boot.zfs.latestCompatibleKernel
Whether to use the latest ZFS compatible kernel.
Type: boolean
Default:
false
Declared by:
boot.zfs.recommendedDefaults
Whether to enable recommended ZFS settings.
Type: boolean
Default:
false
Declared by:
hardware.intelGPU
Whether to add drivers for Intel hardware acceleration.
Type: boolean
Default:
false
Example:
true
Declared by:
nix.deleteChannels
Whether to delete all channels on a system switch.
Type: boolean
Default:
false
Example:
true
Declared by:
nix.deleteUserProfiles
Whether to delete all user profiles on a system switch.
Type: boolean
Default:
false
Example:
true
Declared by:
nix.diffSystem
Whether to enable system closure diffing on updates.
Type: boolean
Default:
false
Declared by:
nix.recommendedDefaults
Whether to set recommended default settings.
Type: boolean
Default:
false
Declared by:
nix.remoteBuilder.enable
Whether to enable restricted nix remote builder.
Type: boolean
Default:
false
Example:
true
Declared by:
nix.remoteBuilder.name
Name of the user used for remote building.
Type: string (read only)
Default:
"nix-remote-builder"
Declared by:
nix.remoteBuilder.sshPublicKeys
SSH public keys accepted by the remote build user.
Type: list of string
Declared by:
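The two sides of the restricted remote builder, as an added example that is not part of the module's documentation. The builder host uses the three nix.remoteBuilder options above; the client uses the standard NixOS nix.buildMachines option. Host names, key paths, the key material (placeholders) and the assumption that the module creates and restricts the user named by nix.remoteBuilder.name are all mine, not the page's.

```nix
# Added example (not from the module). Two NixOS hosts written as two modules
# in one attribute set, as a deployment tool that takes a set of hosts would.
{
  # --- builder.example.org: expose the restricted build user -------------
  builder = { ... }: {
    nix.remoteBuilder = {
      enable = true;
      # Only keys listed here may log in as nix-remote-builder (the read-only
      # nix.remoteBuilder.name). Use a key generated solely for this purpose:
      # whoever holds it can push arbitrary derivations to this machine.
      sshPublicKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER laptop-remote-build"  # placeholder key
      ];
    };
  };

  # --- laptop: send builds to that host over SSH --------------------------
  laptop = { ... }: {
    nix.distributedBuilds = true;
    nix.buildMachines = [{
      hostName = "builder.example.org";
      sshUser = "nix-remote-builder";      # must equal nix.remoteBuilder.name on the builder
      sshKey = "/root/.ssh/remote-build";  # private half of the key above; root's, because nix-daemon opens the connection
      systems = [ "x86_64-linux" ];
      protocol = "ssh-ng";
      maxJobs = 4;
      # Pin the builder's host key (base64 of its public host key line) so a
      # hijacked DNS answer cannot redirect builds to a different store.
      publicHostKey = "BASE64-OF-BUILDER-HOST-KEY";  # placeholder
    }];
  };
}
```

The restriction is enforced on the builder side: the only thing the client-side key can do is talk to the Nix store protocol as that user, which is why the key should not be shared with any interactive login.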
opinionatedDefaults
Whether to enable opinionated defaults.
Type: boolean
Default:
false
Example:
true
Declared by:
programs.ssh.addPopularKnownHosts
Whether to add the SSH host public keys of popular sites to known_hosts.
Type: boolean
Default:
false
Declared by:
programs.ssh.recommendedDefaults
Whether to set recommended and secure default settings.
Type: boolean
Default:
false
Declared by:
programs.tmux.recommendedDefaults
Whether to set recommended default settings.
Type: boolean
Default:
false
Declared by:
security.acme.staging
If set to true, use Let's Encrypt's staging environment instead of the production one. The staging environment has much higher rate limits but issues certificates from a staging CA that clients do not trust. This is useful for testing when the normal rate limit is hit quickly and affects other people behind the same IP. See https://letsencrypt.org/docs/staging-environment for details.
Type: boolean
Default:
false
Declared by:
security.ldap
LDAP options used in other services.
Type: submodule
Default:
{ }
Declared by:
security.ldap.bindDN
The DN of the service user used by services. The user base DN will be automatically appended.
Type: null or string
Default:
null
Example:
"uid=search"
Declared by:
security.ldap.domainComponent
Domain component(s) (dc) represented as a list of strings.
Each entry is prefixed with dc= and the entries are joined with a comma.
The example below is concatenated to dc=example,dc=com.
Type: list of string
Example:
[
"example"
"com"
]
Declared by:
security.ldap.domainName
The domain name to connect to the ldap server.
Type: string
Example:
"auth.example.com"
Declared by:
security.ldap.givenNameField
The attribute of the user object where to find its given name.
Type: string
Example:
"givenName"
Declared by:
security.ldap.groupFilter
A function that returns a group filter that matches the first argument against the names of the groups the user is part of.
Type: function that evaluates to a(n) string
Example:
group: "(&(objectclass=person)(isMemberOf=cn=${group},${config.security.ldap.roleBaseDN}))"
Declared by:
security.ldap.mailField
The attribute of the user object where to find its email.
Type: string
Example:
"mail"
Declared by:
security.ldap.port
The port the LDAP server listens on. Usually this is 389 for ldap and 636 for ldaps.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Example:
636
Declared by:
security.ldap.roleBaseDN
The directory path where applications should search for groups. The domain component will be automatically appended.
Type: string
Example:
"ou=groups"
Declared by:
security.ldap.roleField
The attribute where the user account is listed in a group.
Type: string
Example:
"cn"
Declared by:
security.ldap.roleFilter
Filter to get the groups of an user object.
Type: string
Example:
"(&(objectclass=groupOfNames)(member=%s))"
Declared by:
security.ldap.roleValue
The attribute of the user object where to find its distinguished name.
Type: string
Example:
"dn"
Declared by:
security.ldap.searchFilterWithGroupFilter
A function that returns a search filter that may include a group filter. The first argument is either the group to filter on or null; with null no additional filtering is done, otherwise the group filter is combined with the user filter. The second argument is the user filter including the application's placeholder, ideally the userFilter option applied to that placeholder.
Type: function that evaluates to a(n) function that evaluates to a(n) string
Example:
userFilterGroup: userFilter: if (userFilterGroup != null) then "(&${config.security.ldap.groupFilter userFilterGroup}${userFilter})" else userFilter
Declared by:
security.ldap.searchUID
The uid of the service user used by services, often referred to as the search user.
Type: null or string
Default:
null
Example:
"search"
Declared by:
security.ldap.sshPublicKeyField
The attribute of the user object where to find its ssh public key.
Type: string
Example:
"sshPublicKey"
Declared by:
security.ldap.surnameField
The attribute of the user object where to find its surname.
Type: string
Example:
"sn"
Declared by:
security.ldap.userBaseDN
The directory path where applications should search for users. The domain component will be automatically appended.
Type: string
Example:
"ou=users"
Declared by:
security.ldap.userField
The attribute of the user object where to find its username.
Type: string
Example:
"uid"
Declared by:
security.ldap.userFilter
A function that returns a user search filter that uses the first argument as the placeholder.
Type: function that evaluates to a(n) string
Example:
param: "(&(objectclass=person)(|(uid=${param})(mail=${param})))"
Declared by:
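How the security.ldap options fit together, as an added example that is not part of the module's documentation. The values are the ones given as examples on this page; the only additions are the composition of the three function options and the comments. It assumes that the roleBaseDN value seen through config already carries the domain component, as the option description says it is appended automatically.

```nix
# Added example (not from the module): one complete security.ldap block.
{ config, ... }:
{
  security.ldap = {
    domainName = "auth.example.com";
    port = 636;                              # ldaps; 389 would be plain ldap
    domainComponent = [ "example" "com" ];   # -> dc=example,dc=com, appended to the base DNs below

    # Search ("bind") user; its password is supplied per service, never here,
    # because anything in a NixOS option ends up world-readable in /nix/store.
    searchUID = "search";
    bindDN = "uid=search";                   # user base DN is appended: uid=search,ou=users,dc=example,dc=com
    userBaseDN = "ou=users";
    roleBaseDN = "ou=groups";

    # Attribute names consumers map onto their own user model.
    userField = "uid";
    mailField = "mail";
    givenNameField = "givenName";
    surnameField = "sn";
    sshPublicKeyField = "sshPublicKey";
    roleField = "cn";
    roleValue = "dn";
    roleFilter = "(&(objectclass=groupOfNames)(member=%s))";

    # Login by uid or mail. The consuming service substitutes its own
    # placeholder for `param`; escaping that value (RFC 4515) is the service's
    # job, so the filter itself must not be built from raw user input.
    userFilter = param: "(&(objectclass=person)(|(uid=${param})(mail=${param})))";

    # Membership check on the full group DN (assumption: roleBaseDN is already
    # suffixed with dc=example,dc=com when read back through config).
    groupFilter = group:
      "(&(objectclass=person)(isMemberOf=cn=${group},${config.security.ldap.roleBaseDN}))";

    # Glue the two together. With no group the user filter is returned as is;
    # with a group both must match, so a valid password for a user outside the
    # group still yields no search result and therefore no login.
    searchFilterWithGroupFilter = userFilterGroup: userFilter:
      if userFilterGroup != null
      then "(&${config.security.ldap.groupFilter userFilterGroup}${userFilter})"
      else userFilter;
  };
}
```

For a service whose placeholder is %s and whose userGroup is "gitea-users", searchFilterWithGroupFilter "gitea-users" (userFilter "%s") evaluates to (&(&(objectclass=person)(isMemberOf=cn=gitea-users,ou=groups,dc=example,dc=com))(&(objectclass=person)(|(uid=%s)(mail=%s)))), which is what the service hands to the directory.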
services.gitea.ldap.enable
Whether to enable login via LDAP.
Type: boolean
Default:
false
Example:
true
Declared by:
services.gitea.ldap.adminGroup
Name of the ldap group that grants admin access in gitea.
Type: null or string
Default:
null
Example:
"gitea-admins"
Declared by:
services.gitea.ldap.options.admin-filter
This option has no description.
Type: null or string
Default:
null
Declared by:
services.gitea.ldap.options.bind-dn
This option has no description.
Type: null or string
Default:
null
Declared by:
services.gitea.ldap.options.bind-password
This option has no description.
Type: null or string
Default:
null
Declared by:
services.gitea.ldap.options.email-attribute
This option has no description.
Type: null or string
Default:
null
Declared by:
services.gitea.ldap.options.firstname-attribute
This option has no description.
Type: null or string
Default:
null
Declared by:
services.gitea.ldap.options.host
This option has no description.
Type: null or string
Default:
null
Declared by:
services.gitea.ldap.options.id
This option has no description.
Type: unsigned integer, meaning >=0
Default:
1
Declared by:
services.gitea.ldap.options.name
This option has no description.
Type: null or string
Default:
null
Declared by:
services.gitea.ldap.options.port
This option has no description.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
null
Declared by:
services.gitea.ldap.options.public-ssh-key-attribute
This option has no description.
Type: null or string
Default:
null
Declared by:
services.gitea.ldap.options.security-protocol
This option has no description.
Type: null or string
Default:
null
Declared by:
services.gitea.ldap.options.surname-attribute
This option has no description.
Type: null or string
Default:
null
Declared by:
services.gitea.ldap.options.user-filter
This option has no description.
Type: null or string
Default:
null
Declared by:
services.gitea.ldap.options.user-search-base
This option has no description.
Type: null or string
Default:
null
Declared by:
services.gitea.ldap.options.username-attribute
This option has no description.
Type: null or string
Default:
null
Declared by:
services.gitea.ldap.searchUserPasswordFile
Path to a file containing the password for the search/bind user.
Type: null or string
Default:
null
Example:
"/var/lib/secrets/search-user-password"
Declared by:
services.gitea.ldap.userGroup
Restrict logins to users in this group.
Type: null or string
Default:
null
Declared by:
services.gitea.recommendedDefaults
Whether to set recommended, secure default settings.
Type: boolean
Default:
false
Declared by:
services.grafana.configureNginx
Whether to configure Nginx.
Type: boolean
Default:
false
Declared by:
services.grafana.oauth.enable
Whether to enable login only via OAuth2.
Type: boolean
Default:
false
Example:
true
Declared by:
services.grafana.oauth.enableViewerRole
Whether to enable the fallback Viewer role for users who are in neither the userGroup nor the adminGroup.
Type: boolean
Default:
false
Declared by:
services.grafana.oauth.adminGroup
Name of the OAuth group that grants the Admin role in Grafana.
Type: null or string
Default:
null
Declared by:
services.grafana.oauth.userGroup
Restrict logins to users in this group.
Type: null or string
Default:
null
Declared by:
services.grafana.recommendedDefaults
Whether to set recommended and secure default settings.
Type: boolean
Default:
false
Declared by:
services.harmonia.configureNginx
Whether to configure nginx.
Type: boolean
Default:
false
Declared by:
services.harmonia.domain
Domain under which harmonia should be available.
Type: string
Declared by:
services.harmonia.port
Port on which harmonia should internally listen on.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Declared by:
services.harmonia.recommendedDefaults
Whether to set recommended default settings.
Type: boolean
Default:
false
Declared by:
services.hedgedoc.ldap.enable
Whether to enable login only via LDAP.
Use services.hedgedoc.environmentFile with a line in the format bindCredentials=password to set the credentials used by the search user.
Type: boolean
Default:
false
Example:
true
Declared by:
services.hedgedoc.ldap.userGroup
Restrict logins to users in this group.
Type: null or string
Default:
null
Declared by:
services.home-assistant.blueprints
This option has no description.
Type: list of package
Default:
[ ]
Example:
[
(pkgs.fetchFromGitHub {
owner = "...";
repo = "...";
rev = "...";
hash = "...";
passthru = {
path = "../...yaml";
domain = "automation"; # or script
author = "...";
};
})
]
Declared by:
services.home-assistant.ldap.enable
Whether to enable login only via LDAP.
Note: Only enable this after completing the onboarding!
Type: boolean
Default:
false
Example:
true
Declared by:
services.home-assistant.ldap.adminGroup
Name of the ldap group that grants admin access in Home-Assistant.
Type: null or string
Default:
null
Example:
"home-assistant-admins"
Declared by:
services.home-assistant.ldap.userGroup
Restrict logins to users in this group.
Type: null or string
Default:
null
Declared by:
services.home-assistant.recommendedDefaults
Whether to set recommended default settings.
Type: boolean
Default:
false
Declared by:
services.hydra.ldap.enable
Whether to enable login only via LDAP.
The bind user password must be placed at /var/lib/hydra/ldap-password.conf in the format bindpw = "PASSWORD".
It is recommended to use a password without special characters, because the Perl config parser has unusual escaping rules; for example, the comment character # must be escaped with a backslash.
Type: boolean
Default:
false
Example:
true
Declared by:
services.hydra.ldap.roleMappings
Map LDAP groups to hydra permissions. See upstream doc, especially role_mapping.
Type: list of attribute set of string
Default:
[ ]
Example:
[
{
hydra-admins = "admins";
}
]
Declared by:
services.hydra.ldap.userGroup
Restrict logins to users in this group.
Type: null or string
Default:
null
Declared by:
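Three consumers of the LDAP settings, each receiving the search user's password in a different way, as an added example that is not part of the module's documentation. The group names and secret paths are assumptions; the shape of each secret is taken from the option descriptions above.

```nix
# Added example (not from the module): gitea, hedgedoc and hydra sharing one
# security.ldap configuration but each fed the bind password its own way.
# None of the secret paths below is in /nix/store, which is world-readable.
{
  # gitea reads the bare password from a file at runtime.
  services.gitea.ldap = {
    enable = true;
    userGroup = "gitea-users";                  # assumed group name
    adminGroup = "gitea-admins";
    searchUserPasswordFile = "/run/secrets/ldap-search-password";  # assumed path; file contains only the password
  };

  # hedgedoc takes it from an environment file containing the line
  #   bindCredentials=<password>
  services.hedgedoc = {
    ldap = {
      enable = true;
      userGroup = "hedgedoc-users";             # assumed group name
    };
    environmentFile = "/run/secrets/hedgedoc.env";  # assumed path
  };

  # hydra expects a fixed file, /var/lib/hydra/ldap-password.conf, containing
  #   bindpw = "PASSWORD"
  # and, per the option doc, a password without characters such as '#'.
  services.hydra.ldap = {
    enable = true;
    userGroup = "hydra-users";                  # assumed group name
    roleMappings = [ { hydra-admins = "admins"; } ];  # LDAP group -> hydra role
  };
}
```

Whatever delivers the files (a secrets manager, a tmpfiles rule, a manual copy) must make them readable by the respective service user and nobody else; the module options only say where each service looks.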
services.mastodon.enableBirdUITheme
Whether to enable Bird UI Theme.
Type: boolean
Default:
false
Example:
true
Declared by:
services.mastodon.ldap.enable
Whether to enable login only via LDAP.
Type: boolean
Default:
false
Example:
true
Declared by:
services.mastodon.ldap.userGroup
Restrict logins to users in this group.
Type: null or string
Default:
null
Declared by:
services.matrix-synapse.addAdditionalOembedProvider
Whether to add additional oembed providers from oembed.com.
Type: boolean
Default:
false
Declared by:
services.matrix-synapse.element-web.enable
Whether to enable the element-web client.
Type: boolean
Default:
false
Example:
true
Declared by:
services.matrix-synapse.element-web.enableConfigFeatures
Whether to enable most features available via config.json.
Type: boolean
Default:
false
Declared by:
services.matrix-synapse.element-web.package
The element-web package to use.
Type: package
Default:
pkgs.element-web
Declared by:
services.matrix-synapse.element-web.domain
The domain that element-web will use.
Type: string
Example:
"element.example.org"
Declared by:
services.matrix-synapse.ldap.enable
Whether to enable login via LDAP.
Type: boolean
Default:
false
Example:
true
Declared by:
services.matrix-synapse.ldap.searchUserPasswordFile
Path to a file containing the password for the search/bind user.
Type: string
Example:
"/var/lib/secrets/search-user-password"
Declared by:
services.matrix-synapse.ldap.userGroup
Restrict logins to users in this group.
Type: null or string
Default:
null
Declared by:
services.matrix-synapse.recommendedDefaults
Whether to set recommended and secure default settings.
Type: boolean
Default:
false
Declared by:
services.nextcloud.configureImaginary
Whether to configure and use Imaginary for preview generation.
Type: boolean
Default:
false
Declared by:
services.nextcloud.configureMemories
Whether to configure dependencies for Memories App.
Type: boolean
Default:
false
Declared by:
services.nextcloud.configureMemoriesVaapi
Whether to configure the Memories app to use an Intel iGPU for hardware acceleration.
Type: boolean
Default:
config.hardware.intelGPU
Declared by:
services.nextcloud.configurePreviewSettings
Whether to configure the preview settings to be better optimised for real-world usage. By default this is enabled when Imaginary is configured.
Type: boolean
Default:
config.services.nextcloud.configureImaginary
Declared by:
services.nextcloud.configureRecognize
Whether to configure dependencies for Recognize App.
Type: boolean
Default:
false
Declared by:
services.nextcloud.recommendedDefaults
Whether to set recommended default settings.
Type: boolean
Default:
false
Declared by:
services.nginx.allRecommendOptions
Whether to set all upstream options whose names start with recommended.
Type: boolean
Default:
false
Declared by:
services.nginx.commonServerConfig
Shared configuration snippet added to every virtual host's extraConfig.
Type: strings concatenated with “\n”
Default:
""
Declared by:
services.nginx.configureQuic
Whether to enable quic support in nginx.
Type: boolean
Default:
false
Example:
true
Declared by:
services.nginx.default404Server.enable
Whether to add a default server which always responds with 404. This is useful when using a wildcard CNAME with a wildcard certificate, so that unknown subdomains do not hit the first server entry in the config, or to do the same for an old, not yet fully removed domain. The addresses to listen on are derived from services.nginx.defaultListenAddresses.
Type: boolean
Default:
false
Declared by:
services.nginx.default404Server.acmeHost
The acme host to use for the default 404 server.
Type: string
Declared by:
services.nginx.generateDhparams
Whether to generate more secure 2048-bit dhparams, replacing the default 1024-bit ones.
Type: boolean
Default:
false
Declared by:
services.nginx.openFirewall
Whether to open the firewall port for the http (80/tcp), https (443/tcp) and if enabled quic (443/udp) ports.
Type: boolean
Default:
false
Declared by:
services.nginx.recommendedDefaults
Whether to set recommended performance options not grouped into other settings.
Type: boolean
Default:
false
Declared by:
services.nginx.resolverAddrFromNameserver
Whether to set resolver address to environment.nameservers.
Type: boolean
Default:
false
Declared by:
services.nginx.rotateLogsFaster
Whether to keep logs only for 7 days and rotate them daily.
Type: boolean
Default:
false
Declared by:
services.nginx.setHSTSHeader
Whether to add the HSTS header to all virtual hosts.
Type: boolean
Default:
false
Declared by:
services.nginx.tcpFastOpen
Whether to enable tcp fast open.
Type: boolean
Default:
false
Declared by:
services.nginx.virtualHosts
This option has no description.
Type: attribute set of (submodule)
Declared by:
services.nginx.virtualHosts.<name>.commonLocationsConfig
Shared configuration snippet added to every location's extraConfig.
Note: This option mainly exists because nginx's add_header and headers_more's more_set_headers are not inherited by a lower level once that level sets any header of its own.
Type: strings concatenated with “\n”
Default:
""
Declared by:
services.nginx.virtualHosts.<name>.locations
This option has no description.
Type: attribute set of (submodule)
Declared by:
services.nginx.virtualHosts.<name>.locations.<name>.extraConfig
This option has no description.
Type: unspecified value
Declared by:
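A virtual host that uses the nginx options above together, as an added example that is not part of the module's documentation. It assumes a wildcard certificate for *.example.org already exists as security.acme.certs."example.org" and that an application listens on 127.0.0.1:8080; useACMEHost, forceSSL, proxyPass and root are standard nixpkgs options.

```nix
# Added example (not from the module).
{
  services.nginx = {
    enable = true;
    recommendedDefaults = true;   # this module's performance defaults
    allRecommendOptions = true;   # every upstream recommended* option
    configureQuic = true;
    openFirewall = true;          # 80/tcp, 443/tcp and, because of QUIC, 443/udp
    setHSTSHeader = true;
    generateDhparams = true;
    rotateLogsFaster = true;

    # Catch-all for *.example.org: an unknown subdomain gets a 404 instead of
    # whichever virtual host nginx would otherwise pick as the default.
    default404Server = {
      enable = true;
      acmeHost = "example.org";
    };

    # Goes into every virtual host's extraConfig.
    commonServerConfig = ''
      server_tokens off;
    '';

    virtualHosts."app.example.org" = {
      useACMEHost = "example.org";
      forceSSL = true;

      # add_header is dropped by any location that sets its own add_header,
      # so headers that must reach every response are repeated per location
      # through this option rather than set once at server level.
      commonLocationsConfig = ''
        add_header X-Content-Type-Options nosniff always;
        add_header Referrer-Policy same-origin always;
      '';

      locations."/" = {
        proxyPass = "http://127.0.0.1:8080";   # assumed backend
        proxyWebsockets = true;
      };

      # This location has its own add_header; without commonLocationsConfig
      # it would silently lose the two headers above.
      locations."/static/" = {
        root = "/var/www/app";                 # assumed path
        extraConfig = ''
          add_header Cache-Control "public, max-age=3600";
        '';
      };
    };
  };
}
```

After deploying, curl -sI https://app.example.org/static/ should show both X-Content-Type-Options and Cache-Control, and curl -sI https://nonexistent.example.org/ should return 404 from the default server rather than the application.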
services.openssh.fixPermissions
Whether to fix host key permissions to prevent lock outs.
Type: boolean
Default:
false
Declared by:
services.portunus.addToHosts
Whether to add a hosts entry for the portunus domain pointing to the configured internal IP.
Type: boolean
Default:
false
Declared by:
services.portunus.configureOAuth2Proxy
Whether to configure OAuth2 Proxy with Portunus' Dex.
Use services.oauth2_proxy.nginx.virtualHosts
to configure the nginx virtual hosts that should require authentication.
To properly function this requires the services.oauth2_proxy.nginx.domain option from https://github.com/NixOS/nixpkgs/pull/273234.
Type: boolean
Default:
false
Declared by:
services.portunus.internalIp4
Internal IPv4 of portunus instance. This is used in the addToHosts option.
Type: null or string
Default:
null
Declared by:
services.portunus.internalIp6
Internal IPv6 of portunus instance. This is used in the addToHosts option.
Type: null or string
Default:
null
Declared by:
services.portunus.ldapPreset
Whether to set config.security.ldap to portunus specific settings.
Type: boolean
Default:
false
Declared by:
services.portunus.removeAddGroup
When enabled, remove the ability to add new groups via the web UI, so that groups can only be created through seeding.
Type: boolean
Default:
false
Declared by:
services.portunus.seedGroups
Whether to seed the groups configured in services as groups that are not member-managed.
Type: boolean
Default:
false
Declared by:
services.postgresql.recommendedDefaults
Whether to set recommended default settings.
Type: boolean
Default:
false
Declared by:
services.postgresql.upgrade.enable
Whether to install the upgrade-pg-cluster script to update postgres.
Type: boolean
Default:
false
Declared by:
services.postgresql.upgrade.extraArgs
Extra arguments to pass to pg_upgrade. See https://www.postgresql.org/docs/current/pgupgrade.html for doc.
Type: list of string
Default:
[
"--link"
"--jobs=$(nproc)"
]
Declared by:
services.postgresql.upgrade.newPackage
The postgres package to upgrade to. After running upgrade-pg-cluster, services.postgresql.package must be set to this package to complete the upgrade.
Type: package
Default:
pkgs.postgresql_16
Declared by:
services.postgresql.upgrade.stopServices
Systemd services to stop when upgrade is started.
Type: list of string
Default:
[ ]
Example:
[
"hedgedoc"
"hydra"
"nginx"
]
Declared by:
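The two-step upgrade the options above describe, as an added example that is not part of the module's documentation. The service names and the current version are assumptions; the pg_upgrade --link caveat is from the PostgreSQL documentation linked above.

```nix
# Added example (not from the module).
{ pkgs, ... }:
{
  services.postgresql = {
    enable = true;
    recommendedDefaults = true;

    # Step 1: leave `package` at the version the cluster currently runs,
    # declare the target in upgrade.newPackage, rebuild, then run the
    # installed upgrade-pg-cluster script.
    package = pkgs.postgresql_15;           # assumed current version
    upgrade = {
      enable = true;
      newPackage = pkgs.postgresql_16;
      # Everything that holds a connection must be stopped first; the script
      # stops these units before running pg_upgrade.
      stopServices = [ "gitea" "hedgedoc" "nginx" ];   # assumed consumers
      # --link hard-links data files instead of copying: fast and space-saving,
      # but the old cluster is unusable once the new one has been started,
      # so take a backup before running the script.
      extraArgs = [ "--link" "--jobs=$(nproc)" ];
    };
  };

  # Step 2, after upgrade-pg-cluster succeeded: change the line above to
  #   package = pkgs.postgresql_16;
  # and rebuild, as the newPackage description requires.
}
```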
services.vaultwarden.configureNginx
Whether to configure nginx for the configured domain.
Type: boolean
Default:
false
Declared by:
services.vaultwarden.domain
The domain under which vaultwarden will be reachable.
Type: null or string
Default:
null
Declared by:
services.vaultwarden.recommendedDefaults
Whether to set recommended default settings.
Type: boolean
Default:
false
Declared by:
simd.enable
Whether to enable optimized builds with simd instructions.
Type: boolean
Default:
false
Example:
true
Declared by:
simd.arch
Microarchitecture string for nixpkgs.hostPlatform.gcc.march and to generate system-features.
Can be determined with: nix shell nixpkgs#gcc -c gcc -march=native -Q --help=target | grep march
Type: null or string
Default:
null
Declared by:
slim.enable
Whether to disable some usual rarely used things to slim down the system.
Type: boolean
Default:
false
Declared by:
virtualisation.docker.aggresiveAutoPrune
Whether to configure aggressive auto-pruning, which removes everything not referenced by a running container. This includes named volumes, so bind mounts should be used instead.
Type: boolean
Default:
false
Declared by:
virtualisation.docker.recommendedDefaults
Whether to set recommended and maintenance reducing default settings.
Type: boolean
Default:
false
Declared by:
virtualisation.podman.recommendedDefaults
Whether to set recommended and maintenance reducing default settings.
Type: boolean
Default:
false
Declared by: