SLAM(5) File Formats Manual SLAM(5)
slam - SLAM configuration options

System Layer Abstraction Modules is a collection of Nix modules for composing an operating base layer as well as high-level subsystems. Each SLAM import provides a set of configuration options, a set of derived configuration values, or both.

This manual covers configuration options. It covers only the modules that were imported when it was generated; the set of available options varies with which modules are imported.

Additional arguments passed to each module in addition to ones like lib, config, pkgs, and modulesPath.

This option is also available to all submodules. Submodules do not inherit args from their parent module, nor do they provide args to their parent module or sibling submodules. The sole exception to this is the argument name which is provided by parent modules to a submodule and contains the attribute name the submodule is bound to, or a unique generated name if it is not bound to an attribute.

Some arguments are already passed by default, of which the following cannot be changed with this option:

lib
The Nixpkgs library.
config
The results of all options after merging the values from all modules together.
options
The options declared in all modules.
specialArgs
The specialArgs argument passed to lib.evalModules.
pkgs
The Nixpkgs package set.
All attributes of specialArgs
Whereas option values can generally depend on other option values thanks to laziness, this does not apply to imports, which must be computed statically before anything else.

For this reason, callers of the module system can provide specialArgs which are available during import resolution.

specialArgs includes slamPath, which is the location of the modules directory within the SLAM repository, and modulesPath, which is the location of the modules directory within the NixOS repository.

lazy attribute set of raw value
lib/modules.nix

Whether to enable the validation of bootspec documents for each build. This will introduce Go in the build-time closure, as we rely on Cuelang for schema validation. Enable this option if you want to ascertain that your documents are correct.

boolean
false
true
<SLAM>/modules/boot/bootspec.nix

User-defined data that extends the bootspec document.

To reduce incompatibility and prevent names from clashing between applications, it is highly recommended to use a unique namespace for your extensions.

attribute set of anything
{ }
<SLAM>/modules/boot/bootspec.nix

The package to use for bootspec.

package
pkgs.bootspec
<SLAM>/modules/boot/bootspec.nix

A list of additional packages supplying kernel modules.

list of package
[ ]
[ config.boot.kernelPackages.nvidia_x11 ]
<SLAM>/modules/boot/kernel.nix

Which hardware-manager to start on boot.

one of mdevd, udev

The PID 1 command line as a closure-list.

attribute set of (submodule)
<SLAM>/modules/boot/init.nix

List of argument groups that must precede this one.

list of string
[ ]
<SLAM>/modules/boot/init.nix

Group of arguments for the pid1 command-line.

string or list of (string or absolute path)
<SLAM>/modules/boot/init.nix

Environment variables to start PID 1 with.

attribute set of string
{ }
<SLAM>/modules/boot/init.nix

Stage 2 boot script.

read-only absolute path
<SLAM>/modules/boot/init.nix

The set of kernel modules in the initial ramdisk used during the boot process. This set must include all modules necessary for mounting the root device. That is, it should include modules for the physical device (e.g., SCSI drivers) and for the file system (e.g., ext3). The set specified here is automatically closed under the module dependency relation, i.e., all dependencies of the modules listed here are included automatically. The modules listed here are available in the initrd, but are only loaded on demand (e.g., the ext3 module is loaded automatically when an ext3 filesystem is mounted, and modules for PCI devices are loaded when they match the PCI ID of a device in your system). To force a module to be loaded, include it in boot.initrd.kernelModules.

list of string
[ ]
[
  "sata_nv"
  "ext3"
]
<SLAM>/modules/boot/kernel.nix

The compressor to use on the initrd image. May be any of:

  • The name of one of the predefined compressors, see pkgs/build-support/kernel/initrd-compressor-meta.nix for the definitions.
  • A function which, given the nixpkgs package set, returns the path to a compressor tool, e.g. ‘pkgs: ${pkgs.pigz}/bin/pigz’
  • (not recommended, because it does not work when cross-compiling) the full path to a compressor tool, e.g. ‘${pkgs.pigz}/bin/pigz’

The given program should read data from stdin and write it to stdout compressed.

string or function that evaluates to a(n) string
if the kernel supports it (5.9+), gzip if not
"xz"
<SLAM>/modules/boot/initrd

Arguments to pass to the compressor for the initrd image, or null to use the compressor's defaults.

null or (list of string)
null
<SLAM>/modules/boot/initrd

Contents of the initrd.

list of (submodule)
<SLAM>/modules/boot/initrd

Source of file content to insert into the initrd.

absolute path
<SLAM>/modules/boot/initrd

Location of file content within the initrd.

null or string
null
<SLAM>/modules/boot/initrd

Whether to enable the NixOS initial RAM disk (initrd). This may be needed to perform some initialisation tasks (like mounting network/encrypted file systems) before continuing the boot process.

boolean
true
<SLAM>/modules/boot/initrd

List of modules that are always loaded by the initrd.

list of string
[ ]
<SLAM>/modules/boot/kernel.nix

Composite mount script.

read-only unspecified value
Concatenated execline.
<SLAM>/modules/boot/initrd

Execline snippets for mounting file-systems during stage 1.

attribute set of (submodule)
{ }
<SLAM>/modules/boot/initrd

List of dependencies. The script will run after these.

list of string
[ ]
<SLAM>/modules/boot/initrd

Execline script to be enclosed by an "if" block.

strings concatenated with "\n"
{ }
<SLAM>/modules/boot/initrd

The initrd to use for your system. Use a module to build one.

package
<SLAM>/modules/boot/initrd

Whether to enable the 9P protocol.

boolean
false
true
<SLAM>/modules/filesystems/9p.nix

Whether to enable btrfs.

boolean
false
true
<SLAM>/modules/filesystems/btrfs.nix

Support packages for btrfs.

list of package
[ pkgs.btrfs-progs ]
<SLAM>/modules/filesystems/btrfs.nix

Whether to enable EROFS.

boolean
false
true
<SLAM>/modules/filesystems/erofs.nix

Whether to enable ext2.

boolean
false
true
<SLAM>/modules/filesystems/ext2.nix

Support packages for ext2.

list of package
[ pkgs.e2fsprogs ]
<SLAM>/modules/filesystems/ext2.nix

Whether to enable ext4.

boolean
false
true
<SLAM>/modules/filesystems/ext4.nix

Support packages for ext4.

list of package
[ pkgs.e2fsprogs ]
<SLAM>/modules/filesystems/ext4.nix

Whether to enable f2fs.

boolean
false
true
<SLAM>/modules/filesystems/f2fs.nix

Support packages for f2fs.

list of package
[ pkgs.f2fs-tools ]
<SLAM>/modules/filesystems/f2fs.nix

Whether to enable FUSE.

boolean
false
true
<SLAM>/modules/filesystems/fuse.nix

Whether to enable the file-system placeholder.

boolean
true
true
<SLAM>/modules/filesystems/special.nix

Whether to enable overlayfs.

boolean
false
true
<SLAM>/modules/filesystems/overlayfs.nix

Whether to enable tmpfs.

boolean
true
true
<SLAM>/modules/filesystems/tmpfs.nix

Whether to enable FAT.

boolean
false
true
<SLAM>/modules/filesystems/vfat.nix

Support packages for FAT file-systems.

list of package
<SLAM>/modules/filesystems/vfat.nix

Whether to enable XFS.

boolean
false
true
<SLAM>/modules/filesystems/xfs.nix

Support packages for XFS.

list of package
[ pkgs.xfsprogs.bin ]
<SLAM>/modules/filesystems/xfs.nix

Whether to enable ZFS.

boolean
false
true
<SLAM>/modules/filesystems/zfs.nix

Support packages for ZFS.

list of package
[ pkgs.zfs ]
<SLAM>/modules/filesystems/zfs.nix

Whether to enable the Linux kernel. This is useful for systemd-like containers which do not require a kernel.

boolean
true
true
<SLAM>/modules/boot/kernel.nix

Provides a custom seed for the RANDSTRUCT security option of the Linux kernel. Note that RANDSTRUCT is only enabled in NixOS hardened kernels. Using a custom seed requires building the kernel and dependent packages locally, since this customization happens at build time.

string
""
"my secret seed"
<SLAM>/modules/boot/kernel.nix

Runtime parameters of the Linux kernel, as set by sysctl(8). Note that sysctl parameter names must be enclosed in quotes (e.g. "vm.swappiness" instead of vm.swappiness). The value of each parameter may be a string, integer, boolean, or null (signifying the option will not appear at all).

open submodule of attribute set of (sysctl option value)
{ }
{ "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }
<SLAM>/modules/boot/sysctl.nix

The maximum receive socket buffer size in bytes. In case of conflicting values, the highest will be used.

null or (unsigned integer, meaning >=0)
null
<SLAM>/modules/boot/sysctl.nix

The maximum send socket buffer size in bytes. In case of conflicting values, the highest will be used.

null or (unsigned integer, meaning >=0)
null
<SLAM>/modules/boot/sysctl.nix

The maximum number of memory map areas a process may have. In case of conflicting values, the highest will be used.

null or (unsigned integer, meaning >=0)
null
<SLAM>/modules/boot/sysctl.nix

The set of kernel modules to be loaded in the second stage of the boot process. Note that modules that are needed to mount the root file system should be added to boot.initrd.availableKernelModules or boot.initrd.kernelModules.

list of string
[ ]
<SLAM>/modules/boot/kernel.nix

This option allows you to override the Linux kernel used by NixOS. Since things like external kernel module packages are tied to the kernel you're using, it also overrides those. This option is a function that takes Nixpkgs as an argument (as a convenience), and returns an attribute set containing at the very least an attribute kernel. Additional attributes may be needed depending on your configuration. For instance, if you use the NVIDIA X driver, then it also needs to contain an attribute nvidia_x11.

Please note that we strictly support kernel versions that are maintained by the Linux developers only. More information on the availability of kernel versions is documented in the Linux section of the manual.

raw value
pkgs.linuxPackages
pkgs.linuxKernel.packages.linux_5_10
<SLAM>/modules/boot/kernel.nix

Parameters added to the kernel command line.

list of string, with spaces inside double quotes
[ ]
<SLAM>/modules/boot/kernel.nix

A list of additional patches to apply to the kernel.

Every item should be an attribute set with the following attributes:

{
  # descriptive name, required
  name = "foo";

  # path or derivation that contains the patch source
  # (required, but can be null if only config changes
  # are needed)
  patch = ./foo.patch;

  # attrset of extra configuration parameters without the CONFIG_ prefix
  # (optional) values should generally be lib.kernel.yes,
  # lib.kernel.no or lib.kernel.module
  extraStructuredConfig = {
    FOO = lib.kernel.yes;
  };

  # attrset of extra "features" the kernel is considered to have
  # (may be checked by other NixOS modules, optional)
  features = {
    foo = true;
  };

  # extra configuration options in string form without the CONFIG_ prefix
  # (optional, multiple lines allowed to specify multiple options)
  # (deprecated, use extraStructuredConfig instead)
  extraConfig = "FOO y";
}

There's a small set of existing kernel patches in Nixpkgs, available as ‘pkgs.kernelPatches’, that follow this format and can be used directly.

list of (attribute set)
[ ]
[
  {
    name = "foo";
    patch = ./foo.patch;
    extraStructuredConfig.FOO = lib.kernel.yes;
    features.foo = true;
  }
  {
    name = "foo-ml-mbox";
    patch = (fetchurl {
      url = "https://lore.kernel.org/lkml/19700205182810.58382-1-email@domain/t.mbox.gz";
      hash = "sha256-...";
    });
  }
]
<SLAM>/modules/boot/kernel.nix

Execline scripts for bootloader installation.

attribute set of ((submodule) or string convertible to it)
{ }
<SLAM>/modules/boot/loader.nix

List of dependencies. The script will run after these.

list of string
[ ]
<SLAM>/modules/boot/loader.nix

Execline script to be enclosed by an "if" block. The following variables will be substituted before execution:

  • $toplevel: The top-level derivation being installed.
  • $boot: The boot directory of the system installation.

strings concatenated with "\n"
{ }
<SLAM>/modules/boot/loader.nix

Whether to enable modprobe config. This is useful for systems like containers which do not require a kernel.

boolean
true
<SLAM>/modules/boot/modprobe.nix

Whether to enable the 9P protocol.

boolean
false
true
<SLAM>/modules/filesystems/9p.nix

Whether to enable btrfs.

boolean
false
true
<SLAM>/modules/filesystems/btrfs.nix

Support packages for btrfs.

list of package
[ pkgs.btrfs-progs ]
<SLAM>/modules/filesystems/btrfs.nix

Whether to enable EFI varfs.

boolean
false
true
<SLAM>/modules/filesystems/efivarfs.nix

Whether to enable EROFS.

boolean
false
true
<SLAM>/modules/filesystems/erofs.nix

Whether to enable ext2.

boolean
false
true
<SLAM>/modules/filesystems/ext2.nix

Support packages for ext2.

list of package
[ pkgs.e2fsprogs ]
<SLAM>/modules/filesystems/ext2.nix

Whether to enable ext4.

boolean
false
true
<SLAM>/modules/filesystems/ext4.nix

Support packages for ext4.

list of package
[ pkgs.e2fsprogs ]
<SLAM>/modules/filesystems/ext4.nix

Whether to enable f2fs.

boolean
false
true
<SLAM>/modules/filesystems/f2fs.nix

Support packages for f2fs.

list of package
[ pkgs.f2fs-tools ]
<SLAM>/modules/filesystems/f2fs.nix

Whether to enable FUSE.

boolean
true
true
<SLAM>/modules/filesystems/fuse.nix

Whether to enable mergefs.

boolean
false
true
<SLAM>/modules/filesystems/fuse.mergerfs.nix

Whether to enable the file-system placeholder.

boolean
true
true
<SLAM>/modules/filesystems/special.nix

Whether to enable overlayfs.

boolean
false
true
<SLAM>/modules/filesystems/overlayfs.nix

Whether to enable tmpfs.

boolean
true
true
<SLAM>/modules/filesystems/tmpfs.nix

Whether to enable FAT.

boolean
false
true
<SLAM>/modules/filesystems/vfat.nix

Support packages for FAT file-systems.

list of package
<SLAM>/modules/filesystems/vfat.nix

Whether to enable XFS.

boolean
false
true
<SLAM>/modules/filesystems/xfs.nix

Support packages for XFS.

list of package
[ pkgs.xfsprogs.bin ]
<SLAM>/modules/filesystems/xfs.nix

Whether to enable ZFS.

boolean
false
true
<SLAM>/modules/filesystems/zfs.nix

Support packages for ZFS.

list of package
[ pkgs.zfs ]
<SLAM>/modules/filesystems/zfs.nix

List of ZFS pools to import at boot. Defaults to the pools necessary for booting.

list of string
[
  "jug"
  "bucket"
]
<SLAM>/modules/filesystems/zfs.nix

List of ZFS dataset names to load keys for during boot.

list of string
[ ]
<SLAM>/modules/filesystems/zfs.nix

Whether to install developer documentation.

boolean
false
true

Whether to install share/doc directories into the system environment.

unspecified value
"config.documentation.enable"

Whether to install system documentation.

boolean
true
true

Whether to install info pages into the system environment.

unspecified value
"config.documentation.enable"

Whether to install manual pages into the system environment.

unspecified value
"config.documentation.enable"

Package providing the man program.

package
pkgs.man

Package of this manual.

read-only unspecified value

Set of files that have to be linked in /etc.

attribute set of (submodule)
{ }
{ example-configuration-file =
    { source = "/nix/store/.../etc/dir/file.conf.example";
      mode = "0440";
    };
  "default/useradd".text = "GROUP=100 ...";
}
<SLAM>/modules/environment/etc/options.nix

Whether this /etc file should be generated. This option allows specific /etc files to be disabled.

boolean
true
<SLAM>/modules/environment/etc/options.nix

GID of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’).

signed integer
0
<SLAM>/modules/environment/etc/options.nix

Group name of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’). Changing this option takes precedence over gid.

string
"+0"
<SLAM>/modules/environment/etc/options.nix

If set to something other than ‘symlink’, the file is copied instead of symlinked, with the given file mode.

string
"symlink"
"0600"
<SLAM>/modules/environment/etc/options.nix

Path of the source file.

absolute path
<SLAM>/modules/environment/etc/options.nix

Name of symlink (relative to /etc). Defaults to the attribute name.

string
<SLAM>/modules/environment/etc/options.nix

Text of the file.

null or strings concatenated with "\n"
null
<SLAM>/modules/environment/etc/options.nix

UID of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’).

signed integer
0
<SLAM>/modules/environment/etc/options.nix

User name of created file. Only takes effect when the file is copied (that is, the mode is not ‘symlink’). Changing this option takes precedence over uid.

string
"+0"
<SLAM>/modules/environment/etc/options.nix

List of package outputs to install. If not specified then only the default outputs are installed and outputs such as "doc" or "man" are not.

list of string
[ ]
[
  "man"
]
<SLAM>/modules/environment/path

Shell fragments to be run after the system environment has been created. This should only be used for things that need to modify the internals of the environment, e.g. generating MIME caches. The environment being built can be accessed at the out environment variable.

strings concatenated with "\n"
""
<SLAM>/modules/environment/path

List of directories to symlink into /lib.

list of absolute path
[ ]
<SLAM>/modules/environment/links.nix

Composite package produced by buildEnv.

read-only absolute path
<SLAM>/modules/environment/path

List of directories to be symlinked in /run/current-system/sw.

list of string
[ ]
[
  "/"
]
<SLAM>/modules/environment/path

List of packages to register in /etc/shells.

list of (package or absolute path)
[ ]
<SLAM>/modules/environment/shells

List of packages available in the standard system environment.

list of package
{ }
<SLAM>/modules/environment/path

The file systems to be mounted. It must include an entry for the root directory (‘mountPoint = /’). Each entry in the list is an attribute set with the following fields: mountPoint, device, fsType (a file system type recognised by mount; defaults to auto), and options (the mount options passed to mount using the -o flag; defaults to ‘[ defaults ]’).

Instead of specifying device, you can also specify a volume label (label) for file systems that support it, such as ext2/ext3 (see mke2fs(8)).

attribute set of (submodule)
{ }
{
  "/".device = "/dev/hda1";
  "/data" = {
    device = "/dev/hda2";
    fsType = "ext3";
    options = [ "data=journal" ];
  };
  "/bigdisk".label = "bigdisk";
}
<SLAM>/modules/filesystems/overlayfs.nix <SLAM>/modules/filesystems/options.nix

List of paths that should be mounted before this one. This filesystem's device and mountPoint are always checked and do not need to be included explicitly. If a path is added to this list, any other filesystem whose mount point is a parent of the path will be mounted before this filesystem. The paths do not need to actually be the mountPoint of some other filesystem.

list of string (with check: non-empty without trailing slash)
[ ]
[
  "/persist"
]
<SLAM>/modules/filesystems/options.nix

Location of the device.

null or non-empty string
null
"/dev/sda"
<SLAM>/modules/filesystems/options.nix

Type of the file system.

non-empty string
"auto"
"ext3"
<SLAM>/modules/filesystems/options.nix

Label of the device (if any).

null or non-empty string
null
"root-partition"
<SLAM>/modules/filesystems/options.nix

Location of the mounted file system.

string (with check: non-empty without trailing slash)
"/mnt/usb"
<SLAM>/modules/filesystems/options.nix

Whether this file-system must be mounted before entering stage 2 of booting.

boolean
false
<SLAM>/modules/filesystems/options.nix

Disable running fsck on this filesystem.

boolean
false
<SLAM>/modules/filesystems/options.nix

Options used to mount the file system.

non-empty (list of non-empty string)
[
  "defaults"
]
[
  "data=journal"
]
<SLAM>/modules/filesystems/options.nix

The list of path(s) to the lowerdir(s).

To create a writable overlay, you MUST provide an upperdir and a workdir.

You can create a read-only overlay when you provide multiple (at least 2!) lowerdirs and neither an upperdir nor a workdir.

null or (non-empty (list of (string or path in the Nix store)))
null
<SLAM>/modules/filesystems/overlayfs.nix

The path to the upperdir.

If this is null, a read-only overlay is created using the lowerdir.

If the filesystem is neededForBoot, this will be prefixed with /sysroot, unless useStage1BaseDirectories is set to ‘true’.

If you set this to some value you MUST also set workdir.

null or string
null
<SLAM>/modules/filesystems/overlayfs.nix

If enabled, lowerdir, upperdir and workdir will be prefixed with /sysroot.

Disabling this can be useful to create an overlay over directories which aren't on the real root.

Disabling this does not work with the scripted (i.e. non-systemd) initrd.

boolean
true
<SLAM>/modules/filesystems/overlayfs.nix

The path to the workdir.

If the filesystem is neededForBoot, this will be prefixed with /sysroot, unless useStage1BaseDirectories is set to ‘true’.

This MUST be set if you set upperdir.

null or string
null
<SLAM>/modules/filesystems/overlayfs.nix

An attribute set of cgroups (v2) that will be created by `finit`.

See [upstream documentation](https://github.com/troglobit/finit/blob/master/doc/config.md#cgroups) for additional details.

attribute set of (submodule)
{ }

The name of the cgroup to create.

string
"‹name›"

Settings to apply to this cgroup.

See [kernel documentation](https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html) for additional details.

attribute set of (atom (null, bool, int, float or string))
{ }
{
  "cpu.weight" = 100;
}

Whether to enable [finit](https://troglobit.com/projects/finit/) as the system service manager and pid `1`.

read-only boolean
config.system.serviceManager == "finit"

Environment variables passed to *all* `finit` services.

attribute set of string
{ }

The package to use for `finit`.

package
pkgs.finit

Packages added to the `finit` PATH environment variable.

list of (absolute path or string)
[ ]

In this mode of operation, every service needs to explicitly declare its readiness notification.

one of none, pid
"none"

An attribute set of resource limits that will be applied by `finit`.

See [upstream documentation](https://github.com/troglobit/finit/tree/master/doc/config.md#resource-limits) for additional details.

attribute set of (value unlimited (singular enum) or signed integer or (submodule))
{ }

An attribute set of one-shot commands to run in sequence when entering a runlevel. `run` commands are guaranteed to be completed before running the next command. Useful when serialization is required.

See [upstream documentation](https://github.com/troglobit/finit/tree/master/doc#one-shot-commands-sequence) for additional details.

attribute set of (submodule)
{ }

Allow services to run with minimal required privileges instead of running as `root`.

(list of non-empty string) or non-empty string convertible to it
[ ]
[
  "^cap_net_bind_service"
]

For services that need to create their own child `cgroups` (container runtimes like `docker`, `podman`, `systemd-nspawn`, `lxc`, etc...).

See [upstream documentation](https://finit-project.github.io/config/cgroups/#cgroup-delegation) for details.

boolean
false

The name of the cgroup to place this process under.

string
"system"

The cgroup settings to apply to this process.

See [kernel documentation](https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html) for additional details.

attribute set of (atom (null, bool, int, float or string))
{ }

A script which will be called when the service is removed.

null or main program, path or command
null

Command to run.

main program, path or command

See [upstream documentation](https://github.com/troglobit/finit/blob/master/doc/conditions.md) for details.

(list of non-empty string) or non-empty string convertible to it
[ ]
"pid/syslog"

If you have conflicting services and want to prevent them from starting.

(list of non-empty string) or non-empty string convertible to it
[ ]

Service description.

null or string
null

Whether to enable this service.

boolean
true
true

Either a path, or a path prefixed with a '-' to indicate that a missing file is fine.

null or string or absolute path
null

Environment variables passed to this service.

attribute set of (atom (null, bool, int, float or string))
{ }
{
  TZ = "CET";
}

A place for `finit` configuration options which have not been added to the `nix` module yet.

strings concatenated with
""
""

The group this service should be executed as.

null or string
null

Service id.

read-only null or string

The delay in seconds between `finit` sending a `SIGTERM` and a `SIGKILL`.

null or integer between 1 and 300 (both inclusive)
"3"

Redirect `stderr` and `stdout` of the application to a file or `syslog` using the native `logit` tool. This is useful for programs that do not support `syslog` on their own, which is sometimes the case when running in the foreground.

See [upstream documentation](https://github.com/troglobit/finit/tree/master/doc#redirecting-output) for additional details.

boolean or non-empty string
false

If a service should not be automatically started, it can be configured as manual. The service can then be started at any time by running `initctl start <service>`.

boolean
false

Service name.

read-only string

Whether this service supports reload on SIGHUP.

boolean
false

See [upstream documentation](https://github.com/troglobit/finit/tree/master/doc#service-synchronization) for details.

null or one of pid, systemd, s6, none
config.finit.readiness

- `reboot` - when all retries have failed, and the service has crashed, if this option is set the system is rebooted.
- `script` - similarly, but instead of rebooting, call the `post:script` action if set.

null or one of reboot, script
null

Packages added to the `PATH` environment variable of this service.

list of (package or string)
[ ]

See [upstream documentation](https://github.com/troglobit/finit/blob/master/doc/service.md) for details.

null or string
null

A script which will be called after the service has stopped.

null or main program, path or command
null

A script which will be called before the service is started.

null or main program, path or command
null

Order of this `run` command in relation to the others. The semantics are the same as with `lib.mkOrder`. Smaller values have a greater priority.

signed integer
1000

A script which will be called when the service is ready.

null or main program, path or command
null

Some services do not support `SIGHUP` but may have other ways to update the configuration of a running daemon. When `reload` is defined it is preferred over `SIGHUP`. Like `systemd`, `finit` sets `$MAINPID` as a convenience to scripts, which in effect also allows setting `reload` to `kill -HUP $MAINPID`.

::: {.note}
`reload` is called as PID 1, without any timeout! It is up to you to ensure the script does not block for seconds at a time and always terminates.
:::

null or main program, path or command
null
"kill -HUP $MAINPID"

The number of times `finit` tries to restart a crashing service. When this limit is reached the service is marked crashed and must be restarted manually with `initctl restart NAME`.

integer between -1 and 255 (both inclusive)
10

The number of seconds before Finit tries to restart a crashing service, default: `2` seconds for the first five retries, then back-off to `5` seconds. The maximum of this configured value and the above (`2` and `5`) will be used.

null or (unsigned integer, meaning >=0)
null

See [upstream documentation](https://github.com/troglobit/finit?tab=readme-ov-file#runlevels) for details.

string
"234"

Some services may require alternate methods to be stopped. If `stop` is defined it is preferred over `SIGTERM`. Similar to `reload`, `finit` sets `$MAINPID`.

::: {.note}
`stop` is called as PID 1, without any timeout! It is up to you to ensure the script does not block for seconds at a time and always terminates.
:::

null or main program, path or command
null

Explicitly specify supplementary groups, in addition to reading group membership from `/etc/group`.

list of string
[ ]

Service type.

null or value forking (singular enum)
null

The user this service should be executed as.

null or string
null

The runlevel to start after bootstrap, `S`.

integer between 0 and 9 (both inclusive)
2

An attribute set of services, or daemons, to be monitored and automatically restarted if they exit prematurely.

See [upstream documentation](https://github.com/troglobit/finit/tree/master/doc#services) for additional details.

attribute set of (submodule)
{ }

Allow services to run with minimal required privileges instead of running as `root`.

(list of non-empty string) or non-empty string convertible to it
[ ]
[
  "^cap_net_bind_service"
]

For services that need to create their own child `cgroups` (container runtimes like `docker`, `podman`, `systemd-nspawn`, `lxc`, etc...).

See [upstream documentation](https://finit-project.github.io/config/cgroups/#cgroup-delegation) for details.

boolean
false

The name of the cgroup to place this process under.

string
"system"

The cgroup settings to apply to this process.

See [kernel documentation](https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html) for additional details.

attribute set of (atom (null, bool, int, float or string))
{ }

A script which will be called when the service is removed.

null or main program, path or command
null

Command to run.

main program, path or command

See [upstream documentation](https://github.com/troglobit/finit/blob/master/doc/conditions.md) for details.

(list of non-empty string) or non-empty string convertible to it
[ ]
"pid/syslog"

If you have conflicting services and want to prevent them from starting.

(list of non-empty string) or non-empty string convertible to it
[ ]

Service description.

null or string
null

Whether to enable this service.

boolean
true
true

Either a path, or a path prefixed with a '-' to indicate that a missing file is fine.

null or string or absolute path
null

Environment variables passed to this service.

attribute set of (atom (null, bool, int, float or string))
{ }
{
  TZ = "CET";
}

A place for `finit` configuration options which have not been added to the `nix` module yet.

strings concatenated with
""
""

The group this service should be executed as.

null or string
null

Service id.

read-only null or string

The delay in seconds between `finit` sending a `SIGTERM` and a `SIGKILL`.

null or integer between 1 and 300 (both inclusive)
"3"

Redirect `stderr` and `stdout` of the application to a file or `syslog` using the native `logit` tool. This is useful for programs that do not support `syslog` on their own, which is sometimes the case when running in the foreground.

See [upstream documentation](https://github.com/troglobit/finit/tree/master/doc#redirecting-output) for additional details.

boolean or non-empty string
false

If a service should not be automatically started, it can be configured as manual. The service can then be started at any time by running `initctl start <service>`.

boolean
false

Service name.

read-only string

Whether this service supports reload on SIGHUP.

boolean
false

See [upstream documentation](https://github.com/troglobit/finit/tree/master/doc#service-synchronization) for details.

null or one of pid, systemd, s6, none
config.finit.readiness

- `reboot` - when all retries have failed, and the service has crashed, if this option is set the system is rebooted.
- `script` - similarly, but instead of rebooting, call the `post:script` action if set.

null or one of reboot, script
null

Packages added to the `PATH` environment variable of this service.

list of (package or string)
[ ]

See [upstream documentation](https://github.com/troglobit/finit/blob/master/doc/service.md) for details.

null or string
null

A script which will be called after the service has stopped.

null or main program, path or command
null

A script which will be called before the service is started.

null or main program, path or command
null

A script which will be called when the service is ready.

null or main program, path or command
null

Some services do not support `SIGHUP` but may have other ways to update the configuration of a running daemon. When `reload` is defined it is preferred over `SIGHUP`. Like `systemd`, `finit` sets `$MAINPID` as a convenience to scripts, which in effect also allows setting `reload` to `kill -HUP $MAINPID`.

Note: `reload` is called as PID 1, without any timeout! It is up to you to ensure the script does not block for seconds at a time and always terminates.

null or main program, path or command
null
"kill -HUP $MAINPID"

The number of times `finit` tries to restart a crashing service. When this limit is reached the service is marked crashed and must be restarted manually with `initctl restart NAME`.

integer between -1 and 255 (both inclusive)
10

The number of seconds before Finit tries to restart a crashing service, default: `2` seconds for the first five retries, then back-off to `5` seconds. The maximum of this configured value and the above (`2` and `5`) will be used.

null or (unsigned integer, meaning >=0)
null

An attribute set of resource limits that will be applied by `finit`.

See [upstream documentation](https://github.com/troglobit/finit/tree/master/doc/config.md#resource-limits) for additional details.

attribute set of (value unlimited (singular enum) or signed integer or (submodule))
{ }

See [upstream documentation](https://github.com/troglobit/finit?tab=readme-ov-file#runlevels) for details.

string
"234"

Some services may require alternate methods to be stopped. If `stop` is defined it is preferred over `SIGTERM`. Similar to `reload`, `finit` sets `$MAINPID`.

Note: `stop` is called as PID 1, without any timeout! It is up to you to ensure the script does not block for seconds at a time and always terminates.

null or main program, path or command
null

Explicitly specify supplementary groups, in addition to reading group membership from `/etc/group`.

list of string
[ ]

Service type.

null or value forking (singular enum)
null

The user this service should be executed as.

null or string
null

An attribute set of one-shot commands to be executed by `finit`.

See [upstream documentation](https://github.com/troglobit/finit/tree/master/doc#one-shot-commands-parallel) for additional details.

attribute set of (submodule)
{ }

Allow services to run with minimal required privileges instead of running as `root`.

(list of non-empty string) or non-empty string convertible to it
[ ]
[
  "^cap_net_bind_service"
]

For services that need to create their own child `cgroups` (container runtimes like `docker`, `podman`, `systemd-nspawn`, `lxc`, etc...).

See [upstream documentation](https://finit-project.github.io/config/cgroups/#cgroup-delegation) for details.

boolean
false

The name of the cgroup to place this process under.

string
"system"

The cgroup settings to apply to this process.

See [kernel documentation](https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html) for additional details.

attribute set of (atom (null, bool, int, float or string))
{ }

A script which will be called when the service is removed.

null or main program, path or command
null

Command to run.

main program, path or command

See [upstream documentation](https://github.com/troglobit/finit/blob/master/doc/conditions.md) for details.

(list of non-empty string) or non-empty string convertible to it
[ ]
"pid/syslog"

If you have conflicting services and want to prevent them from starting.

(list of non-empty string) or non-empty string convertible to it
[ ]

Service description.

null or string
null

Whether to enable this service.

boolean
true
true

Either a path, or a path prefixed with a '-' to indicate that a missing file is fine.

null or string or absolute path
null

Environment variables passed to this service.

attribute set of (atom (null, bool, int, float or string))
{ }
{
  TZ = "CET";
}

A place for `finit` configuration options which have not been added to the `nix` module yet.

strings concatenated with
""
""

The group this service should be executed as.

null or string
null

Service id.

read-only null or string

The delay in seconds between `finit` sending a `SIGTERM` and a `SIGKILL`.

null or integer between 1 and 300 (both inclusive)
"3"

Redirect `stderr` and `stdout` of the application to a file or `syslog` using the native `logit` tool. This is useful for programs that do not support `syslog` on their own, which is sometimes the case when running in the foreground.

See [upstream documentation](https://github.com/troglobit/finit/tree/master/doc#redirecting-output) for additional details.

boolean or non-empty string
false

If a service should not be automatically started, it can be configured as manual. The service can then be started at any time by running `initctl start <service>`.

boolean
false

Service name.

read-only string

Whether this service supports reload on SIGHUP.

boolean
false

See [upstream documentation](https://github.com/troglobit/finit/tree/master/doc#service-synchronization) for details.

null or one of pid, systemd, s6, none
config.finit.readiness

- `reboot` - when all retries have failed, and the service has crashed, if this option is set the system is rebooted.
- `script` - similarly, but instead of rebooting, call the `post:script` action if set.

null or one of reboot, script
null

Packages added to the `PATH` environment variable of this service.

list of (package or string)
[ ]

See [upstream documentation](https://github.com/troglobit/finit/blob/master/doc/service.md) for details.

null or string
null

A script which will be called after the service has stopped.

null or main program, path or command
null

A script which will be called before the service is started.

null or main program, path or command
null

A script which will be called when the service is ready.

null or main program, path or command
null

Some services do not support `SIGHUP` but may have other ways to update the configuration of a running daemon. When `reload` is defined it is preferred over `SIGHUP`. Like `systemd`, `finit` sets `$MAINPID` as a convenience to scripts, which in effect also allows setting `reload` to `kill -HUP $MAINPID`.

Note: `reload` is called as PID 1, without any timeout! It is up to you to ensure the script does not block for seconds at a time and always terminates.

null or main program, path or command
null
"kill -HUP $MAINPID"

The number of times `finit` tries to restart a crashing service. When this limit is reached the service is marked crashed and must be restarted manually with `initctl restart NAME`.

integer between -1 and 255 (both inclusive)
10

The number of seconds before Finit tries to restart a crashing service, default: `2` seconds for the first five retries, then back-off to `5` seconds. The maximum of this configured value and the above (`2` and `5`) will be used.

null or (unsigned integer, meaning >=0)
null

An attribute set of resource limits that will be applied by `finit`.

See [upstream documentation](https://github.com/troglobit/finit/tree/master/doc/config.md#resource-limits) for additional details.

attribute set of (value unlimited (singular enum) or signed integer or (submodule))
{ }

See [upstream documentation](https://github.com/troglobit/finit?tab=readme-ov-file#runlevels) for details.

string
"234"

Some services may require alternate methods to be stopped. If `stop` is defined it is preferred over `SIGTERM`. Similar to `reload`, `finit` sets `$MAINPID`.

Note: `stop` is called as PID 1, without any timeout! It is up to you to ensure the script does not block for seconds at a time and always terminates.

null or main program, path or command
null

Explicitly specify supplementary groups, in addition to reading group membership from `/etc/group`.

list of string
[ ]

Service type.

null or value forking (singular enum)
null

The user this service should be executed as.

null or string
null

An attribute set of TTYs that `finit` should manage.

See [upstream documentation](https://github.com/troglobit/finit/tree/master/doc#ttys-and-consoles) for additional details.

attribute set of (submodule)
{ }

Baud rate.

null or non-empty string
null

Allow services to run with minimal required privileges instead of running as `root`.

(list of non-empty string) or non-empty string convertible to it
[ ]
[
  "^cap_net_bind_service"
]

For services that need to create their own child `cgroups` (container runtimes like `docker`, `podman`, `systemd-nspawn`, `lxc`, etc...).

See [upstream documentation](https://finit-project.github.io/config/cgroups/#cgroup-delegation) for details.

boolean
false

The name of the cgroup to place this process under.

string
"system"

The cgroup settings to apply to this process.

See [kernel documentation](https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html) for additional details.

attribute set of (atom (null, bool, int, float or string))
{ }

Specify an external `getty`, like `agetty` or the BusyBox `getty`.

null or main program, path or command
null

See [upstream documentation](https://github.com/troglobit/finit/blob/master/doc/conditions.md) for details.

(list of non-empty string) or non-empty string convertible to it
[ ]
"pid/syslog"

Service description.

null or string
null

Embedded systems may want to enable automatic `device` by supplying the special `@console` device. This works regardless of whether the system uses `ttyS0`, `ttyAMA0`, `ttyMXC0`, or anything else. `finit` figures it out by querying sysfs: `/sys/class/tty/console/active`.

null or non-empty string
null

Whether to enable this service.

boolean
true
true

A place for `finit` configuration options which have not been added to the `nix` module yet.

strings concatenated with
""
""

Disables clearing the TTY after each session. Clearing the TTY when a user logs out is usually preferable.

boolean
false

Disables `getty` and `/bin/login`, and gives the user a `root` (login) shell on the given TTY `device` immediately. Needless to say, this is a rather insecure option, but can be very useful for developer builds, during board bringup, or similar.

boolean
false

Disables the `press Enter to activate console` message before actually starting the `getty` program.

boolean
false

See [upstream documentation](https://github.com/troglobit/finit?tab=readme-ov-file#runlevels) for details.

string
"234"

null or non-empty string
null

Enable a basic set of fonts providing several styles and families and reasonable coverage of Unicode.

boolean
false
/nix/store/ci5r8q32x2y8zcab0bha5yj7474ysr76-source/nixos/modules/config/fonts/packages.nix

Allow bitmap fonts. Set to ‘false’ to ban all bitmap fonts.

boolean
true
<SLAM>/modules/fonts/fontconfig.nix

Allow Type-1 fonts. Default is ‘false’ because of poor rendering.

boolean
false
<SLAM>/modules/fonts/fontconfig.nix

Enable font antialiasing. At high resolution (> 200 DPI), antialiasing has no visible effect; users of such displays may want to disable this option.

boolean
true
<SLAM>/modules/fonts/fontconfig.nix

Generate system fonts cache for 32-bit applications.

boolean
false
<SLAM>/modules/fonts/fontconfig.nix

System-wide default emoji font(s). Multiple fonts may be listed in case a font does not support all emoji.

Note that fontconfig matches color emoji fonts preferentially, so if you want to use a black and white font while having a color font installed (e.g. Noto Color Emoji installed alongside Noto Emoji), fontconfig will still choose the color font even when it is later in the list.

list of string
[
  "Noto Color Emoji"
]
<SLAM>/modules/fonts/fontconfig.nix

System-wide default monospace font(s). Multiple fonts may be listed in case multiple languages must be supported.

list of string
[
  "DejaVu Sans Mono"
]
<SLAM>/modules/fonts/fontconfig.nix

System-wide default sans serif font(s). Multiple fonts may be listed in case multiple languages must be supported.

list of string
[
  "DejaVu Sans"
]
<SLAM>/modules/fonts/fontconfig.nix

System-wide default serif font(s). Multiple fonts may be listed in case multiple languages must be supported.

list of string
[
  "DejaVu Serif"
]
<SLAM>/modules/fonts/fontconfig.nix

If enabled, a Fontconfig configuration file will be built pointing to a set of default fonts. If you don't care about running X11 applications or any other program that uses Fontconfig, you can leave this option off and prevent a dependency on all those fonts.

boolean
false
<SLAM>/modules/fonts/fontconfig.nix

Enable the autohinter in place of the default interpreter. The results are usually lower quality than correctly-hinted fonts, but better than unhinted fonts.

boolean
false
<SLAM>/modules/fonts/fontconfig.nix

Enable font hinting. Hinting aligns glyphs to pixel boundaries to improve rendering sharpness at low resolution. At high resolution (> 200 dpi) hinting will do nothing (at best); users of such displays may want to disable this option.

boolean
true
<SLAM>/modules/fonts/fontconfig.nix

Hintstyle is the amount of font reshaping done to line up to the grid.

slight will make the font more fuzzy to line up to the grid but will be better in retaining font shape, while full will be a crisp font that aligns well to the pixel grid but will lose a greater amount of font shape.

one of none, slight, medium, full
"slight"
<SLAM>/modules/fonts/fontconfig.nix

Include the user configuration from ~/.config/fontconfig/fonts.conf or ~/.config/fontconfig/conf.d.

boolean
true
<SLAM>/modules/fonts/fontconfig.nix

System-wide customization file contents, has higher priority than defaultFonts settings.

strings concatenated with 0
""
<SLAM>/modules/fonts/fontconfig.nix

FreeType LCD filter. At high resolution (> 200 DPI), LCD filtering has no visible effect; users of such displays may want to select none.

one of none, default, light, legacy
"default"
<SLAM>/modules/fonts/fontconfig.nix

Subpixel order. The overwhelming majority of displays are rgb in their normal orientation. Select vrgb for mounting such a display 90 degrees clockwise from its normal orientation or vbgr for mounting 90 degrees counter-clockwise. Select bgr in the unlikely event of mounting 180 degrees from the normal orientation. Reverse these directions in the improbable event that the display's native subpixel order is bgr.

one of rgb, bgr, vrgb, vbgr, none
"none"
<SLAM>/modules/fonts/fontconfig.nix

Use embedded bitmaps in fonts like Calibri.

boolean
false
<SLAM>/modules/fonts/fontconfig.nix

List of primary font packages.

list of absolute path
[ ]
[ pkgs.dejavu_fonts ]
/nix/store/ci5r8q32x2y8zcab0bha5yj7474ysr76-source/nixos/modules/config/fonts/packages.nix

Binary keymap file. If unset then this is generated from the hardware.console.keyMap option.

absolute path
"Binary form of hardware.console.keyMap."
<SLAM>/modules/hardware/console.nix

Whether to configure the console at boot.

boolean
true
<SLAM>/modules/hardware/console.nix

The keyboard mapping table for the virtual consoles. This option may have no effect if hardware.console.binaryKeyMap is set.

string or absolute path
"defkeymap"
<SLAM>/modules/hardware/console.nix

Turn VESA screen blanking on or off.

boolean
true
<SLAM>/modules/hardware/console.nix

List of packages containing firmware files. Such files will be loaded automatically if the kernel asks for them (i.e., when it has detected specific hardware that requires firmware to function). If multiple packages contain firmware files with the same name, the first package in the list takes precedence. Note that you must rebuild your system if you add files to any of these directories.

list of package
[ ]

Whether to enable hardware accelerated graphics drivers.

This is required to allow most graphical applications and environments to use hardware rendering, video encode/decode acceleration, etc.

This option should be enabled by default by the corresponding modules, so you do not usually have to set it yourself.

boolean
false
<SLAM>/modules/hardware/graphics.nix

On 64-bit systems, whether to also install 32-bit drivers for 32-bit applications (such as Wine).

boolean
false
<SLAM>/modules/hardware/graphics.nix

Additional packages to add to the default graphics driver lookup path. This can be used to add OpenCL drivers, VA-API/VDPAU drivers, etc.

intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver.

list of package
[ ]
with pkgs; [ intel-media-driver intel-ocl intel-vaapi-driver ]
<SLAM>/modules/hardware/graphics.nix

Additional packages to add to 32-bit graphics driver lookup path on 64-bit systems. Used when enable32Bit is set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers, etc.

intel-media-driver supports hardware Broadwell (2014) or newer. Older hardware should use the mostly unmaintained intel-vaapi-driver driver.

list of package
[ ]
with pkgs.pkgsi686Linux; [ intel-media-driver intel-vaapi-driver ]
<SLAM>/modules/hardware/graphics.nix

Whether to enable support for i2c devices. Access to these devices is granted to users in the hardware.i2c.group group.

boolean
false
<SLAM>/modules/hardware/i2c.nix

Group to own the /dev/i2c-* devices.

If you want non-root users to be able to access these i2c devices, add them to this group.

If left as the default value, this group will automatically be created on system activation; otherwise you are responsible for ensuring the group exists before system activation has completed.

string
"i2c"
<SLAM>/modules/hardware/i2c.nix

The default locale. It determines the language for program messages, the format for dates and times, sort order, and so on. It also determines the character set, such as UTF-8.

string
"C.UTF-8"
"en_IE.UTF-8"

A set of additional system-wide locale settings other than LANG which can be configured with i18n.defaultLocale.

attribute set of string
{ }
{
  LC_MESSAGES = "en_IE/UTF-8";
  LC_NUMERIC = "kn_IN/UTF-8";
}

Customized pkg.glibcLocales package. Changing this option can disable handling of i18n.defaultLocale and supportedLocale.

absolute path
pkgs.glibcLocales.override {
  allLocales = lib.any (x: x == "all") config.i18n.supportedLocales;
  locales = config.i18n.supportedLocales;
}
pkgs.glibcLocales

List of locales that the system should support. The value ‘all’ means that all locales supported by Glibc will be installed. A full list of supported locales can be found at https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED.

list of string
lib.unique
  (builtins.map (l: (lib.replaceStrings [ "utf8" "utf-8" "UTF8" ] [ "UTF-8" "UTF-8" "UTF-8" ] l) + "/UTF-8") (
    [
      "C.UTF-8"
      config.i18n.defaultLocale
    ] ++ (lib.attrValues (lib.filterAttrs (n: v: n != "LANGUAGE") config.i18n.extraLocaleSettings))
  ))
[
  "kk_KZ/PT154"
  "kk_KZ.UTF-8/UTF-8"
]

This option allows modules to define helper functions, constants, etc.

attribute set of (attribute set)
{ }
/nix/store/ci5r8q32x2y8zcab0bha5yj7474ysr76-source/nixos/modules/misc/lib.nix

List of maintainers of each module. This option should be defined at most once per module.

The option value is not a list of maintainers, but an attribute set that maps module file names to lists of maintainers.

list of (maintainer)
[ ]
[ lib.maintainers.alice lib.maintainers.bob ]
/nix/store/ci5r8q32x2y8zcab0bha5yj7474ysr76-source/modules/generic/meta-maintainers.nix

Primary network domain name for this system.

string
""

Primary fully qualified domain name for this system.

string
"laptop"

The 32-bit host ID of the machine, formatted as 8 hexadecimal characters.

You should try to make this ID unique among your machines. You can generate a random 32-bit ID using the following commands:

head -c 8 /etc/machine-id

(this derives it from the machine-id that systemd generates) or

head -c4 /dev/urandom | od -A none -t x4

The primary use case is to ensure when using ZFS that a pool isn't imported accidentally on a wrong machine.

null or string
null
"4e98920d"

Internal host name for this system.

string
"slam"

Locally defined maps of hostnames to IP addresses.

attribute set of list of string
{
  "127.0.0.1" = [ "foo.bar.baz" ];
  "192.168.0.2" = [ "fileserver.local" "nameserver.local" ];
};

List of statically configured IPv4 addresses.

list of (submodule)
[ ]
[
  {
    device = "eth0";
    local = "192.0.2.7";
    prefixLength = 24;
  }
  {
    device = "eth1";
    local = "203.0.113.175";
    prefixLength = 32;
  }
]

Network attachment device.

string
"eth0"

Local address.

string

Network prefix length.

signed integer
32

List of statically configured IPv4 routes.

list of (submodule)
[ ]
[
  {
    device = "eth0";
    prefix = "192.0.2.0";
    prefixLength = 24;
  }
  {
    device = "eth0";
    gateway = "192.0.2.1";
  }
]

Network attachment device.

string
"eth0"

Network gateway to use as a default route.

null or string
null

Route addressing prefix.

null or string
null

Network prefix length.

null or signed integer
null

List of statically configured IPv6 addresses.

list of (submodule)
[ ]
[
  {
    device = "eth0";
    local = "2001:db8:1::3";
    prefixLength = 64;
  }
  {
    device = "eth1";
    local = "fd12:3456::7";
    prefixLength = 48;
  }
]

Network attachment device.

string
"eth0"

Local address.

string

Network prefix length.

signed integer
128

List of statically configured IPv6 routes.

list of (submodule)
[ ]
[
  {
    device = "eth0";
    prefix = "2001:db8:1::";
    prefixLength = 64;
  }
  {
    device = "eth0";
    gateway = "2001:db8:1::1";
  }
]

Network attachment device.

string
"eth0"

Network gateway to use as a default route.

null or string
null

Route addressing prefix.

null or string
null

Network prefix length.

null or signed integer
null

The network definitions to automatically connect to when wpa_supplicant is running. If this parameter is left empty wpa_supplicant will use /etc/wpa_supplicant.conf as the configuration file.

attribute set of (submodule)
{ }
{
  # SSID with no spaces or special characters
  # (password will be written to /nix/store!)
  echelon = {
    psk = "abcdefgh";
  };

  # safe version of the above: read PSK from the
  # variable psk_echelon, defined in secretsFile,
  # this won't leak into /nix/store
  # (use this in place of the definition above, not alongside it)
  echelon = {
    pskRaw = "ext:psk_echelon";
  };

  # SSID with spaces and/or special characters
  # (password will be written to /nix/store!)
  "echelon's AP" = {
    psk = "ijklmnop";
  };

  # Public wireless network
  "free.wifi" = { };
}
/home/repo/slam-images/config/thinkpad-x220.nix

Use this option to configure advanced authentication methods like EAP. See wpa_supplicant.conf(5) for example configurations.

Be aware that this will be written to the Nix store in plaintext! Use an external reference like ext:secretname for secrets.

Mutually exclusive with psk and pskRaw.

null or string
null
  eap=PEAP
  identity="user@example.com"
  password=ext:example_password
/home/repo/slam-images/config/thinkpad-x220.nix

The list of authentication protocols accepted by this network. This corresponds to the key_mgmt option in wpa_supplicant.

list of (one of WPA-PSK, WPA-EAP, IEEE8021X, NONE, WPA-NONE, FT-PSK, FT-EAP, FT-EAP-SHA384, WPA-PSK-SHA256, WPA-EAP-SHA256, SAE, FT-SAE, WPA-EAP-SUITE-B, WPA-EAP-SUITE-B-192, OSEN, FILS-SHA256, FILS-SHA384, FT-FILS-SHA256, FT-FILS-SHA384, OWE, DPP)
[
  "WPA-PSK"
  "WPA-EAP"
  "SAE"
  "FT-PSK"
  "FT-EAP"
  "FT-SAE"
]
/home/repo/slam-images/config/thinkpad-x220.nix

Extra configuration lines appended to the network block. See wpa_supplicant.conf(5) for available options.

string
""
  bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66
/home/repo/slam-images/config/thinkpad-x220.nix

Set this to ‘true’ if the SSID of the network is hidden.

boolean
false
{ echelon = {
    hidden = true;
    psk = "abcdefgh";
  };
}
/home/repo/slam-images/config/thinkpad-x220.nix

By default, all networks will get same priority group (0). If some of the networks are more desirable, this field can be used to change the order in which wpa_supplicant goes through the networks when selecting a BSS. The priority groups will be iterated in decreasing priority (i.e., the larger the priority value, the sooner the network is matched against the scan results). Within each priority group, networks will be selected based on security policy, signal strength, etc.

null or signed integer
null
/home/repo/slam-images/config/thinkpad-x220.nix

The network's pre-shared key in plaintext. Defaults to a network without any authentication.

Be aware that this will be written to the Nix store in plaintext! Use pskRaw with an external reference to keep it safe.

Mutually exclusive with pskRaw.

null or string matching the pattern [[:print:]]{8,63}
null
/home/repo/slam-images/config/thinkpad-x220.nix

Either the raw pre-shared key in hexadecimal format or the name of the secret (as defined inside the secretsFile and prefixed with "ext:") containing the network pre-shared key.

Be aware that this will be written to the Nix store in plaintext! Always use an external reference.

The external secret can be either the plaintext passphrase or the raw pre-shared key.

Mutually exclusive with psk and auth.

null or string matching the pattern ([[:xdigit:]]{64})|(ext:[^=]+)
null
"ext:name_of_the_secret_here"
/home/repo/slam-images/config/thinkpad-x220.nix
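
The following is an added example, not part of SLAM or of this manual: a Python check that applies the documented psk and pskRaw patterns and the mutual-exclusion rule to a set of network definitions and reports which of them would place a secret in the Nix store. The function names, finding labels, the selection of credential-bearing auth keys and the sample networks are assumptions constructed for illustration.

```python
import re

# Patterns from the option types documented above. builtins.match anchors the
# whole string, so fullmatch() is used. POSIX [[:print:]] in the C locale is
# ASCII 0x20-0x7E.
PSK_RE = re.compile(r"[\x20-\x7e]{8,63}")
PSK_RAW_RE = re.compile(r"([0-9A-Fa-f]{64})|(ext:[^=]+)")

# Assumption: a non-exhaustive selection of wpa_supplicant.conf fields whose
# value is a credential and should therefore be an ext: reference.
SECRET_AUTH_KEYS = {
    "password",
    "private_key_passwd",
    "private_key2_passwd",
    "sae_password",
}


def audit_network(net):
    """Return a list of finding labels for one network definition (a dict)."""
    findings = []
    psk, psk_raw, auth = net.get("psk"), net.get("pskRaw"), net.get("auth")

    configured = [v for v in (psk, psk_raw, auth) if v is not None]
    if len(configured) > 1:
        # psk, pskRaw and auth are documented as mutually exclusive.
        findings.append("mutually-exclusive")
    if not configured:
        # No key material at all: a network without authentication.
        findings.append("open-network")

    if psk is not None:
        # A valid psk is always a plaintext passphrase in the store.
        findings.append("psk-in-store" if PSK_RE.fullmatch(psk) else "psk-invalid")

    if psk_raw is not None:
        m = PSK_RAW_RE.fullmatch(psk_raw)
        if m is None:
            findings.append("pskraw-invalid")
        elif m.group(1):
            # 64 hex digits: the raw key itself ends up in the store.
            findings.append("pskraw-hex-in-store")
        # m.group(2): only the secret's name is stored, no finding.

    if auth is not None:
        for line in auth.splitlines():
            key, sep, value = line.strip().partition("=")
            if (
                sep
                and key.strip() in SECRET_AUTH_KEYS
                and not value.strip().startswith("ext:")
            ):
                findings.append("auth-secret-in-store")
                break

    return findings


def audit(networks):
    """Audit every network; returns {ssid: [finding, ...]}."""
    return {ssid: audit_network(net) for ssid, net in networks.items()}


# Constructed sample input, modelled on the examples in this manual.
SAMPLE_NETWORKS = {
    "echelon": {"psk": "abcdefgh"},
    "echelon-safe": {"pskRaw": "ext:psk_echelon"},
    "lab": {"pskRaw": "0f" * 32},
    "corp": {"auth": 'eap=PEAP\nidentity="user@example.com"\npassword="hunter2"'},
    "corp-safe": {
        "auth": 'eap=PEAP\nidentity="user@example.com"\npassword=ext:example_password'
    },
    "mixed": {"psk": "ijklmnop", "pskRaw": "ext:psk_mixed"},
    "free.wifi": {},
}

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_NETWORKS).items():
        print(f"{ssid}: {', '.join(findings) or 'ok'}")
```
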

evaluation of Nixpkgs; the top level attribute set of packages

Whether to enable [doas](https://github.com/Duncaen/OpenDoas).

boolean
false
<SLAM>/modules//programs/doas

The package to use for `doas`.

package
pkgs.doas
<SLAM>/modules//programs/doas

Whether to enable [fish](https://fishshell.com/).

boolean
false
<SLAM>/modules//programs/fish

The package to use for `fish`.

package
pkgs.fish
<SLAM>/modules//programs/fish

Whether to enable [sudo](https://www.sudo.ws/).

boolean
false
<SLAM>/modules//programs/sudo

The package to use for `sudo`.

package
pkgs.sudo
<SLAM>/modules//programs/sudo

The selected module which should implement functionality for the `providers.bootloader` contract.

value none (singular enum)
"none"

The full path to a program of your choosing which performs the bootloader installation process.

The program will be called with an argument pointing to the output of the system's toplevel.

absolute path
pkgs.writeShellScript "no-bootloader" ''
  echo 'Warning: do not know how to make this configuration bootable; please enable a boot loader.' 1>&2
''

The selected module which should implement functionality for the `providers.privileges` contract.

one of sudo, doas, none
"none"
<SLAM>/modules/programs/sudo/providers.privileges.nix <SLAM>/modules/programs/doas/providers.privileges.nix

The command to be used by modules requiring privilege escalation.

main program, path or command
"/run/wrappers/bin/sudo"

A list of rules which provide a way to temporarily elevate the privileges of a command for a given user or group.

list of (submodule)
[ ]

Arguments that must be provided to the command. When empty, the command must be run without any arguments.

list of string
[ ]

The command the user or group members are allowed to run.

Note: It is best practice to specify absolute paths.

main program, path or command

The groups that are able to run this command.

list of non-empty string
[ ]

Whether the user is required to enter a password.

boolean
true

The user the command is allowed to run as, or `"*"` for allowing the command to run as any user.

non-empty string
"root"

The users that are able to run this command.

list of non-empty string
[ ]

The selected module which should implement functionality for the `providers.resumeAndSuspend` contract.

value none (singular enum)
"none"
<SLAM>/modules/providers/resume-and-suspend

A set of hooks which are to be run on system _suspend_ or _resume_.

attribute set of (submodule)
{ }
<SLAM>/modules/providers/resume-and-suspend

Shell commands to execute when the `event` is triggered.

strings concatenated with 0
""
<SLAM>/modules/providers/resume-and-suspend

Whether this hook should be executed on the given `event`.

boolean
true
<SLAM>/modules/providers/resume-and-suspend

The event type.

one of suspend, resume
<SLAM>/modules/providers/resume-and-suspend

Order of this hook in relation to the others. The semantics are the same as with `lib.mkOrder`. Smaller values are inserted first.

integer between 0 and 9999 (both inclusive)
1000
<SLAM>/modules/providers/resume-and-suspend

The selected module which should implement functionality for the `providers.scheduler` contract.

value none (singular enum)
"none"

Whether the selected `providers.scheduler` implementation supports running tasks as a specified user.

boolean

A set of tasks which are to be run at specified intervals.

attribute set of (submodule)
{ }

The command this task should execute at specified `interval`s.

main program, path or command

The interval at which this task should run its specified `command`. Accepts either a standard crontab(5) expression or one of: `hourly`, `daily`, `weekly`, `monthly`, or `yearly`.

If a standard crontab(5) expression is provided this value will be passed directly to the `scheduler` implementation and execute exactly as specified.

If one of the special values, `hourly`, `daily`, `monthly`, `weekly`, or `yearly`, is provided then the underlying `scheduler` implementation will use its features to decide when best to run.

string
"15 * * * *"

The user this task should run as, subject to `providers.scheduler` implementation capabilities. See `providers.scheduler.supportedFeatures` and your selected backend implementation for additional details.

null or string
null

Whether to enable debugging.

boolean
false
true
<SLAM>/modules/security/pam

Whether to enable Pluggable Authentication Modules.

boolean
true
true
<SLAM>/modules/security/pam

Set of rules for pam_env.

attribute set of (submodule)
<SLAM>/modules/security/pam

Default value of environment variable.

null or string
null
<SLAM>/modules/security/pam

Value to override environment variable with.

null or string
null
<SLAM>/modules/security/pam

PAM implementation package.

package
"linux-pam"
<SLAM>/modules/security/pam

PAM service descriptions.

attribute set of (submodule)
{ }
<SLAM>/modules/security/pam

Whether to enable Pluggable Authentication Module.

boolean
true
true
<SLAM>/modules/security/pam

Name of this module.

string
"‹name›"
<SLAM>/modules/security/pam

Authentication rules for this module.

attribute set of ((submodule) or string convertible to it)
<SLAM>/modules/security/pam

List of rules that must precede this one.

list of string
[ ]
<SLAM>/modules/security/pam

PAM control flag, module and arguments

string
<SLAM>/modules/security/pam

(Read-only) the path to the final bundle of certificate authorities as a single file.

read-only absolute path
/nix/store/ci5r8q32x2y8zcab0bha5yj7474ysr76-source/nixos/modules/security/ca.nix

A list of blacklisted CA certificate names that won't be imported from the Mozilla Trust Store into `/etc/ssl/certs/ca-certificates.crt`. Use the names from that file.

list of string
[ ]
[
  "WoSign"
  "WoSign China"
  "CA WoSign ECC Root"
  "Certification Authority of WoSign G2"
]
/nix/store/ci5r8q32x2y8zcab0bha5yj7474ysr76-source/nixos/modules/security/ca.nix

A list of files containing trusted root certificates in PEM format. These are concatenated to form {file}`/etc/ssl/certs/ca-certificates.crt`, which is used by many programs that use OpenSSL, such as {command}`curl` and {command}`git`.

list of absolute path
[ ]
[ "${pkgs.dn42-cacert}/etc/ssl/certs/dn42-ca.crt" ]
/nix/store/ci5r8q32x2y8zcab0bha5yj7474ysr76-source/nixos/modules/security/ca.nix

A list of trusted root certificates in PEM format.

list of string
[ ]
[ ''
    NixOS.org
    =========
    -----BEGIN CERTIFICATE-----
    MIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
    TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
    ...
    -----END CERTIFICATE-----
  ''
]
/nix/store/ci5r8q32x2y8zcab0bha5yj7474ysr76-source/nixos/modules/security/ca.nix

Whether to enable usage of a compatibility bundle.

Such a bundle consists exclusively of `BEGIN CERTIFICATE` and no `BEGIN TRUSTED CERTIFICATE`, which is an OpenSSL specific PEM format.

It is known to be incompatible with certain software stacks.

Nevertheless, enabling this will strip all additional trust rules provided by the certificates themselves. This can have security consequences depending on your use cases.

boolean
false
true
/nix/store/ci5r8q32x2y8zcab0bha5yj7474ysr76-source/nixos/modules/security/ca.nix

Size limit for the /run/wrappers tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax. Do not set this to less than 64MB.

string
"50%"
"10G"
<SLAM>/modules/security/wrappers

This option effectively allows adding setuid/setgid bits, capabilities, changing file ownership and permissions of a program without directly modifying it. This works by creating a wrapper program under the security.wrapperDir directory, which is then added to the shell PATH.

attribute set of (submodule)
{ }
<SLAM>/modules/security/wrappers

A comma-separated list of capability clauses to be given to the wrapper program. The format for capability clauses is described in the “TEXTUAL REPRESENTATION” section of the cap_from_text(3) manual page. For a list of capabilities supported by the system, check the capabilities(7) manual page.

cap_setpcap, which is required for the wrapper program to be able to raise caps into the Ambient set, is NOT raised to the Ambient set, so that the real program cannot modify its own capabilities. This may be too restrictive for cases in which the real program needs cap_setpcap, but it at least errs on the side of security paranoia rather than being too relaxed.

strings concatenated with ","
""
<SLAM>/modules/security/wrappers

The group of the wrapper program.

string
<SLAM>/modules/security/wrappers

The owner of the wrapper program.

string
<SLAM>/modules/security/wrappers

The permissions of the wrapper program. The format is that of a symbolic or numeric file mode understood by chmod.

file mode string
"u+rx,g+x,o+x"
"a+rx"
<SLAM>/modules/security/wrappers

The name of the wrapper program. Defaults to the attribute name.

null or string
"‹name›"
<SLAM>/modules/security/wrappers

Whether to add the setgid bit to the wrapper program.

boolean
false
<SLAM>/modules/security/wrappers

Whether to add the setuid bit to the wrapper program.

boolean
false
<SLAM>/modules/security/wrappers

The absolute path to the program to be wrapped.

absolute path
<SLAM>/modules/security/wrappers

Path to a Chrony configuration file.

absolute path
<derivation chrony.conf>
<SLAM>/modules//services/chronyd

Whether to enable chrony as a system service.

boolean
false
<SLAM>/modules//services/chronyd

The package to use for chrony.

package
pkgs.chrony
<SLAM>/modules//services/chronyd

Path to dhcpcd configuration file.

absolute path
"Generated configuration file."

Whether to enable dhcpcd as a system service.

boolean
false

The package to use for dhcpcd.

package
pkgs.dhcpcd.override {
  withUdev = config.services.udev.enable;
}

Free-form settings to generate a dhcpcd configuration file from.

open submodule of attribute set of (atom (null, bool, int, float or string) or a non-empty list of them)
{ }

Disable printing of kernel messages to the console and enable dmesg running as a dedicated service.

boolean
true

List of command-line options to pass to the dmesg service.

list of string
[ ]

Whether to enable getty services.

boolean
true
<SLAM>/modules//services/getty

The list of tty devices on which to start a login prompt.

list of string
[
  "tty1"
  "tty2"
  "tty3"
  "tty4"
  "tty5"
  "tty6"
]
<SLAM>/modules//services/getty

Whether to enable greetd as a system service.

boolean
false
<SLAM>/modules//services/greetd

greetd configuration. See greetd(5) for additional details.

TOML value
{ }
<SLAM>/modules//services/greetd

Mdevd rules for coldplug events during the initramfs stage of booting.

strings concatenated with "\n"

Whether to enable debug logging.

boolean
false

Whether the mdevd hardware event manager has been enabled by config.boot.hardwareManager.

read-only unspecified value
true

Mdevd rules for hotplug events. These rules are active after the initial mdevd daemon has coldbooted with the services.mdevd.coldplug rules.

strings concatenated with "\n"

After mdevd has handled the uevents, rebroadcast them to the netlink groups identified by the nlgroups mask.

A value that intersects with ‘4’ will make the daemon rebroadcast kernel uevents to libudev-zero.

null or (unsigned integer, meaning >=0)
4

The mdevd package to use.

package
pkgs.alt.slam.mdevd

Whether to enable the Nix daemon as a system service. Disabling Nix makes the system hard to modify and the Nix programs and configuration will not be made available.

boolean
false

Number of “nixbld” user accounts created to perform secure concurrent builds. If you receive an error message saying that “all build users are currently in use”, you should increase this value.

signed integer
8

The package to use for nix.

package
pkgs.nix

Configuration for Nix, see https://nixos.org/manual/nix/stable/command-ref/conf-file.html or nix.conf(5) for available options. The value declared here will be translated directly to the key-value pairs Nix expects. You can use ‘nix-instantiate --eval --strict '<nixpkgs/nixos>' -A config.nix.settings’ to view the current value. By default it is empty. Nix configurations defined under nix.* will be translated and applied to this option. In addition, configuration specified in nix.extraOptions will be appended verbatim to the resulting config file.

open submodule of attribute set of (Nix config atom (null, bool, int, float, str, path or package) or list of (Nix config atom (null, bool, int, float, str, path or package)))
{ }

A list of names of users (separated by whitespace) that are allowed to connect to the Nix daemon. As with nix.settings.trusted-users, you can specify groups by prefixing them with ‘@’. Also, you can allow all users by specifying ‘*’. The default is ‘*’. Note that trusted users are always allowed to connect.

list of string
[
  "*"
]
[
  "@wheel"
  "@builders"
  "alice"
  "bob"
]

If set to true, Nix automatically detects files in the store that have identical contents, and replaces them with hard links to a single copy. This saves disk space. If set to false (the default), you can still run nix-store --optimise to get rid of duplicate files.

boolean
false
true

This option defines the maximum number of concurrent tasks during one build. It affects, e.g., -j option for make. The special value 0 means that the builder should use all available CPU cores in the system. Some builds may become non-deterministic with this option; use with care! Packages will only be affected if enableParallelBuilding is set for them.

signed integer
0
64

This option defines the maximum number of jobs that Nix will try to build in parallel. The default is auto, which means it will use all available logical cores. It is recommended to set it to the total number of logical cores in your system (e.g., 16 for two CPUs with 4 cores each and hyper-threading).

signed integer or value auto (singular enum)
"auto"
64

If enabled (the default), Nix will only download binaries from binary caches if they are cryptographically signed with any of the keys listed in nix.settings.trusted-public-keys. If disabled, signatures are neither required nor checked, so it's strongly recommended that you use only trustworthy caches using authenticated transport.

boolean
true

If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build. This prevents impurities in builds by disallowing access to dependencies outside of the Nix store by using network and mount namespaces in a chroot environment.

This is enabled by default even though it has a possible performance impact due to the initial setup time of a sandbox for each build. It doesn't affect derivation hashes, so changing this option will not trigger a rebuild of packages.

When set to ‘relaxed’, this option permits derivations that set ‘__noChroot = true;’ to run outside of the sandboxed environment. Exercise caution when using this mode of operation! It is intended to be a quick hack when building with packages that are not easily setup to be built reproducibly.

boolean or value relaxed (singular enum)
true

List of binary cache URLs used to obtain pre-built binaries of Nix packages. No caches are added by default.

list of string
[ ]

The set of features supported by the machine. Derivations can express dependencies on system features through the requiredSystemFeatures attribute.

list of string

List of public keys used to sign binary caches. If nix.settings.trusted-public-keys is enabled then Nix will use a binary from a binary cache if and only if it is signed by any of the keys listed here. No keys are added by default.

list of string
[ ]
[
  "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
]

List of binary cache URLs that non-root users can use (in addition to those specified using nix.settings.substituters) by passing ‘--option binary-caches’ to Nix commands.

list of string
[ ]
[
  "https://hydra.nixos.org/"
]

A list of names of users that have additional rights when connecting to the Nix daemon, such as the ability to specify additional binary caches, or to import unsigned NARs. You can also specify groups by prefixing them with ‘@’; for instance, ‘@wheel’ means all users in the wheel group.

list of string
[
  "root"
  "alice"
  "@wheel"
]

Whether to enable the OpenSMTPD server.

boolean
false
<SLAM>/modules//services/opensmtpd

Extra command line arguments provided when the smtpd process is started.

list of string
[ ]
[
  "-v"
  "-P mta"
]
<SLAM>/modules//services/opensmtpd

The opensmtpd package to use.

package
pkgs.opensmtpd
<SLAM>/modules//services/opensmtpd

Packages to search for filters, tables, queues, and schedulers.

Add packages here if you want to use them as such, for example from the opensmtpd-table-* packages.

list of package
[ ]
<SLAM>/modules//services/opensmtpd

The contents of the smtpd.conf configuration file. See the OpenSMTPD documentation for syntax information.

strings concatenated with "\n"
  listen on lo
  accept for any deliver to lmtp localhost:24
<SLAM>/modules//services/opensmtpd

Whether to set the system sendmail to OpenSMTPD's.

boolean
true
<SLAM>/modules//services/opensmtpd

Whether to enable [openssh](https://www.openssh.com/) as a system service.

boolean
false
<SLAM>/modules//services/openssh

The package to use for `openssh`.

package
pkgs.openssh
<SLAM>/modules//services/openssh

`openssh` configuration. See {manpage}`sshd_config(5)` for additional details.

open submodule of attribute set of (atom (null, bool, int, float or string))
{ }
<SLAM>/modules//services/openssh

Specifies which address family should be used by {manpage}`sshd(8)`.

one of any, inet, inet6
"any"
<SLAM>/modules//services/openssh

The contents of the specified file are sent to the remote user before authentication is allowed. If the argument is `none` then no banner is displayed.

value none (singular enum) or absolute path
"none"
<SLAM>/modules//services/openssh

Allowed ciphers

Defaults to recommended settings from both <https://stribika.github.io/2015/01/04/secure-secure-shell.html> and <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>

list of string
[
  "chacha20-poly1305@openssh.com"
  "aes256-gcm@openssh.com"
  "aes128-gcm@openssh.com"
  "aes256-ctr"
  "aes192-ctr"
  "aes128-ctr"
]
<SLAM>/modules//services/openssh

TODO: description

list of absolute path
[ ]
<SLAM>/modules//services/openssh

Specifies whether keyboard-interactive authentication is allowed.

boolean
true
<SLAM>/modules//services/openssh

Allowed key exchange algorithms

Uses the lower bound recommended in both <https://stribika.github.io/2015/01/04/secure-secure-shell.html> and <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>

list of string
[
  "sntrup761x25519-sha512@openssh.com"
  "curve25519-sha256"
  "curve25519-sha256@libssh.org"
  "diffie-hellman-group-exchange-sha256"
]
<SLAM>/modules//services/openssh

Gives the verbosity level that is used when logging messages from {manpage}`sshd(8)`. Logging with a `DEBUG` level violates the privacy of users and is not recommended.

one of QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3
"INFO"
<SLAM>/modules//services/openssh

Allowed MACs

Defaults to recommended settings from both <https://stribika.github.io/2015/01/04/secure-secure-shell.html> and <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>

list of string
[
  "hmac-sha2-512-etm@openssh.com"
  "hmac-sha2-256-etm@openssh.com"
  "umac-128-etm@openssh.com"
]
<SLAM>/modules//services/openssh

Specifies whether password authentication is allowed.

boolean
true
<SLAM>/modules//services/openssh

Whether the root user can login using ssh.

one of yes, without-password, prohibit-password, forced-commands-only, no
"prohibit-password"
<SLAM>/modules//services/openssh

Specifies the port number that {manpage}`sshd(8)` listens on.

list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
[
  22
]
<SLAM>/modules//services/openssh

Whether sshd should check file modes and ownership of directories.

boolean
true
<SLAM>/modules//services/openssh

Whether to enable PAM authentication.

boolean
true
true
<SLAM>/modules//services/openssh

Whether to enable file transfer sessions using SFTP.

boolean
true
true
<SLAM>/modules//services/openssh

Command with optional arguments to execute upon SFTP requests.

string
<SLAM>/modules//services/openssh

Optional arguments to pass to the SFTP executable.

list of string
[ ]
<SLAM>/modules//services/openssh

Whether to enable debug logging.

boolean
false
<SLAM>/modules//services/seatd

Whether to enable seatd as a system service.

boolean
false
<SLAM>/modules//services/seatd

Group to own the seatd socket. If you want non-root users to be able to access the seatd session, add them to this group.

string
"seat"
<SLAM>/modules//services/seatd

The seatd package to use.

package
pkgs.alt.slam.seatd
<SLAM>/modules//services/seatd

Whether to enable the Syndev uevent monitor. The uevent dataspace will be bound to ‘<oid uevents>’.

boolean
false
<SLAM>/modules//services/syndev

Subscribe to events on the specified netlink group. Mdevd usually subscribes to group 1, so set this to a mask not intersecting with 1, and set services.mdevd.nlgroups to a value that intersects with the nlgroup set here.

unsigned integer, meaning >=0
2
<SLAM>/modules//services/syndev

The syndev package to use.

package
pkgs.alt.sam.syndev
<SLAM>/modules//services/syndev

Whether to enable tlp as a system service.

boolean
false
/home/repo/slam-images/config/thinkpad-x220.nix

The package to use for tlp.

package
pkgs.tlp
/home/repo/slam-images/config/thinkpad-x220.nix

tlp configuration. See upstream documentation for additional details.

attribute set of (atom (null, bool, int, float or string) or a non-empty list of them)
{ }
/home/repo/slam-images/config/thinkpad-x220.nix

Services for tmpfiles.

attribute set of (submodule)
{ }

Whether to enable tmpfiles.

boolean
true
true

Rules for creation, deletion and cleaning of volatile and temporary files automatically. See tmpfiles.d(5) for the exact format.

list of string
[ ]
[
  "d /tmp 1777 root root 10d"
]

Whether to enable debug logging.

boolean
false
true

Whether to enable as a system service.

read-only boolean
false

The package to use for eudev.

package
pkgs.eudev

List of packages containing udev rules. All files found in «pkg»/etc/udev/rules.d and «pkg»/lib/udev/rules.d will be included.

list of absolute path
[ ]

Packages added to the PATH environment variable when executing programs from Udev rules. The coreutils, (GNU) sed, grep, and util-linux packages are automatically included.

list of absolute path
[ ]

Whether to allow configuring networks “imperatively” (e.g. via wpa_supplicant_gui) and declaratively via networking.wireless.networks.

boolean
false
true
/home/repo/slam-images/config/thinkpad-x220.nix

Whether to enable the DBus control interface. This is only needed when using NetworkManager or connman.

boolean
length cfg.interfaces < 2
/home/repo/slam-images/config/thinkpad-x220.nix

Force a specific wpa_supplicant driver.

string
"nl80211,wext"
/home/repo/slam-images/config/thinkpad-x220.nix

Whether to enable wpa_supplicant.

boolean
false
true
/home/repo/slam-images/config/thinkpad-x220.nix

Extra lines appended to the configuration file. See wpa_supplicant.conf(5) for available options.

string
""
  p2p_disabled=1
/home/repo/slam-images/config/thinkpad-x220.nix

Whether to fall back to WPA2 authentication protocols if WPA3 failed. This allows old wireless cards (that lack recent features required by WPA3) to connect to mixed WPA2/WPA3 access points. To avoid possible downgrade attacks, disable this option.

boolean
true
/home/repo/slam-images/config/thinkpad-x220.nix

The interfaces wpa_supplicant will use. If empty, it will automatically use all wireless interfaces. A separate wpa_supplicant instance will be started for each interface.

list of string
[ ]
[
  "wlan0"
  "wlan1"
]
/home/repo/slam-images/config/thinkpad-x220.nix

The wpa_supplicant package to use.

package
pkgs.wpa_supplicant
/home/repo/slam-images/config/thinkpad-x220.nix

Whether to periodically scan for (better) networks when the signal of the current one is low. This will make roaming between access points faster, but will consume more power.

boolean
true
/home/repo/slam-images/config/thinkpad-x220.nix

File consisting of lines of the form ‘varname=value’ to define variables for the wireless configuration.

Secrets (PSKs, passwords, etc.) can be provided without adding them to the world-readable Nix store by defining them in the secrets file and referring to them in option networking.wireless.networks with the syntax ext:secretname. Example:

# content of /run/secrets/wireless.conf
psk_home=mypassword
psk_other=6a381cea59c7a2d6b30736ba0e6f397f7564a044bcdb7a327a1d16a1ed91b327
pass_work=myworkpassword

# wireless-related configuration
networking.wireless.secretsFile = "/run/secrets/wireless.conf";
networking.wireless.networks = {
  home.pskRaw = "ext:psk_home";
  other.pskRaw = "ext:psk_other";
  work.auth = ''
    eap=PEAP
    identity="my-user@example.com"
    password=ext:pass_work
  '';
};

null or absolute path
null
"/run/secrets/wireless.conf"
/home/repo/slam-images/config/thinkpad-x220.nix

Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli. This is useful for laptop users that switch networks a lot and don't want to depend on a large package such as NetworkManager just to pick nearby access points.

When using a declarative network specification you cannot persist any settings via wpa_gui or wpa_cli.

boolean
false
/home/repo/slam-images/config/thinkpad-x220.nix

Members of this group can control wpa_supplicant.

string
"wheel"
"network"
/home/repo/slam-images/config/thinkpad-x220.nix

Additional configurations to build.

attribute set of (submodule)
{ }
{
  mdevd = {
    services.mdevd.enable = lib.mkForce true;
    services.udev.enable = lib.mkForce false;
  };
}
<SLAM>/modules/system/activation/specialisation.nix

Whether an activation script is enabled.

boolean
true

The actual script to run on activation.

read-only absolute path

Packages available during activation from PATH.

list of package
[ ]

A set of shell script fragments that are executed when a system configuration is activated. Examples are updating /etc, creating accounts, and so on. Since these are executed every time you boot the system or a configuration transition occurs, it's important that they are idempotent and fast.

attribute set of ((submodule) or string convertible to it)
{ }
{ stdio.text =
  ''
    # Needed by some programs.
    ln -sfn /proc/self/fd /dev/fd
    ln -sfn /proc/self/fd/0 /dev/stdin
    ln -sfn /proc/self/fd/1 /dev/stdout
    ln -sfn /proc/self/fd/2 /dev/stderr
  '';
}

List of dependencies. The script will run after these.

list of string
[ ]

The content of the script.

strings concatenated with "\n"

Top-level system derivation.

read-only absolute path

Bootloader install script.

read-only absolute path
<SLAM>/modules/boot/loader.nix

Whether to enable logging to the file-system by default.

boolean
true
true
<SLAM>/modules/system/logging.nix

PATH used to boot the system bus.

read-only unspecified value
"The packages s6, execline"

Whether s6 is enabled as PID1.

read-only unspecified value
"config.system.serviceManager ==

Whether to enable copying of catch-all messages to /dev/console.

boolean
false
true
<SLAM>/modules/s6/slam.nix

The s6 package to use.

package
pkgs.s6

Scripts generated for s6-rc.

read-only attribute set of package
<SLAM>/modules/s6/rc.nix

s6-rc services.

attribute set of (submodule)
{ }
<SLAM>/modules/s6/rc.nix

Name of the direct producer of this service.

null or string
null
<SLAM>/modules/s6/rc.nix

List of other s6-rc services that must be started before this one.

list of string
[
  "mounts"
]
<SLAM>/modules/s6/rc.nix

Unix command-line to be lexed by execlineb. This is the command that brings a service down.

null or strings concatenated with "\n"
null
<SLAM>/modules/s6/rc.nix

Attrset of environment variables. These are written to an env directory in the s6-rc service description and can be loaded by ‘s6-envdir env’.

attribute set of string
{ }
<SLAM>/modules/s6/rc.nix

Executable file to run after a longrun service has finished.

null or path in the Nix store
null
<SLAM>/modules/s6/rc.nix

Command-line arguments passed to s6-log before the logging directory. The default arguments prepend logged lines with a TAI64N timestamp. Override args to ‘[]’ if this information would be redundant.

list of string
[
  "t"
  "s1000000"
  "n20"
]
<SLAM>/modules/s6/rc.nix

Directory for log files from this daemon.

absolute path
/var/log/‹name›
<SLAM>/modules/s6/rc.nix

Whether to inject a logging wrapper over this daemon.

boolean
false
true
<SLAM>/modules/s6/rc.nix

When non-null enable s6 readiness notification for this daemon using the specified file-descriptor.

null or signed integer
null
3
<SLAM>/modules/s6/rc.nix

List of bundles that this service belongs to.

list of string
[ ]
<SLAM>/modules/s6/rc.nix

List of directories to compose into the PATH environmental variable. If env.PATH is set then this value is ignored. Otherwise it will be appended with execline and s6 packages.

list of (string or absolute path or package)
[ ]
<SLAM>/modules/s6/rc.nix

Name of the whole producer-consumer pipeline. Declaring this will compile a pipeline bundle with this name.

null or string
null
<SLAM>/modules/s6/rc.nix

Name of the direct consumer of this service.

null or string
null
<SLAM>/modules/s6/rc.nix

Executable file to run for a longrun service.

path in the Nix store
<SLAM>/modules/s6/rc.nix

Derived service definition directory for this service. For a description of this format see s6-rc-compile(8) or https://skarnet.org/software/s6-rc/s6-rc-compile.html.

read-only package
not available
<SLAM>/modules/s6/rc.nix

s6-rc service type.

one of oneshot, longrun, bundle
<SLAM>/modules/s6/rc.nix

Unix command-line to be lexed by execlineb. This is the command that brings a service up.

strings concatenated with "\n"
<SLAM>/modules/s6/rc.nix

Directory to be scanned by s6-svscan.

absolute path not in the Nix store

Which service-manager to bootstrap into.

one of parent, finit, s6, synit
"parent"

A collection of modular services.

attribute set of (submodule)
{ }

The duration in seconds which a service-manager is allowed to delay a shutdown. If null then shutdown may be delayed indefinitely.

null or signed integer
6

PATH used to boot the system bus.

read-only unspecified value
The packages execline, s6, syndicate-server, and security wrappers.

Whether to enable Synit control socket at /run/synit/system-bus.sock.

boolean
false
true
<SLAM>/modules/synit/slam.nix

Definitions of daemons to assert as Synit core services. For each daemon defined in core a ‘<requires-service <daemon ${name}>>’ assertion is also made.

attribute set of (submodule)
{ }
<SLAM>/modules/synit/daemons.nix

Daemon command line. A string is executed in a shell whereas a list of strings is executed directly. See https://synit.org/book/operation/builtin/daemon.html#adding-process-specifications-to-a-service.

string or absolute path or list of (string or absolute path)
<SLAM>/modules/synit/daemons.nix

Whether the Unix process environment is cleared or inherited. See https://synit.org/book/operation/builtin/daemon.html#specifying-subprocess-environment-variables.

boolean
false
<SLAM>/modules/synit/daemons.nix

Sets the working directory of a daemon. See https://synit.org/book/operation/builtin/daemon.html#setting-the-current-working-directory-for-a-subprocess.

null or string
null
<SLAM>/modules/synit/daemons.nix

Sets Unix process environment for a daemon. See https://synit.org/book/operation/builtin/daemon.html#specifying-subprocess-environment-variables.

null or (attribute set of string)
null
<SLAM>/modules/synit/daemons.nix

Whether this service is tautologically required.

boolean
true
<SLAM>/modules/synit/daemons.nix

Command-line arguments passed to s6-log before the logging directory. The default arguments prepend logged lines with a TAI64N timestamp. Override args to [‘’] if this information would be redundant.

list of string
[
  "t"
]
<SLAM>/modules/synit/daemons.nix

Directory for log files from this daemon.

absolute path
/var/log/‹name›
<SLAM>/modules/synit/daemons.nix

Whether to inject a logging wrapper over this daemon.

boolean
config.system.logging.logToFileSystem
true
<SLAM>/modules/synit/daemons.nix

List of directories to compose into the PATH environmental variable. If env.PATH is set then this value is ignored. Otherwise it will be appended with execline and s6 packages.

list of (string or absolute path or package)
[ ]
<SLAM>/modules/synit/daemons.nix

Whether this daemon should persist and never be replaced or removed.

boolean
false
<SLAM>/modules/synit/daemons.nix

Specify a protocol for communicating with a daemon over stdin and stdout. See https://synit.org/book/operation/builtin/daemon.html#speaking-syndicate-network-protocol-via-stdinstdout.

one of none, application/syndicate, text/syndicate
"none"
<SLAM>/modules/synit/daemons.nix

Reverse requires of this daemon. It is a list of service keys.

list of list of string
[ ]
[
  [
    "milestone"
    "network"
  ]
]
<SLAM>/modules/synit/daemons.nix

When non-null enable s6 readiness notification for this daemon using the specified file-descriptor. Setting a file-descriptor here disables readyOnStart.

null or signed integer
null
3
<SLAM>/modules/synit/daemons.nix

Whether a daemon should be considered ready immediately after startup. See https://synit.org/book/operation/builtin/daemon.html#ready-signalling.

boolean
true
<SLAM>/modules/synit/daemons.nix

Services required by this daemon. It is a list of ‘{ key, state }’ attrs where key identifies a service and state is a service state.

list of (submodule)
[ ]
[
  {
    key = [
      "milestone"
      "foo"
    ];
    state = "up";
  }
  {
    key = [
      "daemon"
      "oneshot-script"
    ];
    state = "complete";
  }
]
<SLAM>/modules/synit/daemons.nix

Label of a service. The head of the list is the record label and the tail is the fields.

list of string
<SLAM>/modules/synit/daemons.nix

Required service state.

string
"up"
<SLAM>/modules/synit/daemons.nix

Daemon restart policy. See https://synit.org/book/operation/builtin/daemon.html#whether-and-when-to-restart.

one of always, on-error, all, never
"always"
<SLAM>/modules/synit/daemons.nix

Syndicate-server script associated with this daemon.

strings concatenated with "\n"
<SLAM>/modules/synit/daemons.nix

List of Nix store paths that can be read or executed.

unspecified value
<SLAM>/modules/synit/daemons.nix

Whether to enable Syd sandboxing.

boolean
false
true
<SLAM>/modules/synit/daemons.nix

List of predefined Syd profiles to apply. See syd(5) for list of common profiles.

list of string
[ ]
[
  "readonly"
  "nomem"
]
<SLAM>/modules/synit/daemons.nix

Syd sandboxing commands.

strings concatenated with "\n"
  allow/read+/etc/secrets/foo
  allow/net/bind+127.0.0.1!8080
<SLAM>/modules/synit/daemons.nix

Definitions of daemons to assert into the Synit configuration dataspace.

attribute set of (submodule)
{ }
<SLAM>/modules/synit/daemons.nix

Daemon command line. A string is executed in a shell whereas a list of strings is executed directly. See https://synit.org/book/operation/builtin/daemon.html#adding-process-specifications-to-a-service.

string or absolute path or list of (string or absolute path)
<SLAM>/modules/synit/daemons.nix

Whether the Unix process environment is cleared or inherited. See https://synit.org/book/operation/builtin/daemon.html#specifying-subprocess-environment-variables.

boolean
false
<SLAM>/modules/synit/daemons.nix

Sets the working directory of a daemon. See https://synit.org/book/operation/builtin/daemon.html#setting-the-current-working-directory-for-a-subprocess.

null or string
null
<SLAM>/modules/synit/daemons.nix

Sets Unix process environment for a daemon. See https://synit.org/book/operation/builtin/daemon.html#specifying-subprocess-environment-variables.

null or (attribute set of string)
null
<SLAM>/modules/synit/daemons.nix

Whether this service is tautologically required.

boolean
true
<SLAM>/modules/synit/daemons.nix

Command-line arguments passed to s6-log before the logging directory. The default arguments prepend logged lines with a TAI64N timestamp. Override args to [‘’] if this information would be redundant.

list of string
[
  "t"
]
<SLAM>/modules/synit/daemons.nix

Directory for log files from this daemon.

absolute path
/var/log/‹name›
<SLAM>/modules/synit/daemons.nix

Whether to inject a logging wrapper over this daemon.

boolean
config.system.logging.logToFileSystem
true
<SLAM>/modules/synit/daemons.nix

List of directories to compose into the PATH environmental variable. If env.PATH is set then this value is ignored. Otherwise it will be appended with execline and s6 packages.

list of (string or absolute path or package)
[ ]
<SLAM>/modules/synit/daemons.nix

Whether this daemon should persist and never be replaced or removed.

boolean
false
<SLAM>/modules/synit/daemons.nix

Specify a protocol for communicating with a daemon over stdin and stdout. See https://synit.org/book/operation/builtin/daemon.html#speaking-syndicate-network-protocol-via-stdinstdout.

one of none, application/syndicate, text/syndicate
"none"
<SLAM>/modules/synit/daemons.nix

Reverse requires of this daemon. It is a list of service keys.

list of list of string
[ ]
[
  [
    "milestone"
    "network"
  ]
]
<SLAM>/modules/synit/daemons.nix

When non-null, enables s6 readiness notification for this daemon using the specified file descriptor. Setting a file descriptor here disables readyOnStart.

null or signed integer
null
3
<SLAM>/modules/synit/daemons.nix

Whether a daemon should be considered ready immediately after startup. See https://synit.org/book/operation/builtin/daemon.html#ready-signalling.

boolean
true
<SLAM>/modules/synit/daemons.nix

Services required by this daemon. It is a list of ‘{ key, state }’ attrs where key identifies a service and state is a service state.

list of (submodule)
[ ]
[
  {
    key = [
      "milestone"
      "foo"
    ];
    state = "up";
  }
  {
    key = [
      "daemon"
      "oneshot-script"
    ];
    state = "complete";
  }
]
<SLAM>/modules/synit/daemons.nix

Label of a service. The head of the list is the record label and the tail is the fields.

list of string
<SLAM>/modules/synit/daemons.nix

Required service state.

string
"up"
<SLAM>/modules/synit/daemons.nix

Daemon restart policy. See https://synit.org/book/operation/builtin/daemon.html#whether-and-when-to-restart.

one of always, on-error, all, never
"always"
<SLAM>/modules/synit/daemons.nix

Syndicate-server script associated with this daemon.

strings concatenated with "\n"
<SLAM>/modules/synit/daemons.nix

List of Nix store paths that can be read or executed.

unspecified value
<SLAM>/modules/synit/daemons.nix

Whether to enable Syd sandboxing.

boolean
false
true
<SLAM>/modules/synit/daemons.nix

List of predefined Syd profiles to apply. See syd(5) for list of common profiles.

list of string
[ ]
[
  "readonly"
  "nomem"
]
<SLAM>/modules/synit/daemons.nix

Syd sandboxing commands.

strings concatenated with "\n"
  allow/read+/etc/secrets/foo
  allow/net/bind+127.0.0.1!8080
<SLAM>/modules/synit/daemons.nix

List of edges in the service dependency graph. This list is populated from other options but dependencies can also be explicitly specified here.

list of (submodule)
<SLAM>/modules/synit/dependencies.nix

Service that will be started if its dependers are required.

submodule
<SLAM>/modules/synit/dependencies.nix

Label of a service. The head of the list is the record label and the tail is the fields.

list of string
<SLAM>/modules/synit/dependencies.nix

Required service state.

string
"up"
<SLAM>/modules/synit/dependencies.nix

Label of a service. The head of the list is the record label and the tail is the fields.

list of string
<SLAM>/modules/synit/dependencies.nix

Enable Synit, either as a primary or secondary service-manager.

unspecified value
"config.system.serviceManager ==

Attribute set of service milestones and their dependees. A milestone will not be required unless it has been added to system.synit.plan.requires.

attribute set of (submodule)
{
  network = {
    requires = [
      {
        key = [
          "milestone"
          "devices"
        ];
      }
      {
        key = [
          "daemon"
          "dhcpcd"
        ];
        state = "ready";
      }
    ];
  };
}
<SLAM>/modules/synit/dependencies.nix

Reverse requires of this milestone. It is a list of service keys.

list of list of string
[ ]
<SLAM>/modules/synit/dependencies.nix

List of services required by this milestone.

list of (submodule)
[ ]
<SLAM>/modules/synit/dependencies.nix

Label of a service. The head of the list is the record label and the tail is the fields.

list of string
<SLAM>/modules/synit/dependencies.nix

Required service state.

string
"up"
<SLAM>/modules/synit/dependencies.nix

The synit-pid1 package to use.

package
pkgs.alt.sam.synit-pid1
<SLAM>/modules/synit/pid1.nix

Template for the activation script run by the user.

package
<SLAM>/modules/synit/plans.nix

The syndicate-server script that comprises a plan for system configuration.

attribute set of ((list of anything) or string convertible to it)
<SLAM>/modules/synit/plans.nix

File containing the complete syndicate-server script for this plan.

read-only unspecified value
<SLAM>/modules/synit/plans.nix

List of services required by this plan.

list of list of string
<SLAM>/modules/synit/dependencies.nix

A collection of modular services.

attribute set of (submodule)
{ }
<SLAM>/modules/system/service/synit/system.nix

The syndicate-server package to use.

package
pkgs.alt.sam.syndicate-server

Bash scripts to run during the build of the toplevel derivation.

attribute set of ((submodule) or string convertible to it)

List of dependencies. The script will run after these.

list of string
[ ]

The content of the script.

strings concatenated with "\n"

System-wide timezone.

null or string without spaces
null

Whether to use the experimental builderball cache.

boolean
false
true
/depot/ops/modules/tvl-cache.nix

Whether to enable the TVL binary cache.

boolean
false
true
/depot/ops/modules/tvl-cache.nix

Groups for user accounts.

attribute set of (submodule)
{ }
<SLAM>/modules/users/options.nix

The group GID. If the GID is null, a free GID is picked on activation.

null or signed integer
null
<SLAM>/modules/users/options.nix

The user names of the group members, added to the /etc/group file.

list of (string, not containing newlines or colons)
[ ]
<SLAM>/modules/users/options.nix

The name of the group. If undefined, the name of the attribute set will be used.

string, not containing newlines or colons
<SLAM>/modules/users/options.nix

User accounts.

attribute set of (submodule)
{ }
<SLAM>/modules/users/options.nix <SLAM>/modules/synit/users.nix

Whether to create the home directory and ensure ownership as well as permissions to match the user.

boolean
false
<SLAM>/modules/users/options.nix

A short description of the user account, typically the user's full name. This is actually the “GECOS” “comment” field in /etc/passwd.

string, not containing newlines or colons
""
"Alice Q. User"
<SLAM>/modules/users/options.nix

The user's auxiliary groups.

list of string
[ ]
<SLAM>/modules/users/options.nix

The user's primary group.

string
<SLAM>/modules/users/options.nix

The user's home directory.

absolute path, not containing newlines or colons
"/var/empty"
<SLAM>/modules/users/options.nix

Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it's equivalent to setting the hashedPassword option.

null or (string, not containing newlines or colons)
null
<SLAM>/modules/users/options.nix

Specifies the initial password for the user, i.e. the password assigned if the user does not already exist. If users.mutableUsers is true, the password can be changed subsequently using the passwd command. Otherwise, it's equivalent to setting the password option. The same caveat applies: the password specified here is world-readable in the Nix store, so it should only be used for guest accounts or passwords that will be changed promptly.

null or string
null
<SLAM>/modules/users/options.nix

Indicates whether this is an account for a “real” user. This automatically sets group to ‘users’, createHome to ‘true’, home to /home/«username», and isSystemUser to ‘false’. Exactly one of isNormalUser and isSystemUser must be enabled.

boolean
false
<SLAM>/modules/users/options.nix

Indicates if the user is a system user or not. This option only has an effect if uid is ‘null’, in which case it determines whether the user's UID is allocated in the range for system users (below 1000) or in the range for normal users (starting at 1000). Exactly one of isNormalUser and isSystemUser must be enabled.

boolean
false
<SLAM>/modules/users/options.nix

The name of the user account. If undefined, the name of the attribute set will be used.

string, not containing newlines or colons
<SLAM>/modules/users/options.nix

Specifies the hashed password for the user.

null or string
null
<SLAM>/modules/users/options.nix

The full path to a file that contains the hash of the user's password. The password file is read on each system activation. The file should contain exactly one line, which should be the password in an encrypted form that is suitable for the ‘chpasswd -e’ command.

null or string
null
<SLAM>/modules/users/options.nix

The path to the user's shell. Can use shell derivations, like ‘pkgs.bashInteractive’. Don't forget to enable your shell in programs if necessary, like ‘programs.zsh.enable = true;’.

null or package or (absolute path, not containing newlines or colons)
pkgs.shadow
pkgs.bashInteractive
<SLAM>/modules/users/options.nix

List of paths to configuration scripts to load into the user-level syndicate-server at boot.

list of absolute path
[ ]
<SLAM>/modules/synit/users.nix

List of names of additional dataspaces to create within the user-bus. The config, log, and gatekeeper namespaces are reserved. Dataspaces otherwise created within configuration files may be destroyed and recreated during a configuration transition.

list of string
[ ]
<SLAM>/modules/synit/users.nix

Reference to system-bus. Can be ‘"$config"’ for full access or an attenuation for restricted access. Defaults to an invalid reference.

unspecified value
"#f"
"@
<SLAM>/modules/synit/users.nix

The account UID. If the UID is null, a free UID is picked on activation.

null or signed integer
null
<SLAM>/modules/users/options.nix
April 16, 2026 SLAM