Whether to enable the validation of bootspec documents for each build. This will introduce Go in the build-time closure as we are relying on Cuelang for schema validation. Enable this option if you want to ascertain that your documents are correct .

User-defined data that extends the bootspec document.

To reduce incompatibility and prevent names from clashing between applications, it is highly recommended to use a unique namespace for your extensions.

The package to use for bootspec.

A list of additional packages supplying kernel modules.

The set of kernel modules in the initial ramdisk used during the boot process. This set must include all modules necessary for mounting the root device. That is, it should include modules for the physical device (e.g., SCSI drivers) and for the file system (e.g., ext3). The set specified here is automatically closed under the module dependency relation, i.e., all dependencies of the modules list here are included automatically. The modules listed here are available in the initrd, but are only loaded on demand (e.g., the ext3 module is loaded automatically when an ext3 filesystem is mounted, and modules for PCI devices are loaded when they match the PCI ID of a device in your system). To force a module to be loaded, include it in boot.initrd.kernelModules.

The compressor to use on the initrd image. May be any of:

• The name of one of the predefined compressors, see pkgs/build-support/kernel/initrd-compressor-meta.nix for the definitions.
• A function which, given the nixpkgs package set, returns the path to a compressor tool, e.g. pkgs: "${pkgs.pigz}/bin/pigz"
• (not recommended, because it does not work when cross-compiling) the full path to a compressor tool, e.g. "${pkgs.pigz}/bin/pigz"

The given program should read data from stdin and write it to stdout compressed.

Arguments to pass to the compressor for the initrd image, or null to use the compressor's defaults.

Contents of the initrd.

This option has no description.

This option has no description.

Set to true for unauthenticated emergency access to the initramfs rescue shell, and false or null for no access.

Can also be set to a hashed super user password to allow authenticated access to the rescue mode.

When access is denied, finix prints the failure reason on console and reboots after 10s instead of opening a shell.

Whether to enable the NixOS initial RAM disk (initrd). This may be needed to perform some initialisation tasks (like mounting network/encrypted file systems) before continuing the boot process.

Lines of shell commands that are run after coldbooting the device-manager and before mounting file-systems.

List of modules that are always loaded by the initrd.

the initrd to use for your system... use a module to build one

Whether to enable support for the 9p filesystem in the initial ramdisk.

Whether to enable support for the btrfs filesystem in the initial ramdisk.

Packages providing filesystem utilities for btrfs in the initial ramdisk.

Whether to enable support for the ext2 filesystem in the initial ramdisk.

Packages providing filesystem utilities for ext2 in the initial ramdisk.

Whether to enable support for the ext4 filesystem in the initial ramdisk.

Packages providing filesystem utilities for ext4 in the initial ramdisk.

Whether to enable support for the f2fs filesystem in the initial ramdisk.

Packages providing filesystem utilities for f2fs in the initial ramdisk.

Whether to enable support for the fuse filesystem in the initial ramdisk.

Whether to enable LUKS encrypted device support in the initial ramdisk.

Packages providing LUKS utilities in the initial ramdisk.

Whether to enable LVM support in the initial ramdisk.

Packages providing LVM utilities in the initial ramdisk.

Whether to enable support for bind mounts in the initial ramdisk.

This option has no description.

This option has no description.

Whether to enable support for the tmpfs filesystem in the initial ramdisk.

Whether to enable support for the vfat filesystem in the initial ramdisk.

Packages providing filesystem utilities for vfat in the initial ramdisk.

Whether to enable support for the xfs filesystem in the initial ramdisk.

Packages providing filesystem utilities for xfs in the initial ramdisk.

Whether to enable support for the zfs filesystem in the initial ramdisk.

Packages providing filesystem utilities for zfs in the initial ramdisk.

Whether to enable the Linux kernel. This is useful for systemd-like containers which do not require a kernel.

Provides a custom seed for the RANDSTRUCT security option of the Linux kernel. Note that RANDSTRUCT is only enabled in NixOS hardened kernels. Using a custom seed requires building the kernel and dependent packages locally, since this customization happens at build time.

Runtime parameters of the Linux kernel, as set by sysctl(8). Note that sysctl parameters names must be enclosed in quotes (e.g. "vm.swappiness" instead of vm.swappiness). The value of each parameter may be a string, integer, boolean, or null (signifying the option will not appear at all).

The maximum receive socket buffer size in bytes. In case of conflicting values, the highest will be used.

The maximum send socket buffer size in bytes. In case of conflicting values, the highest will be used.

The maximum number of memory map areas a process may have. In case of conflicting values, the highest will be used.

The set of kernel modules to be loaded in the second stage of the boot process. Note that modules that are needed to mount the root file system should be added to boot.initrd.availableKernelModules or boot.initrd.kernelModules.

This option allows you to override the Linux kernel used by NixOS. Since things like external kernel module packages are tied to the kernel you're using, it also overrides those. This option is a function that takes Nixpkgs as an argument (as a convenience), and returns an attribute set containing at the very least an attribute kernel. Additional attributes may be needed depending on your configuration. For instance, if you use the NVIDIA X driver, then it also needs to contain an attribute nvidia_x11.

Please note that we strictly support kernel versions that are maintained by the Linux developers only. More information on the availability of kernel versions is documented in the Linux section of the manual.

Parameters added to the kernel command line.

A list of additional patches to apply to the kernel.

Every item should be an attribute set with the following attributes:

{
  name = "foo";                 # descriptive name, required

  patch = ./foo.patch;          # path or derivation that contains the patch source
                                # (required, but can be null if only config changes
                                # are needed)

  extraStructuredConfig = {     # attrset of extra configuration parameters without the CONFIG_ prefix
    FOO = lib.kernel.yes;       # (optional)
  };                            # values should generally be lib.kernel.yes,
                                # lib.kernel.no or lib.kernel.module

  features = {                  # attrset of extra "features" the kernel is considered to have
    foo = true;                 # (may be checked by other NixOS modules, optional)
  };

  extraConfig = "FOO y";        # extra configuration options in string form without the CONFIG_ prefix
                                # (optional, multiple lines allowed to specify multiple options)
                                # (deprecated, use extraStructuredConfig instead)
}

There's a small set of existing kernel patches in Nixpkgs, available as pkgs.kernelPatches, that follow this format and can be used directly.

Whether the installation process is allowed to modify EFI boot variables.

Where the EFI System Partition is mounted.

Whether to enable modprobe config. This is useful for systems like containers which do not require a kernel.

Whether to enable support for the 9p filesystem.

Whether to enable support for the mergerfs fuse filesystem.

Whether to enable support for the btrfs filesystem.

Packages providing filesystem utilities for btrfs.

Whether to enable support for the efivarfs filesystem.

Whether to enable support for the ext2 filesystem.

Packages providing filesystem utilities for ext2.

Whether to enable support for the ext4 filesystem.

Packages providing filesystem utilities for ext4.

Whether to enable support for the f2fs filesystem.

Packages providing filesystem utilities for f2fs.

Whether to enable support for the fuse filesystem.

Whether to enable LUKS encrypted device support.

Packages providing LUKS utilities.

Whether to enable LVM support.

Packages providing lvm utilities.

Whether to enable support for bind mounts.

This option has no description.

This option has no description.

Whether to enable support for the tmpfs filesystem.

Whether to enable support for the vfat filesystem.

Packages providing filesystem utilities for vfat.

Whether to enable support for the xfs filesystem.

Packages providing filesystem utilities for xfs.

Whether to enable support for the zfs filesystem.

Packages providing filesystem utilities for zfs.

List of ZFS pools to import at boot. Defaults to the pools necessary for booting.

List of ZFS dataset names to load keys for during boot.

Default shell linked system-wide to /bin/sh. Do your best to make sure any modifications to this shell are POSIX-compliant.

Set of files that have to be linked in /etc.

Whether this /etc file should be generated. This option allows specific /etc files to be disabled.

GID of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink').

Group name of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink'). Changing this option takes precedence over gid.

If set to something else than symlink, the file is copied instead of symlinked, with the given file mode.

Path of the source file.

Name of symlink (relative to /etc). Defaults to the attribute name.

Text of the file.

UID of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink').

User name of created file. Only takes effect when the file is copied (that is, the mode is not 'symlink'). Changing this option takes precedence over uid.

Shell fragments to be run after the system environment has been created. This should only be used for things that need to modify the internals of the environment, e.g. generating MIME caches. The environment being built can be accessed at $out.

This option has no description.

List of directories to be symlinked in /run/current-system/sw.

This option has no description.

This option has no description.

The file systems to be mounted. It must include an entry for the root directory (mountPoint = "/"). Each entry in the list is an attribute set with the following fields: mountPoint, device, fsType (a file system type recognised by mount; defaults to "auto"), and options (the mount options passed to mount using the -o flag; defaults to [ "defaults" ]).

Instead of specifying device, you can also specify a volume label (label) for file systems that support it, such as ext2/ext3 (see mke2fs -L).

List of paths that should be mounted before this one. This filesystem's device and mountPoint are always checked and do not need to be included explicitly. If a path is added to this list, any other filesystem whose mount point is a parent of the path will be mounted before this filesystem. The paths do not need to actually be the mountPoint of some other filesystem.

Location of the device.

Type of the file system.

Label of the device (if any).

Location of the mounted file system.

Whether this filesystem is needed for boot. If set, the filesystem will be mounted in the initial ramdisk.

Disable running fsck on this filesystem.

Options used to mount the file system.

An attribute set of cgroups (v2) that will be created by finit.

See upstream documentation for additional details.

The name of the cgroup to create.

Settings to apply to this cgroup.

See kernel documentation for additional details.

Environment variables passed to all finit services.

The package to use for finit.

Packages added to the finit PATH environment variable.

In this mode of operation, every service needs to explicitly declare their readiness notification

An attribute set of resource limits that will be apply by finit.

See upstream documentation for additional details.

An attribute set of one-shot commands to run in sequence when entering a runlevel. run commands are guaranteed to be completed before running the next command. Useful when serialization is required.

See upstream documentation for additional details.

Allow services to run with minimal required privileges instead of running as root.

For services that need to create their own child cgroups (container runtimes like docker, podman, systemd-nspawn, lxc, etc...).

See upstream documentation for details.

The name of the cgroup to place this process under.

The cgroup settings to apply to this process.

See kernel documentation for additional details.

A script which will be called when the service is removed.

The command to execute.

See upstream documentation for details.

If you have conflicting services and want to prevent them from starting.

A human-readable description of this service, displayed by initctl.

Whether to enable this stanza.

either a path or a path prefixed with a '-' to indicate a missing file is fine.

Environment variables passed to this service.

A place for finit configuration options which have not been added to the nix module yet.

The group this service should be executed as.

The instance identifier, derived from the attribute name if it contains an @ character.

Redirect stderr and stdout of the application to a file or syslog using the native logit tool. This is useful for programs that do not support syslog on their own, which is sometimes the case when running in the foreground.

See upstream documentation for additional details.

If a service should not be automatically started, it can be configured as manual. The service can then be started at any time by running initctl start <service>.

The name of this stanza, derived from the attribute name.

Packages added to the PATH environment variable of this service.

A script which will be called after the service has stopped.

A script which will be called before the service is started.

Order of this run command in relation to the others. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

By default, a run or task will re-run each time its runlevel is entered, and its post: script does not run on completion.

With remain:yes, the task runs once and does not re-run on runlevel. The post: script will run if the task is explicitly stopped or when the task leaves its valid runlevels.

Enable endless restarts without counting toward the retry limit. When set, the service will be restarted indefinitely regardless of the restart limit.

The number of times finit tries to restart a crashing service. When this limit is reached the service is marked crashed and must be restarted manually with initctl restart NAME.

The number of seconds before Finit tries to restart a crashing service, default: 2 seconds for the first five retries, then back-off to 5 seconds. The maximum of this configured value and the above (2 and 5) will be used.

See upstream documentation for details.

Explicitly specify supplementary groups, in addition to reading group membership from /etc/group.

The user this service should be executed as.

The runlevel to start after bootstrap, S.

An attribute set of services, or daemons, to be monitored and automatically restarted if they exit prematurely.

See upstream documentation for additional details.

Allow services to run with minimal required privileges instead of running as root.

For services that need to create their own child cgroups (container runtimes like docker, podman, systemd-nspawn, lxc, etc...).

See upstream documentation for details.

The name of the cgroup to place this process under.

The cgroup settings to apply to this process.

See kernel documentation for additional details.

A script which will be called when the service is removed.

The command to execute.

See upstream documentation for details.

If you have conflicting services and want to prevent them from starting.

A human-readable description of this service, displayed by initctl.

Whether to enable this stanza.

either a path or a path prefixed with a '-' to indicate a missing file is fine.

Environment variables passed to this service.

A place for finit configuration options which have not been added to the nix module yet.

The group this service should be executed as.

The instance identifier, derived from the attribute name if it contains an @ character.

The delay in seconds between finit sending a SIGTERM and a SIGKILL.

Redirect stderr and stdout of the application to a file or syslog using the native logit tool. This is useful for programs that do not support syslog on their own, which is sometimes the case when running in the foreground.

See upstream documentation for additional details.

If a service should not be automatically started, it can be configured as manual. The service can then be started at any time by running initctl start <service>.

The name of this stanza, derived from the attribute name.

Whether this service supports reload on SIGHUP.

See upstream documentation for details.

• reboot - when all retries have failed, and the service has crashed, if this option is set the system is rebooted.
• script - similarly, but instead of rebooting, call the post:script action if set.

Packages added to the PATH environment variable of this service.

See upstream documentation for details.

A script which will be called after the service has stopped.

A script which will be called before the service is started.

A script which will be called when the service is ready.

Some services do not support SIGHUP but may have other ways to update the configuration of a running daemon. When reload is defined it is preferred over SIGHUP. Like systemd, finit sets ``$MAINPIDas a convenience to scripts, which in effect also allow settingreload` to `kill -HUP $MAINPID`.

Enable endless restarts without counting toward the retry limit. When set, the service will be restarted indefinitely regardless of the restart limit.

The number of times finit tries to restart a crashing service. When this limit is reached the service is marked crashed and must be restarted manually with initctl restart NAME.

The number of seconds before Finit tries to restart a crashing service, default: 2 seconds for the first five retries, then back-off to 5 seconds. The maximum of this configured value and the above (2 and 5) will be used.

An attribute set of resource limits that will be apply by finit.

See upstream documentation for additional details.

See upstream documentation for details.

Some services may require alternate methods to be stopped. If stop is defined it is preferred over SIGTERM. Similar to reload, finit sets $MAINPID.

Explicitly specify supplementary groups, in addition to reading group membership from /etc/group.

Service type. Set to "forking" for traditional daemons that fork to the background and use PID files for process tracking.

The user this service should be executed as.

An attribute set of SysV init scripts to be managed by finit. These are legacy init scripts that are called with start, stop, and restart arguments.

See upstream documentation for additional details.

Allow services to run with minimal required privileges instead of running as root.

For services that need to create their own child cgroups (container runtimes like docker, podman, systemd-nspawn, lxc, etc...).

See upstream documentation for details.

The name of the cgroup to place this process under.

The cgroup settings to apply to this process.

See kernel documentation for additional details.

A script which will be called when the service is removed.

The command to execute.

See upstream documentation for details.

If you have conflicting services and want to prevent them from starting.

A human-readable description of this service, displayed by initctl.

Whether to enable this stanza.

either a path or a path prefixed with a '-' to indicate a missing file is fine.

Environment variables passed to this service.

A place for finit configuration options which have not been added to the nix module yet.

The group this service should be executed as.

The instance identifier, derived from the attribute name if it contains an @ character.

The delay in seconds between finit sending a SIGTERM and a SIGKILL.

Redirect stderr and stdout of the application to a file or syslog using the native logit tool. This is useful for programs that do not support syslog on their own, which is sometimes the case when running in the foreground.

See upstream documentation for additional details.

If a service should not be automatically started, it can be configured as manual. The service can then be started at any time by running initctl start <service>.

The name of this stanza, derived from the attribute name.

Whether this service supports reload on SIGHUP.

See upstream documentation for details.

• reboot - when all retries have failed, and the service has crashed, if this option is set the system is rebooted.
• script - similarly, but instead of rebooting, call the post:script action if set.

Packages added to the PATH environment variable of this service.

See upstream documentation for details.

A script which will be called after the service has stopped.

A script which will be called before the service is started.

A script which will be called when the service is ready.

Some services do not support SIGHUP but may have other ways to update the configuration of a running daemon. When reload is defined it is preferred over SIGHUP. Like systemd, finit sets ``$MAINPIDas a convenience to scripts, which in effect also allow settingreload` to `kill -HUP $MAINPID`.

Enable endless restarts without counting toward the retry limit. When set, the service will be restarted indefinitely regardless of the restart limit.

The number of times finit tries to restart a crashing service. When this limit is reached the service is marked crashed and must be restarted manually with initctl restart NAME.

The number of seconds before Finit tries to restart a crashing service, default: 2 seconds for the first five retries, then back-off to 5 seconds. The maximum of this configured value and the above (2 and 5) will be used.

An attribute set of resource limits that will be apply by finit.

See upstream documentation for additional details.

See upstream documentation for details.

Some services may require alternate methods to be stopped. If stop is defined it is preferred over SIGTERM. Similar to reload, finit sets $MAINPID.

Explicitly specify supplementary groups, in addition to reading group membership from /etc/group.

Service type. Set to "forking" for traditional daemons that fork to the background and use PID files for process tracking.

The user this service should be executed as.

An attribute set of one-shot commands to be executed by finit.

See upstream documentation for additional details.

Allow services to run with minimal required privileges instead of running as root.

For services that need to create their own child cgroups (container runtimes like docker, podman, systemd-nspawn, lxc, etc...).

See upstream documentation for details.

The name of the cgroup to place this process under.

The cgroup settings to apply to this process.

See kernel documentation for additional details.

A script which will be called when the service is removed.

The command to execute.

See upstream documentation for details.

If you have conflicting services and want to prevent them from starting.

A human-readable description of this service, displayed by initctl.

Whether to enable this stanza.

either a path or a path prefixed with a '-' to indicate a missing file is fine.

Environment variables passed to this service.

A place for finit configuration options which have not been added to the nix module yet.

The group this service should be executed as.

The instance identifier, derived from the attribute name if it contains an @ character.

Redirect stderr and stdout of the application to a file or syslog using the native logit tool. This is useful for programs that do not support syslog on their own, which is sometimes the case when running in the foreground.

See upstream documentation for additional details.

If a service should not be automatically started, it can be configured as manual. The service can then be started at any time by running initctl start <service>.

The name of this stanza, derived from the attribute name.

Packages added to the PATH environment variable of this service.

A script which will be called after the service has stopped.

A script which will be called before the service is started.

By default, a run or task will re-run each time its runlevel is entered, and its post: script does not run on completion.

With remain:yes, the task runs once and does not re-run on runlevel. The post: script will run if the task is explicitly stopped or when the task leaves its valid runlevels.

Enable endless restarts without counting toward the retry limit. When set, the service will be restarted indefinitely regardless of the restart limit.

The number of times finit tries to restart a crashing service. When this limit is reached the service is marked crashed and must be restarted manually with initctl restart NAME.

The number of seconds before Finit tries to restart a crashing service, default: 2 seconds for the first five retries, then back-off to 5 seconds. The maximum of this configured value and the above (2 and 5) will be used.

An attribute set of resource limits that will be apply by finit.

See upstream documentation for additional details.

See upstream documentation for details.

Explicitly specify supplementary groups, in addition to reading group membership from /etc/group.

The user this service should be executed as.

Rules for creation, deletion and cleaning of volatile and temporary files automatically. See tmpfiles.d(5) for the exact format.

An attribute set of TTYs that finit should manage.

See upstream documentation for additional details.

Baud rate for serial TTYs.

For services that need to create their own child cgroups (container runtimes like docker, podman, systemd-nspawn, lxc, etc...).

See upstream documentation for details.

The name of the cgroup to place this process under.

The cgroup settings to apply to this process.

See kernel documentation for additional details.

Specify an external getty, like agetty or the BusyBox getty.

See upstream documentation for details.

A human-readable description of this service, displayed by initctl.

Embedded systems may want to enable automatic device by supplying the special @console device. This works regardless weather the system uses ttyS0, ttyAMA0, ttyMXC0, or anything else. finit figures it out by querying sysfs: /sys/class/tty/console/active.

Whether to enable this stanza.

A place for finit configuration options which have not been added to the nix module yet.

Explicit instance ID for the TTY. If not set, finit auto-derives it from the device name (e.g., tty1 becomes :1, ttyS0 becomes :S0).

Disables clearing the TTY after each session. Clearing the TTY when a user logs out is usually preferable.

Disables getty and /bin/login, and gives the user a root (login) shell on the given TTY device immediately. Needless to say, this is a rather insecure option, but can be very useful for developer builds, during board bringup, or similar.

No device node mode. This is insecure and intended only for board bringup or testing scenarios.

Disables the press Enter to activate console message before actually starting the getty program.

Start sulogin instead of a regular shell, requiring the root password. Useful for rescue/single-user mode.

See upstream documentation for details.

The TERM environment variable value for the TTY.

Enable a basic set of fonts providing several styles and families and reasonable coverage of Unicode.

Allow bitmap fonts. Set to false to ban all bitmap fonts.

Allow Type-1 fonts. Default is false because of poor rendering.

Enable font antialiasing. At high resolution (> 200 DPI), antialiasing has no visible effect; users of such displays may want to disable this option.

Generate system fonts cache for 32-bit applications.

System-wide default emoji font(s). Multiple fonts may be listed in case a font does not support all emoji.

Note that fontconfig matches color emoji fonts preferentially, so if you want to use a black and white font while having a color font installed (eg. Noto Color Emoji installed alongside Noto Emoji), fontconfig will still choose the color font even when it is later in the list.

System-wide default monospace font(s). Multiple fonts may be listed in case multiple languages must be supported.

System-wide default sans serif font(s). Multiple fonts may be listed in case multiple languages must be supported.

System-wide default serif font(s). Multiple fonts may be listed in case multiple languages must be supported.

If enabled, a Fontconfig configuration file will be built pointing to a set of default fonts. If you don't care about running X11 applications or any other program that uses Fontconfig, you can leave this option off and prevent a dependency on all those fonts.

Enable the autohinter in place of the default interpreter. The results are usually lower quality than correctly-hinted fonts, but better than unhinted fonts.

Enable font hinting. Hinting aligns glyphs to pixel boundaries to improve rendering sharpness at low resolution. At high resolution (> 200 dpi) hinting will do nothing (at best); users of such displays may want to disable this option.

Hintstyle is the amount of font reshaping done to line up to the grid.

slight will make the font more fuzzy to line up to the grid but will be better in retaining font shape, while full will be a crisp font that aligns well to the pixel grid but will lose a greater amount of font shape.

Include the user configuration from /.config/fontconfig/fonts.conf or /.config/fontconfig/conf.d.

System-wide customization file contents, has higher priority than defaultFonts settings.

FreeType LCD filter. At high resolution (> 200 DPI), LCD filtering has no visible effect; users of such displays may want to select none.

Subpixel order. The overwhelming majority of displays are rgb in their normal orientation. Select vrgb for mounting such a display 90 degrees clockwise from its normal orientation or vbgr for mounting 90 degrees counter-clockwise. Select bgr in the unlikely event of mounting 180 degrees from the normal orientation. Reverse these directions in the improbable event that the display's native subpixel order is bgr.

Use embedded bitmaps in fonts like Calibri.

List of primary font packages.

Binary keymap file. If unset then this is generated from the hardware.console.keyMap option.

Whether to configure the console at boot.

The keyboard mapping table for the virtual consoles. This option may have no effect if hardware.console.binaryKeyMap is set.

Turn VESA screen blanking on or off.

List of packages containing firmware files. Such files will be loaded automatically if the kernel asks for them (i.e., when it has detected specific hardware that requires firmware to function). If multiple packages contain firmware files with the same name, the first package in the list takes precedence. Note that you must rebuild your system if you add files to any of these directories.

Whether to enable hardware accelerated graphics drivers.

This is required to allow most graphical applications and environments to use hardware rendering, video encode/decode acceleration, etc.

This option should be enabled by default by the corresponding modules, so you do not usually have to set it yourself.

On 64-bit systems, whether to also install 32-bit drivers for 32-bit applications (such as Wine).

Additional packages to add to the default graphics driver lookup path. This can be used to add OpenCL drivers, VA-API/VDPAU drivers, etc.

Additional packages to add to 32-bit graphics driver lookup path on 64-bit systems. Used when enable32Bit is set. This can be used to add OpenCL drivers, VA-API/VDPAU drivers, etc.

Whether to enable support for i2c devices. Access to these devices is granted to users in the hardware.i2c.group group.

Group to own the /dev/i2c-* devices.

Whether to enable NVIDIA driver support .

Whether to enable forcefully the full composition pipeline. This sometimes fixes screen tearing issues. This has been reported to reduce the performance of some OpenGL applications and may produce issues in WebGL. It also drastically increases the time the driver needs to clock down after load .

Whether to enable the GPU System Processor (GSP) on the video card .

Whether to enable kernel modesetting when using the NVIDIA proprietary driver.

Enabling this fixes screen tearing when using Optimus via PRIME (see hardware.nvidia.prime.sync.enable. This is not enabled by default because it is not officially supported by NVIDIA and would not work with SLI.

Enabling this and using version 545 or newer of the proprietary NVIDIA driver causes it to provide its own framebuffer device, which can cause Wayland compositors to work when they otherwise wouldn't. .

Whether to enable the open source NVIDIA kernel module.

The NVIDIA driver package to use.

Whether to enable experimental power management through systemd. For more information, see the NVIDIA docs, on Chapter 21. Configuring Power Management Support .

Whether to enable experimental power management of PRIME offload. For more information, see the NVIDIA docs, on Chapter 22. PCI-Express Runtime D3 (RTD3) Power Management .

Whether to enable NVIDIA driver support for kernel suspend notifiers, which allows the driver to be notified of suspend and resume events by the kernel, rather than relying on systemd services. Requires NVIDIA driver version 595 or newer, and the open source kernel modules. .

Whether to enable configuring X to allow external NVIDIA GPUs when using Prime [Reverse] sync optimus .

Bus ID of the AMD APU. You can find it using lspci; for example if lspci shows the AMD APU at "0001:02:03.4", set this option to "PCI:2@1:3:4".

lspci might omit the PCI domain (0001 in above example) if it is zero. In which case, use "@0" instead.

Please be aware that this option takes decimal address while lspci reports hexadecimal address. So for device at domain "10000", use "@65536".

Bus ID of the Intel GPU. You can find it using lspci; for example if lspci shows the Intel GPU at "0001:02:03.4", set this option to "PCI:2@1:3:4".

lspci might omit the PCI domain (0001 in above example) if it is zero. In which case, use "@0" instead.

Please be aware that this option takes decimal address while lspci reports hexadecimal address. So for device at domain "10000", use "@65536".

Bus ID of the NVIDIA GPU. You can find it using lspci; for example if lspci shows the NVIDIA GPU at "0001:02:03.4", set this option to "PCI:2@1:3:4".

lspci might omit the PCI domain (0001 in above example) if it is zero. In which case, use "@0" instead.

Please be aware that this option takes decimal address while lspci reports hexadecimal address. So for device at domain "10000", use "@65536".

Whether to enable render offload support using the NVIDIA proprietary driver via PRIME.

If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to be specified (hardware.nvidia.prime.nvidiaBusId and hardware.nvidia.prime.intelBusId or hardware.nvidia.prime.amdgpuBusId) .

Whether to enable adding a nvidia-offload convenience script to environment.systemPackages for offloading programs to an nvidia device. To work, you must also enable hardware.nvidia.prime.offload.enable or hardware.nvidia.prime.reverseSync.enable.

Example usage: nvidia-offload sauerbraten_client

This script can be renamed with hardware.nvidia.prime.offload.enableOffloadCmd. .

Specifies the CLI name of the hardware.nvidia.prime.offload.enableOffloadCmd convenience script for offloading programs to an nvidia device.

Whether to enable NVIDIA Optimus support using the NVIDIA proprietary driver via reverse PRIME. If enabled, the Intel/AMD GPU will be used for all rendering, while enabling output to displays attached only to the NVIDIA GPU without a multiplexer.

Warning: This feature is relatively new, depending on your system this might work poorly. AMD support, especially so. See: <https://forums.developer.nvidia.com/t/the-all-new-outputsink-feature-aka-reverse-prime/129828>

Note that this option only has any effect if the "nvidia" driver is specified in services.xserver.videoDrivers, and it should preferably be the only driver there.

If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to be specified (hardware.nvidia.prime.nvidiaBusId and hardware.nvidia.prime.intelBusId or hardware.nvidia.prime.amdgpuBusId).

If you enable this, you may want to also enable kernel modesetting for the NVIDIA driver (hardware.nvidia.modesetting.enable) in order to prevent tearing.

Note that this configuration will only be successful when a display manager for which the services.xserver.displayManager.setupCommands option is supported is used .

Whether to enable configure the display manager to be able to use the outputs attached to the NVIDIA GPU. Disable in order to configure the NVIDIA GPU outputs manually using xrandr. Note that this configuration will only be successful when a display manager for which the services.xserver.displayManager.setupCommands option is supported is used .

Whether to enable NVIDIA Optimus support using the NVIDIA proprietary driver via PRIME. If enabled, the NVIDIA GPU will be always on and used for all rendering, while enabling output to displays attached only to the integrated Intel/AMD GPU without a multiplexer.

Note that this option only has any effect if the "nvidia" driver is specified in services.xserver.videoDrivers, and it should preferably be the only driver there.

If this is enabled, then the bus IDs of the NVIDIA and Intel/AMD GPUs have to be specified (hardware.nvidia.prime.nvidiaBusId and hardware.nvidia.prime.intelBusId or hardware.nvidia.prime.amdgpuBusId).

If you enable this, you may want to also enable kernel modesetting for the NVIDIA driver (hardware.nvidia.modesetting.enable) in order to prevent tearing.

Note that this configuration will only be successful when a display manager for which the services.xserver.displayManager.setupCommands option is supported is used .

Whether to enable Whether video acceleration (VA-API) should be enabled. .

Whether to enable uinput support.

Group to own the uinput devices.

The default locale. It determines the language for program messages, the format for dates and times, sort order, and so on. It also determines the character set, such as UTF-8.

A set of additional system-wide locale settings other than LANG which can be configured with i18n.defaultLocale.

Customized pkg.glibcLocales package.

Changing this option can disable handling of i18n.defaultLocale and supportedLocale.

List of locales that the system should support. The value "all" means that all locales supported by Glibc will be installed. A full list of supported locales can be found at <https://sourceware.org/git/?p=glibc.git;a=blob;f=localedata/SUPPORTED>.

List of maintainers of each module. This option should be defined at most once per module.

The option value is not a list of maintainers, but an attribute set that maps module file names to lists of maintainers.

The 32-bit host ID of the machine, formatted as 8 hexadecimal characters.

You should try to make this ID unique among your machines. You can generate a random 32-bit ID using the following commands:

head -c 8 /etc/machine-id

(this derives it from the machine-id that systemd generates) or

head -c4 /dev/urandom | od -A none -t x4

The primary use case is to ensure when using ZFS that a pool isn't imported accidentally on a wrong machine.

The hostname of this system.

Locally defined maps of hostnames to IP addresses.

The nixpkgs package set to use for this system.

Whether to enable bash.

The package to use for bash.

Whether to enable brightnessctl.

The package to use for brightnessctl.

Package providing the standard core utilities used by the system.

Most modules should use this option instead of depending directly on pkgs.coreutils, allowing alternative implementations such as uutils, busybox, or toybox to be selected globally.

Whether to enable dma.

The package to use for dma.

dma configuration. See dma(8) for additional details.

Whether to enable doas.

The package to use for doas.

Whether to enable fish.

The package to use for fish.

Whether to enable gamemode.

The package to use for gamemode.

gamemode configuration. See gamemoded(8) for additional details.

Whether to enable gnome-keyring.

Whether to enable hyprland.

The package to use for hyprland.

Whether to enable hyprlock.

The package to use for hyprlock.

Designates interfaces that should be automatically configured by the system when appropriate.

Whether to enable debug logging.

Whether to enable ifupdown-ng.

Additional arguments to pass to ifupdown-ng. See ifupdown-ng(8) for additional details.

/etc/network/interfaces configuration. See interfaces(5) for additional details.

Associates an IPv4 or IPv6 address in CIDR notation with the parent interface.

Associates an IPv4 or IPv6 address with the parent interface for use as a default route (gateway).

Designates one or more required interfaces that must be brought up before configuration of the parent interface. Interfaces associated with the parent are taken down at the same time as the parent.

Designates that an executor should be used. See EXECUTORS section for more information on executors.

The package to use for ifupdown-ng.

ifupdown-ng configuration. See ifupdown-ng.conf(5) for additional details.

Whether to enable labwc.

The package to use for labwc.

A set of files to be copied to /boot. Each attribute name denotes the destination file name in /boot, while the corresponding attribute value specifies the source file.

Device to install the BIOS version of limine on.

Whether or not to install limine for BIOS.

Whether to enable debug logging.

Whether or not to install the limine EFI files as removable.

See boot.loader.grub.efiInstallAsRemovable

Whether or not to install the limine EFI files.

Whether to enable limine as the system bootloader.

Whether or not to enroll the config. Only works on EFI!

A string which is appended to the end of limine.conf. The config format can be found here.

Force installation even if the safety checks fail, use absolutely only if necessary!

Maximum number of latest generations in the boot menu. Useful to prevent boot partition of running out of disk space. null means no limit i.e. all generations that were not garbage collected yet.

The package to use for limine.

The 1-based index of the dedicated partition for limine's second stage.

Enroll automatically generated keys.

Extra arguments passed to sbctl.

Generate keys automatically when none exists during bootloader installation.

Whether to sign the limine binary with sbctl.

The sbctl package to use.

limine configuration. See upstream documentation for additional details.

If set to false, the editor will not be accessible.

If set to false, do not panic if there is a hash mismatch for a file, but print a warning instead.

Specifies the timeout in seconds before the first entry is automatically booted. If set to "no", disable automatic boot. If set to 0, boots default entry instantly.

A list of wallpapers. If more than one is specified, a random one will be selected at boot.

The style which will be used to display the wallpaper image.

Whether to validate file checksums before booting.

Whether to enable LXQt.

Which LXQt packages to exclude from the default environment.

Extra packages to be installed system wide.

The package that provides a default icon theme.

The default Wayland compositor package to use.

Whether to enable the LXQt desktop environment's Wayland session.

Whether to enable the LXQt desktop environment's X11 session.

The default X11 window manager package to use.

Whether to enable mangowc.

The package to use for mangowc.

Whether to configure micro as the default editor using the EDITOR environment variable.

Whether to enable micro.

The package to use for micro.

Whether to configure nano as the default editor using the EDITOR environment variable.

Whether to enable nano.

The package to use for nano.

Whether to enable niri.

The package to use for niri.

Whether to enable nvidia-settings.

The package to use for nvidia-settings.

Whether to enable debug logging.

Whether to enable plymouth.

Font file made available for displaying text on the splash screen.

The package to use for plymouth.

plymouthd configuration. See plymouthd(8) for additional details.

The name of the plymouth theme to use. Must match the directory name of the theme within the theme package specified by programs.plymouth.theme.

The package containing a plymouth theme.

Whether to enable pmount.

The package to use for pmount.

Environment variables to pass to cage. See upstream documentation for additional details.

Additional arguments to pass to cage. See upstream documentation for additional details.

The package to use for cage.

Whether to enable debug logging.

Whether to enable regreet.

The package to use for regreet.

regreet configuration. See upstream documentation for additional details.

Whether to enable resolvconf.

The package to use for resolvconf.

resolvconf configuration. See resolvconf.conf(5) for additional details.

Whether to enable seahorse.

Whether to enable shadow.

The package to use for shadow.

shadow configuration. See login.defs(5) for additional details.

Indicate if login is allowed if we can't cd to the home directory.

This defines the system default encryption algorithm for encrypting passwords.

Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.

Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.

Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers

Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers

Range of user IDs used for the creation of system users by useradd or newusers.

Range of user IDs used for the creation of system users by useradd or newusers.

The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM.

The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM.

Range of user IDs used for the creation of regular users by useradd or newusers.

Range of user IDs used for the creation of regular users by useradd or newusers.

The file mode creation mask is initialized to this value.

Whether to enable sudo.

The package to use for sudo.

Whether to enable sway.

The package to use for sway.

Whether to enable debug logging.

Whether to enable tuigreet.

Additional arguments to pass to tuigreet. See tuigreet(1) for additional details.

The package to use for tuigreet.

Whether to enable virtualbox.

The package to use for virtualbox.

Whether to enable xwayland-satellite.

The package to use for xwayland-satellite.

Whether to enable zzz.

The package to use for zzz.

The selected module which should implement functionality for the providers.bootloader contract.

The full path to a program of your choosing which performs the bootloader installation process.

The program will be called with an argument pointing to the output of the system's toplevel.

The selected module which should implement functionality for the providers.privileges contract.

The command to be used by modules requiring privilege escalation.

A list of rules which provide a way to temporarily elevate the privileges of a command for a given user or group.

Arguments that must be provided to the command. When empty, the command must be run without any arguments.

The command the user or group members are allowed to run.

The groups that are able to run this command.

Whether the user is required to enter a password.

The user the command is allowed to run as, or "*" for allowing the command to run as any user.

The users that are able to run this command.

The selected module which should implement functionality for the providers.resumeAndSuspend contract.

A set of hooks which are to be run on system suspend, hibernate or resume.

Shell commands to execute when the event is triggered.

Whether this hook should be executed on the given event.

The event type.

Order of this hook in relation to the others. The semantics are the same as with lib.mkOrder. Smaller values are inserted first.

The selected module which should implement functionality for the providers.scheduler contract.

Whether the selected providers.scheduler implementation supports running tasks as a specified user.

A set of tasks which are to be run at specified intervals.

The command this task should execute at specified intervals.

The interval at which this task should run its specified command. Accepts either a standard crontab(5) expression or one of: hourly, daily, weekly, monthly, or yearly.

If a standard crontab(5) expression is provided this value will be passed directly to the scheduler implementation and execute exactly as specified.

If one of the special values, hourly, daily, monthly, weekly, or yearly, is provided then the underlying scheduler implementation will use its features to decide when best to run.

The user this task should run as, subject to provider.scheduler implementation capabilities. See providers.scheduler.supportedFeatures and your selected backend implementation for additional details.

This option has no description.

This option has no description.

Set of rules for pam_env(8).

The DEFAULT environment variables to be set, unset or modified by pam_env(8). See pam_env.conf(5) for additional details.

The environment variables to be set, unset or modified by pam_env(8). See pam_env.conf(5) for additional details.

This option has no description.

This option has no description.

This option has no description.

This option has no description.

This option has no description.

(Read-only) the path to the final bundle of certificate authorities as a single file.

A list of blacklisted CA certificate names that won't be imported from the Mozilla Trust Store into /etc/ssl/certs/ca-certificates.crt. Use the names from that file.

A list of files containing trusted root certificates in PEM format. These are concatenated to form /etc/ssl/certs/ca-certificates.crt, which is used by many programs that use OpenSSL, such as curl and git.

A list of trusted root certificates in PEM format.

Whether to enable usage of a compatibility bundle.

Such a bundle consists exclusively of BEGIN CERTIFICATE and no BEGIN TRUSTED CERTIFICATE, which is an OpenSSL specific PEM format.

It is known to be incompatible with certain software stacks.

Nevertheless, enabling this will strip all additional trust rules provided by the certificates themselves. This can have security consequences depending on your usecases .

Size limit for the /run/wrappers tmpfs. Look at mount(8), tmpfs size option, for the accepted syntax. WARNING: don't set to less than 64MB.

This option effectively allows adding setuid/setgid bits, capabilities, changing file ownership and permissions of a program without directly modifying it. This works by creating a wrapper program under the security.wrapperDir directory, which is then added to the shell PATH.

A comma-separated list of capability clauses to be given to the wrapper program. The format for capability clauses is described in the “TEXTUAL REPRESENTATION” section of the cap_from_text(3) manual page. For a list of capabilities supported by the system, check the capabilities(7) manual page.