nix.conf - Nix Reference Manual (original) (raw)

Nix supports a variety of configuration settings, which are read from configuration files or taken as command line flags.

Configuration files consist of name = value pairs, one per line. Comments start with a # character.

Other files can be included with a line like include <path>, where <path> is interpreted relative to the current configuration file. A missing file is an error unless !include is used instead.

A configuration setting usually overrides any previous value. However, for settings that take a list of items, you can prefix the name of the setting by extra- to append to the previous value.

defines the substituters setting to be a b c d.

Unknown option names are not an error, and are simply ignored with a warning.

Configuration options can be set on the command line, overriding the values set in the configuration file:

The extra- prefix is supported for settings that take a list of items (e.g. --extra-trusted users alice or --option extra-trusted-users alice).

Settings that have an integer type support the suffixes K, M, Gand T. These cause the specified value to be multiplied by 2^10, 2^20, 2^30 and 2^40, respectively. For instance, --min-free 1M is equivalent to --min-free 1048576.

• abort-on-warn
  If set to true, builtins.warn will throw an error when logging a warning.
  This will give you a stack trace that leads to the location of the warning.
  This is useful for finding information about warnings in third-party Nix code when you can not start the interactive debugger, such as when Nix is called from a non-interactive script. See debugger-on-warn.
  Currently, a stack trace can only be produced when the debugger is enabled, or when evaluation is aborted.
  This option can be enabled by setting NIX_ABORT_ON_WARN=1 in the environment.
  Default: false
• accept-flake-config

  Warning

  This setting is part of anexperimental feature.

  To change this setting, make sure theflakes experimental featureis enabled. For example, include the following in nix.conf:

  ```

extra-experimental-features = flakes
accept-flake-config = ...

Whether to accept nix configuration from a flake without prompting.  
**Default:** `false`

• access-tokens
  Access tokens used to access protected GitHub, GitLab, or other locations requiring token-based authentication.
  Access tokens are specified as a string made up of space-separated host=token values. The specific token used is selected by matching the host portion against the "host" specification of the input. The actual use of thetoken value is determined by the type of resource being accessed:
• Github: the token value is the OAUTH-TOKEN string obtained as the Personal Access Token from the Github server (see https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps).
• Gitlab: the token value is either the OAuth2 token or the Personal Access Token (these are different types tokens for gitlab, see https://docs.gitlab.com/12.10/ee/api/README.html#authentication). The token value should be type:tokenstring wheretype is either OAuth2 or PAT to indicate which type of token is being specified.
  Example ~/.config/nix/nix.conf:

access-tokens = github.com=23ac...b289 gitlab.mycompany.com=PAT:A123Bp_Cd..EfG gitlab.com=OAuth2:1jklw3jk  

Example ~/code/flake.nix:

input.foo = {  
  type = "gitlab";  
  host = "gitlab.mycompany.com";  
  owner = "mycompany";  
  repo = "pro";  
};  

This example specifies three tokens, one each for accessing github.com, gitlab.mycompany.com, and gitlab.com.
The input.foo uses the "gitlab" fetcher, which might requires specifying the token type along with the token value.
Default: empty

• allow-dirty
  Whether to allow dirty Git/Mercurial trees.
  Default: true
• allow-import-from-derivation
  By default, Nix allows Import from Derivation.
  With this option set to false, Nix will throw an error when evaluating an expression that uses this feature, even when the required store object is readily available. This ensures that evaluation will not require any builds to take place, regardless of the state of the store.
  Default: true
• allow-new-privileges
  (Linux-specific.) By default, builders on Linux cannot acquire new privileges by calling setuid/setgid programs or programs that have file capabilities. For example, programs such as sudo or pingwill fail. (Note that in sandbox builds, no such programs are available unless you bind-mount them into the sandbox via thesandbox-paths option.) You can allow the use of such programs by enabling this option. This is impure and usually undesirable, but may be useful in certain scenarios (e.g. to spin up containers or set up userspace network interfaces in tests).
  Default: false
• allow-symlinked-store
  If set to true, Nix will stop complaining if the store directory (typically /nix/store) contains symlink components.
  This risks making some builds "impure" because builders sometimes "canonicalise" paths by resolving all symlink components. Problems occur if those builds are then deployed to machines where /nix/store resolves to a different location from that of the build machine. You can enable this setting if you are sure you're not going to do that.
  Default: false
• allow-unsafe-native-code-during-evaluation
  Enable built-in functions that allow executing native code.
  In particular, this adds:
• builtins.importNative path symbol
  Opens dynamic shared object (DSO) at path, loads the function with the symbol name symbol from it and runs it. The loaded function must have the following signature:

extern "C" typedef void (*ValueInitialiser) (EvalState & state, Value & v);  

The Nix C++ API documentation has more details on evaluator internals.

• builtins.exec arguments
  Execute a program, where arguments are specified as a list of strings, and parse its output as a Nix expression.
  Default: false
• allowed-impure-host-deps
  Which prefixes to allow derivations to ask for access to (primarily for Darwin).
  Default: empty
• allowed-uris
  A list of URI prefixes to which access is allowed in restricted evaluation mode. For example, when set tohttps://github.com/NixOS, builtin functions such as fetchGit are allowed to access https://github.com/NixOS/patchelf.git.
  Access is granted when
• the URI is equal to the prefix,
• or the URI is a subpath of the prefix,
• or the prefix is a URI scheme ended by a colon : and the URI has the same scheme.
  Default: empty
• allowed-users
  A list user names, separated by whitespace. These users are allowed to connect to the Nix daemon.
  You can specify groups by prefixing names with @. For instance, @wheel means all users in the wheel group. Also, you can allow all users by specifying *.

  Note

  Trusted users (set in trusted-users) can always connect to the Nix daemon.
  Default: *

• always-allow-substitutes
  If set to true, Nix will ignore the allowSubstitutes attribute in derivations and always attempt to use available substituters.
  Default: false
• auto-allocate-uids

  Warning

  This setting is part of anexperimental feature.

  To change this setting, make sure theauto-allocate-uids experimental featureis enabled. For example, include the following in nix.conf:

  ```

extra-experimental-features = auto-allocate-uids
auto-allocate-uids = ...

Whether to select UIDs for builds automatically, instead of using the users in `build-users-group`.  
UIDs are allocated starting at 872415232 (0x34000000) on Linux and 56930 on macOS.  
**Default:** `false`

• auto-optimise-store
  If set to true, Nix automatically detects files in the store that have identical contents, and replaces them with hard links to a single copy. This saves disk space. If set to false (the default), you can still run nix-store --optimise to get rid of duplicate files.
  Default: false
• bash-prompt
  The bash prompt (PS1) in nix develop shells.
  Default: empty
• bash-prompt-prefix
  Prefix prepended to the PS1 environment variable in nix develop shells.
  Default: empty
• bash-prompt-suffix
  Suffix appended to the PS1 environment variable in nix develop shells.
  Default: empty
• build-dir
  The directory on the host, in which derivations' temporary build directories are created.
  If not set, Nix will use the system temporary directory indicated by the TMPDIR environment variable. Note that builds are often performed by the Nix daemon, so its TMPDIR is used, and not that of the Nix command line interface.
  This is also the location where --keep-failed leaves its files.
  If Nix runs without sandbox, or if the platform does not support sandboxing with bind mounts (e.g. macOS), then the builder's environment will contain this directory, instead of the virtual location sandbox-build-dir.
  Default: ``
• build-hook
  The path to the helper program that executes remote builds.
  Nix communicates with the build hook over stdio using a custom protocol to request builds that cannot be performed directly by the Nix daemon. The default value is the internal Nix binary that implements remote building.

  Important

  Change this setting only if you really know what you’re doing.
  Default: empty

• build-poll-interval
  How often (in seconds) to poll for locks.
  Default: 5
• build-users-group
  This options specifies the Unix group containing the Nix build user accounts. In multi-user Nix installations, builds should not be performed by the Nix account since that would allow users to arbitrarily modify the Nix store and database by supplying specially crafted builders; and they cannot be performed by the calling user since that would allow him/her to influence the build result.
  Therefore, if this option is non-empty and specifies a valid group, builds will be performed under the user accounts that are a member of the group specified here (as listed in /etc/group). Those user accounts should not be used for any other purpose!
  Nix will never run two builds under the same user account at the same time. This is to prevent an obvious security hole: a malicious user writing a Nix expression that modifies the build result of a legitimate Nix expression being built by another user. Therefore it is good to have as many Nix build user accounts as you can spare. (Remember: uids are cheap.)
  The build users should have permission to create files in the Nix store, but not delete them. Therefore, /nix/store should be owned by the Nix account, its group should be the group specified here, and its mode should be 1775.
  If the build users group is empty, builds will be performed under the uid of the Nix process (that is, the uid of the caller ifNIX_REMOTE is empty, the uid under which the Nix daemon runs ifNIX_REMOTE is daemon). Obviously, this should not be used with a nix daemon accessible to untrusted clients.
  Defaults to nixbld when running as root, empty otherwise.
  Default: machine-specific
• builders
  A semicolon- or newline-separated list of build machines.
  In addition to the usual ways of setting configuration options, the value can be read from a file by prefixing its absolute path with @.

  Example

  This is the default setting:

  ```

builders = @/etc/nix/machines

Each machine specification consists of the following elements, separated by spaces. Only the first element is required. To leave a field at its default, set it to `-`.  

1. The URI of the remote store in the format ssh://[username@]hostname.

   Example

   ssh://nix@mac
   For backward compatibility, ssh:// may be omitted. The hostname may be an alias defined in ~/.ssh/config.

2. A comma-separated list of Nix system types. If omitted, this defaults to the local platform type.

   Example

   aarch64-darwin
   It is possible for a machine to support multiple platform types.
   Example

   i686-linux,x86_64-linux

3. The SSH identity file to be used to log in to the remote machine. If omitted, SSH will use its regular identities.

   Example

   /home/user/.ssh/id_mac

4. The maximum number of builds that Nix will execute in parallel on the machine. Typically this should be equal to the number of CPU cores.
5. The “speed factor”, indicating the relative speed of the machine as a positive integer. If there are multiple machines of the right type, Nix will prefer the fastest, taking load into account.
6. A comma-separated list of supported system features.
   A machine will only be used to build a derivation if all the features in the derivation's requiredSystemFeatures attribute are supported by that machine.
7. A comma-separated list of required system features.
   A machine will only be used to build a derivation if all of the machine’s required features appear in the derivation’s requiredSystemFeatures attribute.
8. The (base64-encoded) public host key of the remote machine. If omitted, SSH will use its regular known_hosts file.
   The value for this field can be obtained via base64 -w0.

   Example

   Multiple builders specified on the command line:

   --builders 'ssh://mac x86_64-darwin ; ssh://beastie x86_64-freebsd'  
    

   Example

   This specifies several machines that can perform i686-linux builds:

   nix@scratchy.labs.cs.uu.nl i686-linux /home/nix/.ssh/id_scratchy 8 1 kvm  
   nix@itchy.labs.cs.uu.nl    i686-linux /home/nix/.ssh/id_scratchy 8 2  
   nix@poochie.labs.cs.uu.nl  i686-linux /home/nix/.ssh/id_scratchy 1 2 kvm benchmark  
    

   However, poochie will only build derivations that have the attribute

   requiredSystemFeatures = [ "benchmark" ];  
    

   or

   requiredSystemFeatures = [ "benchmark" "kvm" ];  
    

   itchy cannot do builds that require kvm, but scratchy does support such builds. For regular builds, itchy will be preferred over scratchy because it has a higher speed factor.
   For Nix to use substituters, the calling user must be in the trusted-users list.
   Note

   A build machine must be accessible via SSH and have Nix installed.nix must be available in $PATH for the user connecting over SSH.
   Warning

   If you are building via the Nix daemon (default), the Nix daemon user account on the local machine (that is, root) requires access to a user account on the remote machine (not necessarily root).

   If you can’t or don’t want to configure root to be able to access the remote machine, set store to any local store, e.g. by passing --store /tmp to the command on the local machine.
   To build only on remote machines and disable local builds, set max-jobs to 0.
   If you want the remote machines to use substituters, set builders-use-substitutes to true.
   Default: machine-specific

• builders-use-substitutes
  If set to true, Nix will instruct remote build machines to use their own substituters if available.
  It means that remote build hosts will fetch as many dependencies as possible from their own substituters (e.g, from cache.nixos.org) instead of waiting for the local machine to upload them all. This can drastically reduce build times if the network connection between the local machine and the remote build host is slow.
  Default: false
• commit-lock-file-summary

  Warning

  This setting is part of anexperimental feature.

  To change this setting, make sure theflakes experimental featureis enabled. For example, include the following in nix.conf:

  ```

extra-experimental-features = flakes
commit-lock-file-summary = ...

The commit summary to use when committing changed flake lock files. If empty, the summary is generated based on the action performed.  
**Default:** _empty_  
**Deprecated alias:** `commit-lockfile-summary`

• compress-build-log
  If set to true (the default), build logs written to/nix/var/log/nix/drvs will be compressed on the fly using bzip2. Otherwise, they will not be compressed.
  Default: true
  Deprecated alias: build-compress-log
• connect-timeout
  The timeout (in seconds) for establishing connections in the binary cache substituter. It corresponds to curl’s--connect-timeout option. A value of 0 means no limit.
  Default: 0
• cores
  Sets the value of the NIX_BUILD_CORES environment variable in the invocation of the builder executable of a derivation. The builder executable can use this variable to control its own maximum amount of parallelism.
  For instance, in Nixpkgs, if the attribute enableParallelBuilding for the mkDerivation build helper is set to true, it will pass the -j${NIX_BUILD_CORES} flag to GNU Make.
  The value 0 means that the builder should use all available CPU cores in the system.

  Note

  The number of parallel local Nix build jobs is independently controlled with the max-jobs setting.
  Default: machine-specific
  Deprecated alias: build-cores

• debugger-on-trace
  If set to true and the --debugger flag is given, the following functions will enter the debugger like builtins.break.
• builtins.trace
• builtins.traceVerboseif trace-verbose is set to true.
• builtins.warn
  This is useful for debugging warnings in third-party Nix code.
  Default: false
• debugger-on-warn
  If set to true and the --debugger flag is given, builtins.warnwill enter the debugger like builtins.break.
  This is useful for debugging warnings in third-party Nix code.
  Use debugger-on-trace to also enter the debugger on legacy warnings that are logged with builtins.trace.
  Default: false
• diff-hook
  Absolute path to an executable capable of diffing build results. The hook is executed if run-diff-hook is true, and the output of a build is known to not be the same. This program is not executed to determine if two results are the same.
  The diff hook is executed by the same user and group who ran the build. However, the diff hook does not have write access to the store path just built.
  The diff hook program receives three parameters:

1. A path to the previous build's results
2. A path to the current build's results
3. The path to the build's derivation
4. The path to the build's scratch directory. This directory will exist only if the build was run with --keep-failed.
   The stderr and stdout output from the diff hook will not be displayed to the user. Instead, it will print to the nix-daemon's log.
   When using the Nix daemon, diff-hook must be set in the nix.confconfiguration file, and cannot be passed at the command line.
   Default: ``

• download-attempts
  How often Nix will attempt to download a file before giving up.
  Default: 5
• download-buffer-size
  The size of Nix's internal download buffer during curl transfers. If data is not processed quickly enough to exceed the size of this buffer, downloads may stall.
  Default: 67108864
• download-speed
  Specify the maximum transfer rate in kilobytes per second you want Nix to use for downloads.
  Default: 0
• eval-cache
  Whether to use the flake evaluation cache.
  Default: true
• eval-system
  This option definesbuiltins.currentSystemin the Nix language if it is set as a non-empty string. Otherwise, if it is defined as the empty string (the default), the value of thesystem configuration setting is used instead.
  Unlike system, this setting does not change what kind of derivations can be built locally. This is useful for evaluating Nix code on one system to produce derivations to be built on another type of system.
  Default: empty
• experimental-features
  Experimental features that are enabled.
  Example:

experimental-features = nix-command flakes  

The following experimental features are available:

• auto-allocate-uids
• ca-derivations
• cgroups
• configurable-impure-env
• daemon-trust-override
• dynamic-derivations
• fetch-closure
• fetch-tree
• flakes
• git-hashing
• impure-derivations
• local-overlay-store
• mounted-ssh-store
• nix-command
• no-url-literals
• parse-toml-timestamps
• pipe-operators
• read-only-local-store
• recursive-nix
• verified-fetches
  Experimental features are further documented in the manual.
  Default: empty
• System types of executables that can be run on this machine.
  Nix will only build a given derivation locally when its system attribute equals any of the values specified here or in the system option.
  Setting this can be useful to build derivations locally on compatible machines:
• i686-linux executables can be run on x86_64-linux machines (set by default)
• x86_64-darwin executables can be run on macOS aarch64-darwin with Rosetta 2 (set by default where applicable)
• armv6 and armv5tel executables can be run on armv7
• some aarch64 machines can also natively run 32-bit ARM code
• qemu-user may be used to support non-native platforms (though this may be slow and buggy)
  Build systems will usually detect the target platform to be the current physical system and therefore produce machine code incompatible with what may be intended in the derivation. You should design your derivation's builder accordingly and cross-check the results when using this option against natively-built versions of your derivation.
  Default: machine-specific
• fallback
  If set to true, Nix will fall back to building from source if a binary substitute fails. This is equivalent to the --fallbackflag. The default is false.
  Default: false
  Deprecated alias: build-fallback
• filter-syscalls
  Whether to prevent certain dangerous system calls, such as creation of setuid/setgid files or adding ACLs or extended attributes. Only disable this if you're aware of the security implications.
  Default: true
• flake-registry

  Warning

  This setting is part of anexperimental feature.

  To change this setting, make sure theflakes experimental featureis enabled. For example, include the following in nix.conf:

  ```

extra-experimental-features = flakes
flake-registry = ...

Path or URI of the global flake registry.  
When empty, disables the global flake registry.  
**Default:** `https://channels.nixos.org/flake-registry.json`

• fsync-metadata
  If set to true, changes to the Nix store metadata (in/nix/var/nix/db) are synchronously flushed to disk. This improves robustness in case of system crashes, but reduces performance. The default is true.
  Default: true
• gc-reserved-space
  Amount of reserved disk space for the garbage collector.
  Default: 8388608
• hashed-mirrors
  A list of web servers used by builtins.fetchurl to obtain files by hash. Given a hash algorithm ha and a base-16 hash h, Nix will try to download the file from hashed-mirror/ha/h. This allows files to be downloaded even if they have disappeared from their original URI. For example, given an example mirror http://tarballs.nixos.org/, when building the derivation

builtins.fetchurl {  
  url = "https://example.org/foo-1.2.3.tar.xz";  
  sha256 = "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae";  
}  

Nix will attempt to download this file fromhttp://tarballs.nixos.org/sha256/2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7aefirst. If it is not available there, if will try the original URI.
Default: empty

• http-connections
  The maximum number of parallel TCP connections used to fetch files from binary caches and by other downloads. It defaults to 25. 0 means no limit.
  Default: 25
  Deprecated alias: binary-caches-parallel-connections
• http2
  Whether to enable HTTP/2 support.
  Default: true
• id-count
  The number of UIDs/GIDs to use for dynamic ID allocation.
  Default: 8388608
• ignore-try
  If set to true, ignore exceptions inside 'tryEval' calls when evaluating nix expressions in debug mode (using the --debugger flag). By default the debugger will pause on all exceptions.
  Default: false
• ignored-acls
  A list of ACLs that should be ignored, normally Nix attempts to remove all ACLs from files and directories in the Nix store, but some ACLs like security.selinux or system.nfs4_acl can't be removed even by root. Therefore it's best to just ignore them.
  Default: security.csm security.selinux system.nfs4_acl
• impersonate-linux-26
  Whether to impersonate a Linux 2.6 machine on newer kernels.
  Default: false
  Deprecated alias: build-impersonate-linux-26
• impure-env

  Warning

  This setting is part of anexperimental feature.

  To change this setting, make sure theconfigurable-impure-env experimental featureis enabled. For example, include the following in nix.conf:

  ```

extra-experimental-features = configurable-impure-env
impure-env = ...

A list of items, each in the format of:  

• name=value: Set environment variable name to value.
  If the user is trusted (see trusted-users option), when building a fixed-output derivation, environment variables set in this option will be passed to the builder if they are listed in impureEnvVars.
  This option is useful for, e.g., setting https_proxy for fixed-output derivations and in a multi-user Nix installation, or setting private access tokens when fetching a private repository.
  Default: empty
• keep-build-log
  If set to true (the default), Nix will write the build log of a derivation (i.e. the standard output and error of its builder) to the directory /nix/var/log/nix/drvs. The build log can be retrieved using the command nix-store -l path.
  Default: true
  Deprecated alias: build-keep-log
• keep-derivations
  If true (default), the garbage collector will keep the derivations from which non-garbage store paths were built. If false, they will be deleted unless explicitly registered as a root (or reachable from other roots).
  Keeping derivation around is useful for querying and traceability (e.g., it allows you to ask with what dependencies or options a store path was built), so by default this option is on. Turn it off to save a bit of disk space (or a lot if keep-outputs is also turned on).
  Default: true
  Deprecated alias: gc-keep-derivations
• keep-env-derivations
  If false (default), derivations are not stored in Nix user environments. That is, the derivations of any build-time-only dependencies may be garbage-collected.
  If true, when you add a Nix derivation to a user environment, the path of the derivation is stored in the user environment. Thus, the derivation will not be garbage-collected until the user environment generation is deleted (nix-env --delete-generations). To prevent build-time-only dependencies from being collected, you should also turn on keep-outputs.
  The difference between this option and keep-derivations is that this one is “sticky”: it applies to any user environment created while this option was enabled, while keep-derivations only applies at the moment the garbage collector is run.
  Default: false
  Deprecated alias: env-keep-derivations
• keep-failed
  Whether to keep temporary directories of failed builds.
  Default: false
• keep-going
  Whether to keep building derivations when another build fails.
  Default: false
• keep-outputs
  If true, the garbage collector will keep the outputs of non-garbage derivations. If false (default), outputs will be deleted unless they are GC roots themselves (or reachable from other roots).
  In general, outputs must be registered as roots separately. However, even if the output of a derivation is registered as a root, the collector will still delete store paths that are used only at build time (e.g., the C compiler, or source tarballs downloaded from the network). To prevent it from doing so, set this option to true.
  Default: false
  Deprecated alias: gc-keep-outputs
• log-lines
  The number of lines of the tail of the log to show if a build fails.
  Default: 25
• max-build-log-size
  This option defines the maximum number of bytes that a builder can write to its stdout/stderr. If the builder exceeds this limit, it’s killed. A value of 0 (the default) means that there is no limit.
  Default: 0
  Deprecated alias: build-max-log-size
• max-call-depth
  The maximum function call depth to allow before erroring.
  Default: 10000
• max-free
  When a garbage collection is triggered by the min-free option, it stops as soon as max-free bytes are available. The default is infinity (i.e. delete all garbage).
  Default: -1
• max-jobs
  Maximum number of jobs that Nix will try to build locally in parallel.
  The special value auto causes Nix to use the number of CPUs in your system. Use 0 to disable local builds and directly use the remote machines specified in builders. This will not affect derivations that have preferLocalBuild = true, which are always built locally.

  Note

  The number of CPU cores to use for each build job is independently determined by the cores setting.
  The setting can be overridden using the --max-jobs (-j) command line switch.
  Default: 1
  Deprecated alias: build-max-jobs

• max-silent-time
  This option defines the maximum number of seconds that a builder can go without producing any data on standard output or standard error. This is useful (for instance in an automated build system) to catch builds that are stuck in an infinite loop, or to catch remote builds that are hanging due to network problems. It can be overridden using the --max-silent-time command line switch.
  The value 0 means that there is no timeout. This is also the default.
  Default: 0
  Deprecated alias: build-max-silent-time
• max-substitution-jobs
  This option defines the maximum number of substitution jobs that Nix will try to run in parallel. The default is 16. The minimum value one can choose is 1 and lower values will be interpreted as 1.
  Default: 16
  Deprecated alias: substitution-max-jobs
• min-free
  When free disk space in /nix/store drops below min-free during a build, Nix performs a garbage-collection until max-free bytes are available or there is no more garbage. A value of 0 (the default) disables this feature.
  Default: 0
• min-free-check-interval
  Number of seconds between checking free disk space.
  Default: 5
• nar-buffer-size
  Maximum size of NARs before spilling them to disk.
  Default: 33554432
• narinfo-cache-negative-ttl
  The TTL in seconds for negative lookups. If a store path is queried from a substituter but was not found, there will be a negative lookup cached in the local disk cache database for the specified duration.
  Set to 0 to force updating the lookup cache.
  To wipe the lookup cache completely:

$ rm $HOME/.cache/nix/binary-cache-v*.sqlite*  
# rm /root/.cache/nix/binary-cache-v*.sqlite*  

Default: 3600

• narinfo-cache-positive-ttl
  The TTL in seconds for positive lookups. If a store path is queried from a substituter, the result of the query will be cached in the local disk cache database including some of the NAR metadata. The default TTL is a month, setting a shorter TTL for positive lookups can be useful for binary caches that have frequent garbage collection, in which case having a more frequent cache invalidation would prevent trying to pull the path again and failing with a hash mismatch if the build isn't reproducible.
  Default: 2592000
• netrc-file
  If set to an absolute path to a netrc file, Nix will use the HTTP authentication credentials in this file when trying to download from a remote host through HTTP or HTTPS. Defaults to$NIX_CONF_DIR/netrc.
  The netrc file consists of a list of accounts in the following format:

machine my-machine  
login my-username  
password my-password  

For the exact syntax, see the curldocumentation.

Note

This must be an absolute path, and ~ is not resolved. For example, ~/.netrc won't resolve to your home directory's.netrc.
Default: /dummy/netrc

• nix-path
  List of search paths to use for lookup path resolution. This setting determines the value ofbuiltins.nixPath and can be used with builtins.findFile.
• The configuration setting is overridden by the NIX_PATHenvironment variable.
• NIX_PATH is overridden by specifying the setting as the command line flag --nix-path.
• Any current value is extended by the -I option or --extra-nix-path.
  If the respective paths are accessible, the default values are:
• $HOME/.nix-defexpr/channels
• nixpkgs=$NIX_STATE_DIR/profiles/per-user/root/channels/nixpkgs
• $NIX_STATE_DIR/profiles/per-user/root/channels
  See NIX_STATE_DIR for details.

  Note

  If restricted evaluation is enabled, the default value is empty.

  If pure evaluation is enabled, builtins.nixPath always evaluates to the empty list [ ].
  Default: machine-specific

• nix-shell-always-looks-for-shell-nix
  Before Nix 2.24, nix-shell would only look at shell.nix if it was in the working directory - when no file was specified.
  Since Nix 2.24, nix-shell always looks for a shell.nix, whether that's in the working directory, or in a directory that was passed as an argument.
  You may set this to false to temporarily revert to the behavior of Nix 2.23 and older.
  Using this setting is not recommended. It will be deprecated and removed.
  Default: true
• nix-shell-shebang-arguments-relative-to-script
  Before Nix 2.24, relative file path expressions in arguments in a nix-shell shebang were resolved relative to the working directory.
  Since Nix 2.24, nix-shell resolves these paths in a manner that is relative to the base directory, defined as the script's directory.
  You may set this to false to temporarily revert to the behavior of Nix 2.23 and older.
  Using this setting is not recommended. It will be deprecated and removed.
  Default: true
• plugin-files
  A list of plugin files to be loaded by Nix. Each of these files will be dlopened by Nix. If they contain the symbol nix_plugin_entry(), this symbol will be called. Alternatively, they can affect execution through static initialization. In particular, these plugins may construct static instances of RegisterPrimOp to add new primops or constants to the expression language, RegisterStoreImplementation to add new store implementations, RegisterCommand to add new subcommands to the nixcommand, and RegisterSetting to add new nix config settings. See the constructors for those types for more details.
  Warning! These APIs are inherently unstable and may change from release to release.
  Since these files are loaded into the same address space as Nix itself, they must be DSOs compatible with the instance of Nix running at the time (i.e. compiled against the same headers, not linked to any incompatible libraries). They should not be linked to any Nix libs directly, as those will be available already at load time.
  If an entry in the list is a directory, all files in the directory are loaded as plugins (non-recursively).
  Default: empty
• post-build-hook
  Optional. The path to a program to execute after each build.
  This option is only settable in the global nix.conf, or on the command line by trusted users.
  When using the nix-daemon, the daemon executes the hook as root. If the nix-daemon is not involved, the hook runs as the user executing the nix-build.
• The hook executes after an evaluation-time build.
• The hook does not execute on substituted paths.
• The hook's output always goes to the user's terminal.
• If the hook fails, the build succeeds but no further builds execute.
• The hook executes synchronously, and blocks other builds from progressing while it runs.
  The program executes with no arguments. The program's environment contains the following environment variables:
• DRV_PATHThe derivation for the built paths.
  Example:/nix/store/5nihn1a7pa8b25l9zafqaqibznlvvp3f-bash-4.4-p23.drv
• OUT_PATHSOutput paths of the built derivation, separated by a space character.
  Example:/nix/store/zf5lbh336mnzf1nlswdn11g4n2m8zh3g-bash-4.4-p23-dev /nix/store/rjxwxwv1fpn9wa2x5ssk5phzwlcv4mna-bash-4.4-p23-doc /nix/store/6bqvbzjkcp9695dq0dpl5y43nvy37pq1-bash-4.4-p23-info /nix/store/r7fng3kk3vlpdlh2idnrbn37vh4imlj2-bash-4.4-p23-man /nix/store/xfghy8ixrhz3kyy6p724iv3cxji088dx-bash-4.4-p23.
  Default: empty
• pre-build-hook
  If set, the path to a program that can set extra derivation-specific settings for this system. This is used for settings that can't be captured by the derivation model itself and are too variable between different versions of the same system to be hard-coded into nix.
  The hook is passed the derivation path and, if sandboxes are enabled, the sandbox directory. It can then modify the sandbox and send a series of commands to modify various settings to stdout. The currently recognized commands are:
• extra-sandbox-paths
  Pass a list of files and directories to be included in the sandbox for this build. One entry per line, terminated by an empty line. Entries have the same format as sandbox-paths.
  Default: empty
• preallocate-contents
  Whether to preallocate files when writing objects with known size.
  Default: false
• print-missing
  Whether to print what paths need to be built or downloaded.
  Default: true
• pure-eval
  Pure evaluation mode ensures that the result of Nix expressions is fully determined by explicitly declared inputs, and not influenced by external state:
• Restrict file system and network access to files specified by cryptographic hash
• Disable impure constants:
  • builtins.currentSystem
  • builtins.currentTime
  • builtins.nixPath
  • builtins.storePath
    Default: false
• require-drop-supplementary-groups
  Following the principle of least privilege, Nix will attempt to drop supplementary groups when building with sandboxing.
  However this can fail under some circumstances. For example, if the user lacks the CAP_SETGID capability. Search setgroups(2) for EPERM to find more detailed information on this.
  If you encounter such a failure, setting this option to false will let you ignore it and continue. But before doing so, you should consider the security implications carefully. Not dropping supplementary groups means the build sandbox will be less restricted than intended.
  This option defaults to true when the user is root (since root usually has permissions to call setgroups) and false otherwise.
  Default: false
• require-sigs
  If set to true (the default), any non-content-addressed path added or copied to the Nix store (e.g. when substituting from a binary cache) must have a signature by a trusted key. A trusted key is one listed in trusted-public-keys, or a public key counterpart to a private key stored in a file listed in secret-key-files.
  Set to false to disable signature checking and trust all non-content-addressed paths unconditionally.
  (Content-addressed paths are inherently trustworthy and thus unaffected by this configuration option.)
  Default: true
• restrict-eval
  If set to true, the Nix evaluator will not allow access to any files outside ofbuiltins.nixPath, or to URIs outside ofallowed-uris.
  Default: false
• run-diff-hook
  If true, enable the execution of the diff-hook program.
  When using the Nix daemon, run-diff-hook must be set in thenix.conf configuration file, and cannot be passed at the command line.
  Default: false
• sandbox
  If set to true, builds will be performed in a sandboxed environment, i.e., they’re isolated from the normal file system hierarchy and will only see their dependencies in the Nix store, the temporary build directory, private versions of /proc,/dev, /dev/shm and /dev/pts (on Linux), and the paths configured with the sandbox-paths option. This is useful to prevent undeclared dependencies on files in directories such as/usr/bin. In addition, on Linux, builds run in private PID, mount, network, IPC and UTS namespaces to isolate them from other processes in the system (except that fixed-output derivations do not run in private network namespace to ensure they can access the network).
  Currently, sandboxing only work on Linux and macOS. The use of a sandbox requires that Nix is run as root (so you should use the “build users” feature to perform the actual builds under different users than root).
  If this option is set to relaxed, then fixed-output derivations and derivations that have the __noChroot attribute set to truedo not run in sandboxes.
  The default is true on Linux and false on all other platforms.
  Default: true
  Deprecated alias: build-use-chroot, build-use-sandbox
• sandbox-build-dir
  Linux only
  The build directory inside the sandbox.
  This directory is backed by build-dir on the host.
  Default: /build
• sandbox-dev-shm-size
  Linux only
  This option determines the maximum size of the tmpfs filesystem mounted on /dev/shm in Linux sandboxes. For the format, see the description of the size option of tmpfs in mount(8). The default is 50%.
  Default: 50%
• sandbox-fallback
  Whether to disable sandboxing when the kernel doesn't allow it.
  Default: true
• sandbox-paths
  A list of paths bind-mounted into Nix sandbox environments. You can use the syntax target=source to mount a path in a different location in the sandbox; for instance, /bin=/nix-bin will mount the path /nix-bin as /bin inside the sandbox. If source is followed by ?, then it is not an error if source does not exist; for example, /dev/nvidiactl? specifies that /dev/nvidiactl will only be mounted in the sandbox if it exists in the host filesystem.
  If the source is in the Nix store, then its closure will be added to the sandbox as well.
  Depending on how Nix was built, the default value for this option may be empty or provide /bin/sh as a bind-mount of bash.
  Default: empty
  Deprecated alias: build-chroot-dirs, build-sandbox-paths
• secret-key-files
  A whitespace-separated list of files containing secret (private) keys. These are used to sign locally-built paths. They can be generated using nix-store --generate-binary-cache-key. The corresponding public key can be distributed to other users, who can add it to trusted-public-keys in their nix.conf.
  Default: empty
• show-trace
  Whether Nix should print out a stack trace in case of Nix expression evaluation errors.
  Default: false
• ssl-cert-file
  The path of a file containing CA certificates used to authenticate https:// downloads. Nix by default will use the first of the following files that exists:

1. /etc/ssl/certs/ca-certificates.crt
2. /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt
   The path can be overridden by the following environment variables, in order of precedence:
3. NIX_SSL_CERT_FILE
4. SSL_CERT_FILE
   Default: empty

• stalled-download-timeout
  The timeout (in seconds) for receiving data from servers during download. Nix cancels idle downloads after this timeout's duration.
  Default: 300
• start-id
  The first UID and GID to use for dynamic ID allocation.
  Default: 872415232
• store
  The URL of the Nix storeto use for most operations. See theStore Typessection of the manual for supported store types and settings.
  Default: auto
• substitute
  If set to true (default), Nix will use binary substitutes if available. This option can be disabled to force building from source.
  Default: true
  Deprecated alias: build-use-substitutes
• substituters
  A list of URLs of Nix stores to be used as substituters, separated by whitespace. A substituter is an additional store from which Nix can obtain store objects instead of building them.
  Substituters are tried based on their priority value, which each substituter can set independently. Lower value means higher priority. The default is https://cache.nixos.org, which has a priority of 40.
  At least one of the following conditions must be met for Nix to use a substituter:
• The substituter is in the trusted-substituters list
• The user calling Nix is in the trusted-users list
  In addition, each store path should be trusted as described in trusted-public-keys
  Default: https://cache.nixos.org/
  Deprecated alias: binary-caches
• sync-before-registering
  Whether to call sync() before registering a path as valid.
  Default: false
• system
  The system type of the current Nix installation. Nix will only build a given derivation locally when its system attribute equals any of the values specified here or in extra-platforms.
  The default value is set when Nix itself is compiled for the system it will run on. The following system types are widely used, as Nix is actively supported on these platforms:
• x86_64-linux
• x86_64-darwin
• i686-linux
• aarch64-linux
• aarch64-darwin
• armv6l-linux
• armv7l-linux
  In general, you do not have to modify this setting. While you can force Nix to run a Darwin-specific builder executable on a Linux machine, the result would obviously be wrong.
  This value is available in the Nix language asbuiltins.currentSystemif theeval-systemconfiguration option is set as the empty string.
  Default: x86_64-linux
• system-features
  A set of system “features” supported by this machine.
  This complements the system and extra-platforms configuration options and the corresponding system attribute on derivations.
  A derivation can require system features in the requiredSystemFeatures attribute, and the machine to build the derivation must have them.
  System features are user-defined, but Nix sets the following defaults:
• apple-virt
  Included on Darwin if virtualization is available.
• kvm
  Included on Linux if /dev/kvm is accessible.
• nixos-test, benchmark, big-parallel
  These historical pseudo-features are always enabled for backwards compatibility, as they are used in Nixpkgs to route Hydra builds to specific machines.
• ca-derivations
  Included by default if the ca-derivations experimental feature is enabled.
  This system feature is implicitly required by derivations with the __contentAddressed attribute.
• recursive-nix
  Included by default if the recursive-nix experimental feature is enabled.
• uid-range
  On Linux, Nix can run builds in a user namespace where they run as root (UID 0) and have 65,536 UIDs available. This is primarily useful for running containers such as systemd-nspawn inside a Nix build. For an example, see tests/systemd-nspawn/nix.
  Included by default on Linux if the auto-allocate-uids setting is enabled.
  Default: machine-specific
• tarball-ttl
  The number of seconds a downloaded tarball is considered fresh. If the cached tarball is stale, Nix will check whether it is still up to date using the ETag header. Nix will download a new version if the ETag header is unsupported, or the cached ETag doesn't match.
  Setting the TTL to 0 forces Nix to always check if the tarball is up to date.
  Nix caches tarballs in $XDG_CACHE_HOME/nix/tarballs.
  Files fetched via NIX_PATH, fetchGit, fetchMercurial,fetchTarball, and fetchurl respect this TTL.
  Default: 3600
• timeout
  This option defines the maximum number of seconds that a builder can run. This is useful (for instance in an automated build system) to catch builds that are stuck in an infinite loop but keep writing to their standard output or standard error. It can be overridden using the --timeout command line switch.
  The value 0 means that there is no timeout. This is also the default.
  Default: 0
  Deprecated alias: build-timeout
• trace-function-calls
  If set to true, the Nix evaluator will trace every function call. Nix will print a log message at the "vomit" level for every function entrance and function exit.

function-trace entered undefined position at 1565795816999559622  
function-trace exited undefined position at 1565795816999581277  
function-trace entered /nix/store/.../example.nix:226:41 at 1565795253249935150  
function-trace exited /nix/store/.../example.nix:226:41 at 1565795253249941684  

The undefined position means the function call is a builtin.
Use the contrib/stack-collapse.py script distributed with the Nix source code to convert the trace logs in to a format suitable forflamegraph.pl.
Default: false

• trace-verbose
  Whether builtins.traceVerbose should trace its first argument when evaluated.
  Default: false
• trust-tarballs-from-git-forges
  If enabled (the default), Nix will consider tarballs from GitHub and similar Git forges to be locked if a Git revision is specified, e.g. github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f. This requires Nix to trust that the provider will return the correct contents for the specified Git revision.
  If disabled, such tarballs are only considered locked if anarHash attribute is specified, e.g. github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f?narHash=sha256-PPXqKY2hJng4DBVE0I4xshv/vGLUskL7jl53roB8UdU%3D.
  Default: true
• trusted-public-keys
  A whitespace-separated list of public keys.
  At least one of the following condition must be met for Nix to accept copying a store object from another Nix store (such as a substituter):
• the store object has been signed using a key in the trusted keys list
• the require-sigs option has been set to false
• the store URL is configured with trusted=true
• the store object is content-addressed
  Default: cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
  Deprecated alias: binary-cache-public-keys
• trusted-substituters
  A list of Nix store URLs, separated by whitespace. These are not used by default, but users of the Nix daemon can enable them by specifying substituters.
  Unprivileged users (those set in only allowed-users but not trusted-users) can pass as substituters only those URLs listed in trusted-substituters.
  Default: empty
  Deprecated alias: trusted-binary-caches
• trusted-users
  A list of user names, separated by whitespace. These users will have additional rights when connecting to the Nix daemon, such as the ability to specify additional substituters, or to import unsigned realisations or unsigned input-addressed store objects.
  You can also specify groups by prefixing names with @. For instance, @wheel means all users in the wheel group.

  Warning

  Adding a user to trusted-users is essentially equivalent to giving that user root access to the system. For example, the user can access or replace store path contents that are critical for system security.
  Default: root

• upgrade-nix-store-path-url
  Used by nix upgrade-nix, the URL of the file that contains the store paths of the latest Nix release.
  Default: https://github.com/NixOS/nixpkgs/raw/master/nixos/modules/installer/tools/nix-fallback-paths.nix
• use-case-hack
  Whether to enable a macOS-specific hack for dealing with file name case collisions.
  Default: false
• use-cgroups
  Whether to execute builds inside cgroups. This is only supported on Linux.
  Cgroups are required and enabled automatically for derivations that require the uid-range system feature.
  Default: false
• use-registries

  Warning

  This setting is part of anexperimental feature.

  To change this setting, make sure theflakes experimental featureis enabled. For example, include the following in nix.conf:

  ```

extra-experimental-features = flakes
use-registries = ...

Whether to use flake registries to resolve flake references.  
**Default:** `true`

• use-sqlite-wal
  Whether SQLite should use WAL mode.
  Default: true
• use-xdg-base-directories
  If set to true, Nix will conform to the XDG Base Directory Specification for files in $HOME. The environment variables used to implement this are documented in the Environment Variables section.

  WarningThis changes the location of some well-known symlinks that Nix creates, which might break tools that rely on the old, non-XDG-conformant locations.
  In particular, the following locations change:

  Old	New
  ~/.nix-profile	$XDG_STATE_HOME/nix/profile
  ~/.nix-defexpr	$XDG_STATE_HOME/nix/defexpr
  ~/.nix-channels	$XDG_STATE_HOME/nix/channels
  If you already have Nix installed and are using profiles or channels, you should migrate manually when you enable this option. If $XDG_STATE_HOME is not set, use $HOME/.local/state/nix instead of $XDG_STATE_HOME/nix. This can be achieved with the following shell commands:

nix_state_home=${XDG_STATE_HOME-$HOME/.local/state}/nix  
mkdir -p $nix_state_home  
mv <span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mi>H</mi><mi>O</mi><mi>M</mi><mi>E</mi><mi mathvariant="normal">/</mi><mi mathvariant="normal">.</mi><mi>n</mi><mi>i</mi><mi>x</mi><mo>−</mo><mi>p</mi><mi>r</mi><mi>o</mi><mi>f</mi><mi>i</mi><mi>l</mi><mi>e</mi></mrow><annotation encoding="application/x-tex">HOME/.nix-profile </annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord mathnormal" style="margin-right:0.08125em;">H</span><span class="mord mathnormal" style="margin-right:0.05764em;">OME</span><span class="mord">/.</span><span class="mord mathnormal">ni</span><span class="mord mathnormal">x</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">−</span><span class="mspace" style="margin-right:0.2222em;"></span></span><span class="base"><span class="strut" style="height:0.8889em;vertical-align:-0.1944em;"></span><span class="mord mathnormal">p</span><span class="mord mathnormal">ro</span><span class="mord mathnormal" style="margin-right:0.10764em;">f</span><span class="mord mathnormal">i</span><span class="mord mathnormal" style="margin-right:0.01968em;">l</span><span class="mord mathnormal">e</span></span></span></span>nix_state_home/profile  
mv <span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mi>H</mi><mi>O</mi><mi>M</mi><mi>E</mi><mi mathvariant="normal">/</mi><mi mathvariant="normal">.</mi><mi>n</mi><mi>i</mi><mi>x</mi><mo>−</mo><mi>d</mi><mi>e</mi><mi>f</mi><mi>e</mi><mi>x</mi><mi>p</mi><mi>r</mi></mrow><annotation encoding="application/x-tex">HOME/.nix-defexpr </annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord mathnormal" style="margin-right:0.08125em;">H</span><span class="mord mathnormal" style="margin-right:0.05764em;">OME</span><span class="mord">/.</span><span class="mord mathnormal">ni</span><span class="mord mathnormal">x</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">−</span><span class="mspace" style="margin-right:0.2222em;"></span></span><span class="base"><span class="strut" style="height:0.8889em;vertical-align:-0.1944em;"></span><span class="mord mathnormal">d</span><span class="mord mathnormal">e</span><span class="mord mathnormal" style="margin-right:0.10764em;">f</span><span class="mord mathnormal">e</span><span class="mord mathnormal">x</span><span class="mord mathnormal">p</span><span class="mord mathnormal" style="margin-right:0.02778em;">r</span></span></span></span>nix_state_home/defexpr  
mv <span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mi>H</mi><mi>O</mi><mi>M</mi><mi>E</mi><mi mathvariant="normal">/</mi><mi mathvariant="normal">.</mi><mi>n</mi><mi>i</mi><mi>x</mi><mo>−</mo><mi>c</mi><mi>h</mi><mi>a</mi><mi>n</mi><mi>n</mi><mi>e</mi><mi>l</mi><mi>s</mi></mrow><annotation encoding="application/x-tex">HOME/.nix-channels </annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mord mathnormal" style="margin-right:0.08125em;">H</span><span class="mord mathnormal" style="margin-right:0.05764em;">OME</span><span class="mord">/.</span><span class="mord mathnormal">ni</span><span class="mord mathnormal">x</span><span class="mspace" style="margin-right:0.2222em;"></span><span class="mbin">−</span><span class="mspace" style="margin-right:0.2222em;"></span></span><span class="base"><span class="strut" style="height:0.6944em;"></span><span class="mord mathnormal">c</span><span class="mord mathnormal">hann</span><span class="mord mathnormal">e</span><span class="mord mathnormal" style="margin-right:0.01968em;">l</span><span class="mord mathnormal">s</span></span></span></span>nix_state_home/channels  

Default: false

• user-agent-suffix
  String appended to the user agent in HTTP requests.
  Default: empty
• warn-dirty
  Whether to warn about dirty Git/Mercurial trees.
  Default: true
• warn-large-path-threshold
  Warn when copying a path larger than this number of bytes to the Nix store (as determined by its NAR serialisation).
  Default: -1