local.ai.ollama.enable
Whether to enable Ollama vulkan setup.
Type: boolean
Default:
false
Example:
true
local.ai.ollama.port
HTTP port for Ollama
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
11434
local.ai.webui.enable
Whether to enable the web UI for Ollama.
Type: boolean
Default:
false
Example:
true
local.ai.webui.port
HTTP port for open webui
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8080
local.backup-manager.enable
Whether to enable backup-manager module.
Type: boolean
Default:
false
Example:
true
local.backup-manager.backupLocation
Base path for borg backup repository (must be a mounted filesystem)
Type: string
Default:
""
Example:
"/media/Backups"
local.backup-manager.exclude
Glob patterns to exclude from backups
Type: list of string
Default:
[ ]
Example:
[
"*/node_modules"
"*/target"
"*/.cache"
"*.tmp"
]
local.backup-manager.paths
Additional paths to backup beyond auto-discovered user folders (Projects, Documents, Pictures, Videos, .ssh)
Type: list of string
Default:
[ ]
Example:
[
"/etc/nixos"
"/var/lib/important"
]
local.bluetooth.enable
Whether to enable Modern Bluetooth stack.
Type: boolean
Default:
false
Example:
true
local.bootloader.enablePlymouth
Enable Plymouth boot splash screen
Type: boolean
Default:
true
local.bootloader.addRecoveryOption
Add recovery partition boot option to bootloader menu
Type: boolean
Default:
false
local.bootloader.device
Device for BIOS bootloader installation (required for BIOS mode)
Type: string
Default:
""
Example:
"/dev/sda"
local.bootloader.mode
Boot mode: UEFI or legacy BIOS
Type: one of “uefi”, “bios”
Default:
"uefi"
local.bootloader.recoveryUUID
UUID of recovery partition for boot menu entry (use blkid to find partition UUID)
Type: string
Default:
""
Example:
"12345678-1234-1234-1234-123456789abc"
local.bootloader.uefiType
UEFI bootloader to use
Type: one of “systemd-boot”, “grub”, “limine”
Default:
"systemd-boot"
local.dashboard.enable
Whether to enable homepage dashboard.
Type: boolean
Default:
false
Example:
true
local.dashboard.allowedHosts
List of allowed hostnames for accessing the dashboard (for reverse proxy). Defaults to hostname, IP, and .local address.
Type: list of string
Default:
[
"localhost"
"127.0.0.1"
]
Example:
[
"onix.local"
"192.168.1.100"
]
local.dashboard.openFirewall
Open firewall port for dashboard
Type: boolean
Default:
false
local.dashboard.port
Port to run the dashboard on
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
3000
local.desktops.enable
Enable desktop environment support
Type: boolean
Default:
false
local.desktops.enableEnv
Enable Wayland environment variables
Type: boolean
Default:
true
local.desktops.displayManager
The display manager to use
Type: one of “sddm”, “gdm”, “ly”, “none”, “dms”
Default:
"sddm"
local.desktops.hyprland
Enable Hyprland compositor
Type: boolean
Default:
false
local.desktops.niri
Enable Niri compositor
Type: boolean
Default:
false
local.desktops.plasma6
Enable KDE Plasma 6 desktop environment
Type: boolean
Default:
false
local.disks.enable
Whether to enable basic configuration for disk management.
Type: boolean
Default:
false
Example:
true
local.docs.enable
Whether to enable the dotfiles documentation service.
Type: boolean
Default:
false
Example:
true
local.docs.package
The documentation package to serve.
Type: package
Default:
<derivation dotfiles-docs-site>
local.docs.port
Port to serve the documentation on.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
3088
local.dotfiles-sync.enable
Whether to enable Dotfiles management.
Type: boolean
Default:
false
Example:
true
local.dotfiles-sync.maintenance.enable
Whether to enable System maintenance (GC and optimization).
Type: boolean
Default:
false
Example:
true
local.dotfiles-sync.maintenance.autoUpgrade
Whether to automatically pull from git and upgrade
Type: boolean
Default:
false
local.dotfiles-sync.maintenance.upgradeFlake
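Flake URL for system auto-upgrade. With autoUpgrade enabled, whatever this URL serves is built and activated as the system configuration, so use a transport that authenticates the server (HTTPS or SSH); the default is plain HTTP.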
Type: string
Default:
"git+http://192.168.1.65:3002/xiro/dotfiles.nix.git"
Example:
"github:user/dotfiles"
local.dotfiles-sync.repo.enable
Whether to enable Manage /etc/nixos permissions and symlinks.
Type: boolean
Default:
false
Example:
true
local.dotfiles-sync.repo.editorGroup
Group that has write access to the /etc/nixos repository
Type: string
Default:
"wheel"
Example:
"users"
local.dotfiles-sync.sync.enable
Whether to enable Automated git sync.
Type: boolean
Default:
false
Example:
true
local.dotfiles-sync.sync.interval
How often to pull changes from git (systemd time span format: 30m, 1h, 2h, etc.)
Type: string
Default:
"30m"
Example:
"1h"
local.downloads.enable
Whether to enable download services.
Type: boolean
Default:
false
Example:
true
local.downloads.downloadDir
Base directory for downloads
Type: string
Default:
"/media/Media/downloads"
Example:
"/mnt/storage/downloads"
local.downloads.pinchflat.enable
Whether to enable Pinchflat YouTube downloader.
Type: boolean
Default:
false
Example:
true
local.downloads.pinchflat.openFirewall
Open firewall port for Pinchflat
Type: boolean
Default:
false
local.downloads.pinchflat.port
Web interface port
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8945
local.downloads.qbittorrent.enable
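Whether to enable Transmission BitTorrent client. (The option path says qbittorrent while this and the neighbouring descriptions say Transmission; check the module to see which client is actually started.)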
Type: boolean
Default:
false
Example:
true
local.downloads.qbittorrent.openFirewall
Open firewall ports for Transmission
Type: boolean
Default:
false
local.downloads.qbittorrent.port
Web interface port
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8080
local.downloads.qbittorrent.subPath
Subpath for reverse proxy (e.g., /transmission)
Type: string
Default:
""
Example:
"/qbittorrent"
local.file-browser.enable
Whether to enable Web-based file browser.
Type: boolean
Default:
false
Example:
true
local.file-browser.openFirewall
Open firewall port for File Browser
Type: boolean
Default:
false
local.file-browser.port
Web interface port
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8999
local.file-browser.rootPath
Root path to serve files from
Type: string
Default:
"/media"
local.file-sharing.enable
Whether to enable file sharing services.
Type: boolean
Default:
false
Example:
true
local.file-sharing.definitions
Structured share definitions that automatically configure both Samba and NFS
Type: attribute set of (submodule)
Default:
{ }
Example:
{
media = {
path = "/srv/media";
comment = "Media files";
readOnly = true;
guestOk = true;
enableNFS = true;
};
documents = {
path = "/srv/documents";
comment = "Shared documents";
validUsers = [ "alice" "bob" ];
};
}
local.file-sharing.definitions.<name>.enableNFS
Also export this share via NFS
Type: boolean
Default:
false
local.file-sharing.definitions.<name>.browseable
Whether the share is visible in browse lists
Type: boolean
Default:
true
local.file-sharing.definitions.<name>.comment
Description of the share
Type: string
Default:
""
local.file-sharing.definitions.<name>.createMask
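Permissions mask for created files. The default 0666 makes new files readable and writable by every user; use a narrower mask such as 0660 for shares that are not meant to be public.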
Type: string
Default:
"0666"
local.file-sharing.definitions.<name>.directoryMask
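Permissions mask for created directories. The default 0777 makes new directories writable by every user; use a narrower mask such as 0770 for shares that are not meant to be public.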
Type: string
Default:
"0777"
local.file-sharing.definitions.<name>.guestOk
Allow guest access without authentication
Type: boolean
Default:
false
local.file-sharing.definitions.<name>.nfsClients
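Network range for NFS access. The default covers all of 192.168.0.0/16 and the default nfsOptions include rw; restrict this to the actual client subnet or hosts.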
Type: string
Default:
"192.168.0.0/16"
Example:
"192.168.1.0/24"
local.file-sharing.definitions.<name>.nfsOptions
NFS export options
Type: list of string
Default:
[
"rw"
"sync"
"no_subtree_check"
]
local.file-sharing.definitions.<name>.path
Absolute path to the share directory
Type: absolute path
local.file-sharing.definitions.<name>.readOnly
Whether the share is read-only
Type: boolean
Default:
false
local.file-sharing.definitions.<name>.validUsers
List of users allowed to access (empty = all users)
Type: list of string
Default:
[ ]
Example:
[
"alice"
"bob"
]
local.file-sharing.definitions.<name>.writeable
Whether users can write to the share
Type: boolean
Default:
true
local.file-sharing.nfs.enable
Whether to enable NFS server.
Type: boolean
Default:
false
Example:
true
local.file-sharing.nfs.exports
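NFS exports configuration. Note that no_root_squash, shown in the first example line, lets root on a client act as root on the exported files; leave it out unless the clients are fully trusted.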
Type: strings concatenated with “\n”
Default:
""
Example:
''
/srv/shares 192.168.1.0/24(rw,sync,no_subtree_check,no_root_squash)
/srv/media 192.168.1.0/24(ro,sync,no_subtree_check)
''
local.file-sharing.nfs.openFirewall
Open firewall ports for NFS
Type: boolean
Default:
false
local.file-sharing.samba.enable
Whether to enable Samba server.
Type: boolean
Default:
false
Example:
true
local.file-sharing.samba.openFirewall
Open firewall ports for Samba
Type: boolean
Default:
false
local.file-sharing.samba.serverString
Server description string
Type: string
Default:
"NixOS File Server"
local.file-sharing.samba.shares
Samba share definitions
Type: attribute set of attribute set of unspecified value
Default:
{ }
Example:
{
public = {
path = "/srv/shares/public";
"read only" = "no";
browseable = "yes";
"guest ok" = "yes";
};
media = {
path = "/srv/media";
"read only" = "yes";
browseable = "yes";
"guest ok" = "yes";
};
}
local.file-sharing.samba.workgroup
Samba workgroup name
Type: string
Default:
"WORKGROUP"
local.file-sharing.shareDir
Base directory for shared files
Type: string
Default:
"/srv/shares"
Example:
"/mnt/storage/shares"
local.flatpak.enable
Whether to enable Flatpak support.
Type: boolean
Default:
false
Example:
true
local.flatpak.extraPackages
flatpaks to install
Type: list of string
Default:
[ ]
local.gaming.enable
Whether to enable Gaming optimizations.
Type: boolean
Default:
false
Example:
true
local.gitea.enable
Whether to enable Gitea Git service.
Type: boolean
Default:
false
Example:
true
local.gitea.dataDir
Data directory for Gitea
Type: string
Default:
"/var/lib/gitea"
local.gitea.domain
Domain name for Gitea instance
Type: string
Default:
"localhost"
Example:
"git.example.com"
local.gitea.openFirewall
Open firewall ports for Gitea
Type: boolean
Default:
false
local.gitea.port
HTTP port for Gitea web interface
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
3001
local.gitea.rootUrl
Root URL for Gitea
Type: string
Default:
"http://localhost:3001/"
Example:
"https://git.example.com/"
local.gitea.sshPort
SSH port for Git operations
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
2222
local.gog-downloader.enable
Whether to enable Automated GOG library synchronization.
Type: boolean
Default:
false
Example:
true
local.gog-downloader.directory
Directory where games will be downloaded
Type: absolute path
Default:
"/media/Media/games"
local.gog-downloader.extraArgs
Extra arguments passed to lgogdownloader
Type: string
Default:
"--repair --download"
local.gog-downloader.interval
Systemd timer interval.
Type: string
Default:
"daily"
local.gog-downloader.platforms
Platforms to download (l=linux, w=windows, m=mac)
Type: string
Default:
"l+w"
local.gog-downloader.secretFile
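Path to a file containing environment variables for GOG login. Expected format: GOG_EMAIL=user@example.com GOG_PASSWORD=yourpassword. Keep this file outside the Nix store (which is world-readable) and readable only by root or the service user.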
Type: absolute path
local.harmonia-cache.enable
Whether to enable Attic binary cache server. (The option path says harmonia-cache; check the module to see which cache server is actually run.)
Type: boolean
Default:
false
Example:
true
local.harmonia-cache.openFirewall
Open firewall port for the cache server
Type: boolean
Default:
false
local.harmonia-cache.port
HTTP port for cache server
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
5000
local.harmonia-cache.signKeyPaths
Paths to the secret keys used for signing
Type: list of absolute path
Default:
[ ]
local.kmscon.enable
Whether to enable kmscon terminal emulator for servers.
Type: boolean
Default:
false
Example:
true
local.localization.enable
Whether to enable Localization settings (timezone and locale).
Type: boolean
Default:
false
Example:
true
local.localization.locale
Default system locale for language, formatting, and character encoding
Type: string
Default:
"en_US.UTF-8"
Example:
"en_GB.UTF-8"
local.localization.timeZone
System timezone (use timedatectl list-timezones to see available options)
Type: string
Default:
"America/Chicago"
Example:
"Europe/London"
local.media.enable
Whether to enable media server stack.
Type: boolean
Default:
false
Example:
true
local.media.audiobookshelf.enable
Whether to enable Audiobookshelf audiobook server.
Type: boolean
Default:
false
Example:
true
local.media.audiobookshelf.openFirewall
Open firewall port for Audiobookshelf
Type: boolean
Default:
false
local.media.audiobookshelf.port
HTTP port for Audiobookshelf
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
13378
local.media.ersatztv.enable
Whether to enable ErsatzTV streaming service.
Type: boolean
Default:
false
Example:
true
local.media.ersatztv.openFirewall
Open firewall port for ErsatzTV
Type: boolean
Default:
false
local.media.ersatztv.port
HTTP port for ErsatzTV
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8409
local.media.jellyfin.enable
Whether to enable Jellyfin media server.
Type: boolean
Default:
false
Example:
true
local.media.jellyfin.openFirewall
Open firewall port for Jellyfin
Type: boolean
Default:
false
local.media.jellyfin.port
HTTP port for Jellyfin
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8096
local.media.komga.enable
Whether to enable Komga comic/manga server.
Type: boolean
Default:
false
Example:
true
local.media.komga.openFirewall
Open firewall port for Komga
Type: boolean
Default:
false
local.media.komga.port
HTTP port for Komga
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8092
local.media.mediaDir
Base directory for media files
Type: string
Default:
"/media/Media"
Example:
"/media/Media"
local.media.plex.enable
Whether to enable Plex Media Server.
Type: boolean
Default:
false
Example:
true
local.media.plex.openFirewall
Open firewall port for Plex
Type: boolean
Default:
false
local.media.plex.port
HTTP port for Plex
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
32400
local.minecraft-server.enable
If enabled, start a Minecraft Server. The server
data will be loaded from and saved to
services.minecraft-server.dataDir.
Type: boolean
Default:
false
local.minecraft-server.package
The minecraft-server package to use.
Type: package
Default:
pkgs.minecraft-server
Example:
minecraft-server_1_12_2
local.minecraft-server.dataDir
Directory to store Minecraft database and other state/data files.
Type: absolute path
Default:
"/var/lib/minecraft"
local.minecraft-server.declarative
Whether to use a declarative Minecraft server configuration.
Only if set to true, the options
services.minecraft-server.whitelist and
services.minecraft-server.serverProperties will be
applied.
Type: boolean
Default:
false
local.minecraft-server.eula
Whether you agree to
Mojang's EULA. This option must be set to
true to run Minecraft server.
Type: boolean
Default:
false
local.minecraft-server.jvmOpts
JVM options for the Minecraft server.
Type: strings concatenated with “ “
Default:
"-Xmx2048M -Xms2048M"
Example:
"-Xms4092M -Xmx4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing -XX:+CMSClassUnloadingEnabled -XX:ParallelGCThreads=2 -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10"
local.minecraft-server.openFirewall
Whether to open ports in the firewall for the server.
Type: boolean
Default:
false
local.minecraft-server.serverProperties
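Minecraft server properties for the server.properties file. Only has
an effect when services.minecraft-server.declarative
is set to true. See
https://minecraft.gamepedia.com/Server.properties#Java_Edition_3
for documentation on these values.
Values set here are part of the system configuration and end up in the world-readable Nix store, so do not put a real rcon.password (as in the example) in this option.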
Type: attribute set of (boolean or signed integer or string)
Default:
{ }
Example:
{
server-port = 43000;
difficulty = 3;
gamemode = 1;
max-players = 5;
motd = "NixOS Minecraft server!";
white-list = true;
enable-rcon = true;
"rcon.password" = "hunter2";
}
local.minecraft-server.whitelist
Whitelisted players, only has an effect when
services.minecraft-server.declarative is
true and the whitelist is enabled
via services.minecraft-server.serverProperties by
setting white-list to true.
This is a mapping from Minecraft usernames to UUIDs.
You can use https://mcuuid.net/ to get a
Minecraft UUID for a username.
Type: attribute set of Minecraft UUID
Default:
{ }
Example:
{
username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy";
};
local.network.enable
Whether to enable Standard system networking.
Type: boolean
Default:
false
Example:
true
local.network.useNetworkManager
Whether to use NetworkManager (for desktops) or just iwd/systemd (minimal).
Type: boolean
Default:
true
local.network.usePihole
Whether to prioritize the local Pi-hole (192.168.1.65) for DNS.
Type: boolean
Default:
true
local.network-hosts.onix
Address for Onix host
Type: string (read only)
Default:
"192.168.1.65"
local.network-hosts.ruby
Address for Ruby host
Type: string (read only)
Default:
"192.168.1.66"
local.network-hosts.sapphire
Address for Sapphire host
Type: string (read only)
Default:
"192.168.1.67"
local.network-hosts.useAvahi
Whether to use Avahi/mDNS hostnames (.local) instead of raw IP addresses for local network hosts
Type: boolean
Default:
false
local.network-mounts.enable
Whether to enable Samba mounts from Onix.
Type: boolean
Default:
false
Example:
true
local.network-mounts.mounts
List of SMB/CIFS shares to mount automatically with systemd automount
Type: list of (submodule)
Default:
[ ]
Example:
[
{ shareName = "Media"; localPath = "/media/Media"; }
{ shareName = "Backups"; localPath = "/media/Backups"; noShow = true; }
]
local.network-mounts.mounts.*.localPath
Local mount point path (common locations: /media/, /mnt/, or /run/media/)
Type: string
Example:
"/media/Media"
local.network-mounts.mounts.*.noAuth
Whether to mount as guest without authentication
Type: boolean
Default:
false
local.network-mounts.mounts.*.noShow
Whether to hide this mount from file manager
Type: boolean
Default:
false
local.network-mounts.mounts.*.options
Additional mount options to append to defaults
Type: list of string
Default:
[ ]
Example:
[
"ro"
"vers=3.0"
]
local.network-mounts.mounts.*.shareName
Name of the share on the SMB server
Type: string
Example:
"Media"
local.network-mounts.noAuth
Mount shares as guest without credentials
Type: boolean
Default:
false
local.network-mounts.secretName
Name of sops secret containing SMB credentials (username=xxx and password=xxx format)
Type: string
Default:
"onix_creds"
Example:
"smb_credentials"
local.network-mounts.serverIp
IP address or hostname of SMB/CIFS server
Type: string
Default:
"192.168.1.65"
Example:
"192.168.1.100"
local.nix-cache-client.enable
Whether to enable cache module.
Type: boolean
Default:
false
Example:
true
local.nix-cache-client.publicKey
Public key for cache verification
Type: string
Default:
"cache.onix.home-1:/M1y/hGaD/dB8+mDfZmMdtXaWjq7XtLc1GMycddoNIE="
Example:
"cache:AbCdEf1234567890+GhIjKlMnOpQrStUvWxYz=="
local.nix-cache-client.serverAddress
Attic binary cache server URL with optional priority parameter
Type: string
Default:
"http://192.168.1.65:5000/?priority=1"
Example:
"http://cache.example.com:8080/nixos?priority=10"
local.nix-core-settings.enable
Whether to enable Basic system and Nix settings.
Type: boolean
Default:
false
Example:
true
local.pihole.enable
Whether to enable Pi-hole DNS service.
Type: boolean
Default:
false
Example:
true
local.pihole.adminPassword
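Admin password for the Pi-hole Web UI. The default is the well-known value "admin" and the value is stored in plain text in the Nix configuration; change it before exposing the Web UI.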
Type: string
Default:
"admin"
local.pihole.dataDir
Directory to store Pi-hole configuration and data.
Type: string
Default:
"/var/lib/pihole"
local.pipewire-audio.enable
Whether to enable PipeWire based audio stack.
Type: boolean
Default:
false
Example:
true
local.recovery-builder.enable
Whether to enable Recovery Builder.
Type: boolean
Default:
false
Example:
true
local.registry.enable
Whether to enable Flake registry for dotfiles.
Type: boolean
Default:
false
Example:
true
local.reverse-proxy.enable
Whether to enable reverse proxy with automatic HTTPS.
Type: boolean
Default:
false
Example:
true
local.reverse-proxy.acmeEmail
Email address for ACME/Let’s Encrypt certificates
Type: string
Default:
""
Example:
"admin@example.com"
local.reverse-proxy.domain
Primary domain name for the reverse proxy
Type: string
Default:
"localhost"
Example:
"server.example.com"
local.reverse-proxy.openFirewall
Open firewall ports 80 and 443. Unlike the other openFirewall options listed here, this one defaults to true.
Type: boolean
Default:
true
local.reverse-proxy.services
Services to proxy
Type: attribute set of (submodule)
Default:
{ }
Example:
{
gitea.target = "http://localhost:3001";
}
local.reverse-proxy.services.<name>.extraConfig
Extra Nginx configuration for this location
Type: strings concatenated with “\n”
Default:
""
local.reverse-proxy.services.<name>.target
Backend target (e.g., http://localhost:3001)
Type: string
local.reverse-proxy.sharedFolders
Path on disk to serve at files.onix.home
Type: attribute set of absolute path
Default:
{ }
Example:
{
games = "/media/Media/games";
wallpapers = "/media/Media/wallpapers";
}
local.reverse-proxy.useACME
Whether to use Let’s Encrypt for HTTPS (requires public domain). If false, uses self-signed certificates.
Type: boolean
Default:
false
local.secrets.enable
Whether to enable sops-nix secret management.
Type: boolean
Default:
false
Example:
true
local.secrets.keys
List of sops keys to automatically map to /run/secrets/ for system-wide access
Type: list of string
Default:
[ ]
Example:
[
"onix_creds"
"ssh_pub_ruby/master"
"ssh_pub_sapphire/master"
]
local.secrets.sopsFile
Path to the encrypted YAML file containing system secrets
Type: absolute path
Default:
/nix/store/shwnn10jy3f95zhilzlb0gcx0jxp44vz-source/secrets/secrets.yaml
Example:
../secrets/system-secrets.yaml
local.security.enable
Whether to enable Centralized security settings.
Type: boolean
Default:
false
Example:
true
local.security.adminUser
The main admin user to grant passwordless sudo/doas access and SSH key authorization
Type: string
Default:
"tod"
Example:
"admin"
local.userManager.enable
Whether to enable Automatic user group management.
Type: boolean
Default:
false
Example:
true
local.userManager.extraGroups
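Groups to assign to all auto-discovered users on this host. The default includes wheel, docker and incus-admin, each of which gives or leads to root-level access; trim the list on hosts with users who should not be administrators.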
Type: list of string
Default:
[
"wheel"
"networkmanager"
"input"
"docker"
"cdrom"
"incus-admin"
]
Example:
[
"wheel"
"networkmanager"
"input"
"video"
"audio"
"docker"
]
local.virtualisation.incus.enable
Whether to enable Incus virtualisation.
Type: boolean
Default:
false
Example:
true
local.virtualisation.incus.enableReverseProxy
Whether to configure the reverse proxy for the Incus UI/socket.
Type: boolean
Default:
true
local.virtualisation.incus.macvlanInterface
Physical interface to attach macvlan network to.
Type: null or string
Default:
null
local.virtualisation.incus.storageSource
Path for the default storage pool.
Type: string
Default:
"/var/lib/incus/storage"
local.virtualisation.incus.ui.enable
Whether to enable Incus UI.
Type: boolean
Default:
false
Example:
true
local.yubikey.enable
Whether to enable YubiKey support and GPG/SSH integration.
Type: boolean
Default:
false
Example:
true
local.zerotier.enable
Whether to enable zerotier virtual network.
Type: boolean
Default:
false
Example:
true
local.zerotier.networkIdSecret
The name of the sops secret containing the ZeroTier network ID.
Type: string
Default:
"zerotier_network_id"