Whether to install files to support the AppStream metadata specification.

Type: boolean

Default: true

Declared by:

Whether to enable support for NixOS containers.

Type: boolean

Default: true

Declared by:

List of systems to emulate. Will also configure Nix to support your new systems.

Type: list of strings

Default: [ ]

Example: [ "wasm32-wasi" "x86_64-windows" "aarch64-linux" ]

Declared by:

Extra binary formats to register with the kernel. See https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html for more details.

Type: attribute set of submodules

Default: { }

Declared by:

Whether to open the interpreter file as soon as the registration is loaded, rather than waiting for a relevant file to be invoked.

See the description of the 'F' flag in the kernel docs for more details.

Type: boolean

Default: false

Declared by:

The interpreter to invoke to run the program.

Note that the actual registration will point to /run/binfmt/${name}, so the kernel interpreter length limit doesn't apply.

Type: path

Declared by:

The magic number or extension to match on.

Type: string

Declared by:

A mask to be ANDed with the byte sequence of the file before matching

Type: null or string

Default: null

Declared by:

Whether to launch with the credentials and security token of the binary, not the interpreter (e.g. setuid bit).

See the description of the 'C' flag in the kernel docs for more details.

Implies/requires openBinary = true.

Type: boolean

Default: false

Declared by:

The byte offset of the magic number used for recognition.

Type: null or signed integer

Default: null

Declared by:

Whether to pass the binary to the interpreter as an open file descriptor, instead of a path.

Type: boolean

Default: false

Declared by:

Whether to pass the original argv[0] to the interpreter.

See the description of the 'P' flag in the kernel docs for more details;

Type: boolean

Default: false

Declared by:

Whether to recognize executables by magic number or extension.

Type: one of "magic", "extension"

Default: "magic"

Declared by:

List of names of kernel modules that should not be loaded automatically by the hardware probing code.

Type: list of strings

Default: [ ]

Example: [ "cirrusfb" "i2c_piix4" ]

Declared by:

Whether to delete all files in /tmp during boot.

Type: boolean

Default: false

Declared by:

The kernel console loglevel. All Kernel Messages with a log level smaller than this setting will be printed to the console.

Type: signed integer

Default: 4

Declared by:

If enabled, NixOS will set up a kernel that will boot on crash, and leave the user in systemd rescue to be able to save the crashed kernel dump at /proc/vmcore. It also activates the NMI watchdog.

Type: boolean

Default: false

Declared by:

Parameters that will be passed to the kernel kexec-ed on crash.

Type: list of strings

Default: [ "1" "boot.shell_on_fail" ]

Declared by:

The amount of memory reserved for the crashdump kernel. If you choose a too high value, dmesg will mention "crashkernel reservation failed".

Type: unspecified

Default: "128M"

Declared by:

Size limit for the /dev/shm tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.

Type: string

Default: "50%"

Example: "256m"

Declared by:

Size limit for the /dev tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.

Type: string

Default: "5%"

Example: "32m"

Declared by:

Any additional configuration to be appended to the generated modprobe.conf. This is typically used to specify module options. See modprobe.conf(5) for details.

Type: strings concatenated with "\n"

Default: ""

Example:

''
options parport_pc io=0x378 irq=7 dma=1
''

Declared by:

A list of additional packages supplying kernel modules.

Type: list of packages

Default: [ ]

Example:

[ config.boot.kernelPackages.nvidia_x11 ]

Declared by:

Whether to enable grow the root partition on boot.

Type: boolean

Default: false

Example: true

Declared by:

Whether to try to load kernel modules for all detected hardware. Usually this does a good job of providing you with the modules you need, but sometimes it can crash the system or cause other nasty effects.

Type: boolean

Default: true

Declared by:

The set of kernel modules in the initial ramdisk used during the boot process. This set must include all modules necessary for mounting the root device. That is, it should include modules for the physical device (e.g., SCSI drivers) and for the file system (e.g., ext3). The set specified here is automatically closed under the module dependency relation, i.e., all dependencies of the modules list here are included automatically. The modules listed here are available in the initrd, but are only loaded on demand (e.g., the ext3 module is loaded automatically when an ext3 filesystem is mounted, and modules for PCI devices are loaded when they match the PCI ID of a device in your system). To force a module to be loaded, include it in boot.initrd.kernelModules.

Type: list of strings

Default: [ ]

Example: [ "sata_nv" "ext3" ]

Declared by:

Whether to run fsck on journaling filesystems such as ext3.

Type: boolean

Default: true

Declared by:

List of modules that are always loaded by the initrd.

Type: list of strings

Default: [ ]

Declared by:

A list of cryptographic kernel modules needed to decrypt the root device(s). The default includes all common modules.

Type: list of strings

Default: [ "aes" "aes_generic" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha1" "sha256" "sha512" "af_alg" "algif_skcipher" "aes_x86_64" ]

Declared by:

The encrypted disk that should be opened before the root filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM setups are supported. The unencrypted devices can be accessed as /dev/mapper/name.

Type: list or attribute set of submodules

Default: { }

Example: { luksroot = { device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; } ; }

Declared by:

Whether to allow TRIM requests to the underlying device. This option has security implications; please read the LUKS documentation before activating it.

Type: boolean

Default: false

Declared by:

Path of the underlying encrypted block device.

Type: string

Example: "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"

Declared by:

Whether to fallback to interactive passphrase prompt if the keyfile cannot be found. This will prevent unattended boot should the keyfile go missing.

Type: boolean

Default: false

Declared by:

The FIDO2 credential ID.

Type: string

Default: null

Example: "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2"

Declared by:

Time in seconds to wait for the FIDO2 key.

Type: signed integer

Default: 10

Declared by:

Defines whatever to use an empty string as a default salt.

Enable only when your device is PIN protected, such as Trezor.

Type: boolean

Default: false

Declared by:

The option to use this LUKS device with a GPG encrypted luks password by the GPG Smartcard. If null (the default), GPG-Smartcard will be disabled for this device.

Type: null or submodule

Default: null

Declared by:

Path to the GPG encrypted passphrase.

Type: path

Default: ""

Declared by:

Time in seconds to wait for the GPG Smartcard.

Type: signed integer

Default: 10

Declared by:

Path to the Public Key.

Type: path

Default: ""

Declared by:

The name of the file or block device that should be used as header for the encrypted device.

Type: null or string

Default: null

Example: "/root/header.img"

Declared by:

The name of the file (can be a raw device or a partition) that should be used as the decryption key for the encrypted device. If not specified, you will be prompted for a passphrase instead.

Type: null or string

Default: null

Example: "/dev/sdb1"

Declared by:

The offset of the key file. Use this in combination with keyFileSize to use part of a file as key file (often the case if a raw device or partition is used as a key file). If not specified, the key begins at the first byte of keyFile.

Type: null or signed integer

Default: null

Example: 4096

Declared by:

The size of the key file. Use this if only the beginning of the key file should be used as a key (often the case if a raw device or partition is used as key file). If not specified, the whole keyFile will be used decryption, instead of just the first keyFileSize bytes.

Type: null or signed integer

Default: null

Example: 4096

Declared by:

Whether the luksOpen will be attempted before LVM scan or after it.

Type: boolean

Default: true

Declared by:

The options to use for this LUKS device in Yubikey-PBA. If null (the default), Yubikey-PBA will be disabled for this device.

Type: null or submodule

Default: null

Declared by:

Time in seconds to wait for the Yubikey.

Type: signed integer

Default: 10

Declared by:

How much the iteration count for PBKDF2 is increased at each successful authentication.

Type: signed integer

Default: 0

Declared by:

Length of the LUKS slot key derived with PBKDF2 in byte.

Type: signed integer

Default: 64

Declared by:

Length of the new salt in byte (64 is the effective maximum).

Type: signed integer

Default: 16

Declared by:

Which slot on the Yubikey to challenge.

Type: signed integer

Default: 2

Declared by:

An unencrypted device that will temporarily be mounted in stage-1. Must contain the current salt to create the challenge for this LUKS device.

Type: path

Default: "/dev/sda1"

Declared by:

The filesystem of the unencrypted device.

Type: string

Default: "vfat"

Declared by:

Absolute path of the salt on the unencrypted device with that device's root directory as "/".

Type: string

Default: "/crypt-storage/default"

Declared by:

Whether to use a passphrase and a Yubikey (true), or only a Yubikey (false).

Type: boolean

Default: true

Declared by:

Enables support for authenticating with FIDO2 devices.

Type: boolean

Default: false

Declared by:

Enables support for authenticating with a GPG encrypted password.

Type: boolean

Default: false

Declared by:

Unless enabled, encryption keys can be easily recovered by an attacker with physical access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port. More information is available at http://en.wikipedia.org/wiki/DMA_attack.

This option blacklists FireWire drivers, but doesn't remove them. You can manually load the drivers if you need to use a FireWire device, but don't forget to unload them!

Type: boolean

Default: true

Declared by:

When opening a new LUKS device try reusing last successful passphrase.

Useful for mounting a number of devices that use the same passphrase without retyping it several times.

Such setup can be useful if you use cryptsetup luksSuspend. Different LUKS devices will still have different master keys even when using the same passphrase.

Type: boolean

Default: true

Declared by:

Enables support for authenticating with a Yubikey on LUKS devices. See the NixOS wiki for information on how to properly setup a LUKS device and a Yubikey to work with this feature.

Type: boolean

Default: false

Declared by:

Contents of /etc/mdadm.conf in stage 1.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Add network connectivity support to initrd. The network may be configured using the ip kernel parameter, as described in the kernel documentation. Otherwise, if networking.useDHCP is enabled, an IP address is acquired using DHCP.

You should add the module(s) required for your network card to boot.initrd.availableKernelModules. lspci -v | grep -iA8 'network\|ethernet' will tell you which.

Type: boolean

Default: false

Declared by:

Shell commands to be executed after stage 1 of the boot has initialised the network.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Start SSH service during initrd boot. It can be used to debug failing boot on a remote server, enter pasphrase for an encrypted partition etc. Service is killed when stage-1 boot is finished.

Type: boolean

Default: false

Declared by:

Authorized keys for the root user on initrd. Note that Dropbear doesn't support OpenSSH's Ed25519 key type.

Type: list of strings

Default: [ ]

Declared by:

DSS SSH private key file in the Dropbear format.

WARNING: Unless your bootloader supports initrd secrets, this key is contained insecurely in the global Nix store. Do NOT use your regular SSH host private keys for this purpose or you'll expose them to regular users!

Type: null or path

Default: null

Declared by:

ECDSA SSH private key file in the Dropbear format.

WARNING: Unless your bootloader supports initrd secrets, this key is contained insecurely in the global Nix store. Do NOT use your regular SSH host private keys for this purpose or you'll expose them to regular users!

Type: null or path

Default: null

Declared by:

RSA SSH private key file in the Dropbear format.

WARNING: Unless your bootloader supports initrd secrets, this key is contained insecurely in the global Nix store. Do NOT use your regular SSH host private keys for this purpose or you'll expose them to regular users!

Type: null or path

Default: null

Declared by:

Port on which SSH initrd service should listen.

Type: signed integer

Default: 22

Declared by:

Login shell of the remote user. Can be used to limit actions user can do.

Type: string

Default: "/bin/ash"

Declared by:

Additional command-line arguments passed verbatim to udhcpc if boot.initrd.network.enable and networking.useDHCP are enabled.

Type: list of strings

Default: [ ]

Declared by:

Shell commands to be executed immediately after stage 1 of the boot has loaded kernel modules and created device nodes in /dev.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Shell commands to be executed immediately after the stage 1 filesystems have been mounted.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Shell commands to be executed before udev is started to create device nodes.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Shell commands to be executed before the failure prompt is shown.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Shell commands to be executed immediately before LVM discovery.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Other initrd files to prepend to the final initrd we are building.

Type: list of strings

Default: [ ]

Declared by:

Names of supported filesystem types in the initial ramdisk.

Type: list of strings

Default: [ ]

Example: [ "btrfs" ]

Declared by:

Whether this NixOS machine is a lightweight container running in another NixOS system.

Type: boolean

Default: false

Declared by:

Provides a custom seed for the RANDSTRUCT security option of the Linux kernel. Note that RANDSTRUCT is only enabled in NixOS hardened kernels. Using a custom seed requires building the kernel and dependent packages locally, since this customization happens at build time.

Type: string

Default: ""

Example: "my secret seed"

Declared by:

Runtime parameters of the Linux kernel, as set by sysctl(8). Note that sysctl parameters names must be enclosed in quotes (e.g. "vm.swappiness" instead of vm.swappiness). The value of each parameter may be a string, integer, boolean, or null (signifying the option will not appear at all).

Type: attribute set of sysctl option values

Default: { }

Example:

{ "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }

Declared by:

The set of kernel modules to be loaded in the second stage of the boot process. Note that modules that are needed to mount the root file system should be added to boot.initrd.availableKernelModules or boot.initrd.kernelModules.

Type: list of strings

Default: [ ]

Declared by:

This option allows you to override the Linux kernel used by NixOS. Since things like external kernel module packages are tied to the kernel you're using, it also overrides those. This option is a function that takes Nixpkgs as an argument (as a convenience), and returns an attribute set containing at the very least an attribute kernel. Additional attributes may be needed depending on your configuration. For instance, if you use the NVIDIA X driver, then it also needs to contain an attribute nvidia_x11.

Type: unspecified

Default: "pkgs.linuxPackages"

Example:

pkgs.linuxPackages_2_6_25

Declared by:

Parameters added to the kernel command line.

Type: list of strings

Default: [ ]

Declared by:

A list of additional patches to apply to the kernel.

Type: list of attribute sets

Default: [ ]

Example:

[ pkgs.kernelPatches.ubuntu_fan_4_4 ]

Declared by:

Whether the installation process is allowed to modify EFI boot variables.

Type: boolean

Default: false

Declared by:

Where the EFI System Partition is mounted.

