Module options
Base options
- option
boot.commandLine
Kernel command line
type list of non-empty string
default
[ ]
- option
boot.commandLineDtbNode
Kernel command line’s devicetree node
type one of “bootargs”, “bootargs-override”
default
"bootargs"
option
boot.imageFormat
type one of “fit”, “uimage”
default
"uimage"
option
boot.imageType
type one of “primary”, “secondary”
default
"primary"
- option
boot.tftp.ipaddr
Our IP address to use when creating scripts to boot or flash from U-Boot. Not relevant in normal operation
type string
- option
boot.tftp.loadAddress
RAM address at which to load data when transferring via TFTP. This is not the address of the flash storage, nor the kernel load address: it should be set to some part of RAM that’s not used for anything else and suitable for temporary storage.
type unsigned integer, meaning >=0
- option
boot.tftp.serverip
IP address of the TFTP server. Not relevant in normal operation
type string
- option
defaultProfile.packages
List of packages which are available in a login shell. (This is analogous to systemPackages in NixOS, but we don’t symlink into /run/current-system, we just add the paths in /etc/profile.)
type list of package
- option
filesystem
Skeleton filesystem, represented as nested attrset. Consult the source code if you need to add to this
type anything
option
rootOptions
type null or string
default
null
option
rootfsType
type one of “btrfs”, “ext4”, “jffs2”, “squashfs”, “ubifs”
default
"squashfs"
option
services
type attribute set of s6-rc service
option
system.callService
type function that evaluates to a(n) function that evaluates to a(n) anything
Busybox
Busybox provides stripped-down versions of many usual Linux/Unix tools, and may be configured to include only the commands (termed “applets”) required by the user or by other included modules.
- option
programs.busybox.applets
Applets required
type list of string
example
[ "sh" "getty" "login" ]
default
[ ]
- option
programs.busybox.options
Other busybox config flags that do not map directly to applet names (often prefixed FEATURE_)
type attribute set of non-empty string
example
{ FEATURE_DD_IBS_OBS = "y"; }
default
{ }
Hardware-dependent options
These are attributes of the hardware, not of the application you want to run on it, and would usually be set in the “device” file:
devices/manuf-model/default.nix
- option
hardware.alignment
Alignment passed to mkimage for FIT
type null or (unsigned integer, meaning >=0)
default
null
- option
hardware.defaultOutput
“Default” output: what gets built for this device when outputs.default is requested. Typically this is “mtdimage” or “vmroot”
type non-empty string
- option
hardware.dts.includes
List of directories to search for DTS includes (.dtsi files)
type list of path
default
[ ]
- option
hardware.dts.src
If the device requires an external device tree to be loaded alongside the kernel, this is the path to the device tree source (we usually get these from OpenWrt). This value may be null if the platform creates the device tree - currently this is the case only for QEMU.
type null or path
option
hardware.entryPoint
type unsigned integer, meaning >=0
- option
hardware.flash.address
Start address of whichever partition (often called “firmware”) we’re going to overwrite with our kernel uimage and root fs. Usually not the entire flash, as we don’t want to clobber the bootloader, calibration data etc
type unsigned integer, meaning >=0
- option
hardware.flash.eraseBlockSize
Flash erase block size in bytes
type unsigned integer, meaning >=0
- option
hardware.flash.size
Size in bytes of the firmware partition
type unsigned integer, meaning >=0
option
hardware.loadAddress
type unsigned integer, meaning >=0
default
null
option
hardware.networkInterfaces
type attribute set of anything
- option
hardware.radios
Kernel modules (from mac80211 package) required for the wireless devices on this board
type list of string
example
[ "ath9k" "ath10k" ]
default
[ ]
option
hardware.ram.startAddress
type signed integer
- option
hardware.rootDevice
Full path to preferred root device
type string
example
"/dev/mtdblock3"
hostname
- option
hostname
System hostname of the device, as returned by gethostname(2). May or may not correspond to any name it’s reachable at on any network.
type non-empty string
default
"liminix"
extlinux
- option
boot.loader.extlinux.enable
Whether to enable extlinux.
type boolean
example
true
default
false
initramfs
- option
boot.initramfs.enable
Whether to enable initramfs.
type boolean
example
true
default
false
tftpboot
option
boot.tftp.appendDTB
type boolean
default
false
option
boot.tftp.compressRoot
type boolean
default
false
option
boot.tftp.freeSpaceBytes
type signed integer
default
0
option
boot.tftp.kernelFormat
type one of “zimage”, “uimage”
default
"uimage"
ubifs
option
hardware.ubi.logicalEraseBlockSize
type string
option
hardware.ubi.maxLEBcount
type string
option
hardware.ubi.minIOSize
type string
option
hardware.ubi.physicalEraseBlockSize
type string
ramdisk
- option
boot.ramdisk.enable
Whether to enable reserving part of memory as an MTD-based RAM disk. Needed for TFTP booting or for kexec-based revertable upgrade.
type boolean
example
true
default
false
s6
- option
logging.directory
default log directory
type path
default
"/run/log"
- option
logging.script
“log script” used by fallback s6-log process
type string
default
"pliminix t"
- option
logging.shipping.enable
Whether to enable unix socket for log shipping.
type boolean
example
true
default
false
- option
logging.shipping.service
log shipper service
type s6-rc service
- option
logging.shipping.socket
socket pathname
type path
default
"/run/.log-shipping.sock"
Users
User- and group-related configuration.
Changes made here are reflected in files such as /etc/shadow, /etc/passwd, /etc/group etc. If you are familiar with user configuration in NixOS, please note that Liminix does not have the concept of “mutable users”: files in /etc/ are symlinks to the immutable store, so you can’t, for example, change a password with passwd.
option
groups
type attribute set of (submodule)
option
groups.<name>.gid
type signed integer
option
groups.<name>.usernames
type list of string
default
[ ]
option
users
type attribute set of (submodule)
option
users.<name>.dir
type string
default
"/run"
option
users.<name>.gecos
type string
example
"Jo Q User"
default
""
option
users.<name>.gid
type signed integer
option
users.<name>.openssh.authorizedKeys.keys
type list of string
default
[ ]
- option
users.<name>.passwd
encrypted password, as generated by mkpasswd -m sha512crypt
type string
example
"$6$RIYL.EgWOrtoJ0/7$Z53a8sc0o6AU/kuFOGiLJKhwVavTG/deoM7JTs6luNczYSUsh4UYmhvT8sVzm.l8F/LZXhhhkC7IHQs5UGAIM/"
default
"!!"
option
users.<name>.shell
type string
default
"/bin/sh"
option
users.<name>.uid
type signed integer
Bridge module
Allows creation of Layer 2 software “bridge” network devices. A common use case is to merge together a hardware Ethernet device with one or more WLANs so that several local devices appear to be on the same network.
path modules/bridge/default.nix
service
system.service.bridge.members
Service parameters
- option
members
interfaces to add to the bridge
type list of s6-rc service
- option
primary
primary bridge interface
type s6-rc service
service
system.service.bridge.primary
Service parameters
- option
ifname
bridge interface name to create
type string
DHCP6 client module
This is for use if you have an IPv6-capable upstream that provides address information and/or prefix delegation using DHCP6. It provides a service to request address information in the form of a DHCP lease, and two dependent services that listen for updates to the DHCP address information and can be used to update addresses of network interfaces that you want to assign those prefixes to
path modules/dhcp6c/default.nix
service
system.service.dhcp6c.address
Service parameters
option
client
type anything
- option
interface
interface to assign the address to
type s6-rc service
service
system.service.dhcp6c.client
Service parameters
- option
interface
interface (usually WAN) to query for DHCP6
type s6-rc service
service
system.service.dhcp6c.prefix
Service parameters
option
client
type anything
- option
interface
interface to assign <prefix>::1 to
type s6-rc service
Dnsmasq
This module includes a service to provide DNS, DHCP, and IPv6 router advertisement for the local network.
path modules/dnsmasq/default.nix
service
system.service.dnsmasq
Service parameters
- option
domain
Domain name for DHCP service: causes the DHCP server to return the domain to any hosts which request it, and sets the domain which it is legal for DHCP-configured hosts to claim
type string
- option
group
Specifies the unix group which dnsmasq will run as
type string
default
dnsmasq
option
hosts
type attribute set of (submodule)
option
interface
type s6-rc service
option
ranges
type list of string
option
resolvconf
type null or s6-rc service
option
upstreams
type list of string
- option
user
Specifies the unix user which dnsmasq will run as
type string
default
dnsmasq
Firewall
Provides a service to create an nftables ruleset based on configuration supplied to it.
path modules/firewall/default.nix
service
system.service.firewall
Service parameters
- option
extraRules
firewall ruleset
type attribute set of (attribute set)
- option
rules
firewall ruleset
type attribute set of (attribute set)
Hostapd
Hostapd (host access point daemon) enables a wireless network interface to act as an access point and authentication server, providing IEEE 802.11 access point management, and IEEE 802.1X/WPA/WPA2/EAP Authenticators. In less technical terms, this service is what you need for your Liminix device to provide a wireless network that clients can connect to.
If you have more than one wireless network interface (e.g. wlan0, wlan1) you can run an instance of hostapd on each of them.
path modules/hostapd/default.nix
service
system.service.hostapd
Service parameters
option
interface
type s6-rc service
option
params
type attribute set
ifwait
path modules/ifwait/default.nix
service
system.service.ifwait
Service parameters
option
interface
type s6-rc service
option
service
type s6-rc service
option
state
type string
Mount
Mount filesystems
path modules/mount/default.nix
service
system.service.mount
Service parameters
option
fstype
type string
default
auto
option
mountpoint
type string
option
options
type list of string
option
partlabel
type string
Network
Basic network services for creating hardware ethernet devices and adding addresses
path modules/network/default.nix
- service
system.service.network.address
network interface address
Service parameters
option
address
type string
option
family
type one of “inet”, “inet6”
option
interface
type s6-rc service
option
prefixLength
type integer between 0 and 128 (both inclusive)
- service
system.service.network.dhcp.client
DHCP v4 client
Service parameters
option
interface
type s6-rc service
service
system.service.network.forward
Service parameters
option
enableIPv4
type boolean
option
enableIPv6
type boolean
- service
system.service.network.link
hardware network interface
Service parameters
- option
devpath
Path to the sysfs node of the device. If you provide this and the ifname option, the device will be renamed to the name given by ifname.
type null or string
- option
ifname
Device name as used by the kernel (as seen in “ip link” or “ifconfig” output). If devpath is also specified, the device will be renamed to the name provided.
type string
option
mtu
type null or signed integer
service
system.service.network.route
Service parameters
- option
interface
Interface to route through. May be omitted if it can be inferred from “via”
type null or s6-rc service
- option
metric
route metric
type signed integer
- option
target
host or network to add route to
type string
- option
via
address of next hop
type string
NTP
A network time protocol implementation so that your Liminix device may synchronize its clock with an accurate time source, and optionally also provide time service to its peers. The implementation used in Liminix is Chrony
path modules/ntp/default.nix
service
system.service.ntp
Service parameters
- option
allow
subnets from which NTP clients are allowed to access the server
type list of string
option
bindaddress
type null or string
option
binddevice
type null or string
option
dumpdir
type path
default
/run/chrony
option
extraConfig
type strings concatenated with “\n”
default
option
makestep
type null or (submodule)
option
peers
type attribute set of list of string
option
pools
type attribute set of list of string
option
servers
type attribute set of list of string
option
user
type string
default
ntp
PPP
pppoe
(PPP over Ethernet) provides a service to address the case
where your Liminix device is connected to an upstream network using
PPPoE. This is typical for UK broadband connections where the
physical connection is made by OpenReach (“Fibre To The X”) and
common in some other localities as well: check with your ISP if this is
you.
l2tp
(Layer 2 Tunnelling Protocol) provides a service that
tunnels PPP over the Internet. This may be used by some ISPs in
conjunction with a DHCP uplink, or other more creative forms of
network connection
path modules/ppp/default.nix
service
system.service.l2tp
Service parameters
- option
debug
log the contents of all control packets sent or received
type boolean
option
lcpEcho
type unspecified
- option
lns
hostname or address of the L2TP network server
type string
- option
password
password
type null or string or function that evaluates to a(n) anything
- option
ppp-options
options supplied on ppp command line
type list of string
- option
username
username
type null or string or function that evaluates to a(n) anything
service
system.service.pppoe
Service parameters
- option
debug
log the contents of all control packets sent or received
type boolean
- option
interface
ethernet interface to run PPPoE over
type s6-rc service
option
lcpEcho
type unspecified
- option
password
password
type null or string or function that evaluates to a(n) anything
- option
ppp-options
options supplied on ppp command line
type list of string
- option
username
username
type null or string or function that evaluates to a(n) anything
Secrets
path modules/secrets/default.nix
- service
system.service.secrets.outboard
fetch secrets from external vault with https
Service parameters
- option
interval
how often to check the source, in minutes
type signed integer
- option
name
service name
type string
- option
password
password for HTTP basic auth
type null or string
- option
url
source url
type string matching the pattern https?://.*
- option
username
username for HTTP basic auth
type null or string
- service
system.service.secrets.subscriber
wrapper around a service that needs notifying (e.g. restarting) when secrets change
Service parameters
- option
action
how do we notify the service to regenerate its config
type one of “restart”, “restart-all”, “hup”, “int”, “quit”, “kill”, “term”, “winch”, “usr1”, “usr2”
default
restart-all
- option
service
subscribing service that will receive notification
type s6-rc service
- option
watch
secrets paths to subscribe to
type list of function that evaluates to a(n) anything
- service
system.service.secrets.tang
fetch secrets from encrypted local pathname, using tang
Service parameters
- option
interval
how often to check the source, in minutes
type signed integer
- option
name
service name
type string
- option
path
encrypted source pathname
type path
Secure Shell
Provide SSH service using Dropbear
path modules/ssh/default.nix
service
system.service.ssh
Service parameters
- option
address
Listen on specified address
type null or string
- option
allowLocalPortForward
Enable local port forwarding
type boolean
- option
allowPasswordLogin
Allow login using password (disable for public key auth only)
type boolean
- option
allowPasswordLoginForRoot
Allow root to login using password (disable for public key auth only)
type boolean
- option
allowRemoteConnectionToForwardedPorts
Allow remote hosts to connect to local forwarded ports (by default they are bound to loopback)
type boolean
- option
allowRemotePortForward
Enable remote port forwarding
type boolean
- option
allowRoot
Allow root to login
type boolean
- option
authorizedKeys
Authorized SSH public keys for each username. If this option is provided it overrides any keys found in /home/{username}/.ssh
type null or (attribute set of list of non-empty string) or function that evaluates to a(n) anything
option
extraConfig
type strings concatenated with “ “
default
- option
port
Listen on specified TCP port
type 16 bit unsigned integer; between 0 and 65535 (both inclusive)
uevent-rule
path modules/uevent-rule/default.nix
- service
system.service.uevent-rule
a service which starts other services based on device state (sysfs)
Service parameters
- option
serviceName
name of the service to run when the rule matches
type string
- option
symlink
create symlink targeted on devpath
type null or string
option
terms
type attribute set
VLAN
Virtual LANs give you the ability to sub-divide a LAN. Linux can accept VLAN tagged traffic and presents each VLAN ID as a different network interface (eg: eth0.100 for VLAN ID 100)
Some Liminix devices with multiple ethernet ports are implemented using a network switch connecting the physical ports to the CPU, and require using VLAN in order to send different traffic to different ports (e.g. LAN vs WAN)
path modules/vlan/default.nix
service
system.service.vlan
Service parameters
- option
ifname
interface name to create
type string
- option
primary
existing physical interface
type s6-rc service
- option
vid
VLAN identifier (VID) in range 1-4094
type string
Watchdog
Enable hardware watchdog (for devices that support one) and feed it by checking the health of specified critical services. If the watchdog feeder stops, the device will reboot.
path modules/watchdog/default.nix
service
system.service.watchdog
Service parameters
- option
headStart
delay in seconds before watchdog starts checking service health
type signed integer
- option
watched
services to watch
type list of s6-rc service