ghaf.boot.loader.systemd-boot-dtb.enable
Whether to enable systemd-boot-dtb.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.development.debug.tools.enable
Whether to enable Debug Tools.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.development.nix-setup.enable
Whether to enable Target Nix config options.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.development.nix-setup.nixpkgs
Path to the nixpkgs repository
Type: null or path
Default:
null
Declared by:
ghaf.development.ssh.daemon.enable
Whether to enable ssh daemon.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.development.usb-serial.enable
Whether to enable USB-Serial.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.firewall.kernel-modules.enable
Whether to enable kernel modules required for firewall.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.givc.enable
Whether to enable gRPC inter-vm communication.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.givc.enableTls
Enable TLS for gRPC communication globally, or disable for debugging.
Type: boolean
Default:
false
Declared by:
ghaf.givc.adminConfig
Admin server configuration.
Type: submodule
Declared by:
ghaf.givc.adminConfig.addr
Address of admin server
Type: string
Declared by:
ghaf.givc.adminConfig.name
Host name of admin server
Type: string
Declared by:
ghaf.givc.adminConfig.port
Port of admin server
Type: string
Declared by:
ghaf.givc.adminConfig.protocol
Protocol of admin server
Type: string
Declared by:
ghaf.givc.appPrefix
Common application path prefix.
Type: string
Default:
"/run/current-system/sw/bin"
Declared by:
ghaf.givc.debug
Whether to enable givc debug mode.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.givc.host.enable
Whether to enable host givc module…
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.givc.idsExtraArgs
Extra arguments for applications when IDS/MITM is enabled.
Type: string
Default:
""
Declared by:
ghaf.graphics.enableDemoApplications
Whether to enable some applications for demoing.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.graphics.boot.enable
Enables graphical boot with plymouth.
Type: boolean
Default:
false
Declared by:
ghaf.graphics.demo-apps.chromium
Include package Chromium browser to menu and system environment
Type: boolean
Default:
false
Declared by:
ghaf.graphics.demo-apps.element-desktop
Include package Element desktop to menu and system environment
Type: boolean
Default:
false
Declared by:
ghaf.graphics.demo-apps.firefox
Include package Firefox browser to menu and system environment
Type: boolean
Default:
false
Declared by:
ghaf.graphics.demo-apps.gala-app
Include package Gala App to menu and system environment
Type: boolean
Default:
false
Declared by:
ghaf.graphics.demo-apps.google-chrome
Include package Google Chrome browser to menu and system environment
Type: boolean
Default:
false
Declared by:
ghaf.graphics.demo-apps.zathura
Include package zathura to menu and system environment
Type: boolean
Default:
false
Declared by:
ghaf.graphics.labwc.enable
Whether to enable labwc.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.graphics.labwc.autolock.enable
Whether to enable screen autolocking.
Type: boolean
Default:
true
Declared by:
ghaf.graphics.labwc.autolock.duration
Timeout for screen autolock in seconds.
Type: signed integer
Default:
300
Declared by:
ghaf.graphics.labwc.autologinUser
Username of the account that will be automatically logged in to the desktop. If unspecified, the login manager is shown as usual.
Type: null or string
Default:
"ghaf"
Declared by:
ghaf.graphics.labwc.extraAutostart
These lines go to the end of labwc autoconfig
Type: string
Default:
""
Declared by:
ghaf.graphics.labwc.frameColouring
List of applications and their frame colours
Type: list of (submodule)
Default:
[
  {
    colour = "#006305";
    identifier = "foot";
  }
]
Declared by:
ghaf.graphics.labwc.frameColouring.*.colour
Colour of the window frame
Type: string
Example:
"#006305"
Declared by:
ghaf.graphics.labwc.frameColouring.*.identifier
Identifier of the application
Type: string
Example:
"foot"
Declared by:
ghaf.graphics.labwc.gtk
Global gtk+ configuration
Type: submodule
Default:
{
colorScheme = "prefer-dark";
fontName = "Cantarell";
fontSize = "11";
iconTheme = "Papirus";
theme = "Adwaita";
}
Declared by:
ghaf.graphics.labwc.gtk.colorScheme
The preferred color scheme for gtk+. Valid values are ‘default’, ‘prefer-dark’, ‘prefer-light’.
Type: one of “default”, “prefer-dark”, “prefer-light”
Example:
"prefer-dark"
Declared by:
ghaf.graphics.labwc.gtk.fontName
The preferred font family.
Type: string
Example:
"Cantarell"
Declared by:
ghaf.graphics.labwc.gtk.fontSize
The preferred default font size.
Type: null or string
Example:
"11"
Declared by:
ghaf.graphics.labwc.gtk.iconTheme
Name of the default icon theme used by gtk+.
Type: string
Example:
"Papirus"
Declared by:
ghaf.graphics.labwc.gtk.theme
Basename of the default theme used by gtk+.
Type: string
Example:
"Adwaita"
Declared by:
ghaf.graphics.labwc.maxDesktops
Max number of virtual desktops.
Type: signed integer
Default:
4
Declared by:
ghaf.graphics.labwc.securityContext
Wayland security context settings
Type: list of (submodule)
Default:
[ ]
Declared by:
ghaf.graphics.labwc.securityContext.*.color
Window frame color
Type: string
Example:
"#006305"
Declared by:
ghaf.graphics.labwc.securityContext.*.identifier
The identifier attached to the security context
Type: string
Declared by:
ghaf.graphics.labwc.wallpaper
Path to the wallpaper image
Type: path
Default:
"/nix/store/hpr4r8z5wms16azg4q40lan1dhk1b0dh-ghaf-artwork-0.1.0/ghaf-desert-sunset.jpg"
Declared by:
ghaf.graphics.launchers
Application launchers to show in the system drawer or launcher.
Type: list of (submodule)
Default:
[ ]
Declared by:
ghaf.graphics.launchers.*.description
Description of the application
Type: string
Default:
"Secured Ghaf Application"
Declared by:
ghaf.graphics.launchers.*.icon
Optional icon for the launcher. If unspecified, the active icon theme will be searched to find an icon matching the launcher name. Can be set to an icon name from the current theme (Papirus) or a full path to an icon file.
Type: null or string
Default:
null
Declared by:
ghaf.graphics.launchers.*.name
Name of the application
Type: string
Declared by:
ghaf.graphics.launchers.*.path
Path to the executable to be launched
Type: path
Declared by:
ghaf.graphics.launchers.*.vm
VM name in case this launches an isolated application.
Type: null or string
Default:
null
Declared by:
ghaf.graphics.login-manager.enable
Whether to enable login manager using greetd.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.guest.kernel.hardening.enable
Enable Ghaf Guest hardening feature
Type: boolean
Default:
false
Declared by:
ghaf.guest.kernel.hardening.graphics.enable
Enable support for Graphics in the Ghaf Guest
Type: boolean
Default:
false
Declared by:
ghaf.hardware.definition.audio.acpiPath
Path to ACPI file to add to a VM
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.audio.kernelConfig
Hardware specific kernel configuration for audio devices
Type: submodule
Default:
{ }
Declared by:
ghaf.hardware.definition.audio.kernelConfig.kernelParams
Hardware specific kernel parameters
Type: list of string
Default:
[ ]
Example:
[
"intel_iommu=on,sm_on"
"iommu=pt"
"module_blacklist=i915"
"acpi_backlight=vendor"
"acpi_osi=linux"
]
Declared by:
ghaf.hardware.definition.audio.kernelConfig.stage1.kernelModules
Hardware specific kernel modules
Type: list of string
Default:
[ ]
Example:
[
"i915"
]
Declared by:
ghaf.hardware.definition.audio.kernelConfig.stage2.kernelModules
Hardware specific kernel modules
Type: list of string
Default:
[ ]
Example:
[
"i915"
]
Declared by:
ghaf.hardware.definition.audio.pciDevices
PCI Devices to passthrough to AudioVM
Type: list of (submodule)
Default:
[ ]
Example:
[
  {
    path = "0000:00:1f.0";
    vendorId = "8086";
    productId = "519d";
  }
  {
    path = "0000:00:1f.3";
    vendorId = "8086";
    productId = "51ca";
  }
  {
    path = "0000:00:1f.4";
    vendorId = "8086";
    productId = "51a3";
  }
  {
    path = "0000:00:1f.5";
    vendorId = "8086";
    productId = "51a4";
  }
]
Declared by:
ghaf.hardware.definition.audio.pciDevices.*.name
PCI device name (optional)
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.audio.pciDevices.*.path
PCI device path
Type: string
Declared by:
ghaf.hardware.definition.audio.pciDevices.*.productId
PCI Product ID (optional)
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.audio.pciDevices.*.vendorId
PCI Vendor ID (optional)
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.audio.removePciDevice
PCI Device path to remove at VM reboot
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.audio.rescanPciDevice
PCI Device path to rescan at VM reboot
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.disks
Disks to format and mount
Type: attribute set of (submodule)
Default:
{ }
Example:
{
disk1.device = "/dev/nvme0n1";
}
Declared by:
ghaf.hardware.definition.disks.<name>.device
Path to the disk
Type: string
Declared by:
ghaf.hardware.definition.gpu.kernelConfig
Hardware specific kernel configuration for gpu devices
Type: submodule
Default:
{ }
Declared by:
ghaf.hardware.definition.gpu.kernelConfig.kernelParams
Hardware specific kernel parameters
Type: list of string
Default:
[ ]
Example:
[
"intel_iommu=on,sm_on"
"iommu=pt"
"module_blacklist=i915"
"acpi_backlight=vendor"
"acpi_osi=linux"
]
Declared by:
ghaf.hardware.definition.gpu.kernelConfig.stage1.kernelModules
Hardware specific kernel modules
Type: list of string
Default:
[ ]
Example:
[
"i915"
]
Declared by:
ghaf.hardware.definition.gpu.kernelConfig.stage2.kernelModules
Hardware specific kernel modules
Type: list of string
Default:
[ ]
Example:
[
"i915"
]
Declared by:
ghaf.hardware.definition.gpu.pciDevices
PCI Devices to passthrough to GuiVM
Type: list of (submodule)
Default:
[ ]
Example:
[{
  path = "0000:00:02.0";
  vendorId = "8086";
  productId = "a7a1";
}]
Declared by:
ghaf.hardware.definition.gpu.pciDevices.*.name
PCI device name (optional)
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.gpu.pciDevices.*.path
PCI device path
Type: string
Declared by:
ghaf.hardware.definition.gpu.pciDevices.*.productId
PCI Product ID (optional)
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.gpu.pciDevices.*.vendorId
PCI Vendor ID (optional)
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.host.kernelConfig
Host kernel configuration
Type: submodule
Default:
{ }
Declared by:
ghaf.hardware.definition.host.kernelConfig.kernelParams
Hardware specific kernel parameters
Type: list of string
Default:
[ ]
Example:
[
"intel_iommu=on,sm_on"
"iommu=pt"
"module_blacklist=i915"
"acpi_backlight=vendor"
"acpi_osi=linux"
]
Declared by:
ghaf.hardware.definition.host.kernelConfig.stage1.kernelModules
Hardware specific kernel modules
Type: list of string
Default:
[ ]
Example:
[
"i915"
]
Declared by:
ghaf.hardware.definition.host.kernelConfig.stage2.kernelModules
Hardware specific kernel modules
Type: list of string
Default:
[ ]
Example:
[
"i915"
]
Declared by:
ghaf.hardware.definition.input.keyboard
Name of the keyboard device(s)
Type: submodule
Default:
{ }
Declared by:
ghaf.hardware.definition.input.keyboard.evdev
List of event devices.
Type: list of string
Default:
[ ]
Declared by:
ghaf.hardware.definition.input.keyboard.name
List of input device names. Can either be a string, or a list of strings. The list option allows binding several input device names to the same evdev. This makes it possible to create one generic hardware definition for multiple SKUs.
Type: list of raw value
Default:
[ ]
Declared by:
ghaf.hardware.definition.input.misc
Name of the misc device(s)
Type: submodule
Default:
{ }
Declared by:
ghaf.hardware.definition.input.misc.evdev
List of event devices.
Type: list of string
Default:
[ ]
Declared by:
ghaf.hardware.definition.input.misc.name
List of input device names. Can either be a string, or a list of strings. The list option allows binding several input device names to the same evdev. This makes it possible to create one generic hardware definition for multiple SKUs.
Type: list of raw value
Default:
[ ]
Declared by:
ghaf.hardware.definition.input.mouse
Name of the mouse device(s)
Type: submodule
Default:
{ }
Declared by:
ghaf.hardware.definition.input.mouse.evdev
List of event devices.
Type: list of string
Default:
[ ]
Declared by:
ghaf.hardware.definition.input.mouse.name
List of input device names. Can either be a string, or a list of strings. The list option allows binding several input device names to the same evdev. This makes it possible to create one generic hardware definition for multiple SKUs.
Type: list of raw value
Default:
[ ]
Declared by:
ghaf.hardware.definition.input.touchpad
Name of the touchpad device(s)
Type: submodule
Default:
{ }
Declared by:
ghaf.hardware.definition.input.touchpad.evdev
List of event devices.
Type: list of string
Default:
[ ]
Declared by:
ghaf.hardware.definition.input.touchpad.name
List of input device names. Can either be a string, or a list of strings. The list option allows binding several input device names to the same evdev. This makes it possible to create one generic hardware definition for multiple SKUs.
Type: list of raw value
Default:
[ ]
Declared by:
ghaf.hardware.definition.name
Name of the hardware
Type: string
Default:
""
Declared by:
ghaf.hardware.definition.network.kernelConfig
Hardware specific kernel configuration for network devices
Type: submodule
Default:
{ }
Declared by:
ghaf.hardware.definition.network.kernelConfig.kernelParams
Hardware specific kernel parameters
Type: list of string
Default:
[ ]
Example:
[
"intel_iommu=on,sm_on"
"iommu=pt"
"module_blacklist=i915"
"acpi_backlight=vendor"
"acpi_osi=linux"
]
Declared by:
ghaf.hardware.definition.network.kernelConfig.stage1.kernelModules
Hardware specific kernel modules
Type: list of string
Default:
[ ]
Example:
[
"i915"
]
Declared by:
ghaf.hardware.definition.network.kernelConfig.stage2.kernelModules
Hardware specific kernel modules
Type: list of string
Default:
[ ]
Example:
[
"i915"
]
Declared by:
ghaf.hardware.definition.network.pciDevices
PCI Devices to passthrough to NetVM
Type: list of (submodule)
Default:
[ ]
Example:
[{
  path = "0000:00:14.3";
  vendorId = "8086";
  productId = "51f1";
}]
Declared by:
ghaf.hardware.definition.network.pciDevices.*.name
PCI device name (optional)
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.network.pciDevices.*.path
PCI device path
Type: string
Declared by:
ghaf.hardware.definition.network.pciDevices.*.productId
PCI Product ID (optional)
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.network.pciDevices.*.vendorId
PCI Vendor ID (optional)
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.skus
List of hardware SKUs (Stock Keeping Unit) covered with this definition
Type: list of string
Default:
[ ]
Declared by:
ghaf.hardware.definition.usb.external
External USB device(s) to passthrough. Requires name, vendorId, and productId.
Type: list of (submodule)
Default:
[ ]
Example:
[
  {
    name = "external-device-1";
    vendorId = "0123";
    productId = "0123";
  }
  {
    name = "external-device-2";
    vendorId = "0123";
    productId = "0123";
  }
]
Declared by:
ghaf.hardware.definition.usb.external.*.hostbus
USB device bus number (optional). If this is set, the hostport must also be set.
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.usb.external.*.hostport
USB device number (optional). If this is set, the hostbus must also be set.
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.usb.external.*.name
USB device name. NOT optional for external devices, in which case it must not contain spaces or extravagant characters.
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.usb.external.*.productId
USB Product ID (optional). If this is set, the vendorId must also be set.
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.usb.external.*.vendorId
USB Vendor ID (optional). If this is set, the productId must also be set.
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.usb.internal
Internal USB device(s) to passthrough.
Each device definition requires a name, and either vendorId and productId, or hostbus and hostport. The latter is useful for addressing devices that may have different vendor and product IDs in the same hardware generation.
Note that internal devices must follow the naming convention to be correctly identified and subsequently used. Current special names are:
- ‘cam0’ for the internal cam0 device
- ‘fpr0’ for the internal fingerprint reader device
Type: list of (submodule)
Default:
[ ]
Example:
[
  {
    name = "cam0";
    vendorId = "0123";
    productId = "0123";
  }
  {
    name = "fpr0";
    hostbus = "3";
    hostport = "3";
  }
]
Declared by:
ghaf.hardware.definition.usb.internal.*.hostbus
USB device bus number (optional). If this is set, the hostport must also be set.
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.usb.internal.*.hostport
USB device number (optional). If this is set, the hostbus must also be set.
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.usb.internal.*.name
USB device name. NOT optional for external devices, in which case it must not contain spaces or extravagant characters.
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.usb.internal.*.productId
USB Product ID (optional). If this is set, the vendorId must also be set.
Type: null or string
Default:
null
Declared by:
ghaf.hardware.definition.usb.internal.*.vendorId
USB Vendor ID (optional). If this is set, the productId must also be set.
Type: null or string
Default:
null
Declared by:
ghaf.hardware.devices.audiovmPCIPassthroughModule
PCI devices to passthrough to the audiovm.
Type: attribute set of anything
Default:
{ }
Declared by:
ghaf.hardware.devices.guivmPCIPassthroughModule
PCI devices to passthrough to the guivm.
Type: attribute set of anything
Default:
{ }
Declared by:
ghaf.hardware.devices.guivmVirtioInputHostEvdevModule
Virtio evdev paths to passthrough to the guivm.
Type: attribute set of anything
Default:
{ }
Declared by:
ghaf.hardware.devices.netvmPCIPassthroughModule
PCI devices to passthrough to the netvm.
Type: attribute set of anything
Default:
{ }
Declared by:
ghaf.hardware.tpm2.enable
Whether to enable TPM2 PKCS#11 interface.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.hardware.usb.external.enable
Whether to enable external USB device(s) passthrough support.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.hardware.usb.external.qemuExtraArgs
Extra arguments to pass to qemu when enabling the external USB device(s). Since there can be several devices that may need to be passed to different machines, the device names are used as keys to access the qemu arguments.
Type: attribute set of anything
Default:
{ }
Example:
{
"device1" = ["-device" "qemu-xhci" "-device" "usb-host,vendorid=0x1234,productid=0x1234"];
"device2" = ["-device" "qemu-xhci" "-device" "usb-host,vendorid=0x0001,productid=0x0001"];
}
Declared by:
ghaf.hardware.usb.internal.enable
Whether to enable internal USB device(s) passthrough support.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.hardware.usb.internal.qemuExtraArgs
Extra arguments to pass to qemu when enabling the internal USB device(s). Since there could be several devices that may need to be passed to different machines, the device names are used as keys to access the qemu arguments. Note that some devices require special names to be used correctly.
Type: attribute set of anything
Default:
{ }
Example:
{
"device1" = ["-device" "qemu-xhci" "-device" "usb-host,vendorid=0x1234,productid=0x1234"];
"device2" = ["-device" "qemu-xhci" "-device" "usb-host,vendorid=0x0001,productid=0x0001"];
}
Declared by:
ghaf.hardware.usb.vhotplug.enable
Whether to enable hot plugging of USB devices.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.hardware.usb.vhotplug.enableEvdevPassthrough
Enable passthrough of non-USB input devices on startup using QEMU virtio-input-host-pci device.
Type: boolean
Default:
true
Declared by:
ghaf.hardware.usb.vhotplug.pcieBusPrefix
PCIe bus prefix used for the pcie-root-port QEMU device when evdev passthrough is enabled.
Type: null or string
Default:
"rp"
Declared by:
ghaf.hardware.usb.vhotplug.pciePortCount
The number of PCIe ports used for hot-plugging virtio-input-host-pci devices.
Type: signed integer
Default:
5
Declared by:
ghaf.hardware.usb.vhotplug.rules
List of virtual machines with USB hot plugging rules.