Type: string

Default: "/boot"

Declared by:

Whether to create symlinks to the system generations under /boot. When enabled, /boot/default/kernel, /boot/default/initrd, etc., are updated to point to the current generation's kernel image, initial RAM disk, and other bootstrap files.

This optional is not necessary with boot loaders such as GNU GRUB for which the menu is updated to point to the latest bootstrap files. However, it is needed for U-Boot on platforms where the boot command line is stored in flash memory rather than in a menu file.

Type: boolean

Default: false

Declared by:

Whether copy the necessary boot files into /boot, so /nix/store is not needed by the boot loader.

Type: boolean

Default: false

Declared by:

Whether to generate an extlinux-compatible configuration file under /boot/extlinux.conf. For instance, U-Boot's generic distro boot support uses this file format.

See U-boot's documentation for more information.

Type: boolean

Default: false

Declared by:

Maximum number of configurations in the boot menu.

Type: signed integer

Default: 20

Example: 10

Declared by:

Whether to enable the GNU GRUB boot loader.

Type: boolean

Default: true

Declared by:

Enable support for encrypted partitions. GRUB should automatically unlock the correct encrypted partition and look for filesystems.

Type: boolean

Default: false

Declared by:

Background color to be used for GRUB to fill the areas the image isn't filling.

Type: null or string

Default: null

Example: "#7EBAE4"

Declared by:

Maximum of configurations in boot menu. GRUB has problems when there are too many entries.

Type: signed integer

Default: 100

Example: 120

Declared by:

GRUB entry name instead of default.

Type: string

Default: ""

Example: "Stable 2.6.21"

Declared by:

Whether the GRUB menu builder should copy kernels and initial ramdisks to /boot. This is done automatically if /boot is on a different partition than /.

Type: boolean

Default: false

Declared by:

Index of the default menu item to be booted.

Type: signed integer or string

Default: "0"

Declared by:

The device on which the GRUB boot loader will be installed. The special value nodev means that a GRUB boot menu will be generated, but GRUB itself will not actually be installed. To install GRUB on multiple devices, use boot.loader.grub.devices.

Type: string

Default: ""

Example: "/dev/disk/by-id/wwn-0x500001234567890a"

Declared by:

The devices on which the boot loader, GRUB, will be installed. Can be used instead of device to install GRUB onto multiple devices.

Type: list of strings

Default: [ ]

Example: [ "/dev/disk/by-id/wwn-0x500001234567890a" ]

Declared by:

Whether to invoke grub-install with --removable.

Unless you turn this on, GRUB will install itself somewhere in boot.loader.efi.efiSysMountPoint (exactly where depends on other config variables). If you've set boot.loader.efi.canTouchEfiVariables *AND* you are currently booted in UEFI mode, then GRUB will use efibootmgr to modify the boot order in the EFI variables of your firmware to include this location. If you are *not* booted in UEFI mode at the time GRUB is being installed, the NVRAM will not be modified, and your system will not find GRUB at boot time. However, GRUB will still return success so you may miss the warning that gets printed ("efibootmgr: EFI variables are not supported on this system.").

If you turn this feature on, GRUB will install itself in a special location within efiSysMountPoint (namely EFI/boot/boot$arch.efi) which the firmwares are hardcoded to try first, regardless of NVRAM EFI variables.

To summarize, turn this on if:

Type: boolean

Default: false

Declared by:

Whether GRUB should be built with EFI support. EFI support is only available for GRUB v2. This option is ignored for GRUB v1.

Type: boolean

Default: false

Declared by:

Additional GRUB commands inserted in the configuration file just before the menu entries.

Type: strings concatenated with "\n"

Default: ""

Example: "serial; terminal_output.serial"

Declared by:

Any additional entries you want added to the GRUB boot menu.

Type: strings concatenated with "\n"

Default: ""

Example:

''
# GRUB 1 example (not GRUB 2 compatible)
title Windows
  chainloader (hd0,1)+1

# GRUB 2 example
menuentry "Windows 7" {
  chainloader (hd0,4)+1
}

# GRUB 2 with UEFI example, chainloading another distro
menuentry "Fedora" {
  set root=(hd1,1)
  chainloader /efi/fedora/grubx64.efi
}
''

Declared by:

Whether extraEntries are included before the default option.

Type: boolean

Default: false

Declared by:

A set of files to be copied to /boot. Each attribute name denotes the destination file name in /boot, while the corresponding attribute value specifies the source file.

Type: attribute set of paths

Default: { }

Example:

{ "memtest.bin" = "${pkgs.memtest86plus}/memtest.bin"; }

Declared by:

The path to a second initramfs to be supplied to the kernel. This ramfs will not be copied to the store, so that it can contain secrets such as LUKS keyfiles or ssh keys. This implies that rolling back to a previous configuration won't rollback the state of this file.

Type: null or path

Default: null

Example: "/boot/extra_initramfs.gz"

Declared by:

Additional GRUB commands inserted in the configuration file at the start of each NixOS menu entry.

Type: strings concatenated with "\n"

Default: ""

Example: "root (hd0)"

Declared by:

Additional bash commands to be run at the script that prepares the GRUB menu entries.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Path to a TrueType, OpenType, or pf2 font to be used by Grub.

Type: null or path

Default: ''"''${pkgs.grub2}/share/grub/unicode.pf2"''

Declared by:

Font size for the grub menu. Ignored unless font is set to a ttf or otf font.

Type: null or signed integer

Default: null

Example:

Declared by:

Whether to try and forcibly install GRUB even if problems are detected. It is not recommended to enable this unless you know what you are doing.

Type: boolean

Default: false

Declared by:

Whether to force the use of a ia32 boot loader on x64 systems. Required to install and run NixOS on 64bit x86 systems with 32bit (U)EFI.

Type: boolean

Default: false

Declared by:

Determines how GRUB will identify devices when generating the configuration file. A value of uuid / label signifies that grub will always resolve the uuid or label of the device before using it in the configuration. A value of provided means that GRUB will use the device name as show in df or mount. Note, zfs zpools / datasets are ignored and will always be mounted using their labels.

Type: one of "uuid", "label", "provided"

Default: "uuid"

Declared by:

The gfxmode to pass to GRUB when loading a graphical boot interface under BIOS.

Type: string

Default: "1024x768"

Example: "auto"

Declared by:

The gfxmode to pass to GRUB when loading a graphical boot interface under EFI.

Type: string

Default: "auto"

Example: "1024x768"

Declared by:

The gfxpayload to pass to GRUB when loading a graphical boot interface under BIOS.

Type: string

Default: "text"

Example: "keep"

Declared by:

The gfxpayload to pass to GRUB when loading a graphical boot interface under EFI.

Type: string

Default: "keep"

Example: "text"

Declared by:

Set of iPXE scripts available for booting from the GRUB boot menu.

Type: attribute set of path or strings

Default: { }

Example:

{ demo = ''
    #!ipxe
    dhcp
    chain http://boot.ipxe.org/demo/boot.php
  '';
}

Declared by:

Make Memtest86+ (or MemTest86 if EFI support is enabled), a memory testing program, available from the GRUB boot menu. MemTest86 is an unfree program, so this requires allowUnfree to be set to true.

