Additional arguments passed to each module in addition to ones like lib, config, pkgs and modulesPath.

This option is also available to all submodules. Submodules do not inherit args from their parent module, nor do they provide args to their parent module or sibling submodules. The sole exception to this is the argument name, which is provided by parent modules to a submodule and contains the attribute name the submodule is bound to, or a unique generated name if it is not bound to an attribute.

Some arguments are already passed by default, of which the following cannot be changed with this option:

lib: The nixpkgs library.
config: The results of all options after merging the values from all modules together.
options: The options declared in all modules.
specialArgs: The specialArgs argument passed to evalModules.
All attributes of specialArgs: Whereas option values can generally depend on other option values thanks to laziness, this does not apply to imports, which must be computed statically before anything else. For this reason, callers of the module system can provide specialArgs which are available during import resolution. For NixOS, specialArgs includes modulesPath, which allows you to import extra modules from the nixpkgs package tree without having to somehow make the module aware of the location of the nixpkgs or NixOS directories:

    { modulesPath, ... }: {
      imports = [
        (modulesPath + "/profiles/minimal.nix")
      ];
    }

For NixOS, the default value for this option includes at least this argument:

pkgs: The nixpkgs package set according to the nixpkgs.pkgs option.

Type: lazy attribute set of raw value
Declared by:
Default root dir, used by homeDirRoot
Type: string
Default: "$HOME/nixjail"
Declared by:
Configure profiles for the packages list, using the further options to configure them with bwrap
Type: list of (submodule)
Default: [ ]
Declared by:
Packages to be wrapped with bwrap using the configs on the profile
Type: nixpkgs overlay
Default: <function>
Declared by:
Automatically creates a home directory under home_dir_root
Type: boolean
Default: true
Declared by:
Replace the cacert package (requires trim_etc = true)
Type: null or package
Default: null
Declared by:
Enables xdg-dbus-proxy
Type: boolean
Default: false
Declared by:
Enables xdg-dbus-proxy logs
Type: boolean
Default: false
Declared by:
In addition to the basic SEE/TALK/OWN policy, it is possible to specify more complicated rules about what method calls can be made on, and what broadcast signals can be received from, well-known names. A rule can restrict the allowed calls/signals to a specific object path or a subtree of object paths, and it can restrict the allowed interface down to an individual method or signal name.
Rules are specified with the --call and --broadcast options. The RULE in these options determines what interfaces, methods and object paths are allowed. It must be of the form [METHOD][@PATH], where METHOD can be either '*' or a D-Bus interface, possibly with a '.*' suffix, or a fully-qualified method name, and PATH is a D-Bus object path, possibly with a '/*' suffix.
Type: list of string
Default: [ ]
Declared by:
In addition to the basic SEE/TALK/OWN policy, it is possible to specify more complicated rules about what method calls can be made on, and what broadcast signals can be received from, well-known names. A rule can restrict the allowed calls/signals to a specific object path or a subtree of object paths, and it can restrict the allowed interface down to an individual method or signal name.
Rules are specified with the --call and --broadcast options. The RULE in these options determines what interfaces, methods and object paths are allowed. It must be of the form [METHOD][@PATH], where METHOD can be either '*' or a D-Bus interface, possibly with a '.*' suffix, or a fully-qualified method name, and PATH is a D-Bus object path, possibly with a '/*' suffix.
Type: list of string
Default: [ ]
Declared by:
Type: list of string
Default: [ ]
Declared by:
Type: list of string
Default: [ ]
Declared by:
Type: list of string
Default: [ ]
Declared by:
In addition to the basic SEE/TALK/OWN policy, it is possible to specify more complicated rules about what method calls can be made on, and what broadcast signals can be received from, well-known names. A rule can restrict the allowed calls/signals to a specific object path or a subtree of object paths, and it can restrict the allowed interface down to an individual method or signal name.
Rules are specified with the --call and --broadcast options. The RULE in these options determines what interfaces, methods and object paths are allowed. It must be of the form [METHOD][@PATH], where METHOD can be either '*' or a D-Bus interface, possibly with a '.*' suffix, or a fully-qualified method name, and PATH is a D-Bus object path, possibly with a '/*' suffix.
Type: list of string
Default: [ ]
Declared by:
In addition to the basic SEE/TALK/OWN policy, it is possible to specify more complicated rules about what method calls can be made on, and what broadcast signals can be received from, well-known names. A rule can restrict the allowed calls/signals to a specific object path or a subtree of object paths, and it can restrict the allowed interface down to an individual method or signal name.
Rules are specified with the --call and --broadcast options. The RULE in these options determines what interfaces, methods and object paths are allowed. It must be of the form [METHOD][@PATH], where METHOD can be either '*' or a D-Bus interface, possibly with a '.*' suffix, or a fully-qualified method name, and PATH is a D-Bus object path, possibly with a '/*' suffix.
Type: list of string
Default: [ ]
Declared by:
Type: list of string
Default: [ ]
Declared by:
Type: list of string
Default: [ ]
Declared by:
Type: list of string
Default: [ ]
Declared by:
Adds the following read-only binds:
$HOME/.config/mimeapps.list
$HOME/.local/share/applications/mimeapps.list
$HOME/.config/dconf
$HOME/.config/gtk-3.0/settings.ini
$HOME/.config/gtk-4.0/settings.ini
$HOME/.gtkrc-2.0
Type: boolean
Default: true
Declared by:
If true, add --dev-bind-try /dev /dev. This makes every host device node usable inside the sandbox (bwrap's --dev-bind mounts allow device access); prefer the /dev/dri option when only GPU access is needed.
Type: boolean
Default: false
Declared by:
If true, add --dev-bind-try /dev/dri /dev/dri (GPU device nodes only).
Type: boolean
Default: false
Declared by:
Extra command-line arguments passed to bwrap
Type: list of string
Default: [ ]
Declared by:
Root dir for the autoBindHome
Type: string
Default: "$HOME/nixjail"
Declared by:
Add package to environment.systemPackages
Type: boolean
Default: true
Declared by:
Share the host IPC namespace with the sandbox
Type: boolean
Default: false
Declared by:
Fixes “cannot set terminal process group (-1)” by adding --new-session, but is not recommended because of a security issue with TIOCSTI [1]. Note that the bwrap manual describes --new-session (which calls setsid() and detaches the sandbox from the controlling terminal) as the mitigation for TIOCSTI: without it a sandboxed process can feed input to the host terminal through that ioctl, so if --new-session is left off, a seccomp filter blocking TIOCSTI is recommended.
[1] https://wiki.archlinux.org/title/Bubblewrap#New_session
Type: boolean
Default: false
Declared by:
Add ld.so.conf and ld.so.cache symlinks (both 32 and 64 bit glibcs)
Type: boolean
Default: false
Declared by:
If true, add --share-net (the sandbox keeps the host network namespace).
Type: boolean
Default: false
Declared by:
Arguments to pass to the wrapped packages
Type: string
Default: "\"$@\""
Declared by:
Commands to run before the exec of the wrapped program
Type: string
Default: ""
Declared by:
Removes all desktop items from the derivation; requires symlinkJoin = false to work.
Type: boolean
Default: false
Declared by:
Replace /etc/resolv.conf (requires trim_etc = true)
Type: null or string
Default: null
Declared by:
Adds --ro-bind-try $(readlink -mn $${cfg.from} $${cfg.to}) for each entry
Type: list of (string or (submodule))
Default: [ ]
Declared by:
Adds --bind-try $(readlink -mn $${cfg.from} $${cfg.to}) for each entry
Type: list of (string or (submodule))
Default: [ ]
Declared by:
If false, disables merging the generated bwrapped package with the original content (desktop entries, libraries, man pages and the like).
Type: boolean
Default: true
Declared by:
If true, add --bind-try /tmp /tmp (the host /tmp is shared read-write).
Type: boolean
Default: false
Declared by:
Only read-only bind the essential files from /etc
Type: boolean
Default: true
Declared by:
If false, removes --unshare-all. Not recommended: without it the sandbox shares the host's user, PID, network, IPC, UTS and cgroup namespaces.
Type: boolean
Default: true
Declared by:
If true, add --bind-try $XDG_RUNTIME_DIR $XDG_RUNTIME_DIR; the value "ro" binds it read-only instead.
Type: boolean or value “ro” (singular enum)
Default: false
Declared by:
Default root dir, used by homeDirRoot
Type: string
Default: "$HOME/nixjail"
Declared by:
Configure profiles for the packages list, using the further options to configure them with bwrap
Type: list of (submodule)
Default: [ ]
Declared by:
Automatically creates a home directory under home_dir_root
Type: boolean
Default: true
Declared by:
Replace the cacert package (requires trim_etc = true)
Type: null or package
Default: null
Declared by:
Enables xdg-dbus-proxy
Type: boolean
Default: false
Declared by:
Enables xdg-dbus-proxy logs
Type: boolean
Default: false
Declared by:
In addition to the basic SEE/TALK/OWN policy, it is possible to specify more complicated rules about what method calls can be made on, and what broadcast signals can be received from, well-known names. A rule can restrict the allowed calls/signals to a specific object path or a subtree of object paths, and it can restrict the allowed interface down to an individual method or signal name.
Rules are specified with the --call and --broadcast options. The RULE in these options determines what interfaces, methods and object paths are allowed. It must be of the form [METHOD][@PATH], where METHOD can be either '*' or a D-Bus interface, possibly with a '.*' suffix, or a fully-qualified method name, and PATH is a D-Bus object path, possibly with a '/*' suffix.
Type: list of string
Default: [ ]
Declared by:
In addition to the basic SEE/TALK/OWN policy, it is possible to specify more complicated rules about what method calls can be made on, and what broadcast signals can be received from, well-known names. A rule can restrict the allowed calls/signals to a specific object path or a subtree of object paths, and it can restrict the allowed interface down to an individual method or signal name.
Rules are specified with the --call and --broadcast options. The RULE in these options determines what interfaces, methods and object paths are allowed. It must be of the form [METHOD][@PATH], where METHOD can be either '*' or a D-Bus interface, possibly with a '.*' suffix, or a fully-qualified method name, and PATH is a D-Bus object path, possibly with a '/*' suffix.
Type: list of string
Default: [ ]
Declared by:
Type: list of string
Default: [ ]
Declared by:
Type: list of string
Default: [ ]
Declared by:
Type: list of string
Default: [ ]
Declared by:
In addition to the basic SEE/TALK/OWN policy, it is possible to specify more complicated rules about what method calls can be made on, and what broadcast signals can be received from, well-known names. A rule can restrict the allowed calls/signals to a specific object path or a subtree of object paths, and it can restrict the allowed interface down to an individual method or signal name.
Rules are specified with the --call and --broadcast options. The RULE in these options determines what interfaces, methods and object paths are allowed. It must be of the form [METHOD][@PATH], where METHOD can be either '*' or a D-Bus interface, possibly with a '.*' suffix, or a fully-qualified method name, and PATH is a D-Bus object path, possibly with a '/*' suffix.
Type: list of string
Default: [ ]
Declared by:
In addition to the basic SEE/TALK/OWN policy, it is possible to specify more complicated rules about what method calls can be made on, and what broadcast signals can be received from, well-known names. A rule can restrict the allowed calls/signals to a specific object path or a subtree of object paths, and it can restrict the allowed interface down to an individual method or signal name.
Rules are specified with the --call and --broadcast options. The RULE in these options determines what interfaces, methods and object paths are allowed. It must be of the form [METHOD][@PATH], where METHOD can be either '*' or a D-Bus interface, possibly with a '.*' suffix, or a fully-qualified method name, and PATH is a D-Bus object path, possibly with a '/*' suffix.
Type: list of string
Default: [ ]
Declared by:
Type: list of string
Default: [ ]
Declared by:
Type: list of string
Default: [ ]
Declared by:
Type: list of string
Default: [ ]
Declared by:
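The --call and --broadcast rule options above (on both option sets of this page) share the NAME=[METHOD][@PATH] grammar quoted from the xdg-dbus-proxy manual. The following is an added example, not code from nixjail or from xdg-dbus-proxy: a small parser for that grammar plus a matcher that says whether a given method call or signal would be covered by a list of rules. The matching semantics are this example's reading of the manual text (an interface with a ".*" suffix covers every member, a bare "org.x.Iface.Member" covers one member, "/a/b/*" covers /a/b and everything below it); the proxy's own parser is not shown on the page. All bus names and calls are constructed sample data.

```python
"""Parse and evaluate xdg-dbus-proxy --call / --broadcast rules.

Added example for this page; not code from nixjail or xdg-dbus-proxy.
Implements the documented grammar NAME=[METHOD][@PATH]; matching semantics
are this example's reading of the man page text (see rule_matches()).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# D-Bus naming: elements of a well-known name may contain '-', interface and
# member names may not; object path elements are [A-Za-z0-9_].
WELL_KNOWN_NAME_RE = re.compile(r"^[A-Za-z_-][A-Za-z0-9_-]*(\.[A-Za-z_-][A-Za-z0-9_-]*)+$")
INTERFACE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$")
MEMBER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
OBJECT_PATH_RE = re.compile(r"^/([A-Za-z0-9_]+(/[A-Za-z0-9_]+)*)?$")


@dataclass(frozen=True)
class Rule:
    name: str                 # well-known bus name the rule is attached to
    interface: Optional[str]  # None: any interface
    member: Optional[str]     # None: any method/signal of that interface
    path: str                 # object path; "/" when the rule has no @PATH
    subtree: bool             # True when PATH ended in "/*" (or was absent)


def parse_rule(spec: str) -> Rule:
    """Parse one NAME=[METHOD][@PATH] argument as given to --call/--broadcast."""
    name, sep, rule = spec.partition("=")
    if not sep or not WELL_KNOWN_NAME_RE.match(name):
        raise ValueError(f"rule needs a well-known bus name before '=': {spec!r}")
    method, at, path = rule.partition("@")

    interface = member = None
    if method not in ("", "*"):
        iface, dot, last = method.rpartition(".")
        if not dot or not INTERFACE_RE.match(iface):
            raise ValueError(f"METHOD must be '*', IFACE.* or IFACE.Member: {spec!r}")
        interface = iface
        if last != "*":
            if not MEMBER_RE.match(last):
                raise ValueError(f"invalid member name in {spec!r}")
            member = last

    if not at or path == "":
        return Rule(name, interface, member, "/", True)  # no path restriction
    subtree = path.endswith("/*")
    if subtree:
        path = path[:-2] or "/"
    if not OBJECT_PATH_RE.match(path):
        raise ValueError(f"invalid object path in {spec!r}")
    return Rule(name, interface, member, path, subtree)


def rule_matches(rule: Rule, name: str, interface: str, member: str, path: str) -> bool:
    """True if the (name, interface, member, path) call or signal is covered by rule."""
    if rule.name != name:
        return False
    if rule.interface is not None and rule.interface != interface:
        return False
    if rule.member is not None and rule.member != member:
        return False
    if rule.subtree:
        return path == rule.path or path.startswith(rule.path.rstrip("/") + "/")
    return path == rule.path


def is_allowed(rules: List[Rule], name: str, interface: str, member: str, path: str) -> bool:
    """Rules only ever add permissions, so one covering rule is enough."""
    return any(rule_matches(r, name, interface, member, path) for r in rules)


# Constructed sample policy: notifications may be sent but not closed or
# queried, and the whole OpenURI portal interface is reachable.
SAMPLE_CALL_RULES = [
    "org.freedesktop.Notifications=org.freedesktop.Notifications.Notify@/org/freedesktop/Notifications",
    "org.freedesktop.portal.Desktop=org.freedesktop.portal.OpenURI.*@/org/freedesktop/portal/desktop",
]


def check_sample_policy() -> dict:
    rules = [parse_rule(s) for s in SAMPLE_CALL_RULES]
    n, d = "org.freedesktop.Notifications", "org.freedesktop.portal.Desktop"
    return {
        "notify": is_allowed(rules, n, n, "Notify", "/org/freedesktop/Notifications"),
        "close": is_allowed(rules, n, n, "CloseNotification", "/org/freedesktop/Notifications"),
        "open_uri": is_allowed(rules, d, "org.freedesktop.portal.OpenURI", "OpenURI", "/org/freedesktop/portal/desktop"),
        "screenshot": is_allowed(rules, d, "org.freedesktop.portal.Screenshot", "Screenshot", "/org/freedesktop/portal/desktop"),
    }


if __name__ == "__main__":
    for call, ok in check_sample_policy().items():
        print(f"{call:11s} {'ALLOW' if ok else 'DENY'}")
```

Feeding a proposed rule list through parse_rule() before it reaches the module catches malformed entries (a missing NAME= prefix, a member without its interface) that would otherwise only surface as a proxy start-up error, and the matcher lets you confirm that a rule written for one method really does not widen to the whole interface.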
Adds the following read-only binds:
$HOME/.config/mimeapps.list
$HOME/.local/share/applications/mimeapps.list
$HOME/.config/dconf
$HOME/.config/gtk-3.0/settings.ini
$HOME/.config/gtk-4.0/settings.ini
$HOME/.gtkrc-2.0
Type: boolean
Default: true
Declared by:
If true, add --dev-bind-try /dev /dev. This makes every host device node usable inside the sandbox (bwrap's --dev-bind mounts allow device access); prefer the /dev/dri option when only GPU access is needed.
Type: boolean
Default: false
Declared by:
If true, add --dev-bind-try /dev/dri /dev/dri (GPU device nodes only).
Type: boolean
Default: false
Declared by:
Extra command-line arguments passed to bwrap
Type: list of string
Default: [ ]
Declared by:
Root dir for the autoBindHome
Type: string
Default: "$HOME/nixjail"
Declared by:
Add package to environment.systemPackages
Type: boolean
Default: true
Declared by:
Share the host IPC namespace with the sandbox
Type: boolean
Default: false
Declared by:
Fixes “cannot set terminal process group (-1)” by adding --new-session, but is not recommended because of a security issue with TIOCSTI [1]. Note that the bwrap manual describes --new-session (which calls setsid() and detaches the sandbox from the controlling terminal) as the mitigation for TIOCSTI: without it a sandboxed process can feed input to the host terminal through that ioctl, so if --new-session is left off, a seccomp filter blocking TIOCSTI is recommended.
[1] https://wiki.archlinux.org/title/Bubblewrap#New_session
Type: boolean
Default: false
Declared by:
Add ld.so.conf and ld.so.cache symlinks (both 32 and 64 bit glibcs)
Type: boolean
Default: false
Declared by:
Packages installed once on x86 systems and twice on x86_64 systems. On x86 they are merged with packages from targetPkgs. On x86_64 they are added to targetPkgs and in addition their 32-bit versions are also installed. The final directory structure looks as follows:
/lib32 will include 32-bit libraries from multiPkgs
/lib64 will include 64-bit libraries from multiPkgs and targetPkgs
/lib will link to /lib32
Type: function that evaluates to a(n) list of package
Default: <function>
Declared by:
Name of the FHS environment
Type: string
Default: null
Declared by:
If true, add --share-net (the sandbox keeps the host network namespace).
Type: boolean
Default: false
Declared by:
Arguments to pass to the wrapped packages
Type: string
Default: "\"$@\""
Declared by:
Commands to run before the exec of the wrapped program
Type: string
Default: ""
Declared by:
Script to run when configuring the FHS environment
Type: string
Default: ""
Declared by:
Replace /etc/resolv.conf (requires trim_etc = true)
Type: null or string
Default: null
Declared by:
Adds --ro-bind-try $(readlink -mn $${cfg.from} $${cfg.to}) for each entry
Type: list of (string or (submodule))
Default: [ ]
Declared by:
Script to run when starting the FHS environment
Type: string
Default: "$TERM"
Declared by:
Adds --bind-try $(readlink -mn $${cfg.from} $${cfg.to}) for each entry
Type: list of (string or (submodule))
Default: [ ]
Declared by:
Packages that will only be installed once, matching the host's architecture (64-bit on x86_64 and 32-bit on x86)
Type: function that evaluates to a(n) list of package
Default: <function>
Declared by:
If true, add --bind-try /tmp /tmp (the host /tmp is shared read-write).
Type: boolean
Default: false
Declared by:
Only read-only bind the essential files from /etc
Type: boolean
Default: true
Declared by:
If false, removes --unshare-all. Not recommended: without it the sandbox shares the host's user, PID, network, IPC, UTS and cgroup namespaces.
Type: boolean
Default: true
Declared by:
If true, add --bind-try $XDG_RUNTIME_DIR $XDG_RUNTIME_DIR; the value "ro" binds it read-only instead.
Type: boolean or value “ro” (singular enum)
Default: false
Declared by:
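Both profile option sets on this page (the bwrap one and the FHS one) describe the same sandbox knobs by the bwrap flag each adds, plus a few dependencies between options (cacert and resolv.conf replacement need trim_etc = true; removing desktop items needs symlinkJoin = false; the runtime-dir option takes true, false or "ro"). The following is an added example, not nixjail's own wrapper script: it renders the bwrap argv a profile would produce and audits the settings that widen the sandbox, so a weak profile and a hardened one can be compared on the actual command line. Option names the page shows (trim_etc, symlinkJoin, autoBindHome, homeDirRoot) are used as-is; the other keys (unshare, net, dev, dri, tmp, xdgRuntime, newSession, bindDesktopConfig, removeDesktopItems, cacert, resolvConf, roBinds, rwBinds, extraArgs), the per-package home layout under homeDirRoot, and the HOME/XDG_RUNTIME_DIR values are this example's assumptions.

```python
"""Render and audit a bwrap command line from a nixjail-style profile.

Added example for this page, not nixjail's own wrapper script. Each key maps
to the bwrap flag its option description names; keys other than trim_etc,
symlinkJoin, autoBindHome and homeDirRoot are names chosen for this example.
"""
import shlex
from string import Template
from typing import Dict, List, Union

BindSpec = Union[str, Dict[str, str]]  # "path" (same src/dst) or {"from": .., "to": ..}

DESKTOP_CONFIG_FILES = [  # the read-only binds listed on the page
    "$HOME/.config/mimeapps.list", "$HOME/.local/share/applications/mimeapps.list",
    "$HOME/.config/dconf", "$HOME/.config/gtk-3.0/settings.ini",
    "$HOME/.config/gtk-4.0/settings.ini", "$HOME/.gtkrc-2.0",
]

DEFAULTS = {  # the documented defaults
    "unshare": True, "net": False, "dev": False, "dri": False, "tmp": False,
    "xdgRuntime": False, "newSession": False, "autoBindHome": True,
    "homeDirRoot": "$HOME/nixjail", "bindDesktopConfig": True, "trim_etc": True,
    "symlinkJoin": True, "removeDesktopItems": False, "cacert": None,
    "resolvConf": None, "roBinds": [], "rwBinds": [], "extraArgs": [],
}


def validate(p: dict) -> List[str]:
    """Check the dependencies the option descriptions state."""
    errors = []
    if (p["cacert"] or p["resolvConf"]) and not p["trim_etc"]:
        errors.append("cacert / resolvConf replacement requires trim_etc = true")
    if p["removeDesktopItems"] and p["symlinkJoin"]:
        errors.append("removing desktop items requires symlinkJoin = false")
    if p["xdgRuntime"] not in (True, False, "ro"):
        errors.append('xdgRuntime must be true, false or "ro"')
    return errors


def bwrap_args(profile: dict, name: str = "app", home: str = "/home/user",
               runtime_dir: str = "/run/user/1000") -> List[str]:
    """Return the bwrap argv (without the wrapped program) for a profile."""
    p = {**DEFAULTS, **profile}
    errors = validate(p)
    if errors:
        raise ValueError("; ".join(errors))

    def sub(s: str) -> str:  # expand $HOME / $XDG_RUNTIME_DIR with the sample values
        return Template(s).safe_substitute(HOME=home, XDG_RUNTIME_DIR=runtime_dir)

    def bind(flag: str, spec: BindSpec) -> List[str]:
        src, dst = (spec, spec) if isinstance(spec, str) else (spec["from"], spec["to"])
        return [flag, sub(src), sub(dst)]

    args = ["bwrap"]
    if p["unshare"]:  # baseline: every namespace unshared, network re-shared on request
        args += ["--unshare-all"] + (["--share-net"] if p["net"] else [])
    if not p["trim_etc"]:  # the page does not list its "essential" subset; show the wide case
        args += ["--ro-bind", "/etc", "/etc"]
    if p["autoBindHome"]:  # per-package home under homeDirRoot (assumed layout)
        args += ["--bind-try", sub(f'{p["homeDirRoot"]}/{name}'), sub("$HOME")]
    if p["bindDesktopConfig"]:
        for f in DESKTOP_CONFIG_FILES:
            args += ["--ro-bind-try", sub(f), sub(f)]
    for spec in p["roBinds"]:
        args += bind("--ro-bind-try", spec)
    for spec in p["rwBinds"]:
        args += bind("--bind-try", spec)
    if p["tmp"]:
        args += ["--bind-try", "/tmp", "/tmp"]
    if p["xdgRuntime"]:  # True: read-write, "ro": read-only
        flag = "--ro-bind-try" if p["xdgRuntime"] == "ro" else "--bind-try"
        args += [flag, runtime_dir, runtime_dir]
    if p["dev"]:
        args += ["--dev-bind-try", "/dev", "/dev"]
    elif p["dri"]:
        args += ["--dev-bind-try", "/dev/dri", "/dev/dri"]
    if p["newSession"]:
        args.append("--new-session")
    return args + list(p["extraArgs"])


def audit(profile: dict) -> List[str]:
    """Flag settings that widen the sandbox beyond the documented defaults."""
    p = {**DEFAULTS, **profile}
    w = []
    if not p["unshare"]:
        w.append("unshare=false: host user, PID, net, IPC, UTS and cgroup namespaces shared")
    if p["dev"]:
        w.append("dev=true: every host device node usable in the sandbox; prefer dri")
    if p["xdgRuntime"] is True:
        w.append("xdgRuntime=true: read-write access to every session socket in $XDG_RUNTIME_DIR")
    if not p["trim_etc"]:
        w.append("trim_etc=false: whole host /etc visible")
    return w


if __name__ == "__main__":
    weak = {"unshare": False, "dev": True, "xdgRuntime": True, "trim_etc": False}
    hardened = {"dri": True, "xdgRuntime": "ro",
                "roBinds": [{"from": "$HOME/Downloads", "to": "$HOME/Downloads"}]}
    for prof in (weak, hardened):
        print(shlex.join(bwrap_args(prof)))
        print("  warnings:", "; ".join(audit(prof)) or "none")
```

Running the two sample profiles side by side shows why the defaults are what they are: the weak profile yields a bwrap line with no --unshare-* flag at all and a full /dev, while the hardened one keeps --unshare-all, exposes only /dev/dri, mounts the runtime directory read-only and adds one explicit read-only bind. The validate() step mirrors the constraints stated in the option descriptions, so a profile that sets cacert without trim_etc is rejected before any command line is built.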