activation.autoStart

Whether to enable starting the container on hypervisor boot.

Type: boolean

Default:

true

Example:

true

activation.reloadScript

Script to run when a container is supposed to be reloaded.

Type: null or absolute path

Default:

null

activation.strategy

Decide whether to restart or reload the container during activation.

dynamic checks whether the .nspawn unit has changed (apart from the init script); if it has, the container is restarted, otherwise it is reloaded.

Type: one of “none”, “reload”, “restart”, “dynamic”

Default:

"dynamic"

bindMounts

Extra paths to bind into the container. These take the form of “hostPath:containerPath[:options]”.

Type: list of string

Default:

[ ]

bridge

Name of the networking bridge to connect the container to.

Type: null or string

Default:

null

config

NixOS configuration for the container. See configuration.nix(5) for available options.

Only available for declarative containers. Imperative containers can be configured as usual without this option.

Type: NixOS configuration

Default:

{ }

containerNetworkConfig

Extra options to pass to the configuration for the container’s host0 interface.

See systemd.network.networks for a full list of options.

If null, the defaults defined by systemd are used. This results in a network with DHCP, link local addresses and LLDP enabled which is reachable from the host network.

Using this is preferred over adding options via systemd.network.networks.host0 as care has been taken to preserve the default host0 configuration from pkgs.systemd.

Type: null or (attribute set)

Default:

null

credentials

Credentials passed using the LoadCredential= feature of systemd.exec(5). They are handed to the container’s service manager and can be consumed by a service inside the container like

{
  systemd.services."service-name".serviceConfig.LoadCredential = "foo:foo";
}

where foo is the id of the credential passed to the container.

See also systemd-nspawn(1).

Type: list of (submodule)

Default:

[ ]

credentials.*.id

ID of the credential under which the credential can be referenced by services inside the container.

Type: string

credentials.*.path

Path or ID of the credential passed to the container.

Type: string

declarative

Indicates whether this container is declarative or imperative.

Type: boolean

Default:

true

ephemeral

ephemeral means that the container’s rootfs will be wiped before every startup. See systemd.nspawn(5) for further context.

Type: boolean

Default:

false

Example:

true

forwardPorts

Define port-forwarding from a container to host. See the --port section of systemd-nspawn(5) for further information.

Type: list of (submodule)

Default:

[ ]

Example:

[
  { containerPort = 80; hostPort = 8080; protocol = "tcp"; }
]

forwardPorts.*.containerPort

Port to forward on the container-side. If null, the -option will be used.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default:

null

forwardPorts.*.hostPort

Source port on the host-side.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

forwardPorts.*.protocol

Protocol specifier for the port-forward between host and container.

Type: one of “udp”, “tcp”

Default:

"tcp"

hostNetworkConfig

Extra options to pass to the configuration for the hypervisor’s network interface. This only applies to containers using private networking - that is, they are not assigned to a bridge or zone.

See systemd.network.networks for a full list of options.

If null, the defaults defined by systemd are used. This results in a network with a randomly assigned IPv4 subnet and an IPv6 link local address. IPv4 NAT will be enabled and will grant the container internet access.

Using this is preferred over adding options via systemd.network.networks as care has been taken to preserve the default host0 configuration from pkgs.systemd.

Type: null or (attribute set)

Default:

null

mountDaemonSocket

Whether to enable daemon-socket in the container.

Type: boolean

Default:

false

Example:

true

nixpkgs

Path to the nixpkgs-checkout or channel to use for the container. If not provided, the current nixpkgs eval is used.

Only available for declarative containers.

Type: null or absolute path

Default:

null

sharedNix

Warning: Experimental setting! Expect things to break!

With this option disabled, only the needed store-paths will be mounted into the container rather than the entire store.

Type: boolean

Default:

true

systemCallFilter

Whether to filter system calls for the container. Corresponds to SystemCallFilter of systemd.exec(5).

Type: null or string

Default:

null

timeoutStartSec

Timeout for the startup of the container. Corresponds to DefaultTimeoutStartSec of systemd.system(5).

Type: string

Default:

"90s"

userNamespacing

Whether to use user/group namespacing. This will also enable idmapping on core mounts. You may want to disable this if you run into boot issues related to idmap bind mounts.

Type: boolean

Default:

false

zone

Name of the networking zone defined by systemd.nspawn(5).

Type: null or string

Default:

null
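A single declarative container that combines the options above (activation, ephemeral rootfs, user namespacing, syscall filter, read-only bind mount, one forwarded port and a credential consumed via LoadCredential=) into a least-privilege setup, as an added example that is not part of this reference or the module's own code. Assumed: `containers.demo` stands in for the module's real option path, which this page does not give; the host path `/var/lib/demo-data`, the credential file `/run/secrets/api-token` and the service name `demo` are constructed values.

```nix
{ pkgs, ... }:
{
  # Placeholder for the module's container option path (assumption; not on this page).
  containers.demo = {
    declarative = true;
    # Restart only when the .nspawn unit itself changed, otherwise reload.
    activation.strategy = "dynamic";
    activation.autoStart = true;
    timeoutStartSec = "2min";

    # Fresh rootfs on every start; only bind-mounted data survives a restart.
    ephemeral = true;
    # Map container UIDs/GIDs into an unprivileged host range (idmapped mounts).
    userNamespacing = true;
    # systemd syscall group, passed through as SystemCallFilter= (systemd.exec(5)).
    systemCallFilter = "@system-service";

    # hostPath:containerPath[:options]; "ro" keeps the data read-only inside.
    bindMounts = [ "/var/lib/demo-data:/data:ro" ];  # constructed host path
    # Expose only the service port, TCP, from the host into the private network.
    forwardPorts = [
      { containerPort = 8080; hostPort = 8080; protocol = "tcp"; }
    ];
    # Hand the secret in through the service manager instead of the store or rootfs;
    # "api-token" is the id the container-side service refers to.
    credentials = [
      { id = "api-token"; path = "/run/secrets/api-token"; }  # constructed path
    ];

    config = { pkgs, ... }: {
      systemd.services.demo = {
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          DynamicUser = true;
          # Pull in the credential the host passed; it is visible only to this
          # service, under $CREDENTIALS_DIRECTORY (the %d specifier).
          LoadCredential = "api-token:api-token";
          Environment = [ "API_TOKEN_FILE=%d/api-token" ];
          # Refuse to start unless the credential actually arrived, then serve /data.
          ExecStart = "${pkgs.bash}/bin/bash -c 'test -r \"$API_TOKEN_FILE\" && exec ${pkgs.python3}/bin/python3 -m http.server 8080 --directory /data'";
        };
      };
      networking.firewall.allowedTCPPorts = [ 8080 ];
    };
  };
}
```

With `ephemeral = true` and the `:ro` bind option, the only writable state inside the container is the service's own runtime directories; the token never lands in the Nix store or the container image.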