Type: boolean

Default: false

Declared by:

Parameters added to the Memtest86+ command line. As of memtest86+ 5.01 the following list of (apparently undocumented) parameters are accepted:

This list of command line options was obtained by reading the Memtest86+ source code.

Type: list of strings

Default: [ ]

Example: [ "console=ttyS0,115200" ]

Declared by:

Mirror the boot configuration to multiple partitions and install grub to the respective devices corresponding to those partitions.

Type: list of submodules

Default: [ ]

Example: [ { devices = [ "/dev/disk/by-id/wwn-0x500001234567890a" ] ; path = "/boot1"; } { devices = [ "/dev/disk/by-id/wwn-0x500009876543210a" ] ; path = "/boot2"; } ]

Declared by:

The path to the devices which will have the GRUB MBR written. Note these are typically device paths and not paths to partitions.

Type: list of strings

Default: [ ]

Example: [ "/dev/disk/by-id/wwn-0x500001234567890a" "/dev/disk/by-id/wwn-0x500009876543210a" ]

Declared by:

The id of the bootloader to store in efi nvram. The default is to name it NixOS and append the path or efiSysMountPoint. This is only used if boot.loader.efi.canTouchEfiVariables is true.

Type: null or string

Default: null

Example: "NixOS-fsid"

Declared by:

The path to the efi system mount point. Usually this is the same partition as the above path and can be left as null.

Type: null or string

Default: null

Example: "/boot1/efi"

Declared by:

The path to the boot directory where GRUB will be written. Generally this boot path should double as an EFI path.

Type: string

Example: "/boot1"

Declared by:

Background image used for GRUB. Set to null to run GRUB in text mode.

Type: null or path

Example:

./my-background.png

Declared by:

Whether to stretch the image or show the image in the top-left corner unstretched.

Type: one of "normal", "stretch"

Default: "stretch"

Declared by:

Path to the Nix store when looking for kernels at boot. Only makes sense when copyKernels is false.

Type: string

Default: "/nix/store"

Declared by:

Enable trusted boot. GRUB will measure all critical components during the boot process to offer TCG (TPM) support.

Type: boolean

Default: false

Declared by:

Use a special version of TrustedGRUB that is needed by some HP laptops and works only for the HP laptops.

Type: boolean

Default: false

Declared by:

Assertion that the target system has an activated TPM. It is a safety check before allowing the activation of 'trustedBoot.enable'. TrustedBoot WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.

Type: string

Default: ""

Example: "YES_TPM_is_activated"

Declared by:

If set to true, append entries for other OSs detected by os-prober.

Type: boolean

Default: false

Declared by:

The version of GRUB to use: 1 for GRUB Legacy (versions 0.9x), or 2 (the default) for GRUB 2.

Type: signed integer

Default: 2

Example: 1

Declared by:

Whether GRUB should be built against libzfs. ZFS support is only available for GRUB v2. This option is ignored for GRUB v1.

Type: boolean

Default: false

Declared by:

Some systems require a /sbin/init script which is started. Or having it makes starting NixOS easier. This applies to some kind of hosting services and user mode linux.

Additionally this script will create /boot/init-other-configurations-contents.txt containing contents of remaining configurations. You can copy paste them into /sbin/init manually running a rescue system or such.

Type: boolean

Default: false

Declared by:

Whether to create files with the system generations in /boot. /boot/old will hold files from old generations.

Type: boolean

Default: false

Declared by:

Extra options that will be appended to /boot/config.txt file. For possible values, see: https://www.raspberrypi.org/documentation/configuration/config-txt/

Type: null or strings concatenated with "\n"

Default: null

Declared by:

Enable using uboot as bootmanager for the raspberry pi.

Type: boolean

Default: false

Declared by:

Maximum number of configurations in the boot menu.

Type: signed integer

Default: 20

Example: 10

Declared by:

Type: one of 0, 1, 2, 3, 4

Default: 2

Declared by:

Whether to enable the systemd-boot (formerly gummiboot) EFI boot manager

Type: boolean

Default: false

Declared by:

Maximum number of latest generations in the boot menu. Useful to prevent boot partition running out of disk space.

null means no limit i.e. all generations that were not garbage collected yet.

Type: null or signed integer

Default: null

Example: 120

Declared by:

The resolution of the console. The following values are valid:

Type: one of "0", "1", "2", "auto", "max", "keep"

Default: "keep"

Declared by:

Whether to allow editing the kernel command-line before boot. It is recommended to set this to false, as it allows gaining root access by passing init=/bin/sh as a kernel parameter. However, it is enabled by default for backwards compatibility.

Type: boolean

Default: true

Declared by:

Make MemTest86 available from the systemd-boot menu. MemTest86 is a program for testing memory. MemTest86 is an unfree program, so this requires allowUnfree to be set to true.

Type: boolean

Default: false

Declared by:

Timeout (in seconds) until loader boots the default menu item. Use null if the loader menu should be displayed indefinitely.

Type: null or signed integer

Default: 5

Declared by:

Whether to enable Plymouth boot splash screen.

Type: boolean

Default: false

Example: true

Declared by:

Literal string to append to configFile and the config file generated by the plymouth module.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Logo which is displayed on the splash screen.

Type: path

Default:

''
pkgs.fetchurl {
          url = "https://nixos.org/logo/nixos-hires.png";
          sha256 = "1ivzgd7iz0i06y36p8m5w48fd8pjqwxhdaavc0pxs7w1g7mcy5si";
        }''

Declared by:

Splash screen theme.

Type: string

Default: "breeze"

Declared by:

Extra theme packages for plymouth.

Type: list of packages

Default: [ (build of breeze-plymouth-5.17.5) ]

Declared by:

Shell commands to be executed just before systemd is started.

Type: strings concatenated with "\n"

Default: ""

Example: "rm -f /var/log/messages"

Declared by:

Device for manual resume attempt during boot. This should be used primarily if you want to resume from file. If left empty, the swap partitions are used. Specify here the device where the file resides. You should also use boot.kernelParams to specify resume_offset.

Type: string

Default: ""

Example: "/dev/sda3"

Declared by:

Size limit for the /run tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.

Type: string

Default: "25%"

Example: "256m"

Declared by:

Location of the device.

Type: null or string (with check: non-empty)

Default: null

Example: "/dev/sda"

Declared by:

Type of the file system.

Type: string (with check: non-empty)

Default: "auto"

Example: "ext3"

Declared by:

Location of the mounted the file system.

Type: string (with check: non-empty)

Example: "/mnt/usb"

Declared by:

Options used to mount the file system.

Type: list of string (with check: non-empty)s

Default: [ "defaults" ]

Example: [ "data=journal" ]

Declared by:

Names of supported filesystem types.

Type: list of strings

Default: [ ]

Example: [ "btrfs" ]

Declared by:

Whether to mount a tmpfs on /tmp during boot.

Type: boolean

Default: false

Declared by:

Whether to activate VESA video mode on boot.

Type: boolean

Default: false

Declared by:

Use the unstable zfs package. This might be an option, if the latest kernel is not yet supported by a published release of ZFS. Enabling this option will install a development version of ZFS on Linux. The version will have already passed an extensive test suite, but it is more likely to hit an undiscovered bug compared to running a released version of ZFS on Linux.

Type: boolean

Default: false

Declared by:

Name of directory from which to import ZFS devices.

This should be a path under /dev containing stable names for all devices needed, as import may fail if device nodes are renamed concurrently with a device failing.

Type: path

Default: "/dev/disk/by-id"

Example: "/dev/disk/by-id"

Declared by:

Name or GUID of extra ZFS pools that you wish to import during boot.

Usually this is not necessary. Instead, you should set the mountpoint property of ZFS filesystems to legacy and add the ZFS filesystems to NixOS's fileSystems option, which makes NixOS automatically import the associated pool.

However, in some cases (e.g. if you have many filesystems) it may be preferable to exclusively use ZFS commands to manage filesystems. If so, since NixOS/systemd will not be managing those filesystems, you will need to specify the ZFS pool here so that NixOS automatically imports it on every boot.

Type: list of strings

Default: [ ]

Example: [ "tank" "data" ]

Declared by:

Forcibly import all ZFS pool(s).

This is enabled by default for backwards compatibility purposes, but it is highly recommended to disable this option, as it bypasses some of the safeguards ZFS uses to protect your ZFS pools.

If you set this option to false and NixOS subsequently fails to import your non-root ZFS pool(s), you should manually import each pool with "zpool import -f <pool-name>", and then reboot. You should only need to do this once.

Type: boolean

Default: true

Declared by:

Forcibly import the ZFS root pool(s) during early boot.

This is enabled by default for backwards compatibility purposes, but it is highly recommended to disable this option, as it bypasses some of the safeguards ZFS uses to protect your ZFS pools.

If you set this option to false and NixOS subsequently fails to boot because it cannot import the root pool, you should boot with the zfs_force=1 option as a kernel parameter (e.g. by manually editing the kernel params in grub during boot). You should only need to do this once.

Type: boolean

Default: true

Declared by:

Request encryption keys or passwords for all encrypted datasets on import. For root pools the encryption key can be supplied via both an interactive prompt (keylocation=prompt) and from a file (keylocation=file://). Note that for data pools the encryption key can be only loaded from a file and not via interactive prompt since the import is processed in a background systemd service.

Type: boolean

Default: true

Declared by:

List of additional packages that provide console fonts, keymaps and other resources for virtual consoles use.

Type: list of packages

Default: "with pkgs.kbdKeymaps; [ dvp neo ]"

Declared by:

The 16 colors palette used by the virtual consoles. Leave empty to use the default colors. Colors must be in hexadecimal format and listed in order from color 0 to color 15.

Type: list of strings

Default: [ ]

Example: [ "002b36" "dc322f" "859900" "b58900" "268bd2" "d33682" "2aa198" "eee8d5" "002b36" "cb4b16" "586e75" "657b83" "839496" "6c71c4" "93a1a1" "fdf6e3" ]

Declared by:

Enable setting virtual console options as early as possible (in initrd).

Type: boolean

Default: false

Declared by:

TTY (virtual console) devices, in addition to the consoles on which mingetty and syslogd run, that must be initialised. Only useful if you have some program that you want to run on some fixed console. For example, the NixOS installation CD opens the manual in a web browser on console 7, so it sets console.extraTTYs to ["tty7"].

Type: list of strings

Default: [ ]

Example: [ "tty8" "tty9" ]

Declared by:

The font used for the virtual consoles. Leave empty to use whatever the setfont program considers the default font.

Type: string

Default: "Lat2-Terminus16"

Example: "LatArCyrHeb-16"

Declared by:

The keyboard mapping table for the virtual consoles.

Type: string or path

Default: "us"

Example: "fr"

Declared by:

If set, configure the virtual console keymap from the xserver keyboard settings.

Type: boolean

Default: false

Declared by:

A set of NixOS system configurations to be run as lightweight containers. Each container appears as a service container-name on the host system, allowing it to be started and stopped via systemctl.

Type: attribute set of submodules

Default: { }

Example:

{ webserver =
    { path = "/nix/var/nix/profiles/webserver";
    };
  database =
    { config =
        { config, pkgs, ... }:
        { services.postgresql.enable = true;
          services.postgresql.package = pkgs.postgresql_9_6;

          system.stateVersion = "17.03";
        };
    };
}

Declared by:

Allows the container to create and setup tunnel interfaces by granting the NET_ADMIN capability and enabling access to /dev/net/tun.

Type: boolean

Default: false

Declared by:

Grant additional capabilities to the container. See the capabilities(7) and systemd-nspawn(1) man pages for more information.

Type: list of strings

Default: [ ]

Example: [ "CAP_NET_ADMIN" "CAP_MKNOD" ]

Declared by:

A list of device nodes to which the containers has access to.

Type: list of submodules

Default: [ ]

Example: [ { modifier = "rw"; node = "/dev/net/tun"; } ]

Declared by:

Device node access modifier. Takes a combination r (read), w (write), and m (mknod). See the systemd.resource-control(5) man page for more information.

Type: string

Example: "rw"

Declared by:

Path to device node

Type: string

Example: "/dev/net/tun"

Declared by:

Whether the container is automatically started at boot-time.

Type: boolean

Default: false

Declared by:

An extra list of directories that is bound to the container.

Type: list or attribute set of submodules

Default: { }

Example: { /home = { hostPath = "/home/alice"; isReadOnly = false; } ; }

Declared by:

Location of the host path to be mounted.

Type: null or string

Default: null

Example: "/home/alice"

Declared by:

Determine whether the mounted path will be accessed in read-only mode.

Type: boolean

Default: true

Declared by:

Mount point on the container file system.

Type: string

Example: "/mnt/usb"

Declared by:

A specification of the desired configuration of this container, as a NixOS module.

Type: Toplevel NixOS config

Declared by:

Runs container in ephemeral mode with the empty root filesystem at boot. This way container will be bootstrapped from scratch on each boot and will be cleaned up on shutdown leaving no traces behind. Useful for completely stateless, reproducible containers.

Note that this option might require to do some adjustments to the container configuration, e.g. you might want to set systemd.network.networks.$interface.dhcpConfig.ClientIdentifier to "mac" if you use macvlans option. This way dhcp client identifier will be stable between the container restarts.

Note that the container journal will not be linked to the host if this option is enabled.

Type: boolean

Default: false

Declared by:

Extra flags passed to the systemd-nspawn command. See systemd-nspawn(1) for details.

Type: list of strings

Default: [ ]

Example: [ "--drop-capability=CAP_SYS_CHROOT" ]

Declared by:

Extra veth-pairs to be created for the container

Type: attribute set of submodules

Default: { }

Declared by:

List of forwarded ports from host to container. Each forwarded port is specified by protocol, hostPort and containerPort. By default, protocol is tcp and hostPort and containerPort are assumed to be the same if containerPort is not explicitly given.

Type: list of submodules

Default: [ ]

Example: [ { containerPort = 80; hostPort = 8080; protocol = "tcp"; } ]

Declared by:

Target port of container

Type: null or signed integer

Default: null

Declared by:

Source port of the external interface on host

Type: signed integer

Declared by:

The protocol specifier for port forwarding between host and container

Type: string

Default: "tcp"

Declared by:

The IPv4 address assigned to the host interface. (Not used when hostBridge is set.)

Type: null or string

Default: null

Example: "10.231.136.1"

Declared by:

The IPv6 address assigned to the host interface. (Not used when hostBridge is set.)

Type: null or string

Default: null

Example: "fc00::1"

Declared by:

Put the host-side of the veth-pair into the named bridge. Only one of hostAddress* or hostBridge can be given.

Type: null or string

Default: null

Example: "br0"

Declared by:

The IPv4 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /32 and routing is set up from localAddress to hostAddress and back.

Type: null or string

Default: null

Example: "10.231.136.2"

Declared by:

The IPv6 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /128 and routing is set up from localAddress6 to hostAddress6 and back.

Type: null or string

Default: null

Example: "fc00::2"

Declared by:

List of forwarded ports from host to container. Each forwarded port is specified by protocol, hostPort and containerPort. By default, protocol is tcp and hostPort and containerPort are assumed to be the same if containerPort is not explicitly given.

Type: list of submodules

Default: [ ]

Example: [ { containerPort = 80; hostPort = 8080; protocol = "tcp"; } ]

Declared by:

Target port of container

Type: null or signed integer

Default: null

Declared by:

Source port of the external interface on host

Type: signed integer

Declared by:

The protocol specifier for port forwarding between host and container

Type: string

Default: "tcp"

Declared by:

The IPv4 address assigned to the host interface. (Not used when hostBridge is set.)

Type: null or string

Default: null

Example: "10.231.136.1"

Declared by:

The IPv6 address assigned to the host interface. (Not used when hostBridge is set.)

Type: null or string

Default: null

Example: "fc00::1"

Declared by:

Put the host-side of the veth-pair into the named bridge. Only one of hostAddress* or hostBridge can be given.

Type: null or string

Default: null

Example: "br0"

Declared by:

The list of interfaces to be moved into the container.

Type: list of strings

Default: [ ]

Example: [ "eth1" "eth2" ]

Declared by:

The IPv4 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /32 and routing is set up from localAddress to hostAddress and back.

Type: null or string

Default: null

Example: "10.231.136.2"

Declared by:

The IPv6 address assigned to the interface in the container. If a hostBridge is used, this should be given with netmask to access the whole network. Otherwise the default netmask is /128 and routing is set up from localAddress6 to hostAddress6 and back.

Type: null or string

Default: null

Example: "fc00::2"

Declared by:

The list of host interfaces from which macvlans will be created. For each interface specified, a macvlan interface will be created and moved to the container.

Type: list of strings

Default: [ ]

Example: [ "eth1" "eth2" ]

Declared by:

As an alternative to specifying config, you can specify the path to the evaluated NixOS system configuration, typically a symlink to a system profile.

Type: path

Example: "/nix/var/nix/profiles/containers/webserver"

Declared by:

Whether to give the container its own private virtual Ethernet interface. The interface is called eth0, and is hooked up to the interface ve-container-name on the host. If this option is not set, then the container shares the network interfaces of the host, and can bind to any port on any interface.

Type: boolean

Default: false

Declared by:

Time for the container to start. In case of a timeout, the container processes get killed. See systemd.time(7) for more information about the format.

Type: string

Default: "1min"

Declared by:

Mounts a set of tmpfs file systems into the container. Multiple paths can be specified. Valid items must conform to the --tmpfs argument of systemd-nspawn. See systemd-nspawn(1) for details.

Type: list of strings

Default: [ ]

Example: [ "/var" ]

Declared by:

Docker containers to run as systemd services.

Type: attribute set of submodules

Default: { }

Declared by:

Commandline arguments to pass to the image's entrypoint.

Type: list of strings

Default: [ ]

Example:

["--port=9000"]

Declared by:

Define which other containers this one depends on. They will be added to both After and Requires for the unit.

Use the same name as the attribute under services.docker-containers.

Type: list of strings

Default: [ ]

Example:

services.docker-containers = {
  node1 = {};
  node2 = {
    dependsOn = [ "node1" ];
  }
}

Declared by:

Override the default entrypoint of the image.

Type: null or string

Default: null

Example: "/bin/my-app"

Declared by:

Environment variables to set for this container.

Type: attribute set of strings

Default: { }

Example:

{
  DATABASE_HOST = "db.example.com";
  DATABASE_PORT = "3306";
}

Declared by:

Extra options for docker run.

Type: list of strings

Default: [ ]

Example:

["--network=host"]

Declared by:

Docker image to run.

Type: string

Example: "library/hello-world"

Declared by:

Path to an image file to load instead of pulling from a registry. If defined, do not pull from registry.

You still need to set the image attribute, as it will be used as the image name for docker to start a container.

Type: null or package

Default: null

Example:

pkgs.dockerTools.buildDockerImage {...};

Declared by:

Logging driver for the container. The default of "none" means that the container's logs will be handled as part of the systemd unit. Setting this to "journald" will result in duplicate logging, but the container's logs will be visible to the docker logs command.

For more details and a full list of logging drivers, refer to the Docker engine documentation

Type: string

Default: "none"

Declared by:

Network ports to publish from the container to the outer host.

Valid formats:

Both hostPort and containerPort can be specified as a range of ports. When specifying ranges for both, the number of container ports in the range must match the number of host ports in the range. Example: 1234-1236:1234-1236/tcp

When specifying a range for hostPort only, the containerPort must not be a range. In this case, the container port is published somewhere within the specified hostPort range. Example: 1234-1236:1234/tcp

Refer to the Docker engine documentation for full details.

Type: list of strings

Default: [ ]

Example:

[
  "8080:9000"
]

Declared by:

Override the username or UID (and optionally groupname or GID) used in the container.

Type: null or string

Default: null

Example: "nobody:nogroup"

Declared by:

List of volumes to attach to this container.

Note that this is a list of "src:dst" strings to allow for src to refer to /nix/store paths, which would be difficult with an attribute set. There are also a variety of mount options available as a third field; please refer to the docker engine documentation for details.

Type: list of strings

Default: [ ]

Example:

[
  "volume_name:/path/inside/container"
  "/path/on/host:/path/inside/container"
]

Declared by:

Override the default working directory for the container.

Type: null or string

Default: null

Example: "/var/lib/hello_world"

Declared by:

Whether to install documentation of packages from environment.systemPackages into the generated system path.

See "Multiple-output packages" chapter in the nixpkgs manual for more info.

Type: boolean

Default: true

Declared by:

Whether to install documentation targeted at developers.

Type: boolean

Default: false

Declared by:

Whether to install documentation distributed in packages' /share/doc. Usually plain text and/or HTML. This also includes "doc" outputs.

Type: boolean

Default: true

Declared by:

Whether to install info pages and the info command. This also includes "info" outputs.

Type: boolean

Default: true

Declared by:

Whether to install manual pages and the man command. This also includes "man" outputs.

Type: boolean

Default: true

Declared by:

Whether to install NixOS's own documentation.

Type: boolean

Default: true

Declared by:

Which extra NixOS module paths the generated NixOS's documentation should strip from options.

Type: list of path or strings

Default: [ ]

Example:

# e.g. with options from modules in ${pkgs.customModules}/nix:
[ pkgs.customModules ]

Declared by:

Whether the generated NixOS's documentation should include documentation for all the options from all the NixOS modules included in the current configuration.nix. Disabling this will make the manual generator to ignore options defined outside of baseModules.

Type: boolean

Default: false

Declared by:

Whether to enable Dysnomia

Type: boolean

Default: false

Declared by:

Whether to publish privacy-sensitive authentication credentials

Type: boolean

Default: false

Declared by:

The Dysnomia package

Type: path

Declared by:

An atttribute set in which each key represents a container and each value an attribute set in which each key represents a component and each value a derivation constructing its initial state

Type: unspecified

Default: { }

Declared by:

An attribute set in which each key represents a container and each value an attribute set providing its configuration properties

Type: unspecified

Default: { }

Declared by:

A list of paths containing additional container configurations that are added to the search folders

Type: unspecified

Default: [ ]

Declared by:

An attribute set providing additional container settings in addition to the default properties

Type: unspecified

Default: { }

Declared by:

A list of paths containing additional modules that are added to the search folders

Type: unspecified

Default: [ ]

Declared by:

An attribute set in which each attribute represents a machine property. Optionally, these values can be shell substitutions.

Type: unspecified

Default: { }

Declared by:

Some NixOS packages provide debug symbols. However, these are not included in the system closure by default to save disk space. Enabling this option causes the debug symbols to appear in /run/current-system/sw/lib/debug/.build-id, where tools such as gdb can find them. If you need debug symbols for a package that doesn't provide them by default, you can enable them as follows:

nixpkgs.config.packageOverrides = pkgs: {
  hello = pkgs.hello.overrideAttrs (oldAttrs: {
    separateDebugInfo = true;
  });
};

Type: boolean

Default: false

Declared by:

Alias of _module.check.

Type: boolean

Declared by:

Set of files that have to be linked in /etc.

Type: list or attribute set of submodules

Default: { }

Example:

{ example-configuration-file =
    { source = "/nix/store/.../etc/dir/file.conf.example";
      mode = "0440";
    };
  "default/useradd".text = "GROUP=100 ...";
}

Declared by:

Whether this /etc file should be generated. This option allows specific /etc files to be disabled.

Type: boolean

Default: true

Declared by:

GID of created file. Only takes affect when the file is copied (that is, the mode is not 'symlink').

Type: signed integer

Default: 0

Declared by:

Group name of created file. Only takes affect when the file is copied (that is, the mode is not 'symlink'). Changing this option takes precedence over gid.

Type: string

Default: "+0"

Declared by:

If set to something else than symlink, the file is copied instead of symlinked, with the given file mode.

Type: string

Default: "symlink"

Example: "0600"

Declared by:

Path of the source file.

Type: path

Declared by:

Name of symlink (relative to /etc). Defaults to the attribute name.

Type: string

Declared by:

Text of the file.

Type: null or strings concatenated with "\n"

Default: null

Declared by:

UID of created file. Only takes affect when the file is copied (that is, the mode is not 'symlink').

Type: signed integer

Default: 0

Declared by:

User name of created file. Only takes affect when the file is copied (that is, the mode is not 'symlink'). Changing this option takes precedence over uid.

Type: string

Default: "+0"

Declared by:

Shell script code called during global environment initialisation after all variables and profileVariables have been set. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with "\n"

Default: ""

Declared by:

List of additional package outputs to be symlinked into /run/current-system/sw.

Type: list of strings

Default: [ ]

Example: [ "doc" "info" "devdoc" ]

Declared by:

Shell fragments to be run after the system environment has been created. This should only be used for things that need to modify the internals of the environment, e.g. generating MIME caches. The environment being built can be accessed at $out.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Configure freetds database entries. Each attribute denotes a section within freetds.conf, and the value (a string) is the config content for that section. When at least one entry is configured the global environment variables FREETDSCONF, FREETDS and SYBASE will be configured to allow the programs that use freetds to find the library and config.

Type: attribute set of strings

Default: { }

Example:

{ MYDATABASE = ''
    host = 10.0.2.100
    port = 1433
    tds version = 7.2
  '';
}

Declared by:

Which packages gnome should exclude from the default environment

Type: list of packages

Default: [ ]

Example:

[ pkgs.gnome3.totem ]

Declared by:

Include ~/bin/ in $PATH.

Type: boolean

Default: false

Declared by:

Shell script code called during interactive shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Shell script code called during login shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with "\n"

Default: ""

Declared by:

Which LXQt packages to exclude from the default environment

Type: list of packages

Default: [ ]

Example:

[ pkgs.lxqt.qterminal ]

Declared by:

Which MATE packages to exclude from the default environment

Type: list of packages

Default: [ ]

Example:

[ pkgs.mate.mate-terminal pkgs.mate.pluma ]

Declared by:

The system-wide memory allocator.

Briefly, the system-wide memory allocator providers are:

Type: one of "libc", "graphene-hardened", "jemalloc", "scudo"

Default: "libc"

Declared by:

Switch off the options in the default configuration that require X11 libraries. This includes client-side font configuration and SSH forwarding of X11 authentication in. Thus, you probably do not want to enable this option if you want to run X11 programs on this machine via SSH.

Type: boolean

Default: false

Declared by:

Which packages pantheon should exclude from the default environment

Type: list of packages

Default: [ ]

Example:

[ pkgs.pantheon.elementary-camera ]

Declared by:

List of directories to be symlinked in /run/current-system/sw.

Type: list of strings

Default: [ ]

Example: [ "/" ]

Declared by:

Attribute set of environment variable. Each attribute maps to a list of relative paths. Each relative path is appended to the each profile of environment.profiles to form the content of the corresponding environment variable.

Type: attribute set of list of stringss

Example: { MANPATH = [ "/man" "/share/man" ] ; PATH = [ "/bin" ] ; }

Declared by:

Attribute set of environment variable used in the global environment. These variables will be set by PAM early in the login process.

Variable substitution is available as described in pam_env.conf(5).

Each attribute maps to a list of relative paths. Each relative path is appended to the each profile of environment.profiles to form the content of the corresponding environment variable.

Also, these variables are merged into environment.profileRelativeEnvVars and it is therefore not possible to use PAM style variables such as @{HOME}.

Type: attribute set of list of stringss

Example: { MANPATH = [ "/man" "/share/man" ] ; PATH = [ "/bin" ] ; }

Declared by:

A list of profiles used to setup the global environment.

Type: list of strings

Default: [ ]

Declared by:

A set of environment variables used in the global environment. These variables will be set by PAM early in the login process.

The value of each session variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.

Note, due to limitations in the PAM format values may not contain the " character.

Also, these variables are merged into environment.variables and it is therefore not possible to use PAM style variables such as @{HOME}.

Type: attribute set of string or list of stringss

Default: { }

Declared by:

An attribute set that maps aliases (the top level attribute names in this option) to command strings or directly to build outputs. The aliases are added to all users' shells. Aliases mapped to null are ignored.

Type: attribute set of null or string or paths

Example: { l = null; ll = "ls -l"; }

Declared by:

Shell script code called during shell initialisation. This code is assumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: strings concatenated with "\n"

Default: ""

Declared by:

A list of permissible login shells for user accounts. No need to mention /bin/sh here, it is placed into this list implicitly.

Type: list of package or paths

Default: [ ]

Example:

[ pkgs.bashInteractive pkgs.zsh ]

Declared by:

The set of packages that appear in /run/current-system/sw. These packages are automatically available to all users, and are automatically updated every time you rebuild the system configuration. (The latter is the main difference with installing them in the default profile, /nix/var/nix/profiles/default.

Type: list of packages

Default: [ ]

Example:

[ pkgs.firefox pkgs.thunderbird ]

Declared by:

Specifies Unix ODBC drivers to be registered in /etc/odbcinst.ini. You may also want to add pkgs.unixODBC to the system path to get a command line client to connect to ODBC databases.

Type: list of packages

Default: [ ]

Example:

with pkgs.unixODBCDrivers; [ sqlite psql ]

Declared by:

A set of environment variables used in the global environment. These variables will be set on shell initialisation (e.g. in /etc/profile). The value of each variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.

Type: attribute set of string or list of stringss

Default: { }

Example: { EDITOR = "nvim"; VISUAL = "nvim"; }

Declared by:

The file systems to be mounted. It must include an entry for the root directory (mountPoint = "/"). Each entry in the list is an attribute set with the following fields: mountPoint, device, fsType (a file system type recognised by mount; defaults to "auto"), and options (the mount options passed to mount using the -o flag; defaults to [ "defaults" ]).

Instead of specifying device, you can also specify a volume label (label) for file systems that support it, such as ext2/ext3 (see mke2fs -L).

Type: list or attribute set of submodules

Default: { }

Example:

{
  "/".device = "/dev/hda1";
  "/data" = {
    device = "/dev/hda2";
    fsType = "ext3";
    options = [ "data=journal" ];
  };
  "/bigdisk".label = "bigdisk";
}

Declared by:

If the device does not currently contain a filesystem (as determined by blkid, then automatically format it with the filesystem type specified in fsType. Use with caution.

Type: boolean

Default: false

Declared by:

If set, the filesystem is grown to its maximum size before being mounted. (This is typically the size of the containing partition.) This is currently only supported for ext2/3/4 filesystems that are mounted during early boot.

Type: boolean

Default: false

Declared by:

Location of the device.

Type: null or string (with check: non-empty)

Default: null

Example: "/dev/sda"

Declared by:

The block device is backed by an encrypted one, adds this device as a initrd luks entry.

Type: boolean

Default: false

Declared by:

Location of the backing encrypted device.

Type: null or string

Default: null

Example: "/dev/sda1"

Declared by:

File system location of keyfile. This unlocks the drive after the root has been mounted to /mnt-root.

Type: null or string

Default: null

Example: "/mnt-root/root/.swapkey"

Declared by:

Label of the unlocked encrypted device. Set fileSystems.<name?>.device to /dev/mapper/<label> to mount the unlocked device.

Type: null or string

Default: null

Example: "rootfs"

Declared by:

If autoFormat option is set specifies extra options passed to mkfs.

Type: string

Default: ""

Declared by:

Type of the file system.

Type: string (with check: non-empty)

Default: "auto"

Example: "ext3"

Declared by:

Label of the device (if any).

Type: null or string (with check: non-empty)

Default: null

Example: "root-partition"

Declared by:

Location of the mounted the file system.

Type: string (with check: non-empty)

Example: "/mnt/usb"

Declared by:

If set, this file system will be mounted in the initial ramdisk. By default, this applies to the root file system and to the file system containing /nix/store.

Type: boolean

Default: false

Declared by:

Disable running fsck on this filesystem.

Type: boolean

Default: false

Declared by:

Options used to mount the file system.

Type: list of string (with check: non-empty)s

Default: [ "defaults" ]

Example: [ "data=journal" ]

Declared by:

Enable a basic set of fonts providing several font styles and families and reasonable coverage of Unicode.

Type: boolean

Default: false

Declared by:

Whether to create a directory with links to all fonts in /run/current-system/sw/share/X11-fonts.

Type: boolean

Default: false

Declared by:

Whether to add the fonts provided by Ghostscript (such as various URW fonts and the “Base-14” Postscript fonts) to the list of system fonts, making them available to X11 applications.

Type: boolean

Default: false

Declared by:

If enabled, a Fontconfig configuration file will be built pointing to a set of default fonts. If you don't care about running X11 applications or any other program that uses Fontconfig, you can turn this option off and prevent a dependency on all those fonts.

Type: boolean

Default: true

Declared by:

Allow bitmap fonts. Set to false to ban all bitmap fonts.

Type: boolean

Default: true

Declared by:

Allow Type-1 fonts. Default is false because of poor rendering.

Type: boolean

Default: false

Declared by:

Enable font antialiasing. At high resolution (> 200 DPI), antialiasing has no visible effect; users of such displays may want to disable this option.

Type: boolean

Default: true

Declared by:

Generate system fonts cache for 32-bit applications.

Type: boolean

Default: false

Declared by:

System-wide default emoji font(s). Multiple fonts may be listed in case a font does not support all emoji.

Note that fontconfig matches color emoji fonts preferentially, so if you want to use a black and white font while having a color font installed (eg. Noto Color Emoji installed alongside Noto Emoji), fontconfig will still choose the color font even when it is later in the list.

Type: list of strings

Default: [ "Noto Color Emoji" ]

Declared by:

System-wide default monospace font(s). Multiple fonts may be listed in case multiple languages must be supported.

Type: list of strings

Default: [ "DejaVu Sans Mono" ]

Declared by:

System-wide default sans serif font(s). Multiple fonts may be listed in case multiple languages must be supported.

Type: list of strings

Default: [ "DejaVu Sans" ]

Declared by:

System-wide default serif font(s). Multiple fonts may be listed in case multiple languages must be supported.

Type: list of strings

Default: [ "DejaVu Serif" ]

Declared by:

Force DPI setting. Setting to 0 disables DPI forcing; the DPI detected for the display will be used.

Type: signed integer

Default: 0

Declared by:

Enable font hinting. Hinting aligns glyphs to pixel boundaries to improve rendering sharpness at low resolution. At high resolution (> 200 dpi) hinting will do nothing (at best); users of such displays may want to disable this option.

Type: boolean

Default: true

Declared by:

Enable the autohinter in place of the default interpreter. The results are usually lower quality than correctly-hinted fonts, but better than unhinted fonts.

Type: boolean

Default: false

Declared by:

Include the user configuration from ~/.config/fontconfig/fonts.conf or ~/.config/fontconfig/conf.d.

Type: boolean

Default: true

Declared by: