All Module Options¶
This page contains the complete auto-generated reference for all available module options. For a curated overview of the most commonly used options, see Module Options.
Auto-generated
This documentation is automatically generated from the Nix module definitions using nixosOptionsDoc.
_module.args¶
Additional arguments passed to each module in addition to ones
like lib, config,
and pkgs, modulesPath.
This option is also available to all submodules. Submodules do not
inherit args from their parent module, nor do they provide args to
their parent module or sibling submodules. The sole exception to
this is the argument name which is provided by
parent modules to a submodule and contains the attribute name
the submodule is bound to, or a unique generated name if it is
not bound to an attribute.
Some arguments are already passed by default, of which the following cannot be changed with this option:
- lib: The nixpkgs library.
- config: The results of all options after merging the values from all modules together.
- options: The options declared in all modules.
- specialArgs: The specialArgs argument passed to evalModules.
- All attributes of specialArgs
Whereas option values can generally depend on other option values
thanks to laziness, this does not apply to imports, which
must be computed statically before anything else.
For this reason, callers of the module system can provide specialArgs
which are available during import resolution.
For NixOS, specialArgs includes
modulesPath, which allows you to import
extra modules from the nixpkgs package tree without having to
somehow make the module aware of the location of the
nixpkgs or NixOS directories.
For NixOS, the default value for this option includes at least this argument:
- pkgs: The nixpkgs package set according to the nixpkgs.pkgs option.
Type: lazy attribute set of raw value
Declared by:
- \
boot¶
This option has no description.
Type: raw value
Declared by:
- \
build.etc.entries¶
This option has no description.
Type: attribute set of raw value
Declared by:
- \
build.etc.staticEnv¶
This option has no description.
Type: package
Declared by:
- \
build.scripts¶
This option has no description.
Type: attribute set of package
Declared by:
- \
build.services¶
This option has no description.
Type: attribute set of raw value
Declared by:
- \
build.toplevel¶
This option has no description.
Type: path in the Nix store (read only)
Declared by:
- \
environment.etc¶
Set of files that have to be linked in /etc.
Type: attribute set of (submodule)
Default:
Example:
Declared by:
- \
environment.etc.\.enable¶
Whether this /etc file should be generated. This option allows specific /etc files to be disabled.
Type: boolean
Default:
Declared by:
- \
environment.etc.\.gid¶
GID of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’).
Type: signed integer
Default:
Declared by:
- \
environment.etc.\.group¶
Group name of created file.
Only takes effect when the file is copied (that is, the mode is not ‘symlink’).
Changing this option takes precedence over gid.
Type: string
Default:
Declared by:
- \
environment.etc.\.mode¶
If set to something other than symlink,
the file is copied instead of symlinked, with the given
file mode.
Type: string
Default:
Example:
Declared by:
- \
environment.etc.\.replaceExisting¶
Whether to replace a pre-existing file at the target path.
When enabled, the existing file is backed up to
{file}\
Type: boolean
Default:
Declared by:
- \
environment.etc.\.source¶
Path of the source file.
Type: absolute path
Declared by:
- \
environment.etc.\.target¶
Name of symlink (relative to
/etc). Defaults to the attribute
name.
Type: string
Declared by:
- \
environment.etc.\.text¶
Text of the file.
Type: null or strings concatenated with “\n”
Default:
Declared by:
- \
environment.etc.\.uid¶
UID of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’).
Type: signed integer
Default:
Declared by:
- \
environment.etc.\.user¶
User name of created file.
Only takes effect when the file is copied (that is, the mode is not ‘symlink’).
Changing this option takes precedence over uid.
Type: string
Default:
Declared by:
- \
environment.pathsToLink¶
This option has no description.
Type: list of string
Default:
Declared by:
- \
environment.systemPackages¶
This option has no description.
Type: list of package
Default:
Declared by:
- \
meta.maintainers¶
List of maintainers of each module. This option should be defined at most once per module.
The option value is not a list of maintainers, but an attribute set that maps module file names to lists of maintainers.
Type: list of (maintainer)
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/modules/generic/meta-maintainers.nix
networking.enableIPv6¶
Whether to enable IPv6.
Type: boolean
Default:
Example:
Declared by:
- \
networking.firewall.enable¶
Whether to enable the firewall. Defaults to false in system-manager since firewall rules are managed by the host distribution.
Type: boolean
Default:
Declared by:
- \
networking.firewall.allowPing¶
Whether to respond to incoming ICMPv4 echo requests.
Type: boolean
Default:
Declared by:
- \
networking.firewall.allowedTCPPortRanges¶
A range of TCP ports on which incoming connections are accepted.
Type: list of attribute set of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
Example:
Declared by:
- \
networking.firewall.allowedTCPPorts¶
List of TCP ports on which incoming connections are accepted.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
Example:
Declared by:
- \
networking.firewall.allowedUDPPortRanges¶
Range of open UDP ports.
Type: list of attribute set of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
Example:
Declared by:
- \
networking.firewall.allowedUDPPorts¶
List of open UDP ports.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
Example:
Declared by:
- \
networking.firewall.autoLoadConntrackHelpers¶
Whether to auto-load connection-tracking helpers.
Type: boolean
Default:
Declared by:
- \
networking.firewall.checkReversePath¶
Performs a reverse path filter test on a packet.
Type: boolean or one of “strict”, “loose”
Default:
Declared by:
- \
networking.firewall.connectionTrackingModules¶
List of connection-tracking helpers that are auto-loaded.
Type: list of string
Default:
Declared by:
- \
networking.firewall.extraPackages¶
Additional packages to be included in the environment of the system.
Type: list of package
Default:
Declared by:
- \
networking.firewall.filterForward¶
Enable filtering in IP forwarding.
Type: boolean
Default:
Declared by:
- \
networking.firewall.interfaces¶
Interface-specific open ports.
Type: attribute set of (submodule)
Default:
Declared by:
- \
networking.firewall.interfaces.\.allowedTCPPortRanges¶
A range of TCP ports on which incoming connections are accepted.
Type: list of attribute set of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
Example:
Declared by:
- \
networking.firewall.interfaces.\.allowedTCPPorts¶
List of TCP ports on which incoming connections are accepted.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
Example:
Declared by:
- \
networking.firewall.interfaces.\.allowedUDPPortRanges¶
Range of open UDP ports.
Type: list of attribute set of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
Example:
Declared by:
- \
networking.firewall.interfaces.\.allowedUDPPorts¶
List of open UDP ports.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
Example:
Declared by:
- \
networking.firewall.logRefusedConnections¶
Whether to log rejected or dropped incoming connections.
Type: boolean
Default:
Declared by:
- \
networking.firewall.logRefusedPackets¶
Whether to log all rejected or dropped incoming packets.
Type: boolean
Default:
Declared by:
- \
networking.firewall.logRefusedUnicastsOnly¶
If logRefusedPackets is enabled, only log unicast packets.
Type: boolean
Default:
Declared by:
- \
networking.firewall.logReversePathDrops¶
Logs dropped packets failing the reverse path filter test.
Type: boolean
Default:
Declared by:
- \
networking.firewall.pingLimit¶
If pings are allowed, this allows setting rate limits on them.
Type: null or strings concatenated with " "
Default:
Declared by:
- \
networking.firewall.rejectPackets¶
If set, refused packets are rejected rather than dropped.
Type: boolean
Default:
Declared by:
- \
networking.firewall.trustedInterfaces¶
Traffic coming in from these interfaces will be accepted unconditionally.
Type: list of string
Default:
Example:
Declared by:
- \
nix.enable¶
Whether to enable Nix. Disabling Nix makes the system hard to modify and the Nix programs and configuration will not be made available by NixOS itself.
Type: boolean
Default:
Declared by:
- \
nix.package¶
This option specifies the Nix package instance to use throughout the system.
Type: package
Default:
Declared by:
- \
nix.checkAllErrors¶
If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.checkConfig¶
If enabled, checks that Nix can parse the generated nix.conf.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.extraOptions¶
Additional text appended to nix.conf.
Type: strings concatenated with “\n”
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.settings¶
Configuration for Nix, see
https://nixos.org/manual/nix/stable/command-ref/conf-file.html or
nix.conf(5) for available options.
The value declared here will be translated directly to the key-value pairs Nix expects.
You can use nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings
to view the current value. By default it is empty.
Nix configurations defined under nix.* will be translated and applied to this
option. In addition, configuration specified in nix.extraOptions will be appended
verbatim to the resulting config file.
Type: open submodule of attribute set of (Nix config atom (null, bool, int, float, str, path or package) or list of (Nix config atom (null, bool, int, float, str, path or package)))
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.settings.allowed-users¶
A list of names of users (separated by whitespace) that are
allowed to connect to the Nix daemon. As with
nix.settings.trusted-users, you can specify groups by
prefixing them with @. Also, you can
allow all users by specifying *. The
default is *. Note that trusted users are
always allowed to connect.
Type: list of string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.settings.auto-optimise-store¶
If set to true, Nix automatically detects files in the store that have identical contents, and replaces them with hard links to a single copy. This saves disk space. If set to false (the default), you can still run nix-store --optimise to get rid of duplicate files.
Type: boolean
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.settings.cores¶
This option defines the maximum number of concurrent tasks during one build. It affects, e.g., -j option for make. The special value 0 means that the builder should use all available CPU cores in the system. Some builds may become non-deterministic with this option; use with care! Packages will only be affected if enableParallelBuilding is set for them.
Type: signed integer
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.settings.extra-sandbox-paths¶
Directories from the host filesystem to be included in the sandbox.
Type: list of string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.settings.max-jobs¶
This option defines the maximum number of jobs that Nix will try to build in parallel. The default is auto, which means it will use all available logical cores. It is recommended to set it to the total number of logical cores in your system (e.g., 16 for two CPUs with 4 cores each and hyper-threading).
Type: signed integer or value “auto” (singular enum)
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.settings.require-sigs¶
If enabled (the default), Nix will only download binaries from binary caches if
they are cryptographically signed with any of the keys listed in
nix.settings.trusted-public-keys. If disabled, signatures are neither
required nor checked, so it’s strongly recommended that you use only
trustworthy caches and https to prevent man-in-the-middle attacks.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.settings.sandbox¶
If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies outside of the Nix store by using network and mount namespaces in a chroot environment.
This is enabled by default even though it has a possible performance impact due to the initial setup time of a sandbox for each build. It doesn’t affect derivation hashes, so changing this option will not trigger a rebuild of packages.
When set to “relaxed”, this option permits derivations that set
__noChroot = true; to run outside of the sandboxed environment.
Exercise caution when using this mode of operation! It is intended to
be a quick hack when building with packages that are not easily set up
to be built reproducibly.
Type: boolean or value “relaxed” (singular enum)
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.settings.substituters¶
List of binary cache URLs used to obtain pre-built binaries of Nix packages.
By default https://cache.nixos.org/ is added.
Type: list of string
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.settings.system-features¶
The set of features supported by the machine. Derivations
can express dependencies on system features through the
requiredSystemFeatures attribute.
Type: list of string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.settings.trusted-public-keys¶
List of public keys used to sign binary caches. If
nix.settings.require-sigs is enabled,
then Nix will use a binary from a binary cache if and only
if it is signed by any of the keys
listed here. By default, only the key for
cache.nixos.org is included.
Type: list of string
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.settings.trusted-substituters¶
List of binary cache URLs that non-root users can use (in
addition to those specified using
nix.settings.substituters) by passing
--option binary-caches to Nix commands.
Type: list of string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nix.settings.trusted-users¶
A list of names of users that have additional rights when
connecting to the Nix daemon, such as the ability to specify
additional binary caches, or to import unsigned NARs. You
can also specify groups by prefixing them with
@; for instance,
@wheel means all users in the wheel
group.
Type: list of string
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/config/nix.nix
nixpkgs.buildPlatform¶
This option has no description.
Type: string
Default:
Example:
Declared by:
- \
nixpkgs.config¶
Configuration used to instantiate nixpkgs.
Type: attribute set
Default:
Declared by:
- \
nixpkgs.hostPlatform¶
The platform for which to build the system configuration.
Type: string or (attribute set)
Default:
Example:
Declared by:
- \
nixpkgs.overlays¶
This option has no description.
Type: list of anything
Default:
Declared by:
- \
security.acme.acceptTerms¶
Accept the CA’s terms of service. The default provider is Let’s Encrypt; you can find their ToS at https://letsencrypt.org/repository/.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs¶
Attribute set of certificates to get signed and renewed. Creates
acme-${cert}.{service,timer} systemd units for
each certificate defined here. Other services can add dependencies
to those units if they rely on the certificates being present,
or trigger restarts of the service if certificates get renewed.
Type: attribute set of (submodule)
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.enableDebugLogs¶
Whether to enable debug logging for this certificate.
Type: boolean
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.credentialFiles¶
Environment variables suffixed by “_FILE” to set for the cert’s service for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider. This allows credential files to be passed securely to lego by leveraging systemd credentials.
Type: attribute set of absolute path
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.csr¶
Path to a certificate signing request to apply when fetching the certificate.
Type: null or string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.csrKey¶
Path to the private key to the matching certificate signing request.
Type: null or string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.directory¶
Directory where certificate and other state is stored.
Type: string (read only)
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.dnsPropagationCheck¶
Toggles lego DNS propagation check, which is used alongside DNS-01 challenge to ensure the DNS entries required are available.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.dnsProvider¶
DNS Challenge provider. For a list of supported providers, see the “code” field of the DNS providers listed at https://go-acme.github.io/lego/dns/.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.dnsResolver¶
Set the resolver to use for performing recursive DNS queries. Supported: host:port. The default is to use the system resolvers, or Google’s DNS resolvers if the system’s cannot be determined.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.domain¶
Domain to fetch certificate for (defaults to the entry name).
Type: string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.email¶
Email address for account creation and correspondence from the CA. It is recommended to use the same email for all certs to avoid account creation limits.
Type: null or string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.environmentFile¶
Path to an EnvironmentFile for the cert’s service containing any required and optional environment variables for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider.
Type: null or absolute path
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.extraDomainNames¶
A list of extra domain names, which are included in the one certificate to be issued.
Type: list of string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.extraLegoFlags¶
Additional global flags to pass to all lego commands.
Type: list of string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.extraLegoRenewFlags¶
Additional flags to pass to lego renew.
Type: list of string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.extraLegoRunFlags¶
Additional flags to pass to lego run.
Type: list of string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.group¶
Group running the ACME client.
Type: string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.inheritDefaults¶
Whether to inherit values set in security.acme.defaults or not.
Type: boolean
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.keyType¶
Key type to use for private keys. For an up-to-date list of supported values, check the --key-type option at https://go-acme.github.io/lego/usage/cli/options/.
Type: string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.listenHTTP¶
Interface and port to listen on to solve HTTP challenges
in the form [INTERFACE]:PORT.
If you use a port other than 80, you must proxy port 80 to this port.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.ocspMustStaple¶
Turns on the OCSP Must-Staple TLS extension. Make sure you know what you’re doing! See:
- https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/
- https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.postRun¶
Commands to run after new certificates go live. Note that these commands run as the root user.
Executed in the same directory with the new certificate.
Type: strings concatenated with “\n”
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.profile¶
The certificate profile to choose if the CA offers multiple profiles.
Type: null or string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.reloadServices¶
The list of systemd services to call systemctl try-reload-or-restart
on.
Type: list of string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.renewInterval¶
Systemd calendar expression when to check for renewal. See
systemd.time(7).
Type: string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.s3Bucket¶
S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.server¶
ACME Directory Resource URI. Defaults to Let’s Encrypt’s production endpoint. For testing, Let’s Encrypt’s staging endpoint should be used to avoid the rather tight rate limit on the production endpoint.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.validMinDays¶
Minimum remaining validity before renewal in days.
Type: signed integer
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.certs.\.webroot¶
Where the webroot of the HTTP vhost is located.
.well-known/acme-challenge/ directory
will be created below the webroot if it doesn’t exist.
http://example.org/.well-known/acme-challenge/ must also
be available (notice unencrypted HTTP).
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults¶
Default values inheritable by all configured certs. You can
use this to define options shared by all your certs. These defaults
can also be ignored on a per-cert basis using the
security.acme.certs.${cert}.inheritDefaults option.
Type: submodule
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.enableDebugLogs¶
Whether to enable debug logging for this certificate.
Type: boolean
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.credentialFiles¶
Environment variables suffixed by “_FILE” to set for the cert’s service for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider. This allows credential files to be passed securely to lego by leveraging systemd credentials.
Type: attribute set of absolute path
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.dnsPropagationCheck¶
Toggles lego DNS propagation check, which is used alongside DNS-01 challenge to ensure the DNS entries required are available.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.dnsProvider¶
DNS Challenge provider. For a list of supported providers, see the “code” field of the DNS providers listed at https://go-acme.github.io/lego/dns/.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.dnsResolver¶
Set the resolver to use for performing recursive DNS queries. Supported: host:port. The default is to use the system resolvers, or Google’s DNS resolvers if the system’s cannot be determined.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.email¶
Email address for account creation and correspondence from the CA. It is recommended to use the same email for all certs to avoid account creation limits.
Type: null or string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.environmentFile¶
Path to an EnvironmentFile for the cert’s service containing any required and optional environment variables for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider.
Type: null or absolute path
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.extraLegoFlags¶
Additional global flags to pass to all lego commands.
Type: list of string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.extraLegoRenewFlags¶
Additional flags to pass to lego renew.
Type: list of string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.extraLegoRunFlags¶
Additional flags to pass to lego run.
Type: list of string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.group¶
Group running the ACME client.
Type: string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.keyType¶
Key type to use for private keys. For an up-to-date list of supported values, check the --key-type option at https://go-acme.github.io/lego/usage/cli/options/.
Type: string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.listenHTTP¶
Interface and port to listen on to solve HTTP challenges
in the form [INTERFACE]:PORT.
If you use a port other than 80, you must proxy port 80 to this port.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.ocspMustStaple¶
Turns on the OCSP Must-Staple TLS extension. Make sure you know what you’re doing! See:
- https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/
- https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.postRun¶
Commands to run after new certificates go live. Note that these commands run as the root user.
Executed in the same directory with the new certificate.
Type: strings concatenated with “\n”
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.profile¶
The certificate profile to choose if the CA offers multiple profiles.
Type: null or string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.reloadServices¶
The list of systemd services to call systemctl try-reload-or-restart
on.
Type: list of string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.renewInterval¶
Systemd calendar expression specifying when to check for renewal. See
systemd.time(7).
Type: string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.server¶
ACME Directory Resource URI. Defaults to Let’s Encrypt’s production endpoint. For testing, Let’s Encrypt’s staging endpoint should be used to avoid the rather tight rate limit on the production endpoint.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.validMinDays¶
Minimum remaining validity before renewal in days.
Type: signed integer
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.defaults.webroot¶
Where the webroot of the HTTP vhost is located.
A .well-known/acme-challenge/ directory
will be created below the webroot if it doesn’t exist.
http://example.org/.well-known/acme-challenge/ must also
be available (notice unencrypted HTTP).
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.maxConcurrentRenewals¶
Maximum number of concurrent certificate generation or renewal jobs. All other jobs will queue and wait for running jobs to finish. Reduces the system load of certificate generation.
Set to 0 to allow an unlimited number of concurrent job runs.
Type: signed integer
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
security.acme.useRoot¶
Whether to use the root user when generating certs. This is not recommended for security + compatibility reasons. If a service requires root owned certificates consider following the guide on “Using ACME with services demanding root owned certificates” in the NixOS manual, and only using this as a fallback or for testing.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/security/acme/
services.nginx.enable¶
Whether to enable Nginx Web Server.
Type: boolean
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.enableQuicBPF¶
Enables routing of QUIC packets using eBPF. When enabled, this allows
QUIC connection migration to be supported. The directive is only supported
on Linux 5.7+.
Note that enabling this option will make nginx run with extended
capabilities that are usually limited to processes running as root,
namely CAP_SYS_ADMIN and CAP_NET_ADMIN.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.enableReload¶
Reload nginx when configuration file changes (instead of restart).
The configuration file is exposed at /etc/nginx/nginx.conf.
See also systemd.services.*.restartIfChanged.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.package¶
Nginx package to use. This defaults to the stable version. Note
that the nginx team recommends using the mainline version, which is
available in nixpkgs as nginxMainline.
Supported Nginx forks include angie, openresty and tengine.
Type: package
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.additionalModules¶
Additional third-party nginx modules
to install. Packaged modules are available in pkgs.nginxModules.
Type: list of attribute set of anything
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.appendConfig¶
Configuration lines appended to the generated Nginx
configuration file. Commonly used by different modules
providing http snippets. appendConfig
can be specified more than once and its value will be
concatenated (contrary to config which
can be set only once).
Type: strings concatenated with “\n”
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.appendHttpConfig¶
Configuration lines to be appended to the generated http block. This is mutually exclusive with using config and httpConfig for specifying the whole http block verbatim.
Type: strings concatenated with “\n”
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.clientMaxBodySize¶
Set nginx global client_max_body_size.
Type: string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.commonHttpConfig¶
With nginx you must provide common http context definitions before they are used, e.g. log_format, resolver, etc. inside of server or location contexts. Use this attribute to set these definitions at the appropriate location.
Type: strings concatenated with “\n”
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.config¶
Verbatim nginx.conf configuration.
This is mutually exclusive to any other config option for
nginx.conf except for
If additional verbatim config in addition to other options is needed, should be used instead.
Type: string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.defaultHTTPListenPort¶
If vhosts do not specify listen.port, use these ports for HTTP by default.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.defaultListen¶
If vhosts do not specify listen, use these addresses by default.
This option takes precedence over defaultListenAddresses and
other listen-related default options.
Type: list of (submodule)
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.defaultListen.*.addr¶
IP address.
Type: string
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.defaultListen.*.extraParameters¶
Extra parameters of this listen directive.
Type: list of string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.defaultListen.*.port¶
Port number.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.defaultListen.*.proxyProtocol¶
Enable PROXY protocol.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.defaultListen.*.ssl¶
Enable SSL.
Type: null or boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.defaultListenAddresses¶
If vhosts do not specify listenAddresses, use these addresses by default.
This is akin to writing defaultListen = [ { addr = "0.0.0.0"; } ].
Type: list of string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.defaultMimeTypes¶
Default MIME types for NGINX. Because the MIME type definitions shipped with NGINX are very incomplete, the ones bundled in the mailcap package, which most other Linux distributions use, are used by default.
Type: absolute path
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.defaultSSLListenPort¶
If vhosts do not specify listen.port, use these ports for SSL by default.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.eventsConfig¶
Configuration lines to be set inside the events block.
Type: strings concatenated with “\n”
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.experimentalZstdSettings¶
Enable alpha quality zstd module with recommended settings. Learn more about compression in Zstd format here.
This adds pkgs.nginxModules.zstd to services.nginx.additionalModules.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.group¶
Group account under which nginx runs.
Type: string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.httpConfig¶
Configuration lines to be set inside the http block. This is mutually exclusive with the structured configuration via virtualHosts and the recommendedXyzSettings configuration options. See appendHttpConfig for appending to the generated http block.
Type: strings concatenated with “\n”
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.logError¶
Configures logging. The first parameter defines a file that will store the log. The special value stderr selects the standard error file. Logging to syslog can be configured by specifying the “syslog:” prefix. The second parameter determines the level of logging, and can be one of the following: debug, info, notice, warn, error, crit, alert, or emerg. Log levels above are listed in the order of increasing severity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged. If this parameter is omitted then error is used.
Type: string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.mapHashBucketSize¶
Sets the bucket size for the map variables hash tables. Default value depends on the processor’s cache line size.
Refer to the nginx docs on hashes for more information.
Type: null or (positive integer, meaning >0)
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.mapHashMaxSize¶
Sets the maximum size of the map variables hash tables.
Type: null or (positive integer, meaning >0)
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.preStart¶
Shell commands executed before the service’s nginx is started.
Type: strings concatenated with “\n”
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.prependConfig¶
Configuration lines prepended to the generated Nginx
configuration file. Can for example be used to load modules.
prependConfig can be specified more than once
and its value will be concatenated (contrary to config
which can be set only once).
Type: strings concatenated with “\n”
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.proxyCachePath¶
Configure a proxy cache path entry. See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path for documentation.
Type: attribute set of (submodule)
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.proxyCachePath.<name>.enable¶
Whether to enable this proxy cache path entry.
Type: boolean
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.proxyCachePath.<name>.inactive¶
Cached data that has not been accessed for the time specified by the inactive parameter is removed from the cache, regardless of its freshness.
Type: string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.proxyCachePath.<name>.keysZoneName¶
Set the name of the shared memory zone.
Type: string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.proxyCachePath.<name>.keysZoneSize¶
Set the size of the shared memory zone.
Type: string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.proxyCachePath.<name>.levels¶
The levels parameter defines the structure of subdirectories in the cache: from
1 to 3 levels, each level accepting the value 1 or 2. Any combination of
1 and 2 can be used in these formats: x, x:x and xx.
Type: string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.proxyCachePath.<name>.maxSize¶
Set maximum cache size
Type: string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.proxyCachePath.<name>.useTempPath¶
Nginx first writes files that are destined for the cache to a temporary storage area, and the use_temp_path=off directive instructs Nginx to write them to the same directories where they will be cached. It is recommended that you set this parameter to off to avoid unnecessary copying of data between file systems.
Type: boolean
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.proxyResolveWhileRunning¶
Resolves domains of proxyPass targets at runtime and not only at startup. This can be used as a workaround if nginx fails to start because of not-yet-working DNS.
Warning: services.nginx.resolver must be set for this option to work.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.proxyTimeout¶
Change the proxy related timeouts in recommendedProxySettings.
Type: string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.recommendedBrotliSettings¶
Enable recommended brotli settings. Learn more about compression in Brotli format here.
This adds pkgs.nginxModules.brotli to services.nginx.additionalModules.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.recommendedGzipSettings¶
Enable recommended gzip settings. Learn more about compression in Gzip format here.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.recommendedOptimisation¶
Enable recommended optimisation settings.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.recommendedProxySettings¶
Whether to enable recommended proxy settings if a vhost does not specify the option manually.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.recommendedTlsSettings¶
Enable recommended TLS settings.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.recommendedUwsgiSettings¶
Whether to enable recommended uwsgi settings if a vhost does not specify the option manually.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.resolver¶
Configures name servers used to resolve names of upstream servers into addresses
Type: submodule
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.resolver.addresses¶
List of resolvers to use
Type: list of string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.resolver.ipv4¶
By default, nginx will look up both IPv4 and IPv6 addresses while resolving. If looking up of IPv4 addresses is not desired, the ipv4=off parameter can be specified.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.resolver.ipv6¶
By default, nginx will look up both IPv4 and IPv6 addresses while resolving. If looking up of IPv6 addresses is not desired, the ipv6=off parameter can be specified.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.resolver.valid¶
By default, nginx caches answers using the TTL value of a response. An optional valid parameter allows overriding it
Type: string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.serverNamesHashBucketSize¶
Sets the bucket size for the server names hash tables. Default value depends on the processor’s cache line size.
Type: null or (positive integer, meaning >0)
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.serverNamesHashMaxSize¶
Sets the maximum size of the server names hash tables.
Type: null or (positive integer, meaning >0)
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.serverTokens¶
Show nginx version in headers and error pages.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.sslCiphers¶
Ciphers to choose from when negotiating TLS handshakes.
Type: null or string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.sslDhparam¶
Path to DH parameters file.
Type: null or absolute path
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.sslProtocols¶
Allowed TLS protocol versions.
Type: string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.statusPage¶
Enable status page reachable from localhost on http://127.0.0.1/nginx_status.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.streamConfig¶
Configuration lines to be set inside the stream block.
Type: strings concatenated with “\n”
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.typesHashMaxSize¶
Sets the maximum size of the types hash tables (types_hash_max_size).
It is recommended that the minimum possible size is used.
If recommendedOptimisation is disabled, nginx would otherwise
fail to start since the mailcap mime.types database has more entries
than the nginx default value 1024.
Type: positive integer, meaning >0
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.upstreams¶
Defines a group of servers to use as proxy target.
Type: attribute set of (submodule)
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.upstreams.<name>.extraConfig¶
These lines go to the end of the upstream verbatim.
Type: strings concatenated with “\n”
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.upstreams.<name>.servers¶
Defines the address and other parameters of the upstream servers. See the documentation for the available parameters.
Type: attribute set of (open submodule of attribute set of (boolean or signed integer or string))
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.upstreams.<name>.servers.<name>.backup¶
Marks the server as a backup server. It will be passed requests when the primary servers are unavailable.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.user¶
User account under which nginx runs.
Type: string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.uwsgiResolveWhileRunning¶
Resolves domains of uwsgi targets at runtime and not only at start. You must also set services.nginx.resolver.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.uwsgiTimeout¶
Change the uwsgi related timeouts in recommendedUwsgiSettings.
Type: string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.validateConfigFile¶
Whether to enable validating configuration with pkgs.writeNginxConfig.
Type: boolean
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts¶
Declarative vhost config
Type: attribute set of (submodule)
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.enableACME¶
Whether to ask Let’s Encrypt to sign a certificate for this vhost.
Alternately, you can use an existing certificate through useACMEHost.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.acmeFallbackHost¶
Host to proxy requests to if the ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.
With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.
Type: null or string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.acmeRoot¶
Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.
Type: null or string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.addSSL¶
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for
listen to listen on all interfaces on the respective default
ports (80, 443).
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.basicAuth¶
Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the Nix store.
Type: attribute set of string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.basicAuthFile¶
Basic Auth password file for a vhost.
Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.
Type: null or absolute path
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.default¶
Makes this vhost the default.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.extraConfig¶
These lines go to the end of the vhost verbatim.
Type: strings concatenated with “\n”
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.forceSSL¶
Whether to add a separate nginx server block that redirects (defaults
to 301, configurable with redirectCode) all plain HTTP traffic to
HTTPS. This will set defaults for listen to listen on all interfaces
on the respective default ports (80, 443), where the non-SSL listens
are used for the redirect vhosts.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.globalRedirect¶
If set, all requests for this host are redirected (defaults to 301,
configurable with redirectCode) to the given hostname.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.http2¶
Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.http3¶
Whether to enable the HTTP/3 protocol.
This requires activating the QUIC transport protocol by setting
services.nginx.virtualHosts.<name>.quic = true;
Note that HTTP/3 support is experimental and not yet recommended for production.
Read more at https://quic.nginx.org/
HTTP/3 availability must be manually advertised, preferably in each location block.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.http3_hq¶
Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests.
This requires activating the QUIC transport protocol by setting
services.nginx.virtualHosts.<name>.quic = true;
Note that special application protocol support is experimental and not yet recommended for production.
Read more at https://quic.nginx.org/
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.kTLS¶
Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Requires Nginx version 1.21.4 or later.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.listen¶
Listen addresses and ports for this virtual host.
IPv6 addresses must be enclosed in square brackets.
Note: this option overrides addSSL
and onlySSL.
If you only want to set the addresses manually and not
the ports, take a look at listenAddresses.
Type: list of (submodule)
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.listen.*.addr¶
Listen address.
Type: string
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.listen.*.extraParameters¶
Extra parameters of this listen directive.
Type: list of string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.listen.*.port¶
Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.listen.*.proxyProtocol¶
Enable PROXY protocol.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.listen.*.ssl¶
Enable SSL.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.listenAddresses¶
Listen addresses for this virtual host.
Compared to listen this only sets the addresses
and the ports are chosen automatically.
Note: This option overrides networking.enableIPv6
Type: list of string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations¶
Declarative location config
Type: attribute set of (submodule)
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.alias¶
Alias directory for requests.
Type: null or absolute path
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.basicAuth¶
Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the Nix store.
Type: attribute set of string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.basicAuthFile¶
Basic Auth password file for a vhost.
Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.
Type: null or absolute path
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.extraConfig¶
These lines go to the end of the location verbatim.
Type: strings concatenated with “\n”
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.fastcgiParams¶
FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.
Type: attribute set of (string or absolute path)
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.index¶
Adds index directive.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.priority¶
Order of this location block in relation to the others in the vhost.
The semantics are the same as with lib.mkOrder. Smaller values have
a greater priority.
Type: signed integer
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.proxyPass¶
Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.proxyWebsockets¶
Whether to support proxying websocket connections with HTTP/1.1.
Type: boolean
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.recommendedProxySettings¶
Enable recommended proxy settings.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.recommendedUwsgiSettings¶
Enable recommended uwsgi settings.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.return¶
Adds a return directive, e.g. for redirections.
Type: null or string or signed integer
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.root¶
Root directory for requests.
Type: null or absolute path
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.tryFiles¶
Adds try_files directive.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.locations.<name>.uwsgiPass¶
Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.onlySSL¶
Whether to enable HTTPS and reject plain HTTP connections. This will set
defaults for listen to listen on all interfaces on port 443.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.quic¶
Whether to enable the QUIC transport protocol. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.redirectCode¶
HTTP status used by globalRedirect and forceSSL. Possible use cases
include temporary (302, 307) redirects, keeping the request method and
body (307, 308), or explicitly resetting the method to GET (303).
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.
Type: integer between 300 and 399 (both inclusive)
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.rejectSSL¶
Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.reuseport¶
Create an individual listening socket. It must be specified only once, on one of the hosts.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.root¶
The path of the web root directory.
Type: null or absolute path
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.serverAliases¶
Additional names of virtual hosts served by this virtual host configuration.
Type: list of string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.serverName¶
Name of this virtual host. Defaults to the attribute name in virtualHosts.
Type: null or string
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.sslCertificate¶
Path to server SSL certificate.
Type: absolute path
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.sslCertificateKey¶
Path to server SSL certificate key.
Type: absolute path
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.sslTrustedCertificate¶
Path to root SSL certificate for stapling and client certificates.
Type: null or absolute path
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.nginx.virtualHosts.<name>.useACMEHost¶
A host of an existing Let’s Encrypt certificate to use.
This is useful if you have many subdomains and want to avoid hitting the
rate limit.
Alternately, you can generate a certificate through enableACME.
Note that this option does not create any certificates, nor does it add subdomains to existing ones – you will need to create them manually using .
Type: null or string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/web-servers/nginx/
services.openssh.enable¶
This option has no description.
Type: boolean
Default:
Declared by:
- \
services.openssh.hostKeys¶
This option has no description.
Type: list of (submodule)
Default:
Declared by:
- \
services.openssh.hostKeys.*.path¶
This option has no description.
Type: absolute path
Declared by:
- \
services.openssh.hostKeys.*.type¶
This option has no description.
Type: string
Declared by:
- \
services.userborn.enable¶
Whether to enable userborn.
Type: boolean
Default:
Example:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/system/userborn.nix
services.userborn.package¶
The userborn package to use.
Type: package
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/system/userborn.nix
services.userborn.passwordFilesLocation¶
The location of the original password files.
If this is not /etc, the files are symlinked from this location to /etc.
The primary motivation for this is an immutable /etc, where we cannot
write the files directly to /etc.
However, this can also serve other use cases, e.g. when /etc is on a tmpfs.
Type: string
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/system/userborn.nix
services.userborn.static¶
Whether to generate the password files at build time and store them directly in the system closure, without requiring any services at boot time.
This is STRICTLY intended for embedded appliance images that only have system users with manually managed static user IDs, and CANNOT be used with generation updates.
WARNING: In this mode, you MUST statically manage user IDs yourself, carefully. Beware, UID reuse is a serious security issue and it’s your responsibility to avoid it over the entire lifetime of the system.
Type: boolean
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/services/system/userborn.nix
system.activationScripts.generate-age-key¶
This option has no description.
Type: raw value
Default:
Declared by:
- \
system.activationScripts.setupSecrets¶
This option has no description.
Type: raw value
Default:
Declared by:
- \
system.activationScripts.setupSecretsForUsers¶
This option has no description.
Type: raw value
Default:
Declared by:
- \
system.activationScripts.users¶
This option has no description.
Type: string
Default:
Declared by:
- \
system.build¶
Attribute set of derivations used to set up the system.
Type: open submodule of lazy attribute set of unspecified value
Default:
Declared by: - /nix/store/wqdyni4i7qpca90b7p323gqynr78lrvk-dx2qikyb4dyb6hbdfywbmsyla0z5a1h3-source/nixos/modules/system/build.nix
system.etc.overlay.enable¶
If enabled, users are created with systemd-sysusers instead of with
the custom update-users-groups.pl script.
Note: This is experimental.
Type: boolean
Default:
Example:
Declared by:
- \
system-manager.allowAnyDistro¶
Whether to enable the usage of system-manager on untested distributions.
Type: boolean
Default:
Example:
Declared by:
- \
system-manager.preActivationAssertions¶
This option has no description.
Type: attribute set of (submodule)
Default:
Declared by:
- \
system-manager.preActivationAssertions.<name>.enable¶
Whether to enable the assertion.
Type: boolean
Default:
Example:
Declared by:
- \
system-manager.preActivationAssertions.<name>.name¶
This option has no description.
Type: string
Default:
Declared by:
- \
system-manager.preActivationAssertions.<name>.script¶
This option has no description.
Type: string
Declared by:
- \
systemd.enableStrictShellChecks¶
Whether to enable running shellcheck on the generated scripts for systemd units…
Type: boolean
Default:
Example:
Declared by:
- \
systemd.package¶
This option has no description.
Type: string or absolute path or package
Default:
Declared by:
- \
systemd.packages¶
Packages providing systemd units and hooks.
Type: list of package
Default:
Example:
Declared by:
- \
systemd.automounts¶
Definition of systemd automount units. This is a list instead of an attrSet, because systemd mandates the names to be derived from the ‘where’ attribute.
Type: list of (submodule)
Default:
Declared by:
- \
systemd.automounts.*.enable¶
If set to false, this unit will be a symlink to
/dev/null. This is primarily useful to prevent specific
template instances
(e.g. serial-getty@ttyS0) from being
started. Note that enable=true does not
make a unit start by default at boot; if you want that, see
wantedBy.
Type: boolean
Default:
Declared by:
- \
systemd.automounts.*.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.aliases¶
Aliases of that unit.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.automountConfig¶
Each attribute in this set specifies an option in the
[Automount] section of the unit. See
systemd.automount(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.automounts.*.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.description¶
Description of this unit used in systemd messages and progress indicators.
Type: (optionally newline-terminated) single-line string
Default:
Declared by:
- \
systemd.automounts.*.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of string
Default:
Declared by:
- \
systemd.automounts.*.name¶
The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.
Type: string
Declared by:
- \
systemd.automounts.*.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.onSuccess¶
A list of one or more units that are activated when this unit enters the “inactive” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.overrideStrategy¶
Defines how unit configuration is provided for systemd:
- asDropinIfExists creates a unit file when no unit file is provided by the package; otherwise it creates a drop-in file named overrides.conf.
- asDropin creates a drop-in file named overrides.conf.
Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).
See also systemd.unit(5).
Type: one of “asDropinIfExists”, “asDropin”
Default:
Declared by:
- \
systemd.automounts.*.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.reloadTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.
Type: list of (systemd option)
Default:
Declared by:
- \
systemd.automounts.*.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit.
As discussed in the wantedBy option description this also creates
.requires symlinks automatically.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.requisite¶
Similar to requires. However, if the units listed are not started, they will not be started and the transaction will fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecified value
Default:
Declared by:
- \
systemd.automounts.*.startLimitBurst¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within a startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.automounts.*.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within a startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.automounts.*.unitConfig¶
Each attribute in this set specifies an option in the
[Unit] section of the unit. See
systemd.unit(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.automounts.*.upheldBy¶
Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.upholds¶
Keeps the specified units running while this unit is running. A continuous version of wants.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.wantedBy¶
Units that want (i.e. depend on) this unit. The default method for
starting a unit by default at boot time is to set this option to
["multi-user.target"] for system services. Likewise for user units
(systemd.user.<name>.*) set it to ["default.target"] to make a unit
start by default when the user <name> logs on.
This option creates a .wants symlink in the given target that exists
statelessly without the need for running systemctl enable.
The [Install] section described in systemd.unit(5) however is
not supported because it is a stateful process that does not fit well
into the NixOS design.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.wants¶
Start the specified units when this unit is started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.automounts.*.where¶
Absolute path of a directory of the mount point. Will be created if it doesn’t exist. (Mandatory)
Type: string
Example:
Declared by:
- \
systemd.generators¶
Definition of systemd generators.
For each NAME = VALUE pair of the attrSet, a link is generated from
/etc/systemd/system-generators/NAME to VALUE.
Type: attribute set of absolute path
Default:
Example:
Declared by:
- \
systemd.globalEnvironment¶
Environment variables passed to all systemd units.
Type: attribute set of (null or string or absolute path or package)
Default:
Example:
Declared by:
- \
systemd.maskedUnits¶
Units to mask by symlinking to /dev/null. Use this for
distro-shipped units; for units you define, use enable = false.
Type: list of string
Default:
Example:
Declared by:
- \
systemd.mounts¶
Definition of systemd mount units. This is a list instead of an attrSet, because systemd mandates the names to be derived from the ‘where’ attribute.
Type: list of (submodule)
Default:
Declared by:
- \
systemd.mounts.*.enable¶
If set to false, this unit will be a symlink to
/dev/null. This is primarily useful to prevent specific
template instances
(e.g. serial-getty@ttyS0) from being
started. Note that enable=true does not
make a unit start by default at boot; if you want that, see
wantedBy.
Type: boolean
Default:
Declared by:
- \
systemd.mounts.*.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.aliases¶
Aliases of that unit.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.description¶
Description of this unit used in systemd messages and progress indicators.
Type: (optionally newline-terminated) single-line string
Default:
Declared by:
- \
systemd.mounts.*.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of string
Default:
Declared by:
- \
systemd.mounts.*.mountConfig¶
Each attribute in this set specifies an option in the
[Mount] section of the unit. See
systemd.mount(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.mounts.*.name¶
The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.
Type: string
Declared by:
- \
systemd.mounts.*.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.onSuccess¶
A list of one or more units that are activated when this unit enters the “inactive” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.options¶
Options used to mount the file system.
Type: strings concatenated with “,”
Default:
Example:
Declared by:
- \
systemd.mounts.*.overrideStrategy¶
Defines how unit configuration is provided for systemd:
- asDropinIfExists creates a unit file when no unit file is provided by the package; otherwise it creates a drop-in file named overrides.conf.
- asDropin creates a drop-in file named overrides.conf.
Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).
See also systemd.unit(5).
Type: one of “asDropinIfExists”, “asDropin”
Default:
Declared by:
- \
systemd.mounts.*.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.reloadTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.
Type: list of (systemd option)
Default:
Declared by:
- \
systemd.mounts.*.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit.
As discussed in the wantedBy option description this also creates
.requires symlinks automatically.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.requisite¶
Similar to requires. However, if the units listed are not started, they will not be started and the transaction will fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecified value
Default:
Declared by:
- \
systemd.mounts.*.startLimitBurst¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within a startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.mounts.*.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within a startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.mounts.*.type¶
File system type.
Type: string
Default:
Example:
Declared by:
- \
systemd.mounts.*.unitConfig¶
Each attribute in this set specifies an option in the
[Unit] section of the unit. See
systemd.unit(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.mounts.*.upheldBy¶
Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.upholds¶
Keeps the specified units running while this unit is running. A continuous version of wants.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.wantedBy¶
Units that want (i.e. depend on) this unit. The default method for
starting a unit by default at boot time is to set this option to
["multi-user.target"] for system services. Likewise for user units
(systemd.user.<name>.*) set it to ["default.target"] to make a unit
start by default when the user <name> logs on.
This option creates a .wants symlink in the given target that exists
statelessly without the need for running systemctl enable.
The [Install] section described in systemd.unit(5) however is
not supported because it is a stateful process that does not fit well
into the NixOS design.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.wants¶
Start the specified units when this unit is started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.mounts.*.what¶
Absolute path of device node, file or other resource. (Mandatory)
Type: string
Example:
Declared by:
- \
systemd.mounts.*.where¶
Absolute path of a directory of the mount point. Will be created if it doesn’t exist. (Mandatory)
Type: string
Example:
Declared by:
- \
systemd.paths¶
Definition of systemd path units.
Type: attribute set of (submodule)
Default:
Declared by:
- \
systemd.paths.<name>.enable¶
If set to false, this unit will be a symlink to
/dev/null. This is primarily useful to prevent specific
template instances
(e.g. serial-getty@ttyS0) from being
started. Note that enable=true does not
make a unit start by default at boot; if you want that, see
wantedBy.
Type: boolean
Default:
Declared by:
- \
systemd.paths.\.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.aliases¶
Aliases of that unit.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.description¶
Description of this unit used in systemd messages and progress indicators.
Type: (optionally newline-terminated) single-line string
Default:
Declared by:
- \
systemd.paths.\.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of string
Default:
Declared by:
- \
systemd.paths.\.name¶
The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.
Type: string
Declared by:
- \
systemd.paths.\.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.onSuccess¶
A list of one or more units that are activated when this unit enters the “inactive” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.overrideStrategy¶
Defines how unit configuration is provided for systemd:
- asDropinIfExists creates a unit file when no unit file is provided by the package; otherwise it creates a drop-in file named overrides.conf.
- asDropin creates a drop-in file named overrides.conf.
Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).
See also systemd.unit(5).
Type: one of “asDropinIfExists”, “asDropin”
Default:
Declared by:
- \
systemd.paths.\.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.pathConfig¶
Each attribute in this set specifies an option in the
[Path] section of the unit. See
systemd.path(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.paths.\.reloadTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.
Type: list of (systemd option)
Default:
Declared by:
- \
systemd.paths.\.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit.
As discussed in the wantedBy option description this also creates
.requires symlinks automatically.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecified value
Default:
Declared by:
- \
systemd.paths.\.startLimitBurst¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within the startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.paths.\.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within the startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.paths.\.unitConfig¶
Each attribute in this set specifies an option in the
[Unit] section of the unit. See
systemd.unit(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.paths.\.upheldBy¶
Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.upholds¶
Keeps the specified units running while this unit is running. A continuous version of wants.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to
start a unit by default at boot time is to set this option to
["multi-user.target"] for system services. Likewise for user units
(systemd.user.<name>.*) set it to ["default.target"] to make a unit
start by default when the user <name> logs on.
This option creates a .wants symlink in the given target that exists
statelessly without the need for running systemctl enable.
The [Install] section described in systemd.unit(5) however is
not supported because it is a stateful process that does not fit well
into the NixOS design.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.paths.\.wants¶
Start the specified units when this unit is started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services¶
Definition of systemd service units.
Type: attribute set of (submodule)
Default:
Declared by:
- \
systemd.services.\.enable¶
If set to false, this unit will be a symlink to
/dev/null. This is primarily useful to prevent specific
template instances
(e.g. serial-getty@ttyS0) from being
started. Note that enable=true does not
make a unit start by default at boot; if you want that, see
wantedBy.
Type: boolean
Default:
Declared by:
- \
systemd.services.\.enableDefaultPath¶
Whether to append a minimal default PATH environment variable to the service, containing common system utilities.
Type: boolean
Default:
Declared by:
- \
systemd.services.\.enableStrictShellChecks¶
Enable running shellcheck on the generated scripts for this unit.
When enabled, scripts generated by the unit will be checked with
shellcheck and any errors or warnings will cause the build to
fail.
This affects all scripts that have been created through the
script, reload, preStart, postStart, preStop and
postStop options for systemd services. This does not affect
command lines passed directly to ExecStart, ExecReload,
ExecStartPre, ExecStartPost, ExecStop or ExecStopPost.
Type: boolean
Default:
Declared by:
- \
systemd.services.\.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.aliases¶
Aliases of that unit.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.description¶
Description of this unit used in systemd messages and progress indicators.
Type: (optionally newline-terminated) single-line string
Default:
Declared by:
- \
systemd.services.\.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of string
Default:
Declared by:
- \
systemd.services.\.environment¶
Environment variables passed to the service’s processes.
Type: attribute set of (null or string or absolute path or package)
Default:
Example:
Declared by:
- \
systemd.services.\.name¶
The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.
Type: string
Declared by:
- \
systemd.services.\.notSocketActivated¶
If set, a changed unit is never assumed to be socket-activated on configuration switch, even if it might have associated socket units. Instead, the unit will be restarted (or stopped/started) as if it had no associated sockets.
Type: boolean
Default:
Declared by:
- \
systemd.services.\.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.onSuccess¶
A list of one or more units that are activated when this unit enters the “inactive” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.overrideStrategy¶
Defines how unit configuration is provided for systemd:
- asDropinIfExists creates a unit file when no unit file is provided by the package; otherwise it creates a drop-in file named overrides.conf.
- asDropin creates a drop-in file named overrides.conf.
Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).
See also systemd.unit(5).
Type: one of “asDropinIfExists”, “asDropin”
Default:
Declared by:
- \
systemd.services.\.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.path¶
Packages added to the service’s PATH
environment variable. Both the bin
and sbin subdirectories of each
package are added.
Type: list of (package or string)
Default:
Declared by:
- \
systemd.services.\.postStart¶
Shell commands executed after the service’s main process is started.
Type: strings concatenated with “\n”
Default:
Declared by:
- \
systemd.services.\.postStop¶
Shell commands executed after the service’s main process has exited.
Type: strings concatenated with “\n”
Default:
Declared by:
- \
systemd.services.\.preStart¶
Shell commands executed before the service’s main process is started.
Type: strings concatenated with “\n”
Default:
Declared by:
- \
systemd.services.\.preStop¶
Shell commands executed to stop the service.
Type: strings concatenated with “\n”
Default:
Declared by:
- \
systemd.services.\.reload¶
Shell commands executed when the service’s main process is reloaded.
Type: strings concatenated with “\n”
Default:
Declared by:
- \
systemd.services.\.reloadIfChanged¶
Whether the service should be reloaded during a NixOS
configuration switch if its definition has changed. If
enabled, the value of restartIfChanged is
ignored.
This option should not be used anymore in favor of
reloadTriggers which allows more granular
control of when a service is reloaded and when a service
is restarted.
Type: boolean
Default:
Declared by:
- \
systemd.services.\.reloadTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.
Type: list of (systemd option)
Default:
Declared by:
- \
systemd.services.\.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit.
As discussed in the wantedBy option description this also creates
.requires symlinks automatically.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.restartIfChanged¶
Whether the service should be restarted during a NixOS configuration switch if its definition has changed.
Type: boolean
Default:
Declared by:
- \
systemd.services.\.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecified value
Default:
Declared by:
- \
systemd.services.\.script¶
Shell commands executed as the service’s main process.
Type: strings concatenated with “\n”
Default:
Declared by:
- \
systemd.services.\.scriptArgs¶
Arguments passed to the main process script.
Can contain specifiers (% placeholders expanded by systemd, see systemd.unit(5)).
Type: string
Default:
Example:
Declared by:
- \
systemd.services.\.serviceConfig¶
Each attribute in this set specifies an option in the
[Service] section of the unit. See
systemd.service(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.services.\.startAt¶
Automatically start this unit at the given date/time, which
must be in the format described in
systemd.time(7). This is equivalent
to adding a corresponding timer unit with
OnCalendar set to the value given here.
Type: string or list of string
Default:
Example:
Declared by:
- \
systemd.services.\.startLimitBurst¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within the startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.services.\.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within the startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.services.\.stopIfChanged¶
If set, a changed unit is restarted by calling
systemctl stop in the old configuration,
then systemctl start in the new one.
Otherwise, it is restarted in a single step using
systemctl restart in the new configuration.
The latter is less correct because it runs the
ExecStop commands from the new
configuration.
Type: boolean
Default:
Declared by:
- \
systemd.services.\.unitConfig¶
Each attribute in this set specifies an option in the
[Unit] section of the unit. See
systemd.unit(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.services.\.upheldBy¶
Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.upholds¶
Keeps the specified units running while this unit is running. A continuous version of wants.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to
start a unit by default at boot time is to set this option to
["multi-user.target"] for system services. Likewise for user units
(systemd.user.<name>.*) set it to ["default.target"] to make a unit
start by default when the user <name> logs on.
This option creates a .wants symlink in the given target that exists
statelessly without the need for running systemctl enable.
The [Install] section described in systemd.unit(5) however is
not supported because it is a stateful process that does not fit well
into the NixOS design.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.services.\.wants¶
Start the specified units when this unit is started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.shutdown¶
Definition of systemd shutdown executables.
For each NAME = VALUE pair of the attrSet, a link is generated from
/etc/systemd/system-shutdown/NAME to VALUE.
Type: attribute set of absolute path
Default:
Declared by:
- \
systemd.slices¶
Definition of slice configurations.
Type: attribute set of (submodule)
Default:
Declared by:
- \
systemd.slices.\.enable¶
If set to false, this unit will be a symlink to
/dev/null. This is primarily useful to prevent specific
template instances
(e.g. serial-getty@ttyS0) from being
started. Note that enable=true does not
make a unit start by default at boot; if you want that, see
wantedBy.
Type: boolean
Default:
Declared by:
- \
systemd.slices.\.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.aliases¶
Aliases of that unit.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.description¶
Description of this unit used in systemd messages and progress indicators.
Type: (optionally newline-terminated) single-line string
Default:
Declared by:
- \
systemd.slices.\.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of string
Default:
Declared by:
- \
systemd.slices.\.name¶
The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.
Type: string
Declared by:
- \
systemd.slices.\.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.onSuccess¶
A list of one or more units that are activated when this unit enters the “inactive” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.overrideStrategy¶
Defines how unit configuration is provided for systemd:
- asDropinIfExists creates a unit file when no unit file is provided by the package; otherwise it creates a drop-in file named overrides.conf.
- asDropin creates a drop-in file named overrides.conf.
Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).
See also systemd.unit(5).
Type: one of “asDropinIfExists”, “asDropin”
Default:
Declared by:
- \
systemd.slices.\.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.reloadTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.
Type: list of (systemd option)
Default:
Declared by:
- \
systemd.slices.\.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit.
As discussed in the wantedBy option description this also creates
.requires symlinks automatically.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecified value
Default:
Declared by:
- \
systemd.slices.\.sliceConfig¶
Each attribute in this set specifies an option in the
[Slice] section of the unit. See
systemd.slice(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.slices.\.startLimitBurst¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within the startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.slices.\.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within the startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.slices.\.unitConfig¶
Each attribute in this set specifies an option in the
[Unit] section of the unit. See
systemd.unit(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.slices.\.upheldBy¶
Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.upholds¶
Keeps the specified units running while this unit is running. A continuous version of wants.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.wantedBy¶
Units that want (i.e. depend on) this unit. The standard way to
start a unit by default at boot time is to set this option to
["multi-user.target"] for system services. Likewise for user units
(systemd.user.<name>.*) set it to ["default.target"] to make a unit
start by default when the user <name> logs on.
This option creates a .wants symlink in the given target that exists
statelessly without the need for running systemctl enable.
The [Install] section described in systemd.unit(5) however is
not supported because it is a stateful process that does not fit well
into the NixOS design.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.slices.\.wants¶
Start the specified units when this unit is started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets¶
Definition of systemd socket units.
Type: attribute set of (submodule)
Default:
Declared by:
- \
systemd.sockets.\.enable¶
If set to false, this unit will be a symlink to
/dev/null. This is primarily useful to prevent specific
template instances
(e.g. serial-getty@ttyS0) from being
started. Note that enable=true does not
make a unit start by default at boot; if you want that, see
wantedBy.
Type: boolean
Default:
Declared by:
- \
systemd.sockets.\.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.aliases¶
Aliases of that unit.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.description¶
Description of this unit used in systemd messages and progress indicators.
Type: (optionally newline-terminated) single-line string
Default:
Declared by:
- \
systemd.sockets.\.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of string
Default:
Declared by:
- \
systemd.sockets.\.listenDatagrams¶
For each item in this list, a ListenDatagram
option in the [Socket] section will be created.
Type: list of string
Default:
Example:
Declared by:
- \
systemd.sockets.\.listenStreams¶
For each item in this list, a ListenStream
option in the [Socket] section will be created.
Type: list of string
Default:
Example:
Declared by:
- \
systemd.sockets.\.name¶
The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.
Type: string
Declared by:
- \
systemd.sockets.\.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.onSuccess¶
A list of one or more units that are activated when this unit enters the “inactive” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.overrideStrategy¶
Defines how unit configuration is provided for systemd:
- asDropinIfExists creates a unit file when no unit file is provided by the package; otherwise it creates a drop-in file named overrides.conf.
- asDropin creates a drop-in file named overrides.conf.
Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).
See also systemd.unit(5).
Type: one of “asDropinIfExists”, “asDropin”
Default:
Declared by:
- \
systemd.sockets.\.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.reloadTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.
Type: list of (systemd option)
Default:
Declared by:
- \
systemd.sockets.\.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit.
As discussed in the wantedBy option description this also creates
.requires symlinks automatically.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecified value
Default:
Declared by:
- \
systemd.sockets.\.socketConfig¶
Each attribute in this set specifies an option in the
[Socket] section of the unit. See
systemd.socket(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.sockets.\.startLimitBurst¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within the startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.sockets.\.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within the startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.sockets.\.unitConfig¶
Each attribute in this set specifies an option in the
[Unit] section of the unit. See
systemd.unit(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.sockets.\.upheldBy¶
Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.upholds¶
Keeps the specified units running while this unit is running. A continuous version of wants.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.wantedBy¶
Units that want (i.e. depend on) this unit. The default method for
starting a unit by default at boot time is to set this option to
["multi-user.target"] for system services. Likewise for user units
(systemd.user.<name>.*) set it to ["default.target"] to make a unit
start by default when the user <name> logs on.
This option creates a .wants symlink in the given target that exists
statelessly without the need for running systemctl enable.
The [Install] section described in systemd.unit(5) however is
not supported because it is a stateful process that does not fit well
into the NixOS design.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sockets.\.wants¶
Start the specified units when this unit is started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.sysusers.enable¶
If enabled, users are created with systemd-sysusers instead of with
the custom update-users-groups.pl script.
Note: This is experimental.
Type: boolean
Default:
Example:
Declared by:
- \
systemd.targets¶
Definition of systemd target units.
Type: attribute set of (submodule)
Default:
Declared by:
- \
systemd.targets.\.enable¶
If set to false, this unit will be a symlink to
/dev/null. This is primarily useful to prevent specific
template instances
(e.g. serial-getty@ttyS0) from being
started. Note that enable=true does not
make a unit start by default at boot; if you want that, see
wantedBy.
Type: boolean
Default:
Declared by:
- \
systemd.targets.\.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.aliases¶
Aliases of that unit.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.description¶
Description of this unit used in systemd messages and progress indicators.
Type: (optionally newline-terminated) single-line string
Default:
Declared by:
- \
systemd.targets.\.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of string
Default:
Declared by:
- \
systemd.targets.\.name¶
The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.
Type: string
Declared by:
- \
systemd.targets.\.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.onSuccess¶
A list of one or more units that are activated when this unit enters the “inactive” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.overrideStrategy¶
Defines how unit configuration is provided for systemd:
asDropinIfExists creates a unit file when no unit file is provided by the package; otherwise it creates a drop-in file named overrides.conf.
asDropin creates a drop-in file named overrides.conf.
Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).
See also systemd.unit(5).
Type: one of “asDropinIfExists”, “asDropin”
Default:
Declared by:
- \
systemd.targets.\.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.reloadTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.
Type: list of (systemd option)
Default:
Declared by:
- \
systemd.targets.\.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit.
As discussed in the wantedBy option description this also creates
.requires symlinks automatically.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecified value
Default:
Declared by:
- \
systemd.targets.\.startLimitBurst¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within the startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.targets.\.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within the startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.targets.\.unitConfig¶
Each attribute in this set specifies an option in the
[Unit] section of the unit. See
systemd.unit(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.targets.\.upheldBy¶
Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.upholds¶
Keeps the specified units running while this unit is running. A continuous version of wants.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.wantedBy¶
Units that want (i.e. depend on) this unit. The default method for
starting a unit by default at boot time is to set this option to
["multi-user.target"] for system services. Likewise for user units
(systemd.user.<name>.*) set it to ["default.target"] to make a unit
start by default when the user <name> logs on.
This option creates a .wants symlink in the given target that exists
statelessly without the need for running systemctl enable.
The [Install] section described in systemd.unit(5) however is
not supported because it is a stateful process that does not fit well
into the NixOS design.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.targets.\.wants¶
Start the specified units when this unit is started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers¶
Definition of systemd timer units.
Type: attribute set of (submodule)
Default:
Declared by:
- \
systemd.timers.\.enable¶
If set to false, this unit will be a symlink to
/dev/null. This is primarily useful to prevent specific
template instances
(e.g. serial-getty@ttyS0) from being
started. Note that enable=true does not
make a unit start by default at boot; if you want that, see
wantedBy.
Type: boolean
Default:
Declared by:
- \
systemd.timers.\.after¶
If the specified units are started at the same time as this unit, delay this unit until they have started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.aliases¶
Aliases of that unit.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.before¶
If the specified units are started at the same time as this unit, delay them until this unit has started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.bindsTo¶
Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.conflicts¶
If the specified units are started, then this unit is stopped and vice versa.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.description¶
Description of this unit used in systemd messages and progress indicators.
Type: (optionally newline-terminated) single-line string
Default:
Declared by:
- \
systemd.timers.\.documentation¶
A list of URIs referencing documentation for this unit or its configuration.
Type: list of string
Default:
Declared by:
- \
systemd.timers.\.name¶
The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.
Type: string
Declared by:
- \
systemd.timers.\.onFailure¶
A list of one or more units that are activated when this unit enters the “failed” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.onSuccess¶
A list of one or more units that are activated when this unit enters the “inactive” state.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.overrideStrategy¶
Defines how unit configuration is provided for systemd:
asDropinIfExists creates a unit file when no unit file is provided by the package; otherwise it creates a drop-in file named overrides.conf.
asDropin creates a drop-in file named overrides.conf.
Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).
See also systemd.unit(5).
Type: one of “asDropinIfExists”, “asDropin”
Default:
Declared by:
- \
systemd.timers.\.partOf¶
If the specified units are stopped or restarted, then this unit is stopped or restarted as well.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.reloadTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.
Type: list of (systemd option)
Default:
Declared by:
- \
systemd.timers.\.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit.
As discussed in the wantedBy option description this also creates
.requires symlinks automatically.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.requires¶
Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.requisite¶
Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.restartTriggers¶
An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.
Type: list of unspecified value
Default:
Declared by:
- \
systemd.timers.\.startLimitBurst¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within the startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.timers.\.startLimitIntervalSec¶
Configure unit start rate limiting. Units which are started more than startLimitBurst times within the startLimitIntervalSec time interval are not permitted to start any more.
Type: signed integer
Declared by:
- \
systemd.timers.\.timerConfig¶
Each attribute in this set specifies an option in the
[Timer] section of the unit. See
systemd.timer(5) and
systemd.time(7) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.timers.\.unitConfig¶
Each attribute in this set specifies an option in the
[Unit] section of the unit. See
systemd.unit(5) for details.
Type: attribute set of (systemd option)
Default:
Example:
Declared by:
- \
systemd.timers.\.upheldBy¶
Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.upholds¶
Keeps the specified units running while this unit is running. A continuous version of wants.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.wantedBy¶
Units that want (i.e. depend on) this unit. The default method for
starting a unit by default at boot time is to set this option to
["multi-user.target"] for system services. Likewise for user units
(systemd.user.<name>.*) set it to ["default.target"] to make a unit
start by default when the user <name> logs on.
This option creates a .wants symlink in the given target that exists
statelessly without the need for running systemctl enable.
The [Install] section described in systemd.unit(5) however is
not supported because it is a stateful process that does not fit well
into the NixOS design.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.timers.\.wants¶
Start the specified units when this unit is started.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.tmpfiles.packages¶
List of packages containing systemd-tmpfiles rules.
All files ending in .conf found in
«pkg»/lib/tmpfiles.d
will be included.
If this folder does not exist or does not contain any files an error will be returned instead.
If a lib output is available, rules are searched there and only there.
If there is no lib output it will fall back to out
and if that does not exist either, the default output will be used.
Type: list of package
Default:
Example:
Declared by:
- \
systemd.tmpfiles.rules¶
Rules for creation, deletion and cleaning of volatile and temporary files
automatically. See
tmpfiles.d(5)
for the exact format.
Type: list of string
Default:
Example:
Declared by:
- \
systemd.tmpfiles.settings¶
Declare systemd-tmpfiles rules to create, delete, and clean up volatile and temporary files and directories.
Even though the service is called *tmp*files you can also create
persistent files.
Type: attribute set of attribute set of attribute set of (submodule)
Default:
Example:
Declared by:
- \
systemd.tmpfiles.settings.\.\.\.age¶
Delete a file when it reaches a certain age.
If a file or directory is older than the current time minus the age field, it is deleted.
If set to "-" no automatic clean-up is done.
Type: string
Default:
Example:
Declared by:
- \
systemd.tmpfiles.settings.\.\.\.argument¶
An argument whose meaning depends on the type of operation.
Please see the upstream documentation for the meaning of this parameter in different situations: https://www.freedesktop.org/software/systemd/man/tmpfiles.d
Type: string
Default:
Example:
Declared by:
- \
systemd.tmpfiles.settings.\.\.\.group¶
The group of the file.
This may either be a numeric ID or a user/group name.
If omitted or when set to "-", the user and group of the user who
invokes systemd-tmpfiles is used.
Type: string
Default:
Example:
Declared by:
- \
systemd.tmpfiles.settings.\.\.\.mode¶
The file access mode to use when creating this file or directory.
Type: string
Default:
Example:
Declared by:
- \
systemd.tmpfiles.settings.\.\.\.type¶
The type of operation to perform on the file.
The type consists of a single letter and optionally one or more modifier characters.
Please see the upstream documentation for the available types and more details: https://www.freedesktop.org/software/systemd/man/tmpfiles.d
Type: string
Default:
Example:
Declared by:
- \
systemd.tmpfiles.settings.\.\.\.user¶
The user of the file.
This may either be a numeric ID or a user/group name.
If omitted or when set to "-", the user and group of the user who
invokes systemd-tmpfiles is used.
Type: string
Default:
Example:
Declared by:
- \
systemd.units¶
Definition of systemd units.
Type: attribute set of (submodule)
Default:
Declared by:
- \
systemd.units.\.enable¶
If set to false, this unit will be a symlink to
/dev/null. This is primarily useful to prevent specific
template instances
(e.g. serial-getty@ttyS0) from being
started. Note that enable=true does not
make a unit start by default at boot; if you want that, see
wantedBy.
Type: boolean
Default:
Declared by:
- \
systemd.units.\.aliases¶
Aliases of that unit.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.units.\.name¶
The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.
Type: string
Declared by:
- \
systemd.units.\.overrideStrategy¶
Defines how unit configuration is provided for systemd:
asDropinIfExists creates a unit file when no unit file is provided by the package; otherwise it creates a drop-in file named overrides.conf.
asDropin creates a drop-in file named overrides.conf.
Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).
See also systemd.unit(5).
Type: one of “asDropinIfExists”, “asDropin”
Default:
Declared by:
- \
systemd.units.\.requiredBy¶
Units that require (i.e. depend on and need to go down with) this unit.
As discussed in the wantedBy option description this also creates
.requires symlinks automatically.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.units.\.text¶
Text of this systemd unit.
Type: null or string
Default:
Declared by:
- \
systemd.units.\.upheldBy¶
Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
systemd.units.\.wantedBy¶
Units that want (i.e. depend on) this unit. The default method for
starting a unit by default at boot time is to set this option to
["multi-user.target"] for system services. Likewise for user units
(systemd.user.<name>.*) set it to ["default.target"] to make a unit
start by default when the user <name> logs on.
This option creates a .wants symlink in the given target that exists
statelessly without the need for running systemctl enable.
The [Install] section described in systemd.unit(5) however is
not supported because it is a stateful process that does not fit well
into the NixOS design.
Type: list of string matching the pattern [a-zA-Z0-9@%:_.\-]+[.](service|socket|device|mount|automount|swap|target|path|timer|scope|slice)
Default:
Declared by:
- \
users.allowNoPasswordLogin¶
Disable checking that at least the root user or a user in the wheel group can log in using
a password or an SSH key.
WARNING: enabling this can lock you out of your system. Enable this only if you know what you are doing.
Type: boolean
Default:
Declared by:
- \
users.defaultUserShell¶
This option defines the default shell assigned to user accounts. This can be either a full system path or a shell package.
This must not be a store path, since the path is used outside the store (in particular in /etc/passwd).
Type: absolute path or package
Example:
Declared by:
- \
users.enforceIdUniqueness¶
Whether to require that no two users/groups share the same uid/gid.
Type: boolean
Default:
Declared by:
- \
users.extraGroups¶
Alias of users.groups.
Type: attribute set of (submodule)
Declared by:
- \
users.extraGroups.\.gid¶
The group GID. If the GID is null, a free GID is picked on activation.
Type: null or signed integer
Default:
Declared by:
- \
users.extraGroups.\.members¶
The user names of the group members, added to the
/etc/group file.
Type: list of (string, not containing newlines or colons)
Default:
Declared by:
- \
users.extraGroups.\.name¶
The name of the group. If undefined, the name of the attribute set will be used.
Type: string, not containing newlines or colons
Declared by:
- \
users.extraUsers¶
Alias of users.users.
Type: attribute set of (submodule)
Declared by:
- \
users.extraUsers.\.enable¶
If set to false, the user account will not be created. This is useful for when you wish to conditionally disable user accounts.
Type: boolean
Default:
Example:
Declared by:
- \
users.extraUsers.\.packages¶
The set of packages that should be made available to the user.
This is in contrast to environment.systemPackages,
which adds packages to all users.
Type: list of package
Default:
Example:
Declared by:
- \
users.extraUsers.\.autoSubUidGidRange¶
Automatically allocate subordinate user and group ids for this user. Allocated range is currently always of size 65536.
Type: boolean
Default:
Example:
Declared by:
- \
users.extraUsers.\.createHome¶
Whether to create the home directory and ensure ownership as well as permissions to match the user.
Type: boolean
Default:
Declared by:
- \
users.extraUsers.\.cryptHomeLuks¶
Path to the encrypted LUKS device that contains the user’s home directory.
Type: null or string
Default:
Declared by:
- \
users.extraUsers.\.description¶
A short description of the user account, typically the
user’s full name. This is actually the “GECOS” or “comment”
field in /etc/passwd.
Type: string, not containing newlines or colons
Default:
Example:
Declared by:
- \
users.extraUsers.\.expires¶
Set the date on which the user’s account will no longer be accessible. The date is expressed in the format YYYY-MM-DD, or null to disable the expiry. A user whose account is locked must contact the system administrator before being able to use the system again.
Type: null or string matching the pattern [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}
Default:
Declared by:
- \
users.extraUsers.\.extraGroups¶
The user’s auxiliary groups.
Type: list of string
Default:
Declared by:
- \
users.extraUsers.\.group¶
The user’s primary group.
Type: string
Default:
Declared by:
- \
users.extraUsers.\.hashedPassword¶
Specifies the hashed password for the user.
The initialHashedPassword, hashedPassword,
initialPassword, password and
hashedPasswordFile options all control what password is set for
the user.
In a system where users.mutableUsers is false, typically
only one of hashedPassword, password, or
hashedPasswordFile will be set.
In a system where users.mutableUsers is true, typically
only one of initialPassword, initialHashedPassword,
or hashedPasswordFile will be set.
If the option users.mutableUsers is true, the password defined
in one of the above password options will only be set when the user is
created for the first time. After that, you are free to change the
password with the ordinary user management commands. If
users.mutableUsers is false, you cannot change user passwords,
they will always be set according to the password options.
If none of the password options are set, then no password is assigned to the user, and the user will not be able to do password-based logins.
If multiple of these password options are set at the same time then a
specific order of precedence is followed, which can lead to surprising
results. The order of precedence differs depending on whether the
users.mutableUsers option is set.
If the option users.mutableUsers is
false, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> hashedPassword -> initialPassword -> password -> hashedPasswordFile
If the option users.mutableUsers is
true, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> initialPassword -> hashedPassword -> password -> hashedPasswordFile
To generate a hashed password run mkpasswd.
If set to an empty string (""), this user will be able to log in without
being asked for a password (but not via remote services such as SSH, or
indirectly via su or sudo). This should only be used
for e.g. bootable live systems. Note: this is different from setting an
empty password, which can be achieved using
users.users.<name?>.password.
If set to null (default) this user will not be able to log in using a
password (i.e. via login command).
Type: null or (string, not containing newlines or colons)
Default:
Declared by:
- \
users.extraUsers.\.hashedPasswordFile¶
The full path to a file that contains the hash of the user’s
password. The password file is read on each system activation. The
file should contain exactly one line, which should be the password in
an encrypted form that is suitable for the chpasswd -e command.
The initialHashedPassword, hashedPassword,
initialPassword, password and
hashedPasswordFile options all control what password is set for
the user.
In a system where users.mutableUsers is false, typically
only one of hashedPassword, password, or
hashedPasswordFile will be set.
In a system where users.mutableUsers is true, typically
only one of initialPassword, initialHashedPassword,
or hashedPasswordFile will be set.
If the option users.mutableUsers is true, the password defined
in one of the above password options will only be set when the user is
created for the first time. After that, you are free to change the
password with the ordinary user management commands. If
users.mutableUsers is false, you cannot change user passwords,
they will always be set according to the password options.
If none of the password options are set, then no password is assigned to the user, and the user will not be able to do password-based logins.
If multiple of these password options are set at the same time then a
specific order of precedence is followed, which can lead to surprising
results. The order of precedence differs depending on whether the
users.mutableUsers option is set.
If the option users.mutableUsers is
false, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> hashedPassword -> initialPassword -> password -> hashedPasswordFile
If the option users.mutableUsers is
true, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> initialPassword -> hashedPassword -> password -> hashedPasswordFile
Type: null or string
Default:
Declared by:
- \
users.extraUsers.\.home¶
The user’s home directory.
Type: absolute path, not containing newlines or colons
Default:
Declared by:
- \
users.extraUsers.\.homeMode¶
The user’s home directory mode in numeric format. See chmod(1). The mode is only applied if users.users.<name>.createHome is true.
Type: string matching the pattern [0-7]{1,5}
Default:
Declared by:
- \
users.extraUsers.<name>.ignoreShellProgramCheck¶
By default, nixos will check that programs.SHELL.enable is set to true if the user has a custom shell specified. If that behavior isn’t required and there are custom overrides in place to make sure that the shell is functional, set this to true.
Type: boolean
Default:
Declared by:
- \
users.extraUsers.<name>.initialHashedPassword¶
Specifies the initial hashed password for the user, i.e. the
hashed password assigned if the user does not already
exist. If users.mutableUsers is true, the
password can be changed subsequently using the
passwd command. Otherwise, it’s
equivalent to setting the hashedPassword option.
The initialHashedPassword, hashedPassword,
initialPassword, password and
hashedPasswordFile options all control what password is set for
the user.
In a system where users.mutableUsers is false, typically
only one of hashedPassword, password, or
hashedPasswordFile will be set.
In a system where users.mutableUsers is true, typically
only one of initialPassword, initialHashedPassword,
or hashedPasswordFile will be set.
If the option users.mutableUsers is true, the password defined
in one of the above password options will only be set when the user is
created for the first time. After that, you are free to change the
password with the ordinary user management commands. If
users.mutableUsers is false, you cannot change user passwords,
they will always be set according to the password options.
If none of the password options are set, then no password is assigned to the user, and the user will not be able to do password-based logins.
If multiple of these password options are set at the same time then a
specific order of precedence is followed, which can lead to surprising
results. The order of precedence differs depending on whether the
users.mutableUsers option is set.
If the option users.mutableUsers is
false, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> hashedPassword -> initialPassword -> password -> hashedPasswordFile
If the option users.mutableUsers is
true, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> initialPassword -> hashedPassword -> password -> hashedPasswordFile
To generate a hashed password run mkpasswd.
If set to an empty string (""), this user will be able to log in without
being asked for a password (but not via remote services such as SSH, or
indirectly via su or sudo). This should only be used
for e.g. bootable live systems. Note: this is different from setting an
empty password, which can be achieved using
users.users.<name?>.password.
If set to null (default) this user will not be able to log in using a
password (i.e. via login command).
Type: null or (string, not containing newlines or colons)
Default:
Declared by:
- \
users.extraUsers.<name>.initialPassword¶
Specifies the initial password for the user, i.e. the
password assigned if the user does not already exist. If
users.mutableUsers is true, the password
can be changed subsequently using the
passwd command. Otherwise, it’s
equivalent to setting the password
option. The same caveat applies: the password specified here
is world-readable in the Nix store, so it should only be
used for guest accounts or passwords that will be changed
promptly.
The initialHashedPassword, hashedPassword,
initialPassword, password and
hashedPasswordFile options all control what password is set for
the user.
In a system where users.mutableUsers is false, typically
only one of hashedPassword, password, or
hashedPasswordFile will be set.
In a system where users.mutableUsers is true, typically
only one of initialPassword, initialHashedPassword,
or hashedPasswordFile will be set.
If the option users.mutableUsers is true, the password defined
in one of the above password options will only be set when the user is
created for the first time. After that, you are free to change the
password with the ordinary user management commands. If
users.mutableUsers is false, you cannot change user passwords,
they will always be set according to the password options.
If none of the password options are set, then no password is assigned to the user, and the user will not be able to do password-based logins.
If multiple of these password options are set at the same time then a
specific order of precedence is followed, which can lead to surprising
results. The order of precedence differs depending on whether the
users.mutableUsers option is set.
If the option users.mutableUsers is
false, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> hashedPassword -> initialPassword -> password -> hashedPasswordFile
If the option users.mutableUsers is
true, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> initialPassword -> hashedPassword -> password -> hashedPasswordFile
Type: null or string
Default:
Declared by:
- \
users.extraUsers.<name>.isNormalUser¶
Indicates whether this is an account for a “real” user.
This automatically sets group to users,
createHome to true,
home to /home/«username»,
useDefaultShell to true,
and isSystemUser to false.
Exactly one of isNormalUser and isSystemUser must be true.
Type: boolean
Default:
Declared by:
- \
users.extraUsers.<name>.isSystemUser¶
Indicates if the user is a system user or not. This option
only has an effect if uid is
null, in which case it determines whether
the user’s UID is allocated in the range for system users
(below 1000) or in the range for normal users (starting at
1000).
Exactly one of isNormalUser and
isSystemUser must be true.
Type: boolean
Default:
Declared by:
- \
users.extraUsers.<name>.linger¶
Whether to enable lingering for this user. If true, systemd user
units will start at boot, rather than starting at login and stopping
at logout. This is the declarative equivalent of running
loginctl enable-linger for this user.
If false, user units will not be started until the user logs in, and
may be stopped on logout depending on the settings in logind.conf.
Type: boolean
Default:
Declared by:
- \
users.extraUsers.<name>.name¶
The name of the user account. If undefined, the name of the attribute set will be used.
Type: string, not containing newlines or colons
Declared by:
- \
users.extraUsers.<name>.pamMount¶
Attributes for user’s entry in
pam_mount.conf.xml.
Useful attributes might include path,
options, fstype, and server.
See https://pam-mount.sourceforge.net/pam_mount.conf.5.html
for more information.
Type: attribute set of string
Default:
Declared by:
- \
users.extraUsers.<name>.password¶
Specifies the (clear text) password for the user. Warning: do not set confidential information here because it is world-readable in the Nix store. This option should only be used for public accounts.
The initialHashedPassword, hashedPassword,
initialPassword, password and
hashedPasswordFile options all control what password is set for
the user.
In a system where users.mutableUsers is false, typically
only one of hashedPassword, password, or
hashedPasswordFile will be set.
In a system where users.mutableUsers is true, typically
only one of initialPassword, initialHashedPassword,
or hashedPasswordFile will be set.
If the option users.mutableUsers is true, the password defined
in one of the above password options will only be set when the user is
created for the first time. After that, you are free to change the
password with the ordinary user management commands. If
users.mutableUsers is false, you cannot change user passwords,
they will always be set according to the password options.
If none of the password options are set, then no password is assigned to the user, and the user will not be able to do password-based logins.
If multiple of these password options are set at the same time then a
specific order of precedence is followed, which can lead to surprising
results. The order of precedence differs depending on whether the
users.mutableUsers option is set.
If the option users.mutableUsers is
false, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> hashedPassword -> initialPassword -> password -> hashedPasswordFile
If the option users.mutableUsers is
true, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> initialPassword -> hashedPassword -> password -> hashedPasswordFile
Type: null or string
Default:
Declared by:
- \
users.extraUsers.<name>.shell¶
The path to the user’s shell. Can use shell derivations,
like pkgs.bashInteractive. Don’t
forget to enable your shell in
programs if necessary,
like programs.zsh.enable = true;.
Type: null or package or (absolute path, not containing newlines or colons)
Default:
Example:
Declared by:
- \
users.extraUsers.<name>.subGidRanges¶
Subordinate group ids that user is allowed to use.
They are set into /etc/subgid and are used
by newgidmap for user namespaces.
Type: list of (submodule)
Default:
Example:
Declared by:
- \
users.extraUsers.<name>.subGidRanges.*.count¶
Count of subordinate group ids
Type: signed integer
Default:
Declared by:
- \
users.extraUsers.<name>.subGidRanges.*.startGid¶
Start of the range of subordinate group ids that user is allowed to use.
Type: signed integer
Declared by:
- \
users.extraUsers.<name>.subUidRanges¶
Subordinate user ids that user is allowed to use.
They are set into /etc/subuid and are used
by newuidmap for user namespaces.
Type: list of (submodule)
Default:
Example:
Declared by:
- \
users.extraUsers.<name>.subUidRanges.*.count¶
Count of subordinate user ids
Type: signed integer
Default:
Declared by:
- \
users.extraUsers.<name>.subUidRanges.*.startUid¶
Start of the range of subordinate user ids that user is allowed to use.
Type: signed integer
Declared by:
- \
users.extraUsers.<name>.uid¶
The account UID. If the UID is null, a free UID is picked on activation.
Type: null or signed integer
Default:
Declared by:
- \
users.extraUsers.<name>.useDefaultShell¶
If true, the user’s shell will be set to
users.defaultUserShell.
Type: boolean
Default:
Declared by:
- \
users.groups¶
Additional groups to be created automatically by the system.
Type: attribute set of (submodule)
Default:
Example:
Declared by:
- \
users.groups.<name>.gid¶
The group GID. If the GID is null, a free GID is picked on activation.
Type: null or signed integer
Default:
Declared by:
- \
users.groups.<name>.members¶
The user names of the group members, added to the
/etc/group file.
Type: list of (string, not containing newlines or colons)
Default:
Declared by:
- \
users.groups.<name>.name¶
The name of the group. If undefined, the name of the attribute set will be used.
Type: string, not containing newlines or colons
Declared by:
- \
users.mutableUsers¶
If set to true, you are free to add new users and groups to the system
with the ordinary useradd and
groupadd commands. On system activation, the
existing contents of the /etc/passwd and
/etc/group files will be merged with the
contents generated from the users.users and
users.groups options.
The initial password for a user will be set
according to users.users, but existing passwords
will not be changed.
Warning: If set to false, the contents of the user and
group files will simply be replaced on system activation. This also
holds for the user passwords; all changed
passwords will be reset according to the
users.users configuration on activation.
Type: boolean
Default:
Declared by:
- \
users.users¶
Additional user accounts to be created automatically by the system. This can also be used to set options for root.
Type: attribute set of (submodule)
Default:
Example:
Declared by:
- \
users.users.<name>.enable¶
If set to false, the user account will not be created. This is useful for when you wish to conditionally disable user accounts.
Type: boolean
Default:
Example:
Declared by:
- \
users.users.<name>.packages¶
The set of packages that should be made available to the user.
This is in contrast to environment.systemPackages,
which adds packages to all users.
Type: list of package
Default:
Example:
Declared by:
- \
users.users.<name>.autoSubUidGidRange¶
Automatically allocate subordinate user and group ids for this user. Allocated range is currently always of size 65536.
Type: boolean
Default:
Example:
Declared by:
- \
users.users.<name>.createHome¶
Whether to create the home directory and ensure ownership as well as permissions to match the user.
Type: boolean
Default:
Declared by:
- \
users.users.<name>.cryptHomeLuks¶
Path to encrypted luks device that contains the user’s home directory.
Type: null or string
Default:
Declared by:
- \
users.users.<name>.description¶
A short description of the user account, typically the
user’s full name. This is actually the “GECOS” or “comment”
field in /etc/passwd.
Type: string, not containing newlines or colons
Default:
Example:
Declared by:
- \
users.users.<name>.expires¶
Set the date on which the user’s account will no longer be accessible. The date is expressed in the format YYYY-MM-DD, or null to disable the expiry. A user whose account is locked must contact the system administrator before being able to use the system again.
Type: null or string matching the pattern [[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}
Default:
Declared by:
- \
users.users.<name>.extraGroups¶
The user’s auxiliary groups.
Type: list of string
Default:
Declared by:
- \
users.users.<name>.group¶
The user’s primary group.
Type: string
Default:
Declared by:
- \
users.users.<name>.hashedPassword¶
Specifies the hashed password for the user.
The initialHashedPassword, hashedPassword,
initialPassword, password and
hashedPasswordFile options all control what password is set for
the user.
In a system where users.mutableUsers is false, typically
only one of hashedPassword, password, or
hashedPasswordFile will be set.
In a system where users.mutableUsers is true, typically
only one of initialPassword, initialHashedPassword,
or hashedPasswordFile will be set.
If the option users.mutableUsers is true, the password defined
in one of the above password options will only be set when the user is
created for the first time. After that, you are free to change the
password with the ordinary user management commands. If
users.mutableUsers is false, you cannot change user passwords,
they will always be set according to the password options.
If none of the password options are set, then no password is assigned to the user, and the user will not be able to do password-based logins.
If multiple of these password options are set at the same time then a
specific order of precedence is followed, which can lead to surprising
results. The order of precedence differs depending on whether the
users.mutableUsers option is set.
If the option users.mutableUsers is
false, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> hashedPassword -> initialPassword -> password -> hashedPasswordFile
If the option users.mutableUsers is
true, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> initialPassword -> hashedPassword -> password -> hashedPasswordFile
To generate a hashed password run mkpasswd.
If set to an empty string (""), this user will be able to log in without
being asked for a password (but not via remote services such as SSH, or
indirectly via su or sudo). This should only be used
for e.g. bootable live systems. Note: this is different from setting an
empty password, which can be achieved using
users.users.<name?>.password.
If set to null (default) this user will not be able to log in using a
password (i.e. via login command).
Type: null or (string, not containing newlines or colons)
Default:
Declared by:
- \
users.users.<name>.hashedPasswordFile¶
The full path to a file that contains the hash of the user’s
password. The password file is read on each system activation. The
file should contain exactly one line, which should be the password in
an encrypted form that is suitable for the chpasswd -e command.
The initialHashedPassword, hashedPassword,
initialPassword, password and
hashedPasswordFile options all control what password is set for
the user.
In a system where users.mutableUsers is false, typically
only one of hashedPassword, password, or
hashedPasswordFile will be set.
In a system where users.mutableUsers is true, typically
only one of initialPassword, initialHashedPassword,
or hashedPasswordFile will be set.
If the option users.mutableUsers is true, the password defined
in one of the above password options will only be set when the user is
created for the first time. After that, you are free to change the
password with the ordinary user management commands. If
users.mutableUsers is false, you cannot change user passwords,
they will always be set according to the password options.
If none of the password options are set, then no password is assigned to the user, and the user will not be able to do password-based logins.
If multiple of these password options are set at the same time then a
specific order of precedence is followed, which can lead to surprising
results. The order of precedence differs depending on whether the
users.mutableUsers option is set.
If the option users.mutableUsers is
false, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> hashedPassword -> initialPassword -> password -> hashedPasswordFile
If the option users.mutableUsers is
true, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> initialPassword -> hashedPassword -> password -> hashedPasswordFile
Type: null or string
Default:
Declared by:
- \
users.users.<name>.home¶
The user’s home directory.
Type: absolute path, not containing newlines or colons
Default:
Declared by:
- \
users.users.<name>.homeMode¶
The user’s home directory mode in numeric format. See chmod(1). The mode is only applied if users.users.<name>.createHome is true.
Type: string matching the pattern [0-7]{1,5}
Default:
Declared by:
- \
users.users.<name>.ignoreShellProgramCheck¶
By default, nixos will check that programs.SHELL.enable is set to true if the user has a custom shell specified. If that behavior isn’t required and there are custom overrides in place to make sure that the shell is functional, set this to true.
Type: boolean
Default:
Declared by:
- \
users.users.<name>.initialHashedPassword¶
Specifies the initial hashed password for the user, i.e. the
hashed password assigned if the user does not already
exist. If users.mutableUsers is true, the
password can be changed subsequently using the
passwd command. Otherwise, it’s
equivalent to setting the hashedPassword option.
The initialHashedPassword, hashedPassword,
initialPassword, password and
hashedPasswordFile options all control what password is set for
the user.
In a system where users.mutableUsers is false, typically
only one of hashedPassword, password, or
hashedPasswordFile will be set.
In a system where users.mutableUsers is true, typically
only one of initialPassword, initialHashedPassword,
or hashedPasswordFile will be set.
If the option users.mutableUsers is true, the password defined
in one of the above password options will only be set when the user is
created for the first time. After that, you are free to change the
password with the ordinary user management commands. If
users.mutableUsers is false, you cannot change user passwords,
they will always be set according to the password options.
If none of the password options are set, then no password is assigned to the user, and the user will not be able to do password-based logins.
If multiple of these password options are set at the same time then a
specific order of precedence is followed, which can lead to surprising
results. The order of precedence differs depending on whether the
users.mutableUsers option is set.
If the option users.mutableUsers is
false, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> hashedPassword -> initialPassword -> password -> hashedPasswordFile
If the option users.mutableUsers is
true, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> initialPassword -> hashedPassword -> password -> hashedPasswordFile
To generate a hashed password run mkpasswd.
If set to an empty string (""), this user will be able to log in without
being asked for a password (but not via remote services such as SSH, or
indirectly via su or sudo). This should only be used
for e.g. bootable live systems. Note: this is different from setting an
empty password, which can be achieved using
users.users.<name?>.password.
If set to null (default) this user will not be able to log in using a
password (i.e. via login command).
Type: null or (string, not containing newlines or colons)
Default:
Declared by:
- \
users.users.<name>.initialPassword¶
Specifies the initial password for the user, i.e. the
password assigned if the user does not already exist. If
users.mutableUsers is true, the password
can be changed subsequently using the
passwd command. Otherwise, it’s
equivalent to setting the password
option. The same caveat applies: the password specified here
is world-readable in the Nix store, so it should only be
used for guest accounts or passwords that will be changed
promptly.
The initialHashedPassword, hashedPassword,
initialPassword, password and
hashedPasswordFile options all control what password is set for
the user.
In a system where users.mutableUsers is false, typically
only one of hashedPassword, password, or
hashedPasswordFile will be set.
In a system where users.mutableUsers is true, typically
only one of initialPassword, initialHashedPassword,
or hashedPasswordFile will be set.
If the option users.mutableUsers is true, the password defined
in one of the above password options will only be set when the user is
created for the first time. After that, you are free to change the
password with the ordinary user management commands. If
users.mutableUsers is false, you cannot change user passwords,
they will always be set according to the password options.
If none of the password options are set, then no password is assigned to the user, and the user will not be able to do password-based logins.
If multiple of these password options are set at the same time then a
specific order of precedence is followed, which can lead to surprising
results. The order of precedence differs depending on whether the
users.mutableUsers option is set.
If the option users.mutableUsers is
false, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> hashedPassword -> initialPassword -> password -> hashedPasswordFile
If the option users.mutableUsers is
true, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> initialPassword -> hashedPassword -> password -> hashedPasswordFile
Type: null or string
Default:
Declared by:
- \
users.users.<name>.isNormalUser¶
Indicates whether this is an account for a “real” user.
This automatically sets group to users,
createHome to true,
home to /home/«username»,
useDefaultShell to true,
and isSystemUser to false.
Exactly one of isNormalUser and isSystemUser must be true.
Type: boolean
Default:
Declared by:
- \
users.users.<name>.isSystemUser¶
Indicates if the user is a system user or not. This option
only has an effect if uid is
null, in which case it determines whether
the user’s UID is allocated in the range for system users
(below 1000) or in the range for normal users (starting at
1000).
Exactly one of isNormalUser and
isSystemUser must be true.
Type: boolean
Default:
Declared by:
- \
users.users.<name>.linger¶
Whether to enable lingering for this user. If true, systemd user
units will start at boot, rather than starting at login and stopping
at logout. This is the declarative equivalent of running
loginctl enable-linger for this user.
If false, user units will not be started until the user logs in, and
may be stopped on logout depending on the settings in logind.conf.
Type: boolean
Default:
Declared by:
- \
users.users.<name>.name¶
The name of the user account. If undefined, the name of the attribute set will be used.
Type: string, not containing newlines or colons
Declared by:
- \
users.users.<name>.pamMount¶
Attributes for user’s entry in
pam_mount.conf.xml.
Useful attributes might include path,
options, fstype, and server.
See https://pam-mount.sourceforge.net/pam_mount.conf.5.html
for more information.
Type: attribute set of string
Default:
Declared by:
- \
users.users.<name>.password¶
Specifies the (clear text) password for the user. Warning: do not set confidential information here because it is world-readable in the Nix store. This option should only be used for public accounts.
The initialHashedPassword, hashedPassword,
initialPassword, password and
hashedPasswordFile options all control what password is set for
the user.
In a system where users.mutableUsers is false, typically
only one of hashedPassword, password, or
hashedPasswordFile will be set.
In a system where users.mutableUsers is true, typically
only one of initialPassword, initialHashedPassword,
or hashedPasswordFile will be set.
If the option users.mutableUsers is true, the password defined
in one of the above password options will only be set when the user is
created for the first time. After that, you are free to change the
password with the ordinary user management commands. If
users.mutableUsers is false, you cannot change user passwords,
they will always be set according to the password options.
If none of the password options are set, then no password is assigned to the user, and the user will not be able to do password-based logins.
If multiple of these password options are set at the same time then a
specific order of precedence is followed, which can lead to surprising
results. The order of precedence differs depending on whether the
users.mutableUsers option is set.
If the option users.mutableUsers is
false, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> hashedPassword -> initialPassword -> password -> hashedPasswordFile
If the option users.mutableUsers is
true, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> initialPassword -> hashedPassword -> password -> hashedPasswordFile
Type: null or string
Default:
Declared by:
- \
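The precedence rules described for the password options, modelled as a small audit function that reports which option takes effect and which risky combinations are present. This is an added example, not code from this project or its module system; the function names, finding codes and the entries in SAMPLE_USERS are constructed for illustration, and the input is assumed to be one user's options already evaluated to a plain dictionary.

```python
# Added example: a model of the documented precedence rules,
# not the module's own implementation.

# Later entries override earlier ones; keyed by the value of users.mutableUsers.
PRECEDENCE = {
    False: ["initialHashedPassword", "hashedPassword", "initialPassword",
            "password", "hashedPasswordFile"],
    True: ["initialHashedPassword", "initialPassword", "hashedPassword",
           "password", "hashedPasswordFile"],
}
# Clear-text options: their value is world-readable in the Nix store.
CLEARTEXT = {"password", "initialPassword"}
# Options for which "" means login without being asked for a password.
INLINE_HASH = {"hashedPassword", "initialHashedPassword"}


def effective_option(user, mutable_users):
    """Name of the option that wins under the documented order, or None."""
    winner = None
    for opt in PRECEDENCE[bool(mutable_users)]:
        if user.get(opt) is not None:   # null (None) means "not set"
            winner = opt                # a later option overrides an earlier one
    return winner


def audit(user, mutable_users):
    """Return (winner, findings); findings is a list of (code, detail) tuples."""
    order = PRECEDENCE[bool(mutable_users)]
    present = [o for o in order if user.get(o) is not None]
    winner = effective_option(user, mutable_users)
    findings = []
    if winner is None:
        findings.append(("NO_PASSWORD",
                         "no password option set; password-based login unavailable"))
        return winner, findings
    shadowed = [o for o in present if o != winner]
    if shadowed:
        findings.append(("SHADOWED",
                         f"{', '.join(shadowed)} overridden by {winner}"))
    for opt in present:
        if opt in CLEARTEXT:
            # Reported even when shadowed: the value still lands in the store.
            findings.append(("CLEARTEXT_IN_STORE",
                             f"{opt} is world-readable in the Nix store"))
    if winner in INLINE_HASH and user[winner] == "":
        findings.append(("PASSWORDLESS_LOGIN",
                         f'{winner} is "": local login without a password'))
    if mutable_users:
        findings.append(("SET_ONCE",
                         f"{winner} is only applied when the user is first created"))
    return winner, findings


# Constructed sample input (hash and file path are placeholders).
SAMPLE_USERS = {
    "alice": {"hashedPassword": "<placeholder-hash>", "initialPassword": "changeme"},
    "live": {"initialHashedPassword": ""},
    "svc": {},
    "bob": {"hashedPasswordFile": "/path/to/bob.hash", "password": "example"},
}

if __name__ == "__main__":
    for mutable in (False, True):
        print(f"users.mutableUsers = {str(mutable).lower()}")
        for name, opts in SAMPLE_USERS.items():
            winner, findings = audit(opts, mutable)
            print(f"  {name}: effective option = {winner}")
            for code, detail in findings:
                print(f"    [{code}] {detail}")
```

For alice the result depends on users.mutableUsers: with false the clear-text initialPassword overrides the hash, with true hashedPassword wins.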
users.users.<name>.shell¶
The path to the user’s shell. Can use shell derivations,
like pkgs.bashInteractive. Don’t
forget to enable your shell in
programs if necessary,
like programs.zsh.enable = true;.
Type: null or package or (absolute path, not containing newlines or colons)
Default:
Example:
Declared by:
- \
users.users.<name>.subGidRanges¶
Subordinate group ids that user is allowed to use.
They are set into /etc/subgid and are used
by newgidmap for user namespaces.
Type: list of (submodule)
Default:
Example:
Declared by:
- \
users.users.<name>.subGidRanges.*.count¶
Count of subordinate group ids
Type: signed integer
Default:
Declared by:
- \
users.users.<name>.subGidRanges.*.startGid¶
Start of the range of subordinate group ids that user is allowed to use.
Type: signed integer
Declared by:
- \
users.users.<name>.subUidRanges¶
Subordinate user ids that user is allowed to use.
They are set into /etc/subuid and are used
by newuidmap for user namespaces.
Type: list of (submodule)
Default:
Example:
Declared by:
- \
users.users.<name>.subUidRanges.*.count¶
Count of subordinate user ids
Type: signed integer
Default:
Declared by:
- \
users.users.<name>.subUidRanges.*.startUid¶
Start of the range of subordinate user ids that user is allowed to use.
Type: signed integer
Declared by:
- \
users.users.<name>.uid¶
The account UID. If the UID is null, a free UID is picked on activation.
Type: null or signed integer
Default:
Declared by:
- \
users.users.<name>.useDefaultShell¶
If true, the user’s shell will be set to
users.defaultUserShell.
Type: boolean
Default:
Declared by:
- \