NixOS options

boot
initrd-ssh — SSH access to initrd for remote disk unlocking
network
kernelModules : [str] — extra kernel modules to include in initrd for networking
netdevs : lazy attribute set of anything — systemd-networkd netdev units for the initrd
networks : lazy attribute set of anything — systemd-networkd network units for the initrd
authorizedKeys : [str] — SSH public keys authorized to connect to initrd
hostKeyPaths : [str] = ["/etc/secrets/initrd/ssh_host_ed25519_key"] — paths to SSH host keys for initrd
plymouth — graphical startup
systemd
initrd — systemd initrd
loader — systemd-boot
filesystems
bcachefs — bcachefs
bcachefs-snapshots — periodic bcachefs subvolume snapshots
targets
targets : {…} — subvolumes to snapshot periodically
<name>
retention
daily : int = 7 — number of daily snapshots to keep
hourly : int = 6 — number of hourly snapshots to keep
keepLast : int = 3 — always keep at least this many snapshots regardless of age
monthly : int = 6 — number of monthly snapshots to keep
weekly : int = 4 — number of weekly snapshots to keep
calendar : str = "*:0/10" — systemd calendar expression for snapshot frequency
device : str — bcachefs device path
subvolume : str — path within bcachefs to the subvolume group (containing @live)
impermanence — bcachefs root impermanence (wipe-on-boot)
retention
daily : int = 7 — number of daily snapshots to keep
hourly : int = 6 — number of hourly snapshots to keep
keepLast : int = 3 — always keep at least this many snapshots regardless of age
monthly : int = 3 — number of monthly snapshots to keep
weekly : int = 4 — number of weekly snapshots to keep
device : str — bcachefs device path (e.g. …)
subvolume : str = "subvolumes/root" — path within bcachefs to the root subvolume group (containing @blank and @live)
layouts
bcachefs-pool — @psyclyx's bcachefs-pool disk layout
UUID
boot : str — boot partition UUID (`ls -lah /dev/disk/by-uuid`)
root : str — external bcachefs FS UUID (`bcachefs show-superblock`)
wants : [str] — list of devices to weakly depend on via x-systemd.wants
bcachefs-subvols — bcachefs subvolume layout (partlabel-based)
subvolumes
subvolumes : {…} — mount point → subvolume mapping
<name>
neededForBoot : bool
subdir : str — path within bcachefs (X-mount.subdir value)
bootPartlabel : str — partlabel for the EFI boot partition
rootPartlabel : str — partlabel for the bcachefs root partition
swapPartlabel : ?str — partlabel for swap partition (null to disable)
btrfs-luks — btrfs-on-LUKS subvolume layout
bootUUID : str — UUID of the EFI boot partition
fsUUID : str — UUID of the btrfs filesystem inside LUKS
luksName : str = "crypted" — name for the opened LUKS device
luksUUID : str — UUID of the LUKS container
subvolumes : {str} — mount point → btrfs subvolume name mapping
swapUUID : ?str — UUID of swap partition (null to disable)
zfs-pool — ZFS pool disk layout
arc
maxBytes : ?(positive integer, meaning >0) — maximum ARC size in bytes
boot
UUID : str — boot (ESP) partition UUID
hostId : str — 8-character hex string for networking.hostId
poolName : str = "rpool" — ZFS pool name
zfs — ZFS filesystem support
arc
maxBytes : ?(positive integer, meaning >0) — maximum ARC size in bytes (null = ZFS default, ~50% RAM)
minBytes : ?(positive integer, meaning >0) — minimum ARC size in bytes (null = ZFS default)
encryption — whether pools use native ZFS encryption (prompts for passphrase in initrd)
scrub — enable periodic ZFS scrubs
interval : str = "monthly" — scrub interval (systemd calendar expression)
trim — enable periodic ZFS TRIM
hostId : str — 8-character hex string for networking.hostId (required by ZFS)
pools : [str] = ["rpool"] — ZFS pool names to request encryption credentials for
hardware
cpu
amd — AMD CPU config (currently only Ryzen 5950x)
intel — Intel CPU config (tested on i5-8350U)
enableMitigations : bool = true — enable runtime kernel mitigations for CPU hardware vulnerabilities
drivers
scsi — SCSI drivers
cdRom : bool = true — SCSI CD_ROM
disk : bool = true — SCSI Disk
generic : bool = true — SCSI Generic
usb — USB drivers
ehci : bool = true — USB EHCI controller (USB 2)
hid : bool = true — USB HID
storage : bool = true — USB storage
uhci : bool = true — USB UHCI controller (USB 1)
xhci : bool = true — USB XHCI controller (USB 3, 2, 1)
gpu
intel — Intel integrated graphics (i915)
nvidia — nvidia GPU (currently 3090)
ipmi
ilo — HPE Integrated Lights Out
monitors
monitors : {…}
<name>
mode
mode : ?{…}
height : int
refresh : ?int
width : int
position
position : {…}
x : int = 0
y : int = 0
connector : str
identifier : str = "‹name›"
scale : int = 1.0
presets
apple-silicon — Apple Silicon (Asahi Linux)
hpe
dl20-gen10 — HPE ProLiant DL20 Gen 10
dl360-gen9 — HPE ProLiant DL360 Gen 9
storage
p408i-a-g10 — HPE P408i-a-G10 storage controller
p440a — HPE P440a(r) storage controller
network
cake-qos — CAKE QoS traffic shaping with autorate
autorate — enable cake-autorate dynamic bandwidth adjustment
connectionActiveThr : int = 5000 — connection active threshold (kbps)
hash : str = "sha256-2WnMmilrVgVwjHK5ZkoXrzVlofuvvwQbSROfvd4RbEk="
version : str = "3.2.2"
download
base : int — baseline download rate (kbps)
max : int — maximum download rate (kbps)
min : int — minimum download rate (kbps)
upload
base : int — baseline upload rate (kbps)
max : int — maximum upload rate (kbps)
min : int — minimum upload rate (kbps)
interface : str — WAN-facing interface to shape
dhcp-ddns — DHCP dynamic DNS updates via Kea DHCP-DDNS
keyName : str = "ddns-iyr" — TSIG key name for DNS updates
port : u16 = 53001 — port for the DHCP-DDNS service
dns — network DNS configuration
authoritative
zones
zones : {…} — authoritative zones to serve
<name>
admin : ?str — admin email (SOA)
data : ?strings concatenated with "\n" — raw zone data
ddns : bool — allow RFC 2136 dynamic updates (authenticated by TSIG)
extraRecords : strings concatenated with "\n" — additional records appended to zone
ttl : int = 300 — default TTL
interfaces : [str] = [ "127.0.0.1" "::1" ] — listen addresses (IPs) for authoritative DNS
ns : ?str — IP address for auto-generated ns1/ns2 glue records
port : u16 = 5353 — port for authoritative DNS
tsigKeyFile : ?absolute path — path to a file containing TSIG key config for DDNS/ACME
tsigKeyName : ?str — name of the TSIG key (must match key defined in tsigKeyFile)
tsigSecretFile : ?absolute path — path to a file containing the base64 TSIG secret (for ACME DNS-01)
client — enable client DNS (avahi + systemd-resolved)
resolver — enable DNS resolver
forwardZones
forwardZones : {…} — additional forward zones for the resolver
<name>
forward-addr : [str] — forward addresses for this zone
localZones
localZones : {…} — zones served locally by the resolver via unbound local-data
<name>
records : [str] — DNS records (e.g., 'host.example.com …')
type : static | transparent | typetransparent | redirect = "static" — unbound local-zone type
accessControl : [str] — ACL entries for the resolver (e.g., '10.0.0.0/24 allow')
extraStubZones : [str] — additional zones to stub (beyond authoritative zones)
interfaces : [str] — interfaces for resolver (IPs)
zones — auto-generate authoritative zones from egregore
extraRecords : {strings concatenated with "\n"} — extra records appended to generated forward zones, keyed by egregore network …
extraZones : {any} — additional zones merged with generated ones
gatewayHostname : str — hostname of the gateway/DNS server (for NS/A glue records)
firewall — nftables firewall
forward
forward : [{…}] — zone-to-zone forwarding rules
*
rules
rules : [(open submodule of attribute set of (str | int | bool | [str | int]))] — additional match criteria for this forward rule
*
comment : ?str
verdict : str = "accept"
from : str — source zone name
to : str — destination zone name
input
input : {…} — per-zone input policy and rules
<name>
rules
rules : [(open submodule of attribute set of (str | int | bool | [str | int]))] — additional structured input rules for this zone
*
comment : ?str
verdict : str = "accept"
allowICMP : bool = true — accept standard ICMP/ICMPv6 traffic on this zone
allowedTCPPorts : [u16] — TCP ports to accept on this zone
allowedUDPPorts : [u16] — UDP ports to accept on this zone
policy : accept | drop = "drop" — default verdict for unmatched traffic on this zone
masquerade
masquerade : [{…}] — zone-to-zone NAT masquerade rules
*
from : str — source zone name
to : str — destination zone name
synFloodProtection — add syn-flood rate-limiting chain
burst : int = 50 — burst packets for SYN flood limiting
rate : str = "25/second" — nftables rate expression for SYN flood limiting
zones
zones : {…} — named interface groups
<name>
interfaces : [str] — interfaces belonging to this zone
gateway — gateway VLAN networking from egregore topology
transitDhcpV6
duidRawData : ?str
iaid : int = 250
prefixDelegationHint : str = "::/60"
initrdKernelModules : [str] = ["8021q"]
initrdVlans : [str] — egregore network names to bring up in initrd
lanAddress : ?str — static address on the untagged LAN interface
lanInterface : str — physical LAN trunk interface
lanMac : ?str
wanInterface : str — physical WAN interface
wanMac : ?str
interfaces
bonds
bonds : {…}
<name>
hashPolicy : str = "layer2+3"
lacpTransmitRate : ?str
mac : ?str — override MAC address for the bond
miiMonitorSec : str = "0.1"
mode : str = "balance-xor"
slaves : str | [str] — slave interfaces (glob pattern or explicit list)
bridges
bridges : {…}
<name>
member : str — interface to bridge (typically a bond)
initrd — bring up a subset of interfaces in initrd
interfaces : [str] — interface names to bring up in initrd (addresses from networks)
kernelModules : [str]
networks
networks : {…}
<name>
policyRouting
policyRouting : ?{…} — source-based policy routing for this interface
gateway : str
priority : int = 200
subnet : str — subnet CIDR for the direct route in the policy table
table : int
addresses : [str] — static addresses in CIDR notation
dhcp : bool — use DHCP instead of static addressing
dns : [str]
domains : [str]
gateway : ?str — default gateway (only used when policyRouting is null)
ipv6AcceptRA : bool
mac : ?str
requiredForOnline : str = "no"
vlans
vlans : {…}
<name>
id : int
parent : str
networkd — systemd-networkd
nftables
tables
tables : {…}
<name>
chains
chains : {…}
<name>
rules
rules : [(open submodule of attribute set of (str | int | bool | [str | int]))]
*
comment : ?str
verdict : str = "accept"
content : strings concatenated with "\n"
device : ?str
hook : ?str
policy : ?accept | drop
priority : ?int
type : ?filter | nat | route
content : strings concatenated with "\n"
family : ip | ip6 | inet | arp | bridge | …
ports
ports : {(submodule | u16 | [u16])} — service port registry
<name>
tcp : [u16] — TCP ports
udp : [u16] — UDP ports
topology — project egregore host data into network interfaces
defaultNetwork : str — egregore network name that gets the default route (others get policy routing)
tuning — TCP/IP stack tuning for all hosts
wireless — wireless network support
programs
adb — Android Debug Bridge and Android Studio
aspell — aspell + English dicts
dictionaries : fn → [pkg] = "dicts: [dicts.en dicts.en-computers dicts.en-science]" — function returning dictionaries to include with aspell
finalPackage : pkg = pkgs.aspell-with-dicts — the aspell-with-dicts package to use
ccache — enable ccache for C/C++ compilation
glasgow — glasgow digital interface explorer
users : [str] — users to put in the plugdev group
qmk — QMK
river — river wayland compositor with UWSM session management
ssacli — HPE Smart Storage Array Command Line Interface
steam — enable steam
sway — swayfx wm
zsh — zsh config
defaultShell : bool — zsh as the default shell
roles
base — base NixOS role
services
avahi — service discovery / MDNS
bcachefs-exporter — bcachefs sysfs metrics textfile exporter for Prometheus
chrony — chrony NTP client
consul — consul service discovery and DNS
agentTokenFile : ?str — path to file containing this node's ACL agent token
clusterNodes : [str] — hostnames of all Consul server nodes
dataDir : str = "/var/lib/consul"
dataNetwork : str = "infra" — topology network for cluster and client traffic
datacenter : str = "psyclyx"
dnsPort : u16 = 8600
encryptionKeyFile : ?str — path to file containing the gossip encryption key (from `consul keygen`)
httpPort : u16 = 8500
serfPort : u16 = 8301
serverPort : u16 = 8300
dhcp — DHCP server derived from egregore entities
pools
pools : {…}
<name>
ipv4Range
ipv4Range : {…}
end : str
start : str
ipv6Suffix
ipv6Suffix : {…}
end : str = "1ff"
start : str = "100"
extraReservations : [(attribute set)]
ipv6 : bool = true
network : str
extraDhcp4 : attribute set
extraDhcp6 : attribute set
interface : str = "bond0"
fail2ban — fail2ban intrusion prevention
fstrim — TRIM daemon for SSDs
fwupd — fwupd
gdm — GNOME Display Manager
gnome-keyring — gnome-keyring
gnupg-agent — gnupg agent (for pinentry)
grafana — visualization and dashboarding tool
dashboards — built-in homelab monitoring dashboards
extraProviders : [(attribute set)] — additional dashboard provider configs
listen
address : str = "127.0.0.1" — address the http server binds to
port : u16 = 2134 — port the http server binds to
oidc — OIDC authentication
autoLogin : bool = true — automatically redirect to the OIDC provider
clientId : str — OIDC client ID
clientSecretFile : str — path to file containing the OIDC client secret
issuer : str — OIDC issuer URL (e.g. …)
name : str = "Login" — display name for the OIDC provider on the login page
roleAttributePath : ?str — JMESPath expression to map OIDC userinfo claims to Grafana roles
domain : ?str — domain the server runs on
secretKeyFile : str — path to file containing the secret key used for signing data source settings
greetd — greetd+regreet
home-assistant — enables Home Assistant, with @psyclyx's config
discovery
address : str — static IPv4 address for the Home Assistant container
firewallZone : ?str — firewall zone to add the macvlan shim interface to
gateway : str — IP assigned to the host-side macvlan shim
interface : ?str — parent interface for a macvlan network enabling mDNS/SSDP device discovery
parentNetworkUnit : str — systemd-networkd unit name of the parent interface's .network file
subnet : str — subnet CIDR for the macvlan network
devices : [str] — device paths to pass through to the container
trustedProxies : [str] — IP addresses of reverse proxies whose X-Forwarded-For header is trusted as the client address (enables use_x_forwarded_for)
icecream — icecream (icecc) distributed compilation
maxJobs : ?(positive integer, meaning >0) — maximum parallel compile jobs
netName : str = "PSYCLYX" — icecream network name
noRemote : bool — prevent remote jobs from being scheduled on this node
scheduler : bool — whether this node runs the icecream scheduler
schedulerHost : ?str — explicit scheduler hostname/IP
kanata — kanata (keyboard remapper)
kiosk — cage Wayland kiosk
url : str — URL to display in the kiosk
user : str = "kiosk" — user to autologin as
knot — knot authoritative DNS server
zones
zones : {…} — zone definitions
<name>
data : strings concatenated with "\n" — zone file data
ddns : bool — allow RFC 2136 dynamic updates (authenticated by TSIG)
interfaces : [str] = [ "127.0.0.1" "::1" ] — interfaces to listen on
port : u16 = 5353 — port for authoritative DNS (5353 for local stub, 53 for public)
tsigKeyFile : ?absolute path — path to a file containing TSIG key config (Knot YAML format)
tsigKeyName : ?str — name of the TSIG key (must match the key defined in tsigKeyFile)
locate — locate service
users : [str] — users to put in the mlocate group
loki — loki log aggregation server
port : u16 = 3100 — HTTP listen port for the Loki server
retentionPeriod : str = "744h" — log retention period
nginx — nginx web server with Let's Encrypt
acme
email : str — email for Let's Encrypt registration
virtualHosts
virtualHosts : {…} — virtual hosts to configure (keys are domain names)
<name>
locations
locations : {…} — location blocks
<name>
proxyPass : ?str — proxy requests to this URL
root : ?absolute path — document root for this location
root : ?absolute path — document root for static files
nomad — nomad workload orchestrator
consul
address : str = "127.0.0.1:8500" — consul HTTP API address for service registration
tokenFile : ?str — path to file containing the Consul ACL token for Nomad
vault
address : str — OpenBao API address (e.g. …)
tokenFile : ?str — path to file containing the OpenBao token for Nomad
clusterNodes : [str] — hostnames of all Nomad server nodes
dataDir : str = "/var/lib/nomad"
dataNetwork : str = "infra" — topology network for cluster traffic
datacenter : str = "psyclyx"
encryptionKeyFile : ?str — path to file containing the gossip encryption key (from `nomad operator gossi…
httpPort : u16 = 4646
nodePool : str = "default" — nomad node pool for this client
rpcPort : u16 = 4647
serfPort : u16 = 4648
openbao — OpenBao secrets management with integrated Raft storage
autoInit — automatically initialise the cluster on first deploy
recoveryKeyRecipients : [str] — age public keys used to encrypt recovery keys
recoveryShares : int = 3
recoveryThreshold : int = 2
settings
settings : open submodule of attribute set of anything
storagePath : str = "/var/lib/openbao"
transitAddress : str — address of the transit seal provider (e.g. …)
ui : bool = true
apiPort : u16 = 8200
authPasswordFile : ?str — path to file containing the userpass auth password for the services account
clusterNodes : [str] — hostnames of all nodes in the OpenBao cluster
clusterPort : u16 = 8201
configure : strings concatenated with "\n" — idempotent bao CLI commands run after authentication succeeds
configureTokenFile : ?str — path to a file containing a pre-existing OpenBao token
dataNetwork : str = "infra"
servicesPolicy : strings concatenated with "\n" = '' path "kv/*" { capabilities = ["create","read","update","patch","list"] } path "pki/*" { capabilities = ["create","read","update","list"] } path "sys/mounts/*" { capabilities = ["create","read","update","sudo"] } path "sys/mounts" { capabilities = ["read","list"] } path "sys/auth/*" { capabilities = ["create","read","update","sudo"] } path "sys/auth" { capabilities = ["read","list"] } path "sys/policies/acl/*" { capabilities = ["create","read","update","list"] } path "auth/*" { capabilities = ["create","read","update","list"] } '' — HCL policy attached to the services user
transitTokenFile : str — path to file containing the transit auto-unseal token
openbao-kv — OpenBao KV secret consumption
secrets
secrets : {…}
<name>
fallbackScript : ?str — if set, run this script (stdout → output file) when OpenBao is unavailable an…
group : str = "root"
kvMount : str = "kv" — KV v2 mount path
kvPath : str — path within the KV mount
mode : str = "0400"
outputFile : str — destination path for the rendered secret
owner : str = "root"
reloadUnits : [str]
renderScript : str = "cat" — script that receives the KV data JSON on stdin and outputs the final file con…
renewInterval : str = "1h"
tokenFile : str — path to file containing the OpenBao token for KV operations
vaultAddr : str = "http://127.0.0.1:8200" — OpenBao API address
openbao-pki — OpenBao PKI certificate management
certificates
certificates : {…}
<name>
altNames : [str]
caFile : str = "ca.pem"
certFile : str = "cert.pem" — filename for the certificate within directory
commonName : str
directory : str
group : str = "root"
ipSans : [str]
keyFile : str = "key.pem"
keyMode : str = "600" — file mode for the private key
organization : ?str — organization (O=) field in the cert subject
owner : str = "root"
pkiPath : str = "pki"
reloadUnits : [str]
renewInterval : str = "8h"
role : str
ttl : str = "24h"
tokenFile : str — path to file containing the OpenBao token for PKI operations
vaultAddr : str = "http://127.0.0.1:8200" — OpenBao API address
openbao-seal-oracle — OpenBao standalone seal oracle
seal
seal : open submodule of attribute set of string — seal stanza configuration
secretField : ?str — seal attribute whose value is injected from secretFile at runtime (e.g. …)
type : str = "pkcs11"
tpm
apiPort : u16 = 8200
bindAddress : str — IP address to bind the API listener on
configure : strings concatenated with "\n" — extra bao CLI commands run after transit engine bootstrap
rootTokenFile : str — path to file containing the root token (for the configure service)
secretFile : ?str — path to file whose contents are injected into the seal field named by seal.secretField
serviceEnvironment : {str}
openrgb — OpenRGB
openssh — enable OpenSSH
agentAuth — respect SSH Agent authentication in PAM
authPrincipals : {[str]} — per-user list of authorized principals for SSH certificate auth
patroni — patroni-managed PostgreSQL HA cluster
exporters
postgres — enable the Prometheus postgres exporter
ssl — enable SSL/TLS for PostgreSQL connections
caFile : str = "/run/openbao-pki/postgres/ca.pem"
certFile : str = "/run/openbao-pki/postgres/cert.pem"
keyFile : str = "/run/openbao-pki/postgres/key.pem"
clientNetwork : str = "infra" — topology network for client/HAProxy connections (pg_hba, listen)
clusterNodes : [str] — hostnames of all nodes in the Patroni cluster
dataNetwork : str = "data" — topology network name for data traffic
port : u16 = 5432 — port for the PostgreSQL server
raftPort : u16 = 2222 — port for Patroni Raft consensus
replicationPasswordFile : ?str — path to file containing the replication user password
replicationUser : str = "replicator" — username for streaming replication
restApiPort : u16 = 8008 — port for the Patroni REST API
scope : str = "psyclyx-pg" — patroni cluster scope (name)
superuserPasswordFile : ?str — path to file containing the superuser password
printing — enable printing
prometheus — prometheus monitoring
collector — prometheus collector (scrapes local targets, remote-writes to server)
extraScrapeConfigs : [(attribute set)] — additional Prometheus scrape_config job objects
remoteWriteUrl : str — prometheus remote_write endpoint URL
scrapeTargets : [str] — list of host:port strings for node exporter scrape targets
snmpTargets : [str] — list of SNMP device addresses to scrape via snmp_exporter
server — prometheus server
extraScrapeConfigs : [(attribute set)] — additional Prometheus scrape_config job objects
scrapeTargets : [str] — list of host:port strings for node exporter scrape targets
snmpTargets : [str] — list of SNMP device addresses to scrape via snmp_exporter
promtail — promtail log shipping agent
lokiUrl : str — URL of the Loki push endpoint (e.g. …)
port : u16 = 9080 — HTTP listen port for Promtail
redis-sentinel — redis server with Sentinel for HA metadata
exporters
redis — enable the Prometheus redis exporter
clusterNodes : [str] — hostnames of all nodes in the Redis Sentinel cluster
dataNetwork : str = "data" — topology network name for data traffic
masterName : str = "shared-meta" — sentinel master name
quorum : int = 2 — number of Sentinels that must agree for failover
redisPort : u16 = 6379 — port for the Redis server
requirePassFile : ?str — path to file containing the Redis password
sentinelPort : u16 = 26379 — port for the Redis Sentinel
serverName : str = "shared" — redis server instance name (used for systemd units, user/group)
resolved — systemd-resolved dns resolver
sddm — Simple Desktop Display Manager
seaweedfs — seaweedFS distributed storage cluster
filer
configDir : ?str — directory containing filer.toml (sops-rendered)
port : u16 = 8888 — filer HTTP port
master
port : u16 = 9333 — master HTTP port
volumeSizeLimitMB : int = 30000 — max volume file size in MB
s3 — enable S3 gateway
iamConfigFile : ?str — path to IAM JSON config (sops-rendered)
port : u16 = 8333 — S3 API port
volume
dataCenter : str = "lab" — volume server datacenter label
maxVolumes : int = 300 — max volumes per server
port : u16 = 8080 — volume HTTP port
rack : str = "rack1" — volume server rack label
webdav — enable WebDAV server
port : u16 = 7333 — WebDAV server port
buckets : [str] — s3 buckets to create declaratively
clusterNodes : [str] — hostnames of all nodes running volume+filer
dataNetwork : str = "data" — topology network name for intra-cluster traffic
masterNodes : [str] — hostnames of nodes running the master (odd count for Raft)
metricsNetwork : str = "infra" — topology network for metrics endpoints
metricsPort : u16 = 9327 — base metrics port (master=9327, volume=9328, filer=9329, s3=9330)
mountPoint : str = "/mnt/seaweedfs" — FUSE mount path
replication : str = "001" — replication strategy (e.g. …)
volumeBasePath : str = "/srv/seaweedfs" — data directory root
tailscale — enable tailscale service and related settings
exitNode : bool — configure tailscale client as an exit node
thermald — thermal throttling daemon for Intel CPUs
unbound — unbound DNS resolver
forward
tls : bool = true — use TLS for upstream queries
upstream : [str] = [ "1.1.1.1@853#cloudflare-dns.com" "1.0.0.1@853#cloudflare-dns.com" ] — upstream DNS servers
forwardZones
forwardZones : [{…}] — additional forward zones (beyond the default catch-all)
*
forward-addr : [str] — forward addresses for this zone
name : str — zone name
stubZones
stubZones : [{…}] — zones to stub to a local authoritative server
*
name : str — zone name
stub-addr : str — stub address (e.g., '127.0.0.1@5353')
accessControl : [str] — access control entries (e.g., '10.0.0.0/8 allow')
interfaces : [str] — additional interfaces to listen on (127.0.0.1 and ::1 always included)
localData : [str] — local data entries without quoting (e.g., 'host.example.com …')
localZones : {str} — local zone declarations mapping zone name to type (e.g., { "example.com" = "s…
system
containers — container config
nvidia : bool — nvidia-container-tools for gpu-accelerated container support
distributed-builds — nix distributed build configuration with SSH cert auth
documentation — documentation generation
emulation — architecture emulation config
emulatedSystems : [str] = ["aarch64-linux"] — systems to emulate
fonts — configure fonts
home-manager — home-manager config
locale — locale config
default : str = "en_US.UTF-8" — default locale
nix — nix config
githubAccessTokensFile : ?absolute path — path to a nix.conf snippet file containing access-tokens
nix-ld — support externally compiled, statically linked binaries via nix-ld
nixpkgs — nixpkgs config
storage — storage config
tune
hdd : bool = true — udev rules for rotational disk perf
nvme : bool = true — udev rules and kernel params for nvme disk perf
ssd : bool = true — udev rules for ssd perf
stylix — stylix config
sudo — privilege escalation via sudo
timestampTimeout : uint = 30 — timeout (in minutes) before asking for password again
swap — swap config
swappiness : int (0..200) = 10 — RAM/swap bias (0=max ram preference, 200=max swap preference)
zswap : bool = true — zswap (swap to zstd in-memory before disk)
timezone — timezone config
default : str = "America/Los_Angeles" — default timezone
tuning — kernel, VM, and filesystem tuning for all hosts
yubikey — yubikey support
users
psyc — psyc user
wireguard
autoGenerateKeys : [str] — WireGuard private key paths to auto-generate if missing
host : str = "nixos" — canonical hostname
role : server | workstation