Provided by: nix-bin_2.6.0+dfsg-3_amd64 bug

Name

       nix.conf - Nix configuration file

Description

       By default Nix reads settings from the following places:

       • The  system-wide  configuration file sysconfdir/nix/nix.conf (i.e.  /etc/nix/nix.conf on
         most systems), or $NIX_CONF_DIR/nix.conf if NIX_CONF_DIR is set. Values loaded  in  this
         file are not forwarded to the Nix daemon. The client assumes that the daemon has already
         loaded them.

       • If NIX_USER_CONF_FILES is set, then each path separated by : will be loaded  in  reverse
         order.

         Otherwise it will look for nix/nix.conf files in XDG_CONFIG_DIRS and XDG_CONFIG_HOME. If
         unset,  XDG_CONFIG_DIRS  defaults  to  /etc/xdg,   and   XDG_CONFIG_HOME   defaults   to
         $HOME/.config       as       per       XDG       Base       Directory      Specification
         (https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html).

       • If NIX_CONFIG is set, its contents is treated as the contents of a configuration file.

       The configuration files consist of name = value pairs, one per line. Other  files  can  be
       included  with a line like include path, where path is interpreted relative to the current
       conf file and a missing file is an error unless !include is used instead.  Comments  start
       with a # character. Here is an example configuration file:

       keep-outputs = true       # Nice for developers
       keep-derivations = true   # Idem

       You can override settings on the command line using the --option flag, e.g. --option keep-
       outputs false. Every configuration setting also has a  corresponding  command  line  flag,
       e.g.  --max-jobs  16;  for  Boolean settings, there are two flags to enable or disable the
       setting (e.g. --keep-failed and --no-keep-failed).

       A configuration setting usually overrides any previous value. However, you can prefix  the
       name of the setting by extra- to append to the previous value. For instance,

       substituters = a b
       extra-substituters = c d

       defines  the  substituters setting to be a b c d. This is also available as a command line
       flag (e.g. --extra-substituters).

       The following settings are currently available:

       • accept-flake-config

         Whether to accept nix configuration from a flake without prompting.

         Default: false

       • access-tokens

         Access tokens used to access protected GitHub,  GitLab,  or  other  locations  requiring
         token-based authentication.

         Access  tokens  are  specified as a string made up of space-separated host=token values.
         The specific token used is selected by matching the  host  portion  against  the  “host”
         specification  of the input. The actual use of the token value is determined by the type
         of resource being accessed:

         • Github: the token value is the OAUTH-TOKEN string  obtained  as  the  Personal  Access
           Token            from            the            Github           server           (see
           https://docs.github.com/en/developers/apps/authorizing-oath-apps).

         • Gitlab: the token value is either the OAuth2 token or the Personal Access Token (these
           are         different         types        tokens        for        gitlab,        see
           https://docs.gitlab.com/12.10/ee/api/README.html#authentication).   The  token   value
           should  be  type:tokenstring where type is either OAuth2 or PAT to indicate which type
           of token is being specified.

         Example ~/.config/nix/nix.conf:

       access-tokens = github.com=23ac...b289 gitlab.mycompany.com=PAT:A123Bp_Cd..EfG gitlab.com=OAuth2:1jklw3jk

              Example ~/code/flake.nix:

       input.foo = {
         type = "gitlab";
         host = "gitlab.mycompany.com";
         owner = "mycompany";
         repo = "pro";
       };

              This  example  specifies  three  tokens,  one  each   for   accessing   github.com,
              gitlab.mycompany.com, and sourceforge.net.

              The  input.foo uses the “gitlab” fetcher, which might requires specifying the token
              type along with the token value.

              Default: ""

       • allow-dirty

         Whether to allow dirty Git/Mercurial trees.

         Default: true

       • allow-import-from-derivation

         By default, Nix allows you to import from a derivation, allowing building at  evaluation
         time.  With  this  option  set  to  false,  Nix  will  throw an error when evaluating an
         expression that uses this feature, allowing users to ensure their  evaluation  will  not
         require any builds to take place.

