

Map of disk name -> device path and disko profile to apply.

Type: attribute set of (submodule)

Default: { }

Example:

{
  enc-root = {
    device = "/dev/vda1";
    profile = "btrfs-luks-uefi";
  };
}

Declared by:

provision.fs.disko.devices.<name>.enable

Whether to enable this disko device.

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.disko.devices.<name>.__profilePath

profile path to apply args to

Type: null or absolute path

Default: null

Declared by:

provision.fs.disko.devices.<name>.args

Args to apply to disko profile

Type: raw value

Default: { }

Declared by:

provision.fs.disko.devices.<name>.device

Device to apply the disko profile to.

Type: string

Default: ""

Declared by:

provision.fs.disko.devices.<name>.diskName

disk name to apply to profile

Type: string

Default: "‹name›"

Declared by:

provision.fs.disko.devices.<name>.generated

generated disko config to import

Type: unspecified value

Default: { }

Declared by:

provision.fs.disko.devices.<name>.profile

profile to apply from provision.fs.disko.profiles

Type: string

Default: ""

Declared by:

provision.fs.disko.profiles

disko configuration snippets / profiles

Type: attribute set of absolute path

Default:

{
  bcachefs-encrypted-uefi = disko/bcachefs-encrypted-uefi.nix;
  bcachefs-luks-uefi = disko/bcachefs-luks-uefi.nix;
  btrfs-luks-uefi = disko/btrfs-luks-uefi.nix;
  btrfs-simple-uefi = disko/btrfs-simple-uefi.nix;
  ext4-luks-bios-uefi = disko/ext4-luks-bios-uefi.nix;
  ext4-simple-bios-uefi = disko/ext4-simple-bios-uefi.nix;
  ext4-simple-uefi = disko/ext4-simple-uefi.nix;
  zfs-mirror-luks = disko/zfs-mirror-luks.nix;
}

Declared by:

provision.fs.hddtemp.enable

Whether to enable hddtemp monitoring.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.hddtemp.automapBtrfs

Whether to automatically add all drives defined in provision.fs.btrfs.gen to monitoring.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.hddtemp.automapDisko

Whether to automatically add all disko-defined drives to monitoring.

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.hddtemp.drives

drives to monitor

Type: list of string

Default: [ ]

Declared by:

provision.fs.initrd.enable

Whether to enable the initrd configuration; adds initrd to supportedFilesystems.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.initrd.legacy.network

Whether to import the legacy profile for network. Do not use unless you already depend on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.initrd.legacy.test-keys

Whether to import the legacy profile for test-keys. Do not use unless you already depend on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.initrd.netModules

Extra network modules to add to boot.initrd.availableKernelModules.

For network unlock you will likely need to add the kernel modules for the network cards you want to use in stage 1.

You can find the kernel driver in use for an interface with ethtool:

IFACE=enp1s0
ethtool -i "$IFACE" | grep driver

Type: list of string

Default: [ ]

Example:

[
  "e1000e"
  "i40e"
  "igc"
  "8021q"
  "r8169"
]

Declared by:

provision.fs.initrd.postCommands.enable

Whether to enable the post-commands script used to decrypt the system. This is not compatible with using systemd as the initrd.

Enabled by default if the systemd initrd is not enabled.

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.initrd.postCommands.command

Command used to unlock the root filesystem (and any others you may also want to unlock).

This can be used with either GRUB or systemd-boot, but not with systemd as the initrd.

Type: string

Default: "echo 'cryptsetup-askpass' >> /root/.profile"

Declared by:

provision.fs.initrd.ssh.enable

Whether to enable SSH-based access to the initrd during stage-1 boot.

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.initrd.ssh.authorizedKeyFiles

Authorized keys to access host during stage-1 boot.

These pubkey files exist unencrypted on the system’s boot drive.

Type: list of string

Default: [ ]

Declared by:

provision.fs.initrd.ssh.hostKeys

Caution: Host SSH private key used for sshd during stage-1 boot only.

This key exists unencrypted on the system’s boot drive. Only use this key for this purpose!

Type: list of string

Default:

[
  "/etc/initrd/ssh_host_ed25519_key"
]

Declared by:

provision.fs.initrd.ssh.port

SSH port sshd listens at during stage-1 boot

Type: signed integer

Default: 9797

Declared by:

provision.fs.initrd.ssh.usersImportKeyFiles

Users whose key files are imported to allow unlocking the encrypted disk.

Imports keys from config.users.users.<user>.openssh.authorizedKeys.keyFiles.

NOTE: does not import from the keys option (openssh.authorizedKeys.keys).

Type: list of string

Default: [ ]

Declared by:

provision.fs.luks.enable

Whether to enable LUKS encryption; read by provision.fs.initrd and provision.fs.boot.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.luks.devices

map of luks name -> device path to unlock

Type: attribute set of string

Default: { }

Example:

{
  enc-root = "/dev/vda1";
}

Declared by:
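As an added example, not taken from the module's documentation or source, here is a remote-unlock configuration that combines provision.fs.luks, provision.fs.initrd.ssh, provision.fs.initrd.netModules and provision.fs.boot so that the scripted postCommands unlock actually runs. The device UUID, key file paths, user name, port and NIC driver are assumed placeholders, and the comment about where users' key files come from assumes the standard users.users.<user>.openssh.authorizedKeys.keyFiles path.

```nix
{ ... }:
{
  # Added example, not the module's own code. UUID, paths, user and driver are placeholders.
  provision.fs.luks = {
    enable = true;
    devices.enc-root = "/dev/disk/by-uuid/0000-PLACEHOLDER";   # replace with the real UUID
  };

  provision.fs.initrd = {
    enable = true;

    # Stage 1 needs the NIC driver; find it with: ethtool -i enp1s0 | grep driver
    netModules = [ "igc" ];

    # Scripted unlock: only works with the scripted (non-systemd) initrd.
    postCommands.enable = true;
    postCommands.command = "echo 'cryptsetup-askpass' >> /root/.profile";

    ssh = {
      enable = true;
      port = 9797;
      # Generate once on the host, outside the Nix store:
      #   ssh-keygen -t ed25519 -N "" -f /etc/initrd/ssh_host_ed25519_key
      # This key ends up unencrypted on the boot drive: never reuse it for the main sshd.
      hostKeys = [ "/etc/initrd/ssh_host_ed25519_key" ];
      # Public keys allowed to log in to the stage-1 sshd (also stored unencrypted).
      authorizedKeyFiles = [ "/etc/initrd/authorized_keys/ops.pub" ];
      # Assumed: also trusts users.users.admin.openssh.authorizedKeys.keyFiles.
      usersImportKeyFiles = [ "admin" ];
    };
  };

  provision.fs.boot = {
    enable = true;
    systemd.enable = true;           # systemd-boot as the bootloader is fine
    systemd.initrd.enable = false;   # but postCommands is incompatible with systemd as the initrd
    systemd.initrd.emergencyAccess = false;
  };
}
```

From a client, `ssh -p 9797 root@<host>` reaches the stage-1 sshd, and the appended cryptsetup-askpass prompts for the passphrase on login. Because that sshd presents a different host key than the main system, pin it separately: OpenSSH records non-default ports as `[host]:9797` in known_hosts, so the initrd key and the main system key never collide, and a mismatch on either is a real warning rather than noise.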

provision.fs.nfs.client.enable

Whether to enable the NFS client integration.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.nfs.client.localBase

default base directory for all NFS mounts

Type: string

Default: "/mnt/remote"

Declared by:

provision.fs.nfs.client.mounts

NFS mounts to enable

Type: attribute set of (NFS submodule)

Default: { }

Declared by:

provision.fs.nfs.client.mounts.<name>.enable

Whether to enable the ‹name› NFS mount.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.nfs.client.mounts.<name>.after

systemd after dependencies only (no requires)

Type: list of string

Default: [ ]

Declared by:

provision.fs.nfs.client.mounts.<name>.before

systemd before dependencies only

Type: list of string

Default: [ ]

Declared by:

provision.fs.nfs.client.mounts.<name>.device

final device string

Type: string

Default: ":/export/‹name›"

Declared by:

provision.fs.nfs.client.mounts.<name>.extraOptions

extra options to add

Type: list of string

Default: [ ]

Declared by:

provision.fs.nfs.client.mounts.<name>.hostPath

local host mount path

Type: string

Default: "/mnt/remote/‹name›"

Declared by:

provision.fs.nfs.client.mounts.<name>.networkOnlineService

Unit to automatically add an after + requires dependency on; set to null to disable.

Type: null or string

Default: "systemd-networkd-wait-online.service"

Declared by:

provision.fs.nfs.client.mounts.<name>.nfsVersion

nfs version to use

Type: string

Default: "4.2"

Declared by:

provision.fs.nfs.client.mounts.<name>.options

final options to add to mountpoint

Type: list of string

Default: [ ]

Declared by:

provision.fs.nfs.client.mounts.<name>.remotePath

remote host mount path

Type: string

Default: "/export/‹name›"

Declared by:

provision.fs.nfs.client.mounts.<name>.remoteUrl

NFS ip / domain

Type: string

Default: ""

Declared by:

provision.fs.nfs.client.mounts.<name>.requiredBy

sets systemd requiredBy + after

Type: list of string

Default: [ ]

Declared by:

provision.fs.nfs.client.mounts.<name>.requires

sets systemd requires + after

Type: list of string

Default: [ ]

Declared by:

provision.fs.nfs.client.nfsVersion

default NFS version to mount with

Type: string

Default: "4.2"

Declared by:

provision.fs.nfs.client.remoteBase

default remote server base directory for all NFS mounts

Type: string

Default: "/export"

Declared by:

provision.fs.nfs.client.remoteUrl

default remote server url / domain

Type: string

Default: ""

Declared by:

provision.fs.ntfs

Whether to enable the ntfs3d driver.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.smartd.enable

Whether to enable smartd (smartmontools) hard drive monitoring/testing.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.smartd.autodetect.enable

Whether to monitor all devices found on startup.

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.smartd.autodetect.defaultMatch

See smartd.conf(5) man page for details about these options:

  • “-a”: enable all checks
  • “-o VALUE”: enable/disable automatic offline testing on device (on/off)
  • “-s REGEXP”: do a short test every day at 3am and a long test every sunday at 3am.

Type: string

Default: "-a -o on -s (S/../.././03|L/../../7/03)"

Declared by:

provision.fs.smartd.settings

extra settings to add to services.smartd

Type: raw value

Default: { }

Declared by:

provision.fs.zfs.enable

Whether to enable ZFS configuration; adds zfs to supportedFilesystems.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.zfs.hostId

optionally set networking.hostId here, not required

Type: null or string

Default: null

Declared by:

provision.fs.zfs.kernel.enable

Whether to set the kernel to the latest version compatible with ZFS.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.zfs.kernel.latest

latest linux kernel version that works with zfs

Type: raw value

Default: self.channels.${pkgs.system}.nixpkgs-zfs.pkgs.linuxKernel.packages.linux_6_12

Example: pkgs.linuxKernel.packages.linux_6_11

Declared by:

provision.fs.zfs.legacy.initrd

Whether to import the legacy profile for initrd; do not use unless already in use.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.zfs.legacy.root-uefi

Whether to import the legacy profile for root-uefi; do not use unless already in use.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.zfs.nativeEncryption

Whether to set ZFS to request encryption credentials and set the initrd postCommand to unlock ZFS pools with native encryption.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.zfs.scrub.auto

Whether to enable autoscrub.

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.zfs.snapshot.auto

Whether to enable auto snapshot.

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.zfs.snapshot.daily

keep this many daily snapshots

Type: signed integer

Default: 2

Declared by:

provision.fs.zfs.snapshot.frequent

keep this many 15-minute snapshots

Type: signed integer

Default: 5

Declared by:

provision.fs.zfs.snapshot.monthly

keep this many monthly snapshots

Type: signed integer

Default: 1

Declared by:

provision.fs.zfs.snapshot.weekly

keep this many weekly snapshots

Type: signed integer

Default: 1

Declared by:

provision.fs.zfs.trim

Whether to enable trim.

Type: boolean

Default: true

Example: true

Declared by:

provision.hardware.amdgpu.enable

Whether to enable amdgpu.

Type: boolean

Default: false

Example: true

Declared by:

provision.hardware.amdgpu.addTools

Whether to add ROCm/AMD tools to system packages.

Type: boolean

Default: true

Example: true

Declared by:

provision.hardware.amdgpu.headless

Whether to enable headless-only amdgpu.

Type: boolean

Default: false

Example: true

Declared by:

provision.hardware.amdgpu.opencl

Whether to enable OpenCL.

Type: boolean

Default: true

Example: true

Declared by:

provision.hardware.amdgpu.vulkan

Whether to enable AMD Vulkan.

Type: boolean

Default: true

Example: true

Declared by:

provision.hardware.android.enable

Whether to enable Android udev rules.

Type: boolean

Default: false

Example: true

Declared by:

provision.hardware.wifi.enable

Whether to enable wifi.

Type: boolean

Default: false

Example: true

Declared by:

provision.hardware.zram.enable

Whether to enable zram.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.fail2ban.enable

Whether to enable fail2ban defaults.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.firewall.iptables.enable

Whether to enable iptables.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.networkd.enable

Whether to enable systemd-networkd.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.networkd.ethernetUseDhcp

Whether to add a basic unit which matches ethernet devices and enables DHCPv4.

Type: boolean

Default: true

Example: true

Declared by:

provision.networking.networkd.waitInterfaces

interfaces to wait online for with systemd-networkd-wait-online

Type: list of string

Default: [ ]

Declared by:

provision.networking.networkd.waitOnline

Whether to enable systemd-networkd-wait-online.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.ssh.enable

Whether to enable SSH.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.ssh.allowedInterfaces

opens the firewall on the listed interfaces; overrides openFirewallAll

Type: list of string

Default: [ ]

Declared by:

provision.networking.ssh.gpgAgentForwarding

Whether to enable gpg agent forwarding over SSH.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.ssh.hardened

Whether to enable hardened SSH options.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.ssh.openFirewallAll

Whether to open the firewall on all interfaces at the specified ports (default: 22); ignored if allowedInterfaces is set.

Type: boolean

Default: true

Example: true

Declared by:

provision.networking.ssh.ports

ports for SSH (default: [22])

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

[
  22
]

Example: 80

Declared by:

provision.networking.ssh.tor.enable

Whether to enable an onion service that connects to the local sshd.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.ssh.tor.internalSshAddress

internal ssh listen address

Type: string

Default: "[::1]"

Declared by:

provision.networking.ssh.tor.internalSshPort

internal ssh listen port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 22

Declared by:

provision.networking.ssh.tor.listenPort

listen port on tor

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 29420

Declared by:

provision.networking.static.enable

Whether to enable a static IP.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.static.address

IPv4 address

Type: string

Default: ""

Example: "45.89.126.43"

Declared by:

provision.networking.static.gateway

IPv4 gateway

Type: string

Default: ""

Example: "45.89.126.1"

Declared by:

provision.networking.static.interface

network interface

Type: string

Default: ""

Declared by:

provision.networking.static.kernelArg

Kernel argument passed in, setting the IP statically at kernel boot

Type: string

Default: "ip=:::255.255.255.0:::off"

Declared by:

provision.networking.static.netmask

IPv4 netmask

Type: string

Default: "255.255.255.0"

Declared by:

provision.networking.static.prefixLength

prefix length, must match netmask

Type: signed integer

Default: 24

Declared by:

provision.networking.tools.all.enable

Whether to enable all network debugging tools.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.tools.all.packages

all network debugging tools

Type: list of package

Default: [ ]

Declared by:

provision.networking.tools.basic.enable

Whether to enable basic tools.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.tools.basic.packages

basic network debugging tools

Type: list of package

Default: [ ]

Declared by:

provision.networking.vpn.mullvad-app

Whether to enable the mullvad-vpn app.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.vpn.protonvpn

Whether to enable protonvpn (adds the CLI).

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wifi.enable

Whether to enable wifi.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wifi.interface

wireless interface name

Type: string

Default: "wlan0"

Declared by:

provision.networking.wireguard.p2p.enable

Whether to enable wireguard p2p between 2 peers.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.currHost.addAgenixToHost

Whether to enable agenix integration for wireguard keys on the current host.

Automatically adds an age.secrets.wg-<network> entry for each wireguard network if the private key file location begins with /run/agenix.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.currHost.firewall.enable

Whether to enable nftables firewall integration via nixos-nftables-firewall.

Normally used on gateway nodes only, with the hub-and-spoke mode.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.currHost.firewall.type

which type of firewall to integrate with

Type: one of “provision”, “nnf”

Default: "provision"

Declared by:

provision.networking.wireguard.p2p.currHost.firewall.verdict

default verdict for firewall

Type: string

Default: "reject"

Declared by:

provision.networking.wireguard.p2p.currHost.name

current host name; used to look the host up in networks

Type: string

Default: "basic"

Declared by:

provision.networking.wireguard.p2p.currHost.networks

(read-only) links to systemd network config and files

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.info

(read-only) core information

Type: JSON value

Default: { }

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.netdev

(read-only) nixos netdev link

Type: JSON value

Default: { }

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.netdevUnit

(read-only) nixos netdev unit file

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.network

(read-only) nixos network

Type: JSON value

Default: { }

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.networkUnit

(read-only) nixos network unit file

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.wgQuick

(read-only) wg-quick connection information

Type: JSON value

Default: { }

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.wgQuickFile

(read-only) wg-quick connection information

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.hosts

wireguard networks to configure

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.enable

Whether to enable the host.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.allowAll

Whether to allow all IPs / forward all traffic (adds 0.0.0.0/0 to extraAllowedIPs).

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.endpointIP

optional endpoint ip

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.extraAllowedIPs

extra allowed IPs

Type: list of string

Default: [ ]

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.mtu

mtu bytes

Type: signed integer

Default: 1420

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.name

host name

Type: string

Default: "‹name›"

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks

networks to attach host to

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.enable

Whether to enable the host in the wireguard network; enabled if pubkey is set.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.allowAll

Whether to allow all IPs / forward all traffic (adds 0.0.0.0/0 to extraAllowedIPs).

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.endpointIP

optional endpoint ip

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.extraAllowedIPs

extra allowed IPs

Type: list of string

Default: [ ]

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.gateway.enable

force set gateway option, if enabled

Type: null or boolean

Default: null

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.mtu

mtu bytes

Type: signed integer

Default: 1420

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.name

network name

Type: string

Default: "‹name›"

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.pubkey

public key for host

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.subip

subip

Type: signed integer

Default: 300

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.subip

subip

Type: signed integer

Default: 300

Declared by:

provision.networking.wireguard.p2p.networks

wireguard networks to configure

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.networking.wireguard.p2p.networks.<name>.enable

Whether to enable the wireguard network.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.networks.<name>.__allRendered

wireguard network module, contains peers

Type: unspecified value

Default: { }

Declared by:

provision.networking.wireguard.p2p.networks.<name>.__renderedPeers

wireguard network module, contains peers

Type: unspecified value

Default: { }

Declared by:

provision.networking.wireguard.p2p.networks.<name>.allowAll

Whether to allow all IPs / forward all traffic (adds 0.0.0.0/0 to extraAllowedIPs).

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.networks.<name>.destination

destination for ip route creation

Type: string

Default: ".0/24"

Declared by:

provision.networking.wireguard.p2p.networks.<name>.firewall.enable

Whether to enable the firewall.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.networks.<name>.firewall.allowedHosts

Sets the default allowedHosts for each host. If set to ["__all"], all access is allowed; set to an empty list to disable.

Type: list of string

Default:

[
  "__all"
]

Declared by:

provision.networking.wireguard.p2p.networks.<name>.firewall.extraRules

Extra rules to add to networking.nftables.firewall.objects.wg-<name>

Type: list of string

Default: [ ]

Declared by:

provision.networking.wireguard.p2p.networks.<name>.firewall.interface

optional interface to limit the wireguard listen port to

Type: null or string

Default: null

Declared by:

provision.networking.wireguard.p2p.networks.<name>.hubId

when hub-and-spoke is enabled, specifies the id of the gateway in the subnet

Type: signed integer

Default: 1

Declared by:

provision.networking.wireguard.p2p.networks.<name>.listenPort

wireguard listen port

Type: signed integer

Default: 51819

Declared by:

provision.networking.wireguard.p2p.networks.<name>.mask

subnet mask

Type: signed integer

Default: 24

Declared by:

provision.networking.wireguard.p2p.networks.<name>.mode

Wireguard network mode

Type: one of “hub-and-spoke”, “p2p”

Default: "hub-and-spoke"

Declared by:

provision.networking.wireguard.p2p.networks.<name>.mtu

wireguard interface MTU bytes

Type: signed integer

Default: 1420

Declared by:

provision.networking.wireguard.p2p.networks.<name>.name

wireguard network name

Type: string

Default: "‹name›"

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers

wireguard network module, contains peers

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.enable

Whether to enable the host.

Type: boolean

Default: true

Example: true

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.addAgenixToHost

Whether to add an agenix secret named wg-<network> expecting the private wireguard key for this peer. This is only relevant when evaluated on the actual peer for generating wireguard configuration files.

This can be modified on the peer at currHost.networks.<network>.addAgenixToHost.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.allowAll

Whether to allow all IPs / forward all traffic.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.allowedIPs

allowed IPs list

Type: list of string

Default:

[
  "/32"
]

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.endpoint

optional endpoint + listen port combo

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.endpointIP

optional endpoint ip address

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.extraAllowedIPs

extra allowed IPs

Type: list of string

Default: [ ]

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.firewall.allowedHosts

List of allowed hosts. If set to ["__all"], all access is allowed.

Type: list of string

Default:

[
  "__all"
]

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.gateway.enable

Whether to use this host as the single gateway for the network.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.gateway.destination

destination for ip route creation

Type: string

Default: ".0/24"

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.ip

wireguard ip address

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.listenPort

wireguard listen port

Type: signed integer

Default: 51819

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.mask

subnet mask

Type: signed integer

Default: 24

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.mtu

wireguard interface MTU bytes

Type: signed integer

Default: 1420

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.name

host name

Type: string

Default: "‹name›"

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.network

wireguard network name

Type: string

Default: "‹name›"

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.persistentKeepAlive

persistent keep alive

Type: signed integer

Default: 0

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.privateKeyFile

private key file location, not set if empty

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.pubkey

wireguard public key

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.routes

list of systemd network routes

Type: list of raw value

Default: [ ]

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.subip

wireguard sub ip, combined with subnet, 300 if unused

Type: null or signed integer

Default: null

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.subnet

wireguard subnet

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.persistentKeepAlive

persistent keep alive

Type: signed integer

Default: 0

Declared by:

provision.networking.wireguard.p2p.networks.<name>.privateKeyFile

private key file location, must be set

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.subnet

wireguard subnet e.g. 10.97.23

Type: string

Default: ""

Declared by:

provision.nix.basic

Whether to enable good defaults for most use cases.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.builder

Whether to enable good defaults for powerful building machines.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.develop

Whether to enable good defaults for developers.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.flakes.enable

Whether to enable basic flakes usage (--experimental-features).

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.flakes.inputs

Flake inputs to add to nix-path and registry

Type: attribute set of unspecified value

Default: { }

Example: inputs

Declared by:

provision.nix.flakes.registry

registry entries to add, expects set(name -> input)

Type: attribute set of unspecified value

Default: { }

Declared by:

provision.nix.optimise.enable

Whether to enable store optimisation / deduplication.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.optimise.dates

how often to run garbage collection

Type: string

Default: "weekly"

Declared by:

provision.nix.optimise.gc

Whether to run garbage collection on a schedule.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.optimise.options

options to pass into nix-collect-garbage

Type: string

Default: "--delete-older-than 30d"

Declared by:

provision.nix.server

Whether to enable good defaults for servers / edge devices etc…

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.substituters

easily set binary cache substituters and keys

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.nix.substituters.<name>.enable

Whether to allow (but not enable by default) a substituter; sets trusted-substituters.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.substituters.<name>.publicKey

Pubkey that signed substituter store paths, sets trusted-public-keys

Type: string

Default: ""

Declared by:

provision.nix.substituters.<name>.substituter

Substituter for binaries, sets trusted-public-keys

Type: string

Default: ""

Declared by:

provision.nix.substituters.<name>.use

Whether to use this as a system substituter.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.trustWheel

Whether to add wheel to allowed and trusted users.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.trustedUsers

adds these users to allowed-users and trusted-users

Type: list of string

Default: [ ]

Declared by:

provision.roles.desktop.enable

Whether to enable the desktop node default configuration.

Sets up:

  • base shell + env
  • systemd-networkd networking
  • boot integrated, systemd-boot by default but can be changed
  • initrd + SSH encrypted root unlock

Type: boolean

Default: false

Example: true

Declared by:

provision.roles.desktop.initrdUnlockUsers

list of users to import SSH keyFiles from

Type: list of string

Default: [ ]

Declared by:

provision.roles.desktop.nixTrustedUsers

trusted nix users (needed for deploy user at least)

Type: list of string

Default: [ ]

Declared by:

provision.roles.edge.enable

Whether to enable the edge node default configuration.

Sets up:

  • base shell + env
  • garbage collected + optimised nix
  • systemd-networkd networking
  • boot integrated, systemd-boot by default but can be changed
  • initrd + SSH encrypted root unlock

Type: boolean

Default: false

Example: true

Declared by:

provision.roles.edge.bigMachine

Whether to increase some base system limits; can be required when running many containers or VMs.

Type: boolean

Default: false

Example: true

Declared by:

provision.roles.edge.initrdNetModules

extra network modules to add to boot.initrd.availableKernelModules

Type: list of string

Default: [ ]

Declared by:

provision.roles.edge.initrdUnlockUsers

users whose SSH keys are added to the initrd SSH network root disk unlock

Type: list of string

Default: [ ]

Declared by:

provision.roles.edge.nixTrustedUsers

trusted nix users (needed for deploy user at least)

Type: list of string

Default: [ ]

Declared by:

provision.scripts

Generate scripts from different shells from string snippets, files, or nushell modules.

Enabled scripts are added to environment.systemPackages by name if scripts.addToPackages is set.

Type: submodule

Default: { }

Example:

{
  provision.scripts = {
    my-test-script.text = "ls -l";
    my-test-script-bash-test.shell = "bash";
    my-test-script-bash-test.text = "ls -la";
    my-test-script-env-has.inputs = [pkgs.afetch];
    my-test-script-env-has.text = ''
      def main [ var ] {
        print $"Env ($var) present: (envHas $var)"
        afetch
      }
    '';
  };
}

Declared by:

provision.scripts.enable

Whether to enable the scripts integration.

Type: boolean

Default: true

Example: true

Declared by:

provision.scripts.__enabledScripts

enabled scripts

Type: unspecified value (read only)

Default: { }

Declared by:

provision.scripts.__exportableScripts

enabled scripts, with some config removed, suitable for importing between scripts

Type: unspecified value (read only)

Default: { }

Declared by:

provision.scripts.addToPackages

Whether to add all scripts to packages, depending on module type:

  • flake: packages.{system}
  • nixos: environment.systemPackages
  • home: home.packages

Type: boolean

Default: true

Example: true

Declared by:

provision.scripts.defaultLibDirs

optional script lib dir set for all nushell scripts

Type: null or absolute path

Default: null

Declared by:

provision.scripts.defaultShell

set default shell for all scripts

Type: string

Default: "nu"

Declared by:

provision.scripts.pkgs

Nixpkgs used to generate script. Influences shell runtime.

Type: Nixpkgs package set

Default: pkgs

Declared by:

provision.scripts.scripts

Generate scripts from different shells from string snippets, files, or nushell modules.

Enabled scripts are added to packages.{system} by name if scripts.addToPackages is set.

Type: attribute set of (submodule)

Default: { }

Example:

{
  my-test-script.text = "ls -l";
  my-test-script-bash-test.shell = "bash";
  my-test-script-bash-test.text = "ls -la";
  my-test-script-env-has.inputs = [pkgs.afetch];
  my-test-script-env-has.text = ''
    def main [ var ] {
      print $"Env ($var) present: (envHas $var)"
      afetch
    }
  '';
}

Declared by:

provision.scripts.scripts.<name>.enable

Whether to enable the script; automatically adds the script to packages.

Type: boolean

Default: true

Example: true

Declared by:

provision.scripts.scripts.<name>.package

package binary for running script

Type: package

Default: ""

Declared by:

provision.scripts.scripts.<name>.checkPhase

checkPhase setting of writeShellApplication; if null, a default bash check is run

Type: null or string

Default: ""

Declared by:

provision.scripts.scripts.<name>.env

runtime env to provide to script

Type: null or (attribute set of string)

Default: null

Example:

{
  ENV_VAR = "variable";
}

Declared by:

provision.scripts.scripts.<name>.extraConfig

extra config to add to writeShellApplication

Type: attribute set of raw value

Default: { }

Example:

with pkgs; [
  caddy
  gnused
]

Declared by:

provision.scripts.scripts.<name>.file

optionally set script file path, recommended for script files which only contain a single main

Type: absolute path

Default: builtins.toFile "‹name›.nu" config.text

Example: ./fill.nu

Declared by:

provision.scripts.scripts.<name>.inputs

runtime inputs to add to script

Type: list of package

Default: [ ]

Example:

with pkgs; [
  caddy
  gnused
]

Declared by:

provision.scripts.scripts.<name>.name

script name, also used as name of binary

Type: string

Default: "‹name›"

Declared by:

provision.scripts.scripts.<name>.nuLegacyModule

optional nu legacy module wrapper

Type: null or absolute path

Default: null

Example: ./my-helpers.nu

Declared by:

provision.scripts.scripts.<name>.nuLibDirs

sets NU_LIB_DIRS in nushell scripts

Type: null or absolute path

Default: null

Example: ./nu

Declared by:

provision.scripts.scripts.<name>.nuModule

optional nu module wrapper; a very basic wrapper that exports a module to be called from the CLI

Type: null or absolute path

Default: null

Example: ./my-helpers.nu

Declared by:

provision.scripts.scripts.<name>.runtimeShell

runtime shell package.

Type: package

Declared by:

provision.scripts.scripts.<name>.shell

runtime shell of script

Type: string

Default: "nu"

Example: "bash"

Declared by:

provision.scripts.scripts.<name>.text

nushell script

Type: string

Default: ""

Declared by:

provision.virt.build.arm

Whether to add aarch64-linux to binfmt for cross-compilation.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.enable

Whether to enable containers.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.docker.enable

Whether to enable docker.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.docker.zfs

Whether to enable a ZFS dataset for docker storage.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.docker.zfsDataset

zfs dataset to use as base for docker

Type: string

Default: ""

Declared by:

provision.virt.containers.legacy.netns

Whether to enable the WIP profile for docker netns.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.podman.enable

Whether to enable podman.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.podman.allowRootless

Whether to allow rootless podman; requires security.unprivilegedUsernsClone to be set.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.podman.dockerSocket

Whether to symlink the rootful podman socket to the rootful docker socket.

Type: boolean

Default: true

Example: true

Declared by:

provision.virt.containers.podman.niceNetworkStack

Whether to set up a netavark, aardvark + slirp4netns podman networking stack.

Type: boolean

Default: true

Example: true

Declared by:

provision.virt.containers.registries.block

Container registries to block.

Type: list of string

Default: [ ]

Declared by:

provision.virt.containers.registries.search

Container registries to search.

Type: list of string

Default:

[
  "localhost"
  "quay.io"
  "nixery.dev"
]

Declared by:

provision.virt.containers.storageContainerOverlay

Whether to FUSE-mount /run/containers onto /var/lib/containers.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.libvirt.enable

Whether to enable libvirt.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.libvirt.legacy.legacy-networking

Whether to import the legacy profile for legacy-networking; do not use unless you are already using it.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.libvirt.legacy.libvirt-networking

Whether to import the legacy profile for legacy-networking; do not use unless you are already using it.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.libvirt.legacy.networking

Whether to import the legacy profile for test-keys; do not use unless you are already using it.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.microvm.host.enable

Whether to enable microvm.host extensions.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.microvm.host.network.basic.enable

Whether to enable the base network interface.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.microvm.host.network.basic.ipv4Subnet

IPv4 range for the bridge.

Type: string

Default: "10.213.0.1/24"

Declared by:

provision.virt.microvm.host.network.basic.ipv6Prefix

IPv6 local prefix for the bridge.

Type: string

Default: "fd12:3456:789a::"

Declared by:

provision.virt.microvm.host.network.basic.name

Bridge interface name.

Type: string

Default: "microvm"

Declared by:

provision.virt.microvm.host.network.basic.tapTagMatch

networkd match pattern for tap interface names.

Type: string

Default: "vm*"

Declared by:

provision.virt.microvm.host.network.nat.enable

Whether to enable NAT for the bridge interface.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.microvm.host.qemu-bridge-fix

Whether to enable the workaround for the qemu-bridge-helper setuid binary.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.qemu.guestAgent

Whether to enable common configuration for virtual machines running under QEMU (using virtio).

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.qemu.smart.enable

Whether to enable smart-qemu quirks found somewhere online.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.qemu.smart.aarch64

Whether to enable 64-bit ARM emulation.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.qemu.smart.arm

Whether to enable 32-bit ARM emulation.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.qemu.smart.riscv64

Whether to enable 64-bit RISC-V emulation.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.qemu.smart.supportedPlatforms

Extra platforms that Nix will run binaries for.

Type: list of string

Default: [ ]

Declared by: