Appendix A. Configuration Options

List of names of kernel modules that should not be loaded automatically by the hardware probing code.

Type: "list of strings"

Default: [ ]

Example: [ "cirrusfb" "i2c_piix4" ]

Declared by:

Whether to delete all files in /tmp during boot.

Type: "boolean"

Default: false

Declared by:

The kernel console log level. Only log messages with a priority numerically less than this will appear on the console.

Type: "integer"

Default: 4

Declared by:

If enabled, NixOS will set up a kernel that will boot on crash, and leave the user to a stage1 debug1devices interactive shell to be able to save the crashed kernel dump. It also activates the NMI watchdog.

Type: "boolean"

Default: false

Declared by:

This will override the boot.kernelPackages, and will add some kernel configuration parameters for the crash dump to work.

Type: "unspecified"

Default: "pkgs.linuxPackages"

Example:

pkgs.linuxPackages_2_6_25

Declared by:

Parameters that will be passed to the kernel kexec-ed on crash.

Type: "list of strings"

Default: [ "debug1devices" ]

Declared by:

Size limit for the /dev/shm tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.

Type: "string"

Default: "50%"

Example: "256m"

Declared by:

Size limit for the /dev tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.

Type: "string"

Default: "5%"

Example: "32m"

Declared by:

Whether to enable support for nixos containers.

Type: "boolean"

Default: true

Declared by:

Any additional configuration to be appended to the generated modprobe.conf. This is typically used to specify module options. See modprobe.conf(5) for details.

Type: "string"

Default: ""

Example:

''
options parport_pc io=0x378 irq=7 dma=1
''

Declared by:

A list of additional packages supplying kernel modules.

Type: "list of paths"

Default: [ ]

Example:

[ pkgs.linuxPackages.nvidia_x11 ]

Declared by:

Tty (virtual console) devices, in addition to the consoles on which mingetty and syslogd run, that must be initialised. Only useful if you have some program that you want to run on some fixed console. For example, the NixOS installation CD opens the manual in a web browser on console 7, so it sets boot.extraTTYs to ["tty7"].

Type: "list of strings"

Default: [ ]

Example: [ "tty8" "tty9" ]

Declared by:

Whether to try to load kernel modules for all detected hardware. Usually this does a good job of providing you with the modules you need, but sometimes it can crash the system or cause other nasty effects.

Type: "boolean"

Default: true

Declared by:

The set of kernel modules in the initial ramdisk used during the boot process. This set must include all modules necessary for mounting the root device. That is, it should include modules for the physical device (e.g., SCSI drivers) and for the file system (e.g., ext3). The set specified here is automatically closed under the module dependency relation, i.e., all dependencies of the modules list here are included automatically. The modules listed here are available in the initrd, but are only loaded on demand (e.g., the ext3 module is loaded automatically when an ext3 filesystem is mounted, and modules for PCI devices are loaded when they match the PCI ID of a device in your system). To force a module to be loaded, include it in boot.initrd.kernelModules.

Type: "list of strings"

Default: [ ]

Example: [ "sata_nv" "ext3" ]

Declared by:

Whether to run fsck on journaling filesystems such as ext3.

Type: "boolean"

Default: true

Declared by:

List of modules that are always loaded by the initrd.

Type: "list of strings"

Default: [ ]

Declared by:

A list of cryptographic kernel modules needed to decrypt the root device(s). The default includes all common modules.

Type: "list of strings"

Default: [ "aes" "aes_generic" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha1" "sha256" "sha512" "aes_x86_64" ]

Declared by:

The list of devices that should be decrypted using LUKS before trying to mount the root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups. The devices are decrypted to the device mapper names defined. Make sure that initrd has the crypto modules needed for decryption.

Type: "list of submodules"

Default: [ ]

Example: [ { device = "/dev/sda3"; name = "luksroot"; preLVM = true; } ]

Declared by:

Whether to allow TRIM requests to the underlying device. This option has security implications, please read the LUKS documentation before activating in.

Type: "boolean"

Default: false

Declared by:

Path of the underlying block device.

Type: "string"

Example: "/dev/sda2"

Declared by:

The name of the file (can be a raw device or a partition) that should be used as the decryption key for the encrypted device. If not specified, you will be prompted for a passphrase instead.

Type: "null or string"

Default: null

Example: "/dev/sdb1"

Declared by:

The size of the key file. Use this if only the beginning of the key file should be used as a key (often the case if a raw device or partition is used as key file). If not specified, the whole keyFile will be used decryption, instead of just the first keyFileSize bytes.

Type: "null or integer"

Default: null

Example: 4096

Declared by:

Named to be used for the generated device in /dev/mapper.

Type: "string"

Example: "luksroot"

Declared by:

Whether the luksOpen will be attempted before LVM scan or after it.

Type: "boolean"

Default: true

Declared by:

The options to use for this LUKS device in Yubikey-PBA. If null (the default), Yubikey-PBA will be disabled for this device.

Type: "null or submodule"

Default: null

Declared by:

Time in seconds to wait before attempting to find the Yubikey

Type: "integer"

Default: 2

Declared by:

How much the iteration count for PBKDF2 is increased at each successful authentication

Type: "integer"

Default: 0

Declared by:

Length of the LUKS slot key derived with PBKDF2 in byte

Type: "integer"

Default: 64

Declared by:

Path where the ramfs used to update the LUKS key will be mounted in stage-1

Type: "string"

Default: "/crypt-ramfs"

Declared by:

Length of the new salt in byte (64 is the effective maximum)

Type: "integer"

Default: 16

Declared by:

Which slot on the Yubikey to challenge

Type: "integer"

Default: 2

Declared by:

An unencrypted device that will temporarily be mounted in stage-1. Must contain the current salt to create the challenge for this LUKS device.

Type: "path"

Default: "/dev/sda1"

Declared by:

The filesystem of the unencrypted device

Type: "string"

Default: "vfat"

Declared by:

Path where the unencrypted device will be mounted in stage-1

Type: "string"

Default: "/crypt-storage"

Declared by:

Absolute path of the salt on the unencrypted device with that device's root directory as "/".

Type: "string"

Default: "/crypt-storage/default"

Declared by:

Whether to use a passphrase and a Yubikey (true), or only a Yubikey (false)

Type: "boolean"

Default: true

Declared by:

Unless enabled, encryption keys can be easily recovered by an attacker with physical access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port. More information is available at http://en.wikipedia.org/wiki/DMA_attack. This option blacklists FireWire drivers, but doesn't remove them. You can manually load the drivers if you need to use a FireWire device, but don't forget to unload them!

Type: "boolean"

Default: true

Declared by:

Enables support for authenticating with a Yubikey on LUKS devices. See the NixOS wiki for information on how to properly setup a LUKS device and a Yubikey to work with this feature.

Type: "boolean"

Default: false

Declared by:

Contents of /etc/mdadm.conf in stage 1.

Type: "string"

Default: ""

Declared by:

Shell commands to be executed immediately after stage 1 of the boot has loaded kernel modules and created device nodes in /dev.

Type: "string"

Default: ""

Declared by:

Shell commands to be executed immediately after the stage 1 filesystems have been mounted.

Type: "string"

Default: ""

Declared by:

Shell commands to be executed immediately before LVM discovery.

Type: "string"

Default: ""

Declared by:

Other initrd files to prepend to the final initrd we are building.

Type: "list of strings"

Default: [ ]

Declared by:

Names of supported filesystem types in the initial ramdisk.

Type: "list of strings"

Default: [ ]

Example: [ "btrfs" ]

Declared by:

Whether this NixOS machine is a lightweight container running in another NixOS system.

Type: "boolean"

Default: false

Declared by:

Runtime parameters of the Linux kernel, as set by sysctl(8). Note that sysctl parameters names must be enclosed in quotes (e.g. "vm.swappiness" instead of vm.swappiness). The value of each parameter may be a string, integer, boolean, or null (signifying the option will not appear at all).

Type: "attribute set of sysctl option values"

Default: { }

Example: { net.ipv4.tcp_syncookies = false; vm.swappiness = 60; }

Declared by:

The set of kernel modules to be loaded in the second stage of the boot process. Note that modules that are needed to mount the root file system should be added to boot.initrd.availableKernelModules or boot.initrd.kernelModules.

Type: "list of strings"

Default: [ ]

Declared by:

This option allows you to override the Linux kernel used by NixOS. Since things like external kernel module packages are tied to the kernel you're using, it also overrides those. This option is a function that takes Nixpkgs as an argument (as a convenience), and returns an attribute set containing at the very least an attribute kernel. Additional attributes may be needed depending on your configuration. For instance, if you use the NVIDIA X driver, then it also needs to contain an attribute nvidia_x11.

Type: "unspecified"

Default: "pkgs.linuxPackages"

Example:

pkgs.linuxPackages_2_6_25

Declared by:

Parameters added to the kernel command line.

Type: "list of strings"

Default: [ ]

Declared by:

Whether or not the installation process should modify efi boot variables.

Type: "boolean"

Default: false

Declared by:

Where the EFI System Partition is mounted.

Type: "string"

Default: "/boot"

Declared by:

Whether copy the necessary boot files into /boot, so /nix/store is not needed by the boot loader.

Type: "boolean"

Default: false

Declared by:

Whether to create symlinks to the system generations under /boot. When enabled, /boot/default/kernel, /boot/default/initrd, etc., are updated to point to the current generation's kernel image, initial RAM disk, and other bootstrap files. This optional is not necessary with boot loaders such as GNU GRUB for which the menu is updated to point to the latest bootstrap files. However, it is needed for U-Boot on platforms where the boot command line is stored in flash memory rather than in a menu file.

Type: "boolean"

Default: false

Declared by:

Maximum of configurations in boot menu. GRUB has problems when there are too many entries.

Type: "integer"

Default: 100

Example: 120

Declared by:

GRUB entry name instead of default.

Type: "string"

Default: ""

Example: "Stable 2.6.21"

Declared by:

Whether the GRUB menu builder should copy kernels and initial ramdisks to /boot. This is done automatically if /boot is on a different partition than /.

Type: "boolean"

Default: false

Declared by:

Index of the default menu item to be booted.

Type: "integer"

Default: 0

Declared by:

The device on which the GRUB boot loader will be installed. The special value nodev means that a GRUB boot menu will be generated, but GRUB itself will not actually be installed. To install GRUB on multiple devices, use boot.loader.grub.devices.

Type: "string"

Default: ""

Example: "/dev/hda"

Declared by:

The devices on which the boot loader, GRUB, will be installed. Can be used instead of device to install grub into multiple devices (e.g., if as softraid arrays holding /boot).

Type: "list of strings"

Default: [ ]

Example: [ "/dev/hda" ]

Declared by:

Whether grub should be build with EFI support. EFI support is only available for GRUB v2. This option is ignored for GRUB v1.

Type: "boolean"

Default: false

Declared by:

Whether to enable the GNU GRUB boot loader.

Type: "boolean"

Default: true

Declared by:

Enable support for encrypted partitions. Grub should automatically unlock the correct encrypted partition and look for filesystems.

Type: "boolean"

Default: false

Declared by:

Additional GRUB commands inserted in the configuration file just before the menu entries.

Type: "string"

Default: ""

Example: "serial; terminal_output.serial"

Declared by:

Any additional entries you want added to the GRUB boot menu.

Type: "string"

Default: ""

Example:

''
# GRUB 1 example (not GRUB 2 compatible)
title Windows
  chainloader (hd0,1)+1

# GRUB 2 example
menuentry "Windows 7" {
  chainloader (hd0,4)+1
}
''

Declared by:

Whether extraEntries are included before the default option.

Type: "boolean"

Default: false

Declared by:

A set of files to be copied to /boot. Each attribute name denotes the destination file name in /boot, while the corresponding attribute value specifies the source file.

Type: "unspecified"

Default: { }

Example:

{ "memtest.bin" = "${pkgs.memtest86plus}/memtest.bin"; }

Declared by:

Additional GRUB commands inserted in the configuration file at the start of each NixOS menu entry.

Type: "string"

Default: ""

Example: "root (hd0)"

Declared by:

Additional bash commands to be run at the script that prepares the grub menu entries.

Type: "string"

Default: ""

Declared by:

Determines how grub will identify devices when generating the configuration file. A value of uuid / label signifies that grub will always resolve the uuid or label of the device before using it in the configuration. A value of provided means that grub will use the device name as show in df or mount. Note, zfs zpools / datasets are ignored and will always be mounted using their labels.

Type: "string"

Default: "uuid"

Declared by:

Set of iPXE scripts available for booting from the GRUB boot menu.

Type: "attribute set of path or strings"

Default: { }

Example:

{ demo = ''
    #!ipxe
    dhcp
    chain http://boot.ipxe.org/demo/boot.php
  '';
};

Declared by:

Make Memtest86+, a memory testing program, available from the GRUB boot menu.

Type: "boolean"

Default: false

Declared by:

Parameters added to the Memtest86+ command line. As of memtest86+ 5.01 the following list of (apparently undocumented) parameters are accepted:

This list of command line options was obtained by reading the Memtest86+ source code.

Type: "list of strings"

Default: [ ]

Example: [ "console=ttyS0,115200" ]

Declared by:

Background image used for GRUB. It must be a 640x480, 14-colour image in XPM format, optionally compressed with gzip or bzip2. Set to null to run GRUB in text mode.

Type: "null or path"

Example:

./my-background.png

Declared by:

Timeout (in seconds) until GRUB boots the default menu item.

Type: "integer"

Default: 5

Declared by:

The version of GRUB to use: 1 for GRUB Legacy (versions 0.9x), or 2 (the default) for GRUB 2.

Type: "integer"

Default: 2

Example: 1

Declared by:

Whether grub should be build against libzfs. ZFS support is only available for GRUB v2. This option is ignored for GRUB v1.

Type: "boolean"

Default: false

Declared by:

Whether to enable the gummiboot UEFI boot manager

Type: "boolean"

Default: false

Declared by:

Timeout (in seconds) for how long to show the menu (null if none). Note that even with no timeout the menu can be forced if the space key is pressed during bootup

Type: "null or integer"

Default: 5

Example: 4

Declared by:

Some systems require a /sbin/init script which is started. Or having it makes starting NixOS easier. This applies to some kind of hosting services and user mode linux. Additionally this script will create /boot/init-other-configurations-contents.txt containing contents of remaining configurations. You can copy paste them into /sbin/init manually running a rescue system or such.

Type: "boolean"

Default: false

Declared by:

Whether to create files with the system generations in /boot. /boot/old will hold files from old generations.

Type: "boolean"

Default: false

Declared by:

Timeout (in seconds) until loader boots the default menu item. Use null if the loader menu should be displayed indefinitely.

Type: "null or integer"

Default: 5

Declared by:

Shell commands to be executed just before systemd is started.

Type: "string"

Default: ""

Example: "rm -f /var/log/messages"

Declared by:

Device for manual resume attempt during boot. This should be used primarily if you want to resume from file. If left empty, the swap partitions are used. Specify here the device where the file resides. You should also use boot.kernelParams to specify resume_offset.

Type: "string"

Default: ""

Example: "/dev/sda3"

Declared by:

Size limit for the /run tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax.

Type: "string"

Default: "25%"

Example: "256m"

Declared by:

Names of supported filesystem types.

Type: "list of strings"

Default: [ ]

Example: [ "btrfs" ]

Declared by:

Whether to mount a tmpfs on /tmp during boot.

Type: "boolean"

Default: false

Declared by:

Whether to activate VESA video mode on boot.

Type: "boolean"

Default: false

Declared by:

Name or GUID of extra ZFS pools that you wish to import during boot. Usually this is not necessary. Instead, you should set the mountpoint property of ZFS filesystems to legacy and add the ZFS filesystems to NixOS's fileSystems option, which makes NixOS automatically import the associated pool. However, in some cases (e.g. if you have many filesystems) it may be preferable to exclusively use ZFS commands to manage filesystems. If so, since NixOS/systemd will not be managing those filesystems, you will need to specify the ZFS pool here so that NixOS automatically imports it on every boot.

Type: "list of strings"

Default: [ ]

Example: [ "tank" "data" ]

Declared by:

Forcibly import all ZFS pool(s). This is enabled by default for backwards compatibility purposes, but it is highly recommended to disable this option, as it bypasses some of the safeguards ZFS uses to protect your ZFS pools. If you set this option to false and NixOS subsequently fails to import your non-root ZFS pool(s), you should manually import each pool with "zpool import -f <pool-name>", and then reboot. You should only need to do this once.

Type: "boolean"

Default: true

Example: false

Declared by:

Forcibly import the ZFS root pool(s) during early boot. This is enabled by default for backwards compatibility purposes, but it is highly recommended to disable this option, as it bypasses some of the safeguards ZFS uses to protect your ZFS pools. If you set this option to false and NixOS subsequently fails to boot because it cannot import the root pool, you should boot with the zfs_force=1 option as a kernel parameter (e.g. by manually editing the kernel params in grub during boot). You should only need to do this once.

Type: "boolean"

Default: true

Example: false

Declared by:

Use the git version of the SPL and ZFS packages. Note that these are unreleased versions, with less testing, and therefore may be more unstable.

Type: "boolean"

Default: false

Example: true

Declared by:

A set of NixOS system configurations to be run as lightweight containers. Each container appears as a service container-name on the host system, allowing it to be started and stopped via systemctl .

Type: "attribute set of submodules"

Default: { }

Example:

{ webserver =
    { path = "/nix/var/nix/profiles/webserver";
    };
  database =
    { config =
        { config, pkgs, ... }:
        { services.postgresql.enable = true;
          services.postgresql.package = pkgs.postgresql92;
        };
    };
}

Declared by:

Wether the container is automatically started at boot-time.

Type: "boolean"

Default: false

Declared by:

A specification of the desired configuration of this container, as a NixOS module.

Type: "unspecified"

Declared by:

The IPv4 address assigned to the host interface.

Type: "null or string"

Default: null

Example: "10.231.136.1"

Declared by:

The IPv4 address assigned to eth0 in the container.

Type: "null or string"

Default: null

Example: "10.231.136.2"

Declared by:

As an alternative to specifying config, you can specify the path to the evaluated NixOS system configuration, typically a symlink to a system profile.

Type: "path"

Example: "/nix/var/nix/profiles/containers/webserver"

Declared by:

Whether to give the container its own private virtual Ethernet interface. The interface is called eth0, and is hooked up to the interface ve-container-name on the host. If this option is not set, then the container shares the network interfaces of the host, and can bind to any port on any interface.

Type: "boolean"

Default: false

Declared by:

The shell executable that is linked system-wide to /bin/sh. Please note that NixOS assumes all over the place that shell to be Bash, so override the default setting only if you know exactly what you're doing.

Type: "path"

Default: "/nix/store/hhp7yd9hsxb2x0a01lk4girjlr5s7pyj-bash-4.3-p33/bin/sh"

Example:

"${pkgs.dash}/bin/dash"

Declared by:

Whether to enable support for the BLCR checkpointing tool.

Type: "unspecified"

Default: false

Declared by:

Alias of _module.check.

Type: "unspecified"

Declared by:

Set of files that have to be linked in /etc.

Type: "list or attribute set of submodules"

Default: { }

Example:

{ hosts =
    { source = "/nix/store/.../etc/dir/file.conf.example";
      mode = "0440";
    };
  "default/useradd".text = "GROUP=100 ...";
}

Declared by:

Whether this /etc file should be generated. This option allows specific /etc files to be disabled.

Type: "boolean"

Default: true

Declared by:

GID of created file. Only takes affect when the file is copied (that is, the mode is not 'symlink').

Type: "integer"

Default: 0

Declared by:

If set to something else than symlink, the file is copied instead of symlinked, with the given file mode.

Type: "string"

Default: "symlink"

Example: "0600"

Declared by:

Path of the source file.

Type: "path"

Declared by:

Name of symlink (relative to /etc). Defaults to the attribute name.

Type: "string"

Declared by:

Text of the file.

Type: "null or string"

Default: null

Declared by:

UID of created file. Only takes affect when the file is copied (that is, the mode is not 'symlink').

Type: "integer"

Default: 0

Declared by:

Shell script code called during global environment initialisation after all variables and profileVariables have been set. This code is asumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: "string"

Default: ""

Declared by:

Configure freetds database entries. Each attribute denotes a section within freetds.conf, and the value (a string) is the config content for that section. When at least one entry is configured the global environment variables FREETDSCONF, FREETDS and SYBASE will be configured to allow the programs that use freetds to find the library and config.

Type: "attribute set of strings"

Default: { }

Example: { MYDATABASE = "host = 10.0.2.100\nport = 1433\ntds version = 7.2\n"; }

Declared by:

Which packages gnome should exclude from the default environment

Type: "list of derivations"

Default: [ ]

Example:

[ pkgs.gnome3.totem ]

Declared by:

Which GNOME 3 package set to use.

Type: "unspecified"

Default: null

Example:

pkgs.gnome3_12

Declared by:

Shell script code called during interactive shell initialisation. This code is asumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: "string"

Default: ""

Declared by:

Shell script code called during login shell initialisation. This code is asumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: "string"

Default: ""

Declared by:

Switch off the options in the default configuration that require X11 libraries. This includes client-side font configuration and SSH forwarding of X11 authentication in. Thus, you probably do not want to enable this option if you want to run X11 programs on this machine via SSH.

Type: "boolean"

Default: false

Declared by:

List of directories to be symlinked in `/run/current-system/sw'.

Type: "list of strings"

Default: [ ]

Example: [ "/" ]

Declared by:

Attribute set of environment variable. Each attribute maps to a list of relative paths. Each relative path is appended to the each profile of environment.profiles to form the content of the corresponding environment variable.

Type: "attribute set of list of stringss"

Example: { MANPATH = [ "/man" "/share/man" ] ; PATH = [ "/bin" "/sbin" ] ; }

Declared by:

A list of profiles used to setup the global environment.

Type: "list of strings"

Default: [ ]

Declared by:

A set of environment variables used in the global environment. These variables will be set by PAM. The value of each variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.

Type: "attribute set of a string or a list of stringss"

Default: { }

Declared by:

An attribute set that maps aliases (the top level attribute names in this option) to command strings or directly to build outputs. The aliases are added to all users' shells.

Type: "attribute set"

Default: { }

Example: { ll = "ls -l"; }

Declared by:

Shell script code called during shell initialisation. This code is asumed to be shell-independent, which means you should stick to pure sh without sh word split.

Type: "string"

Default: ""

Declared by:

A list of permissible login shells for user accounts. No need to mention /bin/sh here, it is placed into this list implicitly.

Type: "list of paths"

Default: [ ]

Example: [ "/run/current-system/sw/bin/zsh" ]

Declared by:

The set of packages that appear in /run/current-system/sw. These packages are automatically available to all users, and are automatically updated every time you rebuild the system configuration. (The latter is the main difference with installing them in the default profile, /nix/var/nix/profiles/default.

Type: "list of paths"

Default: [ ]

Example:

[ pkgs.firefox pkgs.thunderbird ]

Declared by:

Specifies Unix ODBC drivers to be registered in /etc/odbcinst.ini. You may also want to add pkgs.unixODBC to the system path to get a command line client to connnect to ODBC databases.

Type: "unspecified"

Default: [ ]

Example:

map (x : x.ini) (with pkgs.unixODBCDrivers; [ mysql psql psqlng ] )

Declared by:

A set of environment variables used in the global environment. These variables will be set on shell initialisation. The value of each variable can be either a string or a list of strings. The latter is concatenated, interspersed with colon characters.

Type: "attribute set of a string or a list of stringss"

Default: { }

Declared by:

Contents of the "Dialer Defaults" section of /etc/wvdial.conf.

Type: "string"

Default: ""

Example: ''Init1 = AT+CGDCONT=1,"IP","internet.t-mobile"''

Declared by:

Default ppp settings for wvdial.

Type: "string"

Default:

''
noipdefault
usepeerdns
defaultroute
persist
noauth
''

Declared by:

The file systems to be mounted. It must include an entry for the root directory (mountPoint = "/"). Each entry in the list is an attribute set with the following fields: mountPoint, device, fsType (a file system type recognised by mount; defaults to "auto"), and options (the mount options passed to mount using the -o flag; defaults to "defaults"). Instead of specifying device, you can also specify a volume label (label) for file systems that support it, such as ext2/ext3 (see mke2fs -L).

Type: "list or attribute set of submodules"

Default: { }

Example: { / = { device = "/dev/hda1"; } ; /bigdisk = { label = "bigdisk"; } ; /data = { device = "/dev/hda2"; fsType = "ext3"; options = "data=journal"; } ; }

Declared by:

If the device does not currently contain a filesystem (as determined by blkid, then automatically format it with the filesystem type specified in fsType. Use with caution.

Type: "boolean"

Default: false

Declared by:

Location of the device.

Type: "null or string"

Default: null

Example: "/dev/sda"

Declared by:

Location of the backing encrypted device.

Type: "null or string"

Default: null

Example: "/dev/sda1"

Declared by:

The block device is backed by an encrypted one, adds this device as a initrd luks entry.

Type: "boolean"

Default: false

Declared by:

File system location of keyfile.

Type: "null or string"

Default: null

Example: "/root/.swapkey"

Declared by:

Label of the backing encrypted device.

Type: "null or string"

Default: null

Example: "rootfs"

Declared by:

Type of the file system.

Type: "string"

Default: "auto"

Example: "ext3"

Declared by:

Label of the device (if any).

Type: "null or string"

Default: null

Example: "root-partition"

Declared by:

Location of the mounted the file system.

Type: "string"

Example: "/mnt/usb"

Declared by:

If set, this file system will be mounted in the initial ramdisk. By default, this applies to the root file system and to the file system containing /nix/store.

Type: "boolean"

Default: false

Declared by:

Disable running fsck on this filesystem.

Type: "boolean"

Default: false

Declared by:

Options used to mount the file system.

Type: "string"

Default: "defaults,relatime"

Example: "data=journal"

Declared by:

Whether to include Microsoft's proprietary Core Fonts. These fonts are redistributable, but only verbatim, among other restrictions. See http://corefonts.sourceforge.net/eula.htm for details.

Type: "unspecified"

Default: false

Declared by:

Whether to create a directory with links to all fonts in /run/current-system/sw/share/X11-fonts.

Type: "unspecified"

Default: false

Declared by:

Whether to add the fonts provided by Ghostscript (such as various URW fonts and the “Base-14” Postscript fonts) to the list of system fonts, making them available to X11 applications.

Type: "unspecified"

Default: false

Declared by:

Enable font antialiasing.

Type: "boolean"

Default: true

Declared by:

System-wide default monospace font(s). Multiple fonts may be listed in case multiple languages must be supported.

Type: "list of strings"

Default: [ "DejaVu Sans Mono" ]

Declared by:

System-wide default sans serif font(s). Multiple fonts may be listed in case multiple languages must be supported.

Type: "list of strings"

Default: [ "DejaVu Sans" ]

Declared by:

System-wide default serif font(s). Multiple fonts may be listed in case multiple languages must be supported.

Type: "list of strings"

Default: [ "DejaVu Serif" ]

Declared by:

Force DPI setting. Setting to 0 disables DPI forcing; the DPI detected for the display will be used.

Type: "integer"

Default: 0

Declared by:

If enabled, a Fontconfig configuration file will be built pointing to a set of default fonts. If you don't care about running X11 applications or any other program that uses Fontconfig, you can turn this option off and prevent a dependency on all those fonts.

Type: "boolean"

Default: true

Declared by:

Enable the autohinter, which provides hinting for otherwise un-hinted fonts. The results are usually lower quality than correctly-hinted fonts.

Type: "boolean"

Default: true

Declared by:

Enable TrueType hinting.

Type: "boolean"

Default: true

Declared by:

TrueType hinting style, one of none, slight, medium, or full.

Type: "string"

Default: "full"

Declared by:

Include the user configuration from ~/.config/fontconfig/fonts.conf or ~/.config/fontconfig/conf.d.

Type: "boolean"

Default: true

Declared by:

FreeType LCD filter, one of none, default, light, or legacy.

Type: "string"

Default: "default"

Declared by:

Subpixel order, one of none, rgb, bgr, vrgb, or vbgr.

Type: "string"

Default: "rgb"

Declared by:

Allow bitmap fonts. Set to false to ban all bitmap fonts.

Type: "boolean"

Default: true

Declared by:

Allow Type-1 fonts. Default is false because of poor rendering.

Type: "boolean"

Default: false

Declared by:

Enable fontconfig-ultimate settings (formerly known as Infinality). Besides the customizable settings in this NixOS module, fontconfig-ultimate also provides many font-specific rendering tweaks.

Type: "boolean"

Default: true

Declared by:

Force use of the TrueType Autohinter. Useful for debugging or free-software purists.

Type: "boolean"

Default: false

Declared by:

Render some monospace TTF fonts as bitmaps.

Type: "boolean"

Default: false

Declared by:

FreeType rendering settings presets. The default is pkgs.fontconfig-ultimate.rendering.ultimate. The other available styles are: ultimate-lighter, ultimate-darker, ultimate-lightest, ultimate-darkest, default (the original Infinality default), osx, ipad, ubuntu, linux, winxplight, win7light, winxp, win7, vanilla, classic, nudge, push, shove, sharpened, infinality. Any of the presets may be customized by editing the attributes. To disable, set this option to the empty attribute set {}.

Type: "attribute set"

Default: { INFINALITY_FT_CHROMEOS_STYLE_SHARPENING_STRENGTH = "20"; INFINALITY_FT_FILTER_PARAMS = "08 24 36 24 08"; INFINALITY_FT_FRINGE_FILTER_STRENGTH = "50"; INFINALITY_FT_USE_VARIOUS_TWEAKS = "true"; }

Declared by:

Font substitutions to replace common Type 1 fonts with nicer TrueType fonts. free uses free fonts, ms uses Microsoft fonts, combi uses a combination, and none disables the substitutions.

Type: "string"

Default: "free"

Declared by:

Use embedded bitmaps in fonts like Calibri.

Type: "boolean"

Default: false

Declared by:

List of primary font paths.

Type: "list of paths"

Example:

[ pkgs.dejavu_fonts ]

Declared by:

When enabled, GNU software is chosen by default whenever a there is a choice between GNU and non-GNU software (e.g., GNU lsh vs. OpenSSH).

Type: "boolean"

Default: false

Declared by:

Plugin packages for GTK+ such as input methods.

Type: "list of paths"

Default: [ ]

Declared by:

Completely disable the AMD graphics card and use the integrated graphics processor instead.

Type: "boolean"

Default: false

Declared by:

Whether to enable support for Bluetooth.

Type: "boolean"

Default: false

Declared by:

Set to true if you intend to connect your discrete card to a monitor. This option will set up your Nvidia card for EDID discovery and to turn on the monitor signal. Only nvidia driver is supported so far.

Type: "boolean"

Default: false

Declared by:

Enable the bumblebee daemon to manage Optimus hybrid video cards. This should power off secondary GPU until its use is requested by running an application with optirun. Only nvidia driver is supported so far.

Type: "boolean"

Default: false

Declared by:

Group for bumblebee socket

Type: "string"

Default: "wheel"

Example: "video"

Declared by:

Update the CPU microcode for AMD processors.

Type: "boolean"

Default: false

Declared by:

Update the CPU microcode for Intel processors.

Type: "boolean"

Default: false

Declared by:

Turn on this option if you want to enable all the firmware shipped in linux-firmware.

Type: "boolean"

Default: false

Declared by:

Whether to enable Kernel Same-Page Merging.

Type: "boolean"

Default: false

Example: true

Declared by:

List of directories containing firmware files. Such files will be loaded automatically if the kernel asks for them (i.e., when it has detected specific hardware that requires firmware to function). If more than one path contains a firmware file with the same name, the first path in the list takes precedence. Note that you must rebuild your system if you add files to any of these directories. For quick testing, put firmware files in /root/test-firmware and add that directory to the list. Note that you can also add firmware packages to this list as these are directories in the nix store.

Type: "list of paths"

Default: [ ]

Declared by:

Completely disable the NVIDIA graphics card and use the integrated graphics processor instead.

Type: "boolean"

Default: false

Declared by:

Whether to enable accelerated OpenGL rendering through the Direct Rendering Interface (DRI).

Type: "boolean"

Default: true

Declared by:

On 64-bit systems, whether to support Direct Rendering for 32-bit applications (such as Wine). This is currently only supported for the nvidia and ati_unfree drivers, as well as Mesa.

Type: "boolean"

Default: false

Declared by:

Make S3TC(S3 Texture Compression) via libtxc_dxtn available to OpenGL drivers instead of the patent-free S2TC replacement. Using this library may require a patent license depending on your location.

Type: "boolean"

Default: false

Declared by:

This enables Parallel Tools for Linux guests, along with provided video, mouse and other hardware drivers.

Type: "boolean"

Default: false

Declared by:

Path to the configuration file which maps the memory, IRQs and ports used by the PCMCIA hardware.

Type: "unspecified"

Default: null

Declared by:

Enable this option to support PCMCIA card.

Type: "boolean"

Default: false

Declared by:

List of firmware used to handle specific PCMCIA card.

Type: "list of paths"

Default: [ ]

Declared by:

The path to the configuration the PulseAudio server should use. By default, the "default.pa" configuration from the PulseAudio distribution is used.

Type: "path"

Declared by:

The log level that the system-wide pulseaudio daemon should use, if activated.

Type: "string"

Default: "notice"

Declared by:

Whether to enable the PulseAudio sound server.

Type: "boolean"

Default: false

Declared by:

If false, a PulseAudio server is launched automatically for each user that tries to use the sound system. The server runs with user privileges. This is the recommended and most secure way to use PulseAudio. If true, one system-wide PulseAudio server is launched on boot, running as the user "pulse". Please read the PulseAudio documentation for more details.

Type: "boolean"

Default: false

Declared by:

The value of SANE_CONFIG_DIR.

Type: "string"

Default: "/nix/store/b8zzz0shp9m561c0zbbfky6angymqzj6-sane-config/etc/sane.d"

Declared by:

Enable support for SANE scanners.

Type: "boolean"

Default: false

Declared by:

Packages providing extra SANE backends to enable.

Type: "list of paths"

Default: [ ]

Declared by:

Use a development snapshot of SANE scanner drivers.

Type: "boolean"

Default: false

Declared by:

Enable scrolling while holding the middle mouse button.

Type: "boolean"

Default: false

Declared by:

Enable sensitivity and speed configuration for trackpoints.

Type: "boolean"

Default: false

Declared by:

Configure the trackpoint sensitivity. By default, the kernel configures 128.

Type: "integer"

Default: 128

Example: 255

Declared by:

Configure the trackpoint sensitivity. By default, the kernel configures 97.

Type: "integer"

Default: 97

Example: 255

Declared by:

The font used for the virtual consoles. Leave empty to use whatever the setfont program considers the default font.

Type: "string"

Default: "lat9w-16"

Example: "LatArCyrHeb-16"

Declared by:

The keyboard mapping table for the virtual consoles.

Type: "string or path"

Default: "us"

Example: "fr"

Declared by:

The default locale. It determines the language for program messages, the format for dates and times, sort order, and so on. It also determines the character set, such as UTF-8.

Type: "string"

Default: "en_US.UTF-8"

Example: "nl_NL.UTF-8"

Declared by:

List of locales that the system should support. The value "all" means that all locales supported by Glibc will be installed. A full list of supported locales can be found at http://sourceware.org/cgi-bin/cvsweb.cgi/libc/localedata/SUPPORTED?cvsroot=glibc.

Type: "list of strings"

Default: [ "all" ]

Example: [ "en_US.UTF-8/UTF-8" "nl_NL.UTF-8/UTF-8" "nl_NL/ISO-8859-1" ]

Declared by:

This option is a legacy method to define system services, dating from the era where NixOS used Upstart instead of systemd. You should use systemd.services instead. Services defined using jobs are mapped automatically to systemd.services, but may not work perfectly; in particular, most startOn conditions are not supported.

Type: "list or attribute set of submodules"

Default: { }

Declared by:

If the specified units are started at the same time as this unit, delay this unit until they have started.

Type: "list of strings"

Default: [ ]

Declared by:

If the specified units are started at the same time as this unit, delay them until this unit has started.

Type: "list of strings"

Default: [ ]

Declared by:

Like ‘requires’, but in addition, if the specified units unexpectedly disappear, this unit will be stopped as well.

Type: "list of strings"

Default: [ ]

Declared by:

If the specified units are started, then this unit is stopped and vice versa.

Type: "list of strings"

Default: [ ]

Declared by:

Determines how systemd detects when a daemon should be considered “running”. The value none means that the daemon is considered ready immediately. The value fork means that the daemon will fork once. The value daemon means that the daemon will fork twice. The value stop means that the daemon will raise the SIGSTOP signal to indicate readiness.

Type: "string"

Default: "none"

Declared by:

Description of this unit used in systemd messages and progress indicators.

Type: "string"

Default: ""

Declared by:

If set to false, this unit will be a symlink to /dev/null. This is primarily useful to prevent specific template instances (e.g. serial-getty@ttyS0) from being started.

Type: "boolean"

Default: true

Declared by:

Environment variables passed to the service's processes.

Type: "attribute set"

Default: { }

Example: { LANG = "nl_NL.UTF-8"; PATH = "/foo/bar/bin"; }

Declared by:

Command to start the job's main process. If empty, the job has no main process, but can still have pre/post-start and pre/post-stop scripts, and is considered “running” until it is stopped.

Type: "string"

Default: ""

Declared by:

Name of the job, mapped to the systemd unit name.service.

Type: "string"

Example: "sshd"

Declared by:

If the specified units are stopped or restarted, then this unit is stopped or restarted as well.

Type: "list of strings"

Default: [ ]

Declared by:

Packages added to the job's PATH environment variable. Both the bin and sbin subdirectories of each package are added.

Type: "unspecified"

Default: [ ]

Declared by:

Shell commands executed after the job is started (i.e. after the job's main process is started), but before the job is considered “running”.

Type: "string"

Default: ""

Declared by:

Shell commands executed after the job has stopped (i.e. after the job's main process has terminated).

Type: "string"

Default: ""

Declared by:

Shell commands executed before the service's main process is started.

Type: "string"

Default: ""

Declared by:

Shell commands executed before the job is stopped (i.e. before systemd kills the job's main process). This can be used to cleanly shut down a daemon.

Type: "string"

Default: ""

Declared by:

Shell commands executed when the service's main process is reloaded.

Type: "string"

Default: ""

Declared by:

Whether the service should be reloaded during a NixOS configuration switch if its definition has changed. If enabled, the value of restartIfChanged is ignored.

Type: "boolean"

Default: false

Declared by:

Units that require (i.e. depend on and need to go down with) this unit.

Type: "list of strings"

Default: [ ]

Declared by:

Start the specified units when this unit is started, and stop this unit when the specified units are stopped or fail.

Type: "list of strings"

Default: [ ]

Declared by:

Similar to requires. However if the units listed are not started, they will not be started and the transaction will fail.

Type: "list of strings"

Default: [ ]

Declared by:

Whether to restart the job automatically if its process ends unexpectedly.

Type: "boolean"

Default: true

Declared by:

Whether the service should be restarted during a NixOS configuration switch if its definition has changed.

Type: "boolean"

Default: true

Declared by:

An arbitrary list of items such as derivations. If any item in the list changes between reconfigurations, the service will be restarted.

Type: "list of unspecifieds"

Default: [ ]

Declared by:

Shell commands executed as the service's main process.

Type: "string"

Default: ""

Declared by:

Arguments passed to the main process script.

Type: "string"

Default: ""

Declared by:

Each attribute in this set specifies an option in the [Service] section of the unit. See systemd.service(5) for details.

Type: "attribute set of systemd options"

Default: { }

Example: { RestartSec = 5; StartLimitInterval = 10; }

Declared by:

Run the daemon as a different group.

Type: "string"

Default: ""

Declared by:

Run the daemon as a different user.

Type: "string"

Default: ""

Declared by:

Automatically start this unit at the given date/time, which must be in the format described in systemd.time(5). This is equivalent to adding a corresponding timer unit with OnCalendar set to the value given here.

Type: "string"

Default: ""

Example: "Sun 14:00:00"

Declared by:

The Upstart event that triggers this job to be started. Some are mapped to systemd dependencies; otherwise you will get a warning. If empty, the job will not start automatically.

Type: "unspecified"

Default: ""

Declared by:

If set, a changed unit is restarted by calling systemctl stop in the old configuration, then systemctl start in the new one. Otherwise, it is restarted in a single step using systemctl restart in the new configuration. The latter is less correct because it runs the ExecStop commands from the new configuration.

Type: "boolean"

Default: true

Declared by:

Ignored; this was the Upstart event that triggers this job to be stopped.

Type: "string"

Default: "starting shutdown"

Declared by:

Whether this job is a task rather than a service. Tasks are executed only once, while services are restarted when they exit.

Type: "boolean"

Default: false

Declared by:

Generated definition of the systemd unit corresponding to this job.

Type: "unspecified"

Default: { after = [ ] ; before = [ ] ; description = ""; environment = { } ; partOf = [ ] ; path = [ ] ; requires = [ ] ; restartIfChanged = true; serviceConfig = { RemainAfterExit = true; Type = "oneshot"; } ; unitConfig = { } ; wantedBy = [ ] ; wants = [ ] ; }

Declared by:

Each attribute in this set specifies an option in the [Unit] section of the unit. See systemd.unit(5) for details.

Type: "attribute set of systemd options"

Default: { }

Example: { RequiresMountsFor = "/data"; }

Declared by:

Units that want (i.e. depend on) this unit.

Type: "list of strings"

Default: [ ]

Declared by:

Start the specified units when this unit is started.

Type: "list of strings"

Default: [ ]

Declared by:

Default realm.

Type: "unspecified"

Default: "ATENA.MIT.EDU"

Declared by:

Default domain realm.

Type: "unspecified"

Default: "atena.mit.edu"

Declared by:

Whether to enable Kerberos V.

Type: "unspecified"

Default: false

Declared by:

Kerberos Domain Controller.

Type: "unspecified"

Default: "kerberos.mit.edu"

Declared by:

Kerberos Admin Server.

Type: "unspecified"

Default: "kerberos.mit.edu"

Declared by:

This option allows modules to define helper functions, constants, etc.

Type: "attribute set of attribute sets"

Default: { }

Declared by:

Additional configurations to build.

Type: "unspecified"

Default: [ ]

Declared by:

Additional configurations to build based on the current configuration which then has a lower priority.

Type: "unspecified"

Default: [ ]

Declared by:

Obsolete. Use networking.wireless.interfaces instead.

Type: "unspecified"

Default: ""

Declared by:

This option allows you to define bond devices that aggregate multiple, underlying networking interfaces together. The value of this option is an attribute set. Each attribute specifies a bond, with the attribute name specifying the name of the bond's network interface

Type: "attribute set of submodules"

Default: { }

Example: { bond0 = { interfaces = [ "eth0" "wlan0" ] ; miimon = 100; mode = "active-backup"; } ; fatpipe = { interfaces = [ "enp4s0f0" "enp4s0f1" "enp5s0f0" "enp5s0f1" ] ; } ; }

Declared by:

The interfaces to bond together

Type: "list of strings"

Example: [ "enp4s0f0" "enp4s0f1" "wlan0" ]

Declared by:

Option specifying the rate in which we'll ask our link partner to transmit LACPDU packets in 802.3ad mode.

Type: "null or string"

Default: null

Example: "fast"

Declared by:

Miimon is the number of millisecond in between each round of polling by the device driver for failed links. By default polling is not enabled and the driver is trusted to properly detect and handle failure scenarios.

Type: "null or integer"

Default: null

Example: 100

Declared by:

The mode which the bond will be running. The default mode for the bonding driver is balance-rr, optimizing for throughput. More information about valid modes can be found at https://www.kernel.org/doc/Documentation/networking/bonding.txt

Type: "null or string"

Default: null

Example: "active-backup"

Declared by:

Selects the transmit hash policy to use for slave selection in balance-xor, 802.3ad, and tlb modes.

Type: "null or string"

Default: null

Example: "layer2+3"

Declared by:

This option allows you to define Ethernet bridge devices that connect physical networks together. The value of this option is an attribute set. Each attribute specifies a bridge, with the attribute name specifying the name of the bridge's network interface.

Type: "attribute set of submodules"

Default: { }

Example: { br0 = { interfaces = [ "eth0" "eth1" ] ; } ; br1 = { interfaces = [ "eth2" "wlan0" ] ; } ; }

Declared by:

The physical network interfaces connected by the bridge.

Type: "list of strings"

Example: [ "eth0" "eth1" ]

Declared by:

Whether the bridge interface should enable rstp.

Type: "boolean"

Default: false

Example: true

Declared by:

Whether to use ConnMan for managing your network connections.

Type: "boolean"

Default: false

Declared by:

The default gateway. It can be left empty if it is auto-detected through DHCP.

Type: "null or string"

Default: null

Example: "131.211.84.1"

Declared by:

The default ipv6 gateway. It can be left empty if it is auto-detected through DHCP.

Type: "null or string"

Default: null

Example: "2001:4d0:1e04:895::1"

Declared by:

The window size of the default gateway. It limits maximal data bursts that TCP peers are allowed to send to us.

Type: "null or integer"

Default: null

Example: 524288

Declared by:

Password used for SMTP auth. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)

Type: "string"

Default: ""

Example: "correctHorseBatteryStaple"

Declared by:

Username used for SMTP auth. Leave blank to disable.

Type: "string"

Default: ""

Example: "foo@example.org"

Declared by:

Use the trivial Mail Transfer Agent (MTA) ssmtp package to allow programs to send e-mail. If you don't want to run a “real” MTA like sendmail or postfix on your machine, set this option to true, and set the option networking.defaultMailServer.hostName to the host name of your preferred mail server.

Type: "boolean"

Default: false

Example: true

Declared by:

The domain from which mail will appear to be sent.

Type: "string"

Default: ""

Example: "example.org"

Declared by:

The host name of the default mail server to use to deliver e-mail.

Type: "string"

Example: "mail.example.org"

Declared by:

The e-mail to which mail for users with UID < 1000 is forwarded.

Type: "string"

Default: ""

Example: "root@example.org"

Declared by:

Whether the STARTTLS should be used to connect to the default mail server. (This is needed for TLS-capable mail servers running on the default SMTP port 25.)

Type: "boolean"

Default: false

Example: true

Declared by:

Whether TLS should be used to connect to the default mail server.

Type: "boolean"

Default: false

Example: true

Declared by:

Enable the DHCP client for any interface whose name matches any of the shell glob patterns in this list. Any interface not explicitly matched by this pattern will be denied. This pattern only applies when non-null.

Type: "null or list of strings"

Default: null

Declared by:

Disable the DHCP client for any interface whose name matches any of the shell glob patterns in this list. The purpose of this option is to blacklist virtual interfaces such as those created by Xen, libvirt, LXC, etc.

Type: "list of strings"

Default: [ ]

Declared by:

Literal string to append to the config file generated for dhcpcd.

Type: "string"

Default: ""

Declared by:

Whenever to leave interfaces configured on dhcpcd daemon shutdown. Set to true if you have your root or store mounted over the network or this machine accepts SSH connections through DHCP interfaces and clients should be notified when it shuts down.

Type: "boolean"

Default: false

Declared by:

Shell code that will be run after all other hooks. See `man dhcpcd-run-hooks` for details on what is possible.

Type: "string"

Default: ""

Example: "if [[ \$reason =~ BOUND ]]; then echo \$interface: Routers are \$new_routers - were \$old_routers; fi"

Declared by:

Recent versions of glibc will issue both ipv4 (A) and ipv6 (AAAA) address queries at the same time, from the same port. Sometimes upstream routers will systemically drop the ipv4 queries. The symptom of this problem is that 'getent hosts example.com' only returns ipv6 (or perhaps only ipv4) addresses. The workaround for this is to specify the option 'single-request' in /etc/resolv.conf. This option enables that.

Type: "boolean"

Default: false

Declared by:

The domain. It can be left empty if it is auto-detected through DHCP.

Type: "null or string"

Default: null

Example: "home"

Declared by:

Turn on this option if you want firmware for the NICs supported by the b43 module.

Type: "boolean"

Default: false

Declared by:

Whether to enable support for IPv6.

Type: "boolean"

Default: true

Declared by:

Turn on this option if you want firmware for the Intel PRO/Wireless 2100BG to be loaded automatically. This is required if you want to use this device.

Type: "boolean"

Default: false

Declared by:

Turn on this option if you want firmware for the Intel PRO/Wireless 2200BG to be loaded automatically. This is required if you want to use this device.

Type: "boolean"

Default: false

Declared by:

This option enables automatic loading of the firmware for the Intel PRO/Wireless 3945ABG.

Type: "boolean"

Default: false

Declared by:

Turn on this option if you want firmware for the RTL8192c (and related) NICs.

Type: "boolean"

Default: false

Declared by:

Turn on this option if you want firmware for the RT73 NIC.

Type: "boolean"

Default: false

Declared by:

Additional entries to be appended to /etc/hosts.

Type: "string"

Default: ""

Example: "192.168.0.1 lanlocalhost"

Declared by:

Whether to respond to incoming ICMPv4 echo requests ("pings"). ICMPv6 pings are always allowed because the larger address space of IPv6 makes network scanning much less effective.

Type: "boolean"

Default: false

Declared by:

A range of TCP ports on which incoming connections are accepted.

Type: "list of attribute set of integerss"

Default: [ ]

Example: [ { from = 8999; to = 9003; } ]

Declared by:

List of TCP ports on which incoming connections are accepted.

Type: "list of integers"

Default: [ ]

Example: [ 22 80 ]

Declared by:

Range of open UDP ports.

Type: "list of attribute set of integerss"

Default: [ ]

Example: [ { from = 60000; to = 61000; } ]

Declared by:

List of open UDP ports.

Type: "list of integers"

Default: [ ]

Example: [ 53 ]

Declared by:

Whether to auto-load connection-tracking helpers. See the description at networking.firewall.connectionTrackingModules (needs kernel 3.5+)

Type: "boolean"

Default: true

Declared by:

Performs a reverse path filter test on a packet. If a reply to the packet would not be sent via the same interface that the packet arrived on, it is refused. If using asymmetric routing or other complicated routing, disable this setting and setup your own counter-measures. (needs kernel 3.3+)

Type: "boolean"

Default: true

Declared by:

List of connection-tracking helpers that are auto-loaded. The complete list of possible values is given in the example. As helpers can pose as a security risk, it is advised to set this to an empty list and disable the setting networking.firewall.autoLoadConntrackHelpers Loading of helpers is recommended to be done through the new CT target. More info: https://home.regit.org/netfilter-en/secure-use-of-helpers/

Type: "list of strings"

Default: [ "ftp" ]

Example: [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]

Declared by:

Whether to enable the firewall. This is a simple stateful firewall that blocks connection attempts to unauthorised TCP or UDP ports on this machine. It does not affect packet forwarding.

Type: "boolean"

Default: true

Declared by:

Additional shell commands executed as part of the firewall initialisation script. These are executed just before the final "reject" firewall rule is added, so they can be used to allow packets that would otherwise be refused.

Type: "string"

Default: ""

Example: "iptables -A INPUT -p icmp -j ACCEPT"

Declared by:

Additional shell commands executed as part of the firewall shutdown script. These are executed just after the removal of the nixos input rule, or if the service enters a failed state.

Type: "string"

Default: ""

Example: "iptables -P INPUT ACCEPT"

Declared by:

Whether to log rejected or dropped incoming connections.

Type: "boolean"

Default: true

Declared by:

Whether to log all rejected or dropped incoming packets. This tends to give a lot of log messages, so it's mostly useful for debugging.

Type: "boolean"

Default: false

Declared by:

If networking.firewall.logRefusedPackets and this option are enabled, then only log packets specifically directed at this machine, i.e., not broadcasts or multicasts.

Type: "boolean"

Default: true

Declared by:

If pings are allowed, this allows setting rate limits on them. If non-null, this option should be in the form of flags like "--limit 1/minute --limit-burst 5"

Type: "null or string"

Default: null

Declared by:

If set, forbidden packets are rejected rather than dropped (ignored). This means that an ICMP "port unreachable" error message is sent back to the client. Rejecting packets makes port scanning somewhat easier.

Type: "boolean"

Default: false

Declared by:

Traffic coming in from these interfaces will be accepted unconditionally.

Type: "list of strings"

Declared by:

The 32-bit host ID of the machine, formatted as 8 hexadecimal characters. You should try to make this ID unique among your machines. You can generate a random 32-bit ID using the following commands: cksum /etc/machine-id | while read c rest; do printf "%x" $c; done (this derives it from the machine-id that systemd generates) or head -c4 /dev/urandom | od -A none -t x4

Type: "null or string"

Default: null

Example: "4e98920d"

Declared by:

The name of the machine. Leave it empty if you want to obtain it from a DHCP server (if using DHCP).

Type: "string"

Default: "nixos"

Declared by:

If true, beep when an Ethernet cable is plugged in or unplugged.

Type: "boolean"

Default: false

Declared by:

Shell commands to be executed when the link status of an interface changes. On invocation, the shell variable iface contains the name of the interface, while the variable status contains either up or down to indicate the new status.

Type: "string"

Default: ""

Declared by:

If true, monitor Ethernet interfaces for cables being plugged in or unplugged. When this occurs, the commands specified in networking.interfaceMonitor.commands are executed.

Type: "boolean"

Default: false

Declared by:

The configuration for each network interface. If networking.useDHCP is true, then every interface not listed here will be configured using DHCP.

Type: "list or attribute set of submodules"

Default: { }

Example: { eth0 = { ip4 = [ { address = "131.211.84.78"; prefixLength = 25; } ] ; } ; }

Declared by: