All Module Options¶

This page contains the complete auto-generated reference for all available module options. For a curated overview of the most commonly used options, see Module Options.

Auto-generated

This documentation is automatically generated from the Nix module definitions using nixosOptionsDoc.

_module.args¶

Additional arguments passed to each module in addition to ones like lib, config, and pkgs, modulesPath.

This option is also available to all submodules. Submodules do not inherit args from their parent module, nor do they provide args to their parent module or sibling submodules. The sole exception to this is the argument name which is provided by parent modules to a submodule and contains the attribute name the submodule is bound to, or a unique generated name if it is not bound to an attribute.

Some arguments are already passed by default, of which the following cannot be changed with this option:

lib: The nixpkgs library.
config: The results of all options after merging the values from all modules together.
options: The options declared in all modules.
specialArgs: The specialArgs argument passed to evalModules.
All attributes of specialArgs

Whereas option values can generally depend on other option values thanks to laziness, this does not apply to imports, which must be computed statically before anything else.

For this reason, callers of the module system can provide specialArgs which are available during import resolution.

For NixOS, specialArgs includes modulesPath, which allows you to import extra modules from the nixpkgs package tree without having to somehow make the module aware of the location of the nixpkgs or NixOS directories.

{ modulesPath, ... }: {
  imports = [
    (modulesPath + "/profiles/minimal.nix")
  ];
}

For NixOS, the default value for this option includes at least this argument:

pkgs: The nixpkgs package set according to the nixpkgs.pkgs option.

Type: lazy attribute set of raw value

Declared by: - \

boot¶

This option has no description.

Type: raw value

Declared by: - \

build.etc.entries¶

This option has no description.

Type: attribute set of raw value

Declared by: - \

build.etc.staticEnv¶

This option has no description.

Type: package

Declared by: - \

build.scripts¶

This option has no description.

Type: attribute set of package

Declared by: - \

build.services¶

This option has no description.

Type: attribute set of raw value

Declared by: - \

build.toplevel¶

This option has no description.

Type: path in the Nix store (read only)

Declared by: - \

environment.etc¶

Set of files that have to be linked in /etc.

Type: attribute set of (submodule)

Default: { }

Example:

{ example-configuration-file =
    { source = "/nix/store/.../etc/dir/file.conf.example";
      mode = "0440";
    };
  "default/useradd".text = "GROUP=100 ...";
}

Declared by: - \

environment.etc.\.enable¶

Whether this /etc file should be generated. This option allows specific /etc files to be disabled.

Type: boolean

Default: true

Declared by: - \

environment.etc.\.gid¶

GID of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’).

Type: signed integer

Default: 0

Declared by: - \

environment.etc.\.group¶

Group name of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’). Changing this option takes precedence over gid.

Type: string

Default: "+0"

Declared by: - \

environment.etc.\.mode¶

If set to something else than symlink, the file is copied instead of symlinked, with the given file mode.

Type: string

Default: "symlink"

Example: "0600"

Declared by: - \

environment.etc.\.source¶

Path of the source file.

Type: absolute path

Declared by: - \

environment.etc.\.target¶

Name of symlink (relative to /etc). Defaults to the attribute name.

Type: string

Declared by: - \

environment.etc.\.text¶

Text of the file.

Type: null or strings concatenated with “\n”

Default: null

Declared by: - \

environment.etc.\.uid¶

UID of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’).

Type: signed integer

Default: 0

Declared by: - \

environment.etc.\.user¶

User name of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’). Changing this option takes precedence over uid.

Type: string

Default: "+0"

Declared by: - \

environment.pathsToLink¶

This option has no description.

Type: list of string

Default: [ ]

Declared by: - \

environment.systemPackages¶

This option has no description.

Type: list of package

Default: [ ]

Declared by: - \

meta.maintainers¶

List of maintainers of each module. This option should be defined at most once per module.

The option value is not a list of maintainers, but an attribute set that maps module file names to lists of maintainers.

Type: list of (maintainer)

Default: [ ]

Example: [ lib.maintainers.alice lib.maintainers.bob ]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/modules/generic/meta-maintainers.nix

networking.enableIPv6¶

Whether to enable IPv6.

Type: boolean

Default: true

Example: true

Declared by: - \

nix.enable¶

Whether to enable Nix. Disabling Nix makes the system hard to modify and the Nix programs and configuration will not be made available by NixOS itself.

Type: boolean

Default: true

Declared by: - \

nix.package¶

This option specifies the Nix package instance to use throughout the system.

Type: package

Default: pkgs.nix

Declared by: - \

nix.checkAllErrors¶

If enabled, checks the nix.conf parsing for any kind of error. When disabled, checks only for unknown settings.

Type: boolean

Default: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.checkConfig¶

If enabled, checks that Nix can parse the generated nix.conf.

Type: boolean

Default: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.extraOptions¶

Additional text appended to nix.conf.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  keep-outputs = true
  keep-derivations = true
''

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.settings¶

Configuration for Nix, see https://nixos.org/manual/nix/stable/command-ref/conf-file.html or nix.conf(5) for available options. The value declared here will be translated directly to the key-value pairs Nix expects.

You can use nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings to view the current value. By default it is empty.

Nix configurations defined under nix.* will be translated and applied to this option. In addition, configuration specified in nix.extraOptions will be appended verbatim to the resulting config file.

Type: open submodule of attribute set of (Nix config atom (null, bool, int, float, str, path or package) or list of (Nix config atom (null, bool, int, float, str, path or package)))

Default: { }

Example:

{
  use-sandbox = true;
  show-trace = true;

  sandbox-paths = [ "/bin/sh=${pkgs.busybox-sandbox-shell.out}/bin/busybox" ];
}

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.settings.allowed-users¶

A list of names of users (separated by whitespace) that are allowed to connect to the Nix daemon. As with nix.settings.trusted-users, you can specify groups by prefixing them with @. Also, you can allow all users by specifying *. The default is *. Note that trusted users are always allowed to connect.

Type: list of string

Default:

1
2
3

[
  "*"
]

Example:

[
  "@wheel"
  "@builders"
  "alice"
  "bob"
]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.settings.auto-optimise-store¶

If set to true, Nix automatically detects files in the store that have identical contents, and replaces them with hard links to a single copy. This saves disk space. If set to false (the default), you can still run nix-store --optimise to get rid of duplicate files.

Type: boolean

Default: false

Example: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.settings.cores¶

This option defines the maximum number of concurrent tasks during one build. It affects, e.g., -j option for make. The special value 0 means that the builder should use all available CPU cores in the system. Some builds may become non-deterministic with this option; use with care! Packages will only be affected if enableParallelBuilding is set for them.

Type: signed integer

Default: 0

Example: 64

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.settings.extra-sandbox-paths¶

Directories from the host filesystem to be included in the sandbox.

Type: list of string

Default: [ ]

Example:

[
  "/dev"
  "/proc"
]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.settings.max-jobs¶

This option defines the maximum number of jobs that Nix will try to build in parallel. The default is auto, which means it will use all available logical cores. It is recommend to set it to the total number of logical cores in your system (e.g., 16 for two CPUs with 4 cores each and hyper-threading).

Type: signed integer or value “auto” (singular enum)

Default: "auto"

Example: 64

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.settings.require-sigs¶

If enabled (the default), Nix will only download binaries from binary caches if they are cryptographically signed with any of the keys listed in nix.settings.trusted-public-keys. If disabled, signatures are neither required nor checked, so it’s strongly recommended that you use only trustworthy caches and https to prevent man-in-the-middle attacks.

Type: boolean

Default: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.settings.sandbox¶

If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies outside of the Nix store by using network and mount namespaces in a chroot environment.

This is enabled by default even though it has a possible performance impact due to the initial setup time of a sandbox for each build. It doesn’t affect derivation hashes, so changing this option will not trigger a rebuild of packages.

When set to “relaxed”, this option permits derivations that set __noChroot = true; to run outside of the sandboxed environment. Exercise caution when using this mode of operation! It is intended to be a quick hack when building with packages that are not easily setup to be built reproducibly.

Type: boolean or value “relaxed” (singular enum)

Default: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.settings.substituters¶

List of binary cache URLs used to obtain pre-built binaries of Nix packages.

By default https://cache.nixos.org/ is added.

Type: list of string

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.settings.system-features¶

The set of features supported by the machine. Derivations can express dependencies on system features through the requiredSystemFeatures attribute.

Type: list of string

Default: [ "nixos-test" "benchmark" "big-parallel" "kvm" "gccarch-<arch>" ]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.settings.trusted-public-keys¶

List of public keys used to sign binary caches. If nix.settings.trusted-public-keys is enabled, then Nix will use a binary from a binary cache if and only if it is signed by any of the keys listed here. By default, only the key for cache.nixos.org is included.

Type: list of string

Example:

1
2
3

[
  "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.settings.trusted-substituters¶

List of binary cache URLs that non-root users can use (in addition to those specified using nix.settings.substituters) by passing --option binary-caches to Nix commands.

Type: list of string

Default: [ ]

Example:

1
2
3

[
  "https://hydra.nixos.org/"
]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nix.settings.trusted-users¶

A list of names of users that have additional rights when connecting to the Nix daemon, such as the ability to specify additional binary caches, or to import unsigned NARs. You can also specify groups by prefixing them with @; for instance, @wheel means all users in the wheel group.

Type: list of string

Example:

[
  "root"
  "alice"
  "@wheel"
]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/config/nix.nix

nixpkgs.buildPlatform¶

This option has no description.

Type: string

Default: "x86_64-linux"

Example: "x86_64-linux"

Declared by: - \

nixpkgs.config¶

Configuration used to instantiate nixpkgs.

Type: attribute set

Default: { }

Declared by: - \

nixpkgs.hostPlatform¶

The platform for which to build the system configuration.

Type: string or (attribute set)

Default: "x86_64-linux"

Example: "x86_64-linux"

Declared by: - \

nixpkgs.overlays¶

This option has no description.

Type: list of anything

Default: [ ]

Declared by: - \

security.acme.acceptTerms¶

Accept the CA’s terms of service. The default provider is Let’s Encrypt, you can find their ToS at https://letsencrypt.org/repository/.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs¶

Attribute set of certificates to get signed and renewed. Creates acme-${cert}.{service,timer} systemd units for each certificate defined here. Other services can add dependencies to those units if they rely on the certificates being present, or trigger restarts of the service if certificates get renewed.

Type: attribute set of (submodule)

Default: { }

Example:

{
  "example.com" = {
    webroot = "/var/lib/acme/acme-challenge/";
    email = "foo@example.com";
    extraDomainNames = [ "www.example.com" "foo.example.com" ];
  };
  "bar.example.com" = {
    webroot = "/var/lib/acme/acme-challenge/";
    email = "bar@example.com";
  };
}

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.enableDebugLogs¶

Whether to enable debug logging for this certificate.

Type: boolean

Default: config.security.acme.defaults.enableDebugLogs

Example: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.credentialFiles¶

Environment variables suffixed by “_FILE” to set for the cert’s service for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider. This allows to securely pass credential files to lego by leveraging systemd credentials.

Type: attribute set of absolute path

Default: config.security.acme.defaults.credentialFiles

Example:

1
2
3

{
  "RFC2136_TSIG_SECRET_FILE" = "/run/secrets/tsig-secret-example.org";
}

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.csr¶

Path to a certificate signing request to apply when fetching the certificate.

Type: null or string

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.csrKey¶

Path to the private key to the matching certificate signing request.

Type: null or string

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.directory¶

Directory where certificate and other state is stored.

Type: string (read only)

Default: "/var/lib/acme/‹name›"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.dnsPropagationCheck¶

Toggles lego DNS propagation check, which is used alongside DNS-01 challenge to ensure the DNS entries required are available.

Type: boolean

Default: config.security.acme.defaults.dnsPropagationCheck

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.dnsProvider¶

DNS Challenge provider. For a list of supported providers, see the “code” field of the DNS providers listed at https://go-acme.github.io/lego/dns/.

Type: null or string

Default: config.security.acme.defaults.dnsProvider

Example: "route53"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.dnsResolver¶

Set the resolver to use for performing recursive DNS queries. Supported: host:port. The default is to use the system resolvers, or Google’s DNS resolvers if the system’s cannot be determined.

Type: null or string

Default: config.security.acme.defaults.dnsResolver

Example: "1.1.1.1:53"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.domain¶

Domain to fetch certificate for (defaults to the entry name).

Type: string

Default: "‹name›"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.email¶

Email address for account creation and correspondence from the CA. It is recommended to use the same email for all certs to avoid account creation limits.

Type: null or string

Default: config.security.acme.defaults.email

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.environmentFile¶

Path to an EnvironmentFile for the cert’s service containing any required and optional environment variables for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider.

Type: null or absolute path

Default: config.security.acme.defaults.environmentFile

Example: "/var/src/secrets/example.org-route53-api-token"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.extraDomainNames¶

A list of extra domain names, which are included in the one certificate to be issued.

Type: list of string

Default: [ ]

Example:

[
  "example.org"
  "mydomain.org"
]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.extraLegoFlags¶

Additional global flags to pass to all lego commands.

Type: list of string

Default: config.security.acme.defaults.extraLegoFlags

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.extraLegoRenewFlags¶

Additional flags to pass to lego renew.

Type: list of string

Default: config.security.acme.defaults.extraLegoRenewFlags

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.extraLegoRunFlags¶

Additional flags to pass to lego run.

Type: list of string

Default: config.security.acme.defaults.extraLegoRunFlags

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.group¶

Group running the ACME client.

Type: string

Default: config.security.acme.defaults.group

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.inheritDefaults¶

Whether to inherit values set in security.acme.defaults or not.

Type: boolean

Default: true

Example: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.keyType¶

Key type to use for private keys. For an up to date list of supported values check the --key-type option at https://go-acme.github.io/lego/usage/cli/options/.

Type: string

Default: config.security.acme.defaults.keyType

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.listenHTTP¶

Interface and port to listen on to solve HTTP challenges in the form [INTERFACE]:PORT. If you use a port other than 80, you must proxy port 80 to this port.

Type: null or string

Default: config.security.acme.defaults.listenHTTP

Example: ":1360"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.ocspMustStaple¶

Turns on the OCSP Must-Staple TLS extension. Make sure you know what you’re doing! See:

Type: boolean

Default: config.security.acme.defaults.ocspMustStaple

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.postRun¶

Commands to run after new certificates go live. Note that these commands run as the root user.

Executed in the same directory with the new certificate.

Type: strings concatenated with “\n”

Default: config.security.acme.defaults.postRun

Example: "cp full.pem backup.pem"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.profile¶

The certificate profile to choose if the CA offers multiple profiles.

Type: null or string

Default: config.security.acme.defaults.profile

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.reloadServices¶

The list of systemd services to call systemctl try-reload-or-restart on.

Type: list of string

Default: config.security.acme.defaults.reloadServices

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.renewInterval¶

Systemd calendar expression when to check for renewal. See systemd.time(7).

Type: string

Default: config.security.acme.defaults.renewInterval

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.s3Bucket¶

S3 bucket name to use for HTTP-01 based challenges. Challenges will be written to the S3 bucket.

Type: null or string

Default: null

Example: "acme"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.server¶

ACME Directory Resource URI. Defaults to Let’s Encrypt’s production endpoint. For testing Let’s Encrypt’s staging endpoint should be used to avoid the rather tight rate limit on the production endpoint.

Type: null or string

Default: config.security.acme.defaults.server

Example: "https://acme-staging-v02.api.letsencrypt.org/directory"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.validMinDays¶

Minimum remaining validity before renewal in days.

Type: signed integer

Default: config.security.acme.defaults.validMinDays

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.certs.\.webroot¶

Where the webroot of the HTTP vhost is located. .well-known/acme-challenge/ directory will be created below the webroot if it doesn’t exist. http://example.org/.well-known/acme-challenge/ must also be available (notice unencrypted HTTP).

Type: null or string

Default: config.security.acme.defaults.webroot

Example: "/var/lib/acme/acme-challenge"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults¶

Default values inheritable by all configured certs. You can use this to define options shared by all your certs. These defaults can also be ignored on a per-cert basis using the security.acme.certs.${cert}.inheritDefaults option.

Type: submodule

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.enableDebugLogs¶

Whether to enable debug logging for this certificate.

Type: boolean

Default: true

Example: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.credentialFiles¶

Environment variables suffixed by “_FILE” to set for the cert’s service for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider. This allows to securely pass credential files to lego by leveraging systemd credentials.

Type: attribute set of absolute path

Default: { }

Example:

1
2
3

{
  "RFC2136_TSIG_SECRET_FILE" = "/run/secrets/tsig-secret-example.org";
}

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.dnsPropagationCheck¶

Toggles lego DNS propagation check, which is used alongside DNS-01 challenge to ensure the DNS entries required are available.

Type: boolean

Default: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.dnsProvider¶

DNS Challenge provider. For a list of supported providers, see the “code” field of the DNS providers listed at https://go-acme.github.io/lego/dns/.

Type: null or string

Default: null

Example: "route53"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.dnsResolver¶

Set the resolver to use for performing recursive DNS queries. Supported: host:port. The default is to use the system resolvers, or Google’s DNS resolvers if the system’s cannot be determined.

Type: null or string

Default: null

Example: "1.1.1.1:53"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.email¶

Email address for account creation and correspondence from the CA. It is recommended to use the same email for all certs to avoid account creation limits.

Type: null or string

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.environmentFile¶

Path to an EnvironmentFile for the cert’s service containing any required and optional environment variables for your selected dnsProvider. To find out what values you need to set, consult the documentation at https://go-acme.github.io/lego/dns/ for the corresponding dnsProvider.

Type: null or absolute path

Default: null

Example: "/var/src/secrets/example.org-route53-api-token"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.extraLegoFlags¶

Additional global flags to pass to all lego commands.

Type: list of string

Default: [ ]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.extraLegoRenewFlags¶

Additional flags to pass to lego renew.

Type: list of string

Default: [ ]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.extraLegoRunFlags¶

Additional flags to pass to lego run.

Type: list of string

Default: [ ]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.group¶

Group running the ACME client.

Type: string

Default: "acme"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.keyType¶

Key type to use for private keys. For an up to date list of supported values check the --key-type option at https://go-acme.github.io/lego/usage/cli/options/.

Type: string

Default: "ec256"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.listenHTTP¶

Interface and port to listen on to solve HTTP challenges in the form [INTERFACE]:PORT. If you use a port other than 80, you must proxy port 80 to this port.

Type: null or string

Default: null

Example: ":1360"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.ocspMustStaple¶

Turns on the OCSP Must-Staple TLS extension. Make sure you know what you’re doing! See:

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.postRun¶

Commands to run after new certificates go live. Note that these commands run as the root user.

Executed in the same directory with the new certificate.

Type: strings concatenated with “\n”

Default: ""

Example: "cp full.pem backup.pem"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.profile¶

The certificate profile to choose if the CA offers multiple profiles.

Type: null or string

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.reloadServices¶

The list of systemd services to call systemctl try-reload-or-restart on.

Type: list of string

Default: [ ]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.renewInterval¶

Systemd calendar expression when to check for renewal. See systemd.time(7).

Type: string

Default: "daily"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.server¶

ACME Directory Resource URI. Defaults to Let’s Encrypt’s production endpoint. For testing Let’s Encrypt’s staging endpoint should be used to avoid the rather tight rate limit on the production endpoint.

Type: null or string

Default: "https://acme-v02.api.letsencrypt.org/directory"

Example: "https://acme-staging-v02.api.letsencrypt.org/directory"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.validMinDays¶

Minimum remaining validity before renewal in days.

Type: signed integer

Default: 30

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.defaults.webroot¶

Where the webroot of the HTTP vhost is located. .well-known/acme-challenge/ directory will be created below the webroot if it doesn’t exist. http://example.org/.well-known/acme-challenge/ must also be available (notice unencrypted HTTP).

Type: null or string

Default: null

Example: "/var/lib/acme/acme-challenge"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.maxConcurrentRenewals¶

Maximum number of concurrent certificate generation or renewal jobs. All other jobs will queue and wait running jobs to finish. Reduces the system load of certificate generation.

Set to 0 to allow unlimited number of concurrent job runs."

Type: signed integer

Default: 5

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

security.acme.useRoot¶

Whether to use the root user when generating certs. This is not recommended for security + compatibility reasons. If a service requires root owned certificates consider following the guide on “Using ACME with services demanding root owned certificates” in the NixOS manual, and only using this as a fallback or for testing.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/security/acme/

services.nginx.enable¶

Whether to enable Nginx Web Server.

Type: boolean

Default: false

Example: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.enableQuicBPF¶

Enables routing of QUIC packets using eBPF. When enabled, this allows to support QUIC connection migration. The directive is only supported on Linux 5.7+. Note that enabling this option will make nginx run with extended capabilities that are usually limited to processes running as root namely CAP_SYS_ADMIN and CAP_NET_ADMIN.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.enableReload¶

Reload nginx when configuration file changes (instead of restart). The configuration file is exposed at /etc/nginx/nginx.conf. See also systemd.services.*.restartIfChanged.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.package¶

Nginx package to use. This defaults to the stable version. Note that the nginx team recommends to use the mainline version which available in nixpkgs as nginxMainline. Supported Nginx forks include angie, openresty and tengine.

Type: package

Default: pkgs.nginxStable

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.additionalModules¶

Additional third-party nginx modules to install. Packaged modules are available in pkgs.nginxModules.

Type: list of attribute set of anything

Default: [ ]

Example: [ pkgs.nginxModules.echo ]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.appendConfig¶

Configuration lines appended to the generated Nginx configuration file. Commonly used by different modules providing http snippets. appendConfig can be specified more than once and its value will be concatenated (contrary to config which can be set only once).

Type: strings concatenated with “\n”

Default: ""

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.appendHttpConfig¶

Configuration lines to be appended to the generated http block. This is mutually exclusive with using config and httpConfig for specifying the whole http block verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.clientMaxBodySize¶

Set nginx global client_max_body_size.

Type: string

Default: "10m"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.commonHttpConfig¶

With nginx you must provide common http context definitions before they are used, e.g. log_format, resolver, etc. inside of server or location contexts. Use this attribute to set these definitions at the appropriate location.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  resolver 127.0.0.1 valid=5s;

  log_format myformat '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent"';
''

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.config¶

Verbatim nginx.conf configuration. This is mutually exclusive to any other config option for nginx.conf except for

If additional verbatim config in addition to other options is needed, should be used instead.

Type: string

Default: ""

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.defaultHTTPListenPort¶

If vhosts do not specify listen.port, use these ports for HTTP by default.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 80

Example: 8080

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.defaultListen¶

If vhosts do not specify listen, use these addresses by default. This option takes precedence over defaultListenAddresses and other listen-related defaults options.

Type: list of (submodule)

Default: [ ]

Example:

[
  { addr = "10.0.0.12"; proxyProtocol = true; ssl = true; }
  { addr = "0.0.0.0"; }
  { addr = "[::0]"; }
]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.defaultListen.*.addr¶

IP address.

Type: string

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.defaultListen.*.extraParameters¶

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.defaultListen.*.port¶

Port number.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.defaultListen.*.proxyProtocol¶

Enable PROXY protocol.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.defaultListen.*.ssl¶

Enable SSL.

Type: null or boolean

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.defaultListenAddresses¶

If vhosts do not specify listenAddresses, use these addresses by default. This is akin to writing defaultListen = [ { addr = "0.0.0.0" } ].

Type: list of string

Default: [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]"

Example: [ "10.0.0.12" "[2002:a00:1::]" ]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.defaultMimeTypes¶

Default MIME types for NGINX, as MIME types definitions from NGINX are very incomplete, we use by default the ones bundled in the mailcap package, used by most of the other Linux distributions.

Type: absolute path

Default: $''{pkgs.mailcap}/etc/nginx/mime.types

Example: $''{pkgs.nginx}/conf/mime.types

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.defaultSSLListenPort¶

If vhosts do not specify listen.port, use these ports for SSL by default.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 443

Example: 8443

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.eventsConfig¶

Configuration lines to be set inside the events block.

Type: strings concatenated with “\n”

Default: ""

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.experimentalZstdSettings¶

Enable alpha quality zstd module with recommended settings. Learn more about compression in Zstd format here.

This adds pkgs.nginxModules.zstd to services.nginx.additionalModules.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.group¶

Group account under which nginx runs.

Type: string

Default: "nginx"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.httpConfig¶

Configuration lines to be set inside the http block. This is mutually exclusive with the structured configuration via virtualHosts and the recommendedXyzSettings configuration options. See appendHttpConfig for appending to the generated http block.

Type: strings concatenated with “\n”

Default: ""

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.logError¶

Configures logging. The first parameter defines a file that will store the log. The special value stderr selects the standard error file. Logging to syslog can be configured by specifying the “syslog:” prefix. The second parameter determines the level of logging, and can be one of the following: debug, info, notice, warn, error, crit, alert, or emerg. Log levels above are listed in the order of increasing severity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged. If this parameter is omitted then error is used.

Type: string

Default: "stderr"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.mapHashBucketSize¶

Sets the bucket size for the map variables hash tables. Default value depends on the processor’s cache line size.

Refer to the nginx docs on hashes for more information.

Type: null or (positive integer, meaning >0)

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.mapHashMaxSize¶

Sets the maximum size of the map variables hash tables.

Type: null or (positive integer, meaning >0)

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.preStart¶

Shell commands executed before the service’s nginx is started.

Type: strings concatenated with “\n”

Default: ""

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.prependConfig¶

Configuration lines prepended to the generated Nginx configuration file. Can for example be used to load modules. prependConfig can be specified more than once and its value will be concatenated (contrary to config which can be set only once).

Type: strings concatenated with “\n”

Default: ""

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.proxyCachePath¶

Configure a proxy cache path entry. See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path for documentation.

Type: attribute set of (submodule)

Default: { }

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.proxyCachePath.\.enable¶

Whether to enable this proxy cache path entry.

Type: boolean

Default: false

Example: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.proxyCachePath.\.inactive¶

Cached data that has not been accessed for the time specified by the inactive parameter is removed from the cache, regardless of its freshness.

Type: string

Default: "10m"

Example: "1d"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.proxyCachePath.\.keysZoneName¶

Set name to shared memory zone.

Type: string

Default: "cache"

Example: "my_cache"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.proxyCachePath.\.keysZoneSize¶

Set size to shared memory zone.

Type: string

Default: "10m"

Example: "32m"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.proxyCachePath.\.levels¶

The levels parameter defines structure of subdirectories in cache: from 1 to 3, each level accepts values 1 or 2. Can be used any combination of 1 and 2 in these formats: x, x:x and xx.

Type: string

Default: "1:2"

Example: "1:2:2"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.proxyCachePath.\.maxSize¶

Set maximum cache size

Type: string

Default: "1g"

Example: "2048m"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.proxyCachePath.\.useTempPath¶

Nginx first writes files that are destined for the cache to a temporary storage area, and the use_temp_path=off directive instructs Nginx to write them to the same directories where they will be cached. Recommended that you set this parameter to off to avoid unnecessary copying of data between file systems.

Type: boolean

Default: false

Example: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.proxyResolveWhileRunning¶

Resolves domains of proxyPass targets at runtime and not only at startup. This can be used as a workaround if nginx fails to start because of not-yet-working DNS.

:::{.warn} services.nginx.resolver must be set for this option to work. :::

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.proxyTimeout¶

Change the proxy related timeouts in recommendedProxySettings.

Type: string

Default: "60s"

Example: "20s"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.recommendedBrotliSettings¶

Enable recommended brotli settings. Learn more about compression in Brotli format here.

This adds pkgs.nginxModules.brotli to services.nginx.additionalModules.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.recommendedGzipSettings¶

Enable recommended gzip settings. Learn more about compression in Gzip format here.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.recommendedOptimisation¶

Enable recommended optimisation settings.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.recommendedProxySettings¶

Whether to enable recommended proxy settings if a vhost does not specify the option manually.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.recommendedTlsSettings¶

Enable recommended TLS settings.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.recommendedUwsgiSettings¶

Whether to enable recommended uwsgi settings if a vhost does not specify the option manually.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.resolver¶

Configures name servers used to resolve names of upstream servers into addresses

Type: submodule

Default: { }

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.resolver.addresses¶

List of resolvers to use

Type: list of string

Default: [ ]

Example: [ "[::1]" "127.0.0.1:5353" ]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.resolver.ipv4¶

By default, nginx will look up both IPv4 and IPv6 addresses while resolving. If looking up of IPv4 addresses is not desired, the ipv4=off parameter can be specified.

Type: boolean

Default: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.resolver.ipv6¶

By default, nginx will look up both IPv4 and IPv6 addresses while resolving. If looking up of IPv6 addresses is not desired, the ipv6=off parameter can be specified.

Type: boolean

Default: config.networking.enableIPv6

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.resolver.valid¶

By default, nginx caches answers using the TTL value of a response. An optional valid parameter allows overriding it

Type: string

Default: ""

Example: "30s"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.serverNamesHashBucketSize¶

Sets the bucket size for the server names hash tables. Default value depends on the processor’s cache line size.

Type: null or (positive integer, meaning >0)

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.serverNamesHashMaxSize¶

Sets the maximum size of the server names hash tables.

Type: null or (positive integer, meaning >0)

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.serverTokens¶

Show nginx version in headers and error pages.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.sslCiphers¶

Ciphers to choose from when negotiating TLS handshakes.

Type: null or string

Default: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.sslDhparam¶

Path to DH parameters file.

Type: null or absolute path

Default: null

Example: "/path/to/dhparams.pem"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.sslProtocols¶

Allowed TLS protocol versions.

Type: string

Default: "TLSv1.2 TLSv1.3"

Example: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.statusPage¶

Enable status page reachable from localhost on http://127.0.0.1/nginx_status.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.streamConfig¶

Configuration lines to be set inside the stream block.

Type: strings concatenated with “\n”

Default: ""

Example:

''
  server {
    listen 127.0.0.1:53 udp reuseport;
    proxy_timeout 20s;
    proxy_pass 192.168.0.1:53535;
  }
''

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.typesHashMaxSize¶

Sets the maximum size of the types hash tables (types_hash_max_size). It is recommended that the minimum size possible size is used. If recommendedOptimisation is disabled, nginx would otherwise fail to start since the mailmap mime.types database has more entries than the nginx default value 1024.

Type: positive integer, meaning >0

Default: if config.services.nginx.defaultMimeTypes == "${pkgs.mailcap}/etc/nginx/mime.types" then 2688 else 1024

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.upstreams¶

Defines a group of servers to use as proxy target.

Type: attribute set of (submodule)

Default: { }

Example:

{
  backend = {
    extraConfig = ''
      keepalive 16;
    '';
    servers = {
      "backend1.example.com:8080" = {
        weight = 5;
      };
      "backend2.example.com" = {
        fail_timeout = "30s";
        max_fails = 3;
      };
      "backend3.example.com" = { };
      "backup1.example.com" = {
        backup = true;
      };
      "backup2.example.com" = {
        backup = true;
      };
    };
  };
  memcached = {
    servers = {
      "unix:/run/memcached/memcached.sock" = { };
    };
  };
}

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.upstreams.\.extraConfig¶

These lines go to the end of the upstream verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.upstreams.\.servers¶

Defines the address and other parameters of the upstream servers. See the documentation for the available parameters.

Type: attribute set of (open submodule of attribute set of (boolean or signed integer or string))

Default: { }

Example: see

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.upstreams.\.servers.\.backup¶

Marks the server as a backup server. It will be passed requests when the primary servers are unavailable.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.user¶

User account under which nginx runs.

Type: string

Default: "nginx"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.uwsgiResolveWhileRunning¶

Resolves domains of uwsgi targets at runtime and not only at start, you have to set services.nginx.resolver, too.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.uwsgiTimeout¶

Change the uwsgi related timeouts in recommendedUwsgiSettings.

Type: string

Default: "60s"

Example: "20s"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.validateConfigFile¶

Whether to enable validating configuration with pkgs.writeNginxConfig.

Type: boolean

Default: true

Example: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts¶

Declarative vhost config

Type: attribute set of (submodule)

Default:

1
2
3

{
  localhost = { };
}

Example:

{
  "hydra.example.com" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://localhost:3000";
    };
  };
};

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.enableACME¶

Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.acmeFallbackHost¶

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Type: null or string

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.acmeRoot¶

Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.

Type: null or string

Default: "/var/lib/acme/acme-challenge"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.addSSL¶

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.basicAuth¶

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

1
2
3

{
  user = "password";
};

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.basicAuthFile¶

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or absolute path

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.default¶

Makes this vhost the default.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.extraConfig¶

These lines go to the end of the vhost verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.forceSSL¶

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.globalRedirect¶

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Type: null or string

Default: null

Example: "newserver.example.org"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.http2¶

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Type: boolean

Default: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.http3¶

Whether to enable the HTTP/3 protocol. This requires activating the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Type: boolean

Default: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.http3_hq¶

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires activating the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.kTLS¶

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.listen¶

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Type: list of (submodule)

Default: [ ]

Example:

[
  {
    addr = "195.154.1.1";
    port = 443;
    ssl = true;
  }
  {
    addr = "192.154.1.1";
    port = 80;
  }
  {
    addr = "unix:/var/run/nginx.sock";
  }
]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.listen.*.addr¶

Listen address.

Type: string

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.listen.*.extraParameters¶

Extra parameters of this listen directive.

Type: list of string

Default: [ ]

Example:

[
  "backlog=1024"
  "deferred"
]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.listen.*.port¶

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.listen.*.proxyProtocol¶

Enable PROXY protocol.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.listen.*.ssl¶

Enable SSL.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.listenAddresses¶

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides networking.enableIPv6

Type: list of string

Default: [ ]

Example:

[
  "127.0.0.1"
  "[::1]"
]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations¶

Declarative location config

Type: attribute set of (submodule)

Default: { }

Example:

{
  "/" = {
    proxyPass = "http://localhost:3000";
  };
};

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.alias¶

Alias directory for requests.

Type: null or absolute path

Default: null

Example: "/your/alias/directory"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.basicAuth¶

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Type: attribute set of string

Default: { }

Example:

1
2
3

{
  user = "password";
};

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.basicAuthFile¶

Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Type: null or absolute path

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.extraConfig¶

These lines go to the end of the location verbatim.

Type: strings concatenated with “\n”

Default: ""

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.fastcgiParams¶

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.

Type: attribute set of (string or absolute path)

Default: { }

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.index¶

Adds index directive.