Type: list of (attribute set)
Default:
[
  {
    evdevPassthrough = {
      enable = true;
      pcieBusPrefix = "rp";
    };
    name = "GUIVM";
    qmpSocket = "/var/lib/microvms/gui-vm/gui-vm.sock";
    usbPassthrough = [
      {
        class = 3;
        description = "HID Keyboard";
        protocol = 1;
      }
      {
        class = 3;
        description = "HID Mouse";
        protocol = 2;
      }
      {
        class = 11;
        description = "Chip/SmartCard (e.g. YubiKey)";
      }
      {
        class = 224;
        description = "Bluetooth";
        disable = true;
        protocol = 1;
        subclass = 1;
      }
      {
        class = 8;
        description = "Mass Storage - SCSI (USB drives)";
        sublass = 6;
      }
    ];
  }
  {
    name = "NetVM";
    qmpSocket = "/var/lib/microvms/net-vm/net-vm.sock";
    usbPassthrough = [
      {
        class = 2;
        description = "Communications - Ethernet Networking";
        disable = true;
        sublass = 6;
      }
    ];
  }
  {
    name = "ChromeVM";
    qmpSocket = "/var/lib/microvms/chrome-vm/chrome-vm.sock";
    usbPassthrough = [
      {
        class = 14;
        description = "Video (USB Webcams)";
        ignore = [
          {
            description = "Lenovo X1 Integrated Camera";
            productId = "b751";
            vendorId = "04f2";
          }
          {
            description = "Lenovo X1 Integrated Camera";
            productId = "2145";
            vendorId = "5986";
          }
          {
            description = "Lenovo X1 Integrated Camera";
            productId = "0052";
            vendorId = "30c9";
          }
        ];
      }
    ];
  }
  {
    name = "AudioVM";
    qmpSocket = "/var/lib/microvms/audio-vm/audio-vm.sock";
    usbPassthrough = [
      {
        class = 1;
        description = "Audio";
      }
    ];
  }
]
Example:
[
  {
    name = "GUIVM";
    qmpSocket = "/var/lib/microvms/gui-vm/gui-vm.sock";
    usbPassthrough = [
      {
        class = 3;
        protocol = 1;
        description = "HID Keyboard";
        ignore = [
          {
            vendorId = "046d";
            productId = "c52b";
            description = "Logitech, Inc. Unifying Receiver";
          }
        ];
      }
      {
        vendorId = "067b";
        productId = "23a3";
        description = "Prolific Technology, Inc. USB-Serial Controller";
        disable = true;
      }
    ];
  }
  {
    name = "NetVM";
    qmpSocket = "/var/lib/microvms/net-vm/net-vm.sock";
    usbPassthrough = [
      {
        productName = ".*ethernet.*";
        description = "Ethernet devices";
      }
    ];
  }
];
Declared by:
ghaf.hardware.x86_64.common.enable
Whether to enable Common x86 configs.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.host.kernel.hardening.enable
Enable Ghaf Host hardening feature
Type: boolean
Default:
false
Declared by:
ghaf.host.kernel.hardening.debug.enable
Enable support for debug features in the Ghaf Host
Type: boolean
Default:
false
Declared by:
ghaf.host.kernel.hardening.hypervisor.enable
Enable Hypervisor hardening feature
Type: boolean
Default:
false
Declared by:
ghaf.host.kernel.hardening.inputdevices.enable
Enable support for input devices in the Ghaf Host
Type: boolean
Default:
false
Declared by:
ghaf.host.kernel.hardening.networking.enable
Enable support for networking in the Ghaf Host
Type: boolean
Default:
false
Declared by:
ghaf.host.kernel.hardening.usb.enable
Enable support for USB in the Ghaf Host
Type: boolean
Default:
false
Declared by:
ghaf.host.kernel.hardening.virtualization.enable
Enable support for virtualization in the Ghaf Host
Type: boolean
Default:
false
Declared by:
ghaf.host.networking.enable
Whether to enable Host networking.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.host.powercontrol.enable
Enable host power control
Type: boolean
Default:
false
Declared by:
ghaf.host.secureboot.enable
Whether to enable Host secureboot.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.imageBuilder.compression
Compression algorithm used for the install image
Type: one of “none”, “zstd”
Default:
"zstd"
Declared by:
ghaf.kernel.audiovm
AudioVM kernel configuration
Type: attribute set
Default:
{ }
Declared by:
ghaf.kernel.guivm
GuiVM kernel configuration
Type: attribute set
Default:
{ }
Declared by:
ghaf.kernel.host
Host kernel configuration
Type: attribute set
Default:
{ }
Declared by:
ghaf.logging.client.enable
Enable the logging client service. Currently Grafana Alloy runs as the client and uploads system journal logs to the Grafana Alloy instance running in admin-vm.
Type: boolean
Default:
false
Declared by:
ghaf.logging.client.endpoint
Endpoint URL assigned to the alloy.service running in the different log producers. This endpoint URL includes the protocol, upstream, and address along with the port value.
Type: string
Declared by:
ghaf.logging.listener.address
Listener address to which log producers push logs and on which the admin-vm alloy.service listens to receive them.
Type: string
Declared by:
ghaf.logging.listener.port
Listener port for the logproto endpoint, used to receive logs from the different log producers. This port value is also used to open the port in the admin-vm firewall.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
9999
Declared by:
ghaf.namespaces.vms
List of VMs currently enabled.
Type: list of string
Default:
[ ]
Declared by:
ghaf.networking.hosts.enable
Whether to enable Ghaf hosts entries.
Type: boolean
Default:
true
Example:
true
Declared by:
ghaf.networking.hosts.entries
List of hosts entries.
Type: list of (submodule)
Default:
null
Declared by:
ghaf.networking.hosts.entries.*.ip
Host IPv4 address as string.
Type: string
Declared by:
ghaf.networking.hosts.entries.*.name
Host name as string.
Type: string
Declared by:
ghaf.profiles.applications.enable
Whether to enable some sample applications.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.profiles.debug.enable
Whether to enable debug profile.
Type: boolean
Default:
true
Example:
true
Declared by:
ghaf.profiles.graphics.enable
Whether to enable Graphics profile.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.profiles.graphics.compositor
Which Wayland compositor to use.
Choose one of: labwc
Type: value “labwc” (singular enum)
Default:
"labwc"
Declared by:
ghaf.profiles.graphics.renderer
Which wlroots renderer to use.
Choose one of: vulkan,pixman,gles2
Type: one of “vulkan”, “pixman”, “gles2”
Default:
"gles2"
Declared by:
ghaf.profiles.host-hardening.enable
Whether to enable Host hardening profile.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.profiles.release.enable
Whether to enable release profile.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.qemu.audiovm
Extra qemu arguments for AudioVM
Type: attribute set
Default:
{ }
Declared by:
ghaf.qemu.guivm
Extra qemu arguments for GuiVM
Type: attribute set
Default:
{ }
Declared by:
ghaf.reference.appvms.enable
Whether to enable the Ghaf reference appvms module.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.appvms.enabled-app-vms
List of appvms to include in the Ghaf reference appvms module
Type: list of (attribute set)
Default:
[ ]
Declared by:
ghaf.reference.appvms.business-vm
Whether to enable the Business appvm.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.appvms.chrome-vm
Whether to enable the Google Chrome appvm.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.appvms.chromium-vm
Whether to enable the Chromium appvm.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.appvms.comms-vm
Whether to enable the communications appvm:
- Element
- Slack
- Zoom
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.appvms.gala-vm
Whether to enable the Gala appvm.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.appvms.zathura-vm
Whether to enable the Zathura appvm.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.desktop.applications.enable
Whether to enable desktop applications.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.personalize.keys.enable
Whether to enable personalization of keys for dev team.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.profiles.laptop-x86.enable
Whether to enable the basic x86 laptop config.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.profiles.laptop-x86.enabled-app-vms
List of appvms to include in the Ghaf reference appvms module
Type: list of (attribute set)
Default:
[ ]
Declared by:
ghaf.reference.profiles.laptop-x86.guivmExtraModules
List of additional modules to be passed to the guivm.
Type: unspecified value
Default:
[ ]
Declared by:
ghaf.reference.profiles.laptop-x86.netvmExtraModules
List of additional modules to be passed to the netvm.
Type: unspecified value
Default:
[ ]
Declared by:
ghaf.reference.profiles.mvp-user-trial.enable
Whether to enable the mvp configuration for apps and services.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.profiles.mvp-user-trial-extras.enable
Whether to enable the mvp configuration for apps and services.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.programs.chromium.enable
Whether to enable Chromium program settings.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.programs.chromium.openInNormalExtension
Whether to enable browser extension to open links in the normal browser.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.programs.element-desktop.enable
Whether to enable element-desktop program settings.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.programs.google-chrome.enable
Whether to enable Google Chrome program settings.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.programs.google-chrome.defaultPolicy
Google Chrome policy options. A list of available policies can be found in the Chrome Enterprise documentation: https://cloud.google.com/docs/chrome-enterprise/policies/ Make sure the selected policy is supported on Linux and your browser version.
Type: attribute set
Default:
{
AlwaysOpenPdfExternally = true;
DefaultBrowserSettingEnabled = true;
MetricsReportingEnabled = false;
PromptForDownloadLocation = true;
}
Example:
{
PromptForDownloadLocation=true;
}
Declared by:
ghaf.reference.programs.google-chrome.extraOpts
Extra Google Chrome policy options. A list of available policies can be found in the Chrome Enterprise documentation: https://cloud.google.com/docs/chrome-enterprise/policies/ Make sure the selected policy is supported on Linux and your browser version.
