boot.zfs.latestCompatibleKernel

Whether to use the latest ZFS compatible kernel.

Type: boolean

Default: false

Declared by:

boot.zfs.recommendedDefaults

Whether to enable recommended ZFS settings.

Type: boolean

Default: false

Declared by:

hardware.intelGPU

Whether to add drivers for Intel hardware acceleration.

Type: boolean

Default: false

Example: true

Declared by:

nix.deleteChannels

Whether to delete all channels on a system switch.

Type: boolean

Default: false

Example: true

Declared by:

nix.deleteUserProfiles

Whether to delete all user profiles on a system switch.

Type: boolean

Default: false

Example: true

Declared by:

nix.diffSystem

Whether to enable system closure diffing on updates.

Type: boolean

Default: false

Declared by:

nix.recommendedDefaults

Whether to set recommended default settings.

Type: boolean

Default: false

Declared by:

nix.remoteBuilder.enable

Whether to enable a restricted Nix remote builder.

Type: boolean

Default: false

Example: true

Declared by:

nix.remoteBuilder.name

Name of the user used for remote building.

Type: string (read only)

Default: "nix-remote-builder"

Declared by:

nix.remoteBuilder.sshPublicKeys

SSH public keys accepted by the remote build user.

Type: list of string

Declared by:

opinionatedDefaults

Whether to enable opinionated defaults.

Type: boolean

Default: false

Example: true

Declared by:

programs.ssh.addPopularKnownHosts

Whether to add the SSH host public keys of popular websites to known_hosts.

Type: boolean

Default: false

Declared by:

programs.ssh.recommendedDefaults

Whether to set recommended and secure default settings.

Type: boolean

Default: false

Declared by:

programs.tmux.recommendedDefaults

Whether to set recommended default settings.

Type: boolean

Default: false

Declared by:

security.acme.staging

If set to true, use Let’s Encrypt’s staging environment instead of the production one. The staging environment has much higher rate limits but does not generate fully signed certificates. This is great for testing when the normal rate limit is hit fast and impacts other people on the same IP. See https://letsencrypt.org/docs/staging-environment for more detail.

Type: boolean

Default: false

Declared by:

security.ldap

LDAP options used in other services.

Type: submodule

Default: { }

Declared by:

security.ldap.bindDN

The DN of the service user used by services. The user base DN will be automatically appended.

Type: null or string

Default: null

Example: "uid=search"

Declared by:

security.ldap.domainComponent

Domain component(s) (dc) represented as a list of strings.

Each entry will be prefixed with dc= and the entries are joined with commas (no comma after the last one). The example would be concatenated to dc=example,dc=com

Type: list of string

Example:

[
  "example"
  "com"
]

Declared by:

security.ldap.domainName

The domain name used to connect to the LDAP server.

Type: string

Example: "auth.example.com"

Declared by:

security.ldap.givenNameField

The attribute of the user object where to find its given name.

Type: string

Example: "givenName"

Declared by:

security.ldap.groupFilter

A function that returns a group filter that matches the first argument against the names of the groups the user is part of.

Type: function that evaluates to a(n) string

Example: group: "(&(objectclass=person)(isMemberOf=cn=${group},${config.security.ldap.roleBaseDN}))"

Declared by:

security.ldap.mailField

The attribute of the user object where to find its email.

Type: string

Example: "mail"

Declared by:

security.ldap.port

The port the LDAP server listens on. Usually this is 389 for LDAP and 636 for LDAPS.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Example: 636

Declared by:

security.ldap.roleBaseDN

The directory path where applications should search for groups (roles). Domain component will be automatically appended.

Type: string

Example: "ou=groups"

Declared by:

security.ldap.roleField

The attribute where the user account is listed in a group.

Type: string

Example: "cn"

Declared by:

security.ldap.roleFilter

Filter to get the groups of a user object.

Type: string

Example: "(&(objectclass=groupOfNames)(member=%s))"

Declared by:

security.ldap.roleValue

The attribute of the user object where to find its distinguished name.

Type: string

Example: "dn"

Declared by:

security.ldap.searchFilterWithGroupFilter

A function that returns a search filter that may include a group filter. The first argument is either the group to filter on or null. If it is null, no additional filtering is done. If it is set, the resulting group filter is combined (ANDed) with the user filter. The second argument must be the user filter including the application's placeholders, ideally the userFilter option.

Type: function that evaluates to a(n) function that evaluates to a(n) string

Example: userFilterGroup: userFilter: if (userFilterGroup != null) then "(&${config.security.ldap.groupFilter userFilterGroup}${userFilter})" else userFilter

Declared by:
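To make the interplay of the security.ldap.* options concrete, here is an added illustration in Python of how the values on this page compose into DNs and LDAP search filters. It is not the module's Nix code: the Nix functions (userFilter, groupFilter, searchFilterWithGroupFilter) are re-expressed as Python functions, the option values are the examples from this page, the group name "gitea-users" and the "%s" application placeholder are constructed inputs, and the effective role base DN is assumed to be the roleBaseDN example with the domain component appended, as the roleBaseDN description states.

```python
"""Model of how the security.ldap.* options compose into DNs and filters.

Added illustration in Python; it is not the module's Nix code. Option values
are the examples from the page, inputs marked 'constructed' are made up here.
"""

# Values taken from the option examples on the page.
DOMAIN_COMPONENT = ["example", "com"]   # security.ldap.domainComponent
USER_BASE_DN = "ou=users"               # security.ldap.userBaseDN
ROLE_BASE_DN = "ou=groups"              # security.ldap.roleBaseDN
BIND_DN = "uid=search"                  # security.ldap.bindDN


def domain_component_dn(parts):
    """domainComponent: prefix each part with dc= and join with commas."""
    return ",".join(f"dc={part}" for part in parts)


def with_domain(base_dn, parts):
    """userBaseDN / roleBaseDN get the domain component appended automatically."""
    return f"{base_dn},{domain_component_dn(parts)}"


def effective_bind_dn(bind_dn, user_base_dn, parts):
    """bindDN: the user base DN (which itself carries the domain) is appended."""
    return f"{bind_dn},{with_domain(user_base_dn, parts)}"


def user_filter(param):
    """userFilter example: match a person by uid or mail; `param` is the
    application's placeholder (constructed: "%s" in the test below)."""
    return f"(&(objectclass=person)(|(uid={param})(mail={param})))"


def group_filter(group, role_base_dn):
    """groupFilter example, with the closing parentheses balanced. `role_base_dn`
    is assumed to be the effective base DN including the domain component."""
    return f"(&(objectclass=person)(isMemberOf=cn={group},{role_base_dn}))"


def search_filter_with_group_filter(user_filter_group, user_filter_str, role_base_dn):
    """searchFilterWithGroupFilter: when a group is given, AND the group filter
    with the user filter; when it is None, return the user filter unchanged."""
    if user_filter_group is None:
        return user_filter_str
    return f"(&{group_filter(user_filter_group, role_base_dn)}{user_filter_str})"


def parens_balanced(ldap_filter):
    """Sanity check for composed filters: an RFC 4515 filter needs balanced
    parentheses, and an unbalanced one is rejected by the server, which shows
    up as every login failing rather than as a configuration error."""
    depth = 0
    for char in ldap_filter:
        if char == "(":
            depth += 1
        elif char == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    role_dn = with_domain(ROLE_BASE_DN, DOMAIN_COMPONENT)
    print("bind DN :", effective_bind_dn(BIND_DN, USER_BASE_DN, DOMAIN_COMPONENT))
    print("users   :", with_domain(USER_BASE_DN, DOMAIN_COMPONENT))
    # "gitea-users" and "%s" are constructed inputs for the demonstration.
    combined = search_filter_with_group_filter("gitea-users", user_filter("%s"), role_dn)
    print("filter  :", combined, "balanced:", parens_balanced(combined))
```

The `parens_balanced` check is the part worth keeping around: services that take these filters (Gitea, Synapse, HedgeDoc, Hydra) only report "no such user" or a generic bind error when the filter is malformed, so validating the composed string once at configuration time is cheaper than debugging it per service.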

security.ldap.searchUID

The uid of the service user used by services, often referred to as the search user.

Type: null or string

Default: null

Example: "search"

Declared by:

security.ldap.sshPublicKeyField

The attribute of the user object where to find its SSH public key.

Type: string

Example: "sshPublicKey"

Declared by:

security.ldap.surnameField

The attribute of the user object where to find its surname.

Type: string

Example: "sn"

Declared by:

security.ldap.userBaseDN

The directory path where applications should search for users. Domain component will be automatically appended.

Type: string

Example: "ou=users"

Declared by:

security.ldap.userField

The attribute of the user object where to find its username.

Type: string

Example: "uid"

Declared by:

security.ldap.userFilter

A function that returns a user search filter that uses the first argument as the placeholder.

Type: function that evaluates to a(n) string

Example: param: "(&(objectclass=person)(|(uid=${param})(mail=${param})))"

Declared by:

services.gitea.ldap.enable

Whether to enable login via LDAP.

Type: boolean

Default: false

Example: true

Declared by:

services.gitea.ldap.adminGroup

Name of the LDAP group that grants admin access in Gitea.

Type: null or string

Default: null

Example: "gitea-admins"

Declared by:

services.gitea.ldap.options.admin-filter

This option has no description.

Type: null or string

Default: null

Declared by:

services.gitea.ldap.options.bind-dn

This option has no description.

Type: null or string

Default: null

Declared by:

services.gitea.ldap.options.bind-password

This option has no description.

Type: null or string

Default: null

Declared by:

services.gitea.ldap.options.email-attribute

This option has no description.

Type: null or string

Default: null

Declared by:

services.gitea.ldap.options.firstname-attribute

This option has no description.

Type: null or string

Default: null

Declared by:

services.gitea.ldap.options.host

This option has no description.

Type: null or string

Default: null

Declared by:

services.gitea.ldap.options.id

This option has no description.

Type: unsigned integer, meaning >=0

Default: 1

Declared by:

services.gitea.ldap.options.name

This option has no description.

Type: null or string

Default: null

Declared by:

services.gitea.ldap.options.port

This option has no description.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: null

Declared by:

services.gitea.ldap.options.public-ssh-key-attribute

This option has no description.

Type: null or string

Default: null

Declared by:

services.gitea.ldap.options.security-protocol

This option has no description.

Type: null or string

Default: null

Declared by:

services.gitea.ldap.options.surname-attribute

This option has no description.

Type: null or string

Default: null

Declared by:

services.gitea.ldap.options.user-filter

This option has no description.

Type: null or string

Default: null

Declared by:

services.gitea.ldap.options.user-search-base

This option has no description.

Type: null or string

Default: null

Declared by:

services.gitea.ldap.options.username-attribute

This option has no description.

Type: null or string

Default: null

Declared by:

services.gitea.ldap.searchUserPasswordFile

Path to a file containing the password for the search/bind user.

Type: null or string

Default: null

Example: "/var/lib/secrets/search-user-password"

Declared by:

services.gitea.ldap.userGroup

Restrict logins to users in this group.

Type: null or string

Default: null

Declared by:

services.gitea.recommendedDefaults

Whether to set recommended, secure default settings.

Type: boolean

Default: false

Declared by:

services.grafana.configureNginx

Whether to configure Nginx.

Type: boolean

Default: false

Declared by:

services.grafana.oauth.enable

Whether to enable login only via OAuth2.

Type: boolean

Default: false

Example: true

Declared by:

services.grafana.oauth.enableViewerRole

Whether to enable the fallback Viewer role for users who are in neither the userGroup nor the adminGroup.

Type: boolean

Default: false

Declared by:

services.grafana.oauth.adminGroup

Restrict logins to users in this group.

Type: null or string

Default: null

Declared by:

services.grafana.oauth.userGroup

Restrict logins to users in this group.

Type: null or string

Default: null

Declared by:

services.grafana.recommendedDefaults

Whether to set recommended and secure default settings.

Type: boolean

Default: false

Declared by:

services.harmonia.configureNginx

Whether to configure nginx.

Type: boolean

Default: false

Declared by:

services.harmonia.domain

Domain under which harmonia should be available.

Type: string

Declared by:

services.harmonia.port

Port on which Harmonia should listen internally.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Declared by:

services.harmonia.recommendedDefaults

Whether to set recommended default settings.

Type: boolean

Default: false

Declared by:

services.hedgedoc.ldap.enable

Whether to enable login only via LDAP. Use services.hedgedoc.environmentFile with a line in the format bindCredentials=password to set the credentials used by the search user.

Type: boolean

Default: false

Example: true

Declared by:

services.hedgedoc.ldap.userGroup

Restrict logins to users in this group.

Type: null or string

Default: null

Declared by:

services.home-assistant.blueprints

This option has no description.

Type: list of package

Default: [ ]

Example:

[
  (pkgs.fetchFromGitHub {
    owner = "...";
    repo = "...";
    rev = "...";
    hash = "...";
    passthru = {
      path = "../...yaml";
      domain = "automation"; # or script
      author = "...";
    };
  })
]

Declared by:

services.home-assistant.ldap.enable

Whether to enable login only via LDAP.

Note: Only enable this after completing the onboarding!

Type: boolean

Default: false

Example: true

Declared by:

services.home-assistant.ldap.adminGroup

Name of the LDAP group that grants admin access in Home Assistant.

Type: null or string

Default: null

Example: "home-assistant-admins"

Declared by:

services.home-assistant.ldap.userGroup

Restrict logins to users in this group.

Type: null or string

Default: null

Declared by:

services.home-assistant.recommendedDefaults

Whether to set recommended default settings.

Type: boolean

Default: false

Declared by:

services.hydra.ldap.enable

Whether to enable login only via LDAP. The bind user password must be placed at /var/lib/hydra/ldap-password.conf in the format bindpw = "PASSWORD". It is recommended to use a password without special characters, because the Perl config parser has unusual escaping rules; for example, the comment character # must be escaped with a backslash.

Type: boolean

Default: false

Example: true

Declared by:

services.hydra.ldap.roleMappings

Map LDAP groups to hydra permissions. See upstream doc, especially role_mapping.

Type: list of attribute set of string

Default: [ ]

Example:

[
  {
    hydra-admins = "admins";
  }
]

Declared by:

services.hydra.ldap.userGroup

Restrict logins to users in this group.

Type: null or string

Default: null

Declared by:

services.mastodon.enableBirdUITheme

Whether to enable Bird UI Theme.

Type: boolean

Default: false

Example: true

Declared by:

services.mastodon.ldap.enable

Whether to enable login only via LDAP.

Type: boolean

Default: false

Example: true

Declared by:

services.mastodon.ldap.userGroup

Restrict logins to users in this group.

Type: null or string

Default: null

Declared by:

services.matrix-synapse.addAdditionalOembedProvider

Whether to add additional oEmbed providers from oembed.com.

Type: boolean

Default: false

Declared by:

services.matrix-synapse.element-web.enable

Whether to enable the element-web client.

Type: boolean

Default: false

Example: true

Declared by:

services.matrix-synapse.element-web.enableConfigFeatures

Whether to enable most features available via config.json.

Type: boolean

Default: false

Declared by:

services.matrix-synapse.element-web.package

The element-web package to use.

Type: package

Default: pkgs.element-web

Declared by:

services.matrix-synapse.element-web.domain

The domain that element-web will use.

Type: string

Example: "element.example.org"

Declared by:

services.matrix-synapse.ldap.enable

Whether to enable login via LDAP.

Type: boolean

Default: false

Example: true

Declared by:

services.matrix-synapse.ldap.searchUserPasswordFile

Path to a file containing the password for the search/bind user.

Type: string

Example: "/var/lib/secrets/search-user-password"

Declared by:

services.matrix-synapse.ldap.userGroup

Restrict logins to users in this group.

Type: null or string

Default: null

Declared by:

services.matrix-synapse.recommendedDefaults

Whether to set recommended and secure default settings.

Type: boolean

Default: false

Declared by:

services.nextcloud.configureImaginary

Whether to configure and use Imaginary for preview generation.

Type: boolean

Default: false

Declared by:

services.nextcloud.configureMemories

Whether to configure dependencies for Memories App.

Type: boolean

Default: false

Declared by:

services.nextcloud.configureMemoriesVaapi

Whether to configure the Memories App to use an Intel iGPU for hardware acceleration.

Type: boolean

Default: "config.hardware.intelGPU"

Declared by:

services.nextcloud.configurePreviewSettings

Whether to configure the preview settings to be better optimised for real-world usage. By default this is enabled when Imaginary is configured.

Type: boolean

Default: "config.services.nextcloud.configureImaginary"

Declared by:

services.nextcloud.configureRecognize

Whether to configure dependencies for Recognize App.

Type: boolean

Default: false

Declared by:

services.nextcloud.recommendedDefaults

Whether to set recommended default settings.

Type: boolean

Default: false

Declared by:

services.nginx.allRecommendOptions

Whether to set all upstream options starting with recommended.

Type: boolean

Default: false

Declared by:

services.nginx.commonServerConfig

Shared configuration snippet added to every virtualHost’s extraConfig.

Type: strings concatenated with “\n”

Default: ""

Declared by:

services.nginx.configureQuic

Whether to enable QUIC support in nginx.

Type: boolean

Default: false

Example: true

Declared by:

services.nginx.default404Server.enable

Whether to add a default server which always responds with 404. This is useful when using a wildcard CNAME with a wildcard certificate, so that unknown subdomains are not answered by the first server entry in the config, or to do the same for an old and not fully removed domain. The addresses to listen on are derived from services.nginx.defaultListenAddresses.

Type: boolean

Default: false

Declared by:

services.nginx.default404Server.acmeHost

The acme host to use for the default 404 server.

Type: string

Declared by:

services.nginx.generateDhparams

Whether to generate more secure 2048-bit dhparams, replacing the default 1024-bit ones.

Type: boolean

Default: false

Declared by:

services.nginx.openFirewall

Whether to open the firewall ports for HTTP (80/tcp), HTTPS (443/tcp) and, if enabled, QUIC (443/udp).

Type: boolean

Default: false

Declared by:

services.nginx.recommendedDefaults

Whether to set recommended performance options not grouped into other settings.

Type: boolean

Default: false

Declared by:

services.nginx.resolverAddrFromNameserver

Whether to set resolver address to environment.nameservers.

Type: boolean

Default: false

Declared by:

services.nginx.rotateLogsFaster

Whether to keep logs only for 7 days and rotate them daily.

Type: boolean

Default: false

Declared by:

services.nginx.setHSTSHeader

Whether to add the HSTS header to all virtual hosts.

Type: boolean

Default: false

Declared by:

services.nginx.tcpFastOpen

Whether to enable TCP Fast Open.

Type: boolean

Default: false

Declared by:

services.nginx.virtualHosts

This option has no description.

Type: attribute set of (submodule)

Declared by:

services.nginx.virtualHosts.<name>.commonLocationsConfig

Shared configuration snippet added to every location’s extraConfig.

Note: This option mainly exists because nginx’ add_header and headers_more’s more_set_headers function do not support inheritance to lower levels.

Type: strings concatenated with “\n”

Default: ""

Declared by:

services.nginx.virtualHosts.<name>.locations

This option has no description.

Type: attribute set of (submodule)

Declared by:

services.nginx.virtualHosts.<name>.locations.<name>.extraConfig

This option has no description.

Type: unspecified value

Declared by:

services.openssh.fixPermissions

Whether to fix host key permissions to prevent lockouts.

Type: boolean

Default: false

Declared by:

services.portunus.addToHosts

Whether to add a hosts entry for the Portunus domain pointing to externalIp.

Type: boolean

Default: false

Declared by:

services.portunus.configureOAuth2Proxy

Whether to configure OAuth2 Proxy with Portunus’ Dex.

Use services.oauth2_proxy.nginx.virtualHosts to configure the nginx virtual hosts that should require authentication.

To properly function this requires the services.oauth2_proxy.nginx.domain option from https://github.com/NixOS/nixpkgs/pull/273234.

Type: boolean

Default: false

Declared by:

services.portunus.internalIp4

Internal IPv4 address of the Portunus instance. This is used by the addToHosts option.

Type: null or string

Default: null

Declared by:

services.portunus.internalIp6

Internal IPv6 address of the Portunus instance. This is used by the addToHosts option.

Type: null or string

Default: null

Declared by:

services.portunus.ldapPreset

Whether to set config.security.ldap to Portunus-specific settings.

Type: boolean

Default: false

Declared by:

services.portunus.removeAddGroup

When enabled, remove the ability to add new groups via the web UI, to enforce the use of seeding.

Type: boolean

Default: false

Declared by:

services.portunus.seedGroups

Whether to seed the groups configured in services as groups that are not member-managed.

Type: boolean

Default: false

Declared by:

services.postgresql.recommendedDefaults

Whether to set recommended default settings.

Type: boolean

Default: false

Declared by:

services.postgresql.upgrade.enable

Whether to install the upgrade-pg-cluster script to update postgres.

Type: boolean

Default: false

Declared by:

services.postgresql.upgrade.extraArgs

Extra arguments to pass to pg_upgrade. See https://www.postgresql.org/docs/current/pgupgrade.html for doc.

Type: list of string

Default:

[
  "--link"
  "--jobs=$(nproc)"
]

Declared by:

services.postgresql.upgrade.newPackage

The PostgreSQL package to upgrade to. After running upgrade-pg-cluster, services.postgresql.package must be set to this package to complete the upgrade.

Type: package

Default: pkgs.postgresql_16

Declared by:

services.postgresql.upgrade.stopServices

Systemd services to stop when the upgrade is started.

Type: list of string

Default: [ ]

Example:

[
  "hedgedoc"
  "hydra"
  "nginx"
]

Declared by:

services.vaultwarden.configureNginx

Whether to configure nginx for the configured domain.

Type: boolean

Default: false

Declared by:

services.vaultwarden.domain

The domain under which vaultwarden will be reachable.

Type: null or string

Default: null

Declared by:

services.vaultwarden.recommendedDefaults

Whether to set recommended default settings.

Type: boolean

Default: false

Declared by:

simd.enable

Whether to enable optimized builds with SIMD instructions.

Type: boolean

Default: false

Example: true

Declared by:

simd.arch

Microarchitecture string for nixpkgs.hostPlatform.gcc.march and to generate system-features. Can be determined with: nix shell nixpkgs#gcc -c gcc -march=native -Q --help=target | grep march

Type: null or string

Default: null

Declared by:

slim.enable

Whether to disable some commonly enabled but rarely used components to slim down the system.

Type: boolean

Default: false

Declared by:

virtualisation.docker.aggresiveAutoPrune

Whether to configure aggressive auto-pruning, which removes everything not referenced by running containers. This includes named volumes, so mounts should be used instead.

Type: boolean

Default: false

Declared by:

virtualisation.docker.recommendedDefaults

Whether to set recommended, maintenance-reducing default settings.

Type: boolean

Default: false

Declared by:

virtualisation.podman.recommendedDefaults

Whether to set recommended, maintenance-reducing default settings.

Type: boolean

Default: false

Declared by: