Name

nix.conf - Nix configuration file

Description

By default Nix reads settings from the following places:

• The system-wide configuration file sysconfdir/nix/nix.conf (i.e. /etc/nix/nix.conf on most systems), or $NIX_CONF_DIR/nix.conf if NIX_CONF_DIR is set. Values loaded in this file are not forwarded to the Nix daemon. The client assumes that the daemon has already loaded them.
• If NIX_USER_CONF_FILES is set, then each path separated by : will be loaded in reverse order.

Otherwise it will look for nix/nix.conf files in XDG_CONFIG_DIRS and XDG_CONFIG_HOME. If unset, XDG_CONFIG_DIRS defaults to /etc/xdg, and XDG_CONFIG_HOME defaults to $HOME/.config as per XDG Base Directory Specification (https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html).

•

If NIX_CONFIG is set, its contents is treated as the contents of a configuration file.

The configuration files consist of name = value pairs, one per line. Other files can be included with a line like include path, where path is interpreted relative to the current conf file and a missing file is an error unless !include is used instead. Comments start with a # character. Here is an example configuration file:

keep-outputs = true       # Nice for developers
keep-derivations = true   # Idem

You can override settings on the command line using the --option flag, e.g. --option keep-outputs false. Every configuration setting also has a corresponding command line flag, e.g. --max-jobs 16; for Boolean settings, there are two flags to enable or disable the setting (e.g. --keep-failed and --no-keep-failed).

A configuration setting usually overrides any previous value. However, you can prefix the name of the setting by extra- to append to the previous value. For instance,

substituters = a b
extra-substituters = c d

defines the substituters setting to be a b c d. This is also available as a command line flag (e.g. --extra-substituters).

The following settings are currently available:

•

accept-flake-config (#conf-accept-flake-config)

Whether to accept nix configuration from a flake without prompting.

Default: false

•

access-tokens (#conf-access-tokens)

Access tokens used to access protected GitHub, GitLab, or other locations requiring token-based authentication.

Access tokens are specified as a string made up of space-separated host=token values. The specific token used is selected by matching the host portion against the “host” specification of the input. The actual use of the token value is determined by the type of resource being accessed:

Example ~/.config/nix/nix.conf:

access-tokens = github.com=23ac...b289 gitlab.mycompany.com=PAT:A123Bp_Cd..EfG gitlab.com=OAuth2:1jklw3jk

Example ~/code/flake.nix:

input.foo = {


  type = "gitlab";


  host = "gitlab.mycompany.com";


  owner = "mycompany";


  repo = "pro";
};

This example specifies three tokens, one each for accessing github.com, gitlab.mycompany.com, and sourceforge.net.

The input.foo uses the “gitlab” fetcher, which might requires specifying the token type along with the token value.

Default: ""

•

allow-dirty (#conf-allow-dirty)

Whether to allow dirty Git/Mercurial trees.

Default: true

•

allow-import-from-derivation (#conf-allow-import-from-derivation)

By default, Nix allows you to import from a derivation, allowing building at evaluation time. With this option set to false, Nix will throw an error when evaluating an expression that uses this feature, allowing users to ensure their evaluation will not require any builds to take place.

Default: true

•

allow-new-privileges (#conf-allow-new-privileges)

(Linux-specific.) By default, builders on Linux cannot acquire new privileges by calling setuid/setgid programs or programs that have file capabilities. For example, programs such as sudo or ping will fail. (Note that in sandbox builds, no such programs are available unless you bind-mount them into the sandbox via the sandbox-paths option.) You can allow the use of such programs by enabling this option. This is impure and usually undesirable, but may be useful in certain scenarios (e.g. to spin up containers or set up userspace network interfaces in tests).

Default: false

•

allow-symlinked-store (#conf-allow-symlinked-store)

If set to true, Nix will stop complaining if the store directory (typically /nix/store) contains symlink components.

This risks making some builds “impure” because builders sometimes “canonicalise” paths by resolving all symlink components. Problems occur if those builds are then deployed to machines where /nix/store resolves to a different location from that of the build machine. You can enable this setting if you are sure you’re not going to do that.

Default: false

•

allow-unsafe-native-code-during-evaluation (#conf-allow-unsafe-native-code-during-evaluation)

Whether builtin functions that allow executing native code should be enabled.

Default: false

•

allowed-impure-host-deps (#conf-allowed-impure-host-deps)

Which prefixes to allow derivations to ask for access to (primarily for Darwin).

Default: empty

•

allowed-uris (#conf-allowed-uris)

A list of URI prefixes to which access is allowed in restricted evaluation mode. For example, when set to https://github.com/NixOS, builtin functions such as fetchGit are allowed to access https://github.com/NixOS/patchelf.git.

Default: empty

•

allowed-users (#conf-allowed-users)

A list of names of users (separated by whitespace) that are allowed to connect to the Nix daemon. As with the trusted-users option, you can specify groups by prefixing them with @. Also, you can allow all users by specifying *. The default is *.

Note that trusted users are always allowed to connect.

Default: *

•

auto-optimise-store (#conf-auto-optimise-store)

If set to true, Nix automatically detects files in the store that have identical contents, and replaces them with hard links to a single copy. This saves disk space. If set to false (the default), you can still run nix-store --optimise to get rid of duplicate files.

Default: false

•

bash-prompt (#conf-bash-prompt)

The bash prompt (PS1) in nix develop shells.

Default: empty

•

bash-prompt-suffix (#conf-bash-prompt-suffix)

Suffix appended to the PS1 environment variable in nix develop shells.

Default: empty

•

build-hook (#conf-build-hook)

The path of the helper program that executes builds to remote machines.

Default: /usr/libexec/nix/build-remote

•

build-poll-interval (#conf-build-poll-interval)

How often (in seconds) to poll for locks.

Default: 5

•

build-users-group (#conf-build-users-group)

This options specifies the Unix group containing the Nix build user accounts. In multi-user Nix installations, builds should not be performed by the Nix account since that would allow users to arbitrarily modify the Nix store and database by supplying specially crafted builders; and they cannot be performed by the calling user since that would allow him/her to influence the build result.

Therefore, if this option is non-empty and specifies a valid group, builds will be performed under the user accounts that are a member of the group specified here (as listed in /etc/group). Those user accounts should not be used for any other purpose!

Nix will never run two builds under the same user account at the same time. This is to prevent an obvious security hole: a malicious user writing a Nix expression that modifies the build result of a legitimate Nix expression being built by another user. Therefore it is good to have as many Nix build user accounts as you can spare. (Remember: uids are cheap.)

The build users should have permission to create files in the Nix store, but not delete them. Therefore, /nix/store should be owned by the Nix account, its group should be the group specified here, and its mode should be 1775.

If the build users group is empty, builds will be performed under the uid of the Nix process (that is, the uid of the caller if NIX_REMOTE is empty, the uid under which the Nix daemon runs if NIX_REMOTE is daemon). Obviously, this should not be used in multi-user settings with untrusted users.

Default: empty

•

builders (#conf-builders)

A semicolon-separated list of build machines. For the exact format and examples, see the manual chapter on remote builds (../advanced-topics/distributed-builds.md)

Default: @/dummy/machines

•

builders-use-substitutes (#conf-builders-use-substitutes)

If set to true, Nix will instruct remote build machines to use their own binary substitutes if available. In practical terms, this means that remote hosts will fetch as many build dependencies as possible from their own substitutes (e.g, from cache.nixos.org), instead of waiting for this host to upload them all. This can drastically reduce build times if the network connection between this computer and the remote build host is slow.

Default: false

•

commit-lockfile-summary (#conf-commit-lockfile-summary)

The commit summary to use when committing changed flake lock files. If empty, the summary is generated based on the action performed.

Default: empty

•

compress-build-log (#conf-compress-build-log)

If set to true (the default), build logs written to /nix/var/log/nix/drvs will be compressed on the fly using bzip2. Otherwise, they will not be compressed.

Default: true

Deprecated alias: build-compress-log

•

connect-timeout (#conf-connect-timeout)

The timeout (in seconds) for establishing connections in the binary cache substituter. It corresponds to curl’s --connect-timeout option. A value of 0 means no limit.

Default: 0

•

cores (#conf-cores)

Sets the value of the NIX_BUILD_CORES environment variable in the invocation of builders. Builders can use this variable at their discretion to control the maximum amount of parallelism. For instance, in Nixpkgs, if the derivation attribute enableParallelBuilding is set to true, the builder passes the -jN flag to GNU Make. It can be overridden using the --cores command line switch and defaults to 1. The value 0 means that the builder should use all available CPU cores in the system.

Default: machine-specific Deprecated alias: build-cores

•

diff-hook (#conf-diff-hook)

Absolute path to an executable capable of diffing build results. The hook is executed if run-diff-hook is true, and the output of a build is known to not be the same. This program is not executed to determine if two results are the same.

The diff hook is executed by the same user and group who ran the build. However, the diff hook does not have write access to the store path just built.

The diff hook program receives three parameters:

The stderr and stdout output from the diff hook will not be displayed to the user. Instead, it will print to the nix-daemon’s log.

When using the Nix daemon, diff-hook must be set in the nix.conf configuration file, and cannot be passed at the command line.

Default: empty

•

download-attempts (#conf-download-attempts)

How often Nix will attempt to download a file before giving up.

Default: 5

•

enforce-determinism (#conf-enforce-determinism)

Whether to fail if repeated builds produce different output. See repeat.

Default: true

•

eval-cache (#conf-eval-cache)

Whether to use the flake evaluation cache.

Default: true

•

experimental-features (#conf-experimental-features)

Experimental Nix features to enable.

Default: 3

•

extra-platforms (#conf-extra-platforms)

Platforms other than the native one which this machine is capable of building for. This can be useful for supporting additional architectures on compatible machines: i686-linux can be built on x86_64-linux machines (and the default for this setting reflects this); armv7 is backwards-compatible with armv6 and armv5tel; some aarch64 machines can also natively run 32-bit ARM code; and qemu-user may be used to support non-native platforms (though this may be slow and buggy). Most values for this are not enabled by default because build systems will often misdetect the target platform and generate incompatible code, so you may wish to cross-check the results of using this option against proper natively-built versions of your derivations.

Default: machine-specific

•

fallback (#conf-fallback)

If set to true, Nix will fall back to building from source if a binary substitute fails. This is equivalent to the --fallback flag. The default is false.

Default: false

Deprecated alias: build-fallback

•

filter-syscalls (#conf-filter-syscalls)

Whether to prevent certain dangerous system calls, such as creation of setuid/setgid files or adding ACLs or extended attributes. Only disable this if you’re aware of the security implications.

Default: true

•

flake-registry (#conf-flake-registry)

Path or URI of the global flake registry.

Default: https://github.com/NixOS/flake-registry/raw/master/flake-registry.json

•

fsync-metadata (#conf-fsync-metadata)

If set to true, changes to the Nix store metadata (in /nix/var/nix/db) are synchronously flushed to disk. This improves robustness in case of system crashes, but reduces performance. The default is true.

Default: true

•

gc-reserved-space (#conf-gc-reserved-space)

Amount of reserved disk space for the garbage collector.

Default: 8388608

•

hashed-mirrors (#conf-hashed-mirrors)

A list of web servers used by builtins.fetchurl to obtain files by hash. The default is http://tarballs.nixos.org/. Given a hash type ht and a base-16 hash h, Nix will try to download the file from hashed-mirror/ht/h. This allows files to be downloaded even if they have disappeared from their original URI. For example, given the default mirror http://tarballs.nixos.org/, when building the derivation

builtins.fetchurl {


  url = "https://example.org/foo-1.2.3.tar.xz";


  sha256 = "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae";
}

Nix will attempt to download this file from http://tarballs.nixos.org/sha256/2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae first. If it is not available there, if will try the original URI.

Default: empty

•

http-connections (#conf-http-connections)

The maximum number of parallel TCP connections used to fetch files from binary caches and by other downloads. It defaults to 25. 0 means no limit.

Default: 25

Deprecated alias: binary-caches-parallel-connections

•

http2 (#conf-http2)

Whether to enable HTTP/2 support.

Default: true

•

ignored-acls (#conf-ignored-acls)

A list of ACLs that should be ignored, normally Nix attempts to remove all ACLs from files and directories in the Nix store, but some ACLs like security.selinux or system.nfs4_acl can’t be removed even by root. Therefore it’s best to just ignore them.

Default: security.selinux system.nfs4_acl

•

impersonate-linux-26 (#conf-impersonate-linux-26)

Whether to impersonate a Linux 2.6 machine on newer kernels.

Default: false

Deprecated alias: build-impersonate-linux-26

•

keep-build-log (#conf-keep-build-log)

If set to true (the default), Nix will write the build log of a derivation (i.e. the standard output and error of its builder) to the directory /nix/var/log/nix/drvs. The build log can be retrieved using the command nix-store -l path.

Default: true

Deprecated alias: build-keep-log

•

keep-derivations (#conf-keep-derivations)

If true (default), the garbage collector will keep the derivations from which non-garbage store paths were built. If false, they will be deleted unless explicitly registered as a root (or reachable from other roots).

Keeping derivation around is useful for querying and traceability (e.g., it allows you to ask with what dependencies or options a store path was built), so by default this option is on. Turn it off to save a bit of disk space (or a lot if keep-outputs is also turned on).

Default: true

Deprecated alias: gc-keep-derivations

•

keep-env-derivations (#conf-keep-env-derivations)

If false (default), derivations are not stored in Nix user environments. That is, the derivations of any build-time-only dependencies may be garbage-collected.

If true, when you add a Nix derivation to a user environment, the path of the derivation is stored in the user environment. Thus, the derivation will not be garbage-collected until the user environment generation is deleted (nix-env --delete-generations). To prevent build-time-only dependencies from being collected, you should also turn on keep-outputs.

The difference between this option and keep-derivations is that this one is “sticky”: it applies to any user environment created while this option was enabled, while keep-derivations only applies at the moment the garbage collector is run.

Default: false

Deprecated alias: env-keep-derivations

•

keep-failed (#conf-keep-failed)

Whether to keep temporary directories of failed builds.

Default: false

•

keep-going (#conf-keep-going)

Whether to keep building derivations when another build fails.

Default: false

•

keep-outputs (#conf-keep-outputs)

If true, the garbage collector will keep the outputs of non-garbage derivations. If false (default), outputs will be deleted unless they are GC roots themselves (or reachable from other roots).

In general, outputs must be registered as roots separately. However, even if the output of a derivation is registered as a root, the collector will still delete store paths that are used only at build time (e.g., the C compiler, or source tarballs downloaded from the network). To prevent it from doing so, set this option to true.

Default: false

Deprecated alias: gc-keep-outputs

•

log-lines (#conf-log-lines)

The number of lines of the tail of the log to show if a build fails.

Default: 10

•

max-build-log-size (#conf-max-build-log-size)

This option defines the maximum number of bytes that a builder can write to its stdout/stderr. If the builder exceeds this limit, it’s killed. A value of 0 (the default) means that there is no limit.

Default: 0

Deprecated alias: build-max-log-size

•

max-free (#conf-max-free)

When a garbage collection is triggered by the min-free option, it stops as soon as max-free bytes are available. The default is infinity (i.e. delete all garbage).

Default: -1

•

max-jobs (#conf-max-jobs)

This option defines the maximum number of jobs that Nix will try to build in parallel. The default is 1. The special value auto causes Nix to use the number of CPUs in your system. 0 is useful when using remote builders to prevent any local builds (except for preferLocalBuild derivation attribute which executes locally regardless). It can be overridden using the --max-jobs (-j) command line switch.

Default: 1

Deprecated alias: build-max-jobs

•

max-silent-time (#conf-max-silent-time)

This option defines the maximum number of seconds that a builder can go without producing any data on standard output or standard error. This is useful (for instance in an automated build system) to catch builds that are stuck in an infinite loop, or to catch remote builds that are hanging due to network problems. It can be overridden using the --max-silent-time command line switch.

The value 0 means that there is no timeout. This is also the default.

Default: 0

Deprecated alias: build-max-silent-time

•

min-free (#conf-min-free)

When free disk space in /nix/store drops below min-free during a build, Nix performs a garbage-collection until max-free bytes are available or there is no more garbage. A value of 0 (the default) disables this feature.

Default: 0

•

min-free-check-interval (#conf-min-free-check-interval)

Number of seconds between checking free disk space.

Default: 5

•

nar-buffer-size (#conf-nar-buffer-size)

Maximum size of NARs before spilling them to disk.

Default: 33554432

•

narinfo-cache-negative-ttl (#conf-narinfo-cache-negative-ttl)

The TTL in seconds for negative lookups. If a store path is queried from a substituter but was not found, there will be a negative lookup cached in the local disk cache database for the specified duration.

Default: 3600

•

narinfo-cache-positive-ttl (#conf-narinfo-cache-positive-ttl)

The TTL in seconds for positive lookups. If a store path is queried from a substituter, the result of the query will be cached in the local disk cache database including some of the NAR metadata. The default TTL is a month, setting a shorter TTL for positive lookups can be useful for binary caches that have frequent garbage collection, in which case having a more frequent cache invalidation would prevent trying to pull the path again and failing with a hash mismatch if the build isn’t reproducible.

Default: 2592000

•

netrc-file (#conf-netrc-file)

If set to an absolute path to a netrc file, Nix will use the HTTP authentication credentials in this file when trying to download from a remote host through HTTP or HTTPS. Defaults to $NIX_CONF_DIR/netrc.

The netrc file consists of a list of accounts in the following format:

machine my-machine
login my-username
password my-password

For the exact syntax, see the curl documentation (https://ec.haxx.se/usingcurl-netrc.html).

Default: /dummy/netrc

•

nix-path (#conf-nix-path)

List of directories to be searched for <...> file references.

Default: empty

•

plugin-files (#conf-plugin-files)

A list of plugin files to be loaded by Nix. Each of these files will be dlopened by Nix, allowing them to affect execution through static initialization. In particular, these plugins may construct static instances of RegisterPrimOp to add new primops or constants to the expression language, RegisterStoreImplementation to add new store implementations, RegisterCommand to add new subcommands to the nix command, and RegisterSetting to add new nix config settings. See the constructors for those types for more details.

Warning! These APIs are inherently unstable and may change from release to release.

Since these files are loaded into the same address space as Nix itself, they must be DSOs compatible with the instance of Nix running at the time (i.e. compiled against the same headers, not linked to any incompatible libraries). They should not be linked to any Nix libs directly, as those will be available already at load time.

If an entry in the list is a directory, all files in the directory are loaded as plugins (non-recursively).

Default: empty

•

post-build-hook (#conf-post-build-hook)

Optional. The path to a program to execute after each build.

This option is only settable in the global nix.conf, or on the command line by trusted users.

When using the nix-daemon, the daemon executes the hook as root. If the nix-daemon is not involved, the hook runs as the user executing the nix-build.

The program executes with no arguments. The program’s environment contains the following environment variables:

Default: empty

•

pre-build-hook (#conf-pre-build-hook)

If set, the path to a program that can set extra derivation-specific settings for this system. This is used for settings that can’t be captured by the derivation model itself and are too variable between different versions of the same system to be hard-coded into nix.

The hook is passed the derivation path and, if sandboxes are enabled, the sandbox directory. It can then modify the sandbox and send a series of commands to modify various settings to stdout. The currently recognized commands are:

Default: empty

•

preallocate-contents (#conf-preallocate-contents)

Whether to preallocate files when writing objects with known size.

Default: false

•

print-missing (#conf-print-missing)

Whether to print what paths need to be built or downloaded.

Default: true

•

pure-eval (#conf-pure-eval)

Whether to restrict file system and network access to files specified by cryptographic hash.

Default: true

•

repeat (#conf-repeat)

How many times to repeat builds to check whether they are deterministic. The default value is 0. If the value is non-zero, every build is repeated the specified number of times. If the contents of any of the runs differs from the previous ones and enforce-determinism is true, the build is rejected and the resulting store paths are not registered as “valid” in Nix’s database.

Default: 0

Deprecated alias: build-repeat

•

require-sigs (#conf-require-sigs)

If set to true (the default), any non-content-addressed path added or copied to the Nix store (e.g. when substituting from a binary cache) must have a valid signature, that is, be signed using one of the keys listed in trusted-public-keys or secret-key-files. Set to false to disable signature checking.

Default: true

•

restrict-eval (#conf-restrict-eval)

If set to true, the Nix evaluator will not allow access to any files outside of the Nix search path (as set via the NIX_PATH environment variable or the -I option), or to URIs outside of allowed-uri. The default is false.

Default: false

•

run-diff-hook (#conf-run-diff-hook)

If true, enable the execution of the diff-hook program.

When using the Nix daemon, run-diff-hook must be set in the nix.conf configuration file, and cannot be passed at the command line.

Default: false

•

sandbox (#conf-sandbox)

If set to true, builds will be performed in a sandboxed environment, i.e., they’re isolated from the normal file system hierarchy and will only see their dependencies in the Nix store, the temporary build directory, private versions of /proc, /dev, /dev/shm and /dev/pts (on Linux), and the paths configured with the sandbox-paths option. This is useful to prevent undeclared dependencies on files in directories such as /usr/bin. In addition, on Linux, builds run in private PID, mount, network, IPC and UTS namespaces to isolate them from other processes in the system (except that fixed-output derivations do not run in private network namespace to ensure they can access the network).

Currently, sandboxing only work on Linux and macOS. The use of a sandbox requires that Nix is run as root (so you should use the “build users” feature to perform the actual builds under different users than root).

If this option is set to relaxed, then fixed-output derivations and derivations that have the __noChroot attribute set to true do not run in sandboxes.

The default is true on Linux and false on all other platforms.

Default: true

Deprecated alias: build-use-chroot, build-use-sandbox

•

sandbox-build-dir (#conf-sandbox-build-dir)

The build directory inside the sandbox.

Default: /build

•

sandbox-dev-shm-size (#conf-sandbox-dev-shm-size)

This option determines the maximum size of the tmpfs filesystem mounted on /dev/shm in Linux sandboxes. For the format, see the description of the size option of tmpfs in mount8. The default is 50%.

Default: 50%

•

sandbox-fallback (#conf-sandbox-fallback)

Whether to disable sandboxing when the kernel doesn’t allow it.

Default: true

•

sandbox-paths (#conf-sandbox-paths)

A list of paths bind-mounted into Nix sandbox environments. You can use the syntax target=source to mount a path in a different location in the sandbox; for instance, /bin=/nix-bin will mount the path /nix-bin as /bin inside the sandbox. If source is followed by ?, then it is not an error if source does not exist; for example, /dev/nvidiactl? specifies that /dev/nvidiactl will only be mounted in the sandbox if it exists in the host filesystem.

Depending on how Nix was built, the default value for this option may be empty or provide /bin/sh as a bind-mount of bash.

Default: empty

Deprecated alias: build-chroot-dirs, build-sandbox-paths

•

secret-key-files (#conf-secret-key-files)

A whitespace-separated list of files containing secret (private) keys. These are used to sign locally-built paths. They can be generated using nix-store --generate-binary-cache-key. The corresponding public key can be distributed to other users, who can add it to trusted-public-keys in their nix.conf.

Default: empty

•

show-trace (#conf-show-trace)

Whether Nix should print out a stack trace in case of Nix expression evaluation errors.

Default: false

•

stalled-download-timeout (#conf-stalled-download-timeout)

The timeout (in seconds) for receiving data from servers during download. Nix cancels idle downloads after this timeout’s duration.

Default: 300

•

store (#conf-store)

The default Nix store to use.

Default: auto

•

substitute (#conf-substitute)

If set to true (default), Nix will use binary substitutes if available. This option can be disabled to force building from source.

Default: true

Deprecated alias: build-use-substitutes

•

substituters (#conf-substituters)

A list of URLs of substituters, separated by whitespace. Substituters are tried based on their Priority value, which each substituter can set independently. Lower value means higher priority. The default is https://cache.nixos.org, with a Priority of 40.

Default: https://cache.nixos.org/

Deprecated alias: binary-caches

•

sync-before-registering (#conf-sync-before-registering)

Whether to call sync() before registering a path as valid.

Default: false

•

system (#conf-system)

This option specifies the canonical Nix system name of the current installation, such as i686-linux or x86_64-darwin. Nix can only build derivations whose system attribute equals the value specified here. In general, it never makes sense to modify this value from its default, since you can use it to ‘lie’ about the platform you are building on (e.g., perform a Mac OS build on a Linux machine; the result would obviously be wrong). It only makes sense if the Nix binaries can run on multiple platforms, e.g., ‘universal binaries’ that run on x86_64-linux and i686-linux.

It defaults to the canonical Nix system name detected by configure at build time.

Default: x86_64-linux

•

system-features (#conf-system-features)

A set of system “features” supported by this machine, e.g. kvm. Derivations can express a dependency on such features through the derivation attribute requiredSystemFeatures. For example, the attribute

requiredSystemFeatures = [ "kvm" ];

ensures that the derivation can only be built on a machine with the kvm feature.

This setting by default includes kvm if /dev/kvm is accessible, and the pseudo-features nixos-test, benchmark and big-parallel that are used in Nixpkgs to route builds to specific machines.

Default: machine-specific

•

tarball-ttl (#conf-tarball-ttl)

The number of seconds a downloaded tarball is considered fresh. If the cached tarball is stale, Nix will check whether it is still up to date using the ETag header. Nix will download a new version if the ETag header is unsupported, or the cached ETag doesn’t match.

Setting the TTL to 0 forces Nix to always check if the tarball is up to date.

Nix caches tarballs in $XDG_CACHE_HOME/nix/tarballs.

Files fetched via NIX_PATH, fetchGit, fetchMercurial, fetchTarball, and fetchurl respect this TTL.

Default: 3600

•

timeout (#conf-timeout)

This option defines the maximum number of seconds that a builder can run. This is useful (for instance in an automated build system) to catch builds that are stuck in an infinite loop but keep writing to their standard output or standard error. It can be overridden using the --timeout command line switch.

The value 0 means that there is no timeout. This is also the default.

Default: 0

Deprecated alias: build-timeout

•

trace-function-calls (#conf-trace-function-calls)

If set to true, the Nix evaluator will trace every function call. Nix will print a log message at the “vomit” level for every function entrance and function exit.

function-trace entered undefined position at 1565795816999559622
function-trace exited undefined position at 1565795816999581277
function-trace entered /nix/store/.../example.nix:226:41 at 1565795253249935150
function-trace exited /nix/store/.../example.nix:226:41 at 1565795253249941684

The undefined position means the function call is a builtin.

Use the contrib/stack-collapse.py script distributed with the Nix source code to convert the trace logs in to a format suitable for flamegraph.pl.

Default: false

•

trusted-public-keys (#conf-trusted-public-keys)

A whitespace-separated list of public keys. When paths are copied from another Nix store (such as a binary cache), they must be signed with one of these keys. For example: cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=.

Default: cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=

Deprecated alias: binary-cache-public-keys

•

trusted-substituters (#conf-trusted-substituters)

A list of URLs of substituters, separated by whitespace. These are not used by default, but can be enabled by users of the Nix daemon by specifying --option substituters urls on the command line. Unprivileged users are only allowed to pass a subset of the URLs listed in substituters and trusted-substituters.

Default: empty

Deprecated alias: trusted-binary-caches

•

trusted-users (#conf-trusted-users)

A list of names of users (separated by whitespace) that have additional rights when connecting to the Nix daemon, such as the ability to specify additional binary caches, or to import unsigned NARs. You can also specify groups by prefixing them with @; for instance, @wheel means all users in the wheel group. The default is root.

Default: root

•

use-case-hack (#conf-use-case-hack)

Whether to enable a Darwin-specific hack for dealing with file name collisions.

Default: false

•

use-registries (#conf-use-registries)

Whether to use flake registries to resolve flake references.

Default: true

•

use-sqlite-wal (#conf-use-sqlite-wal)

Whether SQLite should use WAL mode.

Default: true

•

user-agent-suffix (#conf-user-agent-suffix)

String appended to the user agent in HTTP requests.

Default: empty

•

warn-dirty (#conf-warn-dirty)

Whether to warn about dirty Git/Mercurial trees.

Default: true