NixOS options

boot
initrd-ssh — SSH access to initrd for remote disk unlocking
authorizedKeys : [str] — SSH public keys authorized to connect to initrd
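hostKeyPaths : [str] = ["/etc/secrets/initrd/ssh_host_ed25519_key"] — paths to SSH host private keys for initrd; generate keys dedicated to the initrd rather than reusing the host's regular OpenSSH host keys, since the initrd has to be readable before the encrypted disk is unlocked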
plymouth — graphical startup
systemd
initrd — systemd initrd
loader — systemd-boot
config
roles
base — base NixOS role
users
psyc — psyc user
filesystems
bcachefs — bcachefs
layouts
bcachefs-pool — @psyclyx's bcachefs-pool disk layout
UUID
boot : str — boot partition UUID (`ls -lah /dev/disk/by-uuid`)
root : str — external bcachefs FS UUID (`bcachefs show-superblock`)
wants : [str] — list of devices to weakly depend on via x-systemd.wants
hardware
cpu
amd — AMD CPU config (currently only Ryzen 5950x)
intel — Intel CPU config (tested on i5-8350U)
enableMitigations : bool = true — runtime patches for CPU vulnerabilities
drivers
scsi — SCSI drivers
cdRom : bool = true — SCSI CD_ROM
disk : bool = true — SCSI Disk
generic : bool = true — SCSI Generic
usb — USB drivers
ehci : bool = true — USB EHCI controller (USB 2)
hid : bool = true — USB HID
storage : bool = true — USB storage
uhci : bool = true — USB UHCI controller (USB 1)
xhci : bool = true — USB XHCI controller (USB 3, 2, 1)
gpu
intel — Intel graphics (i915 driver, Kaby Lake)
nvidia — NVIDIA GPU (currently 3090)
ipmi
ilo — HPE Integrated Lights Out
monitors
monitors : {…}
<name>
mode
mode : ?{…}
height : int
refresh : ?int
width : int
position
position : {…}
x : int = 0
y : int = 0
connector : str
identifier : str = "‹name›"
scale : int = 1.0
presets
hpe
dl20-gen10 — HPE ProLiant DL20 Gen 10
dl360-gen9 — HPE ProLiant DL360 Gen 9
storage
p408i-a-g10 — HPE P408i-a-G10 storage controller
p440a — HPE P440a(r) storage controller
hosts
tleilax
network
ipv4 : str = "192.0.2.1" — public IPv4 address
ipv6Prefix : str = "2001:db8::" — IPv6 prefix (e.g., '2001:db8::')
network
dns — network DNS configuration
authoritative
zones
zones : {…} — authoritative zones to serve
<name>
admin : ?str — admin email (SOA)
data : ?strings concatenated with "\n" — raw zone data
extraRecords : strings concatenated with "\n" — additional records appended to zone
peerRecords : bool — auto-generate A/AAAA records from network.json peers
ttl : int = 300 — default TTL
interfaces : [str] = [ "127.0.0.1" "::1" ] — interfaces for authoritative DNS
port : u16 = 5353 — port for authoritative DNS
client — enable client DNS (avahi + systemd-resolved)
resolver — enable DNS resolver
extraStubZones : [str] — additional zones to stub (beyond authoritative zones)
interfaces : [str] — interfaces for resolver
networkd — systemd-networkd
ports
home-assistant : u16 = 8123
initrd-ssh : u16 = 8022 — SSH port to listen on in initrd
ssh : [u16] = [22] — ports for OpenSSH to listen on
wireguard — WireGuard VPN (multi-site hub topology)
wireless — wireless network support
programs
aspell — aspell + english dicts
dictionaries : fn → [pkg] = "dicts: [dicts.en dicts.en-computers dicts.en-science]" — function returning dictionaries to include with aspell
finalPackage : pkg = pkgs.aspell-with-dicts — the aspell-with-dicts package to use
glasgow — glasgow digital interface explorer
users : [str] — users to put in the plugdev group
nvf — nvf (neovim)
qmk — QMK
ssacli — HPE Smart Storage Array Command Line Interface
steam — enable steam
sway — swayfx wm
zsh — zsh config
defaultShell : bool — zsh as the default shell
services
avahi — service discovery / mDNS
fstrim — TRIM daemon for SSDs
fwupd — fwupd
gdm — GNOME Display Manager
gnome-keyring — gnome-keyring
gnupg-agent — gnupg agent (for pinentry)
greetd — greetd+regreet
home-assistant — enables Home Assistant, with @psyclyx's config
kanata — kanata (keyboard remapper)
locate — locate service
users : [str] — users to put in the mlocate group
nginx — nginx web server with Let's Encrypt
acme
email : str — email for Let's Encrypt registration
virtualHosts
virtualHosts : {…} — virtual hosts to configure (keys are domain names)
<name>
locations
locations : {…} — location blocks
<name>
proxyPass : ?str — proxy requests to this URL
root : ?absolute path — document root for this location
root : ?absolute path — document root for static files
nsd — NSD authoritative DNS server
zones
zones : {…} — zone definitions
<name>
data : strings concatenated with "\n" — zone file data
interfaces : [str] = [ "127.0.0.1" "::1" ] — interfaces to listen on
port : u16 = 5353 — port for authoritative DNS (5353 for local stub, 53 for public)
openrgb — openRGB
openssh — enable OpenSSH
agentAuth — respect SSH Agent authentication in PAM
printing — enable printing
resolved — systemd-resolved dns resolver
sddm — Simple Desktop Display Manager
tailscale — enable tailscale service and related settings
exitNode : bool — configure tailscale client as an exit node
thermald — thermal throttling daemon for intel cpus
unbound — unbound DNS resolver
forward
tls : bool = true — use TLS for upstream queries
upstream : [str] = [ "1.1.1.1@853#cloudflare-dns.com" "1.0.0.1@853#cloudflare-dns.com" ] — upstream DNS servers
stubZones
stubZones : [{…}] — zones to stub to a local authoritative server
*
name : str — zone name
stub-addr : str — stub address (e.g., '127.0.0.1@5353')
accessControl : [str] — access control entries (e.g., '10.0.0.0/8 allow'); keep allow entries limited to the networks this resolver is meant to serve
interfaces : [str] — additional interfaces to listen on (127.0.0.1 and ::1 always included)
system
containers — container config
nvidia : bool — nvidia-container-tools for gpu-accelerated container support
documentation — documentation generation
emulation — architecture emulation config
emulatedSystems : [str] = ["aarch64-linux"] — systems to emulate
fonts — configure fonts
home-manager — home-manager config
locale — locale config
default : str = "en_US.UTF-8" — default locale
nix — nix config
nix-ld — support externally compiled, statically linked binaries via nix-ld
nixpkgs — nixpkgs config
storage — storage config
tune
hdd : bool = true — udev rules for rotational disk perf
nvme : bool = true — udev rules and kernel params for nvme disk perf
ssd : bool = true — udev rules for ssd perf
stylix — stylix config
sudo — privilege escalation via sudo
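timestampTimeout : uint = 30 — timeout (in minutes) before sudo asks for the password again; 30 is well above sudo's upstream default of 5, so cached credentials stay usable for longer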
swap — swap config
swappiness : int (0..200) = 60 — RAM/swap bias (0=max ram preference, 200=max swap preference)
zswap : bool = true — zswap (swap to zstd in-memory before disk)
timezone — timezone config
default : str = "America/Los_Angeles" — default timezone
yubikey — yubikey support
host : lab-1 | lab-2 | lab-3 | lab-4 | omen | …
role : server | workstation