Initrd

boot.initrd.availableKernelModules

The set of kernel modules in the initial ramdisk used during the boot process. This set must include all modules necessary for mounting the root device. That is, it should include modules for the physical device (e.g., SCSI drivers) and for the file system (e.g., ext3). The set specified here is automatically closed under the module dependency relation, i.e., all dependencies of the modules listed here are included automatically. The modules listed here are available in the initrd, but are only loaded on demand (e.g., the ext3 module is loaded automatically when an ext3 filesystem is mounted, and modules for PCI devices are loaded when they match the PCI ID of a device in your system). To force a module to be loaded, include it in boot.initrd.kernelModules.

Type: list of string

Default

[ ]

Example

[ "sata_nv" "ext3" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/kernel.nix

boot.initrd.checkJournalingFS

Whether to run fsck on journaling filesystems such as ext3.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.clevis.devices

Encrypted devices that need to be unlocked at boot using Clevis.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/clevis.nix

boot.initrd.clevis.devices.<name>.secretFile

Clevis JWE file used to decrypt the device at boot, in concert with the chosen pin (one of TPM2, Tang server, or SSS).

Type: path

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/clevis.nix

boot.initrd.clevis.enable

Whether to enable Clevis in initrd.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/clevis.nix

boot.initrd.clevis.package

Clevis package.

Type: package

Default

"pkgs.clevis"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/clevis.nix

boot.initrd.clevis.useTang

Whether the Clevis JWE file used to decrypt the devices uses a Tang server as a pin.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/clevis.nix

boot.initrd.compressor

The compressor to use on the initrd image. May be any of:

  • The name of one of the predefined compressors, see pkgs/build-support/kernel/initrd-compressor-meta.nix for the definitions.
  • A function which, given the nixpkgs package set, returns the path to a compressor tool, e.g. pkgs: "${pkgs.pigz}/bin/pigz"
  • (not recommended, because it does not work when cross-compiling) the full path to a compressor tool, e.g. "${pkgs.pigz}/bin/pigz"

The given program should read data from stdin and write it to stdout compressed.

Type: string or function that evaluates to a(n) string

Default

zstd if the kernel supports it (5.9+), gzip if not

Example

"xz"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.compressorArgs

Arguments to pass to the compressor for the initrd image, or null to use the compressor's defaults.

Type: null or (list of string)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.enable

Whether to enable the NixOS initial RAM disk (initrd). This may be needed to perform some initialisation tasks (like mounting network/encrypted file systems) before continuing the boot process.

Type: boolean

Default

!config.boot.isContainer

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.extraFiles

Extra files to link and copy into the initrd.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.extraFiles.<name>.source

The object to make available inside the initrd.

Type: package

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.includeDefaultModules

This option, if set, adds a collection of default kernel modules to boot.initrd.availableKernelModules and boot.initrd.kernelModules.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/kernel.nix

boot.initrd.kernelModules

List of modules that are always loaded by the initrd.

Type: list of string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/kernel.nix

boot.initrd.luks.cryptoModules

A list of cryptographic kernel modules needed to decrypt the root device(s). The default includes all common modules.

Type: list of string

Default

[ "aes" "aes_generic" "blowfish" "twofish" "serpent" "cbc" "xts" "lrw" "sha1" "sha256" "sha512" "af_alg" "algif_skcipher" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices

The encrypted disk that should be opened before the root filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM setups are supported. The unencrypted devices can be accessed as /dev/mapper/«name».

Type: attribute set of (submodule)

Default

{ }

Example

{ luksroot = { device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; }; }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.allowDiscards

Whether to allow TRIM requests to the underlying device. This option has security implications; please read the LUKS documentation before activating it. This option is incompatible with authenticated encryption (dm-crypt stacked over dm-integrity).

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.bypassWorkqueues

Whether to bypass dm-crypt's internal read and write workqueues. Enabling this should improve performance on SSDs; see here for more information. Needs Linux 5.9 or later.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.device

Path of the underlying encrypted block device.

Type: string

Example

"/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.fallbackToPassword

Whether to fall back to an interactive passphrase prompt if the keyfile cannot be found. This will prevent unattended boot should the keyfile go missing.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.fido2.credential

The FIDO2 credential ID.

Type: null or string

Default

null

Example

"f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.fido2.credentials

List of FIDO2 credential IDs.

Use this if you have multiple FIDO2 keys you want to use for the same luks device.

Type: list of string

Default

[ ]

Example

["f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2"]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.fido2.gracePeriod

Time in seconds to wait for the FIDO2 key.

Type: signed integer

Default

10

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.fido2.passwordLess

Defines whether to use an empty string as a default salt.

Enable only when your device is PIN protected, such as Trezor.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.gpgCard

The options for using this LUKS device with a GPG-encrypted LUKS password decrypted by a GPG smartcard. If null (the default), GPG smartcard support will be disabled for this device.

Type: null or (submodule)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.gpgCard.encryptedPass

Path to the GPG encrypted passphrase.

Type: path

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.gpgCard.gracePeriod

Time in seconds to wait for the GPG Smartcard.

Type: signed integer

Default

10

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.gpgCard.publicKey

Path to the Public Key.

Type: path

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.header

The name of the file or block device that should be used as header for the encrypted device.

Type: null or string

Default

null

Example

"/root/header.img"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.keyFile

The name of the file (can be a raw device or a partition) that should be used as the decryption key for the encrypted device. If not specified, you will be prompted for a passphrase instead.

Type: null or string

Default

null

Example

"/dev/sdb1"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.keyFileOffset

The offset of the key file. Use this in combination with keyFileSize to use part of a file as key file (often the case if a raw device or partition is used as a key file). If not specified, the key begins at the first byte of keyFile.

Type: null or signed integer

Default

null

Example

4096

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.keyFileSize

The size of the key file. Use this if only the beginning of the key file should be used as a key (often the case if a raw device or partition is used as key file). If not specified, the whole keyFile will be used for decryption, instead of just the first keyFileSize bytes.

Type: null or signed integer

Default

null

Example

4096

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.keyFileTimeout

The amount of time in seconds for a keyFile to appear before timing out and trying passwords.

Type: null or signed integer

Default

null

Example

5

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.postOpenCommands

Commands that should be run right after we have mounted our LUKS device.

Type: strings concatenated with "\n"

Default

""

Example

''
  umount /tmp/persistent
''

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.preLVM

Whether the luksOpen will be attempted before LVM scan or after it.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.preOpenCommands

Commands that should be run right before we try to mount our LUKS device. This can be useful if the keys needed to open the drive are on another partition.

Type: strings concatenated with "\n"

Default

""

Example

''
  mkdir -p /tmp/persistent
  mount -t zfs rpool/safe/persistent /tmp/persistent
''

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.tryEmptyPassphrase

If keyFile fails then try an empty passphrase first before prompting for password.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.yubikey

The options to use for this LUKS device in YubiKey-PBA. If null (the default), YubiKey-PBA will be disabled for this device.

Type: null or (submodule)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.yubikey.gracePeriod

Time in seconds to wait for the YubiKey.

Type: signed integer

Default

10

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.yubikey.iterationStep

How much the iteration count for PBKDF2 is increased at each successful authentication.

Type: signed integer

Default

0

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.yubikey.keyLength

Length of the LUKS slot key derived with PBKDF2, in bytes.

Type: signed integer

Default

64

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.yubikey.saltLength

Length of the new salt in bytes (64 is the effective maximum).

Type: signed integer

Default

16

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.yubikey.slot

Which slot on the YubiKey to challenge.

Type: signed integer

Default

2

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.yubikey.storage.device

An unencrypted device that will temporarily be mounted in stage-1. Must contain the current salt to create the challenge for this LUKS device.

Type: path

Default

"/dev/sda1"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.yubikey.storage.fsType

The filesystem of the unencrypted device.

Type: string

Default

"vfat"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.yubikey.storage.path

Absolute path of the salt on the unencrypted device with that device's root directory as "/".

Type: string

Default

"/crypt-storage/default"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.devices.<name>.yubikey.twoFactor

Whether to use a passphrase and a YubiKey (true), or only a YubiKey (false).

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.fido2Support

Enables support for authenticating with FIDO2 devices.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.gpgSupport

Enables support for authenticating with a GPG encrypted password.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.mitigateDMAAttacks

Unless enabled, encryption keys can be easily recovered by an attacker with physical access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port. More information is available at https://en.wikipedia.org/wiki/DMA_attack.

This option blacklists FireWire drivers, but doesn't remove them. You can manually load the drivers if you need to use a FireWire device, but don't forget to unload them!

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.reusePassphrases

When opening a new LUKS device try reusing last successful passphrase.

Useful for mounting a number of devices that use the same passphrase without retyping it several times.

Such a setup can be useful if you use cryptsetup luksSuspend. Different LUKS devices will still have different master keys even when using the same passphrase.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.luks.yubikeySupport

Enables support for authenticating with a YubiKey on LUKS devices. See the NixOS wiki for information on how to properly set up a LUKS device and a YubiKey to work with this feature.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

boot.initrd.network.enable

Add network connectivity support to initrd. The network may be configured using the ip kernel parameter, as described in the kernel documentation. Otherwise, if networking.useDHCP is enabled, an IP address is acquired using DHCP.

You should add the module(s) required for your network card to boot.initrd.availableKernelModules. lspci -v | grep -iA8 'network\|ethernet' will tell you which.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-network.nix

boot.initrd.network.flushBeforeStage2

Whether to clear the configuration of the interfaces that were set up in the initrd right before stage 2 takes over. Stage 2 will do the regular network configuration based on the NixOS networking options.

The default is false when systemd is enabled in initrd, because the systemd-networkd documentation suggests it.

Type: boolean

Default

"!config.boot.initrd.systemd.enable"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-network.nix

boot.initrd.network.openvpn.configuration

The configuration file for OpenVPN.

Warning: Unless your bootloader supports initrd secrets, this configuration is stored insecurely in the global Nix store.

Type: path

Example

./configuration.ovpn

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-openvpn.nix

boot.initrd.network.openvpn.enable

Starts an OpenVPN client during initrd boot. It can be used, e.g., to remotely access the SSH service controlled by boot.initrd.network.ssh or other included network services. The service is killed when stage-1 boot is finished.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-openvpn.nix

boot.initrd.network.postCommands

Shell commands to be executed after stage 1 of the boot has initialised the network.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-network.nix

boot.initrd.network.ssh.authorizedKeyFiles

Authorized keys taken from files for the root user on initrd. You can combine the authorizedKeyFiles and authorizedKeys options.

Type: list of path

Default

config.users.users.root.openssh.authorizedKeys.keyFiles

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-ssh.nix

boot.initrd.network.ssh.authorizedKeys

Authorized keys for the root user on initrd. You can combine the authorizedKeys and authorizedKeyFiles options.

Type: list of string

Default

config.users.users.root.openssh.authorizedKeys.keys

Example

[ "ssh-rsa AAAAB3NzaC1yc2etc/etc/etcjwrsh8e596z6J0l7 example@host" "ssh-ed25519 AAAAC3NzaCetcetera/etceteraJZMfk3QPfQ foo@bar" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-ssh.nix

boot.initrd.network.ssh.enable

Start the SSH service during initrd boot. It can be used to debug a failing boot on a remote server, enter the passphrase for an encrypted partition, etc. The service is killed when stage-1 boot is finished.

The sshd configuration is largely inherited from services.openssh.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-ssh.nix

boot.initrd.network.ssh.extraConfig

Verbatim contents of sshd_config.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-ssh.nix

boot.initrd.network.ssh.hostKeys

Specify SSH host keys to import into the initrd.

To generate keys, use ssh-keygen(1) as root:

ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key

Warning: Unless your bootloader supports initrd secrets, these keys are stored insecurely in the global Nix store. Do NOT use your regular SSH host private keys for this purpose or you'll expose them to regular users!

Additionally, even if your initrd supports secrets, if you're using initrd SSH to unlock an encrypted disk then using your regular host keys exposes the private keys on your unencrypted boot partition.

Type: list of (string or path)

Default

[ ]

Example

[ "/etc/secrets/initrd/ssh_host_rsa_key" "/etc/secrets/initrd/ssh_host_ed25519_key" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-ssh.nix
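
The following configuration is an added example, not part of the NixOS manual or nixpkgs: it combines the initrd SSH options above with a LUKS root device so the disk can be unlocked remotely using dedicated initrd host keys, as the warning requires. The NIC module name, the port, and the authorized key are placeholder assumptions; the device UUID and key paths are the example values used on this page.

```nix
{ config, lib, pkgs, ... }:
{
  # Assumption: driver for this machine's network card. Find yours with
  #   lspci -v | grep -iA8 'network\|ethernet'
  boot.initrd.availableKernelModules = [ "e1000e" ];

  boot.initrd.network = {
    enable = true;

    ssh = {
      enable = true;

      # Assumption: a port different from the stage-2 sshd, so clients can
      # pin the initrd host key separately from the regular host key.
      port = 2222;

      # Dedicated keys created with the ssh-keygen commands shown above.
      # Never list the regular /etc/ssh host keys here: they would end up
      # in the Nix store or on the unencrypted boot partition.
      hostKeys = [
        "/etc/secrets/initrd/ssh_host_rsa_key"
        "/etc/secrets/initrd/ssh_host_ed25519_key"
      ];

      # Placeholder public key. Setting this explicitly keeps the set of
      # people who can reach the initrd shell independent of the keys
      # authorized for root in stage 2 (the default).
      authorizedKeys = [
        "ssh-ed25519 AAAA...placeholder... admin@example"
      ];
    };
  };

  # Encrypted root device that is unlocked from the initrd SSH session.
  boot.initrd.luks.devices.luksroot = {
    device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08";
    allowDiscards = false; # default; TRIM has security implications
  };
}
```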

boot.initrd.network.ssh.ignoreEmptyHostKeys

Allow leaving config.boot.initrd.network.ssh.hostKeys empty, to deploy ssh host keys out of band.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-ssh.nix

boot.initrd.network.ssh.port

Port on which SSH initrd service should listen.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default

22

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-ssh.nix

boot.initrd.network.ssh.shell

Login shell of the remote user. Can be used to limit the actions the user can perform.

Type: null or string

Default

"\"/bin/ash\""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-ssh.nix

boot.initrd.network.udhcpc.enable

Enables the udhcpc service during stage 1 of the boot process. This defaults to networking.useDHCP. Therefore, this is useful if useDHCP is off but the initramfs should do DHCP.

Type: boolean

Default

"networking.useDHCP"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-network.nix

boot.initrd.network.udhcpc.extraArgs

Additional command-line arguments passed verbatim to udhcpc if boot.initrd.network.enable and boot.initrd.network.udhcpc.enable are enabled.

Type: list of string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/initrd-network.nix

boot.initrd.postDeviceCommands

Shell commands to be executed immediately after stage 1 of the boot has loaded kernel modules and created device nodes in /dev.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.postMountCommands

Shell commands to be executed immediately after the stage 1 filesystems have been mounted.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.postResumeCommands

Shell commands to be executed immediately after attempting to resume.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.preDeviceCommands

Shell commands to be executed before udev is started to create device nodes.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.preFailCommands

Shell commands to be executed before the failure prompt is shown.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.preLVMCommands

Shell commands to be executed immediately before LVM discovery.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.prepend

Other initrd files to prepend to the final initrd we are building.

Type: list of string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.secrets

Secrets to append to the initrd. The attribute name is the path the secret should have inside the initrd, the value is the path it should be copied from (or null for the same path inside and out).

Note that nixos-rebuild switch will generate the initrd also for past generations, so if secrets are moved or deleted you will also have to garbage collect the generations that use those secrets.

Type: attribute set of (null or path)

Default

{ }

Example

{ "/etc/dropbear/dropbear_rsa_host_key" = ./secret-dropbear-key; }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.services.bcache.enable

This will only be used when systemd is used in stage 1.

Whether to enable bcache support in the initrd.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/tasks/bcache.nix

boot.initrd.services.lvm.enable

This will only be used when systemd is used in stage 1.

Whether to enable booting from LVM2 in the initrd.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/tasks/lvm.nix

boot.initrd.services.resolved.enable

Whether to enable resolved for stage 1 networking. Uses the toplevel 'services.resolved' options for 'resolved.conf'

Type: unspecified value

Default

"config.boot.initrd.systemd.network.enable"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/resolved.nix

boot.initrd.services.udev.binPackages

This will only be used when systemd is used in stage 1.

Packages to search for binaries that are referenced by the udev rules in stage 1. This list always contains /bin of the initrd.

Type: list of path

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/hardware/udev.nix

boot.initrd.services.udev.packages

This will only be used when systemd is used in stage 1.

List of packages containing udev rules that will be copied to stage 1. All files found in «pkg»/etc/udev/rules.d and «pkg»/lib/udev/rules.d will be included.

Type: list of path

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/hardware/udev.nix

boot.initrd.services.udev.rules

udev rules to include in the initrd only. They'll be written into the file 99-local.rules. Thus they are read and applied after the essential initrd rules.

Type: strings concatenated with "\n"

Default

""

Example

''
  SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1D:60:B9:6D:4F", KERNEL=="eth*", NAME="my_fast_network_card"
''

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/hardware/udev.nix

boot.initrd.supportedFilesystems

Names of supported filesystem types, or an attribute set of file system types and their state. The set form may be used together with lib.mkForce to explicitly disable support for specific filesystems, e.g. to disable ZFS with an unsupported kernel.

Type: (attribute set of boolean) or (list of string) convertible to it

Default

{ }

Example

{ btrfs = true; zfs = lib.mkForce false; }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix

boot.initrd.systemd.additionalUpstreamUnits

Additional units shipped with systemd that shall be enabled.

Type: list of string

Default

[ ]

Example

[ "debug-shell.service" "systemd-quotacheck.service" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.automounts

Definition of systemd automount units. This is a list instead of an attrSet, because systemd mandates the names to be derived from the 'where' attribute.

Type: list of (submodule)

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.contents

Set of files that have to be linked into the initrd.

Type: attribute set of (submodule)

Default

{ }

Example

{ "/etc/hostname".text = "mymachine"; }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.contents.<name>.enable

Whether to enable copying of this file and symlinking it.

Type: boolean

Default

true

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.contents.<name>.source

Path of the source file.

Type: path

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.contents.<name>.target

Path of the symlink.

Type: path

Default

"‹name›"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.contents.<name>.text

Text of the file.

Type: null or strings concatenated with "\n"

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.dbus.enable

Whether to enable dbus in stage 1.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/system/dbus.nix

boot.initrd.systemd.emergencyAccess

Set to true for unauthenticated emergency access, and false for no emergency access.

Can also be set to a hashed super user password to allow authenticated access to the emergency mode.

Type: boolean or null or (string, not containing newlines or colons)

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.enable

Whether to enable systemd in initrd. The unit options such as boot.initrd.systemd.services are the same as their stage 2 counterparts such as systemd.services, except that restartTriggers and reloadTriggers are not supported.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.enableTpm2

Whether to enable TPM2 support in the initrd.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.extraBin

Tools to add to /bin

Type: attribute set of path

Default

{ }

Example

{ umount = "${pkgs.util-linux}/bin/umount"; }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.extraConfig

Extra config options for systemd. See systemd-system.conf(5) man page for available options.

Type: strings concatenated with "\n"

Default

""

Example

"DefaultLimitCORE=infinity"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.groups

Groups to include in initrd.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/users-groups.nix

boot.initrd.systemd.groups.<name>.gid

ID of the group in initrd.

Type: signed integer

Default

config.users.groups.${name}.gid

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/users-groups.nix

boot.initrd.systemd.initrdBin

Packages to include in /bin for the stage 1 emergency shell.

Type: list of package

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix
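
The three modes of boot.initrd.systemd.emergencyAccess described above, combined with initrdBin, as an added configuration example (not taken from nixpkgs). The hash string is a constructed placeholder and the choice of pkgs.cryptsetup is an assumption.

```nix
{ pkgs, ... }:
{
  # The boot.initrd.systemd.* options only apply to the systemd-based stage 1.
  boot.initrd.systemd.enable = true;

  # Weak: a failed stage 1 drops to a root shell without asking for any
  # credential, so physical or console access is enough.
  # boot.initrd.systemd.emergencyAccess = true;

  # Default: no emergency access at all.
  # boot.initrd.systemd.emergencyAccess = false;

  # Authenticated: emergency mode asks for the super user password that
  # matches this hash. The value below is a constructed placeholder; put a
  # real hash here (for example one produced by `mkpasswd`). Per the option
  # type it must not contain newlines or colons.
  boot.initrd.systemd.emergencyAccess = "<hashed-password-placeholder>";

  # Keep the emergency shell's tool set to what recovery needs.
  # pkgs.cryptsetup is an assumed choice for machines with LUKS volumes.
  boot.initrd.systemd.initrdBin = [ pkgs.cryptsetup ];
}
```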

boot.initrd.systemd.managerEnvironment

Environment variables of PID 1. These variables are not passed to started units.

Type: attribute set of (null or string or path or package)

Default

{ }

Example

{SYSTEMD_LOG_LEVEL = "debug";}

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.mounts

Definition of systemd mount units. This is a list instead of an attrSet, because systemd mandates the names to be derived from the 'where' attribute.

Type: list of (submodule)

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.network.config

Definition of global systemd network config.

Type: submodule

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/networkd.nix

boot.initrd.systemd.network.enable

Whether to enable networkd or not.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/networkd.nix

boot.initrd.systemd.network.links

Definition of systemd network links.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/networkd.nix

boot.initrd.systemd.network.netdevs

Definition of systemd network devices.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/networkd.nix

boot.initrd.systemd.network.networks

Definition of systemd networks.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/networkd.nix

boot.initrd.systemd.network.wait-online.anyInterface

Whether to consider the network online when any interface is online, as opposed to all of them. This is useful on portable machines with a wired and a wireless interface, for example.

This is on by default if networking.useDHCP is enabled.

Type: boolean

Default

config.networking.useDHCP

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/networkd.nix

boot.initrd.systemd.network.wait-online.enable

Whether to enable the systemd-networkd-wait-online service.

systemd-networkd-wait-online can time out and fail if there are no network interfaces available for it to manage. When systemd-networkd is enabled but a different service is responsible for managing the system's internet connection (for example, NetworkManager or connman is used to manage WiFi connections), this service is unnecessary and can be disabled.

Type: boolean

Default

true

Example

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/networkd.nix

boot.initrd.systemd.network.wait-online.extraArgs

Extra command-line arguments to pass to systemd-networkd-wait-online. These also affect per-interface systemd-networkd-wait-online@ services.

See systemd-networkd-wait-online.service(8) for all available options.

Type: list of string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/networkd.nix

boot.initrd.systemd.network.wait-online.ignoredInterfaces

Network interfaces to be ignored when deciding if the system is online.

Type: list of string

Default

[ ]

Example

["wg0"]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/networkd.nix

boot.initrd.systemd.network.wait-online.timeout

Time to wait for the network to come online, in seconds. Set to 0 to disable.

Type: unsigned integer, meaning >=0

Default

120

Example

0

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/networkd.nix

boot.initrd.systemd.package

The systemd package to use.

Type: package

Default

config.systemd.package

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.packages

Packages providing systemd units and hooks.

Type: list of package

Default

[ ]

Example

[ pkgs.systemd-cryptsetup-generator ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.paths

Definition of systemd path units.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.repart.device

The device to operate on.

If device == null, systemd-repart will operate on the device backing the root partition. So in order to dynamically create the root partition in the initrd you need to set a device.

Type: null or string

Default

null

Example

"/dev/vda"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/repart.nix

boot.initrd.systemd.repart.enable

Grow and add partitions to a partition table at boot time in the initrd. systemd-repart only works with GPT partition tables.

To run systemd-repart after the initrd, see systemd.repart.enable.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/repart.nix

boot.initrd.systemd.root

Controls how systemd will interpret the root FS in initrd. See kernel-command-line(7). NixOS currently does not allow specifying the root file system itself this way. Instead, the fstab value is used in order to interpret the root file system specified with the fileSystems option.

Type: one of "fstab", "gpt-auto"

Default

"fstab"

Example

"gpt-auto"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.services

Definition of systemd service units.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.slices

Definition of slice configurations.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.sockets

Definition of systemd socket units.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.storePaths

Store paths to copy into the initrd as well.

Type: list of ((optionally newline-terminated) single-line string or package)

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.strip

Whether to completely strip executables and libraries copied to the initramfs.

Setting this to false may save on the order of 30MiB on the machine building the system (by avoiding a binutils reference), at the cost of ~1MiB of initramfs size. This puts this option firmly in the territory of micro-optimisation.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.suppressedStorePaths

Store paths specified in the storePaths option that should not be copied.

Type: list of (optionally newline-terminated) single-line string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.suppressedUnits

A list of units to skip when generating the system systemd configuration directory. This has priority over upstream units, boot.initrd.systemd.units, and boot.initrd.systemd.additionalUpstreamUnits. The main purpose of this is to prevent an upstream systemd unit from being added to the initrd with any modifications made to it by other NixOS modules.

Type: list of string

Default

[ ]

Example

["systemd-backlight@.service"]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.targets

Definition of systemd target units.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.timers

Definition of systemd timer units.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.units

Definition of systemd units.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/systemd/initrd.nix

boot.initrd.systemd.users

Users to include in initrd.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/users-groups.nix

boot.initrd.systemd.users.<name>.group

Group the user belongs to in initrd.

Type: (optionally newline-terminated) single-line string

Default

config.users.users.${name}.group

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/users-groups.nix

boot.initrd.systemd.users.<name>.shell

The path to the user's shell in initrd.

Type: path, not containing newlines or colons

Default

${pkgs.shadow}/bin/nologin

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/users-groups.nix

boot.initrd.systemd.users.<name>.uid

ID of the user in initrd.

Type: signed integer

Default

config.users.users.${name}.uid

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/config/users-groups.nix

boot.initrd.unl0kr.enable

Whether to enable the unl0kr on-screen keyboard in initrd to unlock LUKS.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/unl0kr.nix

boot.initrd.verbose

Verbosity of the initrd. Please note that disabling verbosity removes only the mandatory messages generated by the NixOS scripts. For a completely silent boot, you might also want to set the two following configuration options:

  • boot.consoleLogLevel = 0;
  • boot.kernelParams = [ "quiet" "udev.log_level=3" ];

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/system/boot/stage-1.nix