Type: null or string

Default: null

Example: "index.php index.html"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.priority¶

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Type: signed integer

Default: 1000

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.proxyPass¶

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Type: null or string

Default: null

Example: "http://www.example.org/"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.proxyWebsockets¶

Whether to support proxying websocket connections with HTTP/1.1.

Type: boolean

Default: false

Example: true

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.recommendedProxySettings¶

Enable recommended proxy settings.

Type: boolean

Default: config.services.nginx.recommendedProxySettings

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.recommendedUwsgiSettings¶

Enable recommended uwsgi settings.

Type: boolean

Default: config.services.nginx.recommendedUwsgiSettings

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.return¶

Adds a return directive, for e.g. redirections.

Type: null or string or signed integer

Default: null

Example: "301 http://example.com$request_uri"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.root¶

Root directory for requests.

Type: null or absolute path

Default: null

Example: "/your/root/directory"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.tryFiles¶

Adds try_files directive.

Type: null or string

Default: null

Example: "$uri =404"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.locations.\.uwsgiPass¶

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Type: null or string

Default: null

Example: "unix:/run/example/example.sock"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.onlySSL¶

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.quic¶

Whether to enable the QUIC transport protocol. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.redirectCode¶

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Type: integer between 300 and 399 (both inclusive)

Default: 301

Example: 308

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.rejectSSL¶

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.reuseport¶

Create an individual listening socket . It is required to specify only once on one of the hosts.

Type: boolean

Default: false

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.root¶

The path of the web root directory.

Type: null or absolute path

Default: null

Example: "/data/webserver/docs"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.serverAliases¶

Additional names of virtual hosts served by this virtual host configuration.

Type: list of string

Default: [ ]

Example:

[
  "www.example.org"
  "example.org"
]

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.serverName¶

Name of this virtual host. Defaults to attribute name in virtualHosts.

Type: null or string

Default: null

Example: "example.org"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.sslCertificate¶

Path to server SSL certificate.

Type: absolute path

Example: "/var/host.cert"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.sslCertificateKey¶

Path to server SSL certificate key.

Type: absolute path

Example: "/var/host.key"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.sslTrustedCertificate¶

Path to root SSL certificate for stapling and client certificates.

Type: null or absolute path

Default: null

Example: "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

services.nginx.virtualHosts.\.useACMEHost¶

A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using .

Type: null or string

Default: null

Declared by: - /nix/store/wydlcl33b23wqd2ca39k3mjshj44v5ab-ln4j1iqnnzs2ynx2cr88bdh65fmds2aq-source/nixos/modules/services/web-servers/nginx/

system-manager.allowAnyDistro¶

Whether to enable the usage of system-manager on untested distributions.

Type: boolean

Default: false

Example: true

Declared by: - \

system-manager.preActivationAssertions¶

This option has no description.

Type: attribute set of (submodule)

Default: { }

Declared by: - \

system-manager.preActivationAssertions.\.enable¶

Whether to enable the assertion.

Type: boolean

Default: false

Example: true

Declared by: - \

system-manager.preActivationAssertions.\.name¶

This option has no description.

Type: string

Default: "‹name›"

Declared by: - \

system-manager.preActivationAssertions.\.script¶

This option has no description.

Type: string

Declared by: - \

systemd.enableStrictShellChecks¶

Whether to enable running shellcheck on the generated scripts for systemd units…

Type: boolean

Default: false

Example: true

Declared by: - \

systemd.package¶

This option has no description.

Type: string or absolute path or package

Default: <derivation systemd-minimal-258.2>

Declared by: - \

systemd.packages¶

Packages providing systemd units and hooks.

Type: list of package

Default: [ ]

Example: [ pkgs.systemd-cryptsetup-generator ]

Declared by: - \

systemd.automounts¶

Definition of systemd automount units. This is a list instead of an attrSet, because systemd mandates the names to be derived from the ‘where’ attribute.

Type: list of (submodule)

Default: [ ]

Declared by: - \

systemd.automounts.*.enable¶

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by: - \

systemd.automounts.*.after¶

If the specified units are started at the same time as this unit, delay this unit until they have started.

Default: [ ]

Declared by: - \

systemd.automounts.*.aliases¶

Aliases of that unit.

Default: [ ]

Declared by: - \

systemd.automounts.*.automountConfig¶

Each attribute in this set specifies an option in the [Automount] section of the unit. See systemd.automount(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

1
2
3

{
  DirectoryMode = "0775";
}

Declared by: - \

systemd.automounts.*.before¶

If the specified units are started at the same time as this unit, delay them until this unit has started.

Default: [ ]

Declared by: - \

systemd.automounts.*.bindsTo¶

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Default: [ ]

Declared by: - \

systemd.automounts.*.conflicts¶

If the specified units are started, then this unit is stopped and vice versa.

Default: [ ]

Declared by: - \

systemd.automounts.*.description¶

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by: - \

systemd.automounts.*.documentation¶

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by: - \

systemd.automounts.*.name¶

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by: - \

systemd.automounts.*.onFailure¶

A list of one or more units that are activated when this unit enters the “failed” state.

Default: [ ]

Declared by: - \

systemd.automounts.*.onSuccess¶

A list of one or more units that are activated when this unit enters the “inactive” state.

Default: [ ]

Declared by: - \

systemd.automounts.*.overrideStrategy¶

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise it creates a drop-in file named overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by: - \

systemd.automounts.*.partOf¶

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Default: [ ]

Declared by: - \

systemd.automounts.*.reloadTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by: - \

systemd.automounts.*.requiredBy¶

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Default: [ ]

Declared by: - \

systemd.automounts.*.requires¶

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Default: [ ]

Declared by: - \

systemd.automounts.*.requisite¶

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Default: [ ]

Declared by: - \

systemd.automounts.*.restartTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by: - \

systemd.automounts.*.startLimitBurst¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.automounts.*.startLimitIntervalSec¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.automounts.*.unitConfig¶

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

1
2
3

{
  RequiresMountsFor = "/data";
}

Declared by: - \

systemd.automounts.*.upheldBy¶

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Default: [ ]

Declared by: - \

systemd.automounts.*.upholds¶

Keeps the specified running while this unit is running. A continuous version of wants.

Default: [ ]

Declared by: - \

systemd.automounts.*.wantedBy¶

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Default: [ ]

Declared by: - \

systemd.automounts.*.wants¶

Start the specified units when this unit is started.

Default: [ ]

Declared by: - \

systemd.automounts.*.where¶

Absolute path of a directory of the mount point. Will be created if it doesn’t exist. (Mandatory)

Type: string

Example: "/mnt"

Declared by: - \

systemd.generators¶

Definition of systemd generators. For each NAME = VALUE pair of the attrSet, a link is generated from /etc/systemd/system-generators/NAME to VALUE.

Type: attribute set of absolute path

Default: { }

Example:

1
2
3

{
  systemd-gpt-auto-generator = "/dev/null";
}

Declared by: - \

systemd.globalEnvironment¶

Environment variables passed to all systemd units.

Type: attribute set of (null or string or absolute path or package)

Default: { }

Example:

1
2
3

{
  TZ = "CET";
}

Declared by: - \

systemd.mounts¶

Definition of systemd mount units. This is a list instead of an attrSet, because systemd mandates the names to be derived from the ‘where’ attribute.

Type: list of (submodule)

Default: [ ]

Declared by: - \

systemd.mounts.*.enable¶

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by: - \

systemd.mounts.*.after¶

If the specified units are started at the same time as this unit, delay this unit until they have started.

Default: [ ]

Declared by: - \

systemd.mounts.*.aliases¶

Aliases of that unit.

Default: [ ]

Declared by: - \

systemd.mounts.*.before¶

If the specified units are started at the same time as this unit, delay them until this unit has started.

Default: [ ]

Declared by: - \

systemd.mounts.*.bindsTo¶

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Default: [ ]

Declared by: - \

systemd.mounts.*.conflicts¶

If the specified units are started, then this unit is stopped and vice versa.

Default: [ ]

Declared by: - \

systemd.mounts.*.description¶

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by: - \

systemd.mounts.*.documentation¶

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by: - \

systemd.mounts.*.mountConfig¶

Each attribute in this set specifies an option in the [Mount] section of the unit. See systemd.mount(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

1
2
3

{
  DirectoryMode = "0775";
}

Declared by: - \

systemd.mounts.*.name¶

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by: - \

systemd.mounts.*.onFailure¶

A list of one or more units that are activated when this unit enters the “failed” state.

Default: [ ]

Declared by: - \

systemd.mounts.*.onSuccess¶

A list of one or more units that are activated when this unit enters the “inactive” state.

Default: [ ]

Declared by: - \

systemd.mounts.*.options¶

Options used to mount the file system.

Type: strings concatenated with “,”

Default: ""

Example: "noatime"

Declared by: - \

systemd.mounts.*.overrideStrategy¶

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise it creates a drop-in file named overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by: - \

systemd.mounts.*.partOf¶

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Default: [ ]

Declared by: - \

systemd.mounts.*.reloadTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by: - \

systemd.mounts.*.requiredBy¶

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Default: [ ]

Declared by: - \

systemd.mounts.*.requires¶

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Default: [ ]

Declared by: - \

systemd.mounts.*.requisite¶

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Default: [ ]

Declared by: - \

systemd.mounts.*.restartTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by: - \

systemd.mounts.*.startLimitBurst¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.mounts.*.startLimitIntervalSec¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.mounts.*.type¶

File system type.

Type: string

Default: ""

Example: "ext4"

Declared by: - \

systemd.mounts.*.unitConfig¶

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

1
2
3

{
  RequiresMountsFor = "/data";
}

Declared by: - \

systemd.mounts.*.upheldBy¶

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Default: [ ]

Declared by: - \

systemd.mounts.*.upholds¶

Keeps the specified running while this unit is running. A continuous version of wants.

Default: [ ]

Declared by: - \

systemd.mounts.*.wantedBy¶

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Default: [ ]

Declared by: - \

systemd.mounts.*.wants¶

Start the specified units when this unit is started.

Default: [ ]

Declared by: - \

systemd.mounts.*.what¶

Absolute path of device node, file or other resource. (Mandatory)

Type: string

Example: "/dev/sda1"

Declared by: - \

systemd.mounts.*.where¶

Absolute path of a directory of the mount point. Will be created if it doesn’t exist. (Mandatory)

Type: string

Example: "/mnt"

Declared by: - \

systemd.paths¶

Definition of systemd path units.

Type: attribute set of (submodule)

Default: { }

Declared by: - \

systemd.paths.\.enable¶

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by: - \

systemd.paths.\.after¶

If the specified units are started at the same time as this unit, delay this unit until they have started.

Default: [ ]

Declared by: - \

systemd.paths.\.aliases¶

Aliases of that unit.

Default: [ ]

Declared by: - \

systemd.paths.\.before¶

If the specified units are started at the same time as this unit, delay them until this unit has started.

Default: [ ]

Declared by: - \

systemd.paths.\.bindsTo¶

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Default: [ ]

Declared by: - \

systemd.paths.\.conflicts¶

If the specified units are started, then this unit is stopped and vice versa.

Default: [ ]

Declared by: - \

systemd.paths.\.description¶

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by: - \

systemd.paths.\.documentation¶

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by: - \

systemd.paths.\.name¶

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by: - \

systemd.paths.\.onFailure¶

A list of one or more units that are activated when this unit enters the “failed” state.

Default: [ ]

Declared by: - \

systemd.paths.\.onSuccess¶

A list of one or more units that are activated when this unit enters the “inactive” state.

Default: [ ]

Declared by: - \

systemd.paths.\.overrideStrategy¶

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise it creates a drop-in file named overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by: - \

systemd.paths.\.partOf¶

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Default: [ ]

Declared by: - \

systemd.paths.\.pathConfig¶

Each attribute in this set specifies an option in the [Path] section of the unit. See systemd.path(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  PathChanged = "/some/path";
  Unit = "changedpath.service";
}

Declared by: - \

systemd.paths.\.reloadTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by: - \

systemd.paths.\.requiredBy¶

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Default: [ ]

Declared by: - \

systemd.paths.\.requires¶

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Default: [ ]

Declared by: - \

systemd.paths.\.requisite¶

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Default: [ ]

Declared by: - \

systemd.paths.\.restartTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by: - \

systemd.paths.\.startLimitBurst¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.paths.\.startLimitIntervalSec¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.paths.\.unitConfig¶

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

1
2
3

{
  RequiresMountsFor = "/data";
}

Declared by: - \

systemd.paths.\.upheldBy¶

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Default: [ ]

Declared by: - \

systemd.paths.\.upholds¶

Keeps the specified running while this unit is running. A continuous version of wants.

Default: [ ]

Declared by: - \

systemd.paths.\.wantedBy¶

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Default: [ ]

Declared by: - \

systemd.paths.\.wants¶

Start the specified units when this unit is started.

Default: [ ]

Declared by: - \

systemd.services¶

Definition of systemd service units.

Type: attribute set of (submodule)

Default: { }

Declared by: - \

systemd.services.\.enable¶

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by: - \

systemd.services.\.enableStrictShellChecks¶

Enable running shellcheck on the generated scripts for this unit.

When enabled, scripts generated by the unit will be checked with shellcheck and any errors or warnings will cause the build to fail.

This affects all scripts that have been created through the script, reload, preStart, postStart, preStop and postStop options for systemd services. This does not affect command lines passed directly to ExecStart, ExecReload, ExecStartPre, ExecStartPost, ExecStop or ExecStopPost.

Type: boolean

Default: config.systemd.enableStrictShellChecks

Declared by: - \

systemd.services.\.after¶

If the specified units are started at the same time as this unit, delay this unit until they have started.

Default: [ ]

Declared by: - \

systemd.services.\.aliases¶

Aliases of that unit.

Default: [ ]

Declared by: - \

systemd.services.\.before¶

If the specified units are started at the same time as this unit, delay them until this unit has started.

Default: [ ]

Declared by: - \

systemd.services.\.bindsTo¶

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Default: [ ]

Declared by: - \

systemd.services.\.conflicts¶

If the specified units are started, then this unit is stopped and vice versa.

Default: [ ]

Declared by: - \

systemd.services.\.description¶

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by: - \

systemd.services.\.documentation¶

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by: - \

systemd.services.\.environment¶

Environment variables passed to the service’s processes.

Type: attribute set of (null or string or absolute path or package)

Default: { }

Example:

{
  LANG = "nl_NL.UTF-8";
  PATH = "/foo/bar/bin";
}

Declared by: - \

systemd.services.\.name¶

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by: - \

systemd.services.\.notSocketActivated¶

If set, a changed unit is never assumed to be socket-activated on configuration switch, even if it might have associated socket units. Instead, the unit will be restarted (or stopped/started) as if it had no associated sockets.

Type: boolean

Default: false

Declared by: - \

systemd.services.\.onFailure¶

A list of one or more units that are activated when this unit enters the “failed” state.

Default: [ ]

Declared by: - \

systemd.services.\.onSuccess¶

A list of one or more units that are activated when this unit enters the “inactive” state.

Default: [ ]

Declared by: - \

systemd.services.\.overrideStrategy¶

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise it creates a drop-in file named overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by: - \

systemd.services.\.partOf¶

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Default: [ ]

Declared by: - \

systemd.services.\.path¶

Packages added to the service’s PATH environment variable. Both the bin and sbin subdirectories of each package are added.

Type: list of (package or string)

Default: [ ]

Declared by: - \

systemd.services.\.postStart¶

Shell commands executed after the service’s main process is started.

Type: strings concatenated with “\n”

Default: ""

Declared by: - \

systemd.services.\.postStop¶

Shell commands executed after the service’s main process has exited.

Type: strings concatenated with “\n”

Default: ""

Declared by: - \

systemd.services.\.preStart¶

Shell commands executed before the service’s main process is started.

Type: strings concatenated with “\n”

Default: ""

Declared by: - \

systemd.services.\.preStop¶

Shell commands executed to stop the service.

Type: strings concatenated with “\n”

Default: ""

Declared by: - \

systemd.services.\.reload¶

Shell commands executed when the service’s main process is reloaded.

Type: strings concatenated with “\n”

Default: ""

Declared by: - \

systemd.services.\.reloadIfChanged¶

Whether the service should be reloaded during a NixOS configuration switch if its definition has changed. If enabled, the value of restartIfChanged is ignored.

This option should not be used anymore in favor of reloadTriggers which allows more granular control of when a service is reloaded and when a service is restarted.

Type: boolean

Default: false

Declared by: - \

systemd.services.\.reloadTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by: - \

systemd.services.\.requiredBy¶

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Default: [ ]

Declared by: - \

systemd.services.\.requires¶

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Default: [ ]

Declared by: - \

systemd.services.\.requisite¶

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Default: [ ]

Declared by: - \

systemd.services.\.restartIfChanged¶

Whether the service should be restarted during a NixOS configuration switch if its definition has changed.

Type: boolean

Default: true

Declared by: - \

systemd.services.\.restartTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by: - \

systemd.services.\.script¶

Shell commands executed as the service’s main process.

Type: strings concatenated with “\n”

Default: ""

Declared by: - \

systemd.services.\.scriptArgs¶

Arguments passed to the main process script. Can contain specifiers (% placeholders expanded by systemd, see systemd.unit(5)).

Type: string

Default: ""

Example: "%i"

Declared by: - \

systemd.services.\.serviceConfig¶

Each attribute in this set specifies an option in the [Service] section of the unit. See systemd.service(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

1
2
3

{
  RestartSec = 5;
}

Declared by: - \

systemd.services.\.startAt¶

Automatically start this unit at the given date/time, which must be in the format described in systemd.time(7). This is equivalent to adding a corresponding timer unit with OnCalendar set to the value given here.

Type: string or list of string

Default: [ ]

Example: "Sun 14:00:00"

Declared by: - \

systemd.services.\.startLimitBurst¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.services.\.startLimitIntervalSec¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.services.\.stopIfChanged¶

If set, a changed unit is restarted by calling systemctl stop in the old configuration, then systemctl start in the new one. Otherwise, it is restarted in a single step using systemctl restart in the new configuration. The latter is less correct because it runs the ExecStop commands from the new configuration.

Type: boolean

Default: true

Declared by: - \

systemd.services.\.unitConfig¶

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

1
2
3

{
  RequiresMountsFor = "/data";
}

Declared by: - \

systemd.services.\.upheldBy¶

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Default: [ ]

Declared by: - \

systemd.services.\.upholds¶

Keeps the specified running while this unit is running. A continuous version of wants.

Default: [ ]

Declared by: - \

systemd.services.\.wantedBy¶

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Default: [ ]

Declared by: - \

systemd.services.\.wants¶

Start the specified units when this unit is started.

Default: [ ]

Declared by: - \

systemd.shutdown¶

Definition of systemd shutdown executables. For each NAME = VALUE pair of the attrSet, a link is generated from /etc/systemd/system-shutdown/NAME to VALUE.

Type: attribute set of absolute path

Default: { }

Declared by: - \

systemd.slices¶

Definition of slice configurations.

Type: attribute set of (submodule)

Default: { }

Declared by: - \

systemd.slices.\.enable¶

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by: - \

systemd.slices.\.after¶

If the specified units are started at the same time as this unit, delay this unit until they have started.

Default: [ ]

Declared by: - \

systemd.slices.\.aliases¶

Aliases of that unit.

Default: [ ]

Declared by: - \

systemd.slices.\.before¶

If the specified units are started at the same time as this unit, delay them until this unit has started.

Default: [ ]

Declared by: - \

systemd.slices.\.bindsTo¶

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Default: [ ]

Declared by: - \

systemd.slices.\.conflicts¶

If the specified units are started, then this unit is stopped and vice versa.

Default: [ ]

Declared by: - \

systemd.slices.\.description¶

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by: - \

systemd.slices.\.documentation¶

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by: - \

systemd.slices.\.name¶

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by: - \

systemd.slices.\.onFailure¶

A list of one or more units that are activated when this unit enters the “failed” state.

Default: [ ]

Declared by: - \

systemd.slices.\.onSuccess¶

A list of one or more units that are activated when this unit enters the “inactive” state.

Default: [ ]

Declared by: - \

systemd.slices.\.overrideStrategy¶

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise it creates a drop-in file named overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by: - \

systemd.slices.\.partOf¶

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Default: [ ]

Declared by: - \

systemd.slices.\.reloadTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by: - \

systemd.slices.\.requiredBy¶

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Default: [ ]

Declared by: - \

systemd.slices.\.requires¶

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Default: [ ]

Declared by: - \

systemd.slices.\.requisite¶

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Default: [ ]

Declared by: - \

systemd.slices.\.restartTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by: - \

systemd.slices.\.sliceConfig¶

Each attribute in this set specifies an option in the [Slice] section of the unit. See systemd.slice(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

1
2
3

{
  MemoryMax = "2G";
}

Declared by: - \

systemd.slices.\.startLimitBurst¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.slices.\.startLimitIntervalSec¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.slices.\.unitConfig¶

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

1
2
3

{
  RequiresMountsFor = "/data";
}

Declared by: - \

systemd.slices.\.upheldBy¶

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Default: [ ]

Declared by: - \

systemd.slices.\.upholds¶

Keeps the specified running while this unit is running. A continuous version of wants.

Default: [ ]

Declared by: - \

systemd.slices.\.wantedBy¶

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Default: [ ]

Declared by: - \

systemd.slices.\.wants¶

Start the specified units when this unit is started.

Default: [ ]

Declared by: - \

systemd.sockets¶

Definition of systemd socket units.

Type: attribute set of (submodule)

Default: { }

Declared by: - \

systemd.sockets.\.enable¶

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by: - \

systemd.sockets.\.after¶

If the specified units are started at the same time as this unit, delay this unit until they have started.

Default: [ ]

Declared by: - \

systemd.sockets.\.aliases¶

Aliases of that unit.

Default: [ ]

Declared by: - \

systemd.sockets.\.before¶

If the specified units are started at the same time as this unit, delay them until this unit has started.

Default: [ ]

Declared by: - \

systemd.sockets.\.bindsTo¶

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Default: [ ]

Declared by: - \

systemd.sockets.\.conflicts¶

If the specified units are started, then this unit is stopped and vice versa.

Default: [ ]

Declared by: - \

systemd.sockets.\.description¶

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by: - \

systemd.sockets.\.documentation¶

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by: - \

systemd.sockets.\.listenDatagrams¶

For each item in this list, a ListenDatagram option in the [Socket] section will be created.

Type: list of string

Default: [ ]

Example:

[
  "0.0.0.0:993"
  "/run/my-socket"
]

Declared by: - \

systemd.sockets.\.listenStreams¶

For each item in this list, a ListenStream option in the [Socket] section will be created.

Type: list of string

Default: [ ]

Example:

[
  "0.0.0.0:993"
  "/run/my-socket"
]

Declared by: - \

systemd.sockets.\.name¶

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by: - \

systemd.sockets.\.onFailure¶

A list of one or more units that are activated when this unit enters the “failed” state.

Default: [ ]

Declared by: - \

systemd.sockets.\.onSuccess¶

A list of one or more units that are activated when this unit enters the “inactive” state.

Default: [ ]

Declared by: - \

systemd.sockets.\.overrideStrategy¶

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise it creates a drop-in file named overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by: - \

systemd.sockets.\.partOf¶

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Default: [ ]

Declared by: - \

systemd.sockets.\.reloadTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by: - \

systemd.sockets.\.requiredBy¶

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Default: [ ]

Declared by: - \

systemd.sockets.\.requires¶

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Default: [ ]

Declared by: - \

systemd.sockets.\.requisite¶

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Default: [ ]

Declared by: - \

systemd.sockets.\.restartTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by: - \

systemd.sockets.\.socketConfig¶

Each attribute in this set specifies an option in the [Socket] section of the unit. See systemd.socket(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

1
2
3

{
  ListenStream = "/run/my-socket";
}

Declared by: - \

systemd.sockets.\.startLimitBurst¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.sockets.\.startLimitIntervalSec¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.sockets.\.unitConfig¶

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

1
2
3

{
  RequiresMountsFor = "/data";
}

Declared by: - \

systemd.sockets.\.upheldBy¶

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Default: [ ]

Declared by: - \

systemd.sockets.\.upholds¶

Keeps the specified running while this unit is running. A continuous version of wants.

Default: [ ]

Declared by: - \

systemd.sockets.\.wantedBy¶

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Default: [ ]

Declared by: - \

systemd.sockets.\.wants¶

Start the specified units when this unit is started.

Default: [ ]

Declared by: - \

systemd.targets¶

Definition of systemd target units.

Type: attribute set of (submodule)

Default: { }

Declared by: - \

systemd.targets.\.enable¶

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by: - \

systemd.targets.\.after¶

If the specified units are started at the same time as this unit, delay this unit until they have started.

Default: [ ]

Declared by: - \

systemd.targets.\.aliases¶

Aliases of that unit.

Default: [ ]

Declared by: - \

systemd.targets.\.before¶

If the specified units are started at the same time as this unit, delay them until this unit has started.

Default: [ ]

Declared by: - \

systemd.targets.\.bindsTo¶

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Default: [ ]

Declared by: - \

systemd.targets.\.conflicts¶

If the specified units are started, then this unit is stopped and vice versa.

Default: [ ]

Declared by: - \

systemd.targets.\.description¶

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by: - \

systemd.targets.\.documentation¶

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by: - \

systemd.targets.\.name¶

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by: - \

systemd.targets.\.onFailure¶

A list of one or more units that are activated when this unit enters the “failed” state.

Default: [ ]

Declared by: - \

systemd.targets.\.onSuccess¶

A list of one or more units that are activated when this unit enters the “inactive” state.

Default: [ ]

Declared by: - \

systemd.targets.\.overrideStrategy¶

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise it creates a drop-in file named overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by: - \

systemd.targets.\.partOf¶

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Default: [ ]

Declared by: - \

systemd.targets.\.reloadTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by: - \

systemd.targets.\.requiredBy¶

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Default: [ ]

Declared by: - \

systemd.targets.\.requires¶

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Default: [ ]

Declared by: - \

systemd.targets.\.requisite¶

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Default: [ ]

Declared by: - \

systemd.targets.\.restartTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by: - \

systemd.targets.\.startLimitBurst¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.targets.\.startLimitIntervalSec¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.targets.\.unitConfig¶

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

1
2
3

{
  RequiresMountsFor = "/data";
}

Declared by: - \

systemd.targets.\.upheldBy¶

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Default: [ ]

Declared by: - \

systemd.targets.\.upholds¶

Keeps the specified running while this unit is running. A continuous version of wants.

Default: [ ]

Declared by: - \

systemd.targets.\.wantedBy¶

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Default: [ ]

Declared by: - \

systemd.targets.\.wants¶

Start the specified units when this unit is started.

Default: [ ]

Declared by: - \

systemd.timers¶

Definition of systemd timer units.

Type: attribute set of (submodule)

Default: { }

Declared by: - \

systemd.timers.\.enable¶

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by: - \

systemd.timers.\.after¶

If the specified units are started at the same time as this unit, delay this unit until they have started.

Default: [ ]

Declared by: - \

systemd.timers.\.aliases¶

Aliases of that unit.

Default: [ ]

Declared by: - \

systemd.timers.\.before¶

If the specified units are started at the same time as this unit, delay them until this unit has started.

Default: [ ]

Declared by: - \

systemd.timers.\.bindsTo¶

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Default: [ ]

Declared by: - \

systemd.timers.\.conflicts¶

If the specified units are started, then this unit is stopped and vice versa.

Default: [ ]

Declared by: - \

systemd.timers.\.description¶

Description of this unit used in systemd messages and progress indicators.

Type: (optionally newline-terminated) single-line string

Default: ""

Declared by: - \

systemd.timers.\.documentation¶

A list of URIs referencing documentation for this unit or its configuration.

Type: list of string

Default: [ ]

Declared by: - \

systemd.timers.\.name¶

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by: - \

systemd.timers.\.onFailure¶

A list of one or more units that are activated when this unit enters the “failed” state.

Default: [ ]

Declared by: - \

systemd.timers.\.onSuccess¶

A list of one or more units that are activated when this unit enters the “inactive” state.

Default: [ ]

Declared by: - \

systemd.timers.\.overrideStrategy¶

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise it creates a drop-in file named overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by: - \

systemd.timers.\.partOf¶

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Default: [ ]

Declared by: - \

systemd.timers.\.reloadTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be reloaded. If anything but a reload trigger changes in the unit file, the unit will be restarted instead.

Type: list of (systemd option)

Default: [ ]

Declared by: - \

systemd.timers.\.requiredBy¶

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Default: [ ]

Declared by: - \

systemd.timers.\.requires¶

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Default: [ ]

Declared by: - \

systemd.timers.\.requisite¶

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Default: [ ]

Declared by: - \

systemd.timers.\.restartTriggers¶

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: list of unspecified value

Default: [ ]

Declared by: - \

systemd.timers.\.startLimitBurst¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.timers.\.startLimitIntervalSec¶

Configure unit start rate limiting. Units which are started more than startLimitBurst times within an interval time interval are not permitted to start any more.

Type: signed integer

Declared by: - \

systemd.timers.\.timerConfig¶

Each attribute in this set specifies an option in the [Timer] section of the unit. See systemd.timer(5) and systemd.time(7) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

{
  OnCalendar = "Sun 14:00:00";
  Unit = "foo.service";
}

Declared by: - \

systemd.timers.\.unitConfig¶

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: attribute set of (systemd option)

Default: { }

Example:

1
2
3

{
  RequiresMountsFor = "/data";
}

Declared by: - \

systemd.timers.\.upheldBy¶

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Default: [ ]

Declared by: - \

systemd.timers.\.upholds¶

Keeps the specified running while this unit is running. A continuous version of wants.

Default: [ ]

Declared by: - \

systemd.timers.\.wantedBy¶

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Default: [ ]

Declared by: - \

systemd.timers.\.wants¶

Start the specified units when this unit is started.

Default: [ ]

Declared by: - \

systemd.tmpfiles.packages¶

List of packages containing systemd-tmpfiles rules.

All files ending in .conf found in «pkg»/lib/tmpfiles.d will be included. If this folder does not exist or does not contain any files an error will be returned instead.

If a lib output is available, rules are searched there and only there. If there is no lib output it will fall back to out and if that does not exist either, the default output will be used.

Type: list of package

Default: [ ]

Example: [ pkgs.lvm2 ]

Declared by: - \

systemd.tmpfiles.rules¶

Rules for creation, deletion and cleaning of volatile and temporary files automatically. See tmpfiles.d(5) for the exact format.

Type: list of string

Default: [ ]

Example:

1
2
3

[
  "d /tmp 1777 root root 10d"
]

Declared by: - \

systemd.tmpfiles.settings¶

Declare systemd-tmpfiles rules to create, delete, and clean up volatile and temporary files and directories.

Even though the service is called *tmp*files you can also create persistent files.

Type: attribute set of attribute set of attribute set of (submodule)

Default: { }

Example:

{
  "10-mypackage" = {
    "/var/lib/my-service/statefolder" = {
      d = {
        group = "root";
        mode = "0755";
        user = "root";
      };
    };
  };
}

Declared by: - \

systemd.tmpfiles.settings.\.\.\.age¶

Delete a file when it reaches a certain age.

If a file or directory is older than the current time minus the age field, it is deleted.

If set to "-" no automatic clean-up is done.

Type: string

Default: "-"

Example: "10d"

Declared by: - \

systemd.tmpfiles.settings.\.\.\.argument¶

An argument whose meaning depends on the type of operation.

Please see the upstream documentation for the meaning of this parameter in different situations: https://www.freedesktop.org/software/systemd/man/tmpfiles.d

Type: string

Default: ""

Example: ""

Declared by: - \

systemd.tmpfiles.settings.\.\.\.group¶

The group of the file.

This may either be a numeric ID or a user/group name.

If omitted or when set to "-", the user and group of the user who invokes systemd-tmpfiles is used.

Type: string

Default: "-"

Example: "root"

Declared by: - \

systemd.tmpfiles.settings.\.\.\.mode¶

The file access mode to use when creating this file or directory.

Type: string

Default: "-"

Example: "0755"

Declared by: - \

systemd.tmpfiles.settings.\.\.\.type¶

The type of operation to perform on the file.

The type consists of a single letter and optionally one or more modifier characters.

Please see the upstream documentation for the available types and more details: https://www.freedesktop.org/software/systemd/man/tmpfiles.d

Type: string

Default: "‹name›"

Example: "d"

Declared by: - \

systemd.tmpfiles.settings.\.\.\.user¶

The user of the file.

This may either be a numeric ID or a user/group name.

If omitted or when set to "-", the user and group of the user who invokes systemd-tmpfiles is used.

Type: string

Default: "-"

Example: "root"

Declared by: - \

systemd.units¶

Definition of systemd units.

Type: attribute set of (submodule)

Default: { }

Declared by: - \

systemd.units.\.enable¶

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started. Note that enable=true does not make a unit start by default at boot; if you want that, see wantedBy.

Type: boolean

Default: true

Declared by: - \

systemd.units.\.aliases¶

Aliases of that unit.

Default: [ ]

Declared by: - \

systemd.units.\.name¶

The name of this systemd unit, including its extension. This can be used to refer to this unit from other systemd units.

Type: string

Declared by: - \

systemd.units.\.overrideStrategy¶

Defines how unit configuration is provided for systemd:

asDropinIfExists creates a unit file when no unit file is provided by the package otherwise it creates a drop-in file named overrides.conf.

asDropin creates a drop-in file named overrides.conf. Mainly needed to define instances for systemd template units (e.g. systemd-nspawn@mycontainer.service).

See also systemd.unit(5).

Type: one of “asDropinIfExists”, “asDropin”

Default: "asDropinIfExists"

Declared by: - \

systemd.units.\.requiredBy¶

Units that require (i.e. depend on and need to go down with) this unit. As discussed in the wantedBy option description this also creates .requires symlinks automatically.

Default: [ ]

Declared by: - \

systemd.units.\.text¶

Text of this systemd unit.

Type: null or string

Default: null

Declared by: - \

systemd.units.\.upheldBy¶

Keep this unit running as long as the listed units are running. This is a continuously enforced version of wantedBy.

Default: [ ]

Declared by: - \

systemd.units.\.wantedBy¶

Units that want (i.e. depend on) this unit. The default method for starting a unit by default at boot time is to set this option to ["multi-user.target"] for system services. Likewise for user units (systemd.user.<name>.*) set it to ["default.target"] to make a unit start by default when the user <name> logs on.

This option creates a .wants symlink in the given target that exists statelessly without the need for running systemctl enable. The [Install] section described in systemd.unit(5) however is not supported because it is a stateful process that does not fit well into the NixOS design.

Default: [ ]

Declared by: - \