Provided by: nix-bin_2.18.1+dfsg-1ubuntu5_amd64 
Name
nix.conf - Nix configuration file
Description
Nix supports a variety of configuration settings, which are read from configuration files
or taken as command line flags.
Configuration file
By default Nix reads settings from the following places, in that order:
1. The system-wide configuration file sysconfdir/nix/nix.conf (i.e. /etc/nix/nix.conf on
most systems), or $NIX_CONF_DIR/nix.conf if NIX_CONF_DIR is set.
Values loaded in this file are not forwarded to the Nix daemon. The client assumes
that the daemon has already loaded them.
2. If NIX_USER_CONF_FILES is set, then each path separated by : will be loaded in reverse
order.
Otherwise it will look for nix/nix.conf files in XDG_CONFIG_DIRS and XDG_CONFIG_HOME.
If unset, XDG_CONFIG_DIRS defaults to /etc/xdg, and XDG_CONFIG_HOME defaults to
$HOME/.config as per XDG Base Directory Specification.
3. If NIX_CONFIG is set, its contents are treated as the contents of a configuration file.
File format
Configuration files consist of name = value pairs, one per line. Comments start with a #
character.
Example:
keep-outputs = true # Nice for developers
keep-derivations = true # Idem
Other files can be included with a line like include <path>, where <path> is interpreted
relative to the current configuration file. A missing file is an error unless !include is
used instead.
A configuration setting usually overrides any previous value. However, for settings that
take a list of items, you can prefix the name of the setting by extra- to append to the
previous value.
For instance,
substituters = a b
extra-substituters = c d
defines the substituters setting to be a b c d.
Unknown option names are not an error, and are simply ignored with a warning.
Command line flags
Configuration options can be set on the command line, overriding the values set in the
configuration file:
• Every configuration setting has corresponding command line flag (e.g. --max-jobs 16).
Boolean settings do not need an argument, and can be explicitly disabled with the no-
prefix (e.g. --keep-failed and --no-keep-failed).
Unknown option names are invalid flags (unless there is already a flag with that name),
and are rejected with an error.
• The flag --option <name> <value> is interpreted exactly like a <name> = <value> in a
setting file.
Unknown option names are ignored with a warning.
The extra- prefix is supported for settings that take a list of items (e.g. --extra-
trusted users alice or --option extra-trusted-users alice).
Available settings
• accept-flake-config
Whether to accept nix configuration from a flake without prompting.
Warning This setting is part of an experimental feature.
To change this setting, you need to make sure the corresponding experimental feature,
flakes, is enabled. For example, include the following in nix.conf:
extra-experimental-features = flakes
accept-flake-config = ...
Default: false
• access-tokens
Access tokens used to access protected GitHub, GitLab, or other locations requiring
token-based authentication.
Access tokens are specified as a string made up of space-separated host=token values.
The specific token used is selected by matching the host portion against the “host”
specification of the input. The actual use of the token value is determined by the type
of resource being accessed:
• Github: the token value is the OAUTH-TOKEN string obtained as the Personal Access
Token from the Github server (see
https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-
apps).
• Gitlab: the token value is either the OAuth2 token or the Personal Access Token
(these are different types tokens for gitlab, see
https://docs.gitlab.com/12.10/ee/api/README.html#authentication). The token value
should be type:tokenstring where type is either OAuth2 or PAT to indicate which type
of token is being specified.
Example ~/.config/nix/nix.conf:
access-tokens = github.com=23ac...b289 gitlab.mycompany.com=PAT:A123Bp_Cd..EfG gitlab.com=OAuth2:1jklw3jk
Example ~/code/flake.nix:
input.foo = {
type = "gitlab";
host = "gitlab.mycompany.com";
owner = "mycompany";
repo = "pro";
};
This example specifies three tokens, one each for accessing github.com,
gitlab.mycompany.com, and gitlab.com.
The input.foo uses the “gitlab” fetcher, which might requires specifying the token
type along with the token value.
Default: empty
• allow-dirty
Whether to allow dirty Git/Mercurial trees.
Default: true
• allow-import-from-derivation
By default, Nix allows you to import from a derivation, allowing building at evaluation
time. With this option set to false, Nix will throw an error when evaluating an
expression that uses this feature, allowing users to ensure their evaluation will not
require any builds to take place.
Default: true
• allow-new-privileges
(Linux-specific.) By default, builders on Linux cannot acquire new privileges by
calling setuid/setgid programs or programs that have file capabilities. For example,
programs such as sudo or ping will fail. (Note that in sandbox builds, no such programs
are available unless you bind-mount them into the sandbox via the sandbox-paths
option.) You can allow the use of such programs by enabling this option. This is impure
and usually undesirable, but may be useful in certain scenarios (e.g. to spin up
containers or set up userspace network interfaces in tests).
Default: false
• allow-symlinked-store
If set to true, Nix will stop complaining if the store directory (typically /nix/store)
contains symlink components.
This risks making some builds “impure” because builders sometimes “canonicalise” paths
by resolving all symlink components. Problems occur if those builds are then deployed
to machines where /nix/store resolves to a different location from that of the build
machine. You can enable this setting if you are sure you’re not going to do that.
Default: false
• allow-unsafe-native-code-during-evaluation
Whether builtin functions that allow executing native code should be enabled.
Default: false
• allowed-impure-host-deps
Which prefixes to allow derivations to ask for access to (primarily for Darwin).
Default: empty
• allowed-uris
A list of URI prefixes to which access is allowed in restricted evaluation mode. For
example, when set to https://github.com/NixOS, builtin functions such as fetchGit are
allowed to access https://github.com/NixOS/patchelf.git.
Default: empty
• allowed-users
A list user names, separated by whitespace. These users are allowed to connect to the
Nix daemon.
You can specify groups by prefixing names with @. For instance, @wheel means all users
in the wheel group. Also, you can allow all users by specifying *.
Note
Trusted users (set in trusted-users) can always connect to the Nix daemon.
Default: *
• auto-allocate-uids
Whether to select UIDs for builds automatically, instead of using the users in build-
users-group.
UIDs are allocated starting at 872415232 (0x34000000) on Linux and 56930 on macOS.
Default: false
• auto-optimise-store
If set to true, Nix automatically detects files in the store that have identical
contents, and replaces them with hard links to a single copy. This saves disk space. If
set to false (the default), you can still run nix-store --optimise to get rid of
duplicate files.
Default: false
• bash-prompt
The bash prompt (PS1) in nix develop shells.
Default: empty
• bash-prompt-prefix
Prefix prepended to the PS1 environment variable in nix develop shells.
Default: empty
• bash-prompt-suffix
Suffix appended to the PS1 environment variable in nix develop shells.
Default: empty
• build-hook
The path to the helper program that executes remote builds.
Nix communicates with the build hook over stdio using a custom protocol to request
builds that cannot be performed directly by the Nix daemon. The default value is the
internal Nix binary that implements remote building.
Important
Change this setting only if you really know what you’re doing.
Default: empty
• build-poll-interval
How often (in seconds) to poll for locks.
Default: 5
• build-users-group
This options specifies the Unix group containing the Nix build user accounts. In multi-
user Nix installations, builds should not be performed by the Nix account since that
would allow users to arbitrarily modify the Nix store and database by supplying
specially crafted builders; and they cannot be performed by the calling user since that
would allow him/her to influence the build result.
Therefore, if this option is non-empty and specifies a valid group, builds will be
performed under the user accounts that are a member of the group specified here (as
listed in /etc/group). Those user accounts should not be used for any other purpose!
Nix will never run two builds under the same user account at the same time. This is to
prevent an obvious security hole: a malicious user writing a Nix expression that
modifies the build result of a legitimate Nix expression being built by another user.
Therefore it is good to have as many Nix build user accounts as you can spare.
(Remember: uids are cheap.)
The build users should have permission to create files in the Nix store, but not delete
them. Therefore, /nix/store should be owned by the Nix account, its group should be the
group specified here, and its mode should be 1775.
If the build users group is empty, builds will be performed under the uid of the Nix
process (that is, the uid of the caller if NIX_REMOTE is empty, the uid under which the
Nix daemon runs if NIX_REMOTE is daemon). Obviously, this should not be used with a nix
daemon accessible to untrusted clients.
Defaults to nixbld when running as root, empty otherwise.
Default: machine-specific
• builders
A semicolon-separated list of build machines. For the exact format and examples, see
the manual chapter on remote builds
Default: @/dummy/machines
• builders-use-substitutes
If set to true, Nix will instruct remote build machines to use their own binary
substitutes if available. In practical terms, this means that remote hosts will fetch
as many build dependencies as possible from their own substitutes (e.g, from
cache.nixos.org), instead of waiting for this host to upload them all. This can
drastically reduce build times if the network connection between this computer and the
remote build host is slow.
Default: false
• commit-lockfile-summary
The commit summary to use when committing changed flake lock files. If empty, the
summary is generated based on the action performed.
Warning This setting is part of an experimental feature.
To change this setting, you need to make sure the corresponding experimental feature,
flakes, is enabled. For example, include the following in nix.conf:
extra-experimental-features = flakes
commit-lockfile-summary = ...
Default: empty
• compress-build-log
If set to true (the default), build logs written to /nix/var/log/nix/drvs will be
compressed on the fly using bzip2. Otherwise, they will not be compressed.
Default: true
Deprecated alias: build-compress-log
• connect-timeout
The timeout (in seconds) for establishing connections in the binary cache substituter.
It corresponds to curl’s --connect-timeout option. A value of 0 means no limit.
Default: 0
• cores
Sets the value of the NIX_BUILD_CORES environment variable in the invocation of
builders. Builders can use this variable at their discretion to control the maximum
amount of parallelism. For instance, in Nixpkgs, if the derivation attribute
enableParallelBuilding is set to true, the builder passes the -jN flag to GNU Make. It
can be overridden using the --cores command line switch and defaults to 1. The value 0
means that the builder should use all available CPU cores in the system.
Default: machine-specific
Deprecated alias: build-cores
• diff-hook
Absolute path to an executable capable of diffing build results. The hook is executed
if run-diff-hook is true, and the output of a build is known to not be the same. This
program is not executed to determine if two results are the same.
The diff hook is executed by the same user and group who ran the build. However, the
diff hook does not have write access to the store path just built.
The diff hook program receives three parameters:
1. A path to the previous build’s results
2. A path to the current build’s results
3. The path to the build’s derivation
4. The path to the build’s scratch directory. This directory will exist only if the
build was run with --keep-failed.
The stderr and stdout output from the diff hook will not be displayed to the user.
Instead, it will print to the nix-daemon’s log.
When using the Nix daemon, diff-hook must be set in the nix.conf configuration file,
and cannot be passed at the command line.
Default: ``
• download-attempts
How often Nix will attempt to download a file before giving up.
Default: 5
• download-speed
Specify the maximum transfer rate in kilobytes per second you want Nix to use for
downloads.
Default: 0
• eval-cache
Whether to use the flake evaluation cache.
Default: true
• experimental-features
Experimental features that are enabled.
Example:
experimental-features = nix-command flakes
The following experimental features are available:
• auto-allocate-uids
• ca-derivations
• cgroups
• daemon-trust-override
• dynamic-derivations
• fetch-closure
• flakes
• impure-derivations
• nix-command
• no-url-literals
• parse-toml-timestamps
• read-only-local-store
• recursive-nix
• repl-flake
Experimental features are further documented in the manual.
Default: empty
• extra-platforms
System types of executables that can be run on this machine.
Nix will only build a given derivation locally when its system attribute equals any of
the values specified here or in the system option.
Setting this can be useful to build derivations locally on compatible machines:
• i686-linux executables can be run on x86_64-linux machines (set by default)
• x86_64-darwin executables can be run on macOS aarch64-darwin with Rosetta 2 (set by
default where applicable)
• armv6 and armv5tel executables can be run on armv7
• some aarch64 machines can also natively run 32-bit ARM code
• qemu-user may be used to support non-native platforms (though this may be slow and
buggy)
Build systems will usually detect the target platform to be the current physical system
and therefore produce machine code incompatible with what may be intended in the
derivation. You should design your derivation’s builder accordingly and cross-check
the results when using this option against natively-built versions of your derivation.
Default: machine-specific
• fallback
If set to true, Nix will fall back to building from source if a binary substitute
fails. This is equivalent to the --fallback flag. The default is false.
Default: false
Deprecated alias: build-fallback
• filter-syscalls
Whether to prevent certain dangerous system calls, such as creation of setuid/setgid
files or adding ACLs or extended attributes. Only disable this if you’re aware of the
security implications.
Default: true
• flake-registry
Path or URI of the global flake registry.
When empty, disables the global flake registry.
Warning This setting is part of an experimental feature.
To change this setting, you need to make sure the corresponding experimental feature,
flakes, is enabled. For example, include the following in nix.conf:
extra-experimental-features = flakes
flake-registry = ...
Default: https://channels.nixos.org/flake-registry.json
• fsync-metadata
If set to true, changes to the Nix store metadata (in /nix/var/nix/db) are
synchronously flushed to disk. This improves robustness in case of system crashes, but
reduces performance. The default is true.
Default: true
• gc-reserved-space
Amount of reserved disk space for the garbage collector.
Default: 8388608
• hashed-mirrors
A list of web servers used by builtins.fetchurl to obtain files by hash. Given a hash
type ht and a base-16 hash h, Nix will try to download the file from hashed-
mirror/ht/h. This allows files to be downloaded even if they have disappeared from
their original URI. For example, given an example mirror http://tarballs.nixos.org/,
when building the derivation
builtins.fetchurl {
url = "https://example.org/foo-1.2.3.tar.xz";
sha256 = "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae";
}
Nix will attempt to download this file from
http://tarballs.nixos.org/sha256/2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
first. If it is not available there, if will try the original URI.
Default: empty
• http-connections
The maximum number of parallel TCP connections used to fetch files from binary caches
and by other downloads. It defaults to 25. 0 means no limit.
Default: 25
Deprecated alias: binary-caches-parallel-connections
• http2
Whether to enable HTTP/2 support.
Default: true
• id-count
The number of UIDs/GIDs to use for dynamic ID allocation.
Default: 8388608
• ignore-try
If set to true, ignore exceptions inside ‘tryEval’ calls when evaluating nix
expressions in debug mode (using the –debugger flag). By default the debugger will
pause on all exceptions.
Default: false
• ignored-acls
A list of ACLs that should be ignored, normally Nix attempts to remove all ACLs from
files and directories in the Nix store, but some ACLs like security.selinux or
system.nfs4_acl can’t be removed even by root. Therefore it’s best to just ignore them.
Default: security.csm security.selinux system.nfs4_acl
• impersonate-linux-26
Whether to impersonate a Linux 2.6 machine on newer kernels.
Default: false
Deprecated alias: build-impersonate-linux-26
• keep-build-log
If set to true (the default), Nix will write the build log of a derivation (i.e. the
standard output and error of its builder) to the directory /nix/var/log/nix/drvs. The
build log can be retrieved using the command nix-store -l path.
Default: true
Deprecated alias: build-keep-log
• keep-derivations
If true (default), the garbage collector will keep the derivations from which non-
garbage store paths were built. If false, they will be deleted unless explicitly
registered as a root (or reachable from other roots).
Keeping derivation around is useful for querying and traceability (e.g., it allows you
to ask with what dependencies or options a store path was built), so by default this
option is on. Turn it off to save a bit of disk space (or a lot if keep-outputs is also
turned on).
Default: true
Deprecated alias: gc-keep-derivations
• keep-env-derivations
If false (default), derivations are not stored in Nix user environments. That is, the
derivations of any build-time-only dependencies may be garbage-collected.
If true, when you add a Nix derivation to a user environment, the path of the
derivation is stored in the user environment. Thus, the derivation will not be garbage-
collected until the user environment generation is deleted (nix-env --delete-
generations). To prevent build-time-only dependencies from being collected, you should
also turn on keep-outputs.
The difference between this option and keep-derivations is that this one is “sticky”:
it applies to any user environment created while this option was enabled, while keep-
derivations only applies at the moment the garbage collector is run.
Default: false
Deprecated alias: env-keep-derivations
• keep-failed
Whether to keep temporary directories of failed builds.
Default: false
• keep-going
Whether to keep building derivations when another build fails.
Default: false
• keep-outputs
If true, the garbage collector will keep the outputs of non-garbage derivations. If
false (default), outputs will be deleted unless they are GC roots themselves (or
reachable from other roots).
In general, outputs must be registered as roots separately. However, even if the output
of a derivation is registered as a root, the collector will still delete store paths
that are used only at build time (e.g., the C compiler, or source tarballs downloaded
from the network). To prevent it from doing so, set this option to true.
Default: false
Deprecated alias: gc-keep-outputs
• log-lines
The number of lines of the tail of the log to show if a build fails.
Default: 10
• max-build-log-size
This option defines the maximum number of bytes that a builder can write to its
stdout/stderr. If the builder exceeds this limit, it’s killed. A value of 0 (the
default) means that there is no limit.
Default: 0
Deprecated alias: build-max-log-size
• max-free
When a garbage collection is triggered by the min-free option, it stops as soon as max-
free bytes are available. The default is infinity (i.e. delete all garbage).
Default: -1
• max-jobs
This option defines the maximum number of jobs that Nix will try to build in parallel.
The default is 1. The special value auto causes Nix to use the number of CPUs in your
system. 0 is useful when using remote builders to prevent any local builds (except for
preferLocalBuild derivation attribute which executes locally regardless). It can be
overridden using the --max-jobs (-j) command line switch.
Default: 1
Deprecated alias: build-max-jobs
• max-silent-time
This option defines the maximum number of seconds that a builder can go without
producing any data on standard output or standard error. This is useful (for instance
in an automated build system) to catch builds that are stuck in an infinite loop, or to
catch remote builds that are hanging due to network problems. It can be overridden
using the --max-silent-time command line switch.
The value 0 means that there is no timeout. This is also the default.
Default: 0
Deprecated alias: build-max-silent-time
• max-substitution-jobs
This option defines the maximum number of substitution jobs that Nix will try to run in
parallel. The default is 16. The minimum value one can choose is 1 and lower values
will be interpreted as 1.
Default: 16
Deprecated alias: substitution-max-jobs
• min-free
When free disk space in /nix/store drops below min-free during a build, Nix performs a
garbage-collection until max-free bytes are available or there is no more garbage. A
value of 0 (the default) disables this feature.
Default: 0
• min-free-check-interval
Number of seconds between checking free disk space.
Default: 5
• nar-buffer-size
Maximum size of NARs before spilling them to disk.
Default: 33554432
• narinfo-cache-negative-ttl
The TTL in seconds for negative lookups. If a store path is queried from a substituter
but was not found, there will be a negative lookup cached in the local disk cache
database for the specified duration.
Default: 3600
• narinfo-cache-positive-ttl
The TTL in seconds for positive lookups. If a store path is queried from a substituter,
the result of the query will be cached in the local disk cache database including some
of the NAR metadata. The default TTL is a month, setting a shorter TTL for positive
lookups can be useful for binary caches that have frequent garbage collection, in which
case having a more frequent cache invalidation would prevent trying to pull the path
again and failing with a hash mismatch if the build isn’t reproducible.
Default: 2592000
• netrc-file
If set to an absolute path to a netrc file, Nix will use the HTTP authentication
credentials in this file when trying to download from a remote host through HTTP or
HTTPS. Defaults to $NIX_CONF_DIR/netrc.
The netrc file consists of a list of accounts in the following format:
machine my-machine login my-username password my-password
For the exact syntax, see the curl documentation.
Note
This must be an absolute path, and ~ is not resolved. For example, ~/.netrc
won’t resolve to your home directory’s .netrc.
Default: /dummy/netrc
• nix-path
List of directories to be searched for <...> file references
In particular, outside of pure evaluation mode, this determines the value of
builtins.nixPath.
Default: empty
• plugin-files
A list of plugin files to be loaded by Nix. Each of these files will be dlopened by
Nix, allowing them to affect execution through static initialization. In particular,
these plugins may construct static instances of RegisterPrimOp to add new primops or
constants to the expression language, RegisterStoreImplementation to add new store
implementations, RegisterCommand to add new subcommands to the nix command, and
RegisterSetting to add new nix config settings. See the constructors for those types
for more details.
Warning! These APIs are inherently unstable and may change from release to release.
Since these files are loaded into the same address space as Nix itself, they must be
DSOs compatible with the instance of Nix running at the time (i.e. compiled against the
same headers, not linked to any incompatible libraries). They should not be linked to
any Nix libs directly, as those will be available already at load time.
If an entry in the list is a directory, all files in the directory are loaded as
plugins (non-recursively).
Default: empty
• post-build-hook
Optional. The path to a program to execute after each build.
This option is only settable in the global nix.conf, or on the command line by trusted
users.
When using the nix-daemon, the daemon executes the hook as root. If the nix-daemon is
not involved, the hook runs as the user executing the nix-build.
• The hook executes after an evaluation-time build.
• The hook does not execute on substituted paths.
• The hook’s output always goes to the user’s terminal.
• If the hook fails, the build succeeds but no further builds execute.
• The hook executes synchronously, and blocks other builds from progressing while it
runs.
The program executes with no arguments. The program’s environment contains the
following environment variables:
• DRV_PATH The derivation for the built paths.
Example: /nix/store/5nihn1a7pa8b25l9zafqaqibznlvvp3f-bash-4.4-p23.drv
• OUT_PATHS Output paths of the built derivation, separated by a space character.
Example: /nix/store/zf5lbh336mnzf1nlswdn11g4n2m8zh3g-bash-4.4-p23-dev
/nix/store/rjxwxwv1fpn9wa2x5ssk5phzwlcv4mna-bash-4.4-p23-doc
/nix/store/6bqvbzjkcp9695dq0dpl5y43nvy37pq1-bash-4.4-p23-info
/nix/store/r7fng3kk3vlpdlh2idnrbn37vh4imlj2-bash-4.4-p23-man
/nix/store/xfghy8ixrhz3kyy6p724iv3cxji088dx-bash-4.4-p23.
Default: empty
• pre-build-hook
If set, the path to a program that can set extra derivation-specific settings for this
system. This is used for settings that can’t be captured by the derivation model itself
and are too variable between different versions of the same system to be hard-coded
into nix.
The hook is passed the derivation path and, if sandboxes are enabled, the sandbox
directory. It can then modify the sandbox and send a series of commands to modify
various settings to stdout. The currently recognized commands are:
• extra-sandbox-paths
Pass a list of files and directories to be included in the sandbox for this build.
One entry per line, terminated by an empty line. Entries have the same format as
sandbox-paths.
Default: empty
• preallocate-contents
Whether to preallocate files when writing objects with known size.
Default: false
• print-missing
Whether to print what paths need to be built or downloaded.
Default: true
• pure-eval
Pure evaluation mode ensures that the result of Nix expressions is fully determined by
explicitly declared inputs, and not influenced by external state:
• Restrict file system and network access to files specified by cryptographic hash
• Disable bultins.currentSystem and builtins.currentTime
Default: false
• require-drop-supplementary-groups
Following the principle of least privilege, Nix will attempt to drop supplementary
groups when building with sandboxing.
However this can fail under some circumstances. For example, if the user lacks the
CAP_SETGID capability. Search setgroups(2) for EPERM to find more detailed information
on this.
If you encounter such a failure, setting this option to false will let you ignore it
and continue. But before doing so, you should consider the security implications
carefully. Not dropping supplementary groups means the build sandbox will be less
restricted than intended.
This option defaults to true when the user is root (since root usually has permissions
to call setgroups) and false otherwise.
Default: false
• require-sigs
If set to true (the default), any non-content-addressed path added or copied to the Nix
store (e.g. when substituting from a binary cache) must have a signature by a trusted
key. A trusted key is one listed in trusted-public-keys, or a public key counterpart to
a private key stored in a file listed in secret-key-files.
Set to false to disable signature checking and trust all non-content-addressed paths
unconditionally.
(Content-addressed paths are inherently trustworthy and thus unaffected by this
configuration option.)
Default: true
• restrict-eval
If set to true, the Nix evaluator will not allow access to any files outside of the Nix
search path (as set via the NIX_PATH environment variable or the -I option), or to URIs
outside of allowed-uris. The default is false.
Default: false
• run-diff-hook
If true, enable the execution of the diff-hook program.
When using the Nix daemon, run-diff-hook must be set in the nix.conf configuration
file, and cannot be passed at the command line.
Default: false
• sandbox
If set to true, builds will be performed in a sandboxed environment, i.e., they’re
isolated from the normal file system hierarchy and will only see their dependencies in
the Nix store, the temporary build directory, private versions of /proc, /dev, /dev/shm
and /dev/pts (on Linux), and the paths configured with the sandbox-paths option. This
is useful to prevent undeclared dependencies on files in directories such as /usr/bin.
In addition, on Linux, builds run in private PID, mount, network, IPC and UTS
namespaces to isolate them from other processes in the system (except that fixed-output
derivations do not run in private network namespace to ensure they can access the
network).
Currently, sandboxing only work on Linux and macOS. The use of a sandbox requires that
Nix is run as root (so you should use the “build users” feature to perform the actual
builds under different users than root).
If this option is set to relaxed, then fixed-output derivations and derivations that
have the __noChroot attribute set to true do not run in sandboxes.
The default is true on Linux and false on all other platforms.
Default: true
Deprecated alias: build-use-chroot, build-use-sandbox
• sandbox-build-dir
The build directory inside the sandbox.
Default: /build
• sandbox-dev-shm-size
This option determines the maximum size of the tmpfs filesystem mounted on /dev/shm in
Linux sandboxes. For the format, see the description of the size option of tmpfs in
mount(8). The default is 50%.
Default: 50%
• sandbox-fallback
Whether to disable sandboxing when the kernel doesn’t allow it.
Default: true
• sandbox-paths
A list of paths bind-mounted into Nix sandbox environments. You can use the syntax
target=source to mount a path in a different location in the sandbox; for instance,
/bin=/nix-bin will mount the path /nix-bin as /bin inside the sandbox. If source is
followed by ?, then it is not an error if source does not exist; for example,
/dev/nvidiactl? specifies that /dev/nvidiactl will only be mounted in the sandbox if it
exists in the host filesystem.
If the source is in the Nix store, then its closure will be added to the sandbox as
well.
Depending on how Nix was built, the default value for this option may be empty or
provide /bin/sh as a bind-mount of bash.
Default: empty
Deprecated alias: build-chroot-dirs, build-sandbox-paths
• secret-key-files
A whitespace-separated list of files containing secret (private) keys. These are used
to sign locally-built paths. They can be generated using nix-store --generate-binary-
cache-key. The corresponding public key can be distributed to other users, who can add
it to trusted-public-keys in their nix.conf.
Default: empty
• show-trace
Whether Nix should print out a stack trace in case of Nix expression evaluation errors.
Default: false
• ssl-cert-file
The path of a file containing CA certificates used to authenticate https:// downloads.
Nix by default will use the first of the following files that exists:
1. /etc/ssl/certs/ca-certificates.crt
2. /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
The path can be overridden by the following environment variables, in order of
precedence:
1. NIX_SSL_CERT_FILE
2. SSL_CERT_FILE
Default: /etc/ssl/certs/ca-certificates.crt
• stalled-download-timeout
The timeout (in seconds) for receiving data from servers during download. Nix cancels
idle downloads after this timeout’s duration.
Default: 300
• start-id
The first UID and GID to use for dynamic ID allocation.
Default: 872415232
• store
The URL of the Nix store to use for most operations. See nix help-stores for supported
store types and settings.
Default: auto
• substitute
If set to true (default), Nix will use binary substitutes if available. This option can
be disabled to force building from source.
Default: true
Deprecated alias: build-use-substitutes
• substituters
A list of URLs of Nix stores to be used as substituters, separated by whitespace. A
substituter is an additional [store]{@docroot@/glossary.md##gloss-store} from which Nix
can obtain store objects instead of building them.
Substituters are tried based on their priority value, which each substituter can set
independently. Lower value means higher priority. The default is
https://cache.nixos.org, which has a priority of 40.
At least one of the following conditions must be met for Nix to use a substituter:
• The substituter is in the trusted-substituters list
• The user calling Nix is in the trusted-users list
In addition, each store path should be trusted as described in trusted-public-keys
Default: https://cache.nixos.org/
Deprecated alias: binary-caches
• sync-before-registering
Whether to call sync() before registering a path as valid.
Default: false
• system
The system type of the current Nix installation. Nix will only build a given
derivation locally when its system attribute equals any of the values specified here or
in extra-platforms.
The default value is set when Nix itself is compiled for the system it will run on.
The following system types are widely used, as Nix is actively supported on these
platforms:
• x86_64-linux
• x86_64-darwin
• i686-linux
• aarch64-linux
• aarch64-darwin
• armv6l-linux
• armv7l-linux
In general, you do not have to modify this setting. While you can force Nix to run a
Darwin-specific builder executable on a Linux machine, the result would obviously be
wrong.
This value is available in the Nix language as builtins.currentSystem.
Default: x86_64-linux
• system-features
A set of system “features” supported by this machine, e.g. kvm. Derivations can
express a dependency on such features through the derivation attribute
requiredSystemFeatures. For example, the attribute
requiredSystemFeatures = [ “kvm” ];
ensures that the derivation can only be built on a machine with the kvm feature.
This setting by default includes kvm if /dev/kvm is accessible, and the pseudo-features
nixos-test, benchmark and big-parallel that are used in Nixpkgs to route builds to
specific machines.
Default: machine-specific
• tarball-ttl
The number of seconds a downloaded tarball is considered fresh. If the cached tarball
is stale, Nix will check whether it is still up to date using the ETag header. Nix will
download a new version if the ETag header is unsupported, or the cached ETag doesn’t
match.
Setting the TTL to 0 forces Nix to always check if the tarball is up to date.
Nix caches tarballs in $XDG_CACHE_HOME/nix/tarballs.
Files fetched via NIX_PATH, fetchGit, fetchMercurial, fetchTarball, and fetchurl
respect this TTL.
Default: 3600
• timeout
This option defines the maximum number of seconds that a builder can run. This is
useful (for instance in an automated build system) to catch builds that are stuck in an
infinite loop but keep writing to their standard output or standard error. It can be
overridden using the --timeout command line switch.
The value 0 means that there is no timeout. This is also the default.
Default: 0
Deprecated alias: build-timeout
• trace-function-calls
If set to true, the Nix evaluator will trace every function call. Nix will print a log
message at the “vomit” level for every function entrance and function exit.
function-trace entered undefined position at 1565795816999559622 function-trace exited
undefined position at 1565795816999581277 function-trace entered
/nix/store/…/example.nix:226:41 at 1565795253249935150 function-trace exited
/nix/store/…/example.nix:226:41 at 1565795253249941684
The undefined position means the function call is a builtin.
Use the contrib/stack-collapse.py script distributed with the Nix source code to
convert the trace logs in to a format suitable for flamegraph.pl.
Default: false
• trace-verbose
Whether builtins.traceVerbose should trace its first argument when evaluated.
Default: false
• trusted-public-keys
A whitespace-separated list of public keys.
At least one of the following condition must be met for Nix to accept copying a store
object from another Nix store (such as a substituter):
• the store object has been signed using a key in the trusted keys list
• the require-sigs option has been set to false
• the store object is output-addressed
Default: cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
Deprecated alias: binary-cache-public-keys
• trusted-substituters
A list of Nix store URLs, separated by whitespace. These are not used by default, but
users of the Nix daemon can enable them by specifying substituters.
Unprivileged users (those set in only allowed-users but not trusted-users) can pass as
substituters only those URLs listed in trusted-substituters.
Default: empty
Deprecated alias: trusted-binary-caches
• trusted-users
A list of user names, separated by whitespace. These users will have additional rights
when connecting to the Nix daemon, such as the ability to specify additional
substituters, or to import unsigned NARs.
You can also specify groups by prefixing names with @. For instance, @wheel means all
users in the wheel group.
Warning
Adding a user to trusted-users is essentially equivalent to giving that user
root access to the system. For example, the user can access or replace store
path contents that are critical for system security.
Default: root
• use-case-hack
Whether to enable a Darwin-specific hack for dealing with file name collisions.
Default: false
• use-cgroups
Whether to execute builds inside cgroups. This is only supported on Linux.
Cgroups are required and enabled automatically for derivations that require the uid-
range system feature.
Default: false
• use-registries
Whether to use flake registries to resolve flake references.
Warning This setting is part of an experimental feature.
To change this setting, you need to make sure the corresponding experimental feature,
flakes, is enabled. For example, include the following in nix.conf:
extra-experimental-features = flakes
use-registries = ...
Default: true
• use-sqlite-wal
Whether SQLite should use WAL mode.
Default: true
• use-xdg-base-directories
If set to true, Nix will conform to the XDG Base Directory Specification for files in
$HOME. The environment variables used to implement this are documented in the
Environment Variables section.
Warning This changes the location of some well-known symlinks that Nix creates,
which might break tools that rely on the old, non-XDG-conformant locations.
In particular, the following locations change:
┌────────────────────────────────────┬─────────────────────────────────────────────────┐
│ Old │ New │
├────────────────────────────────────┼─────────────────────────────────────────────────┤
│ ~/.nix-profile │ $XDG_STATE_HOME/nix/profile │
├────────────────────────────────────┼─────────────────────────────────────────────────┤
│ ~/.nix-defexpr │ $XDG_STATE_HOME/nix/defexpr │
├────────────────────────────────────┼─────────────────────────────────────────────────┤
│ ~/.nix-channels │ $XDG_STATE_HOME/nix/channels │
└────────────────────────────────────┴─────────────────────────────────────────────────┘
If you already have Nix installed and are using profiles or channels, you should
migrate manually when you enable this option. If $XDG_STATE_HOME is not set, use
$HOME/.local/state/nix instead of $XDG_STATE_HOME/nix. This can be achieved with the
following shell commands:
nix_state_home=${XDG_STATE_HOME-$HOME/.local/state}/nix
mkdir -p $nix_state_home
mv $HOME/.nix-profile $nix_state_home/profile
mv $HOME/.nix-defexpr $nix_state_home/defexpr
mv $HOME/.nix-channels $nix_state_home/channels
Default: false
• user-agent-suffix
String appended to the user agent in HTTP requests.
Default: empty
• warn-dirty
Whether to warn about dirty Git/Mercurial trees.
Default: true
nix.conf(5)