19struct MaxBuildJobsSetting :
public BaseSetting<unsigned int>
21 MaxBuildJobsSetting(
Config * options,
23 const std::string & name,
24 const std::string & description,
25 const std::set<std::string> & aliases = {})
26 : BaseSetting<unsigned int>(def,
true, name, description, aliases)
28 options->addSetting(
this);
31 unsigned int parse(
const std::string &
str)
const override;
42class Settings :
public Config {
44 unsigned int getDefaultCores();
46 StringSet getDefaultSystemFeatures();
48 StringSet getDefaultExtraPlatforms();
52 Path getDefaultSSLCertFile();
94 The [URL of the Nix store](@docroot@/store/types/index.md#store-url-format)
95 to use for most operations.
97 [Store Types](@docroot@/store/types/index.md)
98 section of the manual for supported store types and settings.
102 "Whether to keep temporary directories of failed builds."};
104 Setting<bool> keepGoing{
this,
false,
"keep-going",
105 "Whether to keep building derivations when another build fails."};
107 Setting<bool> tryFallback{
108 this,
false,
"fallback",
110 If set to `true`, Nix will fall back to building from source if a
111 binary substitute fails. This is equivalent to the `--fallback`
112 flag. The default is `false`.
122 "The number of lines of the tail of "
123 "the log to show if a build fails."};
128 Maximum number of jobs that Nix will try to build locally in parallel.
130 The special value `auto` causes Nix to use the number of CPUs in your system.
131 Use `0` to disable local builds and directly use the remote machines specified in [`builders`](#conf-builders).
132 This will not affect derivations that have [`preferLocalBuild = true`](@docroot@/language/advanced-attributes.md#adv-attr-preferLocalBuild), which are always built locally.
136 > The number of CPU cores to use for each build job is independently determined by the [`cores`](#conf-cores) setting.
138 <!-- TODO(@fricklerhandwerk): would be good to have those shorthands for common options as part of the specification -->
139 The setting can be overridden using the `--max-jobs` (`-j`) command line switch.
143 Setting<unsigned int> maxSubstitutionJobs{
144 this, 16,
"max-substitution-jobs",
146 This option defines the maximum number of substitution jobs that Nix
147 will try to run in parallel. The default is `16`. The minimum value
148 one can choose is `1` and lower values will be interpreted as `1`.
150 {"substitution-max-jobs"}};
152 Setting<unsigned int> buildCores{
157 Sets the value of the `NIX_BUILD_CORES` environment variable in the [invocation of the `builder` executable](@docroot@/language/derivations.md#builder-execution) of a derivation.
158 The `builder` executable can use this variable to control its own maximum amount of parallelism.
161 FIXME(@fricklerhandwerk): I don't think this should even be mentioned here.
162 A very generic example using `derivation` and `xargs` may be more appropriate to explain the mechanism.
163 Using `mkDerivation` as an example requires being aware of that there are multiple independent layers that are completely opaque here.
165 For instance, in Nixpkgs, if the attribute `enableParallelBuilding` for the `mkDerivation` build helper is set to `true`, it will pass the `-j${NIX_BUILD_CORES}` flag to GNU Make.
167 The value `0` means that the `builder` should use all available CPU cores in the system.
171 > The number of parallel local Nix build jobs is independently controlled with the [`max-jobs`](#conf-max-jobs) setting.
184 this, SYSTEM,
"system",
186 The system type of the current Nix installation.
187 Nix will only build a given [derivation](@docroot@/language/derivations.md) locally when its `system` attribute equals any of the values specified here or in [`extra-platforms`](#conf-extra-platforms).
189 The default value is set when Nix itself is compiled for the system it will run on.
190 The following system types are widely used, as Nix is actively supported on these platforms:
200 In general, you do not have to modify this setting.
201 While you can force Nix to run a Darwin-specific `builder` executable on a Linux machine, the result would obviously be wrong.
203 This value is available in the Nix language as
204 [`builtins.currentSystem`](@docroot@/language/builtins.md#builtins-currentSystem)
206 [`eval-system`](#conf-eval-system)
207 configuration option is set as the empty string.
211 this, 0,
"max-silent-time",
213 This option defines the maximum number of seconds that a builder can
214 go without producing any data on standard output or standard error.
215 This is useful (for instance in an automated build system) to catch
216 builds that are stuck in an infinite loop, or to catch remote builds
217 that are hanging due to network problems. It can be overridden using
218 the `--max-silent-time` command line switch.
220 The value `0` means that there is no timeout. This is also the
223 {"build-max-silent-time"}};
225 Setting<time_t> buildTimeout{
228 This option defines the maximum number of seconds that a builder can
229 run. This is useful (for instance in an automated build system) to
230 catch builds that are stuck in an infinite loop but keep writing to
231 their standard output or standard error. It can be overridden using
232 the `--timeout` command line switch.
234 The value `0` means that there is no timeout. This is also the
239 Setting<Strings> buildHook{
this, {
"nix",
"__build-remote"},
"build-hook",
241 The path to the helper program that executes remote builds.
243 Nix communicates with the build hook over `stdio` using a custom protocol to request builds that cannot be performed directly by the Nix daemon.
244 The default value is the internal Nix binary that implements remote building.
248 > Change this setting only if you really know what you’re doing.
251 Setting<std::string> builders{
252 this,
"@" +
nixConfDir +
"/machines",
"builders",
254 A semicolon- or newline-separated list of build machines.
256 In addition to the [usual ways of setting configuration options](@docroot@/command-ref/conf-file.md), the value can be read from a file by prefixing its absolute path with `@`.
260 > This is the default setting:
263 > builders = @/etc/nix/machines
266 Each machine specification consists of the following elements, separated by spaces.
267 Only the first element is required.
268 To leave a field at its default, set it to `-`.
270 1. The URI of the remote store in the format `ssh://[username@]hostname`.
276 For backward compatibility, `ssh://` may be omitted.
277 The hostname may be an alias defined in `~/.ssh/config`.
279 2. A comma-separated list of [Nix system types](@docroot@/development/building.md#system-type).
280 If omitted, this defaults to the local platform type.
286 It is possible for a machine to support multiple platform types.
290 > `i686-linux,x86_64-linux`
292 3. The SSH identity file to be used to log in to the remote machine.
293 If omitted, SSH will use its regular identities.
297 > `/home/user/.ssh/id_mac`
299 4. The maximum number of builds that Nix will execute in parallel on the machine.
300 Typically this should be equal to the number of CPU cores.
302 5. The “speed factor”, indicating the relative speed of the machine as a positive integer.
303 If there are multiple machines of the right type, Nix will prefer the fastest, taking load into account.
305 6. A comma-separated list of supported [system features](#conf-system-features).
307 A machine will only be used to build a derivation if all the features in the derivation's [`requiredSystemFeatures`](@docroot@/language/advanced-attributes.html#adv-attr-requiredSystemFeatures) attribute are supported by that machine.
309 7. A comma-separated list of required [system features](#conf-system-features).
311 A machine will only be used to build a derivation if all of the machine’s required features appear in the derivation’s [`requiredSystemFeatures`](@docroot@/language/advanced-attributes.html#adv-attr-requiredSystemFeatures) attribute.
313 8. The (base64-encoded) public host key of the remote machine.
314 If omitted, SSH will use its regular `known_hosts` file.
316 The value for this field can be obtained via `base64 -w0`.
320 > Multiple builders specified on the command line:
323 > --builders 'ssh://mac x86_64-darwin ; ssh://beastie x86_64-freebsd'
328 > This specifies several machines that can perform `i686-linux` builds:
331 > nix@scratchy.labs.cs.uu.nl i686-linux /home/nix/.ssh/id_scratchy 8 1 kvm
332 > nix@itchy.labs.cs.uu.nl i686-linux /home/nix/.ssh/id_scratchy 8 2
333 > nix@poochie.labs.cs.uu.nl i686-linux /home/nix/.ssh/id_scratchy 1 2 kvm benchmark
336 > However, `poochie` will only build derivations that have the attribute
339 > requiredSystemFeatures = [ "benchmark" ];
345 > requiredSystemFeatures = [ "benchmark" "kvm" ];
348 > `itchy` cannot do builds that require `kvm`, but `scratchy` does support such builds.
349 > For regular builds, `itchy` will be preferred over `scratchy` because it has a higher speed factor.
351 For Nix to use substituters, the calling user must be in the [`trusted-users`](#conf-trusted-users) list.
355 > A build machine must be accessible via SSH and have Nix installed.
356 > `nix` must be available in `$PATH` for the user connecting over SSH.
360 > If you are building via the Nix daemon (default), the Nix daemon user account on the local machine (that is, `root`) requires access to a user account on the remote machine (not necessarily `root`).
362 > If you can’t or don’t want to configure `root` to be able to access the remote machine, set [`store`](#conf-store) to any [local store](@docroot@/store/types/local-store.html), e.g. by passing `--store /tmp` to the command on the local machine.
364 To build only on remote machines and disable local builds, set [`max-jobs`](#conf-max-jobs) to 0.
366 If you want the remote machines to use substituters, set [`builders-use-substitutes`](#conf-builders-use-substituters) to `true`.
370 Setting<bool> alwaysAllowSubstitutes{
371 this,
false,
"always-allow-substitutes",
373 If set to `true`, Nix will ignore the [`allowSubstitutes`](@docroot@/language/advanced-attributes.md) attribute in derivations and always attempt to use [available substituters](#conf-substituters).
376 Setting<bool> buildersUseSubstitutes{
377 this,
false,
"builders-use-substitutes",
379 If set to `true`, Nix will instruct [remote build machines](#conf-builders) to use their own [`substituters`](#conf-substituters) if available.
381 It means that remote build hosts will fetch as many dependencies as possible from their own substituters (e.g, from `cache.nixos.org`) instead of waiting for the local machine to upload them all.
382 This can drastically reduce build times if the network connection between the local machine and the remote build host is slow.
385 Setting<off_t> reservedSize{this, 8 * 1024 * 1024,
"gc-reserved-space",
386 "Amount of reserved disk space for the garbage collector."};
388 Setting<bool> fsyncMetadata{
389 this,
true,
"fsync-metadata",
391 If set to `true`, changes to the Nix store metadata (in
392 `/nix/var/nix/db`) are synchronously flushed to disk. This improves
393 robustness in case of system crashes, but reduces performance. The
397 Setting<bool> fsyncStorePaths{this,
false,
"fsync-store-paths",
399 Whether to call `fsync()` on store paths before registering them, to
400 flush them to disk. This improves robustness in case of system crashes,
401 but reduces performance. The default is `false`.
404 Setting<bool> useSQLiteWAL{this, !isWSL1(),
"use-sqlite-wal",
405 "Whether SQLite should use WAL mode."};
409 Setting<bool> syncBeforeRegistering{
this,
false,
"sync-before-registering",
410 "Whether to call `sync()` before registering a path as valid."};
413 Setting<bool> useSubstitutes{
414 this,
true,
"substitute",
416 If set to `true` (default), Nix will use binary substitutes if
417 available. This option can be disabled to force building from
420 {"build-use-substitutes"}};
422 Setting<std::string> buildUsersGroup{
423 this,
"",
"build-users-group",
425 This options specifies the Unix group containing the Nix build user
426 accounts. In multi-user Nix installations, builds should not be
427 performed by the Nix account since that would allow users to
428 arbitrarily modify the Nix store and database by supplying specially
429 crafted builders; and they cannot be performed by the calling user
430 since that would allow him/her to influence the build result.
432 Therefore, if this option is non-empty and specifies a valid group,
433 builds will be performed under the user accounts that are a member
434 of the group specified here (as listed in `/etc/group`). Those user
435 accounts should not be used for any other purpose\!
437 Nix will never run two builds under the same user account at the
438 same time. This is to prevent an obvious security hole: a malicious
439 user writing a Nix expression that modifies the build result of a
440 legitimate Nix expression being built by another user. Therefore it
441 is good to have as many Nix build user accounts as you can spare.
442 (Remember: uids are cheap.)
444 The build users should have permission to create files in the Nix
445 store, but not delete them. Therefore, `/nix/store` should be owned
446 by the Nix account, its group should be the group specified here,
447 and its mode should be `1775`.
449 If the build users group is empty, builds will be performed under
450 the uid of the Nix process (that is, the uid of the caller if
451 `NIX_REMOTE` is empty, the uid under which the Nix daemon runs if
452 `NIX_REMOTE` is `daemon`). Obviously, this should not be used
453 with a nix daemon accessible to untrusted clients.
455 Defaults to `nixbld` when running as root, *empty* otherwise.
459 Setting<bool> autoAllocateUids{
this,
false,
"auto-allocate-uids",
461 Whether to select UIDs for builds automatically, instead of using the
462 users in `build-users-group`.
464 UIDs are allocated starting at 872415232 (0x34000000) on Linux and 56930 on macOS.
465 )", {}, true, Xp::AutoAllocateUids};
467 Setting<uint32_t> startId{
this,
474 "The first UID and GID to use for dynamic ID allocation."};
476 Setting<uint32_t> uidCount{
this,
478 maxIdsPerBuild * 128,
483 "The number of UIDs/GIDs to use for dynamic ID allocation."};
486 Setting<bool> useCgroups{
487 this,
false,
"use-cgroups",
489 Whether to execute builds inside cgroups.
490 This is only supported on Linux.
492 Cgroups are required and enabled automatically for derivations
493 that require the `uid-range` system feature.
497 Setting<bool> impersonateLinux26{
this,
false,
"impersonate-linux-26",
498 "Whether to impersonate a Linux 2.6 machine on newer kernels.",
499 {
"build-impersonate-linux-26"}};
501 Setting<bool> keepLog{
502 this,
true,
"keep-build-log",
504 If set to `true` (the default), Nix will write the build log of a
505 derivation (i.e. the standard output and error of its builder) to
506 the directory `/nix/var/log/nix/drvs`. The build log can be
507 retrieved using the command `nix-store -l path`.
511 Setting<bool> compressLog{
512 this,
true,
"compress-build-log",
514 If set to `true` (the default), build logs written to
515 `/nix/var/log/nix/drvs` will be compressed on the fly using bzip2.
516 Otherwise, they will not be compressed.
518 {"build-compress-log"}};
520 Setting<unsigned long> maxLogSize{
521 this, 0,
"max-build-log-size",
523 This option defines the maximum number of bytes that a builder can
524 write to its stdout/stderr. If the builder exceeds this limit, it’s
525 killed. A value of `0` (the default) means that there is no limit.
527 {"build-max-log-size"}};
529 Setting<unsigned int> pollInterval{
this, 5,
"build-poll-interval",
530 "How often (in seconds) to poll for locks."};
532 Setting<bool> gcKeepOutputs{
533 this,
false,
"keep-outputs",
535 If `true`, the garbage collector will keep the outputs of
536 non-garbage derivations. If `false` (default), outputs will be
537 deleted unless they are GC roots themselves (or reachable from other
540 In general, outputs must be registered as roots separately. However,
541 even if the output of a derivation is registered as a root, the
542 collector will still delete store paths that are used only at build
543 time (e.g., the C compiler, or source tarballs downloaded from the
544 network). To prevent it from doing so, set this option to `true`.
546 {"gc-keep-outputs"}};
548 Setting<bool> gcKeepDerivations{
549 this,
true,
"keep-derivations",
551 If `true` (default), the garbage collector will keep the derivations
552 from which non-garbage store paths were built. If `false`, they will
553 be deleted unless explicitly registered as a root (or reachable from
556 Keeping derivation around is useful for querying and traceability
557 (e.g., it allows you to ask with what dependencies or options a
558 store path was built), so by default this option is on. Turn it off
559 to save a bit of disk space (or a lot if `keep-outputs` is also
562 {"gc-keep-derivations"}};
564 Setting<bool> autoOptimiseStore{
565 this,
false,
"auto-optimise-store",
567 If set to `true`, Nix automatically detects files in the store
568 that have identical contents, and replaces them with hard links to
569 a single copy. This saves disk space. If set to `false` (the
570 default), you can still run `nix-store --optimise` to get rid of
574 Setting<bool> envKeepDerivations{
575 this,
false,
"keep-env-derivations",
577 If `false` (default), derivations are not stored in Nix user
578 environments. That is, the derivations of any build-time-only
579 dependencies may be garbage-collected.
581 If `true`, when you add a Nix derivation to a user environment, the
582 path of the derivation is stored in the user environment. Thus, the
583 derivation will not be garbage-collected until the user environment
584 generation is deleted (`nix-env --delete-generations`). To prevent
585 build-time-only dependencies from being collected, you should also
586 turn on `keep-outputs`.
588 The difference between this option and `keep-derivations` is that
589 this one is “sticky”: it applies to any user environment created
590 while this option was enabled, while `keep-derivations` only applies
591 at the moment the garbage collector is run.
593 {"env-keep-derivations"}};
595 Setting<SandboxMode> sandboxMode{
604 If set to `true`, builds will be performed in a *sandboxed
605 environment*, i.e., they’re isolated from the normal file system
606 hierarchy and will only see their dependencies in the Nix store,
607 the temporary build directory, private versions of `/proc`,
608 `/dev`, `/dev/shm` and `/dev/pts` (on Linux), and the paths
609 configured with the `sandbox-paths` option. This is useful to
610 prevent undeclared dependencies on files in directories such as
611 `/usr/bin`. In addition, on Linux, builds run in private PID,
612 mount, network, IPC and UTS namespaces to isolate them from other
613 processes in the system (except that fixed-output derivations do
614 not run in private network namespace to ensure they can access the
617 Currently, sandboxing only work on Linux and macOS. The use of a
618 sandbox requires that Nix is run as root (so you should use the
619 “build users” feature to perform the actual builds under different
622 If this option is set to `relaxed`, then fixed-output derivations
623 and derivations that have the `__noChroot` attribute set to `true`
624 do not run in sandboxes.
626 The default is `true` on Linux and `false` on all other platforms.
628 {"build-use-chroot",
"build-use-sandbox"}};
630 Setting<PathSet> sandboxPaths{
631 this, {},
"sandbox-paths",
633 A list of paths bind-mounted into Nix sandbox environments. You can
634 use the syntax `target=source` to mount a path in a different
635 location in the sandbox; for instance, `/bin=/nix-bin` will mount
636 the path `/nix-bin` as `/bin` inside the sandbox. If *source* is
637 followed by `?`, then it is not an error if *source* does not exist;
638 for example, `/dev/nvidiactl?` specifies that `/dev/nvidiactl` will
639 only be mounted in the sandbox if it exists in the host filesystem.
641 If the source is in the Nix store, then its closure will be added to
644 Depending on how Nix was built, the default value for this option
645 may be empty or provide `/bin/sh` as a bind-mount of `bash`.
647 {"build-chroot-dirs",
"build-sandbox-paths"}};
649 Setting<bool> sandboxFallback{
this,
true,
"sandbox-fallback",
650 "Whether to disable sandboxing when the kernel doesn't allow it."};
653 Setting<bool> requireDropSupplementaryGroups{
this,
isRootUser(),
"require-drop-supplementary-groups",
655 Following the principle of least privilege,
656 Nix will attempt to drop supplementary groups when building with sandboxing.
658 However this can fail under some circumstances.
659 For example, if the user lacks the `CAP_SETGID` capability.
660 Search `setgroups(2)` for `EPERM` to find more detailed information on this.
662 If you encounter such a failure, setting this option to `false` will let you ignore it and continue.
663 But before doing so, you should consider the security implications carefully.
664 Not dropping supplementary groups means the build sandbox will be less restricted than intended.
666 This option defaults to `true` when the user is root
667 (since `root` usually has permissions to call setgroups)
668 and `false` otherwise.
673 Setting<std::string> sandboxShmSize{
674 this,
"50%",
"sandbox-dev-shm-size",
678 This option determines the maximum size of the `tmpfs` filesystem
679 mounted on `/dev/shm` in Linux sandboxes. For the format, see the
680 description of the `size` option of `tmpfs` in mount(8). The default
684 Setting<Path> sandboxBuildDir{this,
"/build",
"sandbox-build-dir",
688 The build directory inside the sandbox.
690 This directory is backed by [`build-dir`](#conf-build-dir) on the host.
694 Setting<std::optional<Path>> buildDir{
this, std::nullopt,
"build-dir",
696 The directory on the host, in which derivations' temporary build directories are created.
698 If not set, Nix will use the system temporary directory indicated by the `TMPDIR` environment variable.
699 Note that builds are often performed by the Nix daemon, so its `TMPDIR` is used, and not that of the Nix command line interface.
701 This is also the location where [`--keep-failed`](@docroot@/command-ref/opt-common.md#opt-keep-failed) leaves its files.
703 If Nix runs without sandbox, or if the platform does not support sandboxing with bind mounts (e.g. macOS), then the [`builder`](@docroot@/language/derivations.md#attr-builder)'s environment will contain this directory, instead of the virtual location [`sandbox-build-dir`](#conf-sandbox-build-dir).
706 Setting<PathSet> allowedImpureHostPrefixes{this, {},
"allowed-impure-host-deps",
707 "Which prefixes to allow derivations to ask for access to (primarily for Darwin)."};
710 Setting<bool> darwinLogSandboxViolations{
this,
false,
"darwin-log-sandbox-violations",
711 "Whether to log Darwin sandbox access violations to the system log."};
714 Setting<bool> runDiffHook{
715 this,
false,
"run-diff-hook",
717 If true, enable the execution of the `diff-hook` program.
719 When using the Nix daemon, `run-diff-hook` must be set in the
720 `nix.conf` configuration file, and cannot be passed at the command
725 this, std::nullopt,
"diff-hook",
727 Absolute path to an executable capable of diffing build
728 results. The hook is executed if `run-diff-hook` is true, and the
729 output of a build is known to not be the same. This program is not
730 executed to determine if two results are the same.
732 The diff hook is executed by the same user and group who ran the
733 build. However, the diff hook does not have write access to the
734 store path just built.
736 The diff hook program receives three parameters:
738 1. A path to the previous build's results
740 2. A path to the current build's results
742 3. The path to the build's derivation
744 4. The path to the build's scratch directory. This directory will
745 exist only if the build was run with `--keep-failed`.
747 The stderr and stdout output from the diff hook will not be
748 displayed to the user. Instead, it will print to the nix-daemon's
751 When using the Nix daemon, `diff-hook` must be set in the `nix.conf`
752 configuration file, and cannot be passed at the command line.
755 Setting<Strings> trustedPublicKeys{
757 {
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},
758 "trusted-public-keys",
760 A whitespace-separated list of public keys.
762 At least one of the following condition must be met
763 for Nix to accept copying a store object from another
764 Nix store (such as a [substituter](#conf-substituters)):
766 - the store object has been signed using a key in the trusted keys list
767 - the [`require-sigs`](#conf-require-sigs) option has been set to `false`
768 - the store URL is configured with `trusted=true`
769 - the store object is [content-addressed](@docroot@/glossary.md#gloss-content-addressed-store-object)
771 {"binary-cache-public-keys"}};
773 Setting<Strings> secretKeyFiles{
774 this, {},
"secret-key-files",
776 A whitespace-separated list of files containing secret (private)
777 keys. These are used to sign locally-built paths. They can be
778 generated using `nix-store --generate-binary-cache-key`. The
779 corresponding public key can be distributed to other users, who
780 can add it to `trusted-public-keys` in their `nix.conf`.
783 Setting<unsigned int> tarballTtl{
784 this, 60 * 60,
"tarball-ttl",
786 The number of seconds a downloaded tarball is considered fresh. If
787 the cached tarball is stale, Nix will check whether it is still up
788 to date using the ETag header. Nix will download a new version if
789 the ETag header is unsupported, or the cached ETag doesn't match.
791 Setting the TTL to `0` forces Nix to always check if the tarball is
794 Nix caches tarballs in `$XDG_CACHE_HOME/nix/tarballs`.
796 Files fetched via `NIX_PATH`, `fetchGit`, `fetchMercurial`,
797 `fetchTarball`, and `fetchurl` respect this TTL.
800 Setting<bool> requireSigs{
801 this,
true,
"require-sigs",
803 If set to `true` (the default), any non-content-addressed path added
804 or copied to the Nix store (e.g. when substituting from a binary
805 cache) must have a signature by a trusted key. A trusted key is one
806 listed in `trusted-public-keys`, or a public key counterpart to a
807 private key stored in a file listed in `secret-key-files`.
809 Set to `false` to disable signature checking and trust all
810 non-content-addressed paths unconditionally.
812 (Content-addressed paths are inherently trustworthy and thus
813 unaffected by this configuration option.)
816 Setting<StringSet> extraPlatforms{
818 getDefaultExtraPlatforms(),
821 System types of executables that can be run on this machine.
823 Nix will only build a given [derivation](@docroot@/language/derivations.md) locally when its `system` attribute equals any of the values specified here or in the [`system` option](#conf-system).
825 Setting this can be useful to build derivations locally on compatible machines:
826 - `i686-linux` executables can be run on `x86_64-linux` machines (set by default)
827 - `x86_64-darwin` executables can be run on macOS `aarch64-darwin` with Rosetta 2 (set by default where applicable)
828 - `armv6` and `armv5tel` executables can be run on `armv7`
829 - some `aarch64` machines can also natively run 32-bit ARM code
830 - `qemu-user` may be used to support non-native platforms (though this
831 may be slow and buggy)
833 Build systems will usually detect the target platform to be the current physical system and therefore produce machine code incompatible with what may be intended in the derivation.
834 You should design your derivation's `builder` accordingly and cross-check the results when using this option against natively-built versions of your derivation.
840 Setting<StringSet> systemFeatures{
842 getDefaultSystemFeatures(),
845 A set of system “features” supported by this machine.
847 This complements the [`system`](#conf-system) and [`extra-platforms`](#conf-extra-platforms) configuration options and the corresponding [`system`](@docroot@/language/derivations.md#attr-system) attribute on derivations.
849 A derivation can require system features in the [`requiredSystemFeatures` attribute](@docroot@/language/advanced-attributes.md#adv-attr-requiredSystemFeatures), and the machine to build the derivation must have them.
851 System features are user-defined, but Nix sets the following defaults:
855 Included on Darwin if virtualization is available.
859 Included on Linux if `/dev/kvm` is accessible.
861 - `nixos-test`, `benchmark`, `big-parallel`
863 These historical pseudo-features are always enabled for backwards compatibility, as they are used in Nixpkgs to route Hydra builds to specific machines.
867 Included by default if the [`ca-derivations` experimental feature](@docroot@/development/experimental-features.md#xp-feature-ca-derivations) is enabled.
869 This system feature is implicitly required by derivations with the [`__contentAddressed` attribute](@docroot@/language/advanced-attributes.md#adv-attr-__contentAddressed).
873 Included by default if the [`recursive-nix` experimental feature](@docroot@/development/experimental-features.md#xp-feature-recursive-nix) is enabled.
877 On Linux, Nix can run builds in a user namespace where they run as root (UID 0) and have 65,536 UIDs available.
878 This is primarily useful for running containers such as `systemd-nspawn` inside a Nix build. For an example, see [`tests/systemd-nspawn/nix`][nspawn].
880 [nspawn]: https://github.com/NixOS/nix/blob/67bcb99700a0da1395fa063d7c6586740b304598/tests/systemd-nspawn.nix.
882 Included by default on Linux if the [`auto-allocate-uids`](#conf-auto-allocate-uids) setting is enabled.
888 Setting<Strings> substituters{
890 Strings{
"https://cache.nixos.org/"},
893 A list of [URLs of Nix stores](@docroot@/store/types/index.md#store-url-format) to be used as substituters, separated by whitespace.
894 A substituter is an additional [store](@docroot@/glossary.md#gloss-store) from which Nix can obtain [store objects](@docroot@/store/store-object.md) instead of building them.
896 Substituters are tried based on their priority value, which each substituter can set independently.
897 Lower value means higher priority.
898 The default is `https://cache.nixos.org`, which has a priority of 40.
900 At least one of the following conditions must be met for Nix to use a substituter:
902 - The substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list
903 - The user calling Nix is in the [`trusted-users`](#conf-trusted-users) list
905 In addition, each store path should be trusted as described in [`trusted-public-keys`](#conf-trusted-public-keys)
909 Setting<StringSet> trustedSubstituters{
910 this, {},
"trusted-substituters",
912 A list of [Nix store URLs](@docroot@/store/types/index.md#store-url-format), separated by whitespace.
913 These are not used by default, but users of the Nix daemon can enable them by specifying [`substituters`](#conf-substituters).
915 Unprivileged users (those set in only [`allowed-users`](#conf-allowed-users) but not [`trusted-users`](#conf-trusted-users)) can pass as `substituters` only those URLs listed in `trusted-substituters`.
917 {"trusted-binary-caches"}};
919 Setting<unsigned int> ttlNegativeNarInfoCache{
920 this, 3600,
"narinfo-cache-negative-ttl",
922 The TTL in seconds for negative lookups.
923 If a store path is queried from a [substituter](#conf-substituters) but was not found, there will be a negative lookup cached in the local disk cache database for the specified duration.
925 Set to `0` to force updating the lookup cache.
927 To wipe the lookup cache completely:
930 $ rm $HOME/.cache/nix/binary-cache-v*.sqlite*
931 # rm /root/.cache/nix/binary-cache-v*.sqlite*
935 Setting<unsigned int> ttlPositiveNarInfoCache{
936 this, 30 * 24 * 3600,
"narinfo-cache-positive-ttl",
938 The TTL in seconds for positive lookups. If a store path is queried
939 from a substituter, the result of the query will be cached in the
940 local disk cache database including some of the NAR metadata. The
941 default TTL is a month, setting a shorter TTL for positive lookups
942 can be useful for binary caches that have frequent garbage
943 collection, in which case having a more frequent cache invalidation
944 would prevent trying to pull the path again and failing with a hash
945 mismatch if the build isn't reproducible.
948 Setting<bool> printMissing{this,
true,
"print-missing",
949 "Whether to print what paths need to be built or downloaded."};
951 Setting<std::string> preBuildHook{
952 this,
"",
"pre-build-hook",
954 If set, the path to a program that can set extra derivation-specific
955 settings for this system. This is used for settings that can't be
956 captured by the derivation model itself and are too variable between
957 different versions of the same system to be hard-coded into nix.
959 The hook is passed the derivation path and, if sandboxes are
960 enabled, the sandbox directory. It can then modify the sandbox and
961 send a series of commands to modify various settings to stdout. The
962 currently recognized commands are:
964 - `extra-sandbox-paths`\
965 Pass a list of files and directories to be included in the
966 sandbox for this build. One entry per line, terminated by an
967 empty line. Entries have the same format as `sandbox-paths`.
970 Setting<std::string> postBuildHook{
971 this,
"",
"post-build-hook",
973 Optional. The path to a program to execute after each build.
975 This option is only settable in the global `nix.conf`, or on the
976 command line by trusted users.
978 When using the nix-daemon, the daemon executes the hook as `root`.
979 If the nix-daemon is not involved, the hook runs as the user
980 executing the nix-build.
982 - The hook executes after an evaluation-time build.
984 - The hook does not execute on substituted paths.
986 - The hook's output always goes to the user's terminal.
988 - If the hook fails, the build succeeds but no further builds
991 - The hook executes synchronously, and blocks other builds from
992 progressing while it runs.
994 The program executes with no arguments. The program's environment
995 contains the following environment variables:
998 The derivation for the built paths.
1001 `/nix/store/5nihn1a7pa8b25l9zafqaqibznlvvp3f-bash-4.4-p23.drv`
1004 Output paths of the built derivation, separated by a space
1008 `/nix/store/zf5lbh336mnzf1nlswdn11g4n2m8zh3g-bash-4.4-p23-dev
1009 /nix/store/rjxwxwv1fpn9wa2x5ssk5phzwlcv4mna-bash-4.4-p23-doc
1010 /nix/store/6bqvbzjkcp9695dq0dpl5y43nvy37pq1-bash-4.4-p23-info
1011 /nix/store/r7fng3kk3vlpdlh2idnrbn37vh4imlj2-bash-4.4-p23-man
1012 /nix/store/xfghy8ixrhz3kyy6p724iv3cxji088dx-bash-4.4-p23`.
1015 Setting<unsigned int> downloadSpeed {
1016 this, 0,
"download-speed",
1018 Specify the maximum transfer rate in kilobytes per second you want
1019 Nix to use for downloads.
1022 Setting<std::string> netrcFile{
1025 If set to an absolute path to a `netrc` file, Nix will use the HTTP
1026 authentication credentials in this file when trying to download from
1027 a remote host through HTTP or HTTPS. Defaults to
1028 `$NIX_CONF_DIR/netrc`.
1030 The `netrc` file consists of a list of accounts in the following
1035 password my-password
1037 For the exact syntax, see [the `curl`
1038 documentation](https://ec.haxx.se/usingcurl-netrc.html).
1042 > This must be an absolute path, and `~` is not resolved. For
1043 > example, `~/.netrc` won't resolve to your home directory's
1047 Setting<Path> caFile{
1048 this, getDefaultSSLCertFile(),
"ssl-cert-file",
1050 The path of a file containing CA certificates used to
1051 authenticate `https://` downloads. Nix by default will use
1052 the first of the following files that exists:
1054 1. `/etc/ssl/certs/ca-certificates.crt`
1055 2. `/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt`
1057 The path can be overridden by the following environment
1058 variables, in order of precedence:
1060 1. `NIX_SSL_CERT_FILE`
1065 Setting<bool> filterSyscalls{
1066 this,
true,
"filter-syscalls",
1068 Whether to prevent certain dangerous system calls, such as
1069 creation of setuid/setgid files or adding ACLs or extended
1070 attributes. Only disable this if you're aware of the
1071 security implications.
1074 Setting<bool> allowNewPrivileges{
1075 this,
false,
"allow-new-privileges",
1077 (Linux-specific.) By default, builders on Linux cannot acquire new
1078 privileges by calling setuid/setgid programs or programs that have
1079 file capabilities. For example, programs such as `sudo` or `ping`
1080 will fail. (Note that in sandbox builds, no such programs are
1081 available unless you bind-mount them into the sandbox via the
1082 `sandbox-paths` option.) You can allow the use of such programs by
1083 enabling this option. This is impure and usually undesirable, but
1084 may be useful in certain scenarios (e.g. to spin up containers or
1085 set up userspace network interfaces in tests).
1090 Setting<StringSet> ignoredAcls{
1091 this, {
"security.selinux",
"system.nfs4_acl",
"security.csm"},
"ignored-acls",
1093 A list of ACLs that should be ignored, normally Nix attempts to
1094 remove all ACLs from files and directories in the Nix store, but
1095 some ACLs like `security.selinux` or `system.nfs4_acl` can't be
1096 removed even by root. Therefore it's best to just ignore them.
1100 Setting<Strings> hashedMirrors{
1101 this, {},
"hashed-mirrors",
1103 A list of web servers used by `builtins.fetchurl` to obtain files by
1104 hash. Given a hash algorithm *ha* and a base-16 hash *h*, Nix will try to
1105 download the file from *hashed-mirror*/*ha*/*h*. This allows files to
1106 be downloaded even if they have disappeared from their original URI.
1107 For example, given an example mirror `http://tarballs.nixos.org/`,
1108 when building the derivation
1112 url = "https://example.org/foo-1.2.3.tar.xz";
1113 sha256 = "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae";
1117 Nix will attempt to download this file from
1118 `http://tarballs.nixos.org/sha256/2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae`
1119 first. If it is not available there, if will try the original URI.
1122 Setting<uint64_t> minFree{
1123 this, 0,
"min-free",
1125 When free disk space in `/nix/store` drops below `min-free` during a
1126 build, Nix performs a garbage-collection until `max-free` bytes are
1127 available or there is no more garbage. A value of `0` (the default)
1128 disables this feature.
1131 Setting<uint64_t> maxFree{
1135 this, std::numeric_limits<int64_t>::max(),
"max-free",
1137 When a garbage collection is triggered by the `min-free` option, it
1138 stops as soon as `max-free` bytes are available. The default is
1139 infinity (i.e. delete all garbage).
1142 Setting<uint64_t> minFreeCheckInterval{this, 5,
"min-free-check-interval",
1143 "Number of seconds between checking free disk space."};
1145 Setting<size_t> narBufferSize{
this, 32 * 1024 * 1024,
"nar-buffer-size",
1146 "Maximum size of NARs before spilling them to disk."};
1148 Setting<bool> allowSymlinkedStore{
1149 this,
false,
"allow-symlinked-store",
1151 If set to `true`, Nix will stop complaining if the store directory
1152 (typically /nix/store) contains symlink components.
1154 This risks making some builds "impure" because builders sometimes
1155 "canonicalise" paths by resolving all symlink components. Problems
1156 occur if those builds are then deployed to machines where /nix/store
1157 resolves to a different location from that of the build machine. You
1158 can enable this setting if you are sure you're not going to do that.
1161 Setting<bool> useXDGBaseDirectories{
1162 this,
false,
"use-xdg-base-directories",
1164 If set to `true`, Nix will conform to the [XDG Base Directory Specification] for files in `$HOME`.
1165 The environment variables used to implement this are documented in the [Environment Variables section](@docroot@/command-ref/env-common.md).
1167 [XDG Base Directory Specification]: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
1170 > This changes the location of some well-known symlinks that Nix creates, which might break tools that rely on the old, non-XDG-conformant locations.
1172 In particular, the following locations change:
1175 |-------------------|--------------------------------|
1176 | `~/.nix-profile` | `$XDG_STATE_HOME/nix/profile` |
1177 | `~/.nix-defexpr` | `$XDG_STATE_HOME/nix/defexpr` |
1178 | `~/.nix-channels` | `$XDG_STATE_HOME/nix/channels` |
1180 If you already have Nix installed and are using [profiles](@docroot@/package-management/profiles.md) or [channels](@docroot@/command-ref/nix-channel.md), you should migrate manually when you enable this option.
1181 If `$XDG_STATE_HOME` is not set, use `$HOME/.local/state/nix` instead of `$XDG_STATE_HOME/nix`.
1182 This can be achieved with the following shell commands:
1185 nix_state_home=${XDG_STATE_HOME-$HOME/.local/state}/nix
1186 mkdir -p $nix_state_home
1187 mv $HOME/.nix-profile $nix_state_home/profile
1188 mv $HOME/.nix-defexpr $nix_state_home/defexpr
1189 mv $HOME/.nix-channels $nix_state_home/channels
1194 Setting<StringMap> impureEnv {this, {},
"impure-env",
1196 A list of items, each in the format of:
1198 - `name=value`: Set environment variable `name` to `value`.
1200 If the user is trusted (see `trusted-users` option), when building
1201 a fixed-output derivation, environment variables set in this option
1202 will be passed to the builder if they are listed in [`impureEnvVars`](@docroot@/language/advanced-attributes.md#adv-attr-impureEnvVars).
1204 This option is useful for, e.g., setting `https_proxy` for
1205 fixed-output derivations and in a multi-user Nix installation, or
1206 setting private access tokens when fetching a private repository.
1210 Xp::ConfigurableImpureEnv
1213 Setting<std::string> upgradeNixStorePathUrl{
1215 "https://github.com/NixOS/nixpkgs/raw/master/nixos/modules/installer/tools/nix-fallback-paths.nix",
1216 "upgrade-nix-store-path-url",
1218 Used by `nix upgrade-nix`, the URL of the file that contains the
1219 store paths of the latest Nix release.
1223 Setting<uint64_t> warnLargePathThreshold{
1226 "warn-large-path-threshold",
1228 Warn when copying a path larger than this number of bytes to the Nix store
1229 (as determined by its NAR serialisation).
1230 Default is 0, which disables the warning.
1231 Set it to 1 to warn on all paths.