NGIpkgs Overview

2024-11-22T00:22:07Z

Aerogramme

https://nlnet.nl/project/Aerogramme

Packages

aerogramme-0.3.0
Version: 0.3.0

Alive2

https://nlnet.nl/project/Alive2

Packages

alive2-0-unstable-2024-09-23
Version: 0-unstable-2024-09-23

AtomicData

https://nlnet.nl/project/AtomicData

Packages

atomic-server-0.39.0
Version: 0.39.0

Options

services.atomic-server.enable
Description: Whether to enable Atomic Server.
Type: boolean
Default: false
services.atomic-server.settings
Description: Atomic Server configuration. Refer to https://docs.atomicdata.dev/atomicserver/installation#atomicserver-cli-options--env-vars for details on supported values. ATOMIC_CONFIG_DIR and ATOMIC_DATA_DIR are set automatically to work with NixOS Modules.
Type: unspecified value
Default: { }

Examples

  • Basic configuration, mainly used for testing purposes.

    {...}: {
      networking.firewall.allowedTCPPorts = [80];
    
      services = {
        atomic-server = {
          enable = true;
        };
      };
    }

CNSPRCY

https://nlnet.nl/project/CNSPRCY

Packages

cnsprcy-0.2.0
Version: 0.2.0

Cryptpad

https://nlnet.nl/project/Cryptpad

Packages

cryptpad-2024.9.1
Version: 2024.9.1

Options

services.cryptpad.configureNginx
Description: Configure Nginx as a reverse proxy for Cryptpad. Note that this makes some assumptions on your setup, and sets settings that will affect other virtualHosts running on your Nginx instance, if any. Alternatively you can configure a reverse-proxy of your choice.
Type: boolean
Default: false
services.cryptpad.enable
Description: Whether to enable cryptpad.
Type: boolean
Default: false
services.cryptpad.package
Description: The cryptpad package to use.
Type: package
Default: pkgs.cryptpad
services.cryptpad.settings
Description: Cryptpad configuration settings. See https://github.com/cryptpad/cryptpad/blob/main/config/config.example.js for a more extensive reference documentation. Test your deployed instance through https://<domain>/checkup/.
Type: JSON value
Default:
services.cryptpad.settings.adminKeys
Description: List of public signing keys of users that can access the admin panel
Type: list of string
Default: [ ]
services.cryptpad.settings.blockDailyCheck
Description: Disable telemetry. This setting is only effective if the ‘Disable server telemetry’ setting in the admin menu has been untouched, and will be ignored by cryptpad once that option is set either way. Note that due to the service confinement, just enabling the option in the admin menu will not be able to resolve DNS and fail; this setting must be set as well.
Type: boolean
Default: true
services.cryptpad.settings.httpAddress
Description: Address on which the Node.js server should listen
Type: string
Default: "127.0.0.1"
services.cryptpad.settings.httpPort
Description: Port on which the Node.js server should listen
Type: signed integer
Default: 3000
services.cryptpad.settings.httpSafeOrigin
Description: Cryptpad sandbox URL
Type: null or string
Default:
services.cryptpad.settings.httpUnsafeOrigin
Description: This is the URL that users will enter to load your instance
Type: string
Default: ""
services.cryptpad.settings.installMethod
Description: Install method is listed in telemetry if you agree to it through the consentToContact setting in the admin panel.
Type: string
Default: "nixos"
services.cryptpad.settings.logLevel
Description: Controls log level
Type: string
Default: "info"
services.cryptpad.settings.logToStdout
Description: Controls whether log output should go to stdout of the systemd service
Type: boolean
Default: true
services.cryptpad.settings.maxWorkers
Description: Number of child processes, defaults to number of cores available
Type: null or signed integer
Default: null
services.cryptpad.settings.websocketPort
Description: Port for the websocket that needs to be separate
Type: signed integer
Default: 3003

DMT-Core

https://nlnet.nl/project/DMT-Core

Packages

python3.12-dmt-core-2.1.0
Version: 2.1.0

Dokieli

https://nlnet.nl/project/Dokieli

Packages

dokieli-0-unstable-2024-09-23
Version: 0-unstable-2024-09-23

Flarum

https://nlnet.nl/project/Flarum

Packages

flarum-1.8.1
Version: 1.8.1

Options

services.flarum.adminEmail
Description: Email for first web application administrator
Type: string
Default: "admin@example.com"
services.flarum.adminUser
Description: Username for first web application administrator
Type: string
Default: "flarum"
services.flarum.baseUrl
Description: Change domain instead.
Type: string
Default: "http://localhost"
services.flarum.createDatabaseLocally
Description:

Create the database and database user locally, and run installation.

WARNING: Due to https://github.com/flarum/framework/issues/4018, this option is set to false by default. The ‘flarum install’ command may delete existing database tables. Only set this to true if you are certain you are working with a fresh, empty database.
Type: boolean
Default: false
services.flarum.database
Description: MySQL database parameters
Type: attribute set of (string or boolean or signed integer)
Default: { database = "flarum"; driver = "mysql"; host = "localhost"; password = ""; port = 3306; prefix = ""; strict = false; username = "flarum"; }
services.flarum.domain
Description: Domain to serve on.
Type: string
Default: "localhost"
services.flarum.enable
Description: Whether to enable Flarum discussion platform.
Type: boolean
Default: false
services.flarum.forumTitle
Description: Title of the forum.
Type: string
Default: "A Flarum Forum on NixOS"
services.flarum.group
Description: System group to run Flarum
Type: string
Default: "flarum"
services.flarum.initialAdminPassword
Description: Initial password for the adminUser
Type: string
Default: "flarum"
services.flarum.package
Description: The flarum package to use.
Type: package
Default: pkgs.flarum
services.flarum.stateDir
Description: Home directory for writable storage
Type: path
Default: "/var/lib/flarum"
services.flarum.user
Description: System user to run Flarum
Type: string
Default: "flarum"

Forgejo

https://nlnet.nl/project/Forgejo

Packages

forgejo-9.0.2
Version: 9.0.2

Options

services.forgejo.customDir
Description:

Base directory for custom templates and other options.

If services.forgejo.useWizard is disabled (default), this directory will also hold secrets and the resulting app.ini config at runtime.
Type: string
Default: "${config.services.forgejo.stateDir}/custom"
services.forgejo.database.createDatabase
Description: Whether to create a local database automatically.
Type: boolean
Default: true
services.forgejo.database.host
Description: Database host address.
Type: string
Default: "127.0.0.1"
services.forgejo.database.name
Description: Database name.
Type: string
Default: "forgejo"
services.forgejo.database.passwordFile
Description: A file containing the password corresponding to services.forgejo.database.user.
Type: null or path
Default: null
services.forgejo.database.path
Description: Path to the sqlite3 database file.
Type: string
Default: "${config.services.forgejo.stateDir}/data/forgejo.db"
services.forgejo.database.port
Description: Database host port.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: if config.services.forgejo.database.type != "postgresql" then 3306 else 5432
services.forgejo.database.socket
Description: Path to the unix socket file to use for authentication.
Type: null or path
Default: null
services.forgejo.database.type
Description: Database engine to use.
Type: one of "sqlite3", "mysql", "postgres"
Default: "sqlite3"
services.forgejo.database.user
Description: Database user.
Type: string
Default: "forgejo"
services.forgejo.dump.backupDir
Description: Path to the directory where the dump archives will be stored.
Type: string
Default: "${config.services.forgejo.stateDir}/dump"
services.forgejo.dump.enable
Description: Whether to enable periodic dumps via the built-in dump command.
Type: boolean
Default: false
services.forgejo.dump.file
Description: Filename to be used for the dump. If null a default name is chosen by forgejo.
Type: null or string
Default: null
services.forgejo.dump.interval
Description:

Run a Forgejo dump at this interval. Runs by default at 04:31 every day.

The format is described in systemd.time(7).
Type: string
Default: "04:31"
services.forgejo.dump.type
Description: Archive format used to store the dump file.
Type: one of "zip", "tar", "tar.sz", "tar.gz", "tar.xz", "tar.bz2", "tar.br", "tar.lz4", "tar.zst"
Default: "zip"
services.forgejo.enable
Description: Whether to enable Forgejo, a software forge.
Type: boolean
Default: false
services.forgejo.group
Description: Group under which Forgejo runs.
Type: string
Default: "forgejo"
services.forgejo.lfs.contentDir
Description: Where to store LFS files.
Type: string
Default: "${config.services.forgejo.stateDir}/data/lfs"
services.forgejo.lfs.enable
Description: Enables git-lfs support.
Type: boolean
Default: false
services.forgejo.package
Description: The forgejo-lts package to use.
Type: package
Default: pkgs.forgejo-lts
services.forgejo.repositoryRoot
Description: Path to the git repositories.
Type: string
Default: "${config.services.forgejo.stateDir}/repositories"
services.forgejo.secrets
Description:

This is a small wrapper over systemd’s LoadCredential.

It takes the same sections and keys as services.forgejo.settings, but the value of each key is a path instead of a string or bool.

The path is then loaded as a credential, exported as an environment variable and then fed through https://codeberg.org/forgejo/forgejo/src/branch/forgejo/contrib/environment-to-ini/environment-to-ini.go.

It does the required environment variable escaping for you.

Keys specified here take priority over the ones in services.forgejo.settings!

Type: attribute set of attribute set of path
Default: { }
services.forgejo.settings
Description: Free-form settings written directly to the app.ini config file. Refer to https://forgejo.org/docs/latest/admin/config-cheat-sheet/ for supported values.
Type: attribute set of section of an INI file (attrs of INI atom (null, bool, int, float or string))
Default: { }
services.forgejo.settings.log.LEVEL
Description: General log level.
Type: one of "Trace", "Debug", "Info", "Warn", "Error", "Critical"
Default: "Info"
services.forgejo.settings.log.ROOT_PATH
Description: Root path for log files.
Type: string
Default: "${config.services.forgejo.stateDir}/log"
services.forgejo.settings.server.DISABLE_SSH
Description: Disable external SSH feature.
Type: boolean
Default: false
services.forgejo.settings.server.DOMAIN
Description: Domain name of your server.
Type: string
Default: "localhost"
services.forgejo.settings.server.HTTP_ADDR
Description: Listen address. Must be a path when using a unix socket.
Type: string or path
Default: if lib.hasSuffix "+unix" cfg.settings.server.PROTOCOL then "/run/forgejo/forgejo.sock" else "0.0.0.0"
services.forgejo.settings.server.HTTP_PORT
Description: Listen port. Ignored when using a unix socket.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 3000
services.forgejo.settings.server.PROTOCOL
Description: Listen protocol. +unix means “over unix”, not “in addition to.”
Type: one of "http", "https", "fcgi", "http+unix", "fcgi+unix"
Default: "http"
services.forgejo.settings.server.ROOT_URL
Description: Full public URL of Forgejo server.
Type: string
Default: "http://${config.services.forgejo.settings.server.DOMAIN}:${toString config.services.forgejo.settings.server.HTTP_PORT}/"
services.forgejo.settings.server.SSH_PORT
Description: SSH port displayed in clone URL. The option is required to configure a service when the external visible port differs from the local listening port i.e. if port forwarding is used.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 22
services.forgejo.settings.server.STATIC_ROOT_PATH
Description: Upper level of template and static files path.
Type: string or path
Default: config.services.forgejo.package.data
services.forgejo.settings.session.COOKIE_SECURE
Description: Marks session cookies as “secure” as a hint for browsers to only send them via HTTPS. This option is recommended if Forgejo is being served over HTTPS.
Type: boolean
Default: false
services.forgejo.stateDir
Description: Forgejo data directory.
Type: string
Default: "/var/lib/forgejo"
services.forgejo.useWizard
Description: Whether to use the built-in installation wizard instead of declaratively managing the app.ini config file in nix.
Type: boolean
Default: false
services.forgejo.user
Description: User account under which Forgejo runs.
Type: string
Default: "forgejo"

GNUTaler

https://nlnet.nl/project/GNUTaler

Packages

anastasis-0.4.1
Version: 0.4.1
anastasis-gtk-0.4.1
Version: 0.4.1
libeufin-0.13.0
Version: 0.13.0
taldir-0-unstable-2024-02-18
Version: 0-unstable-2024-02-18
taler-depolymerization-0-unstable-2024-06-17
Version: 0-unstable-2024-06-17
taler-exchange-0.13.0
Version: 0.13.0
taler-mdb-0.13.0
Version: 0.13.0
taler-merchant-0.13.0
Version: 0.13.0
taler-sync-0.13.1
Version: 0.13.1
taler-wallet-core-0.13.3
Version: 0.13.3
twister-0.9.4
Version: 0.9.4

Gancio

https://nlnet.nl/project/Gancio

Packages

gancio-1.19.4
Version: 1.19.4

Options

services.gancio.enable
Description: Whether to enable Gancio, a shared agenda for local communities.
Type: boolean
Default: false
services.gancio.nginx
Description: Extra configuration for the nginx virtual host of gancio.
Type: submodule
Default: { }
services.gancio.nginx.acmeFallbackHost
Description:

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.
Type: null or string
Default: null
services.gancio.nginx.acmeRoot
Description: Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.
Type: null or string
Default: "/var/lib/acme/acme-challenge"
services.gancio.nginx.addSSL
Description: Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default: false
services.gancio.nginx.basicAuth
Description:

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.
Type: attribute set of string
Default: { }
services.gancio.nginx.basicAuthFile
Description: Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.
Type: null or path
Default: null
services.gancio.nginx.default
Description: Makes this vhost the default.
Type: boolean
Default: false
services.gancio.nginx.enableACME
Description: Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.
Type: boolean
Default: true
services.gancio.nginx.extraConfig
Description: These lines go to the end of the vhost verbatim.
Type: strings concatenated with "\n"
Default: ""
services.gancio.nginx.forceSSL
Description: Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default: true
services.gancio.nginx.globalRedirect
Description: If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.
Type: null or string
Default: null
services.gancio.nginx.http2
Description: Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.
Type: boolean
Default: true
services.gancio.nginx.http3
Description: Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.
Type: boolean
Default: true
services.gancio.nginx.http3_hq
Description: Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/
Type: boolean
Default: false
services.gancio.nginx.kTLS
Description: Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.
Type: boolean
Default: false
services.gancio.nginx.listen
Description:

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.
Type: list of (submodule)
Default: [ ]
services.gancio.nginx.listen.*.addr
Description: Listen address.
Type: string
Default:
services.gancio.nginx.listen.*.extraParameters
Description: Extra parameters of this listen directive.
Type: list of string
Default: [ ]
services.gancio.nginx.listen.*.port
Description: Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: null
services.gancio.nginx.listen.*.proxyProtocol
Description: Enable PROXY protocol.
Type: boolean
Default: false
services.gancio.nginx.listen.*.ssl
Description: Enable SSL.
Type: boolean
Default: false
services.gancio.nginx.listenAddresses
Description:

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6
Type: list of string
Default: [ ]
services.gancio.nginx.locations
Description: Declarative location config
Type: attribute set of (submodule)
Default: { }
services.gancio.nginx.locations.<name>.alias
Description: Alias directory for requests.
Type: null or path
Default: null
services.gancio.nginx.locations.<name>.basicAuth
Description:

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.
Type: attribute set of string
Default: { }
services.gancio.nginx.locations.<name>.basicAuthFile
Description: Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.
Type: null or path
Default: null
services.gancio.nginx.locations.<name>.extraConfig
Description: These lines go to the end of the location verbatim.
Type: strings concatenated with "\n"
Default: ""
services.gancio.nginx.locations.<name>.fastcgiParams
Description: FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.
Type: attribute set of (string or path)
Default: { }
services.gancio.nginx.locations.<name>.index
Description: Adds index directive.
Type: null or string
Default: null
services.gancio.nginx.locations.<name>.priority
Description: Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.
Type: signed integer
Default: 1000
services.gancio.nginx.locations.<name>.proxyPass
Description: Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.
Type: null or string
Default: null
services.gancio.nginx.locations.<name>.proxyWebsockets
Description: Whether to support proxying websocket connections with HTTP/1.1.
Type: boolean
Default: false
services.gancio.nginx.locations.<name>.recommendedProxySettings
Description: Enable recommended proxy settings.
Type: boolean
Default: config.services.nginx.recommendedProxySettings
services.gancio.nginx.locations.<name>.return
Description: Adds a return directive, for e.g. redirections.
Type: null or string or signed integer
Default: null
services.gancio.nginx.locations.<name>.root
Description: Root directory for requests.
Type: null or path
Default: null
services.gancio.nginx.locations.<name>.tryFiles
Description: Adds try_files directive.
Type: null or string
Default: null
services.gancio.nginx.onlySSL
Description: Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.
Type: boolean
Default: false
services.gancio.nginx.quic
Description: Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/
Type: boolean
Default: false
services.gancio.nginx.redirectCode
Description: HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.
Type: integer between 300 and 399 (both inclusive)
Default: 301
services.gancio.nginx.rejectSSL
Description: Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.
Type: boolean
Default: false
services.gancio.nginx.reuseport
Description: Create an individual listening socket. It is required to specify only once on one of the hosts.
Type: boolean
Default: false
services.gancio.nginx.root
Description: The path of the web root directory.
Type: null or path
Default: null
services.gancio.nginx.serverAliases
Description: Additional names of virtual hosts served by this virtual host configuration.
Type: list of string
Default: [ ]
services.gancio.nginx.serverName
Description: Name of this virtual host. Defaults to attribute name in virtualHosts.
Type: null or string
Default: null
services.gancio.nginx.sslCertificate
Description: Path to server SSL certificate.
Type: path
Default:
services.gancio.nginx.sslCertificateKey
Description: Path to server SSL certificate key.
Type: path
Default:
services.gancio.nginx.sslTrustedCertificate
Description: Path to root SSL certificate for stapling and client certificates.
Type: null or path
Default: null
services.gancio.nginx.useACMEHost
Description: A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor does it add subdomains to existing ones – you will need to create them manually using .
Type: null or string
Default: null
services.gancio.package
Description: The gancio package to use.
Type: package
Default: pkgs.gancio
services.gancio.plugins
Description: Paths of gancio plugins to activate (linked under $WorkingDirectory/plugins/).
Type: list of package
Default: [ ]
services.gancio.settings
Description: Configuration for Gancio, see https://gancio.org/install/config for supported values.
Type: JSON value
Default:
services.gancio.settings.baseurl
Description: The full URL under which the server is reachable.
Type: string
Default: "https://${cfg.settings.hostname}"
services.gancio.settings.db.database
Description: Name of the PostgreSQL database
Type: null or string
Default: '' if cfg.settings.db.dialect == "postgres" then cfg.user else null ''
services.gancio.settings.db.dialect
Description: The database dialect to use
Type: one of "sqlite", "postgres"
Default: "sqlite"
services.gancio.settings.db.host
Description: Connection string for the PostgreSQL database
Type: null or string
Default: '' if cfg.settings.db.dialect == "postgres" then "/run/postgresql" else null ''
services.gancio.settings.db.storage
Description: Location for the SQLite database.
Type: null or string
Default: '' if cfg.settings.db.dialect == "sqlite" then "/var/lib/gancio/db.sqlite" else null ''
services.gancio.settings.hostname
Description: The domain name under which the server is reachable.
Type: string
Default:
services.gancio.settings.log_level
Description: Gancio log level.
Type: one of "debug", "info", "warning", "error"
Default: "info"
services.gancio.settings.log_path
Description: Directory Gancio logs into
Type: string
Default: "/var/log/gancio"
services.gancio.settings.server.socket
Description: The unix socket for the gancio server to listen on.
Type: path
Default: "/run/gancio/socket"
services.gancio.user
Description: The user (and PostgreSQL database name) used to run the gancio server
Type: string
Default: "gancio"
services.gancio.userLocale
Description: Override default locales within gancio. See https://framagit.org/les/gancio/tree/master/locales.
Type: attribute set of attribute set of attribute set of string
Default: { }

Kbin

https://nlnet.nl/project/Kbin

Packages

kbin
Version: 0.0.1
kbin-0.0.1
Version: 0.0.1
kbin-frontend-0.0.1
Version: 0.0.1

Options

services.kbin.domain
Description: Domain to serve on.
Type: string
Default: "localhost"
services.kbin.enable
Description: Whether to enable Kbin.
Type: boolean
Default: false
services.kbin.group
Description: Primary group of the user running Kbin.
Type: string
Default: "kbin"
services.kbin.package
Description: The kbin package to use.
Type: package
Default: pkgs.kbin
services.kbin.secrets
Description: Paths to files containing secrets, keyed by the respective environment variable.
Type: attribute set of (null or path)
Default: { }
services.kbin.secrets.APP_SECRET
Description: Path to a file that contains the secret APP_SECRET.
Type: null or path
Default: null
services.kbin.secrets.MERCURE_JWT_SECRET
Description: Path to a file that contains the secret MERCURE_JWT_SECRET.
Type: null or path
Default: null
services.kbin.secrets.OAUTH_ENCRYPTION_KEY
Description: Path to a file that contains the secret OAUTH_ENCRYPTION_KEY.
Type: null or path
Default: null
services.kbin.secrets.OAUTH_PASSPHRASE
Description: Path to a file that contains the secret OAUTH_PASSPHRASE.
Type: null or path
Default: null
services.kbin.secrets.POSTGRES_PASSWORD
Description: Path to a file that contains the secret POSTGRES_PASSWORD.
Type: null or path
Default: null
services.kbin.secrets.RABBITMQ_PASSWORD
Description: Path to a file that contains the secret RABBITMQ_PASSWORD.
Type: null or path
Default: null
services.kbin.secrets.REDIS_PASSWORD
Description: Path to a file that contains the secret REDIS_PASSWORD.
Type: null or path
Default: null
services.kbin.settings
Description: Environment variables used to configure Kbin.
Type: attribute set of string
Default:
services.kbin.user
Description: User to run Kbin as.
Type: string
Default: "kbin"

Examples

  • Basic configuration, mainly used for testing purposes.

    {...}: {
      networking.firewall.allowedTCPPorts = [80];
    
      services = {
        kbin = {
          enable = true;
          # settings.APP_DEBUG = "1";
        };
    
        postgresql = {
          enable = true;
          authentication = "host all all 127.0.0.1/32 trust";
          ensureUsers = [
            {
              name = "kbin";
              ensureDBOwnership = true;
            }
          ];
          ensureDatabases = ["kbin"];
          enableTCPIP = true;
        };
      };
    }

LiberaForms-E2EE

https://nlnet.nl/project/LiberaForms-E2EE

Packages

liberaforms
Version: 3.1.1

Options

services.liberaforms.bind
Description: Bind address to be used by gunicorn.
Type: string
Default: "127.0.0.1:5000"
services.liberaforms.cryptoKeyFile
Description: A file that contains a key to encrypt files uploaded to liberaforms. Created at default location by liberaforms-init script with flask cryptokey create.
Type: string
Default: "/etc/liberaforms/crypto.key"
services.liberaforms.dbHost
Description: Hostname of postgres database.
Type: string
Default: "localhost"
services.liberaforms.dbPasswordFile
Description: A file that contains a password for the liberaforms user in postgres, must be set. Created at default location by liberaforms-init script with openssl rand -base64 32.
Type: string
Default: "/etc/liberaforms/db-password.key"
services.liberaforms.defaultLang
Description: Default language of LiberaForms.
Type: string
Default: "en"
services.liberaforms.domain
Description: Domain for LiberaForms instance.
Type: string
Default: "liberaforms.local"
services.liberaforms.enable
Description: Whether to enable LiberaForms server.
Type: boolean
Default: false
services.liberaforms.enableDatabaseBackup
Description: Whether to enable Cron job for pg_dump.
Type: boolean
Default: false
services.liberaforms.enableHTTPS
Description: Whether to enable HTTPS for connections to nginx.
Type: boolean
Default: false
services.liberaforms.enableNginx
Description: Whether to enable Nginx reverse proxy web server.
Type: boolean
Default: false
services.liberaforms.enablePostgres
Description: Whether to enable Postgres database.
Type: boolean
Default: false
services.liberaforms.extraConfig
Description: Extra configuration for LiberaForms to be appended to the configuration. See https://gitlab.com/liberaforms/liberaforms/-/blob/develop/dotenv.example for all options.
Type: strings concatenated with "\n"
Default: ""
services.liberaforms.flaskConfig
Description: Sets the config to use (see config.py). Can be ‘production’ or ‘development’.
Type: string
Default: "production"
services.liberaforms.flaskEnv
Description: Sets the Flask running mode. Can be ‘production’ or ‘development’.
Type: string
Default: "production"
services.liberaforms.package
Description: LiberaForms package to use.
Type: package
Default: <LiberaForms flake>.packages.<system>.default
services.liberaforms.rootEmail
Description: Email address used for root user of LiberaForms.
Type: string
Default: ""
services.liberaforms.secretKeyFile
Description: A file that contains the server secret for safe session cookies, must be set. Created at default location by liberaforms-init script with openssl rand -base64 32.
Type: string
Default: "/etc/liberaforms/secret.key"
services.liberaforms.sessionType
Description: Session management backend (see docs/INSTALL).
Type: string
Default: "filesystem"
services.liberaforms.workDir
Description: Path to the working directory for LiberaForms.
Type: string
Default: "/var/lib/liberaforms"
services.liberaforms.workers
Description: The number of gunicorn worker processes for handling requests.
Type: signed integer
Default: 3

Libervia

https://nlnet.nl/project/Libervia

Packages

python3.12-doubleratchet-1.1.0
Version: 1.1.0
python3.12-helium-5.1.0
Version: 5.1.0
python3.12-kivy-garden-modernmenu-0-unstable-2019-12-10
Version: 0-unstable-2019-12-10
libervia-backend-0.8.0-unstable-2024-10-26
Version: 0.8.0-unstable-2024-10-26
libervia-desktop-kivy-0.8.0-unstable-2024-10-26
Version: 0.8.0-unstable-2024-10-26
libervia-media-0.8.0-unstable-2024-10-26
Version: 0.8.0-unstable-2024-10-26
python3.12-libervia-templates-0.8.0-unstable-2024-10-26
Version: 0.8.0-unstable-2024-10-26
libxeddsa-2.0.0
Version: 2.0.0
python3.12-oldmemo-1.1.0
Version: 1.1.0
python3.12-omemo-1.2.0
Version: 1.2.0
python3.12-sat-tmp-0.8.0
Version: 0.8.0
python3.12-twomemo-1.1.0
Version: 1.1.0
python3.12-urwid-satext-0.8.0-unstable-2023-04-08
Version: 0.8.0-unstable-2023-04-08
python3.12-wokkel-18.0.0
Version: 18.0.0
python3.12-x3dh-1.1.0
Version: 1.1.0
python3.12-xeddsa-1.1.0
Version: 1.1.0

Options

programs.libervia.enable
Description: Whether to enable Libervia.
Type: boolean
Default: false

Examples

  • Enables the use of Libervia’s CLI, TUI and GUI (kivy) clients.

    {...}: {
      programs.libervia.enable = true;
    }

Libre-SOC-OpenPOWER-ISA

https://nlnet.nl/project/Libre-SOC-OpenPOWER-ISA

Packages

python3.9-soc
Version: unstable-2024-03-31
libresoc.v
Version: unstable-2024-03-31

Naja

https://nlnet.nl/project/Naja

Packages

naja-0-unstable-2024-08-27
Version: 0-unstable-2024-08-27

Omnom

https://nlnet.nl/project/Omnom

Packages

omnom-0-unstable-2024-08-29
Version: 0-unstable-2024-08-29

Openfire-IPv6

https://nlnet.nl/project/Openfire-IPv6

Packages

openfire-4.9.0
Version: 4.9.0

Options

services.openfire-server.autoUpdateState
Description:

When enabled, the state directory will be automatically updated to match the installed package version.

For manually doing this, please refer to the Openfire Upgrade Guide.
Type: boolean
Default: true
services.openfire-server.dataDir
Description: Where to load readonly data from.
Type: string
Default: "${config.services.openfire.package}/opt"
services.openfire-server.enable
Description: Whether to enable Openfire XMPP server.
Type: boolean
Default: false
services.openfire-server.openFirewall
Description: Whether to open ports in the firewall for the server.
Type: boolean
Default: false
services.openfire-server.package
Description: The openfire package to use.
Type: package
Default: pkgs.openfire
services.openfire-server.securePort
Description: The port on which Openfire should listen for secure Admin Console access.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 9091
services.openfire-server.servicePort
Description: The port on which Openfire should listen for insecure Admin Console access.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 9090
services.openfire-server.stateDir
Description:

Where to store runtime data (logs, plugins, …).

If left at the default, this will be automatically created on server startup if it does not already exist. If changed, it is the admin’s responsibility to make sure that the directory exists and is writeable by the openfire user.
Type: string
Default: "/var/lib/openfire"

Examples

  • Basic configuration, mainly used for testing purposes.

    {...}: {
      services.openfire-server = {
        enable = true;
        openFirewall = true;
      };
    }

PeerTube

https://nlnet.nl/project/PeerTube

Packages

peertube-plugin-akismet-0.1.1
Version: 0.1.1
peertube-plugin-auth-ldap-0.0.12
Version: 0.0.12
peertube-plugin-auth-openid-connect-0.1.1
Version: 0.1.1
peertube-plugin-auth-saml2-0.0.8
Version: 0.0.8
peertube-plugin-auto-block-videos-0.0.2
Version: 0.0.2
peertube-plugin-auto-mute-0.0.6
Version: 0.0.6
peertube-plugin-hello-world-0.0.22
Version: 0.0.22
peertube-plugin-livechat-10.1.2
Version: 10.1.2
peertube-plugin-logo-framasoft-0.0.1
Version: 0.0.1
peertube-plugin-matomo-1.0.2
Version: 1.0.2
peertube-plugin-privacy-remover-0.0.1
Version: 0.0.1
peertube-plugin-transcoding-custom-quality-0.1.0
Version: 0.1.0
peertube-plugin-transcoding-profile-debug-0.0.5
Version: 0.0.5
peertube-plugin-video-annotation-0.0.8
Version: 0.0.8
peertube-theme-background-red-0.0.4
Version: 0.0.4
peertube-theme-dark-2.5.0
Version: 2.5.0
peertube-theme-framasoft-0.0.1
Version: 0.0.1

Options

services.peertube.configureNginx
Description: Configure nginx as a reverse proxy for peertube.
Type: boolean
Default: false
services.peertube.dataDirs
Description: Allow access to custom data locations.
Type: list of path
Default: [ ]
services.peertube.database.createLocally
Description: Configure local PostgreSQL database server for PeerTube.
Type: boolean
Default: false
services.peertube.database.host
Description: Database host address or unix socket.
Type: string
Default: if config.services.peertube.database.createLocally then "/run/postgresql" else null
services.peertube.database.name
Description: Database name.
Type: string
Default: "peertube"
services.peertube.database.passwordFile
Description: Password for PostgreSQL database.
Type: null or path
Default: null
services.peertube.database.port
Description: Database host port.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 5432
services.peertube.database.user
Description: Database user.
Type: string
Default: "peertube"
services.peertube.enable
Description: Whether to enable Peertube.
Type: boolean
Default: false
services.peertube.enableWebHttps
Description: Whether clients will access your PeerTube instance with HTTPS. Does NOT configure the PeerTube webserver itself to listen for incoming HTTPS connections.
Type: boolean
Default: false
services.peertube.group
Description: Group under which Peertube runs.
Type: string
Default: "peertube"
services.peertube.listenHttp
Description: The port that the local PeerTube web server will listen on.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 9000
services.peertube.listenWeb
Description: The public-facing port that PeerTube will be accessible at (likely 80 or 443 if running behind a reverse proxy). Clients will try to access PeerTube at this port.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 9000
services.peertube.localDomain
Description: The domain serving your PeerTube instance.
Type: string
Default:
services.peertube.package
Description: PeerTube package to use.
Type: package
Default: pkgs.peertube
services.peertube.plugins.enable
Description: Whether to enable declarative plugin management for PeerTube.
Type: boolean
Default: false
services.peertube.plugins.package
Description: Base PeerTube package to use when using declarative plugin management. This overrides services.peertube.package.
Type: package
Default: pkgs.peertube
services.peertube.plugins.plugins
Description: List of packages with peertube plugins that should be added.
Type: list of package
Default: [ ]
services.peertube.redis.createLocally
Description: Configure local Redis server for PeerTube.
Type: boolean
Default: false
services.peertube.redis.enableUnixSocket
Description: Use Unix socket.
Type: boolean
Default: config.services.peertube.redis.createLocally
services.peertube.redis.host
Description: Redis host.
Type: null or string
Default: if config.services.peertube.redis.createLocally && !config.services.peertube.redis.enableUnixSocket then "127.0.0.1" else null
services.peertube.redis.passwordFile
Description: Password for redis database.
Type: null or path
Default: null
services.peertube.redis.port
Description: Redis port.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: if config.services.peertube.redis.createLocally && config.services.peertube.redis.enableUnixSocket then null else 6379
services.peertube.secrets.secretsFile
Description: Secrets to run PeerTube. Generate one using openssl rand -hex 32
Type: null or path
Default: null
services.peertube.serviceEnvironmentFile
Description: Set environment variables for the service. Mainly useful for setting the initial root password. For example write to file: PT_INITIAL_ROOT_PASSWORD=changeme
Type: null or path
Default: null
services.peertube.settings
Description: Configuration for peertube.
Type: JSON value
Default:
services.peertube.smtp.createLocally
Description: Configure local Postfix SMTP server for PeerTube.
Type: boolean
Default: false
services.peertube.smtp.passwordFile
Description: Password for smtp server.
Type: null or path
Default: null
services.peertube.user
Description: User account under which Peertube runs.
Type: string
Default: "peertube"

Examples

  • Basic configuration, mainly used for testing purposes.

    {
      config,
      pkgs,
      ...
    }: let
      storageBase = "/var/lib/peertube";
      storageDir = subdir: "${storageBase}/${subdir}/";
    in {
      environment = {
        # Sets the initial password of the root user to a fixed value. Make sure to change the password afterwards!
        etc."peertube-envvars".text = ''
          PT_INITIAL_ROOT_PASSWORD=changeme
        '';
      };
    
      services.peertube = {
        enable = true;
    
        # The system user & their group under which peertube will run
        user = "peertube";
        group = "peertube";
    
        # Do *NOT* use this in production, follow the docs and properly generate a secret here! i.e. using the output of:
        # openssl rand -hex 32
        # https://docs.joinpeertube.org/install/any-os#peertube-configuration
        secrets.secretsFile = pkgs.writeText "secrets.txt" "secrets";
    
        # Configure locally-running instances of redis server & database.
        database.createLocally = true;
        redis.createLocally = true;
    
        # Where we're running
        localDomain = "localhost";
        listenWeb = 9000;
    
        # Example settings, adjust as desired
        settings = {
          listen = {
            hostname = "0.0.0.0";
          };
          log = {
            level = "debug";
          };
          storage = {
            tmp = storageDir "tmp";
            logs = storageDir "logs";
            cache = storageDir "cache";
            plugins = storageDir "plugins";
          };
        };
    
        plugins = {
          enable = true;
    
          # The plugins you wish to use.
          plugins = with pkgs; [
            peertube-plugin-akismet
            peertube-plugin-auth-ldap
            peertube-plugin-auth-openid-connect
            peertube-plugin-auth-saml2
            peertube-plugin-auto-block-videos
            peertube-plugin-auto-mute
            peertube-plugin-hello-world
            peertube-plugin-logo-framasoft
            peertube-plugin-matomo
            peertube-plugin-privacy-remover
            peertube-plugin-transcoding-custom-quality
            peertube-plugin-transcoding-profile-debug
            peertube-plugin-video-annotation
            peertube-theme-background-red
            peertube-theme-dark
            peertube-theme-framasoft
    
            peertube-plugin-livechat
          ];
        };
    
        # For initial password
        serviceEnvironmentFile = "/etc/peertube-envvars";
      };
    
      systemd.tmpfiles.settings = let
        dirArgs = {
          mode = "0700";
          inherit (config.services.peertube) user group;
        };
      in {
        "99-peertube-plugins-test-setup" = {
          "${storageBase}".d = dirArgs;
          "${storageDir "tmp"}".d = dirArgs;
          "${storageDir "logs"}".d = dirArgs;
          "${storageDir "cache"}".d = dirArgs;
          "${storageDir "plugins"}".d = dirArgs;
        };
      };
    }

Pretalx

https://nlnet.nl/project/Pretalx

Packages

pretalx-2024.3.1
Version: 2024.3.1

Options

services.ngi-pretalx.celery.backendFile
Description: Path to a file that contains the location (connection URI) of the Celery backend. If you use a standard Redis-based setup, the file should contain redis://127.0.0.1/1 or similar. Check the documentation at https://docs.celeryq.dev/en/stable/getting-started/backends-and-brokers/redis.html. Consider using a secret managing scheme such as agenix or sops-nix to generate this file.
Type: null or path
Default: null
services.ngi-pretalx.celery.brokerFile
Description: Path to a file that contains the location (connection URI) of the Celery broker. If you use a standard Redis-based setup, the file should contain redis://127.0.0.1/2 or similar. Check the documentation at https://docs.celeryq.dev/en/stable/getting-started/backends-and-brokers/redis.html. Consider using a secret managing scheme such as agenix or sops-nix to generate this file.
Type: null or path
Default: null
services.ngi-pretalx.celery.enable
Description: Whether to enable support for Celery.
Type: boolean
Default: false
services.ngi-pretalx.celery.extraArgs
Description: Extra arguments to pass to celery. See https://docs.celeryq.dev/en/stable/reference/cli.html#celery-worker for more info.
Type: list of string
Default: [ ]
services.ngi-pretalx.database.backend
Description: The default is SQLite (“sqlite3”), which is not a production database. Please use a database like PostgreSQL (“postgresql”) or MySQL (“mysql”).
Type: one of "postgresql", "mysql", "sqlite3"
Default: "sqlite3"
services.ngi-pretalx.database.host
Description: Database host, or path to a socket (if you use PostgreSQL or MySQL). For local PostgreSQL authentication, you can leave this variable empty.
Type: null or string
Default: null
services.ngi-pretalx.database.name
Description: Database name. If you use SQLite, this is the filesystem path to the database file.
Type: string
Default: "pretalx"
services.ngi-pretalx.database.passwordFile
Description: Path to a file containing the database password. If you use PostgreSQL, consider using its peer authentication and not setting a password. Consider using a secret managing scheme such as agenix or sops-nix to generate this file.
Type: null or path
Default: null
services.ngi-pretalx.database.port
Description: Database port (e.g. 5432 for PostgreSQL or 3306 for MySQL).
Type: null or signed integer
Default: null
services.ngi-pretalx.database.user
Description: Database user that pretalx should connect as.
Type: null or string
Default: null
services.ngi-pretalx.enable
Description: Whether to enable pretalx server.
Type: boolean
Default: false
services.ngi-pretalx.extraConfig
Description: Extra configuration to be appended to the generated pretalx configuration file. See https://docs.pretalx.org/administrator/configure.html for all options.
Type: attribute set
Default: { }
services.ngi-pretalx.filesystem.data
Description: Path that is the base for all other directories (see options media, static, logs). Unless you have a compelling reason to keep other files apart, setting this option is the easiest way to configure file storage.
Type: path
Default: "/var/lib/pretalx/data"
services.ngi-pretalx.filesystem.logs
Description: Directory that contains logged data. It needs to be writable by the pretalx process.
Type: string
Default: "/var/lib/pretalx/data/logs"
services.ngi-pretalx.filesystem.media
Description: Directory that contains user generated files. It needs to be writable by the pretalx process.
Type: string
Default: "/var/lib/pretalx/data/media"
services.ngi-pretalx.filesystem.static
Description: Directory that contains static files. It needs to be writable by the pretalx process. pretalx will put files there.
Type: string
Default: "${config.services.ngi-pretalx.package.static}"
services.ngi-pretalx.group
Description: Group that contains the system user that executes pretalx.
Type: string
Default: "pretalx"
services.ngi-pretalx.gunicorn.extraArgs
Description: Command line arguments passed to Gunicorn server.
Type: string
Default: "--workers=4 --max-requests=1200 --max-requests-jitter=50 --log-level=error"
services.ngi-pretalx.init.admin.email
Description: E-mail address of the administrator.
Type: string
Default:
services.ngi-pretalx.init.admin.passwordFile
Description: Path to a file containing the administrator password. Consider using a secret managing scheme such as agenix or sops-nix to generate this file.
Type: path
Default:
services.ngi-pretalx.init.organiser.name
Description: Name of the conference organiser.
Type: string
Default:
services.ngi-pretalx.init.organiser.slug
Description: Slug of the conference organiser (to be used in URLs).
Type: string
Default:
services.ngi-pretalx.locale.language_code
Description: Default locale.
Type: string
Default: "en"
services.ngi-pretalx.locale.time_zone
Description:

Default time zone as a pytz name.

You can use the following code to generate the full list of timezone names:

    import pytz

    print(pytz.all_timezones)
Type: string
Default: "UTC"
services.ngi-pretalx.logging.email
Description: E-mail address (or comma-separated list of addresses) to send system logs to.
Type: string
Default:
services.ngi-pretalx.logging.email_level
Description: Log level to start sending emails at.
Type: one of "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"
Default: "ERROR"
services.ngi-pretalx.logging.enable
Description: Whether to enable support for logging.
Type: boolean
Default: false
services.ngi-pretalx.mail.enable
Description: Enable sending e-mails from pretalx.
Type: boolean
Default: true
services.ngi-pretalx.mail.from
Description: Fall-back sender address, e.g. for when pretalx sends event-independent e-mails.
Type: string
Default: "admin@localhost"
services.ngi-pretalx.mail.host
Description: Hostname of the SMTP server for sending e-mails.
Type: string
Default: "localhost"
services.ngi-pretalx.mail.passwordFile
Description: Path to a file containing the password for SMTP server authentication. Consider using a secret managing scheme such as agenix or sops-nix to generate this file.
Type: path
Default:
services.ngi-pretalx.mail.port
Description: TCP port of the SMTP server for sending e-mails.
Type: signed integer
Default: 25
services.ngi-pretalx.mail.ssl
Description: Whether to use SSL for sending mail.
Type: boolean
Default: true
services.ngi-pretalx.mail.tls
Description: Whether to use TLS for sending mail.
Type: boolean
Default: false
services.ngi-pretalx.mail.user
Description: Username for SMTP server authentication.
Type: string
Default:
services.ngi-pretalx.nginx
Description: nginx virtualHost settings.
Type: submodule
Default: { }
services.ngi-pretalx.nginx.acmeFallbackHost
Description:

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.
Type: null or string
Default: null
services.ngi-pretalx.nginx.acmeRoot
Description: Directory for the ACME challenge, which is public. Don’t put certs or keys in here. Set to null to inherit from config.security.acme.
Type: null or string
Default: "/var/lib/acme/acme-challenge"
services.ngi-pretalx.nginx.addSSL
Description: Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).
Type: boolean
Default: false
services.ngi-pretalx.nginx.basicAuth
Description:

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.
Type: attribute set of string
Default: { }
services.ngi-pretalx.nginx.basicAuthFile
Description: Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.
Type: null or path
Default: null
services.ngi-pretalx.nginx.default
Description: Makes this vhost the default.
Type: boolean
Default: false
services.ngi-pretalx.nginx.enableACME
Description: Whether to ask Let’s Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through useACMEHost.
Type: boolean
Default: false
services.ngi-pretalx.nginx.extraConfig
Description: These lines go to the end of the vhost verbatim.
Type: strings concatenated with "\n"
Default: ""
services.ngi-pretalx.nginx.forceSSL
Description: Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
Type: boolean
Default: false
services.ngi-pretalx.nginx.globalRedirect
Description: If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.
Type: null or string
Default: null
services.ngi-pretalx.nginx.http2
Description: Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx’s implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.
Type: boolean
Default: true
services.ngi-pretalx.nginx.http3
Description: Whether to enable the HTTP/3 protocol. This requires using the pkgs.nginxQuic package, which can be achieved by setting services.nginx.package = pkgs.nginxQuic;, and activating the QUIC transport protocol with services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/. HTTP/3 availability must be manually advertised, preferably in each location block.
Type: boolean
Default: true
services.ngi-pretalx.nginx.http3_hq
Description: Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using the pkgs.nginxQuic package, which can be achieved by setting services.nginx.package = pkgs.nginxQuic;, and activating the QUIC transport protocol with services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/.
Type: boolean
Default: false
services.ngi-pretalx.nginx.kTLS
Description: Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Requires Nginx version 1.21.4 or later.
Type: boolean
Default: false
services.ngi-pretalx.nginx.listen
Description:

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.
Type: list of (submodule)
Default: [ ]
services.ngi-pretalx.nginx.listen.*.addr
Description: Listen address.
Type: string
Default:
services.ngi-pretalx.nginx.listen.*.extraParameters
Description: Extra parameters of this listen directive.
Type: list of string
Default: [ ]
services.ngi-pretalx.nginx.listen.*.port
Description: Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: null
services.ngi-pretalx.nginx.listen.*.proxyProtocol
Description: Enable PROXY protocol.
Type: boolean
Default: false
services.ngi-pretalx.nginx.listen.*.ssl
Description: Enable SSL.
Type: boolean
Default: false
services.ngi-pretalx.nginx.listenAddresses
Description:

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6.
Type: list of string
Default: [ ]
services.ngi-pretalx.nginx.locations
Description: Declarative location config.
Type: attribute set of (submodule)
Default: { }
services.ngi-pretalx.nginx.locations.<name>.alias
Description: Alias directory for requests.
Type: null or path
Default: null
services.ngi-pretalx.nginx.locations.<name>.basicAuth
Description:

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.
Type: attribute set of string
Default: { }
services.ngi-pretalx.nginx.locations.<name>.basicAuthFile
Description: Basic Auth password file for a vhost. Can be created by running nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.
Type: null or path
Default: null
services.ngi-pretalx.nginx.locations.<name>.extraConfig
Description: These lines go to the end of the location verbatim.
Type: strings concatenated with "\n"
Default: ""
services.ngi-pretalx.nginx.locations.<name>.fastcgiParams
Description: FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won’t unset the default values for other parameters.
Type: attribute set of (string or path)
Default: { }
services.ngi-pretalx.nginx.locations.<name>.index
Description: Adds index directive.
Type: null or string
Default: null
services.ngi-pretalx.nginx.locations.<name>.priority
Description: Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.
Type: signed integer
Default: 1000
services.ngi-pretalx.nginx.locations.<name>.proxyPass
Description: Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.
Type: null or string
Default: null
services.ngi-pretalx.nginx.locations.<name>.proxyWebsockets
Description: Whether to support proxying websocket connections with HTTP/1.1.
Type: boolean
Default: false
services.ngi-pretalx.nginx.locations.<name>.recommendedProxySettings
Description: Enable recommended proxy settings.
Type: boolean
Default: config.services.nginx.recommendedProxySettings
services.ngi-pretalx.nginx.locations.<name>.return
Description: Adds a return directive, for e.g. redirections.
Type: null or string or signed integer
Default: null
services.ngi-pretalx.nginx.locations.<name>.root
Description: Root directory for requests.
Type: null or path
Default: null
services.ngi-pretalx.nginx.locations.<name>.tryFiles
Description: Adds try_files directive.
Type: null or string
Default: null
services.ngi-pretalx.nginx.onlySSL
Description: Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.
Type: boolean
Default: false
services.ngi-pretalx.nginx.quic
Description: Whether to enable the QUIC transport protocol. This requires using the pkgs.nginxQuic package, which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/.
Type: boolean
Default: false
services.ngi-pretalx.nginx.redirectCode
Description: HTTP status used by globalRedirect and forceSSL. Possible use cases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.
Type: integer between 300 and 399 (both inclusive)
Default: 301
services.ngi-pretalx.nginx.rejectSSL
Description: Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.
Type: boolean
Default: false
services.ngi-pretalx.nginx.reuseport
Description: Create an individual listening socket. It is required to specify this only once, on one of the hosts.
Type: boolean
Default: false
services.ngi-pretalx.nginx.root
Description: The path of the web root directory.
Type: null or path
Default: null
services.ngi-pretalx.nginx.serverAliases
Description: Additional names of virtual hosts served by this virtual host configuration.
Type: list of string
Default: [ ]
services.ngi-pretalx.nginx.serverName
Description: Name of this virtual host. Defaults to attribute name in virtualHosts.
Type: null or string
Default: null
services.ngi-pretalx.nginx.sslCertificate
Description: Path to server SSL certificate.
Type: path
Default:
services.ngi-pretalx.nginx.sslCertificateKey
Description: Path to server SSL certificate key.
Type: path
Default:
services.ngi-pretalx.nginx.sslTrustedCertificate
Description: Path to root SSL certificate for stapling and client certificates.
Type: null or path
Default: null
services.ngi-pretalx.nginx.useACMEHost
Description: A host of an existing Let’s Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through enableACME. Note that this option does not create any certificates, nor does it add subdomains to existing ones – you will need to create them manually using .
Type: null or string
Default: null
services.ngi-pretalx.package
Description: The pretalxFull package to use.
Type: package
Default: pkgs.pretalxFull
services.ngi-pretalx.redis.enable
Description: Whether to enable support for Redis.
Type: boolean
Default: false
services.ngi-pretalx.redis.locationFile
Description: Path to a file that contains the location (connection URI) of Redis server, if you want to use it as a cache. Contents of the file: redis://[:password]@127.0.0.1:6379/1 would be sensible, or unix://[:password]@/path/to/socket.sock?db=0 if you prefer to use sockets. Consider using a secret managing scheme such as agenix or sops-nix to generate this file.
Type: path
Default:
services.ngi-pretalx.redis.session
Description: Whether to use Redis as session storage.
Type: boolean
Default: false
services.ngi-pretalx.site.csp
Description: Use this setting to update the CSP security headers. See https://docs.pretalx.org/administrator/configure.html#csp-csp-script-csp-style-csp-img-csp-form.
Type: null or string
Default: null
services.ngi-pretalx.site.csp_form
Description: Use this setting to update the CSP security headers. See https://docs.pretalx.org/administrator/configure.html#csp-csp-script-csp-style-csp-img-csp-form.
Type: null or string
Default: null
services.ngi-pretalx.site.csp_img
Description: Use this setting to update the CSP security headers. See https://docs.pretalx.org/administrator/configure.html#csp-csp-script-csp-style-csp-img-csp-form.
Type: null or string
Default: null
services.ngi-pretalx.site.csp_script
Description: Use this setting to update the CSP security headers. See https://docs.pretalx.org/administrator/configure.html#csp-csp-script-csp-style-csp-img-csp-form.
Type: null or string
Default: null
services.ngi-pretalx.site.csp_style
Description: Use this setting to update the CSP security headers. See https://docs.pretalx.org/administrator/configure.html#csp-csp-script-csp-style-csp-img-csp-form.
Type: null or string
Default: null
services.ngi-pretalx.site.media
Description: Path that is appended to the site URL to address media files (all files uploaded by users or generated by pretalx).
Type: string
Default: "/media/"
services.ngi-pretalx.site.secretFile
Description: Path to a file containing a secret key that the Django web framework uses for cryptographic signing. See https://docs.pretalx.org/administrator/configure.html#secret. Consider using a secret managing scheme such as agenix or sops-nix to generate this file.
Type: null or path
Default: null
services.ngi-pretalx.site.static
Description: Path that is appended to the site URL to address static files.
Type: string
Default: "/static/"
services.ngi-pretalx.site.url
Description: URL for pretalx. pretalx uses this value when it has to render full URLs, for example in emails or feeds. It is also used to determine the allowed incoming hosts.
Type: string
Default: "http://options.invalid"
services.ngi-pretalx.user
Description: Username of the system user that should own files and services related to pretalx.
Type: string
Default: "pretalx"

Examples

  • Basic configuration for Pretalx, incl. secret management with SOPS, excl. database settings.

    {
      config,
      pkgs,
      ...
    }: {
      networking = {
        firewall.allowedTCPPorts = [config.services.nginx.defaultHTTPListenPort];
        hostName = "server";
        domain = "example.com";
      };
    
      sops = {
        # See <https://github.com/Mic92/sops-nix>.
    
        age.keyFile = "/dev/null"; # For a production configuration, set this option.
        defaultSopsFile = "/dev/null"; # For a production configuration, set this option.
        validateSopsFiles = false; # For a production configuration, remove this line.
    
        secrets = let
          pretalxSecret = {
            owner = config.services.ngi-pretalx.user;
            group = config.services.ngi-pretalx.group;
          };
        in {
          "pretalx/database/password" = pretalxSecret;
          "pretalx/redis/location" = pretalxSecret;
          "pretalx/init/admin/password" = pretalxSecret;
          "pretalx/celery/backend" = pretalxSecret;
          "pretalx/celery/broker" = pretalxSecret;
        };
      };
    
      services = {
        ngi-pretalx = {
          enable = true;
          package = pkgs.pretalxFull;
          nginx = {
            # For a production configuration use this attribute set to configure the virtual host for pretalx.
          };
          database = {
            user = "pretalx";
            passwordFile = config.sops.secrets."pretalx/database/password".path;
          };
          redis = {
            enable = true;
            locationFile = config.sops.secrets."pretalx/redis/location".path;
          };
          celery = {
            enable = true;
            backendFile = config.sops.secrets."pretalx/celery/backend".path;
            brokerFile = config.sops.secrets."pretalx/celery/broker".path;
          };
          init = {
            admin = {
              email = "pretalx@localhost";
              passwordFile = config.sops.secrets."pretalx/init/admin/password".path;
            };
            organiser = {
              name = "NGI Packages";
              slug = "ngipkgs";
            };
          };
          mail.enable = false;
        };
    
        redis.servers."pretalx" = {
          enable = true;
          user = config.services.ngi-pretalx.user;
        };
    
        nginx = {
          enable = true;
          recommendedTlsSettings = true;
          recommendedOptimisation = true;
          recommendedGzipSettings = true;
          recommendedProxySettings = true;
        };
      };
    }
  • Supplementary to base.nix, adds database configuration for MySQL.

    {
      config,
      pkgs,
      ...
    }: {
      services = {
        ngi-pretalx.database = {
          backend = "mysql";
          host = "/var/run/mysqld/mysqld.sock";
          user = "pretalx";
        };
    
        mysql = {
          enable = true;
          package = pkgs.mariadb;
          ensureUsers = [
            {
              name = config.services.ngi-pretalx.database.user;
              ensurePermissions."${config.services.ngi-pretalx.database.name}.*" = "ALL PRIVILEGES";
            }
          ];
          ensureDatabases = [config.services.ngi-pretalx.database.name];
        };
      };
    }
  • Supplementary to base.nix, adds database configuration for PostgreSQL.

    {config, ...}: {
      services = {
        ngi-pretalx.database = {
          backend = "postgresql";
          user = "pretalx";
        };
    
        postgresql = {
          enable = true;
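          # "trust" lets any local user connect over the Unix socket as any database user, without a password.
          authentication = "local all all trust";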
          ensureUsers = [
            {
              name = config.services.ngi-pretalx.database.user;
              ensureDBOwnership = true;
            }
          ];
          ensureDatabases = [config.services.ngi-pretalx.database.name];
        };
      };
    }

Rosenpass

https://nlnet.nl/project/Rosenpass

Packages

rosenpass-0.2.2
Version: 0.2.2
rosenpass-tools-0.2.2
Version: 0.2.2

Servo

https://nlnet.nl/project/Servo

Packages

servo-0-unstable-2024-09-09
Version: 0-unstable-2024-09-09

Vula

https://nlnet.nl/project/Vula

Packages

vula-0.2-unstable-2024-05-17
Version: 0.2-unstable-2024-05-17

Options

services.vula.enable
Description: Whether to enable Vula, “automatic local network encryption”. The wireguard kernel module is required.
Type: boolean
Default: false
services.vula.logLevel
Description: Vula daemons log level.
Type: one of "INFO", "WARN", "DEBUG"
Default: "INFO"
services.vula.openFirewall
Description: Opens ports 5353 and 5354, and enables networking.firewall.checkReversePath.
Type: boolean
Default: false
services.vula.operatorsGroup
Description: Users in this group have full permissions to control vula.
Type: string
Default: "vula-ops"
services.vula.package
Description: The vula package to use.
Type: package
Default: pkgs.vula
services.vula.systemGroup
Description: Group name for vula system users.
Type: string
Default: "vula"
services.vula.userPrefix
Description: Prefix for names of vula system users.
Type: string
Default: "vula"

Examples

  • Simple configuration for Vula. Vula nodes will automatically discover each other on networks that support multicast DNS (mDNS).

    Add users to the group defined in config.services.vula.adminGroup to grant them permissions to manage Vula through the vula command.

    {
      services.vula.enable = true;
      services.vula.openFirewall = true;
    }

Weblate

https://nlnet.nl/project/Weblate

Packages

weblate-5.8.3
Version: 5.8.3

Options

services.weblate.djangoSecretKeyFile
Description:

Location of the Django secret key.

This should be a path pointing to a file with secure permissions (not /nix/store).

Can be generated with weblate-generate-secret-key which is available as the weblate user.
Type: path
Default:
services.weblate.enable
Description: Whether to enable Weblate service.
Type: boolean
Default: false
services.weblate.extraConfig
Description: Text to append to settings.py Weblate configuration file.
Type: strings concatenated with "\n"
Default: ""
services.weblate.localDomain
Description: The domain name serving your Weblate instance.
Type: string
Default:
services.weblate.package
Description: The weblate package to use.
Type: package
Default: pkgs.weblate
services.weblate.smtp.enable
Description: Whether to enable Weblate SMTP support.
Type: boolean
Default: false
services.weblate.smtp.host
Description: SMTP host used when sending emails to users.
Type: string
Default:
services.weblate.smtp.passwordFile
Description:

Location of a file containing the SMTP password.

This should be a path pointing to a file with secure permissions (not /nix/store).
Type: path
Default:
services.weblate.smtp.user
Description: SMTP login name.
Type: string
Default:

Examples

  • Basic example for Weblate, with manual secrets deployment and automatic Nginx/ACME setup.

    {
      config,
      lib,
      pkgs,
      ...
    }: {
      services.weblate = {
        enable = true;
        localDomain = "weblate.example.org";
        # Manually deployed secret. Can be generated with
        # `weblate-generate-secret-key > django-secret` when run as the weblate user.
        djangoSecretKeyFile = "/var/lib/weblate/django-secret";
        smtp = {
          enable = true;
          # Specify a valid account and server for your mail provider.
          user = "weblate@example.org";
          host = "mail.example.org";
          # Manually deployed secret
          passwordFile = "/var/lib/weblate/smtp-password";
        };
      };
    
      # Accept Letsencrypt TOS and provide contact email
      security.acme = {
        defaults.email = "letsencrypt@example.org";
        acceptTerms = true;
      };
    }

lib25519

https://nlnet.nl/project/lib25519

Packages

lib25519-20240321
Version: 20240321
libcpucycles-20240318
Version: 20240318
librandombytes-20240318
Version: 20240318

mCaptcha

https://nlnet.nl/project/mCaptcha

Packages

mcaptcha-0.1.0
Version: 0.1.0
cache-0.1.0
Version: 0.1.0

Options

services.mcaptcha.captcha.saltFile
Description: Path to a file containing a salt.
Type: path
Default:
services.mcaptcha.database.createLocally
Description: Whether to create and use a local database instance.
Type: boolean
Default: false
services.mcaptcha.database.passwordFile
Description:

Path to a file containing a database password.

Ignored when services.mcaptcha.database.createLocally is set.
Type: null or path
Default: null
services.mcaptcha.enable
Description: Whether to enable mCaptcha server.
Type: boolean
Default: false
services.mcaptcha.group
Description: Group for the user mCaptcha runs under.
Type: string
Default: "mcaptcha"
services.mcaptcha.package
Description: The mcaptcha package to use.
Type: package
Default: pkgs.mcaptcha
services.mcaptcha.redis.createLocally
Description: Whether to create a Redis instance locally.
Type: boolean
Default: false
services.mcaptcha.redis.host
Description: Ignored when services.mcaptcha.redis.createLocally is set.
Type: string
Default:
services.mcaptcha.redis.passwordFile
Description:

Path to a file containing the Redis server password.

Ignored when services.mcaptcha.redis.createLocally is set.
Type: path
Default:
services.mcaptcha.redis.port
Description: Applies both when services.mcaptcha.redis.createLocally is set and when it is not.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 6379
services.mcaptcha.redis.user
Description: Ignored when services.mcaptcha.redis.createLocally is set.
Type: string
Default: "default"
services.mcaptcha.server.cookieSecretFile
Description: Path to a file containing a cookie secret.
Type: path
Default:
services.mcaptcha.settings
Description: Extra settings.
Type: TOML value
Default:
services.mcaptcha.settings.database.hostname
Description: Ignored when services.mcaptcha.database.createLocally is set.
Type: null or string
Default: null
services.mcaptcha.settings.database.name
Description: Applies both when services.mcaptcha.database.createLocally is set and when it is not.
Type: string
Default: "mcaptcha"
services.mcaptcha.settings.database.port
Description: Ignored when services.mcaptcha.database.createLocally is set.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: null
services.mcaptcha.settings.database.username
Description: Ignored when services.mcaptcha.database.createLocally is set.
Type: null or string
Default: null
services.mcaptcha.settings.server.domain
Description: Web server host.
Type: string
Default: "localhost"
services.mcaptcha.settings.server.ip
Description: Web server addresses to bind to.
Type: string
Default: "127.0.0.1"
services.mcaptcha.settings.server.port
Description: Web server port.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 7000
services.mcaptcha.user
Description: User account to run under.
Type: string
Default: "mcaptcha"

mitmproxy

https://nlnet.nl/project/mitmproxy

Packages

mitmproxy-11.0.0
Version: 11.0.0

ntpd-rs

https://nlnet.nl/project/ntpd-rs

Packages

ntpd-rs-1.3.0
Version: 1.3.0

Options

services.ntpd-rs.enable
Description: Whether to enable Network Time Service (ntpd-rs).
Type: boolean
Default: false
services.ntpd-rs.metrics.enable
Description: Whether to enable ntpd-rs Prometheus Metrics Exporter.
Type: boolean
Default: false
services.ntpd-rs.package
Description: The ntpd-rs package to use.
Type: package
Default: pkgs.ntpd-rs
services.ntpd-rs.settings
Description:

Settings to write to ntp.toml.

See https://docs.ntpd-rs.pendulum-project.org/man/ntp.toml.5 for more information about available options.
Type: TOML value
Default: { }
services.ntpd-rs.useNetworkingTimeServers
Description: Use source time servers from networking.timeServers in config.
Type: boolean
Default: true

tslib

https://nlnet.nl/project/tslib

Packages

tslib-1.23
Version: 1.23