Module options

Base options

  • option boot.commandLine

    Kernel command line

    type list of non-empty string

    default

    [ ]
    
  • option boot.commandLineDtbNode

    Kernel command line’s devicetree node

    type one of “bootargs”, “bootargs-override”

    default

    "bootargs"
    
  • option boot.imageFormat

    type one of “fit”, “uimage”

    default

    "uimage"
    
  • option boot.imageType

    type one of “primary”, “secondary”

    default

    "primary"
    
  • option boot.tftp.ipaddr

    Our IP address to use when creating scripts to boot or flash from U-Boot. Not relevant in normal operation

    type string

  • option boot.tftp.loadAddress

    RAM address at which to load data when transferring via TFTP. This is not the address of the flash storage, nor the kernel load address: it should be set to some part of RAM that’s not used for anything else and suitable for temporary storage.

    type unsigned integer, meaning >=0

  • option boot.tftp.serverip

    IP address of the TFTP server. Not relevant in normal operation

    type string

  • option defaultProfile.packages

    List of packages which are available in a login shell. (This is analogous to systemPackages in NixOS, but we don’t symlink into /run/current-system, we just add the paths in /etc/profile.)

    type list of package

  • option filesystem

    Skeleton filesystem, represented as nested attrset. Consult the source code if you need to add to this

    type anything

  • option rootOptions

    type null or string

    default

    null
    
  • option rootfsType

    type one of “btrfs”, “ext4”, “jffs2”, “squashfs”, “ubifs”

    default

    "squashfs"
    
  • option services

    type attribute set of s6-rc service

  • option system.callService

    type function that evaluates to a(n) function that evaluates to a(n) anything

Busybox

Busybox provides stripped-down versions of many usual Linux/Unix tools, and may be configured to include only the commands (termed “applets”) required by the user or by other included modules.

  • option programs.busybox.applets

    Applets required

    type list of string

    example

    [
      "sh"
      "getty"
      "login"
    ]
    

    default

    [ ]
    
  • option programs.busybox.options

    Other busybox config flags that do not map directly to applet names (often prefixed FEATURE_)

    type attribute set of non-empty string

    example

    {
      FEATURE_DD_IBS_OBS = "y";
    }
    

    default

    { }
    

Hardware-dependent options

These are attributes of the hardware, not of the application you want to run on it, and would usually be set in the “device” file: devices/manuf-model/default.nix

  • option hardware.alignment

    Alignment passed to mkimage for FIT

    type null or (unsigned integer, meaning >=0)

    default

    null
    
  • option hardware.defaultOutput

    “Default” output: what gets built for this device when outputs.default is requested. Typically this is “mtdimage” or “vmroot”

    type non-empty string

  • option hardware.dts.includes

    List of directories to search for DTS includes (.dtsi files)

    type list of path

    default

    [ ]
    
  • option hardware.dts.src

    If the device requires an external device tree to be loaded alongside the kernel, this is the path to the device tree source (we usually get these from OpenWrt). This value may be null if the platform creates the device tree - currently this is the case only for QEMU.

    type null or path

  • option hardware.entryPoint

    type unsigned integer, meaning >=0

  • option hardware.flash.address

    Start address of whichever partition (often called “firmware”) we’re going to overwrite with our kernel uimage and root fs. Usually not the entire flash, as we don’t want to clobber the bootloader, calibration data etc

    type unsigned integer, meaning >=0

  • option hardware.flash.eraseBlockSize

    Flash erase block size in bytes

    type unsigned integer, meaning >=0

  • option hardware.flash.size

    Size in bytes of the firmware partition

    type unsigned integer, meaning >=0

  • option hardware.loadAddress

    type unsigned integer, meaning >=0

    default

    null
    
  • option hardware.networkInterfaces

    type attribute set of anything

  • option hardware.radios

    Kernel modules (from mac80211 package) required for the wireless devices on this board

    type list of string

    example

    [
      "ath9k"
      "ath10k"
    ]
    

    default

    [ ]
    
  • option hardware.ram.startAddress

    type signed integer

  • option hardware.rootDevice

    Full path to preferred root device

    type string

    example

    "/dev/mtdblock3"
    

hostname

  • option hostname

    System hostname of the device, as returned by gethostname(2). May or may not correspond to any name it’s reachable at on any network.

    type non-empty string

    default

    "liminix"
    

extlinux

  • option boot.loader.extlinux.enable

    Whether to enable extlinux.

    type boolean

    example

    true
    

    default

    false
    

initramfs

  • option boot.initramfs.enable

    Whether to enable initramfs.

    type boolean

    example

    true
    

    default

    false
    

tftpboot

  • option boot.tftp.appendDTB

    type boolean

    default

    false
    
  • option boot.tftp.compressRoot

    type boolean

    default

    false
    
  • option boot.tftp.freeSpaceBytes

    type signed integer

    default

    0
    
  • option boot.tftp.kernelFormat

    type one of “zimage”, “uimage”

    default

    "uimage"
    

ubifs

  • option hardware.ubi.logicalEraseBlockSize

    type string

  • option hardware.ubi.maxLEBcount

    type string

  • option hardware.ubi.minIOSize

    type string

  • option hardware.ubi.physicalEraseBlockSize

    type string

ramdisk

  • option boot.ramdisk.enable

    Whether to enable reserving part of memory as an MTD-based RAM disk. Needed for TFTP booting or for kexec-based revertible upgrade.

    type boolean

    example

    true
    

    default

    false
    

s6

  • option logging.directory

    default log directory

    type path

    default

    "/run/log"
    
  • option logging.script

    “log script” used by fallback s6-log process

    type string

    default

    "pliminix t"
    
  • option logging.shipping.enable

    Whether to enable unix socket for log shipping.

    type boolean

    example

    true
    

    default

    false
    
  • option logging.shipping.service

    log shipper service

    type s6-rc service

  • option logging.shipping.socket

    socket pathname

    type path

    default

    "/run/.log-shipping.sock"
    

Users

User- and group-related configuration.

Changes made here are reflected in files such as /etc/shadow, /etc/passwd, /etc/group etc. If you are familiar with user configuration in NixOS, please note that Liminix does not have the concept of “mutable users”: files in /etc/ are symlinks to the immutable store, so you can’t, for example, change a password with passwd.

  • option groups

    type attribute set of (submodule)

  • option groups.<name>.gid

    type signed integer

  • option groups.<name>.usernames

    type list of string

    default

    [ ]
    
  • option users

    type attribute set of (submodule)

  • option users.<name>.dir

    type string

    default

    "/run"
    
  • option users.<name>.gecos

    type string

    example

    "Jo Q User"
    

    default

    ""
    
  • option users.<name>.gid

    type signed integer

  • option users.<name>.openssh.authorizedKeys.keys

    type list of string

    default

    [ ]
    
  • option users.<name>.passwd

    encrypted password, as generated by mkpasswd -m sha512crypt

    type string

    example

    "$6$RIYL.EgWOrtoJ0/7$Z53a8sc0o6AU/kuFOGiLJKhwVavTG/deoM7JTs6luNczYSUsh4UYmhvT8sVzm.l8F/LZXhhhkC7IHQs5UGAIM/"
    

    default

    "!!"
    
  • option users.<name>.shell

    type string

    default

    "/bin/sh"
    
  • option users.<name>.uid

    type signed integer

Bridge module

Allows creation of Layer 2 software “bridge” network devices. A common use case is to merge together a hardware Ethernet device with one or more WLANs so that several local devices appear to be on the same network.

path modules/bridge/default.nix

  • service system.service.bridge.members

    Service parameters

    • option members

      interfaces to add to the bridge

      type list of s6-rc service

    • option primary

      primary bridge interface

      type s6-rc service

  • service system.service.bridge.primary

    Service parameters

    • option ifname

      bridge interface name to create

      type string

DHCP6 client module

This is for use if you have an IPv6-capable upstream that provides address information and/or prefix delegation using DHCP6. It provides a service to request address information in the form of a DHCP lease, and two dependent services that listen for updates to the DHCP address information and can be used to update addresses of network interfaces that you want to assign those prefixes to.

path modules/dhcp6c/default.nix

  • service system.service.dhcp6c.address

    Service parameters

    • option client

      type anything

    • option interface

      interface to assign the address to

      type s6-rc service

  • service system.service.dhcp6c.client

    Service parameters

    • option interface

      interface (usually WAN) to query for DHCP6

      type s6-rc service

  • service system.service.dhcp6c.prefix

    Service parameters

    • option client

      type anything

    • option interface

      interface to assign <prefix>::1 to

      type s6-rc service

Dnsmasq

This module includes a service to provide DNS, DHCP, and IPv6 router advertisement for the local network.

path modules/dnsmasq/default.nix

  • service system.service.dnsmasq

    Service parameters

    • option domain

      Domain name for DHCP service: causes the DHCP server to return the domain to any hosts which request it, and sets the domain which it is legal for DHCP-configured hosts to claim

      type string

    • option group

      Specifies the unix group which dnsmasq will run as

      type string

      default

      dnsmasq
      
    • option hosts

      type attribute set of (submodule)

    • option interface

      type s6-rc service

    • option ranges

      type list of string

    • option resolvconf

      type null or s6-rc service

    • option upstreams

      type list of string

    • option user

      Specifies the unix user which dnsmasq will run as

      type string

      default

      dnsmasq
      

Firewall

Provides a service to create an nftables ruleset based on configuration supplied to it.

path modules/firewall/default.nix

  • service system.service.firewall

    Service parameters

    • option extraRules

      firewall ruleset

      type attribute set of (attribute set)

    • option rules

      firewall ruleset

      type attribute set of (attribute set)

Hostapd

Hostapd (host access point daemon) enables a wireless network interface to act as an access point and authentication server, providing IEEE 802.11 access point management, and IEEE 802.1X/WPA/WPA2/EAP Authenticators. In less technical terms, this service is what you need for your Liminix device to provide a wireless network that clients can connect to.

If you have more than one wireless network interface (e.g. wlan0, wlan1) you can run an instance of hostapd on each of them.

path modules/hostapd/default.nix

  • service system.service.hostapd

    Service parameters

    • option interface

      type s6-rc service

    • option params

      type attribute set

ifwait

path modules/ifwait/default.nix

  • service system.service.ifwait

    Service parameters

    • option interface

      type s6-rc service

    • option service

      type s6-rc service

    • option state

      type string

Mount

Mount filesystems

path modules/mount/default.nix

  • service system.service.mount

    Service parameters

    • option fstype

      type string

      default

      auto
      
    • option mountpoint

      type string

    • option options

      type list of string

    • option partlabel

      type string

Network

Basic network services for creating hardware ethernet devices and adding addresses

path modules/network/default.nix

  • service system.service.network.address

    network interface address

    Service parameters

    • option address

      type string

    • option family

      type one of “inet”, “inet6”

    • option interface

      type s6-rc service

    • option prefixLength

      type integer between 0 and 128 (both inclusive)

  • service system.service.network.dhcp.client

    DHCP v4 client

    Service parameters

    • option interface

      type s6-rc service

  • service system.service.network.forward

    Service parameters

    • option enableIPv4

      type boolean

    • option enableIPv6

      type boolean

  • service system.service.network.link

    hardware network interface

    Service parameters

    • option devpath

      Path to the sysfs node of the device. If you provide this and the ifname option, the device will be renamed to the name given by ifname.

      type null or string

    • option ifname

      Device name as used by the kernel (as seen in “ip link” or “ifconfig” output). If devpath is also specified, the device will be renamed to the name provided.

      type string

    • option mtu

      type null or signed integer

  • service system.service.network.route

    Service parameters

    • option interface

      Interface to route through. May be omitted if it can be inferred from “via”

      type null or s6-rc service

    • option metric

      route metric

      type signed integer

    • option target

      host or network to add route to

      type string

    • option via

      address of next hop

      type string

NTP

A network time protocol implementation so that your Liminix device may synchronize its clock with an accurate time source, and optionally also provide time service to its peers. The implementation used in Liminix is Chrony.

path modules/ntp/default.nix

  • service system.service.ntp

    Service parameters

    • option allow

      subnets from which NTP clients are allowed to access the server

      type list of string

    • option bindaddress

      type null or string

    • option binddevice

      type null or string

    • option dumpdir

      type path

      default

      /run/chrony
      
    • option extraConfig

      type strings concatenated with “\n”

      default

      
      
    • option makestep

      type null or (submodule)

    • option peers

      type attribute set of list of string

    • option pools

      type attribute set of list of string

    • option servers

      type attribute set of list of string

    • option user

      type string

      default

      ntp
      

PPP

pppoe (PPP over Ethernet) provides a service to address the case where your Liminix device is connected to an upstream network using PPPoE. This is typical for UK broadband connections where the physical connection is made by OpenReach (“Fibre To The X”) and common in some other localities as well: check with your ISP if this is you.

l2tp (Layer 2 Tunnelling Protocol) provides a service that tunnels PPP over the Internet. This may be used by some ISPs in conjunction with a DHCP uplink, or other more creative forms of network connection.

path modules/ppp/default.nix

  • service system.service.l2tp

    Service parameters

    • option debug

      log the contents of all control packets sent or received

      type boolean

    • option lcpEcho

      type unspecified

    • option lns

      hostname or address of the L2TP network server

      type string

    • option password

      password

      type null or string or function that evaluates to a(n) anything

    • option ppp-options

      options supplied on ppp command line

      type list of string

    • option username

      username

      type null or string or function that evaluates to a(n) anything

  • service system.service.pppoe

    Service parameters

    • option debug

      log the contents of all control packets sent or received

      type boolean

    • option interface

      ethernet interface to run PPPoE over

      type s6-rc service

    • option lcpEcho

      type unspecified

    • option password

      password

      type null or string or function that evaluates to a(n) anything

    • option ppp-options

      options supplied on ppp command line

      type list of string

    • option username

      username

      type null or string or function that evaluates to a(n) anything

Secrets

path modules/secrets/default.nix

  • service system.service.secrets.outboard

    fetch secrets from external vault with https

    Service parameters

    • option interval

      how often to check the source, in minutes

      type signed integer

    • option name

      service name

      type string

    • option password

      password for HTTP basic auth

      type null or string

    • option url

      source url

      type string matching the pattern https?://.*

    • option username

      username for HTTP basic auth

      type null or string

  • service system.service.secrets.subscriber

    wrapper around a service that needs notifying (e.g. restarting) when secrets change

    Service parameters

    • option action

      how do we notify the service to regenerate its config

      type one of “restart”, “restart-all”, “hup”, “int”, “quit”, “kill”, “term”, “winch”, “usr1”, “usr2”

      default

      restart-all
      
    • option service

      subscribing service that will receive notification

      type s6-rc service

    • option watch

      secrets paths to subscribe to

      type list of function that evaluates to a(n) anything

  • service system.service.secrets.tang

    fetch secrets from encrypted local pathname, using tang

    Service parameters

    • option interval

      how often to check the source, in minutes

      type signed integer

    • option name

      service name

      type string

    • option path

      encrypted source pathname

      type path

Secure Shell

Provide SSH service using Dropbear

path modules/ssh/default.nix

  • service system.service.ssh

    Service parameters

    • option address

      Listen on specified address

      type null or string

    • option allowLocalPortForward

      Enable local port forwarding

      type boolean

    • option allowPasswordLogin

      Allow login using password (disable for public key auth only)

      type boolean

    • option allowPasswordLoginForRoot

      Allow root to login using password (disable for public key auth only)

      type boolean

    • option allowRemoteConnectionToForwardedPorts

      Allow remote hosts to connect to local forwarded ports (by default they are bound to loopback)

      type boolean

    • option allowRemotePortForward

      Enable remote port forwarding

      type boolean

    • option allowRoot

      Allow root to login

      type boolean

    • option authorizedKeys

      Authorized SSH public keys for each username. If this option is provided it overrides any keys found in /home/{username}/.ssh

      type null or (attribute set of list of non-empty string) or function that evaluates to a(n) anything

    • option extraConfig

      type strings concatenated with “ ”

      default

      
      
    • option port

      Listen on specified TCP port

      type 16 bit unsigned integer; between 0 and 65535 (both inclusive)
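
A key-only Dropbear setup built from the Users options and the SSH service parameters listed above, given here as an added example that is not taken from the Liminix documentation. It assumes services are instantiated with `config.system.service.ssh.build`, that the file sits at the top of a Liminix checkout, and it uses a constructed user name, listen address and key placeholder.

```nix
# Added example: key-only SSH access for one non-root user.
# Assumptions (not stated on this page): the `.build` call on the service
# definition, the relative import path, and every sample value below.
{ config, ... }:
let
  svc = config.system.service;
in
{
  imports = [
    ./modules/ssh    # path as listed above, relative to the checkout (assumed)
  ];

  # Users are immutable: /etc/passwd and /etc/shadow are store symlinks,
  # so credentials are fixed at build time and cannot be changed with passwd.
  groups.admin = {
    gid = 1000;
    usernames = [ "admin" ];
  };

  users.admin = {
    uid = 1000;
    gid = 1000;
    gecos = "Device administrator";
    shell = "/bin/sh";
    # Documented default. "!!" is not a sha512crypt hash ($6$...), so no
    # password can match it; set it explicitly to make the intent visible.
    passwd = "!!";
  };

  services.sshd = svc.ssh.build {
    # Listen only on the LAN-side address (constructed sample value).
    address = "192.168.8.1";
    port = 22;

    # Public-key authentication only, for root and everyone else.
    allowPasswordLogin = false;
    allowPasswordLoginForRoot = false;
    allowRoot = false;

    # No tunnelling through the device unless it is actually needed.
    allowLocalPortForward = false;
    allowRemotePortForward = false;
    allowRemoteConnectionToForwardedPorts = false;

    # Overrides any keys found in /home/{username}/.ssh, so the set of
    # accepted keys is exactly what is written here.
    authorizedKeys = {
      admin = [
        "ssh-ed25519 AAAA...PLACEHOLDER-PUBLIC-KEY admin@example"
      ];
    };
  };
}
```

Because `authorizedKeys` takes precedence over per-user key files, reviewing this one attribute set is enough to audit who can log in to the built image.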

uevent-rule

path modules/uevent-rule/default.nix

  • service system.service.uevent-rule

    a service which starts other services based on device state (sysfs)

    Service parameters

    • option serviceName

      name of the service to run when the rule matches

      type string

    • option symlink

      create symlink targeted on devpath

      type null or string

    • option terms

      type attribute set

VLAN

Virtual LANs give you the ability to sub-divide a LAN. Linux can accept VLAN tagged traffic and presents each VLAN ID as a different network interface (e.g. eth0.100 for VLAN ID 100).

Some Liminix devices with multiple ethernet ports are implemented using a network switch connecting the physical ports to the CPU, and require using VLAN in order to send different traffic to different ports (e.g. LAN vs WAN).

path modules/vlan/default.nix

  • service system.service.vlan

    Service parameters

    • option ifname

      interface name to create

      type string

    • option primary

      existing physical interface

      type s6-rc service

    • option vid

      VLAN identifier (VID) in range 1-4094

      type string

Watchdog

Enable hardware watchdog (for devices that support one) and feed it by checking the health of specified critical services. If the watchdog feeder stops, the device will reboot.

path modules/watchdog/default.nix

  • service system.service.watchdog

    Service parameters

    • option headStart

      delay in seconds before watchdog starts checking service health

      type signed integer

    • option watched

      services to watch

      type list of s6-rc service