mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-09 09:36:20 +09:00

treewide: Fix all Nix ASTs in all markdown files

This allows for correct highlighting and maybe future automatic
formatting. The AST was verified to work with nixfmt only.
Janne Heß 2024-03-27 19:10:27 +01:00 committed by Valentin Gagarin
parent bc77c7a973
commit fcc95ff817
150 changed files with 2896 additions and 2087 deletions


@ -47,9 +47,9 @@ You can write a `let` wherever an expression is allowed. Thus, you also could ha
```nix
{
services.httpd.virtualHosts =
let commonConfig = ...; in
{ "blog.example.org" = (commonConfig // { ... })
"wiki.example.org" = (commonConfig // { ... })
let commonConfig = { /* ... */ }; in
{ "blog.example.org" = (commonConfig // { /* ... */ });
"wiki.example.org" = (commonConfig // { /* ... */ });
};
}
```


@ -6,8 +6,10 @@ is useful for doing network configuration not covered by the existing NixOS
modules. For instance, to statically configure an IPv6 address:
```nix
networking.localCommands =
''
ip -6 addr add 2001:610:685:1::1/64 dev eth0
'';
{
networking.localCommands =
''
ip -6 addr add 2001:610:685:1::1/64 dev eth0
'';
}
```


@ -23,7 +23,9 @@ Then you write and test the package as described in the Nixpkgs manual.
Finally, you add it to [](#opt-environment.systemPackages), e.g.
```nix
environment.systemPackages = [ pkgs.my-package ];
{
environment.systemPackages = [ pkgs.my-package ];
}
```
and you run `nixos-rebuild`, specifying your own Nixpkgs tree:
@ -38,24 +40,28 @@ tree. For instance, here is how you specify a build of the
`configuration.nix`:
```nix
environment.systemPackages =
let
my-hello = with pkgs; stdenv.mkDerivation rec {
name = "hello-2.8";
src = fetchurl {
url = "mirror://gnu/hello/${name}.tar.gz";
hash = "sha256-5rd/gffPfa761Kn1tl3myunD8TuM+66oy1O7XqVGDXM=";
{
environment.systemPackages =
let
my-hello = with pkgs; stdenv.mkDerivation rec {
name = "hello-2.8";
src = fetchurl {
url = "mirror://gnu/hello/${name}.tar.gz";
hash = "sha256-5rd/gffPfa761Kn1tl3myunD8TuM+66oy1O7XqVGDXM=";
};
};
};
in
[ my-hello ];
in
[ my-hello ];
}
```
Of course, you can also move the definition of `my-hello` into a
separate Nix expression, e.g.
```nix
environment.systemPackages = [ (import ./my-hello.nix) ];
{
environment.systemPackages = [ (import ./my-hello.nix) ];
}
```
where `my-hello.nix` contains:
@ -88,7 +94,9 @@ section](#module-services-flatpak). AppImages will not run "as-is" on NixOS.
First you need to install `appimage-run`: add to `/etc/nixos/configuration.nix`
```nix
environment.systemPackages = [ pkgs.appimage-run ];
{
environment.systemPackages = [ pkgs.appimage-run ];
}
```
Then instead of running the AppImage "as-is", run `appimage-run foo.appimage`.


@ -5,7 +5,7 @@ The NixOS configuration file generally looks like this:
```nix
{ config, pkgs, ... }:
{ option definitions
{ /* option definitions */
}
```
@ -80,7 +80,9 @@ Strings
: Strings are enclosed in double quotes, e.g.
```nix
networking.hostName = "dexter";
{
networking.hostName = "dexter";
}
```
Special characters can be escaped by prefixing them with a backslash
@ -89,11 +91,13 @@ Strings
Multi-line strings can be enclosed in *double single quotes*, e.g.
```nix
networking.extraHosts =
''
127.0.0.2 other-localhost
10.0.0.1 server
'';
{
networking.extraHosts =
''
127.0.0.2 other-localhost
10.0.0.1 server
'';
}
```
The main difference is that it strips from each line a number of
@ -108,8 +112,10 @@ Booleans
: These can be `true` or `false`, e.g.
```nix
networking.firewall.enable = true;
networking.firewall.allowPing = false;
{
networking.firewall.enable = true;
networking.firewall.allowPing = false;
}
```
Integers
@ -117,7 +123,9 @@ Integers
: For example,
```nix
boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 60;
{
boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 60;
}
```
(Note that here the attribute name `net.ipv4.tcp_keepalive_time` is
@ -132,11 +140,13 @@ Sets
braces, as in the option definition
```nix
fileSystems."/boot" =
{ device = "/dev/sda1";
fsType = "ext4";
options = [ "rw" "data=ordered" "relatime" ];
};
{
fileSystems."/boot" =
{ device = "/dev/sda1";
fsType = "ext4";
options = [ "rw" "data=ordered" "relatime" ];
};
}
```
Lists
@ -145,13 +155,17 @@ Lists
separated by whitespace, like this:
```nix
boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ];
{
boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ];
}
```
List elements can be any other type, e.g. sets:
```nix
swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
{
swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
}
```
Packages
@ -161,12 +175,14 @@ Packages
argument `pkgs`. Typical uses:
```nix
environment.systemPackages =
[ pkgs.thunderbird
pkgs.emacs
];
{
environment.systemPackages =
[ pkgs.thunderbird
pkgs.emacs
];
services.postgresql.package = pkgs.postgresql_14;
services.postgresql.package = pkgs.postgresql_14;
}
```
The latter option definition changes the default PostgreSQL package


@ -16,18 +16,20 @@ Examples include:
You can use them like this:
```nix
environment.systemPackages = with pkgs; [
sl
(pass.withExtensions (subpkgs: with subpkgs; [
pass-audit
pass-otp
pass-genphrase
]))
(python3.withPackages (subpkgs: with subpkgs; [
requests
]))
cowsay
];
{
environment.systemPackages = with pkgs; [
sl
(pass.withExtensions (subpkgs: with subpkgs; [
pass-audit
pass-otp
pass-genphrase
]))
(python3.withPackages (subpkgs: with subpkgs; [
requests
]))
cowsay
];
}
```
:::
@ -38,7 +40,9 @@ dependency on GTK 2. If you want to build it against GTK 3, you can
specify that as follows:
```nix
environment.systemPackages = [ (pkgs.emacs.override { gtk = pkgs.gtk3; }) ];
{
environment.systemPackages = [ (pkgs.emacs.override { gtk = pkgs.gtk3; }) ];
}
```
The function `override` performs the call to the Nix function that
@ -58,12 +62,14 @@ of the package, such as the source code. For instance, if you want to
override the source code of Emacs, you can say:
```nix
environment.systemPackages = [
(pkgs.emacs.overrideAttrs (oldAttrs: {
name = "emacs-25.0-pre";
src = /path/to/my/emacs/tree;
}))
];
{
environment.systemPackages = [
(pkgs.emacs.overrideAttrs (oldAttrs: {
name = "emacs-25.0-pre";
src = /path/to/my/emacs/tree;
}))
];
}
```
Here, `overrideAttrs` takes the Nix derivation specified by `pkgs.emacs`
@ -80,9 +86,11 @@ two instances of the package. If you want to have everything depend on
your customised instance, you can apply a *global* override as follows:
```nix
nixpkgs.config.packageOverrides = pkgs:
{ emacs = pkgs.emacs.override { gtk = pkgs.gtk3; };
};
{
nixpkgs.config.packageOverrides = pkgs:
{ emacs = pkgs.emacs.override { gtk = pkgs.gtk3; };
};
}
```
The effect of this definition is essentially equivalent to modifying the


@ -7,7 +7,9 @@ following line to `configuration.nix` enables the Mozilla Thunderbird
email application:
```nix
environment.systemPackages = [ pkgs.thunderbird ];
{
environment.systemPackages = [ pkgs.thunderbird ];
}
```
The effect of this specification is that the Thunderbird package from


@ -6,10 +6,12 @@ Ext4 file system on device `/dev/disk/by-label/data` onto the mount
point `/data`:
```nix
fileSystems."/data" =
{ device = "/dev/disk/by-label/data";
fsType = "ext4";
};
{
fileSystems."/data" =
{ device = "/dev/disk/by-label/data";
fsType = "ext4";
};
}
```
This will create an entry in `/etc/fstab`, which will generate a


@ -5,14 +5,18 @@ and other unexpected packets. The firewall applies to both IPv4 and IPv6
traffic. It is enabled by default. It can be disabled as follows:
```nix
networking.firewall.enable = false;
{
networking.firewall.enable = false;
}
```
If the firewall is enabled, you can open specific TCP ports to the
outside world:
```nix
networking.firewall.allowedTCPPorts = [ 80 443 ];
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```
Note that TCP port 22 (ssh) is opened automatically if the SSH daemon is
@ -22,10 +26,12 @@ enabled (`services.openssh.enable = true`). UDP ports can be opened through
To open ranges of TCP ports:
```nix
networking.firewall.allowedTCPPortRanges = [
{ from = 4000; to = 4007; }
{ from = 8000; to = 8010; }
];
{
networking.firewall.allowedTCPPortRanges = [
{ from = 4000; to = 4007; }
{ from = 8000; to = 8010; }
];
}
```
Similarly, UDP port ranges can be opened through


@ -55,9 +55,11 @@ supported through the rocmPackages.clr.icd package. Adding this package to
enables OpenCL support:
```nix
hardware.opengl.extraPackages = [
rocmPackages.clr.icd
];
{
hardware.opengl.extraPackages = [
rocmPackages.clr.icd
];
}
```
### Intel {#sec-gpu-accel-opencl-intel}
@ -74,9 +76,11 @@ to enable OpenCL support. For example, for Gen8 and later GPUs, the following
configuration can be used:
```nix
hardware.opengl.extraPackages = [
intel-compute-runtime
];
{
hardware.opengl.extraPackages = [
intel-compute-runtime
];
}
```
## Vulkan {#sec-gpu-accel-vulkan}
@ -141,20 +145,22 @@ makes amdvlk the default driver and hides radv and lavapipe from the device list
A specific driver can be forced as follows:
```nix
hardware.opengl.extraPackages = [
pkgs.amdvlk
];
{
hardware.opengl.extraPackages = [
pkgs.amdvlk
];
# To enable Vulkan support for 32-bit applications, also add:
hardware.opengl.extraPackages32 = [
pkgs.driversi686Linux.amdvlk
];
# To enable Vulkan support for 32-bit applications, also add:
hardware.opengl.extraPackages32 = [
pkgs.driversi686Linux.amdvlk
];
# Force radv
environment.variables.AMD_VULKAN_ICD = "RADV";
# Or
environment.variables.VK_ICD_FILENAMES =
"/run/opengl-driver/share/vulkan/icd.d/radeon_icd.x86_64.json";
# Force radv
environment.variables.AMD_VULKAN_ICD = "RADV";
# Or
environment.variables.VK_ICD_FILENAMES =
"/run/opengl-driver/share/vulkan/icd.d/radeon_icd.x86_64.json";
}
```
## VA-API {#sec-gpu-accel-va-api}
@ -178,17 +184,21 @@ $ nix-shell -p libva-utils --run vainfo
Modern Intel GPUs use the iHD driver, which can be installed with:
```nix
hardware.opengl.extraPackages = [
intel-media-driver
];
{
hardware.opengl.extraPackages = [
intel-media-driver
];
}
```
Older Intel GPUs use the i965 driver, which can be installed with:
```nix
hardware.opengl.extraPackages = [
intel-vaapi-driver
];
{
hardware.opengl.extraPackages = [
intel-vaapi-driver
];
}
```
## Common issues {#sec-gpu-accel-common-issues}


@ -5,18 +5,22 @@ configure network interfaces. However, you can configure an interface
manually as follows:
```nix
networking.interfaces.eth0.ipv4.addresses = [ {
address = "192.168.1.2";
prefixLength = 24;
} ];
{
networking.interfaces.eth0.ipv4.addresses = [ {
address = "192.168.1.2";
prefixLength = 24;
} ];
}
```
Typically you'll also want to set a default gateway and set of name
servers:
```nix
networking.defaultGateway = "192.168.1.1";
networking.nameservers = [ "8.8.8.8" ];
{
networking.defaultGateway = "192.168.1.1";
networking.nameservers = [ "8.8.8.8" ];
}
```
::: {.note}
@ -28,7 +32,9 @@ configuration is performed by `network-setup.service`.
The host name is set using [](#opt-networking.hostName):
```nix
networking.hostName = "cartman";
{
networking.hostName = "cartman";
}
```
The default host name is `nixos`. Set it to the empty string (`""`) to


@ -9,34 +9,42 @@ may be overridden on a per-interface basis by
IPv6 support globally by setting:
```nix
networking.enableIPv6 = false;
{
networking.enableIPv6 = false;
}
```
You can disable IPv6 on a single interface using a normal sysctl (in
this example, we use interface `eth0`):
```nix
boot.kernel.sysctl."net.ipv6.conf.eth0.disable_ipv6" = true;
{
boot.kernel.sysctl."net.ipv6.conf.eth0.disable_ipv6" = true;
}
```
As with IPv4 networking interfaces are automatically configured via
DHCPv6. You can configure an interface manually:
```nix
networking.interfaces.eth0.ipv6.addresses = [ {
address = "fe00:aa:bb:cc::2";
prefixLength = 64;
} ];
{
networking.interfaces.eth0.ipv6.addresses = [ {
address = "fe00:aa:bb:cc::2";
prefixLength = 64;
} ];
}
```
For configuring a gateway, optionally with explicitly specified
interface:
```nix
networking.defaultGateway6 = {
address = "fe00::1";
interface = "enp0s3";
};
{
networking.defaultGateway6 = {
address = "fe00::1";
interface = "enp0s3";
};
}
```
See [](#sec-ipv4) for similar examples and additional information.


@ -7,14 +7,16 @@ There are generally two ways of enabling Kubernetes on NixOS. One way is
to enable and configure cluster components appropriately by hand:
```nix
services.kubernetes = {
apiserver.enable = true;
controllerManager.enable = true;
scheduler.enable = true;
addonManager.enable = true;
proxy.enable = true;
flannel.enable = true;
};
{
services.kubernetes = {
apiserver.enable = true;
controllerManager.enable = true;
scheduler.enable = true;
addonManager.enable = true;
proxy.enable = true;
flannel.enable = true;
};
}
```
Another way is to assign cluster roles ("master" and/or "node") to
@ -22,20 +24,26 @@ the host. This enables apiserver, controllerManager, scheduler,
addonManager, kube-proxy and etcd:
```nix
services.kubernetes.roles = [ "master" ];
{
services.kubernetes.roles = [ "master" ];
}
```
While this will enable the kubelet and kube-proxy only:
```nix
services.kubernetes.roles = [ "node" ];
{
services.kubernetes.roles = [ "node" ];
}
```
Assigning both the master and node roles is usable if you want a single
node Kubernetes cluster for dev or testing purposes:
```nix
services.kubernetes.roles = [ "master" "node" ];
{
services.kubernetes.roles = [ "master" "node" ];
}
```
Note: Assigning either role will also default both


@ -5,7 +5,9 @@ option `boot.kernelPackages`. For instance, this selects the Linux 3.10
kernel:
```nix
boot.kernelPackages = pkgs.linuxKernel.packages.linux_3_10;
{
boot.kernelPackages = pkgs.linuxKernel.packages.linux_3_10;
}
```
Note that this not only replaces the kernel, but also packages that are
@ -40,13 +42,15 @@ If you want to change the kernel configuration, you can use the
instance, to enable support for the kernel debugger KGDB:
```nix
nixpkgs.config.packageOverrides = pkgs: pkgs.lib.recursiveUpdate pkgs {
linuxKernel.kernels.linux_5_10 = pkgs.linuxKernel.kernels.linux_5_10.override {
extraConfig = ''
KGDB y
'';
{
nixpkgs.config.packageOverrides = pkgs: pkgs.lib.recursiveUpdate pkgs {
linuxKernel.kernels.linux_5_10 = pkgs.linuxKernel.kernels.linux_5_10.override {
extraConfig = ''
KGDB y
'';
};
};
};
}
```
`extraConfig` takes a list of Linux kernel configuration options, one
@ -59,14 +63,18 @@ by `udev`. You can force a module to be loaded via
[](#opt-boot.kernelModules), e.g.
```nix
boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ];
{
boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ];
}
```
If the module is required early during the boot (e.g. to mount the root
file system), you can use [](#opt-boot.initrd.kernelModules):
```nix
boot.initrd.kernelModules = [ "cifs" ];
{
boot.initrd.kernelModules = [ "cifs" ];
}
```
This causes the specified modules and their dependencies to be added to
@ -76,7 +84,9 @@ Kernel runtime parameters can be set through
[](#opt-boot.kernel.sysctl), e.g.
```nix
boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 120;
{
boot.kernel.sysctl."net.ipv4.tcp_keepalive_time" = 120;
}
```
sets the kernel's TCP keepalive time to 120 seconds. To see the
@ -89,7 +99,9 @@ Please refer to the Nixpkgs manual for the various ways of [building a custom ke
To use your custom kernel package in your NixOS configuration, set
```nix
boot.kernelPackages = pkgs.linuxPackagesFor yourCustomKernel;
{
boot.kernelPackages = pkgs.linuxPackagesFor yourCustomKernel;
}
```
## Rust {#sec-linux-rust}
@ -99,15 +111,17 @@ default. For kernel versions 6.7 or newer, experimental Rust support
can be enabled. In a NixOS configuration, set:
```nix
boot.kernelPatches = [
{
name = "Rust Support";
patch = null;
features = {
rust = true;
};
}
];
{
boot.kernelPatches = [
{
name = "Rust Support";
patch = null;
features = {
rust = true;
};
}
];
}
```
## Developing kernel modules {#sec-linux-config-developing-modules}


@ -29,15 +29,19 @@ system is automatically mounted at boot time as `/`, add the following
to `configuration.nix`:
```nix
boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";
fileSystems."/".device = "/dev/mapper/crypted";
{
boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";
fileSystems."/".device = "/dev/mapper/crypted";
}
```
Should grub be used as bootloader, and `/boot` is located on an
encrypted partition, it is necessary to add the following grub option:
```nix
boot.loader.grub.enableCryptodisk = true;
{
boot.loader.grub.enableCryptodisk = true;
}
```
## FIDO2 {#sec-luks-file-systems-fido2}
@ -68,8 +72,10 @@ To ensure that this file system is decrypted using the FIDO2 compatible
key, add the following to `configuration.nix`:
```nix
boot.initrd.luks.fido2Support = true;
boot.initrd.luks.devices."/dev/sda2".fido2.credential = "f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7";
{
boot.initrd.luks.fido2Support = true;
boot.initrd.luks.devices."/dev/sda2".fido2.credential = "f1d00200108b9d6e849a8b388da457688e3dd653b4e53770012d8f28e5d3b269865038c346802f36f3da7278b13ad6a3bb6a1452e24ebeeaa24ba40eef559b1b287d2a2f80b7";
}
```
You can also use the FIDO2 passwordless setup, but for security reasons,
@ -77,7 +83,9 @@ you might want to enable it only when your device is PIN protected, such
as [Trezor](https://trezor.io/).
```nix
boot.initrd.luks.devices."/dev/sda2".fido2.passwordLess = true;
{
boot.initrd.luks.devices."/dev/sda2".fido2.passwordLess = true;
}
```
### systemd Stage 1 {#sec-luks-file-systems-fido2-systemd}
@ -88,13 +96,15 @@ unlocking the existing LUKS2 volume `root` using any enrolled FIDO2 compatible
tokens.
```nix
boot.initrd = {
luks.devices.root = {
crypttabExtraOpts = [ "fido2-device=auto" ];
device = "/dev/sda2";
{
boot.initrd = {
luks.devices.root = {
crypttabExtraOpts = [ "fido2-device=auto" ];
device = "/dev/sda2";
};
systemd.enable = true;
};
systemd.enable = true;
};
}
```
All tokens that should be used for unlocking the LUKS2-encrypted volume must


@ -16,7 +16,7 @@ including them from `configuration.nix`, e.g.:
{ imports = [ ./vpn.nix ./kde.nix ];
services.httpd.enable = true;
environment.systemPackages = [ pkgs.emacs ];
...
# ...
}
```
@ -42,7 +42,9 @@ merged last, so for list-type options, it will appear at the end of the
merged list. If you want it to appear first, you can use `mkBefore`:
```nix
boot.kernelModules = mkBefore [ "kvm-intel" ];
{
boot.kernelModules = mkBefore [ "kvm-intel" ];
}
```
This causes the `kvm-intel` kernel module to be loaded before any other
@ -60,7 +62,9 @@ When that happens, it's possible to force one definition take precedence
over the others:
```nix
services.httpd.adminAddr = pkgs.lib.mkForce "bob@example.org";
{
services.httpd.adminAddr = pkgs.lib.mkForce "bob@example.org";
}
```
When using multiple modules, you may need to access configuration values


@ -4,7 +4,9 @@ To facilitate network configuration, some desktop environments use
NetworkManager. You can enable NetworkManager by setting:
```nix
networking.networkmanager.enable = true;
{
networking.networkmanager.enable = true;
}
```
some desktop managers (e.g., GNOME) enable NetworkManager automatically
@ -14,7 +16,9 @@ All users that should have permission to change network settings must
belong to the `networkmanager` group:
```nix
users.users.alice.extraGroups = [ "networkmanager" ];
{
users.users.alice.extraGroups = [ "networkmanager" ];
}
```
NetworkManager is controlled using either `nmcli` or `nmtui`
@ -32,9 +36,11 @@ can be used together if desired. To do this you need to instruct
NetworkManager to ignore those interfaces like:
```nix
networking.networkmanager.unmanaged = [
"*" "except:type:wwan" "except:type:gsm"
];
{
networking.networkmanager.unmanaged = [
"*" "except:type:wwan" "except:type:gsm"
];
}
```
Refer to the option description for the exact syntax and references to


@ -4,21 +4,23 @@ NixOS offers a convenient abstraction to create both read-only as well writable
overlays.
```nix
fileSystems = {
"/writable-overlay" = {
overlay = {
lowerdir = [ writableOverlayLowerdir ];
upperdir = "/.rw-writable-overlay/upper";
workdir = "/.rw-writable-overlay/work";
{
fileSystems = {
"/writable-overlay" = {
overlay = {
lowerdir = [ writableOverlayLowerdir ];
upperdir = "/.rw-writable-overlay/upper";
workdir = "/.rw-writable-overlay/work";
};
# Mount the writable overlay in the initrd.
neededForBoot = true;
};
# Mount the writable overlay in the initrd.
neededForBoot = true;
"/readonly-overlay".overlay.lowerdir = [
writableOverlayLowerdir
writableOverlayLowerdir2
];
};
"/readonly-overlay".overlay.lowerdir = [
writableOverlayLowerdir
writableOverlayLowerdir2
];
};
}
```
If `upperdir` and `workdir` are not null, they will be created before the


@ -8,9 +8,11 @@ is to say, expected usage is to add them to the imports list of your
`/etc/configuration.nix` as such:
```nix
imports = [
<nixpkgs/nixos/modules/profiles/profile-name.nix>
];
{
imports = [
<nixpkgs/nixos/modules/profiles/profile-name.nix>
];
}
```
Even if some of these profiles seem only useful in the context of


@ -25,10 +25,12 @@ we assign the name `wan` to the interface with MAC address
`52:54:00:12:01:01` using a netword link unit:
```nix
systemd.network.links."10-wan" = {
matchConfig.PermanentMACAddress = "52:54:00:12:01:01";
linkConfig.Name = "wan";
};
{
systemd.network.links."10-wan" = {
matchConfig.PermanentMACAddress = "52:54:00:12:01:01";
linkConfig.Name = "wan";
};
}
```
Note that links are directly read by udev, *not networkd*, and will work
@ -37,10 +39,12 @@ even if networkd is disabled.
Alternatively, we can use a plain old udev rule:
```nix
boot.initrd.services.udev.rules = ''
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", \
ATTR{address}=="52:54:00:12:01:01", KERNEL=="eth*", NAME="wan"
'';
{
boot.initrd.services.udev.rules = ''
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", \
ATTR{address}=="52:54:00:12:01:01", KERNEL=="eth*", NAME="wan"
'';
}
```
::: {.warning}


@ -3,7 +3,9 @@
Secure shell (SSH) access to your machine can be enabled by setting:
```nix
services.openssh.enable = true;
{
services.openssh.enable = true;
}
```
By default, root logins using a password are disallowed. They can be
@ -14,6 +16,8 @@ You can declaratively specify authorised RSA/DSA public keys for a user
as follows:
```nix
users.users.alice.openssh.authorizedKeys.keys =
[ "ssh-dss AAAAB3NzaC1kc3MAAACBAPIkGWVEt4..." ];
{
users.users.alice.openssh.authorizedKeys.keys =
[ "ssh-dss AAAAB3NzaC1kc3MAAACBAPIkGWVEt4..." ];
}
```


@ -21,9 +21,11 @@ Apache HTTP, setting [](#opt-services.httpd.adminAddr)
appropriately:
```nix
services.httpd.enable = true;
services.httpd.adminAddr = ...;
networking.firewall.allowedTCPPorts = [ 80 443 ];
{
services.httpd.enable = true;
services.httpd.adminAddr = "...";
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
```
For a simple Subversion server with basic authentication, configure the
@ -34,25 +36,28 @@ the `.authz` file describing access permission, and `AuthUserFile` to
the password file.
```nix
services.httpd.extraModules = [
# note that order is *super* important here
{ name = "dav_svn"; path = "${pkgs.apacheHttpdPackages.subversion}/modules/mod_dav_svn.so"; }
{ name = "authz_svn"; path = "${pkgs.apacheHttpdPackages.subversion}/modules/mod_authz_svn.so"; }
];
services.httpd.virtualHosts = {
"svn" = {
hostName = HOSTNAME;
documentRoot = DOCUMENTROOT;
locations."/svn".extraConfig = ''
DAV svn
SVNParentPath REPO_PARENT
AuthzSVNAccessFile ACCESS_FILE
AuthName "SVN Repositories"
AuthType Basic
AuthUserFile PASSWORD_FILE
Require valid-user
'';
}
{
services.httpd.extraModules = [
# note that order is *super* important here
{ name = "dav_svn"; path = "${pkgs.apacheHttpdPackages.subversion}/modules/mod_dav_svn.so"; }
{ name = "authz_svn"; path = "${pkgs.apacheHttpdPackages.subversion}/modules/mod_authz_svn.so"; }
];
services.httpd.virtualHosts = {
"svn" = {
hostName = HOSTNAME;
documentRoot = DOCUMENTROOT;
locations."/svn".extraConfig = ''
DAV svn
SVNParentPath REPO_PARENT
AuthzSVNAccessFile ACCESS_FILE
AuthName "SVN Repositories"
AuthType Basic
AuthUserFile PASSWORD_FILE
Require valid-user
'';
};
};
}
```
The key `"svn"` is just a symbolic name identifying the virtual host.
@ -90,7 +95,7 @@ $ htpasswd -s PASSWORD_FILE USER_NAME
The file describing access permissions `ACCESS_FILE` will look something
like the following:
```nix
```
[/]
* = r


@ -6,13 +6,15 @@ management. In the declarative style, users are specified in
account named `alice` shall exist:
```nix
users.users.alice = {
isNormalUser = true;
home = "/home/alice";
description = "Alice Foobar";
extraGroups = [ "wheel" "networkmanager" ];
openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
};
{
users.users.alice = {
isNormalUser = true;
home = "/home/alice";
description = "Alice Foobar";
extraGroups = [ "wheel" "networkmanager" ];
openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
};
}
```
Note that `alice` is a member of the `wheel` and `networkmanager`
@ -38,7 +40,9 @@ A user ID (uid) is assigned automatically. You can also specify a uid
manually by adding
```nix
uid = 1000;
{
uid = 1000;
}
```
to the user specification.
@ -47,7 +51,9 @@ Groups can be specified similarly. The following states that a group
named `students` shall exist:
```nix
users.groups.students.gid = 1000;
{
users.groups.students.gid = 1000;
}
```
As with users, the group ID (gid) is optional and will be assigned
@ -100,7 +106,9 @@ Instead of using a custom perl script to create users and groups, you can use
systemd-sysusers:
```nix
systemd.sysusers.enable = true;
{
systemd.sysusers.enable = true;
}
```
The primary benefit of this is to remove a dependency on perl.


@ -9,7 +9,9 @@ a Wayland Compositor such as sway without separately enabling a Wayland
server:
```nix
{
programs.sway.enable = true;
}
```
This installs the sway compositor along with some essential utilities.
@ -19,7 +21,9 @@ If you are using a wlroots-based compositor, like sway, and want to be
able to share your screen, you might want to activate this option:
```nix
xdg.portal.wlr.enable = true;
{
xdg.portal.wlr.enable = true;
}
```
and configure Pipewire using


@ -7,25 +7,29 @@ skip the rest of this section on wireless networks.
NixOS will start wpa_supplicant for you if you enable this setting:
```nix
networking.wireless.enable = true;
{
networking.wireless.enable = true;
}
```
NixOS lets you specify networks for wpa_supplicant declaratively:
```nix
networking.wireless.networks = {
echelon = { # SSID with no spaces or special characters
psk = "abcdefgh";
{
networking.wireless.networks = {
echelon = { # SSID with no spaces or special characters
psk = "abcdefgh";
};
"echelon's AP" = { # SSID with spaces and/or special characters
psk = "ijklmnop";
};
echelon = { # Hidden SSID
hidden = true;
psk = "qrstuvwx";
};
free.wifi = {}; # Public wireless network
};
"echelon's AP" = { # SSID with spaces and/or special characters
psk = "ijklmnop";
};
echelon = { # Hidden SSID
hidden = true;
psk = "qrstuvwx";
};
free.wifi = {}; # Public wireless network
};
}
```
Be aware that keys will be written to the nix store in plaintext! When
@ -46,11 +50,13 @@ network={
```
```nix
networking.wireless.networks = {
echelon = {
pskRaw = "dca6d6ed41f4ab5a984c9f55f6f66d4efdc720ebf66959810f4329bb391c5435";
{
networking.wireless.networks = {
echelon = {
pskRaw = "dca6d6ed41f4ab5a984c9f55f6f66d4efdc720ebf66959810f4329bb391c5435";
};
};
};
}
```
or you can use it to directly generate the `wpa_supplicant.conf`:


@ -4,7 +4,9 @@ The X Window System (X11) provides the basis of NixOS' graphical user
interface. It can be enabled as follows:
```nix
services.xserver.enable = true;
{
services.xserver.enable = true;
}
```
The X server will automatically detect and use the appropriate video
@ -12,7 +14,9 @@ driver from a set of X.org drivers (such as `vesa` and `intel`). You can
also specify a driver manually, e.g.
```nix
services.xserver.videoDrivers = [ "r128" ];
{
services.xserver.videoDrivers = [ "r128" ];
}
```
to enable X.org's `xf86-video-r128` driver.
@ -22,15 +26,17 @@ Otherwise, you can only log into a plain undecorated `xterm` window.
Thus you should pick one or more of the following lines:
```nix
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.desktopManager.xfce.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.xserver.desktopManager.mate.enable = true;
services.xserver.windowManager.xmonad.enable = true;
services.xserver.windowManager.twm.enable = true;
services.xserver.windowManager.icewm.enable = true;
services.xserver.windowManager.i3.enable = true;
services.xserver.windowManager.herbstluftwm.enable = true;
{
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.desktopManager.xfce.enable = true;
services.xserver.desktopManager.gnome.enable = true;
services.xserver.desktopManager.mate.enable = true;
services.xserver.windowManager.xmonad.enable = true;
services.xserver.windowManager.twm.enable = true;
services.xserver.windowManager.icewm.enable = true;
services.xserver.windowManager.i3.enable = true;
services.xserver.windowManager.herbstluftwm.enable = true;
}
```
NixOS's default *display manager* (the program that provides a graphical
@ -38,22 +44,28 @@ login prompt and manages the X server) is LightDM. You can select an
alternative one by picking one of the following lines:
```nix
services.xserver.displayManager.sddm.enable = true;
services.xserver.displayManager.gdm.enable = true;
{
services.xserver.displayManager.sddm.enable = true;
services.xserver.displayManager.gdm.enable = true;
}
```
You can set the keyboard layout (and optionally the layout variant):
```nix
services.xserver.xkb.layout = "de";
services.xserver.xkb.variant = "neo";
{
services.xserver.xkb.layout = "de";
services.xserver.xkb.variant = "neo";
}
```
The X server is started automatically at boot time. If you don't want
this to happen, you can set:
```nix
services.xserver.autorun = false;
{
services.xserver.autorun = false;
}
```
The X server can then be started manually:
@ -66,7 +78,9 @@ On 64-bit systems, if you want OpenGL for 32-bit programs such as in
Wine, you should also set the following:
```nix
hardware.opengl.driSupport32Bit = true;
{
hardware.opengl.driSupport32Bit = true;
}
```
## Auto-login {#sec-x11-auto-login}
@ -84,16 +98,20 @@ desktop environment. If you wanted no desktop environment and i3 as your
your window manager, you'd define:
```nix
services.xserver.displayManager.defaultSession = "none+i3";
{
services.xserver.displayManager.defaultSession = "none+i3";
}
```
Every display manager in NixOS supports auto-login, here is an example
using lightdm for a user `alice`:
```nix
services.xserver.displayManager.lightdm.enable = true;
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "alice";
{
services.xserver.displayManager.lightdm.enable = true;
services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "alice";
}
```
## Intel Graphics drivers {#sec-x11--graphics-cards-intel}
@ -119,18 +137,22 @@ drivers. Use the option
to set one. The recommended configuration for modern systems is:
```nix
services.xserver.videoDrivers = [ "modesetting" ];
{
services.xserver.videoDrivers = [ "modesetting" ];
}
```
If you experience screen tearing no matter what, this configuration was
reported to resolve the issue:
```nix
services.xserver.videoDrivers = [ "intel" ];
services.xserver.deviceSection = ''
Option "DRI" "2"
Option "TearFree" "true"
'';
{
services.xserver.videoDrivers = [ "intel" ];
services.xserver.deviceSection = ''
Option "DRI" "2"
Option "TearFree" "true"
'';
}
```
Note that this will likely downgrade the performance compared to
@ -143,15 +165,19 @@ better 3D performance than the X.org drivers. It is not enabled by
default because it's not free software. You can enable it as follows:
```nix
services.xserver.videoDrivers = [ "nvidia" ];
{
services.xserver.videoDrivers = [ "nvidia" ];
}
```
If you have an older card, you may have to use one of the legacy drivers:
```nix
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_390;
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_340;
{
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_470;
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_390;
hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_340;
}
```
You may need to reboot after enabling this driver to prevent a clash
@ -166,7 +192,9 @@ performance. If you still want to use it anyway, you need to explicitly
set:
```nix
services.xserver.videoDrivers = [ "amdgpu-pro" ];
{
services.xserver.videoDrivers = [ "amdgpu-pro" ];
}
```
You will need to reboot after enabling this driver to prevent a clash
@ -178,14 +206,18 @@ Support for Synaptics touchpads (found in many laptops such as the Dell
Latitude series) can be enabled as follows:
```nix
services.xserver.libinput.enable = true;
{
services.xserver.libinput.enable = true;
}
```
The driver has many options (see [](#ch-options)).
For instance, the following disables tap-to-click behavior:
```nix
services.xserver.libinput.touchpad.tapping = false;
{
services.xserver.libinput.touchpad.tapping = false;
}
```
Note: the use of `services.xserver.synaptics` is deprecated since NixOS
@ -198,9 +230,11 @@ GTK themes can be installed either to user profile or system-wide (via
GTK ones, you can use the following configuration:
```nix
qt.enable = true;
qt.platformTheme = "gtk2";
qt.style = "gtk2";
{
qt.enable = true;
qt.platformTheme = "gtk2";
qt.style = "gtk2";
}
```
## Custom XKB layouts {#custom-xkb-layouts}
@ -217,7 +251,7 @@ Create a file called `us-greek` with the following content (under a
directory called `symbols`; it's an XKB peculiarity that will help with
testing):
```nix
```
xkb_symbols "us-greek"
{
include "us(basic)" // includes the base US keys
@ -234,11 +268,13 @@ xkb_symbols "us-greek"
A minimal layout specification must include the following:
```nix
services.xserver.xkb.extraLayouts.us-greek = {
description = "US layout with alt-gr greek";
languages = [ "eng" ];
symbolsFile = /yourpath/symbols/us-greek;
};
{
services.xserver.xkb.extraLayouts.us-greek = {
description = "US layout with alt-gr greek";
languages = [ "eng" ];
symbolsFile = /yourpath/symbols/us-greek;
};
}
```
::: {.note}
@ -275,7 +311,7 @@ Use the *xev* utility from `pkgs.xorg.xev` to find the codes of the keys
of interest, then create a `media-key` file to hold the keycodes
definitions
```nix
```
xkb_keycodes "media"
{
<volUp> = 123;
@ -285,7 +321,7 @@ xkb_keycodes "media"
Now use the newly define keycodes in `media-sym`:
```nix
```
xkb_symbols "media"
{
key.type = "ONE_LEVEL";
@ -297,12 +333,14 @@ xkb_symbols "media"
As before, to install the layout do
```nix
services.xserver.xkb.extraLayouts.media = {
description = "Multimedia keys remapping";
languages = [ "eng" ];
symbolsFile = /path/to/media-key;
keycodesFile = /path/to/media-sym;
};
{
services.xserver.xkb.extraLayouts.media = {
description = "Multimedia keys remapping";
languages = [ "eng" ];
symbolsFile = /path/to/media-key;
keycodesFile = /path/to/media-sym;
};
}
```
::: {.note}
@ -318,7 +356,9 @@ workaround, you can set the keymap using `setxkbmap` at the start of the
session with:
```nix
services.xserver.displayManager.sessionCommands = "setxkbmap -keycodes media";
{
services.xserver.displayManager.sessionCommands = "setxkbmap -keycodes media";
}
```
If you are manually starting the X server, you should set the argument


@ -3,21 +3,25 @@
To enable the Xfce Desktop Environment, set
```nix
services.xserver.desktopManager.xfce.enable = true;
services.xserver.displayManager.defaultSession = "xfce";
{
services.xserver.desktopManager.xfce.enable = true;
services.xserver.displayManager.defaultSession = "xfce";
}
```
Optionally, *picom* can be enabled for nice graphical effects, some
example settings:
```nix
services.picom = {
enable = true;
fade = true;
inactiveOpacity = 0.9;
shadow = true;
fadeDelta = 4;
};
{
services.picom = {
enable = true;
fade = true;
inactiveOpacity = 0.9;
shadow = true;
fadeDelta = 4;
};
}
```
Some Xfce programs are not installed automatically. To install them