         Default: true

       • allow-new-privileges

         (Linux-specific.) By default, builders on Linux cannot acquire new privileges by calling
         setuid/setgid programs or programs that have file capabilities.  For  example,  programs
         such  as  sudo  or  ping  will  fail. (Note that in sandbox builds, no such programs are
         available unless you bind-mount them into the sandbox via the sandbox-paths option.) You
         can  allow  the use of such programs by enabling this option. This is impure and usually
         undesirable, but may be useful in certain scenarios (e.g. to spin up containers  or  set
         up userspace network interfaces in tests).

         Default: false

       • allow-symlinked-store

         If  set to true, Nix will stop complaining if the store directory (typically /nix/store)
         contains symlink components.

         This risks making some builds “impure” because builders sometimes  “canonicalise”  paths
         by resolving all symlink components. Problems occur if those builds are then deployed to
         machines where /nix/store resolves to a  different  location  from  that  of  the  build
         machine. You can enable this setting if you are sure you’re not going to do that.

         Default: false

       • allow-unsafe-native-code-during-evaluation

         Whether builtin functions that allow executing native code should be enabled.

         Default: false

       • allowed-impure-host-deps

         Which prefixes to allow derivations to ask for access to (primarily for Darwin).

         Default: empty

       • allowed-uris

         A  list  of  URI  prefixes to which access is allowed in restricted evaluation mode. For
         example, when set to https://github.com/NixOS, builtin functions such  as  fetchGit  are
         allowed to access https://github.com/NixOS/patchelf.git.

         Default: empty

       • allowed-users

         A  list  of  names of users (separated by whitespace) that are allowed to connect to the
         Nix daemon. As with the trusted-users option, you can specify groups by  prefixing  them
         with @. Also, you can allow all users by specifying *. The default is *.

         Note that trusted users are always allowed to connect.

         Default: *

       • auto-optimise-store

         If  set  to  true,  Nix  automatically  detects  files  in the store that have identical
         contents, and replaces them with hard links to a single copy. This saves disk space.  If
         set  to  false  (the  default),  you  can  still  run nix-store --optimise to get rid of
         duplicate files.

         Default: false

       • bash-prompt

         The bash prompt (PS1) in nix develop shells.

         Default: empty

       • bash-prompt-suffix

         Suffix appended to the PS1 environment variable in nix develop shells.

         Default: empty

       • build-hook

         The path of the helper program that executes builds to remote machines.

         Default: /usr/libexec/nix/build-remote

       • build-poll-interval

         How often (in seconds) to poll for locks.

         Default: 5

       • build-users-group

         This options specifies the Unix group containing the Nix build user accounts. In  multi-
         user  Nix  installations,  builds  should not be performed by the Nix account since that
         would allow users to  arbitrarily  modify  the  Nix  store  and  database  by  supplying
         specially  crafted builders; and they cannot be performed by the calling user since that
         would allow him/her to influence the build result.

         Therefore, if this option is non-empty and specifies  a  valid  group,  builds  will  be
         performed  under  the  user  accounts  that are a member of the group specified here (as
         listed in /etc/group). Those user accounts should not be used for any other purpose!

         Nix will never run two builds under the same user account at the same time. This  is  to
         prevent  an  obvious  security  hole:  a  malicious  user  writing a Nix expression that
         modifies the build result of a legitimate Nix expression being built  by  another  user.
         Therefore  it  is  good  to  have  as  many  Nix  build  user accounts as you can spare.
         (Remember: uids are cheap.)

         The build users should have permission to create files in the Nix store, but not  delete
         them.  Therefore, /nix/store should be owned by the Nix account, its group should be the
         group specified here, and its mode should be 1775.

         If the build users group is empty, builds will be performed under the  uid  of  the  Nix
         process  (that is, the uid of the caller if NIX_REMOTE is empty, the uid under which the
         Nix daemon runs if NIX_REMOTE is daemon). Obviously, this should not be used  in  multi-
         user settings with untrusted users.

         Default: empty

       • builders

         A  semicolon-separated  list  of build machines.  For the exact format and examples, see
         the manual chapter on remote builds (../advanced-topics/distributed-builds.md)

         Default: @/dummy/machines

       • builders-use-substitutes

         If set to true, Nix will  instruct  remote  build  machines  to  use  their  own  binary
         substitutes if available. In practical terms, this means that remote hosts will fetch as
         many  build  dependencies  as  possible  from   their   own   substitutes   (e.g,   from
         cache.nixos.org),  instead  of  waiting  for  this  host  to  upload  them all. This can
         drastically reduce build times if the network connection between this computer  and  the
         remote build host is slow.

         Default: false

       • commit-lockfile-summary

         The  commit  summary  to  use  when  committing  changed flake lock files. If empty, the
         summary is generated based on the action performed.

         Default: empty

       • compress-build-log

         If set to true (the default),  build  logs  written  to  /nix/var/log/nix/drvs  will  be
         compressed on the fly using bzip2.  Otherwise, they will not be compressed.

         Default: true

         Deprecated alias: build-compress-log

       • connect-timeout

         The  timeout  (in seconds) for establishing connections in the binary cache substituter.
         It corresponds to curl’s --connect-timeout option.

         Default: 0

       • cores

         Sets the value  of  the  NIX_BUILD_CORES  environment  variable  in  the  invocation  of
         builders.  Builders  can  use  this  variable at their discretion to control the maximum
         amount  of  parallelism.  For  instance,  in  Nixpkgs,  if  the   derivation   attribute
         enableParallelBuilding  is  set to true, the builder passes the -jN flag to GNU Make. It
         can be overridden using the --cores command line switch and defaults to 1. The  value  0
         means that the builder should use all available CPU cores in the system.

         Default: machine-specific    Deprecated alias: build-cores

       • diff-hook

         Absolute path to an executable capable of diffing build results. The hook is executed if
         run-diff-hook is true, and the output of a build is known  to  not  be  the  same.  This
         program is not executed to determine if two results are the same.

         The  diff  hook  is  executed by the same user and group who ran the build. However, the
         diff hook does not have write access to the store path just built.

         The diff hook program receives three parameters:

         1.     A path to the previous build’s results

         2.     A path to the current build’s results

         3.     The path to the build’s derivation

         4.     The path to the build’s scratch directory. This directory will exist only if  the
                build was run with --keep-failed.

         The  stderr  and  stdout  output  from  the diff hook will not be displayed to the user.
         Instead, it will print to the nix-daemon’s log.

         When using the Nix daemon, diff-hook must be set in the nix.conf configuration file, and
         cannot be passed at the command line.

         Default: empty

       • download-attempts

         How often Nix will attempt to download a file before giving up.

         Default: 5

       • enforce-determinism

         Whether to fail if repeated builds produce different output. See repeat.

         Default: true

       • eval-cache

         Whether to use the flake evaluation cache.

         Default: true

       • experimental-features

         Experimental Nix features to enable.

         Default: 2

       • extra-platforms

         Platforms  other than the native one which this machine is capable of building for. This
         can be useful for supporting additional architectures on compatible machines: i686-linux
         can  be built on x86_64-linux machines (and the default for this setting reflects this);
         armv7 is backwards-compatible with armv6 and armv5tel; some aarch64  machines  can  also
         natively  run 32-bit ARM code; and qemu-user may be used to support non-native platforms
         (though this may be slow and buggy). Most values for this are  not  enabled  by  default
         because build systems will often misdetect the target platform and generate incompatible
         code, so you may wish to cross-check the results of using  this  option  against  proper
         natively-built versions of your derivations.

         Default: machine-specific  - fallback

         If set to true, Nix will fall back to building from source if a binary substitute fails.
         This is equivalent to the --fallback flag. The default is false.

         Default: false

         Deprecated alias: build-fallback

       • filter-syscalls

         Whether to prevent certain dangerous system calls, such  as  creation  of  setuid/setgid
         files  or  adding  ACLs or extended attributes. Only disable this if you’re aware of the
         security implications.

         Default: true

       • flake-registry

         Path or URI of the global flake registry.

         Default: https://github.com/NixOS/flake-registry/raw/master/flake-registry.json

       • fsync-metadata

         If set to true, changes to the Nix store metadata (in /nix/var/nix/db) are synchronously
         flushed  to  disk.  This  improves  robustness  in  case  of system crashes, but reduces
         performance. The default is true.

         Default: true

       • gc-reserved-space

         Amount of reserved disk space for the garbage collector.

         Default: 8388608

       • hashed-mirrors

         A list of web servers used by builtins.fetchurl to obtain files by hash. The default  is
         http://tarballs.nixos.org/.  Given  a hash type ht and a base-16 hash h, Nix will try to
         download the file from hashed-mirror/ht/h. This allows files to be  downloaded  even  if
         they  have  disappeared  from  their original URI. For example, given the default mirror
         http://tarballs.nixos.org/, when building the derivation

       builtins.fetchurl {
         url = "https://example.org/foo-1.2.3.tar.xz";
         sha256 = "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae";
       }

              Nix      will      attempt       to       download       this       file       from
              http://tarballs.nixos.org/sha256/2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
              first. If it is not available there, if will try the original URI.

              Default: empty

       • http-connections

         The maximum number of parallel TCP connections used to fetch files  from  binary  caches
         and by other downloads. It defaults to 25. 0 means no limit.

         Default: 25

         Deprecated alias: binary-caches-parallel-connections

       • http2

         Whether to enable HTTP/2 support.

         Default: true

       • ignored-acls

         A  list  of  ACLs  that should be ignored, normally Nix attempts to remove all ACLs from
         files and directories  in  the  Nix  store,  but  some  ACLs  like  security.selinux  or
         system.nfs4_acl can’t be removed even by root. Therefore it’s best to just ignore them.

         Default: security.selinux system.nfs4_acl

       • impersonate-linux-26

         Whether to impersonate a Linux 2.6 machine on newer kernels.

         Default: false

         Deprecated alias: build-impersonate-linux-26

       • keep-build-log

         If  set  to  true  (the default), Nix will write the build log of a derivation (i.e. the
         standard output and error of its builder) to the  directory  /nix/var/log/nix/drvs.  The
         build log can be retrieved using the command nix-store -l path.

         Default: true

         Deprecated alias: build-keep-log

       • keep-derivations

         If  true  (default),  the  garbage  collector  will keep the derivations from which non-
         garbage store paths were built.  If  false,  they  will  be  deleted  unless  explicitly
         registered as a root (or reachable from other roots).

         Keeping  derivation  around is useful for querying and traceability (e.g., it allows you
         to ask with what dependencies or options a store path was built),  so  by  default  this
         option  is on. Turn it off to save a bit of disk space (or a lot if keep-outputs is also
         turned on).

         Default: true

         Deprecated alias: gc-keep-derivations

       • keep-env-derivations

         If false (default), derivations are not stored in Nix user environments.  That  is,  the
         derivations of any build-time-only dependencies may be garbage-collected.

         If true, when you add a Nix derivation to a user environment, the path of the derivation
         is stored in the user environment. Thus, the derivation will  not  be  garbage-collected
         until  the  user  environment  generation  is deleted (nix-env --delete-generations). To
         prevent build-time-only dependencies from being collected, you should also turn on keep-
         outputs.

         The difference between this option and keep-derivations is that this one is “sticky”: it
         applies to any user environment created while  this  option  was  enabled,  while  keep-
         derivations only applies at the moment the garbage collector is run.

         Default: false

         Deprecated alias: env-keep-derivations

       • keep-failed

         Whether to keep temporary directories of failed builds.

         Default: false

       • keep-going

         Whether to keep building derivations when another build fails.

         Default: false

       • keep-outputs

         If  true,  the  garbage  collector  will keep the outputs of non-garbage derivations. If
         false (default), outputs will be  deleted  unless  they  are  GC  roots  themselves  (or
         reachable from other roots).

         In  general, outputs must be registered as roots separately. However, even if the output
         of a derivation is registered as a root, the collector will  still  delete  store  paths
         that  are  used  only at build time (e.g., the C compiler, or source tarballs downloaded
         from the network). To prevent it from doing so, set this option to true.

         Default: false

         Deprecated alias: gc-keep-outputs

       • log-lines

         If verbose-build is false, the number of lines of the tail of the log to show if a build
         fails.

         Default: 10

       • max-build-log-size

         This  option  defines  the  maximum  number  of  bytes  that  a builder can write to its
         stdout/stderr. If the builder exceeds this  limit,  it’s  killed.  A  value  of  0  (the
         default) means that there is no limit.

         Default: 0

         Deprecated alias: build-max-log-size

       • max-free

         When  a garbage collection is triggered by the min-free option, it stops as soon as max-
         free bytes are available. The default is infinity (i.e. delete all garbage).

         Default: -1

       • max-jobs

         This option defines the maximum number of jobs that Nix will try to build  in  parallel.
         The  default  is  1. The special value auto causes Nix to use the number of CPUs in your
         system. 0 is useful when using remote builders to prevent any local builds  (except  for
         preferLocalBuild  derivation  attribute  which  executes  locally regardless). It can be
         overridden using the --max-jobs (-j) command line switch.

         Default: 1

         Deprecated alias: build-max-jobs

       • max-silent-time

         This option defines the maximum  number  of  seconds  that  a  builder  can  go  without
         producing  any  data on standard output or standard error.  This is useful (for instance
         in an automated build system) to catch builds that are stuck in an infinite loop, or  to
         catch remote builds that are hanging due to network problems. It can be overridden using
         the --max-silent-time command line switch.

         The value 0 means that there is no timeout. This is also the default.

         Default: 0

         Deprecated alias: build-max-silent-time

       • min-free

         When free disk space in /nix/store drops below min-free during a build, Nix  performs  a
         garbage-collection  until  max-free  bytes  are available or there is no more garbage. A
         value of 0 (the default) disables this feature.

         Default: 0

       • min-free-check-interval

         Number of seconds between checking free disk space.

         Default: 5

       • nar-buffer-size

         Maximum size of NARs before spilling them to disk.

         Default: 33554432

       • narinfo-cache-negative-ttl

         The TTL in seconds for negative lookups. If a store path is queried from  a  substituter
         but  was  not  found,  there  will  be  a negative lookup cached in the local disk cache
         database for the specified duration.

         Default: 3600

       • narinfo-cache-positive-ttl

         The TTL in seconds for positive lookups. If a store path is queried from a  substituter,
         the  result  of the query will be cached in the local disk cache database including some
         of the NAR metadata. The default TTL is a month, setting  a  shorter  TTL  for  positive
         lookups  can be useful for binary caches that have frequent garbage collection, in which
         case having a more frequent cache invalidation would prevent trying  to  pull  the  path
         again and failing with a hash mismatch if the build isn’t reproducible.

         Default: 2592000

       • netrc-file

         If  set  to  an  absolute  path  to  a  netrc file, Nix will use the HTTP authentication
         credentials in this file when trying to download from a  remote  host  through  HTTP  or
         HTTPS. Defaults to $NIX_CONF_DIR/netrc.

         The netrc file consists of a list of accounts in the following format:

       machine my-machine
       login my-username
       password my-password

              For  the  exact  syntax,  see the curl documentation (https://ec.haxx.se/usingcurl-
              netrc.html).

                     Note

                     This must be an absolute path, and ~ is not resolved. For example,  ~/.netrc
                     won’t resolve to your home directory’s .netrc.

              Default: /dummy/netrc

       • nix-path

         List of directories to be searched for <...> file references.

         Default: empty

       • plugin-files

         A list of plugin files to be loaded by Nix. Each of these files will be dlopened by Nix,
         allowing them to affect execution through static initialization.  In  particular,  these
         plugins may construct static instances of RegisterPrimOp to add new primops or constants
         to   the   expression   language,   RegisterStoreImplementation   to   add   new   store
         implementations,  RegisterCommand  to  add  new  subcommands  to  the  nix  command, and
         RegisterSetting to add new nix config settings. See the constructors for those types for
         more details.

         Warning! These APIs are inherently unstable and may change from release to release.

         Since  these  files  are  loaded into the same address space as Nix itself, they must be
         DSOs compatible with the instance of Nix running at the time (i.e. compiled against  the
         same  headers,  not  linked to any incompatible libraries). They should not be linked to
         any Nix libs directly, as those will be available already at load time.

         If an entry in the list is a directory, all files in the directory are loaded as plugins
         (non-recursively).

         Default: empty

       • post-build-hook

         Optional. The path to a program to execute after each build.

         This  option  is only settable in the global nix.conf, or on the command line by trusted
         users.

         When using the nix-daemon, the daemon executes the hook as root.  If the  nix-daemon  is
         not involved, the hook runs as the user executing the nix-build.

         • The hook executes after an evaluation-time build.

         • The hook does not execute on substituted paths.

         • The hook’s output always goes to the user’s terminal.

         • If the hook fails, the build succeeds but no further builds execute.

         • The  hook  executes  synchronously,  and blocks other builds from progressing while it
           runs.

         The program executes with no arguments. The program’s environment contains the following
         environment variables:

         • DRV_PATH The derivation for the built paths.

           Example: /nix/store/5nihn1a7pa8b25l9zafqaqibznlvvp3f-bash-4.4-p23.drv

         • OUT_PATHS Output paths of the built derivation, separated by a space character.

           Example:                  /nix/store/zf5lbh336mnzf1nlswdn11g4n2m8zh3g-bash-4.4-p23-dev
           /nix/store/rjxwxwv1fpn9wa2x5ssk5phzwlcv4mna-bash-4.4-p23-doc
           /nix/store/6bqvbzjkcp9695dq0dpl5y43nvy37pq1-bash-4.4-p23-info
           /nix/store/r7fng3kk3vlpdlh2idnrbn37vh4imlj2-bash-4.4-p23-man
           /nix/store/xfghy8ixrhz3kyy6p724iv3cxji088dx-bash-4.4-p23.

         Default: empty

       • pre-build-hook

         If  set,  the path to a program that can set extra derivation-specific settings for this
         system. This is used for settings that can’t be captured by the derivation model  itself
         and are too variable between different versions of the same system to be hard-coded into
         nix.

         The hook is passed the derivation path  and,  if  sandboxes  are  enabled,  the  sandbox
         directory.  It  can  then  modify  the  sandbox  and send a series of commands to modify
         various settings to stdout. The currently recognized commands are:

         • extra-sandbox-paths
           Pass a list of files and directories to be included in the sandbox for this build. One
           entry  per line, terminated by an empty line. Entries have the same format as sandbox-
           paths.

         Default: empty

       • preallocate-contents

         Whether to preallocate files when writing objects with known size.

         Default: false

       • print-missing

         Whether to print what paths need to be built or downloaded.

         Default: true

       • pure-eval

         Whether to restrict file system and network access to files specified  by  cryptographic
         hash.

         Default: true

       • repeat

         How  many  times  to  repeat builds to check whether they are deterministic. The default
         value is 0. If the value is non-zero, every build is repeated the  specified  number  of
         times.  If  the  contents of any of the runs differs from the previous ones and enforce-
         determinism is true, the build is  rejected  and  the  resulting  store  paths  are  not
         registered as “valid” in Nix’s database.

         Default: 0

         Deprecated alias: build-repeat

       • require-sigs

         If  set to true (the default), any non-content-addressed path added or copied to the Nix
         store (e.g. when substituting from a binary cache) must have a valid signature, that is,
         be  signed  using one of the keys listed in trusted-public-keys or secret-key-files. Set
         to false to disable signature checking.

         Default: true

       • restrict-eval

         If set to true, the Nix evaluator will not allow access to any files outside of the  Nix
         search  path (as set via the NIX_PATH environment variable or the -I option), or to URIs
         outside of allowed-uri. The default is false.

         Default: false

       • run-diff-hook

         If true, enable the execution of the diff-hook program.

         When using the Nix daemon, run-diff-hook must be set in the nix.conf configuration file,
         and cannot be passed at the command line.

         Default: false

       • sandbox

         If  set  to  true,  builds  will  be performed in a sandboxed environment, i.e., they’re
         isolated from the normal file system hierarchy and will only see their  dependencies  in
         the  Nix store, the temporary build directory, private versions of /proc, /dev, /dev/shm
         and /dev/pts (on Linux), and the paths configured with the sandbox-paths option. This is
         useful  to  prevent undeclared dependencies on files in directories such as /usr/bin. In
         addition, on Linux, builds run in private PID, mount, network, IPC and UTS namespaces to
         isolate them from other processes in the system (except that fixed-output derivations do
         not run in private network namespace to ensure they can access the network).

         Currently, sandboxing only work on Linux and macOS. The use of a sandbox  requires  that
         Nix  is  run  as root (so you should use the “build users” feature to perform the actual
         builds under different users than root).

         If this option is set to relaxed, then fixed-output  derivations  and  derivations  that
         have the __noChroot attribute set to true do not run in sandboxes.

         The default is true on Linux and false on all other platforms.

         Default: true

         Deprecated alias: build-use-chroot, build-use-sandbox

       • sandbox-build-dir

         The build directory inside the sandbox.

         Default: /build

       • sandbox-dev-shm-size

         This  option  determines the maximum size of the tmpfs filesystem mounted on /dev/shm in
         Linux sandboxes. For the format, see the description of the  size  option  of  tmpfs  in
         mount8. The default is 50%.

         Default: 50%

       • sandbox-fallback

         Whether to disable sandboxing when the kernel doesn’t allow it.

         Default: true

       • sandbox-paths

         A  list  of  paths  bind-mounted  into  Nix sandbox environments. You can use the syntax
         target=source to mount a path in a different location  in  the  sandbox;  for  instance,
         /bin=/nix-bin  will  mount  the  path  /nix-bin as /bin inside the sandbox. If source is
         followed by ?, then it  is  not  an  error  if  source  does  not  exist;  for  example,
         /dev/nvidiactl?  specifies that /dev/nvidiactl will only be mounted in the sandbox if it
         exists in the host filesystem.

         Depending on how Nix was built, the default value  for  this  option  may  be  empty  or
         provide /bin/sh as a bind-mount of bash.

         Default: empty

         Deprecated alias: build-chroot-dirs, build-sandbox-paths

       • secret-key-files

         A whitespace-separated list of files containing secret (private) keys. These are used to
         sign locally-built paths. They can be generated using nix-store --generate-binary-cache-
         key.  The  corresponding public key can be distributed to other users, who can add it to
         trusted-public-keys in their nix.conf.

         Default: empty

       • show-trace

         Whether Nix should print out a stack trace in case of Nix expression evaluation errors.

         Default: false

       • stalled-download-timeout

         The timeout (in seconds) for receiving data from servers during  download.  Nix  cancels
         idle downloads after this timeout’s duration.

         Default: 300

       • store

         The default Nix store to use.

         Default: auto

       • substitute

         If  set to true (default), Nix will use binary substitutes if available. This option can
         be disabled to force building from source.

         Default: true

         Deprecated alias: build-use-substitutes

       • substituters

         A list of URLs of substituters, separated by whitespace. Substituters are tried based on
         their  Priority  value,  which each substituter can set independently. Lower value means
         higher priority.  The default is https://cache.nixos.org, with a Priority of 40.

         Default: https://cache.nixos.org/

         Deprecated alias: binary-caches

       • sync-before-registering

         Whether to call sync() before registering a path as valid.

         Default: false

       • system

         This option specifies the canonical Nix system name of the current installation, such as
         i686-linux  or  x86_64-darwin.  Nix  can  only  build derivations whose system attribute
         equals the value specified here. In general, it never makes sense to modify  this  value
         from  its  default, since you can use it to ‘lie’ about the platform you are building on
         (e.g., perform a Mac OS build on a Linux machine; the result would obviously be  wrong).
         It  only makes sense if the Nix binaries can run on multiple platforms, e.g., ‘universal
         binaries’ that run on x86_64-linux and i686-linux.

         It defaults to the canonical Nix system name detected by configure at build time.

         Default: x86_64-linux

       • system-features

         A set of system “features” supported by this machine, e.g. kvm.  Derivations can express
         a  dependency  on such features through the derivation attribute requiredSystemFeatures.
         For example, the attribute

       requiredSystemFeatures = [ "kvm" ];

              ensures that the derivation can only be built on a machine with the kvm feature.

              This setting by default includes kvm if /dev/kvm is  accessible,  and  the  pseudo-
              features  nixos-test,  benchmark and big-parallel that are used in Nixpkgs to route
              builds to specific machines.

              Default: machine-specific  - tarball-ttl

              The number of seconds a downloaded tarball  is  considered  fresh.  If  the  cached
              tarball  is  stale,  Nix  will  check whether it is still up to date using the ETag
              header. Nix will download a new version if the ETag header is unsupported,  or  the
              cached ETag doesn’t match.

              Setting the TTL to 0 forces Nix to always check if the tarball is up to date.

              Nix caches tarballs in $XDG_CACHE_HOME/nix/tarballs.

              Files  fetched  via  NIX_PATH, fetchGit, fetchMercurial, fetchTarball, and fetchurl
              respect this TTL.

              Default: 3600

       • timeout

         This option defines the maximum number of seconds that a builder can run. This is useful
         (for  instance  in  an  automated  build  system)  to  catch builds that are stuck in an
         infinite loop but keep writing to their standard output or standard  error.  It  can  be
         overridden using the --timeout command line switch.

         The value 0 means that there is no timeout. This is also the default.

         Default: 0

         Deprecated alias: build-timeout

       • trace-function-calls

         If  set to true, the Nix evaluator will trace every function call.  Nix will print a log
         message at the “vomit” level for every function entrance and function exit.

       function-trace entered undefined position at 1565795816999559622
       function-trace exited undefined position at 1565795816999581277
       function-trace entered /nix/store/.../example.nix:226:41 at 1565795253249935150
       function-trace exited /nix/store/.../example.nix:226:41 at 1565795253249941684

              The undefined position means the function call is a builtin.

              Use the contrib/stack-collapse.py script distributed with the Nix  source  code  to
              convert the trace logs in to a format suitable for flamegraph.pl.

              Default: false

       • trusted-public-keys

         A whitespace-separated list of public keys. When paths are copied from another Nix store
         (such as a binary cache), they must be signed with  one  of  these  keys.  For  example:
         cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
         hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=.

         Default: cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=

         Deprecated alias: binary-cache-public-keys

       • trusted-substituters

         A list of URLs of substituters, separated by whitespace. These are not used by  default,
         but  can  be enabled by users of the Nix daemon by specifying --option substituters urls
         on the command line. Unprivileged users are only allowed to pass a subset  of  the  URLs
         listed in substituters and trusted-substituters.

         Default: empty

         Deprecated alias: trusted-binary-caches

       • trusted-users

         A  list  of  names  of  users (separated by whitespace) that have additional rights when
         connecting to the Nix daemon, such as the ability to specify additional  binary  caches,
         or  to  import  unsigned NARs. You can also specify groups by prefixing them with @; for
         instance, @wheel means all users in the wheel group. The default is root.

                Warning

                Adding a user to trusted-users is essentially equivalent to giving that user root
                access  to  the  system.  For example, the user can set sandbox-paths and thereby
                obtain read access to directories that are otherwise inacessible to them.

         Default: root

       • use-case-hack

         Whether to enable a Darwin-specific hack for dealing with file name collisions.

         Default: false

       • use-registries

         Whether to use flake registries to resolve flake references.

         Default: true

       • use-sqlite-wal

         Whether SQLite should use WAL mode.

         Default: true

       • user-agent-suffix

         String appended to the user agent in HTTP requests.

         Default: empty

       • warn-dirty

         Whether to warn about dirty Git/Mercurial trees.

         Default: true

                                                                                      nix.conf(5)