networking.nftables.gen.enable

Whether to enable these nftables rules.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.__rendered

Final nftables file string

Type: string

Default: ""

Declared by:

networking.nftables.gen.ignoreRegexSanityCheck

Whether to skip the sanity check that scans the rendered rules for unreplaced placeholder tokens such as <-dmz-internal.rockpro->. Leave this off unless you have checked the rendered file by hand: a leftover placeholder means a substitution silently failed.

Type: boolean

Default: false

Example: true

Declared by:

networking.nftables.gen.profiles

profiles to enable

Type: list of value “default” (singular enum)

Default:

[
  "default"
]

Declared by:

networking.nftables.gen.rules

shared/reusable rules

Type: attribute set of (submodule)

Default: { }

Declared by:

networking.nftables.gen.rules.<name>.enable

Whether to include rule in final rendered chain.

Type: boolean

Default: true

Declared by:

networking.nftables.gen.rules.<name>.__final

Final rendered rule string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.__name

Rule name; does not influence the rule except that it is used as the default comment.

Type: string

Default: "‹name›"

Declared by:

networking.nftables.gen.rules.<name>.comment

Comment appended to the end of the rule. Defaults to the rule name.

Type: string

Default: "‹name›"

Example: "allow all to host"

Declared by:

networking.nftables.gen.rules.<name>.counter

Whether to add a counter before the verdict.

Type: boolean

Default: false

Declared by:

networking.nftables.gen.rules.<name>.daddr

Filter by daddr

Type: list of string

Default: [ ]

Example:

[
  "10.1.1.1"
]

Declared by:

networking.nftables.gen.rules.<name>.iif

Filter by iif

Type: list of string

Default: [ ]

Example:

[
  "lan"
]

Declared by:

networking.nftables.gen.rules.<name>.iifname

Filter by iifname

Type: list of string

Default: [ ]

Example:

[
  "lan"
]

Declared by:

networking.nftables.gen.rules.<name>.log

Whether to add a log before the verdict.

Type: boolean

Default: false

Declared by:

networking.nftables.gen.rules.<name>.main

Main match expression of the rule.

The rendered rule is assembled as: {preset filters} {main} {debug flags} {verdict}

Type: string

Default: ""

Example: "meta l4proto { icmp, ipv6-icmp }"

Declared by:

networking.nftables.gen.rules.<name>.mapset

Mapset (from tables.<name>.mapsets) to match against.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.n

Ordering key of the rule within its chain; rules are rendered, and therefore evaluated, in ascending order of n.

Type: signed integer

Default: 100

Declared by:

networking.nftables.gen.rules.<name>.oif

Filter by oif

Type: list of string

Default: [ ]

Example:

[
  "wan"
]

Declared by:

networking.nftables.gen.rules.<name>.oifname

Filter by oifname

Type: list of string

Default: [ ]

Example:

[
  "wan"
]

Declared by:

networking.nftables.gen.rules.<name>.pre

Extra string snippet added before the auto-generated matchers.

Type: string

Default: ""

Example: "meta protocol ip"

Declared by:

networking.nftables.gen.rules.<name>.rewriteLists

String replacements run on the rule to generate __final.

Type: attribute set of list of string

Default:

{
  match = [
    "__name__"
    "__iifname__"
    "__oifname__"
    "__iif__"
    "__oif__"
    "__saddr__"
    "__daddr__"
  ];
  replace = [
    "‹name›"
    "__iifname__"
    "__oifname__"
    "__iif__"
    "__oif__"
    "__saddr__"
    "__daddr__"
  ];
}

Declared by:

networking.nftables.gen.rules.<name>.rule

Name of a rule in networking.nftables.gen.rules to look up; its values are applied to this rule.

Type: string

Default: "‹name›"

Example: "icmp-default"

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap

Named string replacements run to create the final rule.

Type: attribute set of (submodule)

Default: { }

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap.<name>.enable

Whether to apply this string replacement.

Type: boolean

Default: true

Example: true

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap.<name>.replace

Replacement string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.ruleReplaceMap.<name>.stringMatch

String to match.

Type: string

Default: ""

Declared by:

networking.nftables.gen.rules.<name>.saddr

Filter by saddr

Type: list of string

Default: [ ]

Example:

[
  "10.11.0.0/24"
]

Declared by:

networking.nftables.gen.rules.<name>.tcpDport

Filter by tcp dport

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.tcpSport

Filter by tcp sport

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.trace

Whether to add `meta nftrace set 1` before the verdict, so packets matching this rule show up in `nft monitor trace`.

Type: boolean

Default: false

Declared by:

networking.nftables.gen.rules.<name>.udpDport

Filter by udp dport

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.udpSport

Filter by udp sport

Type: list of signed integer

Default: [ ]

Example:

[
  53
  67
]

Declared by:

networking.nftables.gen.rules.<name>.verdict

Verdict appended to the end of the rule, for example accept, drop or jump another-chain. Left empty, the rule has no verdict and only counts/logs/traces before evaluation continues with the next rule.

Type: string

Default: ""

Example: "jump another-chain"

Declared by:

networking.nftables.gen.tables

tables to generate

Type: attribute set of (attribute set of (string or (submodule)))

Default: { }

Declared by:

networking.nftables.gen.tables.<name>.__chains

Chain objects.

Type: unspecified value

Default: { }

Declared by:

networking.nftables.gen.tables.<name>.__chainsStr

Chains rendered into a string

Type: strings concatenated with “\n”

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.__rendered

Rendered table string.

Type: strings concatenated with “\n”

Default:

''
  ## Table ‹name›
  table inet ‹name› {
    
    
    
  }
''

Declared by:

networking.nftables.gen.tables.<name>.__type

Address family of the table.

Type: one of “inet”, “ip”, “ip6”, “bridge”, “netdev”, “arp”

Default: "inet"

Declared by:

networking.nftables.gen.tables.<name>.mapsets

Define custom sets, maps and verdict maps for this table.

Type: attribute set of (submodule)

Default: { }

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.enable

Whether to include this set/map in the rendered table.

Type: boolean

Default: true

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.__final

Final rendered set/map definition string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.__map

Generated match expression used by rules that reference this mapset (built from lhsType and rhsType).

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements

Elements of the set/map; an element may carry a verdict (for vmap/vmapr).

Type: list of (submodule)

Default: [ ]

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.__final

Rendered element string.

Type: string

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.l

Left-hand side (<lhs>) of the map element; required.

Type: null or string

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.r

Right-hand side (<rhs>) of the map element.

Type: null or string

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.elements.*.v

Verdict (<verdict>) of the map element, for vmap/vmapr.

Type: null or string

Default: null

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.extraConfig

Extra configuration lines to add inside the set/map definition.

Type: strings concatenated with “\n”

Default: ""

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.flags

Set/map flags. Available options:

  • constant - set content may not change while bound
  • interval - set contains intervals
  • timeout - elements can be added with a timeout

Type: list of (one of “constant”, “interval”, “timeout”)

Default: [ ]

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.lhs

Type of the left-hand side in the map type `<lhs> . <rhs>`.

Type: string

Default: "ipv4_addr"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.lhsType

Match expression used for the left-hand side when generating the __map expression.

Type: null or string

Default: null

Example: "iifname"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.name

Name of the map/set/vmap.

Type: string

Default: "‹name›"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.rhs

Type of the right-hand side in the map type `<lhs> . <rhs>`.

Type: null or string

Default: null

Example: "ifname"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.rhsType

Match expression used for the right-hand side when generating the __map expression.

Type: null or string

Default: null

Example: "oifname"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.type

Final type of the set/map/vmap:

  • set: a list of elements (nftables set)
  • map: a hashmap of elements (nftables map)
  • vmap / vmapr: verdict maps. vmapr reverses the mapping:
      - [both]  match : verdict           ( lhs : verdict )
      - [vmap]  match . match : verdict   ( lhs . rhs : verdict )
      - [vmapr] match : match . match     ( lhs : rhs . verdict )
    See the nftables wiki examples for vmapr usage.

Type: one of “set”, “map”, “vmap”, “vmapr”

Default: "set"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.typeDef

Final nftables type definition string of the set/map.

Type: string

Default: "ipv4_addr"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.typeName

Type keyword used when defining the named set/map/vmap (e.g. set or map).

Type: string

Default: "set"

Declared by:

networking.nftables.gen.tables.<name>.mapsets.<name>.verdict

Optional verdict type in the map type, `<lhs> : <verdict>` or `<lhs> . <rhs> : <verdict>`.

Type: null or string

Default: null

Declared by:
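Added example, not taken from the module's own documentation: a few reusable rules plus one set and one verdict map in a table named "filter", using only the options listed above. Interface names, addresses, ports, the table name and the chain layout are illustrative assumptions; the page does not document how a chain pulls a shared rule in, so only the definitions are shown, and the exact rendered nftables text is the module's business.

```nix
# Added example (assumed names/addresses), not the module's own code.
{
  networking.nftables.gen = {
    enable = true;

    # Shared rules. Each one renders as
    #   {preset filters} {main} {debug flags} {verdict}
    # where the preset filters come from iifname/saddr/udpDport/... below.
    rules = {
      # ICMP/ICMPv6 from the LAN interface, counted so hit rates are visible.
      icmp-default = {
        n = 10;                                   # rendered before rules with the default n = 100
        iifname = [ "lan" ];
        main = "meta l4proto { icmp, ipv6-icmp }";
        counter = true;
        verdict = "accept";
        comment = "icmp from lan";
      };

      # DNS and DHCP to this host from the LAN subnet; logged while debugging.
      lan-services = {
        saddr = [ "10.11.0.0/24" ];
        udpDport = [ 53 67 ];
        log = true;                               # emits `log` before the verdict
        trace = false;                            # true adds `meta nftrace set 1`
        verdict = "accept";
      };

      # Match against the "lan-hosts" set defined below; the module builds the
      # match expression from the set's lhsType (assumed: `ip saddr @lan-hosts`).
      from-lan-hosts = {
        mapset = "lan-hosts";
        tcpDport = [ 22 ];
        verdict = "accept";
        comment = "ssh from known lan hosts";
      };

      # Placeholder substitution: "<-mgmt-net->" in `main` is replaced before
      # rendering. Were the replacement missing, the sanity check behind
      # ignoreRegexSanityCheck would flag the leftover "<-...->" token.
      mgmt-https = {
        main = "ip saddr <-mgmt-net->";
        tcpDport = [ 443 ];
        ruleReplaceMap.mgmt = {
          stringMatch = "<-mgmt-net->";
          replace = "10.99.0.0/24";
        };
        verdict = "accept";
      };
    };

    tables.filter.mapsets = {
      # Interval set of trusted LAN ranges (assumed table name "filter").
      lan-hosts = {
        type = "set";
        flags = [ "interval" ];
        lhs = "ipv4_addr";
        lhsType = "ip saddr";
        elements = [
          { l = "10.11.0.0/24"; }
          { l = "10.12.0.10"; }
        ];
      };

      # Verdict map: input interface name -> verdict (the `lhs : verdict` form).
      # nftables declares verdict maps with the `map` keyword, hence typeName.
      iif-policy = {
        type = "vmap";
        typeName = "map";
        lhs = "ifname";
        lhsType = "iifname";
        elements = [
          { l = "lan"; v = "accept"; }
          { l = "dmz"; v = "jump dmz-in"; }
          { l = "wan"; v = "drop"; }
        ];
      };
    };
  };
}
```

After a rebuild, `nft list ruleset` shows the rendered result; the `counter` and `log` flags on the first two rules are the cheapest way to confirm a rule is actually being hit before tightening verdicts.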

provision.core.earlyoom.enable

Whether to enable earlyoom.

Type: boolean

Default: false

Example: true

Declared by:

provision.core.earlyoom.enableDebug

Whether to enable debug info.

Type: boolean

Default: false

Example: true

Declared by:

provision.core.earlyoom.extraArgs

Extra arguments to pass to earlyoom.

Type: list of string

Default: [ ]

Declared by:

provision.core.earlyoom.memoryThreshold

Percentage of available memory below which earlyoom starts killing processes.

Type: signed integer

Default: 5

Declared by:

provision.core.earlyoom.settings

Extra settings merged into the earlyoom service configuration.

Type: raw value

Default:

{
  reportInterval = 0;
}

Declared by:

provision.core.env.enable

Whether to enable env configuration.

Type: boolean

Default: false

Example: true

Declared by:

provision.core.env.packages

Packages to add to environment.systemPackages.

Type: list of package

Default: [ ]

Declared by:

provision.core.env.editor

Default editor to set in the environment.

Type: string

Default: "vim"

Declared by:

provision.core.env.fonts.packages

font packages to add

Type: list of package

Default: [ ]

Declared by:

provision.core.env.fonts.extraConfig

Extra configuration merged into the fonts configuration.

Type: raw value

Default: { }

Declared by:

provision.core.env.fonts.name

if set, adds font name in fontconfig default fonts

Type: null or string

Default: null

Declared by:

provision.core.env.locale.default

Default locale (i18n.defaultLocale).

Type: string

Default: "en_GB.UTF-8"

Declared by:

provision.core.env.locale.keyMap

keyboard layout (console.keyMap)

Type: string

Default: "uk"

Declared by:

provision.core.env.locale.timeZone

time zone (time.timeZone)

Type: string

Default: "Europe/Amsterdam"

Declared by:

provision.core.shell.enable

Whether to enable basic shell integrations.

Type: boolean

Default: false

Example: true

Declared by:

provision.core.shell.direnv.enable

Whether to enable direnv on bash/zsh.

Type: boolean

Default: true

Example: true

Declared by:

provision.core.shell.starship.enable

Whether to enable starship integration.

Type: boolean

Default: true

Example: true

Declared by:

provision.core.shell.starship.settings

starship settings

Type: raw value

Default: { }

Declared by:

provision.core.shell.zsh.enable

Whether to enable zsh.

Type: boolean

Default: true

Example: true

Declared by:

provision.defaults.enable

Whether to apply the defaults in this module. Setting this to false overrides every other enable in this module.

Type: boolean

Default: false

Example: true

Declared by:

provision.defaults.debug.packages

large list of debug packages

Type: list of package

Default: [ ]

Declared by:

provision.defaults.debug.systemImportPackages

Whether to add all debug packages to environment.systemPackages.

Type: boolean

Default: false

Example: true

Declared by:

provision.defaults.security.doas.enable

Whether to enable doas.

Type: boolean

Default: true

Example: true

Declared by:

provision.defaults.security.doas.extraRules

extra doas rules

Type: list of raw value

Default: [ ]

Declared by:

provision.defaults.security.electron.enable

Whether to enable the Chromium SUID sandbox (security.chromiumSuidSandbox), needed by Electron apps on systems without unprivileged user namespaces.

Type: boolean

Default: false

Example: true

Declared by:

provision.defaults.security.hardened_kernel.enable

Whether to enable the latest hardened kernel.

Type: boolean

Default: false

Example: true

Declared by:

provision.defaults.security.hardened_kernel.kernel

hardened kernel package

Type: package

Default: <derivation linux-hardened-6.6.63>

Declared by:

provision.defaults.security.libre-only.enable

Whether to exclude redistributable (non-free) firmware; free firmware is still included.

Type: boolean

Default: false

Example: true

Declared by:

provision.defaults.security.namespacing.enable

Whether to enable unprivileged user namespaces (security.unprivilegedUsernsClone). Needed by rootless containers and browser sandboxes, but it widens the kernel attack surface reachable by unprivileged users; the hardened kernel profile turns it off.

Type: boolean

Default: false

Example: true

Declared by:

provision.defaults.security.openssh.enable

Whether to enable SSH (openssh).

Type: boolean

Default: true

Example: true

Declared by:

provision.defaults.sysctl.bumpInotifyLimits

Whether to bump the inotify limits; the upstream defaults are very low.

Low limits here cause failures such as:

  • Failed to allocate directory watch: Too many open files
  • systemd-nspawn: Initializing machine ID from container UUID.
    systemd-nspawn: Failed to create control group inotify object: Too many open files
    systemd-nspawn: Failed to allocate manager object: Too many open files
    systemd-nspawn: [!!!] Failed to allocate manager object.
    systemd-nspawn: Exiting PID 1…

This can also affect watch-hungry desktop applications.

More info and a potential upstream fix: https://github.com/NixOS/nixpkgs/pull/126777/files .

Type: boolean

Default: true

Example: true

Declared by:

provision.defaults.sysctl.inotifyLimitsMultiple

Multiplier applied to the base value (128) for the inotify limit sysctls. Running many containers might require increasing it.

Current NixOS upstream corresponds to 1, which gives 128.

The default of 64 gives 64 * 128 = 8192.

Type: integer between 1 and 100000000 (both inclusive)

Default: 64

Example: 10000

Declared by:

provision.defaults.systemd.defaultTimeoutSec

Default timeout (seconds) for systemd units. If null, the upstream default is left in place.

Type: null or integer between 5 and 10000000 (both inclusive)

Default: null

Example: 30

Declared by:

provision.fs.automount

Whether to enable automount via devmon, udisks2 and gvfs.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.bcachefs.enable

Whether to enable bcachefs at boot.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.boot.enable

Whether to enable the boot configuration.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.boot.configurationLimit

Optionally limit the number of generations kept in the boot menu (configurationLimit).

Type: null or signed integer

Default: null

Declared by:

provision.fs.boot.device

Mount /boot from a vfat filesystem at this device path.

Type: null or string

Default: null

Declared by:

provision.fs.boot.grub.enable

Whether to enable GRUB as the bootloader.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.boot.grub.devices

Devices to install GRUB to (boot.loader.grub.devices).

Type: list of string

Default: [ ]

Declared by:

provision.fs.boot.grub.luks

Whether to set boot.loader.grub.enableCryptodisk so GRUB can unlock LUKS to read /boot.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.boot.systemd.enable

Whether to enable systemd-boot as the bootloader (boot.loader.systemd-boot).

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.boot.systemd.initrd.enable

Whether to use systemd in the initrd (boot.initrd.systemd).

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.boot.systemd.initrd.emergencyAccess

Whether to enable emergency access in the initrd, useful for debugging. Keep it off on production machines: it drops to a passwordless root shell in stage-1, reachable by anyone at the console before the disks are unlocked.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.enable

Whether to enable the btrfs configuration; adds btrfs to supportedFilesystems.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.gen

Generate btrfs filesystem mounts.

Type: attribute set of (submodule)

Default: { }

Example:

{
  enc-root = {
    defaultOptions = [
      "compress=zstd"
    ];
    devicePath = "/dev/disk/by-uuid/my-luks-decrypted-uuid";
    subvolumes = {
      home = { };
      log = {
        mnt = "/var/log";
      };
      nix = {
        opts = [
          "compress=zstd"
          "noatime"
        ];
      };
      root = {
        mnt = "/";
      };
    };
  };
}

Declared by:

provision.fs.btrfs.gen.<name>.defaultOptions

Default mount options added to all subvolumes; can be overridden per subvolume.

Type: list of string

Default: [ ]

Example:

[
  "compress=zstd"
]

Declared by:

provision.fs.btrfs.gen.<name>.devicePath

Block device holding the btrfs filesystem.

Type: string

Default: "/dev/mapper/‹name›"

Example: "/dev/disk/by-label/nixos"

Declared by:

provision.fs.btrfs.gen.<name>.mntBase

Base mountpoint of this btrfs filesystem.

Type: string

Default: "/"

Declared by:

provision.fs.btrfs.gen.<name>.name

Name of the filesystem; by default sets the device path to `/dev/mapper/<name>`.

Type: string

Default: "‹name›"

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes

Subvolumes under this btrfs filesystem.

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.__devicePath

Block device path, normally inherited from the filesystem entry.

Type: string

Default: "/dev/mapper/‹name›"

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.__mnt

Final mount location.

Type: string

Default: "/‹name›"

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.__mntBase

Base mountpoint of the filesystem.

Type: string

Default: "/"

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.__rootName

Name of the parent btrfs filesystem entry.

Type: string

Default: "‹name›"

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.isRoot

Whether this entry mounts the top-level btrfs filesystem itself rather than a subvolume. Not applicable if you use a subvolume for root.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.mnt

Mountpoint of the subvolume.

Type: string

Default: "‹name›"

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.opts

Mount options to set on the subvolume.

Type: list of string

Default: [ ]

Example:

[
  "compress=zstd"
  "noatime"
]

Declared by:

provision.fs.btrfs.gen.<name>.subvolumes.<name>.subvol

Name of the subvolume.

Type: string

Default: "‹name›"

Declared by:

provision.fs.btrfs.legacy.btrbk-core-root

Whether to import the legacy profile for btrbk/core-root. Do not use unless you already rely on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.legacy.btrbk-snapshot-root

Whether to import the legacy profile for btrbk/snapshot-root. Do not use unless you already rely on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.legacy.btrbk-snapshot-root-nix

Whether to import the legacy profile for btrbk/snapshot-root-nix. Do not use unless you already rely on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.legacy.initrd

Whether to import the legacy profile for initrd. Do not use unless you already rely on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.legacy.root-bios

Whether to import the legacy profile for root-bios. Do not use unless you already rely on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.btrfs.legacy.root-uefi

Whether to import the legacy profile for root-uefi. Do not use unless you already rely on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.disko.enable

Whether to enable the disko extension wrapper.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.disko.devices

Devices to apply disko profiles to, keyed by disk name.

Type: attribute set of (submodule)

Default: { }

Example:

{
  enc-root = {
    device = "/dev/vda1";
    profile = "btrfs-luks-uefi";
  };
}

Declared by:

provision.fs.disko.devices.<name>.__profilePath

Path of the profile the args are applied to.

Type: null or path

Default: null

Declared by:

provision.fs.disko.devices.<name>.args

Arguments to apply to the disko profile.

Type: raw value

Default: { }

Declared by:

provision.fs.disko.devices.<name>.device

Device to apply the disko profile to.

Type: string

Default: ""

Declared by:

provision.fs.disko.devices.<name>.diskName

Disk name passed to the profile.

Type: string

Default: "‹name›"

Declared by:

provision.fs.disko.devices.<name>.generated

Generated disko configuration to import.

Type: unspecified value

Default: { }

Declared by:

provision.fs.disko.devices.<name>.profile

Profile to apply, by name, from provision.fs.disko.profiles.

Type: string

Default: ""

Declared by:

provision.fs.disko.profiles

Disko configuration snippets / profiles.

Type: attribute set of path

Default:

{
  bcachefs-encrypted-uefi = disko/bcachefs-encrypted-uefi.nix;
  bcachefs-luks-uefi = disko/bcachefs-luks-uefi.nix;
  btrfs-luks-uefi = disko/btrfs-luks-uefi.nix;
  btrfs-simple-uefi = disko/btrfs-simple-uefi.nix;
  ext4-luks-bios-uefi = disko/ext4-luks-bios-uefi.nix;
  ext4-simple-bios-uefi = disko/ext4-simple-bios-uefi.nix;
  ext4-simple-uefi = disko/ext4-simple-uefi.nix;
  zfs-mirror-luks = disko/zfs-mirror-luks.nix;
}

Declared by:

provision.fs.hddtemp.enable

Whether to enable hddtemp monitoring.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.hddtemp.automapBtrfs

Whether to automatically add all drives defined in provision.fs.btrfs.gen to monitoring.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.hddtemp.automapDisko

Whether to automatically add all disko-defined drives to monitoring.

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.hddtemp.drives

Drives to monitor.

Type: list of string

Default: [ ]

Declared by:

provision.fs.initrd.enable

Whether to enable the initrd configuration.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.initrd.legacy.network

Whether to import the legacy profile for network. Do not use unless you already rely on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.initrd.legacy.test-keys

Whether to import the legacy profile for test-keys. Do not use unless you already rely on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.initrd.netModules

Extra network modules to add to boot.initrd.availableKernelModules.

For network unlock you will most likely need the kernel modules for the network cards you want to use in stage-1.

You can find the driver in use with ethtool (the variable holds the interface name, not the driver):

IFACE=enp1s0
ethtool -i "$IFACE" | grep driver

Type: list of string

Default: [ ]

Example:

[
  "e1000e"
  "i40e"
  "igc"
  "8021q"
  "r8169"
]

Declared by:

provision.fs.initrd.postCommands.enable

Whether to enable the script used to decrypt the system in stage-1. This is not compatible with using systemd as the initrd.

Enabled by default when systemd's initrd is not enabled.

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.initrd.postCommands.command

Command used to unlock the root filesystem (and any others you may also want to unlock).

This can be used with either GRUB or systemd-boot, but not with systemd as the initrd.

Type: string

Default: "echo 'cryptsetup-askpass' >> /root/.profile"

Declared by:

provision.fs.initrd.ssh.enable

Whether to enable SSH access to the initrd during stage-1 boot (for remote unlock).

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.initrd.ssh.authorizedKeyFiles

Authorized keys to access host during stage-1 boot.

These pubkey files exist unencrypted on the system’s boot drive.

Type: list of string

Default: [ ]

Declared by:

provision.fs.initrd.ssh.hostKeys

Caution: Host SSH private key used for sshd during stage-1 boot only.

This key exists unencrypted on the system’s boot drive. Only use this key for this purpose!

Type: list of string

Default:

[
  "/etc/initrd/ssh_host_ed25519_key"
]

Declared by:

provision.fs.initrd.ssh.port

Port sshd listens on during stage-1 boot. Keeping it different from the main sshd port avoids known_hosts conflicts on clients, because the initrd uses its own host key.

Type: signed integer

Default: 9797

Declared by:

provision.fs.initrd.ssh.usersImportKeyFiles

Users whose authorized key files are imported to allow unlocking the encrypted disk.

Imports keys from config.users.users.<name>.openssh.authorizedKeys.keyFiles.

NOTE: does not import from the authorizedKeys.keys option, only keyFiles.

Type: list of string

Default: [ ]

Declared by:

provision.fs.luks.enable

Whether to enable LUKS encryption; read by provision.fs.initrd and provision.fs.boot.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.luks.devices

Map of LUKS name -> device path to unlock.

Type: attribute set of string

Default: { }

Example:

{
  enc-root = "/dev/vda1";
}

Declared by:
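Added example, not from the module's own documentation: remote LUKS unlock over SSH in a scripted (non-systemd) initrd, tying together provision.fs.luks, provision.fs.initrd.netModules, postCommands and initrd.ssh. The device UUID, NIC driver, user name and the authorized-keys file path are illustrative assumptions.

```nix
# Added example (assumed device, driver, user and paths), not the module's own code.
{
  provision.fs = {
    luks = {
      enable = true;
      # LUKS container to open as /dev/mapper/enc-root (assumed UUID).
      devices.enc-root = "/dev/disk/by-uuid/REPLACE-WITH-LUKS-UUID";
    };

    initrd = {
      enable = true;

      # Stage-1 needs the NIC driver in the initrd:
      #   IFACE=enp1s0; ethtool -i "$IFACE" | grep driver
      netModules = [ "e1000e" ];

      # Scripted initrd: make the SSH login shell run cryptsetup-askpass,
      # so `ssh -p 9797 root@host` lands straight in the passphrase prompt.
      postCommands = {
        enable = true;
        command = "echo 'cryptsetup-askpass' >> /root/.profile";
      };

      ssh = {
        enable = true;
        port = 9797;   # distinct from the main sshd port: different host key, separate known_hosts entry

        # Dedicated host key. It is copied unencrypted into the initrd on /boot,
        # so never reuse the system sshd host key here. Generate it once with:
        #   ssh-keygen -t ed25519 -N "" -f /etc/initrd/ssh_host_ed25519_key
        hostKeys = [ "/etc/initrd/ssh_host_ed25519_key" ];

        # Only these keys can reach the unlock prompt; they also sit
        # unencrypted on /boot (assumed path).
        authorizedKeyFiles = [ "/etc/initrd/unlock_authorized_keys" ];

        # Also import users.users.admin.openssh.authorizedKeys.keyFiles (assumed user).
        usersImportKeyFiles = [ "admin" ];
      };
    };

    # postCommands is incompatible with the systemd initrd; keep it off.
    boot.systemd.initrd.enable = false;
  };
}
```

From a client, pin the initrd host key separately (for example with a `HostKeyAlias` entry for the port-9797 host in `~/.ssh/config`) so a passphrase is never typed into a host whose initrd key does not match the one generated above.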

provision.fs.nfs.client.enable

Whether to enable the NFS client integrations.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.nfs.client.localBase

Default local base directory for all NFS mounts.

Type: string

Default: "/mnt/remote"

Declared by:

provision.fs.nfs.client.mounts

NFS mounts to enable.

Type: attribute set of (NFS submodule)

Default: { }

Declared by:

provision.fs.nfs.client.mounts.<name>.enable

Whether to enable the ‹name› NFS mount.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.nfs.client.mounts.<name>.after

Units to add to the mount's systemd After= only.

Type: list of string

Default: [ ]

Declared by:

provision.fs.nfs.client.mounts.<name>.before

Units to add to the mount's systemd Before= only.

Type: list of string

Default: [ ]

Declared by:

provision.fs.nfs.client.mounts.<name>.device

Final device string (remoteUrl:remotePath).

Type: string

Default: ":/export/‹name›"

Declared by:

provision.fs.nfs.client.mounts.<name>.extraOptions

Extra mount options to add.

Type: list of string

Default: [ ]

Declared by:

provision.fs.nfs.client.mounts.<name>.hostPath

Local mount path on this host.

Type: string

Default: "/mnt/remote/‹name›"

Declared by:

provision.fs.nfs.client.mounts.<name>.networkOnlineService

Unit automatically added to After= and Requires= of the mount; set to null to disable.

Type: null or string

Default: "systemd-networkd-wait-online.service"

Declared by:

provision.fs.nfs.client.mounts.<name>.nfsVersion

NFS version to use for this mount.

Type: string

Default: "4.2"

Declared by:

provision.fs.nfs.client.mounts.<name>.options

Final mount options applied to the mountpoint.

Type: list of string

Default: [ ]

Declared by:

provision.fs.nfs.client.mounts.<name>.remotePath

Export path on the remote server.

Type: string

Default: "/export/‹name›"

Declared by:

provision.fs.nfs.client.mounts.<name>.remoteUrl

NFS server IP address or hostname.

Type: string

Default: ""

Declared by:

provision.fs.nfs.client.mounts.<name>.requiredBy

Units to add to the mount's systemd RequiredBy= (and After=).

Type: list of string

Default: [ ]

Declared by:

provision.fs.nfs.client.mounts.<name>.requires

Units to add to the mount's systemd Requires= (and After=).

Type: list of string

Default: [ ]

Declared by:

provision.fs.nfs.client.nfsVersion

Default NFS version to mount with.

Type: string

Default: "4.2"

Declared by:

provision.fs.nfs.client.remoteBase

Default base export directory on the remote server for all NFS mounts.

Type: string

Default: "/export"

Declared by:

provision.fs.nfs.client.remoteUrl

Default remote server hostname or IP address.

Type: string

Default: ""

Declared by:
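Added example, not from the module's own documentation: a client-wide default server with one mount that inherits everything, one that overrides the server and export path and is required by a job, and one that opts out of the networkd wait-online dependency. Hostnames, paths and the service name are illustrative assumptions.

```nix
# Added example (assumed hostnames, paths, unit name), not the module's own code.
{
  provision.fs.nfs.client = {
    enable = true;
    remoteUrl = "nas.internal";          # default server for every mount
    remoteBase = "/export";
    localBase = "/mnt/remote";
    nfsVersion = "4.2";

    mounts = {
      # Inherits all defaults: nas.internal:/export/media -> /mnt/remote/media,
      # ordered after systemd-networkd-wait-online.service.
      media.enable = true;

      # Different server and export path, mounted with hardening options and
      # required by a backup job so the job fails loudly if the mount is absent.
      backups = {
        enable = true;
        remoteUrl = "backup.internal";
        remotePath = "/srv/backups";
        hostPath = "/mnt/remote/backups";
        # nosuid/nodev: never honour setuid binaries or device nodes served by
        # a network filesystem; noatime avoids a write on every read.
        extraOptions = [ "nosuid" "nodev" "noatime" ];
        requiredBy = [ "restic-backups-home.service" ];   # assumed unit name
      };

      # Host without systemd-networkd: drop the wait-online dependency and
      # order after network-online.target instead.
      scratch = {
        enable = true;
        networkOnlineService = null;
        after = [ "network-online.target" ];
      };
    };
  };
}
```

`systemctl cat mnt-remote-backups.mount` after a rebuild shows the generated unit with the Requires=/After= lines this configuration produces.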

provision.fs.ntfs

Whether to enable NTFS support (ntfs-3g driver).

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.smartd.enable

Whether to enable smartd (smartmontools) hard drive monitoring/testing.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.smartd.autodetect.enable

Whether to monitor all devices found on startup.

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.smartd.autodetect.defaultMatch

See smartd.conf(5) man page for details about these options:

  • “-a”: enable all checks
  • “-o VALUE”: enable/disable automatic offline testing on device (on/off)
  • “-s REGEXP”: do a short test every day at 3am and a long test every sunday at 3am.

Type: string

Default: "-a -o on -s (S/../.././03|L/../../7/03)"

Declared by:

provision.fs.smartd.settings

Extra settings to add to services.smartd.

Type: raw value

Default: { }

Declared by:

provision.fs.zfs.enable

Whether to enable the ZFS configuration; adds zfs to supportedFilesystems.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.zfs.hostId

Optionally set networking.hostId here; not required.

Type: null or string

Default: null

Declared by:

provision.fs.zfs.kernel.enable

Whether to set the kernel to the latest version compatible with ZFS.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.zfs.kernel.latest

Latest Linux kernel package that works with ZFS.

Type: raw value

Default: self.channels.${pkgs.system}.nixpkgs-zfs.pkgs.linuxKernel.packages.linux_6_10

Declared by:

provision.fs.zfs.legacy.initrd

Whether to import the legacy profile for initrd. Do not use unless you already rely on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.zfs.legacy.root-uefi

Whether to import the legacy profile for root-uefi. Do not use unless you already rely on it.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.zfs.nativeEncryption

Whether to make ZFS request encryption credentials at boot and set the initrd postCommand to unlock natively encrypted pools.

Type: boolean

Default: false

Example: true

Declared by:

provision.fs.zfs.scrub.auto

Whether to enable automatic scrubbing.

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.zfs.snapshot.auto

Whether to enable automatic snapshots.

Type: boolean

Default: true

Example: true

Declared by:

provision.fs.zfs.snapshot.daily

Number of daily snapshots to keep.

Type: signed integer

Default: 2

Declared by:

provision.fs.zfs.snapshot.frequent

Number of 15-minute snapshots to keep.

Type: signed integer

Default: 5

Declared by:

provision.fs.zfs.snapshot.monthly

Number of monthly snapshots to keep.

Type: signed integer

Default: 1

Declared by:

provision.fs.zfs.snapshot.weekly

Number of weekly snapshots to keep.

Type: signed integer

Default: 1

Declared by:

provision.fs.zfs.trim

Whether to enable TRIM.

Type: boolean

Default: true

Example: true

Declared by:

provision.hardware.amdgpu.enable

Whether to enable amdgpu.

Type: boolean

Default: false

Example: true

Declared by:

provision.hardware.amdgpu.addTools

Whether to add ROCm/AMD tools to the system packages.

Type: boolean

Default: true

Example: true

Declared by:

provision.hardware.amdgpu.headless

Whether to configure amdgpu for headless use only.

Type: boolean

Default: false

Example: true

Declared by:

provision.hardware.amdgpu.opencl

Whether to enable OpenCL.

Type: boolean

Default: true

Example: true

Declared by:

provision.hardware.amdgpu.vulkan

Whether to enable AMD Vulkan.

Type: boolean

Default: true

Example: true

Declared by:

provision.hardware.android.enable

Whether to enable the Android udev rules.

Type: boolean

Default: false

Example: true

Declared by:

provision.hardware.wifi.enable

Whether to enable wifi.

Type: boolean

Default: false

Example: true

Declared by:

provision.hardware.zram.enable

Whether to enable zram.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.fail2ban.enable

Whether to enable fail2ban defaults.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.firewall.iptables.enable

Whether to enable iptables.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.networkd.enable

Whether to enable systemd-networkd.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.networkd.ethernetUseDhcp

Whether to add a basic unit which matches ethernet devices and enables DHCPv4.

Type: boolean

Default: true

Example: true

Declared by:

provision.networking.networkd.waitInterfaces

interfaces to wait online for with systemd-networkd-wait-online

Type: list of string

Default: [ ]

Declared by:

provision.networking.networkd.waitOnline

Whether to enable systemd-networkd-wait-online.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.ssh.enable

Whether to enable SSH.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.ssh.allowedInterfaces

opens the firewall on the listed interfaces only; overrides openFirewallAll

Type: list of string

Default: [ ]

Declared by:

provision.networking.ssh.gpgAgentForwarding

Whether to enable gpg agent forwarding over SSH.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.ssh.hardened

Whether to enable hardened SSH options.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.ssh.openFirewallAll

Whether to open the firewall on all interfaces at the specified ports (default: 22); ignored if allowedInterfaces is set.

Type: boolean

Default: true

Example: true

Declared by:

provision.networking.ssh.ports

ports for SSH (default: [22])

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

[
  22
]

Example: 80

Declared by:

provision.networking.ssh.tor.enable

Whether to enable an onion service that connects to the local sshd.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.ssh.tor.internalSshAddress

internal ssh listen address

Type: string

Default: "[::1]"

Declared by:

provision.networking.ssh.tor.internalSshPort

internal ssh listen port

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 22

Declared by:

provision.networking.ssh.tor.listenPort

listen port on tor

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 29420

Declared by:

provision.networking.static.enable

Whether to enable a static IP.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.static.address

IPv4 address

Type: string

Default: ""

Example: "45.89.126.43"

Declared by:

provision.networking.static.gateway

IPv4 gateway

Type: string

Default: ""

Example: "45.89.126.1"

Declared by:

provision.networking.static.interface

network interface

Type: string

Default: ""

Declared by:

provision.networking.static.kernelArg

Kernel argument passed in, setting the IP statically at kernel boot

Type: string

Default: "ip=:::255.255.255.0:::off"

Declared by:

provision.networking.static.netmask

IPv4 netmask

Type: string

Default: "255.255.255.0"

Declared by:

provision.networking.static.prefixLength

prefix length, must match netmask

Type: signed integer

Default: 24

Declared by:

provision.networking.tools.all.enable

Whether to enable all network debugging tools.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.tools.all.packages

all network debugging tools

Type: list of package

Default: [ ]

Declared by:

provision.networking.tools.basic.enable

Whether to enable basic tools.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.tools.basic.packages

basic network debugging tools

Type: list of package

Default: [ ]

Declared by:

provision.networking.vpn.mullvad-app

Whether to enable the mullvad-vpn app.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.vpn.protonvpn

Whether to enable protonvpn (adds the cli).

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wifi.enable

Whether to enable wifi.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wifi.interface

wireless interface name

Type: string

Default: "wlan0"

Declared by:

provision.networking.wireguard.p2p.enable

Whether to enable wireguard p2p between 2 peers.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.currHost.enableAgenix

Whether to enable agenix integration for wireguard keys on the current host.

Automatically adds an age.secrets.wg-<network> entry for each wireguard network if the private key file location begins with /run/agenix.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.currHost.firewall.enable

Whether to enable nftables firewall integration via nixos-nftables-firewall.

Normally used on gateway nodes only, with hub-and-spoke mode.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.currHost.firewall.type

which type of firewall to integrate with

Type: one of “provision”, “nnf”

Default: "provision"

Declared by:

provision.networking.wireguard.p2p.currHost.firewall.verdict

default verdict for firewall

Type: string

Default: "reject"

Declared by:

provision.networking.wireguard.p2p.currHost.name

current host’s name, used to look the host up in networks

Type: string

Default: "basic"

Declared by:

provision.networking.wireguard.p2p.currHost.networks

(read-only) links to systemd network config and files

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.info

(read-only) core information

Type: raw value

Default: { }

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.netdev

(read-only) nixos netdev link

Type: raw value

Default: { }

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.netdevUnit

(read-only) nixos netdev unit file

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.network

(read-only) nixos network

Type: raw value

Default: { }

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.networkUnit

(read-only) nixos network unit file

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.wgQuick

(read-only) wg-quick connection information

Type: raw value

Default: { }

Declared by:

provision.networking.wireguard.p2p.currHost.networks.<name>.wgQuickFile

(read-only) wg-quick connection information

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.hosts

wireguard networks to configure

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.enable

Whether to enable the host.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.endpointIP

optional endpoint ip

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.extraAllowedIPs

extra allowed IPs

Type: list of string

Default: [ ]

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.mtu

mtu bytes

Type: signed integer

Default: 1420

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.name

host name

Type: string

Default: "‹name›"

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks

networks to attach host to

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.enable

Whether to enable the host in the wireguard network; enabled automatically if pubkey is set.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.endpointIP

optional endpoint ip

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.extraAllowedIPs

extra allowed IPs

Type: list of string

Default: [ ]

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.gateway.enable

force set gateway option, if enabled

Type: null or boolean

Default: null

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.mtu

mtu bytes

Type: signed integer

Default: 1420

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.name

network name

Type: string

Default: "‹name›"

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.pubkey

public key for host

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.networks.<name>.subip

wireguard sub ip, combined with the network subnet

Type: signed integer

Default: 300

Declared by:

provision.networking.wireguard.p2p.hosts.<name>.subip

wireguard sub ip, combined with the network subnet

Type: signed integer

Default: 300

Declared by:

provision.networking.wireguard.p2p.networks

wireguard networks to configure

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.networking.wireguard.p2p.networks.<name>.enable

Whether to enable the wireguard network.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.networks.<name>.__renderedPeers

wireguard network module, contains peers

Type: unspecified value

Default: { }

Declared by:

provision.networking.wireguard.p2p.networks.<name>.allowAll

Whether to allow all IPs / forward all traffic.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.networks.<name>.destination

destination for ip route creation

Type: string

Default: ".0/24"

Declared by:

provision.networking.wireguard.p2p.networks.<name>.firewall.enable

Whether to enable the firewall.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.networks.<name>.firewall.allowedHosts

Used to set the default allowedHosts per host. List of allowed hosts. If set to ["__all"] then all access is allowed; set to empty to disable.

Type: list of string

Default:

[
  "__all"
]

Declared by:

provision.networking.wireguard.p2p.networks.<name>.firewall.extraRules

Extra rules to add to networking.nftables.firewall.objects.wg-<name>

Type: list of string

Default: [ ]

Declared by:

provision.networking.wireguard.p2p.networks.<name>.firewall.interface

optional interface to limit wireguard port listen to

Type: null or string

Default: null

Declared by:

provision.networking.wireguard.p2p.networks.<name>.hubId

when hub-and-spoke is enabled, specifies the id of the gateway in the subnet

Type: signed integer

Default: 1

Declared by:

provision.networking.wireguard.p2p.networks.<name>.listenPort

wireguard listen port

Type: signed integer

Default: 51819

Declared by:

provision.networking.wireguard.p2p.networks.<name>.mask

subnet mask

Type: signed integer

Default: 24

Declared by:

provision.networking.wireguard.p2p.networks.<name>.mode

wireguard network mode

Type: one of “hub-and-spoke”, “p2p”

Default: "hub-and-spoke"

Declared by:

provision.networking.wireguard.p2p.networks.<name>.mtu

wireguard interface MTU bytes

Type: signed integer

Default: 1420

Declared by:

provision.networking.wireguard.p2p.networks.<name>.name

wireguard network name

Type: string

Default: "‹name›"

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers

wireguard network module, contains peers

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.enable

Whether to enable the host.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.allowAll

Whether to allow all IPs / forward all traffic.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.allowedIPs

allowed IPs list

Type: list of string

Default:

[
  "/32"
]

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.endpoint

optional endpoint + listen port combo

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.endpointIP

optional endpoint ip address

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.extraAllowedIPs

extra allowed IPs

Type: list of string

Default: [ ]

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.firewall.allowedHosts

List of allowed hosts. If set to ["__all"] then all access is allowed.

Type: list of string

Default:

[
  "__all"
]

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.gateway.enable

Whether to use this host as the single gateway for the network.

Type: boolean

Default: false

Example: true

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.gateway.destination

destination for ip route creation

Type: string

Default: ".0/24"

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.ip

wireguard ip address

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.listenPort

wireguard listen port

Type: signed integer

Default: 51819

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.mask

subnet mask

Type: signed integer

Default: 24

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.mtu

wireguard interface MTU bytes

Type: signed integer

Default: 1420

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.name

host name

Type: string

Default: "‹name›"

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.network

wireguard network name

Type: string

Default: "‹name›"

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.persistentKeepAlive

persistent keep alive

Type: signed integer

Default: 0

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.privateKeyFile

private key file location, not set if empty

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.pubkey

wireguard public key

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.routes

list of systemd network routes

Type: list of raw value

Default: [ ]

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.subip

wireguard sub ip, combined with subnet, 300 if unused

Type: null or signed integer

Default: null

Declared by:

provision.networking.wireguard.p2p.networks.<name>.peers.<name>.subnet

wireguard subnet

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.persistentKeepAlive

persistent keep alive

Type: signed integer

Default: 0

Declared by:

provision.networking.wireguard.p2p.networks.<name>.privateKeyFile

private key file location, must be set

Type: string

Default: ""

Declared by:

provision.networking.wireguard.p2p.networks.<name>.subnet

wireguard subnet e.g. 10.97.23

Type: string

Default: ""

Declared by:

provision.nix.basic

Whether to enable good defaults for most use cases.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.builder

Whether to enable good defaults for powerful building machines.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.develop

Whether to enable good defaults for developers.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.flakes.enable

Whether to enable basic flakes usage (--experimental-features).

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.flakes.inputs

Flake inputs to add to nix-path and registry

Type: attribute set of unspecified value

Default: { }

Example: inputs

Declared by:

provision.nix.flakes.registry

registry entries to add, expects set(name -> input)

Type: attribute set of unspecified value

Default: { }

Declared by:

provision.nix.optimise.enable

Whether to enable store optimisation / deduplication.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.optimise.dates

how often to run garbage collection

Type: string

Default: "weekly"

Declared by:

provision.nix.optimise.gc

Whether to run garbage collection on a schedule.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.optimise.options

options to pass into nix-collect-garbage

Type: string

Default: "--delete-older-than 30d"

Declared by:

provision.nix.server

Whether to enable good defaults for servers / edge devices etc…

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.substituters

easily set binary cache substituters and keys

Type: attribute set of (submodule)

Default: { }

Declared by:

provision.nix.substituters.<name>.enable

Whether to allow (but not enable by default) a substituter: sets `trusted-substituters`.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.substituters.<name>.publicKey

Pubkey that signed substituter store paths, sets trusted-public-keys

Type: string

Default: ""

Declared by:

provision.nix.substituters.<name>.substituter

Substituter for binaries, sets trusted-public-keys

Type: string

Default: ""

Declared by:

provision.nix.substituters.<name>.use

Whether to use as a system substituter.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.trustWheel

Whether to add wheel as allowed + trusted users.

Type: boolean

Default: false

Example: true

Declared by:

provision.nix.trustedUsers

adds these users to allowed-users and trusted-users

Type: list of string

Default: [ ]

Declared by:

provision.roles.desktop.enable

Whether to enable the desktop node default configuration.

Sets up:

  • base shell + env
  • systemd-networkd networking
  • boot integrated, systemd-boot by default but can be changed
  • initrd + SSH encrypted root unlock

Type: boolean

Default: false

Example: true

Declared by:

provision.roles.desktop.initrdUnlockUsers

list of users to import SSH keyFiles from

Type: list of string

Default: [ ]

Declared by:

provision.roles.desktop.nixTrustedUsers

trusted nix users (needed for deploy user at least)

Type: list of string

Default: [ ]

Declared by:

provision.roles.edge.enable

Whether to enable the edge node default configuration.

Sets up:

  • base shell + env
  • garbage collected + optimised nix
  • systemd-networkd networking
  • boot integrated, systemd-boot by default but can be changed
  • initrd + SSH encrypted root unlock

Type: boolean

Default: false

Example: true

Declared by:

provision.roles.edge.bigMachine

Whether to increase some base system limits. Can be required when running many containers or VMs.

Type: boolean

Default: false

Example: true

Declared by:

provision.roles.edge.initrdNetModules

extra network modules to add to boot.initrd.availableKernelModules

Type: list of string

Default: [ ]

Declared by:

provision.roles.edge.initrdUnlockUsers

users whose SSH keys are added to the initrd SSH network root disk unlock

Type: list of string

Default: [ ]

Declared by:

provision.roles.edge.nixTrustedUsers

trusted nix users (needed for deploy user at least)

Type: list of string

Default: [ ]

Declared by:

provision.scripts

Generate scripts from different shells from string snippets, files, or nushell modules.

Enabled scripts are added to environment.systemPackages by name if scripts.addToPackages is set.

Type: submodule

Default: { }

Example:

{
  provision.scripts = {
    my-test-script.text = "ls -l";
    my-test-script-bash-test.shell = "bash";
    my-test-script-bash-test.text = "ls -la";
    my-test-script-env-has.inputs = [pkgs.afetch];
    my-test-script-env-has.text = ''
      def main [ var ] {
        print $"Env ($var) present: (envHas $var)"
        afetch
      }
    '';
  };
}

Declared by:

provision.scripts.enable

Whether to enable scripts integration.

Type: boolean

Default: true

Example: true

Declared by:

provision.scripts.__enabledScripts

enabled scripts

Type: unspecified value (read only)

Default: { }

Declared by:

provision.scripts.__exportableScripts

enabled scripts, with some config removed, suitable for importing between scripts

Type: unspecified value (read only)

Default: { }

Declared by:

provision.scripts.addToPackages

Whether to add all scripts to packages, depending on module type:

  • flake: packages.{system}
  • nixos: environment.systemPackages
  • home: home.packages

Type: boolean

Default: true

Example: true

Declared by:

provision.scripts.defaultLibDirs

optional script lib dir set for all nushell scripts

Type: null or path

Default: null

Declared by:

provision.scripts.defaultShell

set default shell for all scripts

Type: string

Default: "nu"

Declared by:

provision.scripts.pkgs

Nixpkgs used to generate script. Influences shell runtime.

Type: Nixpkgs package set

Default: pkgs

Declared by:

provision.scripts.scripts

Generate scripts from different shells from string snippets, files, or nushell modules.

Enabled scripts are added to packages.{system} by name if scripts.addToPackages is set.

Type: attribute set of (submodule)

Default: { }

Example:

{
  my-test-script.text = "ls -l";
  my-test-script-bash-test.shell = "bash";
  my-test-script-bash-test.text = "ls -la";
  my-test-script-env-has.inputs = [pkgs.afetch];
  my-test-script-env-has.text = ''
    def main [ var ] {
      print $"Env ($var) present: (envHas $var)"
      afetch
    }
  '';
}

Declared by:

provision.scripts.scripts.<name>.enable

Whether to enable the script; automatically adds the script to packages.

Type: boolean

Default: true

Example: true

Declared by:

provision.scripts.scripts.<name>.package

package binary for running script

Type: package

Default: ""

Declared by:

provision.scripts.scripts.<name>.checkPhase

checkPhase setting for writeShellApplication; if null, runs a default bash one

Type: null or string

Default: ""

Declared by:

provision.scripts.scripts.<name>.env

runtime env to provide to script

Type: null or (attribute set of string)

Default: null

Example:

{
  ENV_VAR = "variable";
}

Declared by:

provision.scripts.scripts.<name>.extraConfig

extra config to add to `writeShellApplication`

Type: attribute set of raw value

Default: { }

Example:

with pkgs; [
  caddy
  gnused
]

Declared by:

provision.scripts.scripts.<name>.file

optionally set script file path, recommended for script files which only contain a single main

Type: path

Default: builtins.toFile "‹name›.nu" config.text

Example: ./fill.nu

Declared by:

provision.scripts.scripts.<name>.inputs

runtime inputs to add to script

Type: list of package

Default: [ ]

Example:

with pkgs; [
  caddy
  gnused
]

Declared by:

provision.scripts.scripts.<name>.name

script name, also used as name of binary

Type: string

Default: "‹name›"

Declared by:

provision.scripts.scripts.<name>.nuLegacyModule

optional nu legacy module wrapper

Type: null or path

Default: null

Example: ./my-helpers.nu

Declared by:

provision.scripts.scripts.<name>.nuLibDirs

sets NU_LIB_DIRS in nushell scripts

Type: null or path

Default: null

Example: ./nu

Declared by:

provision.scripts.scripts.<name>.nuModule

optional nu module wrapper, very basic wrapper that exports a module to be called from cli

Type: null or path

Default: null

Example: ./my-helpers.nu

Declared by:

provision.scripts.scripts.<name>.runtimeShell

runtime shell package.

Type: package

Declared by:

provision.scripts.scripts.<name>.shell

runtime shell of script

Type: string

Default: "nu"

Example: "bash"

Declared by:

provision.scripts.scripts.<name>.text

nushell script

Type: string

Default: ""

Declared by:

provision.virt.build.arm

Whether to add aarch64-linux to binfmt for cross-compilation.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.enable

Whether to enable containers.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.docker.enable

Whether to enable docker.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.docker.zfs

Whether to enable a zfs dataset for docker storage.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.docker.zfsDataset

zfs dataset to use as base for docker

Type: string

Default: ""

Declared by:

provision.virt.containers.legacy.netns

Whether to enable the wip profile for docker netns.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.podman.enable

Whether to enable podman.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.podman.allowRootless

Whether to allow rootless podman; requires security.unprivilegedUsernsClone to be set.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.containers.podman.dockerSocket

Whether to symlink the rootful podman socket to the rootful docker socket.

Type: boolean

Default: true

Example: true

Declared by:

provision.virt.containers.podman.niceNetworkStack

Whether to set up a netavark, aardvark + slirp4netns podman networking setup.

Type: boolean

Default: true

Example: true

Declared by:

provision.virt.containers.registries.block

registries to block

Type: list of string

Default: [ ]

Declared by:

provision.virt.containers.registries.search

registries to search

Type: list of string

Default:

[
  "localhost"
  "quay.io"
  "nixery.dev"
]

Declared by:

provision.virt.containers.storageContainerOverlay

Whether to fuse mount /run/containers to /var/lib/containers.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.libvirt.enable

Whether to enable libvirt.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.libvirt.legacy.legacy-networking

Whether to import the legacy profile for legacy-networking; do not use unless already using it.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.libvirt.legacy.libvirt-networking

Whether to import the legacy profile for libvirt-networking; do not use unless already using it.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.libvirt.legacy.networking

Whether to import the legacy profile for test-keys; do not use unless already using it.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.microvm.host.enable

Whether to enable the microvm.host extensions.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.microvm.host.network.basic.enable

Whether to enable the base network interface.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.microvm.host.network.basic.ipv4Subnet

ipv4 range for bridge

Type: string

Default: "10.213.0.1/24"

Declared by:

provision.virt.microvm.host.network.basic.ipv6Prefix

ipv6 local prefix for bridge

Type: string

Default: "fd12:3456:789a::"

Declared by:

provision.virt.microvm.host.network.basic.name

bridge interface

Type: string

Default: "microvm"

Declared by:

provision.virt.microvm.host.network.basic.tapTagMatch

networkd match tap interface name

Type: string

Default: "vm*"

Declared by:

provision.virt.microvm.host.network.nat.enable

Whether to enable nat for the bridge interface.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.microvm.host.qemu-bridge-fix

Whether to enable the workaround for the qemu-bridge-helper setuid binary.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.qemu.guestAgent

Whether to enable the common configuration for virtual machines running under QEMU (using virtio).

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.qemu.smart.enable

Whether to enable smart-qemu quirks found somewhere online.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.qemu.smart.aarch64

Whether to enable 64-bit arm emulation.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.qemu.smart.arm

Whether to enable 32-bit arm emulation.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.qemu.smart.riscv64

Whether to enable 64-bit riscv emulation.

Type: boolean

Default: false

Example: true

Declared by:

provision.virt.qemu.smart.supportedPlatforms

extra platforms that nix will run binaries for

Type: list of string

Default: [ ]

Declared by: