NixOS options

boot
initrd-ssh — SSH access to initrd for remote disk unlocking
network
kernelModules : [str] — extra kernel modules to include in initrd for networking
netdevs : lazy attribute set of anything — systemd-networkd netdev units for the initrd
networks : lazy attribute set of anything — systemd-networkd network units for the initrd
authorizedKeys : [str] — SSH public keys authorized to connect to initrd
hostKeyPaths : [str] = ["/etc/secrets/initrd/ssh_host_ed25519_key"] — paths to SSH host keys for initrd; these keys are (presumably, as in the stock NixOS initrd SSH module) embedded in the initrd image, which usually lives on the unencrypted boot partition, so use keys dedicated to initrd (never the stage-2 host keys) and generate them out-of-band before the first build
plymouth — graphical startup
systemd
initrd — systemd initrd
loader — systemd-boot
filesystems
bcachefs — bcachefs
bcachefs-snapshots — periodic bcachefs subvolume snapshots
targets
targets : {…} — subvolumes to snapshot periodically
<name>
retention
daily : int = 7 — number of daily snapshots to keep
hourly : int = 6 — number of hourly snapshots to keep
keepLast : int = 3 — always keep at least this many snapshots regardless of age
monthly : int = 6 — number of monthly snapshots to keep
weekly : int = 4 — number of weekly snapshots to keep
calendar : str = "*:0/10" — systemd calendar expression for snapshot frequency
device : str — bcachefs device path
subvolume : str — path within bcachefs to the subvolume group (containing @live)
impermanence — bcachefs root impermanence (wipe-on-boot)
retention
daily : int = 7 — number of daily snapshots to keep
hourly : int = 6 — number of hourly snapshots to keep
keepLast : int = 3 — always keep at least this many snapshots regardless of age
monthly : int = 3 — number of monthly snapshots to keep
weekly : int = 4 — number of weekly snapshots to keep
device : str — bcachefs device path (e.g. a stable `/dev/disk/by-uuid/…` entry)
prune : bool = true — whether to prune old root snapshots according to the retention policy
subvolume : str = "subvolumes/root" — path within bcachefs to the root subvolume group (containing @blank and @live)
layouts
bcachefs-pool — @psyclyx's bcachefs-pool disk layout
UUID
boot : str — boot partition UUID (`ls -lah /dev/disk/by-uuid`)
root : str — external bcachefs FS UUID (`bcachefs show-superblock`)
wants : [str] — list of devices to weakly depend on via x-systemd.wants
bcachefs-subvols — bcachefs subvolume layout
subvolumes
subvolumes : {…} — mount point → subvolume mapping
<name>
neededForBoot : bool — whether this subvolume must already be mounted before stage 2 starts (presumably mirrors `fileSystems.<name>.neededForBoot` — verify against the module)
subdir : str — path within the bcachefs filesystem
bootDevice : str — EFI boot partition device (fstab syntax)
device : str — root bcachefs device (fstab syntax: UUID=..., PARTLABEL=..., etc.)
extraDeviceWants : [str] — additional device paths for multi-device pools (x-systemd.wants=)
btrfs-luks — btrfs-on-LUKS subvolume layout
bootUUID : str — UUID of the EFI boot partition
fsUUID : str — UUID of the btrfs filesystem inside LUKS
luksName : str = "crypted" — name for the opened LUKS device
luksUUID : str — UUID of the LUKS container
subvolumes : {str} — mount point → btrfs subvolume name mapping
swapUUID : ?str — UUID of swap partition (null to disable)
nfs-root — diskless host: tmpfs root, NFS /nix + /persist
zfs — ZFS filesystem support
arc
maxBytes : ?(positive integer, meaning >0) — maximum ARC size in bytes (null = ZFS default, ~50% RAM)
minBytes : ?(positive integer, meaning >0) — minimum ARC size in bytes (null = ZFS default)
encryption — whether pools use native ZFS encryption (prompts for passphrase in initrd)
scrub — enable periodic ZFS scrubs
interval : str = "monthly" — scrub interval (systemd calendar expression)
trim — enable periodic ZFS TRIM
hostId : str — 8-character hex string for networking.hostId (required by ZFS)
pools : [str] = ["rpool"] — ZFS pool names to request encryption credentials for
zfs-runtime — import a ZFS pool at boot and mount its datasets at runtime
arc
maxBytes : ?(positive integer, meaning >0) — maximum ARC size in bytes (null = ZFS default)
datasets
datasets : {…} — datasets to mount at runtime, keyed by full dataset path (e.g. `rpool/data`)
<name>
mountpoint : str — where to mount this dataset
neededForBoot : bool — whether the mount must happen before systemd considers the system "online"
options : [str] = ["defaults"] — mount options
hostId : str — 8-character hex string for networking.hostId
poolName : str — ZFS pool name to import
hardware
cpu
amd — AMD CPU config (currently only Ryzen 5950x)
intel — intel CPU config (tested on i5-8350U)
enableMitigations : bool = true — keep the kernel's mitigations for CPU vulnerabilities (Spectre/Meltdown-class side channels) enabled; set to false only as a deliberate performance-over-security trade-off on hosts that run no untrusted code
drivers
scsi — SCSI drivers
cdRom : bool = true — SCSI CD-ROM
disk : bool = true — SCSI Disk
generic : bool = true — SCSI Generic
usb — USB drivers
ehci : bool = true — USB EHCI controller (USB 2)
hid : bool = true — USB HID
storage : bool = true — USB storage
uhci : bool = true — USB UHCI controller (USB 1)
xhci : bool = true — USB XHCI controller (USB 3, 2, 1)
gpu
intel — intel integrated graphics (i915)
nvidia — nvidia GPU (currently 3090)
ipmi
ilo — HPE Integrated Lights Out
monitors
monitors : {…}
<name>
mode
mode : ?{…}
height : int
refresh : ?int
width : int
position
position : {…}
x : int = 0
y : int = 0
connector : str
identifier : str = "‹name›"
scale : int = 1.0 — (declared type and default disagree: a fractional default suggests this is really a float — verify against the module definition)
presets
apple-silicon — apple Silicon (Asahi Linux)
hpe
dl20-gen10 — HPE ProLiant DL20 Gen 10
dl360-gen9 — HPE ProLiant DL360 Gen 9
storage
p408i-a-g10 — HPE P408i-a-G10 storage controller
p440a — HPE P440a(r) storage controller
network
cake-qos — CAKE QoS traffic shaping with autorate
autorate — enable cake-autorate dynamic bandwidth adjustment
connectionActiveThr : int = 5000 — connection active threshold (kbps)
hash : str = "sha256-2WnMmilrVgVwjHK5ZkoXrzVlofuvvwQbSROfvd4RbEk=" — fixed-output hash of the downloaded cake-autorate release; update it together with version (a mismatch fails the build rather than fetching unverified code)
version : str = "3.2.2"
download
base : int — baseline download rate (kbps)
max : int — maximum download rate (kbps)
min : int — minimum download rate (kbps)
upload
base : int — baseline upload rate (kbps)
max : int — maximum upload rate (kbps)
min : int — minimum upload rate (kbps)
interface : str — WAN-facing interface to shape
dhcp-ddns — DHCP dynamic DNS updates via Kea DHCP-DDNS
keyName : str = "ddns-iyr" — TSIG key name for DNS updates
port : u16 = 53001 — port for the DHCP-DDNS service
dns — network DNS configuration
authoritative
zones
zones : {…} — authoritative zones to serve
<name>
admin : ?str — admin email (SOA)
data : ?strings concatenated with "\n" — raw zone data
ddns : bool — allow RFC 2136 dynamic updates (authenticated by TSIG)
extraRecords : strings concatenated with "\n" — additional records appended to zone
ttl : int = 300 — default TTL
interfaces : [str] = [ "127.0.0.1" "::1" ] — interfaces for authoritative DNS
ns : ?str — IP address for auto-generated ns1/ns2 glue records
port : u16 = 5353 — port for authoritative DNS
tsigKeyFile : ?absolute path — path to a file containing TSIG key config for DDNS/ACME
tsigKeyName : ?str — name of the TSIG key (must match key defined in tsigKeyFile)
tsigSecretFile : ?absolute path — path to a file containing the base64 TSIG secret (for ACME DNS-01)
client — enable client DNS (avahi + systemd-resolved)
resolver — enable DNS resolver
forwardZones
forwardZones : {…} — additional forward zones for the resolver
<name>
forward-addr : [str] — forward addresses for this zone
localZones
localZones : {…} — zones served locally by the resolver via unbound local-data
<name>
records : [str] — DNS records in unbound local-data syntax (e.g., 'host.example.com. A 10.0.0.1')
type : static | transparent | typetransparent | redirect = "static" — unbound local-zone type
accessControl : [str] — ACL entries for the resolver (e.g., '10.0.0.0/24 allow')
extraStubZones : [str] — additional zones to stub (beyond authoritative zones)
interfaces : [str] — interfaces for resolver (IPs)
zones — auto-generate authoritative zones from egregore
siteZone — site umbrella zone with host A records
networks : [str] — ordered preference list of network entities
extraRecords : {strings concatenated with "\n"} — extra records appended to generated forward zones, keyed by egregore network …
extraZones : {any} — additional zones merged with generated ones
gatewayHostname : str = config.networking.hostName — hostname of the gateway/DNS server (for NS/A glue records and for filtering e…
firewall — nftables firewall
forward
forward : [{…}] — zone-to-zone forwarding rules
*
rules
rules : [(open submodule of attribute set of (string | int | bool | [str | int]))] — additional match criteria for this forward rule
*
comment : ?str
verdict : str = "accept"
from : str — source zone name
to : str — destination zone name
input
input : {…} — per-zone input policy and rules
<name>
rules
rules : [(open submodule of attribute set of (string | int | bool | [str | int]))] — additional structured input rules for this zone
*
comment : ?str
verdict : str = "accept"
allowICMP : bool = true — accept standard ICMP/ICMPv6 traffic on this zone
allowedTCPPorts : [u16] — TCP ports to accept on this zone
allowedUDPPorts : [u16] — UDP ports to accept on this zone
policy : accept | drop = "drop" — default verdict for unmatched traffic on this zone
masquerade
masquerade : [{…}] — zone-to-zone NAT masquerade rules
*
from : str — source zone name
to : str — destination zone name
synFloodProtection — add syn-flood rate-limiting chain
burst : int = 50 — burst packets for SYN flood limiting
rate : str = "25/second" — nftables rate expression for SYN flood limiting
zones
zones : {…} — named interface groups
<name>
interfaces : [str] — interfaces belonging to this zone
gateway — gateway VLAN networking (RA + DHCPv6-PD per VLAN, WAN transit)
initrd — bring the listed networks up in initrd
networks
networks : [{…}] — gateway VLANs to bring up before stage-2
*
address4 : str — IPv4 address in CIDR notation for initrd reachability
id : int
kernelModules : [str] = ["8021q"]
networks
networks : [{…}] — networks this host gateways
*
staticRoutes
staticRoutes : [{…}] — static routes to install on this VLAN's network unit
*
destination : str
gateway : str
address4 : str — IPv4 address in CIDR notation (the gateway IP)
address6 : ?str — IPv6 address in CIDR notation
id : int — VLAN id on lanInterface
pdSubnetId : ?int — subnet id for DHCPv6 prefix delegation on this VLAN
raDomains : [str] — domains advertised via RA option (DNSSL)
ulaPrefix : ?str — ULA prefix advertised in RA, e.g. `fd00:1234:5678:1::/64`
transitDhcpV6
duidRawData : ?str
iaid : int = 250
prefixDelegationHint : str = "::/60"
initrdVlans : [str] — egregore network names whose gateway addresses should come up in initrd
lanAddress : ?str — static address on the untagged LAN interface
lanInterface : str — physical LAN trunk interface
lanMac : ?str
transitVlan : int — VLAN id of the WAN transit subinterface on wanInterface
transitVlanFromGlobals : bool = true — derive transitVlan from egregore globals (`conventions.transitVlan`) rather than from an explicitly set `transitVlan` value
wanInterface : str — physical WAN interface
wanMac : ?str
interfaces
bonds
bonds : {…}
<name>
hashPolicy : str = "layer2+3"
lacpTransmitRate : ?str
mac : ?str — override MAC address for the bond
miiMonitorSec : str = "0.1"
mode : str = "802.3ad"
slaves : str | [str] — slave interfaces (glob pattern or explicit list)
bridges
bridges : {…}
<name>
member : str — interface to bridge (typically a bond)
initrd — bring up a subset of interfaces in initrd
interfaces : [str] — interface names to bring up in initrd (addresses from networks)
kernelModules : [str]
networks
networks : {…}
<name>
policyRouting
policyRouting : ?{…} — source-based policy routing for this interface
gateway : str
priority : int = 200
subnet : str — subnet CIDR for the direct route in the policy table
table : int
addresses : [str] — static addresses in CIDR notation
dhcp : bool — use DHCP instead of static addressing
dns : [str]
domains : [str]
gateway : ?str — default gateway (only used when policyRouting is null)
ipv6AcceptRA : bool
mac : ?str
mtu : ?(positive integer, meaning >0) — link MTU in bytes
requiredForOnline : str = "no"
vlans
vlans : {…}
<name>
id : int
parent : str
networkd — systemd-networkd
nftables
tables
tables : {…}
<name>
chains
chains : {…}
<name>
rules
rules : [(open submodule of attribute set of (string | int | bool | [str | int]))]
*
comment : ?str
verdict : str = "accept"
content : strings concatenated with "\n"
device : ?str
hook : ?str
policy : ?accept | drop
priority : ?int
type : ?filter | nat | route
content : strings concatenated with "\n"
family : ip | ip6 | inet | arp | bridge | …
ports
ports : {(submodule | u16 | [u16])} — service port registry
<name>
tcp : [u16] — TCP ports
udp : [u16] — UDP ports
topology — project egregore host data into network interfaces
defaultNetwork : str — egregore network name that gets the default route (others get policy routing)
tuning — TCP/IP stack tuning for all hosts
wireless — wireless network support
programs
adb — android Debug Bridge and Android Studio
aspell — aspell + english dicts
dictionaries : fn → [pkg] = "dicts: [dicts.en dicts.en-computers dicts.en-science]" — function returning dictionaries to include with aspell
finalPackage : pkg = pkgs.aspell-with-dicts — the aspell-with-dicts package to use
ccache — enable ccache for C/C++ compilation
glasgow — glasgow digital interface explorer
users : [str] — users to put in the plugdev group
orca-slicer — orcaSlicer 3D-printing slicer
qmk — QMK
river — river wayland compositor with UWSM session management
ssacli — HPE Smart Storage Array Command Line Interface
steam — enable steam
sway — swayfx wm
zsh — zsh config
defaultShell : bool — zsh as the default shell
roles
base — base NixOS role
services
alloy — grafana Alloy log shipping agent (replaces promtail)
lokiUrl : str — base URL of the Loki instance (e.g. `http://loki.example:3100`)
avahi — service discovery / MDNS
bcachefs-exporter — bcachefs sysfs metrics textfile exporter for Prometheus
chrony — chrony NTP client
consul — consul service discovery and DNS
agentTokenFile : ?str — path to file containing this node's ACL agent token
clusterNodes : [str] — hostnames of all Consul server nodes
dataDir : str = "/var/lib/consul"
dataNetwork : str = "infra" — topology network for cluster and client traffic
datacenter : str = "psyclyx"
dnsPort : u16 = 8600
encryptionKeyFile : ?str — path to file containing the gossip encryption key (from `consul keygen`); when unset, serf gossip between agents is unencrypted, so set it on every cluster node
httpPort : u16 = 8500
serfPort : u16 = 8301
serverPort : u16 = 8300
dhcp — DHCP server derived from egregore entities
pools
pools : {…}
<name>
ipv4Range
ipv4Range : {…}
end : str
start : str
ipv6Suffix
ipv6Suffix : {…}
end : str = "1ff"
start : str = "100"
extraReservations : [(attribute set)]
ipv6 : bool = true
network : str
extraDhcp4 : attribute set
extraDhcp6 : attribute set
interface : str = "bond0"
fail2ban — fail2ban intrusion prevention
fstrim — TRIM daemon for SSDs
fwupd — fwupd
gdm — GNOME Display Manager
gnome-keyring — gnome-keyring
gnupg-agent — gnupg agent (for pinentry)
grafana — visualization and dashboarding tool
dashboards — built-in homelab monitoring dashboards
extraProviders : [(attribute set)] — additional dashboard provider configs
listen
address : str = "127.0.0.1" — address the http server binds to
port : u16 = 2134 — port the http server binds to
oidc — OIDC authentication
autoLogin : bool = true — automatically redirect to the OIDC provider
clientId : str — OIDC client ID
clientSecretFile : str — path to file containing the OIDC client secret
issuer : str — OIDC issuer URL (e.g. `https://idp.example.com`)
name : str = "Login" — display name for the OIDC provider on the login page
roleAttributePath : ?str — JMESPath expression to map OIDC userinfo claims to Grafana roles
datasources : [(attribute set)] — datasource provisioning configurations
domain : ?str — domain the server runs on
secretKeyFile : str — path to file containing the secret key used for signing data source settings
greetd — greetd+regreet
icecream — icecream (icecc) distributed compilation
maxJobs : ?(positive integer, meaning >0) — maximum parallel compile jobs
netName : str = "PSYCLYX" — icecream network name
noRemote : bool — prevent remote jobs from being scheduled on this node
scheduler : bool — whether this node runs the icecream scheduler
schedulerHost : ?str — explicit scheduler hostname/IP
iscsi
initiator — open-iSCSI initiator for runtime LUN mounts
mounts
mounts : {…}
<name>
fsType : str = "ext4"
lun : int = 0
mountpoint : str — where to mount the attached block device
options : [str]
portals : [str] — portal IP addresses for the target
targetIqn : str
initiatorIqn : str — this host's iSCSI IQN
target — LIO iSCSI target (kernel-native; configured via targetctl)
portals
portals : [{…}] — IP addresses the target portal binds to
*
address : str
network : ?str — egregore network name (metadata, for logs)
targets
targets : {…}
<name>
luns
luns : [{…}]
*
device : str — backing block device path
lun : int = 0
readOnly : bool
aclIqns : [str] — initiator IQNs allowed to attach this target; an IQN is a self-declared name, not a credential, so this only keeps well-behaved initiators out — no CHAP option is exposed here, so bind portals only to a trusted network
iqn : str
kanata — kanata (keyboard remapper)
kiosk — cage Wayland kiosk
url : str — URL to display in the kiosk
user : str = "kiosk" — user to autologin as
knot — knot authoritative DNS server
zones
zones : {…} — zone definitions
<name>
data : strings concatenated with "\n" — zone file data
ddns : bool — allow RFC 2136 dynamic updates (authenticated by TSIG)
interfaces : [str] = [ "127.0.0.1" "::1" ] — interfaces to listen on
port : u16 = 5353 — port for authoritative DNS (5353 for local stub, 53 for public)
tsigKeyFile : ?absolute path — path to a file containing TSIG key config (Knot YAML format)
tsigKeyName : ?str — name of the TSIG key (must match the key defined in tsigKeyFile)
locate — locate service
users : [str] — users to put in the mlocate group
loki — loki log aggregation server
port : u16 = 3100 — HTTP listen port for the Loki server
retentionPeriod : str = "744h" — log retention period
nfs-server — NFS v4 server with declarative export ACLs
exports
exports : [{…}] — declarative NFS exports
*
clients
clients : [{…}]
*
address : str — client IP / CIDR / hostname
options : [str] = [ "sync" "no_subtree_check" "no_root_squash" ] — per-client export options; note the default `no_root_squash` lets root on any listed client act as root on the exported path, so replace it with `root_squash` for clients you do not fully trust
readOnly : bool
fsid : ?int — explicit fsid for the export
path : str — local path to export
bindAddresses : [str] — IP addresses for the NFS server to bind
nginx — nginx web server with Let's Encrypt
acme
email : str — email for Let's Encrypt registration
staticSites
staticSites : {…} — localhost-only static file virtual hosts (no TLS)
<name>
port : u16 — localhost port to listen on
root : absolute path — document root for static files
virtualHosts
virtualHosts : {…} — virtual hosts to configure (keys are domain names)
<name>
locations
locations : {…} — location blocks
<name>
proxyPass : ?str — proxy requests to this URL
root : ?absolute path — document root for this location
root : ?absolute path — document root for static files
nomad — nomad workload orchestrator
consul
address : str = "127.0.0.1:8500" — consul HTTP API address for service registration
tokenFile : ?str — path to file containing the Consul ACL token for Nomad
vault
address : str — OpenBao API address (e.g. `https://openbao.example:8200`)
tokenFile : ?str — path to file containing the OpenBao token for Nomad
clusterNodes : [str] — hostnames of all Nomad server nodes
dataDir : str = "/var/lib/nomad"
dataNetwork : str = "infra" — topology network for cluster traffic
datacenter : str = "psyclyx"
encryptionKeyFile : ?str — path to file containing the gossip encryption key (from `nomad operator gossip keyring generate`); when unset, gossip between servers is unencrypted
httpPort : u16 = 4646
nodePool : str = "default" — nomad node pool for this client
rpcPort : u16 = 4647
serfPort : u16 = 4648
ollama — ollama local LLM inference server
acceleration : ?cuda | rocm | vulkan — GPU acceleration backend (selects the appropriate ollama package variant)
extraEnv : {str} — additional environment variables for Ollama
host : str = "127.0.0.1" — address Ollama listens on
keepAlive : str = "5m" — how long to keep models loaded in VRAM after last request
loadModels : [str] — models to pull on service start
port : u16 = 11434 — port Ollama listens on
openbao — openBao secrets management with integrated Raft storage
autoInit — automatically initialise the cluster on first deploy
recoveryKeyRecipients : [str] — age public keys used to encrypt recovery keys
recoveryShares : int = 3
recoveryThreshold : int = 2
pki — PKI secrets engine with root CA
roles
roles : [{…}] — PKI roles to create
*
allowIpSans : bool = true
allowSubdomains : bool = true
allowedDomains : str — allowed domains for certificates
maxTtl : str = "720h"
name : str — role name
commonName : str — common name for the root CA certificate
maxTtl : str = "87600h" — maximum lease TTL for the PKI engine
settings
settings : open submodule of attribute set of anything
storagePath : str = "/var/lib/openbao"
transitAddress : str — address of the transit seal provider (e.g. `https://seal-oracle.example:8200`)
ui : bool = true
apiPort : u16 = 8200
authPasswordFile : ?str — path to file containing the userpass auth password for the services account
clusterNodes : [str] — hostnames of all nodes in the OpenBao cluster
clusterPort : u16 = 8201
configure : strings concatenated with "\n" — idempotent bao CLI commands run after authentication succeeds
configureTokenFile : ?str — path to a pre-existing OpenBao token
dataNetwork : str = "infra"
servicesPolicy : strings concatenated with "\n" = '' path "kv/*" { capabilities = ["create","read","update","patch","list"] } path "pki/*" { capabilities = ["create","read","update","list"] } path "sys/mounts/*" { capabilities = ["create","read","update","sudo"] } path "sys/mounts" { capabilities = ["read","list"] } path "sys/auth/*" { capabilities = ["create","read","update","sudo"] } path "sys/auth" { capabilities = ["read","list"] } path "sys/policies/acl/*" { capabilities = ["create","read","update","list"] } path "auth/*" { capabilities = ["create","read","update","list"] } '' — HCL policy attached to the services user; note that the default grants `sudo` on `sys/mounts/*` and `sys/auth/*` plus write access to `sys/policies/acl/*` and `auth/*`, which lets the services account enable auth methods and rewrite policies — effectively admin-level — so narrow it to the exact paths each consumer needs
transitTokenFile : str — path to file containing the transit auto-unseal token
openbao-cert-publish — publish ACME certs to OpenBao KV
certs
certs : {…} — certs to publish, keyed by cert domain name (matches the security.acme.certs …
<name>
kvPath : str — KV path (under kvMount) for this cert
insecureSkipVerify : bool — skip TLS verification of the OpenBao server cert; this removes MITM protection for the token and the published cert material, so prefer trusting the server CA and leave this false outside development
kvMount : str = "kv"
tokenFile : str = "/run/openbao-auth/services-token" — path to the OpenBao auth token (provisioned by openbao-login)
vaultAddr : str — openBao API endpoint to push certs to
openbao-kv — openBao KV secret consumption
secrets
secrets : {…}
<name>
fallbackScript : ?str — if set, run this script (stdout → output file) when OpenBao is unavailable an…
group : str = "root"
kvMount : str = "kv" — KV v2 mount path
kvPath : str — path within the KV mount
mode : str = "0400"
outputFile : str — destination path for the rendered secret
owner : str = "root"
reloadUnits : [str]
renderScript : str = "cat" — script that receives the KV data JSON on stdin and outputs the final file con…
renewInterval : str = "1h"
insecureSkipVerify : bool — skip TLS verification of the OpenBao server cert; with it set, an on-path attacker can read the token and every secret fetched, so prefer trusting the server CA and leave this false outside development
tokenFile : str — path to file containing the OpenBao token for KV operations
vaultAddr : str = "http://127.0.0.1:8200" — OpenBao API address; plain HTTP is only acceptable on loopback, use an https URL for any remote address
openbao-login — openBao userpass login service
authPasswordFile : absolute path — path to the userpass password for the services user
insecureSkipVerify : bool — skip TLS verification of the OpenBao server cert; with it set, the userpass password is sent to whoever answers on vaultAddr, so prefer trusting the server CA and leave this false outside development
tokenFile : str = "/run/openbao-auth/services-token" — path where the issued token is written
username : str = "services" — userpass username
vaultAddr : str — openBao API endpoint to authenticate against
openbao-pki — openBao PKI certificate management
certificates
certificates : {…}
<name>
altNames : [str]
caFile : str = "ca.pem"
certFile : str = "cert.pem" — filename for the certificate within directory
commonName : str
directory : str
group : str = "root"
ipSans : [str]
keyFile : str = "key.pem"
keyMode : str = "600" — file mode for the private key
organization : ?str — organization (O=) field in the cert subject
owner : str = "root"
pkiPath : str = "pki"
reloadUnits : [str]
renewInterval : str = "8h"
role : str
ttl : str = "24h"
tokenFile : str — path to file containing the OpenBao token for PKI operations
vaultAddr : str = "http://127.0.0.1:8200" — OpenBao API address; plain HTTP is only acceptable on loopback, use an https URL for any remote address
openbao-seal-oracle — openBao standalone seal oracle
pki — PKI secrets engine with root CA
roles
roles : [{…}] — PKI roles to create
*
allowIpSans : bool = true
allowSubdomains : bool = true
allowedDomains : str — allowed domains for certificates
maxTtl : str = "720h"
name : str — role name
commonName : str — common name for the root CA certificate
maxTtl : str = "87600h" — maximum lease TTL for the PKI engine
seal
seal : open submodule of attribute set of string — seal stanza configuration
secretField : ?str — seal attribute whose value is injected from secretFile at runtime (e.g. `pin` for a pkcs11 seal), so the secret never appears in the Nix store
type : str = "pkcs11"
tls — TLS on the external listener (a self-signed cert is generated at first boot unless certFile/keyFile are replaced; distribute that cert to clients as a trusted CA rather than disabling verification on them)
certFile : str = "/var/lib/openbao-seal/listener-cert.pem" — path to the TLS cert file on the OpenBao host
commonName : str = "openbao" — CN to put on the self-signed cert generated at first boot
keyFile : str = "/var/lib/openbao-seal/listener-key.pem" — path to the TLS key file on the OpenBao host
subjectAltNames : [str] — DNS/IP SubjectAltNames for the generated self-signed cert
tpm
userpassUsers
userpassUsers : {…} — userpass auth users to create
<name>
passwordFile : str — path to a file containing the user's password
policies : [str] — policy names attached to the user
apiPort : u16 = 8200
authMethods : [str] — auth methods to enable on the seal oracle
bindAddress : str — IP address to bind the API listener on
configure : strings concatenated with "\n" — extra bao CLI commands run after transit engine bootstrap
kvMounts : [str] — paths at which to mount the KV v2 secrets engine
rootTokenFile : str — path to file containing the root token (for the configure service); this is a long-lived root credential, so keep the file root-only and consider revoking the token once bootstrap is complete
secretFile : ?str — path to file whose contents are injected into the seal field named by seal.se…
serviceEnvironment : {str}
openbao-vm-auth — openBao cert-auth lifecycle for this guest
pki
mount : str = "pki" — PKI engine mount path on the OpenBao server
role : str — PKI role used for both bootstrap and renewal
commonName : str — subject CN requested from PKI
insecureSkipVerify : bool — skip server-cert verification when talking to OpenBao; this lets an on-path attacker capture the one-time wrap token and the issued service token, so prefer trusting the server CA and leave this false outside development
renewMargin : str = "168h" — refresh the cert when its remaining TTL drops below this
stateDir : str = "/var/lib/openbao-auth" — persistent directory holding the cert, key, and CA
tokenFile : str = "/run/openbao-auth/services-token" — path to write the issued service token for openbao-kv consumers
ttl : str = "720h" — requested cert lifetime (PKI role enforces its own max)
vaultAddr : str — openBao API endpoint reachable from the guest
wrapTokenFile : str = "/run/openbao-init/wrap-token" — file holding the one-time wrap token the hypervisor placed here via virtiofs …
openbao-vm-ssh-host — openBao SSH host cert signing for this guest
certPath : str = "/etc/ssh/ssh_host_ed25519_key-cert.pub" — path to write the signed host cert to
hostFqdn : str — hostname put into the signed cert's valid_principals
hostKeyPath : str = "/etc/ssh/ssh_host_ed25519_key" — path to the ed25519 host key
insecureSkipVerify : bool — skip TLS verification of the OpenBao server cert; with it set, the signed host cert could come from an impostor, so prefer trusting the server CA and leave this false outside development
signPath : str — OpenBao path to POST the pubkey to, e.g. `ssh/sign/<role>`
tokenFile : str = "/run/openbao-auth/services-token" — openBao token used to authorize the sign request
ttl : str = "168h" — requested cert TTL (role's max_ttl bounds this)
vaultAddr : str — openBao API endpoint reachable from the guest
openrgb — openRGB
openssh — enable OpenSSH
agentAuth — respect SSH Agent authentication in PAM
authPrincipals : {[str]} — per-user list of authorized principals for SSH certificate auth
patroni — patroni-managed PostgreSQL HA cluster
exporters
postgres — enable the Prometheus postgres exporter
ssl — enable SSL/TLS for PostgreSQL connections
caFile : str = "/run/openbao-pki/postgres/ca.pem"
certFile : str = "/run/openbao-pki/postgres/cert.pem"
keyFile : str = "/run/openbao-pki/postgres/key.pem"
clientNetwork : str = "infra" — topology network for client/HAProxy connections (pg_hba, listen)
clusterNodes : [str] — hostnames of all nodes in the Patroni cluster
dataNetwork : str = "data" — topology network name for data traffic
port : u16 = 5432 — port for the PostgreSQL server
raftPort : u16 = 2222 — port for Patroni Raft consensus
replicationPasswordFile : ?str — path to file containing the replication user password
replicationUser : str = "replicator" — username for streaming replication
restApiPort : u16 = 8008 — port for the Patroni REST API
scope : str = "psyclyx-pg" — patroni cluster scope (name)
superuserPasswordFile : ?str — path to file containing the superuser password
postgres-init — declarative roles / databases / tablespaces / extensions for a local PostgreSQL
databases
databases : {…} — databases to create, keyed by DB name
<name>
encoding : str = "UTF8" — server-side encoding
owner : str — role that owns the database
tablespace : ?str — if set, place the database on this tablespace (must be declared in `tablespac…
extensions
extensions : {[{…}]} — extensions to install per database (keyed by DB name)
<name>
*
name : str — extension name (e.g. `pgcrypto`)
schema : str = "public" — schema the extension is installed into
roles
roles : {…} — login roles to create/update, keyed by role name
<name>
passwordFile : str — path to a file containing the role's password
schemas
schemas : {{…}} — schemas to create per database
<name>
<name>
owner : str — role that owns the schema
tablespaces
tablespaces : {…} — tablespaces to create, keyed by tablespace name
<name>
location : str — filesystem path PostgreSQL will use for this tablespace
extraAfter : [str] — extra systemd units the init unit should run After=
extraWants : [str] — extra systemd units the init unit should Wants=
package : pkg = pkgs.postgresql — PostgreSQL package whose psql binary runs the init script
superuser : str = "postgres" — local OS user that owns the PostgreSQL server and runs the init unit
printing — enable printing
prometheus — Prometheus monitoring
collector — Prometheus collector (scrapes local targets, remote-writes to the server)
extraScrapeConfigs : [(attribute set)] — additional Prometheus scrape_config job objects
remoteWriteUrl : str — Prometheus remote_write endpoint URL
scrapeTargets : [str] — list of host:port strings for node exporter scrape targets
snmpTargets : [str] — list of SNMP device addresses to scrape via snmp_exporter
server — Prometheus server
extraScrapeConfigs : [(attribute set)] — additional Prometheus scrape_config job objects
scrapeTargets : [str] — list of host:port strings for node exporter scrape targets
snmpTargets : [str] — list of SNMP device addresses to scrape via snmp_exporter
pxe-server — TFTP + HTTP for iPXE chainload and per-host netboot bundles
clients
clients : {…}
<name>
cmdline : str = "init=/nix/var/nix/profiles/system/init" — kernel cmdline passed in the iPXE chain script
initrd : absolute path — initramfs image to serve (typically a netbootRamdisk)
kernel : absolute path — linux kernel image (bzImage) to serve
macs : [str] — MACs that should chainload this client's boot bundle
ipxeBinaries
ipxeBinaries : {…} — iPXE chainload binaries
bios : absolute path — undionly.kpxe for BIOS clients
uefi : absolute path — ipxe.efi for UEFI clients
bindAddresses : [str] — IPv4 addresses to serve PXE on
hostSpecs : {str} — per-host lab-loader spec JSONs
httpPort : u16 = 8089
jweBlobs : {absolute path} — per-binding JWE blobs
redis-sentinel — Redis server with Sentinel for HA metadata
exporters
redis — enable the Prometheus Redis exporter
clusterNodes : [str] — hostnames of all nodes in the Redis Sentinel cluster
dataNetwork : str = "data" — topology network name for data traffic
masterName : str = "shared-meta" — Sentinel master name
quorum : int = 2 — number of Sentinels that must agree for failover
redisPort : u16 = 6379 — port for the Redis server
requirePassFile : ?str — path to file containing the Redis password
sentinelPort : u16 = 26379 — port for the Redis Sentinel
serverName : str = "shared" — Redis server instance name (used for systemd units and the user/group)
resolved — systemd-resolved DNS resolver
sddm — Simple Desktop Display Manager
seaweedfs — SeaweedFS distributed storage cluster
filer
configDir : ?str — directory containing filer.toml (sops-rendered)
port : u16 = 8888 — filer HTTP port
master
port : u16 = 9333 — master HTTP port
volumeSizeLimitMB : int = 30000 — max volume file size in MB
s3 — enable S3 gateway
iamConfigFile : ?str — path to IAM JSON config (sops-rendered)
port : u16 = 8333 — S3 API port
volume
dataCenter : str — volume server datacenter label
maxVolumes : int = 300 — max volumes per server
port : u16 = 8080 — volume HTTP port
rack : str = "rack1" — volume server rack label
webdav — enable WebDAV server
port : u16 = 7333 — WebDAV server port
buckets : [str] — S3 buckets to create declaratively
clusterNodes : [str] — hostnames of all nodes running volume+filer
dataNetwork : str = "data" — topology network name for intra-cluster traffic
masterNodes : [str] — hostnames of nodes running the master (odd count for Raft)
metricsNetwork : str = "infra" — topology network for metrics endpoints
metricsPort : u16 = 9327 — base metrics port (master=9327, volume=9328, filer=9329, s3=9330)
mountPoint : str = "/mnt/seaweedfs" — FUSE mount path
replication : str = "001" — replication strategy (e.g
volumeBasePath : str = "/srv/seaweedfs" — data directory root
thermald — thermal throttling daemon for Intel CPUs
unbound — Unbound DNS resolver
forward
tls : bool = true — use TLS for upstream queries
upstream : [str] = [ "1.1.1.1@853#cloudflare-dns.com" "1.0.0.1@853#cloudflare-dns.com" ] — upstream DNS servers
forwardZones
forwardZones : [{…}] — additional forward zones (beyond the default catch-all)
*
forward-addr : [str] — forward addresses for this zone
name : str — zone name
stubZones
stubZones : [{…}] — zones to stub to a local authoritative server
*
name : str — zone name
stub-addr : str — stub address (e.g., '127.0.0.1@5353')
accessControl : [str] — access control entries (e.g., '10.0.0.0/8 allow')
interfaces : [str] — additional interfaces to listen on (127.0.0.1 and ::1 always included)
localData : [str] — local data entries without quoting (e.g., 'host.example.com
localZones : {str} — local zone declarations mapping zone name to type (e.g., { "example.com" = "s…
system
containers — container config
nvidia : bool — nvidia-container-tools for GPU-accelerated container support
distributed-builds — nix distributed build configuration with SSH cert auth
documentation — documentation generation
emulation — architecture emulation config
emulatedSystems : [str] = ["aarch64-linux"] — systems to emulate
fonts — configure fonts
home-manager — home-manager config
locale — locale config
default : str = "en_US.UTF-8" — default locale
extraSupported : [str] — additional UTF-8 locales to generate
nix — nix config
githubAccessTokensFile : ?absolute path — path to a nix.conf snippet file containing access-tokens
nix-ld — support externally compiled, statically linked binaries via nix-ld
nixpkgs — nixpkgs config
storage — storage config
tune
hdd : bool = true — udev rules for rotational disk perf
nvme : bool = true — udev rules and kernel params for nvme disk perf
ssd : bool = true — udev rules for ssd perf
stylix — stylix config
sudo — privilege escalation via sudo
timestampTimeout : uint = 30 — timeout (in minutes) before sudo asks for the password again
swap — swap config
swappiness : int (0..200) = 10 — RAM/swap bias (0=max RAM preference, 200=max swap preference)
zswap : bool = true — zswap (compress swap pages in memory with zstd before they are written to disk)
timezone — timezone config
default : str = "America/Los_Angeles" — default timezone
tuning — kernel, VM, and filesystem tuning for all hosts
yubikey — YubiKey support
topology
bootstrap — project first-boot bootstrap entities (openbao-seal-oracle init, future: tpm-…
iscsi — project lun entities into SCST target / iSCSI initiator config
loader-spec — project per-host lab-loader specs (and the JWE blobs they reference) into pxe…
exportNetwork : str = "lab" — network whose addresses the loader uses to reach producers (NFS, JWE fetch)
nfs — project nfs-export entities into server config and consumer mounts
openbao-fleet — project openbao-policy, openbao-cert-role, and kv-secret entities into the lo…
openbao-vm-auth — project host.openbao.cert bindings into hypervisor-side wrap-token minters an…
insecureSkipVerify : bool = true — skip TLS server-certificate verification when talking to OpenBao
vaultAddr : str = "<scheme>://<addr>:<port>" derived from globals.openbao.{serverHost,serverNetwork,port,scheme}. — OpenBao endpoint used by both the hypervisor's wrap-token minter and the gues…
openbao-vm-ssh-host — project host.openbao.ssh bindings into per-guest openbao-vm-ssh-host services
insecureSkipVerify : bool = true — skip TLS server-certificate verification (self-signed listener)
vaultAddr : str = "https://10.0.25.1:8200" — OpenBao endpoint used by the guest's signing request
pxe
loaderSystem
loaderSystem : ?{…} — when set, every PXE host is served the same kernel + initrd (the lab-loader's…
kernel : absolute path
kernelParams : [str]
netbootRamdisk : absolute path
toplevel : absolute path
httpPort : u16 = 8089 — HTTP port the PXE server uses (must match pxe-server.httpPort)
serve : bool — set to true on the host that should run the PXE server
storage — project zfs-pool / zfs-dataset / clevis-binding entities into disko, zfs-runt…
exportNetwork : str = "lab" — network entity name carrying ZFS-derived NFS exports
vms — project hosts with refs.hypervisor = me into microvm.vms.
defaults
memMiB : positive integer, meaning >0 = 1024 — default guest memory in MiB
vcpu : positive integer, meaning >0 = 2 — default guest vCPU count
guests : {module} — per-VM NixOS module
hypervisor : qemu | cloud-hypervisor | firecracker | stratovirt = "qemu" — microvm.nix hypervisor backend used as the default for each guest
zvol-provision — project this host's `lun` entities into per-zvol create + mkfs systemd units
users
psyc — psyc user
wireguard
autoGenerateKeys : [str] — WireGuard private key paths to auto-generate if missing
host : str = "nixos" — canonical hostname
role : appliance | server | vm | workstation