Nix 2.26.3
Nix, the purely functional package manager; unstable internal interfaces
 
nix::Settings Class Reference
Inheritance diagram for nix::Settings:
nix::Config nix::AbstractConfig

Public Attributes

Path nixPrefix
 
Path nixStore
 
Path nixDataDir
 
Path nixLogDir
 
Path nixStateDir
 
Path nixConfDir
 
std::vector< Path > nixUserConfFiles
 
Path nixDaemonSocketFile
 
Setting< std::string > storeUri
 
Setting< bool > keepFailed
 
Setting< bool > keepGoing
 
Setting< bool > tryFallback
 
bool verboseBuild = true
 
Setting< size_t > logLines
 
MaxBuildJobsSetting maxBuildJobs
 
Setting< unsigned int > maxSubstitutionJobs
 
Setting< unsigned int > buildCores
 
bool readOnlyMode = false
 
Setting< std::string > thisSystem
 
Setting< time_t > maxSilentTime
 
Setting< time_t > buildTimeout
 
Setting< Strings > buildHook
 
Setting< std::string > builders
 
Setting< bool > alwaysAllowSubstitutes
 
Setting< bool > buildersUseSubstitutes
 
Setting< off_t > reservedSize
 
Setting< bool > fsyncMetadata
 
Setting< bool > fsyncStorePaths
 
Setting< bool > useSQLiteWAL
 
Setting< bool > syncBeforeRegistering
 
Setting< bool > useSubstitutes
 
Setting< std::string > buildUsersGroup
 
Setting< bool > autoAllocateUids
 
Setting< uint32_t > startId
 
Setting< uint32_t > uidCount
 
Setting< bool > impersonateLinux26
 
Setting< bool > keepLog
 
Setting< bool > compressLog
 
Setting< unsigned long > maxLogSize
 
Setting< unsigned int > pollInterval
 
Setting< bool > gcKeepOutputs
 
Setting< bool > gcKeepDerivations
 
Setting< bool > autoOptimiseStore
 
Setting< bool > envKeepDerivations
 
Setting< SandboxMode > sandboxMode
 
Setting< PathSet > sandboxPaths
 
Setting< bool > sandboxFallback
 
Setting< bool > requireDropSupplementaryGroups
 
Setting< std::optional< Path > > buildDir
 
Setting< PathSet > allowedImpureHostPrefixes
 
Setting< bool > runDiffHook
 
OptionalPathSetting diffHook
 
Setting< Strings > trustedPublicKeys
 
Setting< Strings > secretKeyFiles
 
Setting< unsigned int > tarballTtl
 
Setting< bool > requireSigs
 
Setting< StringSet > extraPlatforms
 
Setting< StringSet > systemFeatures
 
Setting< Strings > substituters
 
Setting< StringSet > trustedSubstituters
 
Setting< unsigned int > ttlNegativeNarInfoCache
 
Setting< unsigned int > ttlPositiveNarInfoCache
 
Setting< bool > printMissing
 
Setting< std::string > preBuildHook
 
Setting< std::string > postBuildHook
 
Setting< unsigned int > downloadSpeed
 
Setting< std::string > netrcFile
 
Setting< Path > caFile
 
Setting< Strings > hashedMirrors
 
Setting< uint64_t > minFree
 
Setting< uint64_t > maxFree
 
Setting< uint64_t > minFreeCheckInterval
 
Setting< size_t > narBufferSize
 
Setting< bool > allowSymlinkedStore
 
Setting< bool > useXDGBaseDirectories
 
Setting< StringMap > impureEnv
 
Setting< std::string > upgradeNixStorePathUrl
 
Setting< uint64_t > warnLargePathThreshold
 

Additional Inherited Members

- Public Types inherited from nix::Config
using Settings = std::map<std::string, SettingData>
 
- Public Member Functions inherited from nix::Config
 Config (StringMap initials={})
 
bool set (const std::string &name, const std::string &value) override
 
void addSetting (AbstractSetting *setting)
 
void getSettings (std::map< std::string, SettingInfo > &res, bool overriddenOnly=false) override
 
void resetOverridden () override
 
nlohmann::json toJSON () override
 
std::string toKeyValue () override
 
void convertToArgs (Args &args, const std::string &category) override
 
- Public Member Functions inherited from nix::AbstractConfig
void applyConfig (const std::string &contents, const std::string &path="<unknown>")
 
void warnUnknownSettings ()
 
void reapplyUnknownSettings ()
 
- Protected Member Functions inherited from nix::AbstractConfig
 AbstractConfig (StringMap initials={})
 
- Protected Attributes inherited from nix::AbstractConfig
StringMap unknownSettings
 

Member Data Documentation

◆ allowedImpureHostPrefixes

Setting<PathSet> nix::Settings::allowedImpureHostPrefixes
Initial value:
{this, {}, "allowed-impure-host-deps",
"Which prefixes to allow derivations to ask for access to (primarily for Darwin)."}

◆ allowSymlinkedStore

Setting<bool> nix::Settings::allowSymlinkedStore
Initial value:
{
this, false, "allow-symlinked-store",
R"(
If set to `true`, Nix will stop complaining if the store directory
(typically /nix/store) contains symlink components.
This risks making some builds "impure" because builders sometimes
"canonicalise" paths by resolving all symlink components. Problems
occur if those builds are then deployed to machines where /nix/store
resolves to a different location from that of the build machine. You
can enable this setting if you are sure you're not going to do that.
)"}

◆ alwaysAllowSubstitutes

Setting<bool> nix::Settings::alwaysAllowSubstitutes
Initial value:
{
this, false, "always-allow-substitutes",
R"(
If set to `true`, Nix will ignore the [`allowSubstitutes`](@docroot@/language/advanced-attributes.md) attribute in derivations and always attempt to use [available substituters](#conf-substituters).
)"}

◆ autoAllocateUids

Setting<bool> nix::Settings::autoAllocateUids
Initial value:
{this, false, "auto-allocate-uids",
R"(
Whether to select UIDs for builds automatically, instead of using the
users in `build-users-group`.
UIDs are allocated starting at 872415232 (0x34000000) on Linux and 56930 on macOS.
)", {}, true, Xp::AutoAllocateUids}

◆ autoOptimiseStore

Setting<bool> nix::Settings::autoOptimiseStore
Initial value:
{
this, false, "auto-optimise-store",
R"(
If set to `true`, Nix automatically detects files in the store
that have identical contents, and replaces them with hard links to
a single copy. This saves disk space. If set to `false` (the
default), you can still run `nix-store --optimise` to get rid of
duplicate files.
)"}

◆ buildCores

Setting<unsigned int> nix::Settings::buildCores
Initial value:
{
this,
getDefaultCores(),
"cores",
R"(
Sets the value of the `NIX_BUILD_CORES` environment variable in the [invocation of the `builder` executable](@docroot@/language/derivations.md#builder-execution) of a derivation.
The `builder` executable can use this variable to control its own maximum amount of parallelism.
<!--
FIXME(@fricklerhandwerk): I don't think this should even be mentioned here.
A very generic example using `derivation` and `xargs` may be more appropriate to explain the mechanism.
Using `mkDerivation` as an example requires being aware of that there are multiple independent layers that are completely opaque here.
-->
For instance, in Nixpkgs, if the attribute `enableParallelBuilding` for the `mkDerivation` build helper is set to `true`, it will pass the `-j${NIX_BUILD_CORES}` flag to GNU Make.
The value `0` means that the `builder` should use all available CPU cores in the system.
> **Note**
>
> The number of parallel local Nix build jobs is independently controlled with the [`max-jobs`](#conf-max-jobs) setting.
)",
{"build-cores"},
false}

◆ buildDir

Setting<std::optional<Path> > nix::Settings::buildDir
Initial value:
{this, std::nullopt, "build-dir",
R"(
The directory on the host, in which derivations' temporary build directories are created.
If not set, Nix will use the system temporary directory indicated by the `TMPDIR` environment variable.
Note that builds are often performed by the Nix daemon, so its `TMPDIR` is used, and not that of the Nix command line interface.
This is also the location where [`--keep-failed`](@docroot@/command-ref/opt-common.md#opt-keep-failed) leaves its files.
If Nix runs without sandbox, or if the platform does not support sandboxing with bind mounts (e.g. macOS), then the [`builder`](@docroot@/language/derivations.md#attr-builder)'s environment will contain this directory, instead of the virtual location [`sandbox-build-dir`](#conf-sandbox-build-dir).
)"}

◆ buildersUseSubstitutes

Setting<bool> nix::Settings::buildersUseSubstitutes
Initial value:
{
this, false, "builders-use-substitutes",
R"(
If set to `true`, Nix will instruct [remote build machines](#conf-builders) to use their own [`substituters`](#conf-substituters) if available.
It means that remote build hosts will fetch as many dependencies as possible from their own substituters (e.g, from `cache.nixos.org`) instead of waiting for the local machine to upload them all.
This can drastically reduce build times if the network connection between the local machine and the remote build host is slow.
)"}

◆ buildHook

Setting<Strings> nix::Settings::buildHook
Initial value:
{this, {"nix", "__build-remote"}, "build-hook",
R"(
The path to the helper program that executes remote builds.
Nix communicates with the build hook over `stdio` using a custom protocol to request builds that cannot be performed directly by the Nix daemon.
The default value is the internal Nix binary that implements remote building.
> **Important**
>
> Change this setting only if you really know what you’re doing.
)"}

◆ buildTimeout

Setting<time_t> nix::Settings::buildTimeout
Initial value:
{
this, 0, "timeout",
R"(
This option defines the maximum number of seconds that a builder can
run. This is useful (for instance in an automated build system) to
catch builds that are stuck in an infinite loop but keep writing to
their standard output or standard error. It can be overridden using
the `--timeout` command line switch.
The value `0` means that there is no timeout. This is also the
default.
)",
{"build-timeout"}}

◆ caFile

Setting<Path> nix::Settings::caFile
Initial value:
{
this, getDefaultSSLCertFile(), "ssl-cert-file",
R"(
The path of a file containing CA certificates used to
authenticate `https://` downloads. Nix by default will use
the first of the following files that exists:
1. `/etc/ssl/certs/ca-certificates.crt`
2. `/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt`
The path can be overridden by the following environment
variables, in order of precedence:
1. `NIX_SSL_CERT_FILE`
2. `SSL_CERT_FILE`
)"}

◆ compressLog

Setting<bool> nix::Settings::compressLog
Initial value:
{
this, true, "compress-build-log",
R"(
If set to `true` (the default), build logs written to
`/nix/var/log/nix/drvs` will be compressed on the fly using bzip2.
Otherwise, they will not be compressed.
)",
{"build-compress-log"}}

◆ diffHook

OptionalPathSetting nix::Settings::diffHook
Initial value:
{
this, std::nullopt, "diff-hook",
R"(
Absolute path to an executable capable of diffing build
results. The hook is executed if `run-diff-hook` is true, and the
output of a build is known to not be the same. This program is not
executed to determine if two results are the same.
The diff hook is executed by the same user and group who ran the
build. However, the diff hook does not have write access to the
store path just built.
The diff hook program receives three parameters:
1. A path to the previous build's results
2. A path to the current build's results
3. The path to the build's derivation
4. The path to the build's scratch directory. This directory will
exist only if the build was run with `--keep-failed`.
The stderr and stdout output from the diff hook will not be
displayed to the user. Instead, it will print to the nix-daemon's
log.
When using the Nix daemon, `diff-hook` must be set in the `nix.conf`
configuration file, and cannot be passed at the command line.
)"}

◆ downloadSpeed

Setting<unsigned int> nix::Settings::downloadSpeed
Initial value:
{
this, 0, "download-speed",
R"(
Specify the maximum transfer rate in kilobytes per second you want
Nix to use for downloads.
)"}

◆ envKeepDerivations

Setting<bool> nix::Settings::envKeepDerivations
Initial value:
{
this, false, "keep-env-derivations",
R"(
If `false` (default), derivations are not stored in Nix user
environments. That is, the derivations of any build-time-only
dependencies may be garbage-collected.
If `true`, when you add a Nix derivation to a user environment, the
path of the derivation is stored in the user environment. Thus, the
derivation will not be garbage-collected until the user environment
generation is deleted (`nix-env --delete-generations`). To prevent
build-time-only dependencies from being collected, you should also
turn on `keep-outputs`.
The difference between this option and `keep-derivations` is that
this one is “sticky”: it applies to any user environment created
while this option was enabled, while `keep-derivations` only applies
at the moment the garbage collector is run.
)",
{"env-keep-derivations"}}

◆ extraPlatforms

Setting<StringSet> nix::Settings::extraPlatforms
Initial value:
{
this,
getDefaultExtraPlatforms(),
"extra-platforms",
R"(
System types of executables that can be run on this machine.
Nix will only build a given [derivation](@docroot@/language/derivations.md) locally when its `system` attribute equals any of the values specified here or in the [`system` option](#conf-system).
Setting this can be useful to build derivations locally on compatible machines:
- `i686-linux` executables can be run on `x86_64-linux` machines (set by default)
- `x86_64-darwin` executables can be run on macOS `aarch64-darwin` with Rosetta 2 (set by default where applicable)
- `armv6` and `armv5tel` executables can be run on `armv7`
- some `aarch64` machines can also natively run 32-bit ARM code
- `qemu-user` may be used to support non-native platforms (though this
may be slow and buggy)
Build systems will usually detect the target platform to be the current physical system and therefore produce machine code incompatible with what may be intended in the derivation.
You should design your derivation's `builder` accordingly and cross-check the results when using this option against natively-built versions of your derivation.
)",
{},
false}

◆ fsyncMetadata

Setting<bool> nix::Settings::fsyncMetadata
Initial value:
{
this, true, "fsync-metadata",
R"(
If set to `true`, changes to the Nix store metadata (in
`/nix/var/nix/db`) are synchronously flushed to disk. This improves
robustness in case of system crashes, but reduces performance. The
default is `true`.
)"}

◆ fsyncStorePaths

Setting<bool> nix::Settings::fsyncStorePaths
Initial value:
{this, false, "fsync-store-paths",
R"(
Whether to call `fsync()` on store paths before registering them, to
flush them to disk. This improves robustness in case of system crashes,
but reduces performance. The default is `false`.
)"}

◆ gcKeepDerivations

Setting<bool> nix::Settings::gcKeepDerivations
Initial value:
{
this, true, "keep-derivations",
R"(
If `true` (default), the garbage collector will keep the derivations
from which non-garbage store paths were built. If `false`, they will
be deleted unless explicitly registered as a root (or reachable from
other roots).
Keeping derivation around is useful for querying and traceability
(e.g., it allows you to ask with what dependencies or options a
store path was built), so by default this option is on. Turn it off
to save a bit of disk space (or a lot if `keep-outputs` is also
turned on).
)",
{"gc-keep-derivations"}}

◆ gcKeepOutputs

Setting<bool> nix::Settings::gcKeepOutputs
Initial value:
{
this, false, "keep-outputs",
R"(
If `true`, the garbage collector will keep the outputs of
non-garbage derivations. If `false` (default), outputs will be
deleted unless they are GC roots themselves (or reachable from other
roots).
In general, outputs must be registered as roots separately. However,
even if the output of a derivation is registered as a root, the
collector will still delete store paths that are used only at build
time (e.g., the C compiler, or source tarballs downloaded from the
network). To prevent it from doing so, set this option to `true`.
)",
{"gc-keep-outputs"}}

◆ hashedMirrors

Setting<Strings> nix::Settings::hashedMirrors
Initial value:
{
this, {}, "hashed-mirrors",
R"(
A list of web servers used by `builtins.fetchurl` to obtain files by
hash. Given a hash algorithm *ha* and a base-16 hash *h*, Nix will try to
download the file from *hashed-mirror*/*ha*/*h*. This allows files to
be downloaded even if they have disappeared from their original URI.
For example, given an example mirror `http://tarballs.nixos.org/`,
when building the derivation
```nix
builtins.fetchurl {
url = "https://example.org/foo-1.2.3.tar.xz";
sha256 = "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae";
}
```
Nix will attempt to download this file from
`http://tarballs.nixos.org/sha256/2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae`
first. If it is not available there, if will try the original URI.
)"}

◆ impersonateLinux26

Setting<bool> nix::Settings::impersonateLinux26
Initial value:
{this, false, "impersonate-linux-26",
"Whether to impersonate a Linux 2.6 machine on newer kernels.",
{"build-impersonate-linux-26"}}

◆ impureEnv

Setting<StringMap> nix::Settings::impureEnv
Initial value:
{this, {}, "impure-env",
R"(
A list of items, each in the format of:
- `name=value`: Set environment variable `name` to `value`.
If the user is trusted (see `trusted-users` option), when building
a fixed-output derivation, environment variables set in this option
will be passed to the builder if they are listed in [`impureEnvVars`](@docroot@/language/advanced-attributes.md#adv-attr-impureEnvVars).
This option is useful for, e.g., setting `https_proxy` for
fixed-output derivations and in a multi-user Nix installation, or
setting private access tokens when fetching a private repository.
)",
{},
true,
Xp::ConfigurableImpureEnv
}

◆ keepFailed

Setting<bool> nix::Settings::keepFailed
Initial value:
{this, false, "keep-failed",
"Whether to keep temporary directories of failed builds."}

◆ keepGoing

Setting<bool> nix::Settings::keepGoing
Initial value:
{this, false, "keep-going",
"Whether to keep building derivations when another build fails."}

◆ keepLog

Setting<bool> nix::Settings::keepLog
Initial value:
{
this, true, "keep-build-log",
R"(
If set to `true` (the default), Nix will write the build log of a
derivation (i.e. the standard output and error of its builder) to
the directory `/nix/var/log/nix/drvs`. The build log can be
retrieved using the command `nix-store -l path`.
)",
{"build-keep-log"}}

◆ logLines

Setting<size_t> nix::Settings::logLines
Initial value:
{this, 25, "log-lines",
"The number of lines of the tail of "
"the log to show if a build fails."}

◆ maxBuildJobs

MaxBuildJobsSetting nix::Settings::maxBuildJobs
Initial value:
{
this, 1, "max-jobs",
R"(
Maximum number of jobs that Nix will try to build locally in parallel.
The special value `auto` causes Nix to use the number of CPUs in your system.
Use `0` to disable local builds and directly use the remote machines specified in [`builders`](#conf-builders).
This will not affect derivations that have [`preferLocalBuild = true`](@docroot@/language/advanced-attributes.md#adv-attr-preferLocalBuild), which are always built locally.
> **Note**
>
> The number of CPU cores to use for each build job is independently determined by the [`cores`](#conf-cores) setting.
<!-- TODO(@fricklerhandwerk): would be good to have those shorthands for common options as part of the specification -->
The setting can be overridden using the `--max-jobs` (`-j`) command line switch.
)",
{"build-max-jobs"}}

◆ maxFree

Setting<uint64_t> nix::Settings::maxFree
Initial value:
{
this, std::numeric_limits<int64_t>::max(), "max-free",
R"(
When a garbage collection is triggered by the `min-free` option, it
stops as soon as `max-free` bytes are available. The default is
infinity (i.e. delete all garbage).
)"}

◆ maxLogSize

Setting<unsigned long> nix::Settings::maxLogSize
Initial value:
{
this, 0, "max-build-log-size",
R"(
This option defines the maximum number of bytes that a builder can
write to its stdout/stderr. If the builder exceeds this limit, it’s
killed. A value of `0` (the default) means that there is no limit.
)",
{"build-max-log-size"}}

◆ maxSilentTime

Setting<time_t> nix::Settings::maxSilentTime
Initial value:
{
this, 0, "max-silent-time",
R"(
This option defines the maximum number of seconds that a builder can
go without producing any data on standard output or standard error.
This is useful (for instance in an automated build system) to catch
builds that are stuck in an infinite loop, or to catch remote builds
that are hanging due to network problems. It can be overridden using
the `--max-silent-time` command line switch.
The value `0` means that there is no timeout. This is also the
default.
)",
{"build-max-silent-time"}}

◆ maxSubstitutionJobs

Setting<unsigned int> nix::Settings::maxSubstitutionJobs
Initial value:
{
this, 16, "max-substitution-jobs",
R"(
This option defines the maximum number of substitution jobs that Nix
will try to run in parallel. The default is `16`. The minimum value
one can choose is `1` and lower values will be interpreted as `1`.
)",
{"substitution-max-jobs"}}

◆ minFree

Setting<uint64_t> nix::Settings::minFree
Initial value:
{
this, 0, "min-free",
R"(
When free disk space in `/nix/store` drops below `min-free` during a
build, Nix performs a garbage-collection until `max-free` bytes are
available or there is no more garbage. A value of `0` (the default)
disables this feature.
)"}

◆ minFreeCheckInterval

Setting<uint64_t> nix::Settings::minFreeCheckInterval
Initial value:
{this, 5, "min-free-check-interval",
"Number of seconds between checking free disk space."}

◆ narBufferSize

Setting<size_t> nix::Settings::narBufferSize
Initial value:
{this, 32 * 1024 * 1024, "nar-buffer-size",
"Maximum size of NARs before spilling them to disk."}

◆ netrcFile

Setting<std::string> nix::Settings::netrcFile
Initial value:
{
this, fmt("%s/%s", nixConfDir, "netrc"), "netrc-file",
R"(
If set to an absolute path to a `netrc` file, Nix will use the HTTP
authentication credentials in this file when trying to download from
a remote host through HTTP or HTTPS. Defaults to
`$NIX_CONF_DIR/netrc`.
The `netrc` file consists of a list of accounts in the following
format:
machine my-machine
login my-username
password my-password
For the exact syntax, see [the `curl`
documentation](https://ec.haxx.se/usingcurl-netrc.html).
> **Note**
>
> This must be an absolute path, and `~` is not resolved. For
> example, `~/.netrc` won't resolve to your home directory's
> `.netrc`.
)"}
Path nixConfDir
Definition globals.hh:80
std::string fmt(const std::string &s)
Definition fmt.hh:67

◆ nixConfDir

Path nix::Settings::nixConfDir

The directory where system configuration files are stored.

◆ nixDaemonSocketFile

Path nix::Settings::nixDaemonSocketFile

File name of the socket the daemon listens on.

◆ nixLogDir

Path nix::Settings::nixLogDir

The directory where we log various operations.

◆ nixStateDir

Path nix::Settings::nixStateDir

The directory where state is stored.

◆ nixStore

Path nix::Settings::nixStore

The directory where we store sources and derived files.

◆ nixUserConfFiles

std::vector<Path> nix::Settings::nixUserConfFiles

A list of user configuration files to load.

◆ pollInterval

Setting<unsigned int> nix::Settings::pollInterval
Initial value:
{this, 5, "build-poll-interval",
"How often (in seconds) to poll for locks."}

◆ preBuildHook

Setting<std::string> nix::Settings::preBuildHook
Initial value:
{
this, "", "pre-build-hook",
R"(
If set, the path to a program that can set extra derivation-specific
settings for this system. This is used for settings that can't be
captured by the derivation model itself and are too variable between
different versions of the same system to be hard-coded into nix.
The hook is passed the derivation path and, if sandboxes are
enabled, the sandbox directory. It can then modify the sandbox and
send a series of commands to modify various settings to stdout. The
currently recognized commands are:
- `extra-sandbox-paths`\
Pass a list of files and directories to be included in the
sandbox for this build. One entry per line, terminated by an
empty line. Entries have the same format as `sandbox-paths`.
)"}

◆ printMissing

Setting<bool> nix::Settings::printMissing
Initial value:
{this, true, "print-missing",
"Whether to print what paths need to be built or downloaded."}

◆ readOnlyMode

bool nix::Settings::readOnlyMode = false

Read-only mode: do not copy anything to the store and do not modify the database.

◆ requireDropSupplementaryGroups

Setting<bool> nix::Settings::requireDropSupplementaryGroups
Initial value:
{this, isRootUser(), "require-drop-supplementary-groups",
R"(
Following the principle of least privilege,
Nix will attempt to drop supplementary groups when building with sandboxing.
However this can fail under some circumstances.
For example, if the user lacks the `CAP_SETGID` capability.
Search `setgroups(2)` for `EPERM` to find more detailed information on this.
If you encounter such a failure, setting this option to `false` will let you ignore it and continue.
But before doing so, you should consider the security implications carefully.
Not dropping supplementary groups means the build sandbox will be less restricted than intended.
This option defaults to `true` when the user is root
(since `root` usually has permissions to call setgroups)
and `false` otherwise.
)"}
bool isRootUser()

◆ requireSigs

Setting<bool> nix::Settings::requireSigs
Initial value:
{
this, true, "require-sigs",
R"(
If set to `true` (the default), any non-content-addressed path added
or copied to the Nix store (e.g. when substituting from a binary
cache) must have a signature by a trusted key. A trusted key is one
listed in `trusted-public-keys`, or a public key counterpart to a
private key stored in a file listed in `secret-key-files`.
Set to `false` to disable signature checking and trust all
non-content-addressed paths unconditionally.
(Content-addressed paths are inherently trustworthy and thus
unaffected by this configuration option.)
)"}

◆ reservedSize

Setting<off_t> nix::Settings::reservedSize
Initial value:
{this, 8 * 1024 * 1024, "gc-reserved-space",
"Amount of reserved disk space for the garbage collector."}

◆ runDiffHook

Setting<bool> nix::Settings::runDiffHook
Initial value:
{
this, false, "run-diff-hook",
R"(
If true, enable the execution of the `diff-hook` program.
When using the Nix daemon, `run-diff-hook` must be set in the
`nix.conf` configuration file, and cannot be passed at the command
line.
)"}

◆ sandboxFallback

Setting<bool> nix::Settings::sandboxFallback
Initial value:
{this, true, "sandbox-fallback",
"Whether to disable sandboxing when the kernel doesn't allow it."}

◆ sandboxPaths

Setting<PathSet> nix::Settings::sandboxPaths
Initial value:
{
this, {}, "sandbox-paths",
R"(
A list of paths bind-mounted into Nix sandbox environments. You can
use the syntax `target=source` to mount a path in a different
location in the sandbox; for instance, `/bin=/nix-bin` will mount
the path `/nix-bin` as `/bin` inside the sandbox. If *source* is
followed by `?`, then it is not an error if *source* does not exist;
for example, `/dev/nvidiactl?` specifies that `/dev/nvidiactl` will
only be mounted in the sandbox if it exists in the host filesystem.
If the source is in the Nix store, then its closure will be added to
the sandbox as well.
Depending on how Nix was built, the default value for this option
may be empty or provide `/bin/sh` as a bind-mount of `bash`.
)",
{"build-chroot-dirs", "build-sandbox-paths"}}

◆ secretKeyFiles

Setting<Strings> nix::Settings::secretKeyFiles
Initial value:
{
this, {}, "secret-key-files",
R"(
A whitespace-separated list of files containing secret (private)
keys. These are used to sign locally-built paths. They can be
generated using `nix-store --generate-binary-cache-key`. The
corresponding public key can be distributed to other users, who
can add it to `trusted-public-keys` in their `nix.conf`.
)"}

◆ startId

Setting<uint32_t> nix::Settings::startId
Initial value:
{this,
56930,
"start-id",
"The first UID and GID to use for dynamic ID allocation."}

◆ storeUri

Setting<std::string> nix::Settings::storeUri
Initial value:
{this, getEnv("NIX_REMOTE").value_or("auto"), "store",
R"(
The [URL of the Nix store](@docroot@/store/types/index.md#store-url-format)
to use for most operations.
See the
[Store Types](@docroot@/store/types/index.md)
section of the manual for supported store types and settings.
)"}

◆ substituters

Setting<Strings> nix::Settings::substituters
Initial value:
{
this,
Strings{"https://cache.nixos.org/"},
"substituters",
R"(
A list of [URLs of Nix stores](@docroot@/store/types/index.md#store-url-format) to be used as substituters, separated by whitespace.
A substituter is an additional [store](@docroot@/glossary.md#gloss-store) from which Nix can obtain [store objects](@docroot@/store/store-object.md) instead of building them.
Substituters are tried based on their priority value, which each substituter can set independently.
Lower value means higher priority.
The default is `https://cache.nixos.org`, which has a priority of 40.
At least one of the following conditions must be met for Nix to use a substituter:
- The substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list
- The user calling Nix is in the [`trusted-users`](#conf-trusted-users) list
In addition, each store path should be trusted as described in [`trusted-public-keys`](#conf-trusted-public-keys)
)",
{"binary-caches"}}

◆ syncBeforeRegistering

Setting<bool> nix::Settings::syncBeforeRegistering
Initial value:
{this, false, "sync-before-registering",
"Whether to call `sync()` before registering a path as valid."}

◆ tarballTtl

Setting<unsigned int> nix::Settings::tarballTtl
Initial value:
{
this, 60 * 60, "tarball-ttl",
R"(
The number of seconds a downloaded tarball is considered fresh. If
the cached tarball is stale, Nix will check whether it is still up
to date using the ETag header. Nix will download a new version if
the ETag header is unsupported, or the cached ETag doesn't match.
Setting the TTL to `0` forces Nix to always check if the tarball is
up to date.
Nix caches tarballs in `$XDG_CACHE_HOME/nix/tarballs`.
Files fetched via `NIX_PATH`, `fetchGit`, `fetchMercurial`,
`fetchTarball`, and `fetchurl` respect this TTL.
)"}

◆ thisSystem

Setting<std::string> nix::Settings::thisSystem
Initial value:
{
this, SYSTEM, "system",
R"(
The system type of the current Nix installation.
Nix will only build a given [derivation](@docroot@/language/derivations.md) locally when its `system` attribute equals any of the values specified here or in [`extra-platforms`](#conf-extra-platforms).
The default value is set when Nix itself is compiled for the system it will run on.
The following system types are widely used, as Nix is actively supported on these platforms:
- `x86_64-linux`
- `x86_64-darwin`
- `i686-linux`
- `aarch64-linux`
- `aarch64-darwin`
- `armv6l-linux`
- `armv7l-linux`
In general, you do not have to modify this setting.
While you can force Nix to run a Darwin-specific `builder` executable on a Linux machine, the result would obviously be wrong.
This value is available in the Nix language as
[`builtins.currentSystem`](@docroot@/language/builtins.md#builtins-currentSystem)
if the
[`eval-system`](#conf-eval-system)
configuration option is set as the empty string.
)"}

◆ trustedPublicKeys

Setting<Strings> nix::Settings::trustedPublicKeys
Initial value:
{
this,
{"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="},
"trusted-public-keys",
R"(
A whitespace-separated list of public keys.
At least one of the following condition must be met
for Nix to accept copying a store object from another
Nix store (such as a [substituter](#conf-substituters)):
- the store object has been signed using a key in the trusted keys list
- the [`require-sigs`](#conf-require-sigs) option has been set to `false`
- the store URL is configured with `trusted=true`
- the store object is [content-addressed](@docroot@/glossary.md#gloss-content-addressed-store-object)
)",
{"binary-cache-public-keys"}}

◆ trustedSubstituters

Setting<StringSet> nix::Settings::trustedSubstituters
Initial value:
{
this, {}, "trusted-substituters",
R"(
A list of [Nix store URLs](@docroot@/store/types/index.md#store-url-format), separated by whitespace.
These are not used by default, but users of the Nix daemon can enable them by specifying [`substituters`](#conf-substituters).
Unprivileged users (those set in only [`allowed-users`](#conf-allowed-users) but not [`trusted-users`](#conf-trusted-users)) can pass as `substituters` only those URLs listed in `trusted-substituters`.
)",
{"trusted-binary-caches"}}

◆ tryFallback

Setting<bool> nix::Settings::tryFallback
Initial value:
{
this, false, "fallback",
R"(
If set to `true`, Nix will fall back to building from source if a
binary substitute fails. This is equivalent to the `--fallback`
flag. The default is `false`.
)",
{"build-fallback"}}

◆ ttlNegativeNarInfoCache

Setting<unsigned int> nix::Settings::ttlNegativeNarInfoCache
Initial value:
{
this, 3600, "narinfo-cache-negative-ttl",
R"(
The TTL in seconds for negative lookups.
If a store path is queried from a [substituter](#conf-substituters) but was not found, there will be a negative lookup cached in the local disk cache database for the specified duration.
Set to `0` to force updating the lookup cache.
To wipe the lookup cache completely:
```shell-session
$ rm $HOME/.cache/nix/binary-cache-v*.sqlite*
# rm /root/.cache/nix/binary-cache-v*.sqlite*
```
)"}

◆ ttlPositiveNarInfoCache

Setting<unsigned int> nix::Settings::ttlPositiveNarInfoCache
Initial value:
{
this, 30 * 24 * 3600, "narinfo-cache-positive-ttl",
R"(
The TTL in seconds for positive lookups. If a store path is queried
from a substituter, the result of the query will be cached in the
local disk cache database including some of the NAR metadata. The
default TTL is a month, setting a shorter TTL for positive lookups
can be useful for binary caches that have frequent garbage
collection, in which case having a more frequent cache invalidation
would prevent trying to pull the path again and failing with a hash
mismatch if the build isn't reproducible.
)"}

◆ uidCount

Setting<uint32_t> nix::Settings::uidCount
Initial value:
{this,
128,
"id-count",
"The number of UIDs/GIDs to use for dynamic ID allocation."}

◆ upgradeNixStorePathUrl

Setting<std::string> nix::Settings::upgradeNixStorePathUrl
Initial value:
{
this,
"https://github.com/NixOS/nixpkgs/raw/master/nixos/modules/installer/tools/nix-fallback-paths.nix",
"upgrade-nix-store-path-url",
R"(
Used by `nix upgrade-nix`, the URL of the file that contains the
store paths of the latest Nix release.
)"
}

◆ useSQLiteWAL

Setting<bool> nix::Settings::useSQLiteWAL
Initial value:
{this, !isWSL1(), "use-sqlite-wal",
"Whether SQLite should use WAL mode."}

◆ useSubstitutes

Setting<bool> nix::Settings::useSubstitutes
Initial value:
{
this, true, "substitute",
R"(
If set to `true` (default), Nix will use binary substitutes if
available. This option can be disabled to force building from
source.
)",
{"build-use-substitutes"}}

◆ verboseBuild

bool nix::Settings::verboseBuild = true

Whether to show build log output in real time.

◆ warnLargePathThreshold

Setting<uint64_t> nix::Settings::warnLargePathThreshold
Initial value:
{
this,
0,
"warn-large-path-threshold",
R"(
Warn when copying a path larger than this number of bytes to the Nix store
(as determined by its NAR serialisation).
Default is 0, which disables the warning.
Set it to 1 to warn on all paths.
)"
}

The documentation for this class was generated from the following files: