Options

nixfiles.bookdb.dataDir

Directory to store uploaded files to.

If the erase-your-darlings module is enabled, this is overridden to be on the persistent volume.

Type: string

Default: "/srv/bookdb"

Declared in: shared/bookdb/options.nix

nixfiles.bookdb.elasticsearchPort

Port (on 127.0.0.1) to expose the elasticsearch container on.

Type: signed integer

Default: 47164

Declared in: shared/bookdb/options.nix

nixfiles.bookdb.elasticsearchTag

Tag of the elasticsearch container image to use.

Type: string

Default: "8.0.0"

Declared in: shared/bookdb/options.nix

nixfiles.bookdb.enable

Enable the bookdb service.

Type: boolean

Default: false

Declared in: shared/bookdb/options.nix

nixfiles.bookdb.logFormat

Format of the log messages.

Type: string

Default: "json,no-time"

Declared in: shared/bookdb/options.nix

nixfiles.bookdb.logLevel

Verbosity of the log messages.

Type: string

Default: "info"

Declared in: shared/bookdb/options.nix

nixfiles.bookdb.port

Port (on 127.0.0.1) to expose bookdb on.

Type: signed integer

Default: 46667

Declared in: shared/bookdb/options.nix

nixfiles.bookdb.readOnly

Launch the service in "read-only" mode. Enable this if exposing it to a public network.

Type: boolean

Default: false

Declared in: shared/bookdb/options.nix

nixfiles.bookmarks.elasticsearchPort

Port (on 127.0.0.1) to expose the elasticsearch container on.

Type: signed integer

Default: 43389

Declared in: shared/bookmarks/options.nix

nixfiles.bookmarks.elasticsearchTag

Tag of the elasticsearch container image to use.

Type: string

Default: "8.0.0"

Declared in: shared/bookmarks/options.nix

nixfiles.bookmarks.enable

Enable the bookmarks service.

Type: boolean

Default: false

Declared in: shared/bookmarks/options.nix

nixfiles.bookmarks.logFormat

Format of the log messages.

Type: string

Default: "json,no-time"

Declared in: shared/bookmarks/options.nix

nixfiles.bookmarks.logLevel

Verbosity of the log messages.

Type: string

Default: "info"

Declared in: shared/bookmarks/options.nix

nixfiles.bookmarks.port

Port (on 127.0.0.1) to expose bookmarks on.

Type: signed integer

Default: 48372

Declared in: shared/bookmarks/options.nix

nixfiles.bookmarks.readOnly

Launch the service in "read-only" mode. Enable this if exposing it to a public network.

Type: boolean

Default: false

Declared in: shared/bookmarks/options.nix

nixfiles.concourse.concourseTag

Tag of the concourse/concourse container image to use.

Type: string

Default: "7.11.2"

Declared in: shared/concourse/options.nix

nixfiles.concourse.enable

Enable the Concourse CI service.

Type: boolean

Default: false

Declared in: shared/concourse/options.nix

nixfiles.concourse.environmentFile

Environment file to pass secrets into the service. This is of the form:

# GitHub OAuth credentials
CONCOURSE_GITHUB_CLIENT_ID="..."
CONCOURSE_GITHUB_CLIENT_SECRET="..."

# AWS SSM credentials
CONCOURSE_AWS_SSM_REGION="..."
CONCOURSE_AWS_SSM_ACCESS_KEY="..."
CONCOURSE_AWS_SSM_SECRET_KEY="..."

Type: string

Declared in: shared/concourse/options.nix

nixfiles.concourse.githubUser

The GitHub user to authenticate with.

Type: string

Default: "barrucadu"

Declared in: shared/concourse/options.nix

nixfiles.concourse.metricsPort

Port (on 127.0.0.1) to expose the Prometheus metrics on.

Type: signed integer

Default: 45811

Declared in: shared/concourse/options.nix

nixfiles.concourse.port

Port (on 127.0.0.1) to expose Concourse CI on.

Type: signed integer

Default: 46498

Declared in: shared/concourse/options.nix

nixfiles.concourse.postgresTag

Tag of the postgres container image to use.

Type: string

Default: "16"

Declared in: shared/concourse/options.nix

nixfiles.concourse.workerScratchDir

Mount a directory from the host into the worker container to use as temporary storage. This is useful if the filesystem used for container volumes isn't very big.

Type: null or path

Default: null

Declared in: shared/concourse/options.nix

nixfiles.eraseYourDarlings.barrucaduPasswordFile

File containing the hashed password for barrucadu.

If using sops-nix, set the neededForUsers option on the secret.

Type: string

Declared in: shared/erase-your-darlings/options.nix

nixfiles.eraseYourDarlings.enable

Enable wiping / on boot and storing persistent data in ${persistDir}.

Type: boolean

Default: false

Declared in: shared/erase-your-darlings/options.nix

nixfiles.eraseYourDarlings.machineId

An arbitrary 32-character hexadecimal string, used to identify the host. This is needed for journalctl logs from previous boots to be accessible.

See the systemd documentation.

Type: string

Example: "64b1b10f3bef4616a7faf5edf1ef3ca5"

Declared in: shared/erase-your-darlings/options.nix

nixfiles.eraseYourDarlings.persistDir

Persistent directory which will not be erased. This must be on a different ZFS dataset that will not be wiped when rolling back to the rootSnapshot.

This module moves various files from / to here.

Type: path

Default: "/persist"

Declared in: shared/erase-your-darlings/options.nix

nixfiles.eraseYourDarlings.rootSnapshot

ZFS snapshot to roll back to on boot.

Type: string

Default: "local/volatile/root@blank"

Declared in: shared/erase-your-darlings/options.nix

nixfiles.finder.elasticsearchTag

Tag of the elasticsearch container image to use.

Type: string

Default: "8.0.0"

Declared in: shared/finder/options.nix

nixfiles.finder.enable

Enable the finder service.

Type: boolean

Default: false

Declared in: shared/finder/options.nix

nixfiles.finder.image

Container image to run.

Type: string

Declared in: shared/finder/options.nix

nixfiles.finder.mangaDir

Directory to serve manga files from.

Type: path

Example: "/mnt/nas/manga"

Declared in: shared/finder/options.nix

nixfiles.finder.port

Port (on 127.0.0.1) to expose finder on.

Type: signed integer

Default: 44986

Declared in: shared/finder/options.nix

nixfiles.firewall.ipBlocklistFile

File containing IPs to block. This is of the form:

ip-address # comment
ip-address # comment
...

Type: null or string

Default: null

Declared in: shared/options.nix

nixfiles.foundryvtt.dataDir

Directory to store data files in.

The downloaded FoundryVTT program files must be in ${dataDir}/bin.

If the erase-your-darlings module is enabled, this is overridden to be on the persistent volume.

Type: string

Default: "/var/lib/foundryvtt"

Declared in: shared/foundryvtt/options.nix

nixfiles.foundryvtt.enable

Enable the FoundryVTT service.

Type: boolean

Default: false

Declared in: shared/foundryvtt/options.nix

nixfiles.foundryvtt.port

Port (on 127.0.0.1) to expose FoundryVTT on.

Type: signed integer

Default: 46885

Declared in: shared/foundryvtt/options.nix

nixfiles.minecraft.dataDir

Directory to store data files in.

If the erase-your-darlings module is enabled, this is overridden to be on the persistent volume.

Type: path

Default: "/var/lib/minecraft"

Declared in: shared/minecraft/options.nix

nixfiles.minecraft.enable

Enable the Minecraft service.

Type: boolean

Default: false

Declared in: shared/minecraft/options.nix

nixfiles.minecraft.servers

Attrset of minecraft server definitions. Each server {name} is run in the working directory ${dataDir}/{name}.

Type: attribute set of (submodule)

Default: { }

Declared in: shared/minecraft/options.nix

nixfiles.minecraft.servers.<name>.autoStart

Start the server automatically on boot.

Type: boolean

Default: true

Declared in: shared/minecraft/options.nix

nixfiles.minecraft.servers.<name>.jar

Name of the JAR file to use. This file must be in the working directory.

Type: string

Default: "minecraft-server.jar"

Declared in: shared/minecraft/options.nix

nixfiles.minecraft.servers.<name>.jre

Java runtime package to use.

Type: package

Default: <derivation openjdk-headless-17.0.7+7>

Declared in: shared/minecraft/options.nix

nixfiles.minecraft.servers.<name>.jvmOpts

Java runtime arguments. Cargo cult these from a forum post and then never think about them again.

Type: strings concatenated with " "

Default: "-Xmx4G -Xms4G -XX:+UnlockExperimentalVMOptions -XX:+UseG1GC -XX:G1NewSizePercent=20 -XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 -XX:G1HeapRegionSize=32M"

Declared in: shared/minecraft/options.nix

nixfiles.minecraft.servers.<name>.port

Port to open in the firewall. This must match the port in the server.properties file.

Type: signed integer

Declared in: shared/minecraft/options.nix

nixfiles.oci-containers.backend

The container runtime.

Type: one of "docker", "podman"

Default: "docker"

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods

Attrset of pod definitions.

Type: attribute set of (submodule)

Default: { }

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers

Attrset of container definitions.

Type: attribute set of (submodule)

Default: { }

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.autoStart

Start the container automatically on boot.

Type: boolean

Default: true

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.cmd

Command-line arguments to pass to the container image's entrypoint.

Type: list of string

Default: [ ]

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.dependsOn

Other containers that this one depends on, in ${pod}-${name} format.

Type: list of string

Default: [ ]

Example: [ "concourse-db" ]

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.environment

Environment variables to set for this container.

Type: attribute set of string

Default: { }

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.environmentFiles

List of environment files for this container.

Type: list of path

Default: [ ]

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.extraOptions

Extra options to pass to docker run / podman run.

Type: list of string

Default: [ ]

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.image

Container image to run.

Type: string

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.login.passwordFile

File containing the password for the container registry.

Type: null or string

Default: null

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.login.registry

Container registry to authenticate with.

Type: null or string

Default: null

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.login.username

Username for the container registry.

Type: null or string

Default: null

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.ports

List of ports to expose.

Type: list of (submodule)

Default: [ ]

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.ports.*.host

Host port (on 127.0.0.1) to expose the container port on.

Type: signed integer

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.ports.*.inner

The container port to expose to the host.

Type: signed integer

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.pullOnStart

Pull the container image when starting (useful for :latest images).

Type: boolean

Default: true

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.volumes

List of volume definitions.

Type: list of (submodule)

Default: [ ]

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.volumes.*.host

Directory on the host to bind-mount into the container.

This option conflicts with ${name}.

Type: null or string

Default: null

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.volumes.*.inner

Directory in the container to mount the volume to.

Type: string

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.containers.<name>.volumes.*.name

Name of the volume. This is equivalent to:

host = "${volumeBaseDir}/${volumeSubDir}/${name}";

This option conflicts with ${host}.

Type: null or string

Default: null

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.pods.<name>.volumeSubDir

Subdirectory of the ${volumeBaseDir} to store bind-mounts under.

Type: string

Default: "‹name›"

Declared in: shared/oci-containers/options.nix

nixfiles.oci-containers.volumeBaseDir

Directory to store volume bind-mounts under.

If the erase-your-darlings module is enabled, this is overridden to be on the persistent volume.

Type: string

Declared in: shared/oci-containers/options.nix

nixfiles.pleroma.adminEmail

Email address used to contact the server operator.

Type: string

Default: "mike@barrucadu.co.uk"

Declared in: shared/pleroma/options.nix

nixfiles.pleroma.allowRegistration

Allow new users to sign up.

Type: boolean

Default: false

Declared in: shared/pleroma/options.nix

nixfiles.pleroma.domain

Domain which Pleroma will be exposed on.

Type: string

Example: "social.lainon.life"

Declared in: shared/pleroma/options.nix

nixfiles.pleroma.enable

Enable the Pleroma service.

Type: boolean

Default: false

Declared in: shared/pleroma/options.nix

nixfiles.pleroma.faviconPath

File to use for the favicon.

Type: null or path

Default: null

Declared in: shared/pleroma/options.nix

nixfiles.pleroma.instanceName

Name of the instance. Defaults to ${domain} if not set.

Type: null or string

Default: null

Declared in: shared/pleroma/options.nix

nixfiles.pleroma.notifyEmail

Email address used for notifications. Defaults to ${adminEmail} if not set.

Type: null or string

Default: null

Declared in: shared/pleroma/options.nix

nixfiles.pleroma.port

Port (on 127.0.0.1) to expose Pleroma on.

Type: signed integer

Default: 46283

Declared in: shared/pleroma/options.nix

nixfiles.pleroma.postgresTag

Tag of the postgres container image to use.

Type: string

Default: "16"

Declared in: shared/pleroma/options.nix

nixfiles.pleroma.secretsFile

File containing secret configuration.

See the Pleroma documentation for what this needs to contain.

Type: string

Declared in: shared/pleroma/options.nix

nixfiles.resolved.address

Address to listen on.

Type: string

Default: "0.0.0.0:53"

Declared in: shared/resolved/options.nix

nixfiles.resolved.authoritativeOnly

Only answer queries for which this server is authoritative: do not perform recursive or forwarding resolution.

Type: boolean

Default: false

Declared in: shared/resolved/options.nix

nixfiles.resolved.cacheSize

How many records to hold in the cache.

Type: signed integer

Default: 512

Declared in: shared/resolved/options.nix

nixfiles.resolved.enable

Enable the resolved service.

Type: boolean

Default: false

Declared in: shared/resolved/options.nix

nixfiles.resolved.forwardAddress

Act as a forwarding resolver, not a recursive resolver: forward queries which can't be answered from local state to this nameserver and cache the result.

Type: null or string

Default: null

Declared in: shared/resolved/options.nix

nixfiles.resolved.hostsDirs

List of directories to read hosts files from.

Type: list of string

Default: [ ]

Declared in: shared/resolved/options.nix

nixfiles.resolved.logFormat

Format of the log messages.

Type: string

Default: "json,no-time"

Declared in: shared/resolved/options.nix

nixfiles.resolved.logLevel

Verbosity of the log messages.

Type: string

Default: "dns_resolver=info,resolved=info"

Declared in: shared/resolved/options.nix

nixfiles.resolved.metricsAddress

Address to listen on to serve Prometheus metrics.

Type: string

Default: "127.0.0.1:9420"

Declared in: shared/resolved/options.nix

nixfiles.resolved.protocolMode

How to choose between connecting to upstream nameservers over IPv4 or IPv6 when acting as a recursive resolver.

Type: string

Default: "only-v4"

Declared in: shared/resolved/options.nix

nixfiles.resolved.useDefaultZones

Include the default zone files.

Type: boolean

Default: true

Declared in: shared/resolved/options.nix

nixfiles.resolved.zonesDirs

List of directories to read zone files from.

Type: list of string

Default: [ ]

Declared in: shared/resolved/options.nix

nixfiles.restic-backups.backups

Attrset of backup job definitions.

Type: attribute set of (submodule)

Default: { }

Declared in: shared/restic-backups/options.nix

nixfiles.restic-backups.backups.<name>.cleanupCommand

A script to run after taking the backup.

Type: null or string

Default: null

Declared in: shared/restic-backups/options.nix

nixfiles.restic-backups.backups.<name>.paths

List of paths to back up.

Type: list of string

Default: [ ]

Declared in: shared/restic-backups/options.nix

nixfiles.restic-backups.backups.<name>.prepareCommand

A script to run before beginning the backup.

Type: null or string

Default: null

Declared in: shared/restic-backups/options.nix

nixfiles.restic-backups.backups.<name>.startAt

When to run the backup.

Type: string

Default: "Mon, 04:00"

Declared in: shared/restic-backups/options.nix

nixfiles.restic-backups.checkRepositoryAt

If not null, when to run restic check to validate the repository metadata.

Type: null or string

Default: null

Declared in: shared/restic-backups/options.nix

nixfiles.restic-backups.enable

Enable the backup service.

Type: boolean

Default: false

Declared in: shared/restic-backups/options.nix

nixfiles.restic-backups.environmentFile

Environment file to pass secrets into the service. This is of the form:

# Repository password
RESTIC_PASSWORD="..."

# B2 credentials
B2_ACCOUNT_ID="..."
B2_ACCOUNT_KEY="..."

# AWS SNS credentials
AWS_ACCESS_KEY="..."
AWS_SECRET_ACCESS_KEY="..."
AWS_DEFAULT_REGION="..."

If any of the backup jobs need secrets, those should be specified in this file as well.

Type: null or string

Declared in: shared/restic-backups/options.nix

nixfiles.restic-backups.sudoRules

List of additional sudo rules to grant the backup user.

Type: list of (submodule)

Default: [ ]

Declared in: shared/restic-backups/options.nix

nixfiles.restic-backups.sudoRules.*.command

The command for which the rule applies.

Type: string

Declared in: shared/restic-backups/options.nix

nixfiles.restic-backups.sudoRules.*.runAs

The user / group under which the command is allowed to run.

A user can be specified using just the username: "foo". It is also possible to specify a user/group combination using "foo:bar" or to only allow running as a specific group with ":bar".

Type: string

Default: "ALL:ALL"

Declared in: shared/restic-backups/options.nix

nixfiles.torrents.downloadDir

Directory to download torrented files to.

Type: string

Example: "/mnt/nas/torrents/files"

Declared in: shared/torrents/options.nix

nixfiles.torrents.enable

Enable the Transmission service.

Type: boolean

Default: false

Declared in: shared/torrents/options.nix

nixfiles.torrents.group

The group to run Transmission as.

Type: string

Declared in: shared/torrents/options.nix

nixfiles.torrents.logLevel

Verbosity of the log messages.

Type: integer between 0 and 6 (both inclusive)

Default: 2

Declared in: shared/torrents/options.nix

nixfiles.torrents.openFirewall

Allow connections from TCP and UDP ports ${portRange.from} to ${portRange.to}.

Type: boolean

Default: true

Declared in: shared/torrents/options.nix

nixfiles.torrents.peerPort

Port to accept peer connections on.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 50000

Declared in: shared/torrents/options.nix

nixfiles.torrents.rpcPort

Port to accept RPC connections on. Bound on 127.0.0.1.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default: 49528

Declared in: shared/torrents/options.nix

nixfiles.torrents.stateDir

Directory to store service state in.

Type: string

Example: "/var/lib/torrents"

Declared in: shared/torrents/options.nix

nixfiles.torrents.user

The user to run Transmission as.

Type: string

Declared in: shared/torrents/options.nix

nixfiles.torrents.watchDir

Directory to monitor for new .torrent files.

Type: string

Example: "/mnt/nas/torrents/watch"

Declared in: shared/torrents/options.nix

nixfiles.umami.enable

Enable the umami service.

Type: boolean

Default: false

Declared in: shared/umami/options.nix

nixfiles.umami.environmentFile

Environment file to pass secrets into the service. This is of the form:

HASH_SALT="..."

Type: string

Declared in: shared/umami/options.nix

nixfiles.umami.port

Port (on 127.0.0.1) to expose umami on.

Type: signed integer

Default: 46489

Declared in: shared/umami/options.nix

nixfiles.umami.postgresTag

Tag of the postgres container image to use.

Type: string

Default: "16"

Declared in: shared/umami/options.nix

nixfiles.umami.umamiTag

Tag of the ghcr.io/umami-software/umami container image to use.

Type: string

Default: "postgresql-v2.9.0"

Declared in: shared/umami/options.nix