Type: attribute set
Default:
{ }
Example:
{
"BrowserSignin" = 0;
"SyncDisabled" = true;
"PasswordManagerEnabled" = false;
"SpellcheckEnabled" = true;
"SpellcheckLanguage" = [
"de"
"en-US"
];
}
Declared by:
ghaf.reference.programs.google-chrome.openInNormalExtension
Whether to enable browser extension to open links in the normal browser.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.programs.google-chrome.policyOwner
Policy files owner
Type: string
Default:
"root"
Declared by:
ghaf.reference.programs.google-chrome.policyOwnerGroup
Policy files group
Type: string
Default:
"root"
Declared by:
ghaf.reference.programs.windows-launcher.enable
Whether to enable Windows launcher.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.programs.windows-launcher.spice
Whether to enable remote access to the virtual machine using spice.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.programs.windows-launcher.spice-host
Spice host
Type: string
Default:
"192.168.101.2"
Declared by:
ghaf.reference.programs.windows-launcher.spice-port
Spice port
Type: signed integer
Default:
5900
Declared by:
ghaf.reference.programs.zathura.enable
Whether to enable Zathura program settings.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.services.enable
Whether to enable Ghaf reference services.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.services.dendrite
Whether to enable dendrite-pinecone service.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.services.dendrite-pinecone.enable
Whether to enable the dendrite pinecone module.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.services.dendrite-pinecone.externalNic
External network interface
Type: string
Default:
""
Declared by:
ghaf.reference.services.dendrite-pinecone.internalNic
Internal network interface
Type: string
Default:
""
Declared by:
ghaf.reference.services.dendrite-pinecone.serverIpAddr
Dendrite server IP address
Type: string
Default:
""
Declared by:
ghaf.reference.services.ollama
Whether to enable ollama service.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.services.proxy-business
Whether to enable the proxy server service.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.services.proxy-server.enable
Whether to enable the proxy server module.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.reference.services.proxy-server.bindPort
Bind port for proxy server
Type: signed integer
Default:
3128
Declared by:
ghaf.reference.services.proxy-server.internalAddress
Internal address for proxy server
Type: string
Default:
"192.168.100.1"
Declared by:
ghaf.security.apparmor.enable
Enable AppArmor security.
Type: boolean
Default:
false
Declared by:
ghaf.security.sshKeys.getAuthKeysFileName
The name of the get-auth-keys file
Type: string
Default:
"get-auth-keys"
Declared by:
ghaf.security.sshKeys.getAuthKeysFilePathInEtc
The path to the SSH host key relative to /etc
Type: string
Default:
"ssh/get-auth-keys"
Declared by:
ghaf.security.sshKeys.sshAuthorizedKeysCommand
The authorized_keys command
Type: attribute set
Default:
{
authorizedKeysCommand = "/etc/ssh/get-auth-keys";
authorizedKeysCommandUser = "nobody";
}
Declared by:
ghaf.security.sshKeys.sshKeyPath
The SSH private key
Type: string
Default:
"/run/waypipe-ssh/id_ed25519"
Declared by:
ghaf.security.sshKeys.waypipeSshPublicKeyDir
The path to the Waypipe public key
Type: string
Default:
"/run/waypipe-ssh-public-key"
Declared by:
ghaf.security.sshKeys.waypipeSshPublicKeyFile
The Waypipe public key
Type: string
Default:
"/run/waypipe-ssh-public-key/id_ed25519.pub"
Declared by:
ghaf.security.sshKeys.waypipeSshPublicKeyName
The name of the Waypipe public key
Type: string
Default:
"waypipe-ssh-public-key"
Declared by:
ghaf.services.audio.enable
Whether to enable the audio service for the audio VM.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.services.audio.pulseaudioTcpControlPort
TCP port used by Pipewire-pulseaudio control
Type: signed integer
Default:
4714
Declared by:
ghaf.services.audio.pulseaudioTcpPort
TCP port used by Pipewire-pulseaudio service
Type: signed integer
Default:
4713
Declared by:
ghaf.services.bluetooth.enable
Whether to enable Bluetooth configurations.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.services.disks.enable
Whether to enable the disk mount daemon.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.services.disks.fileManager
The program to open mounted directories
Type: string
Default:
"xdg-open"
Declared by:
ghaf.services.firmware.enable
Whether to enable placeholder for firmware handling.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.services.fprint.enable
Whether to enable fingerprint reader support.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.services.wifi.enable
Whether to enable Wifi configuration for the net-vm.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.services.xdghandlers.enable
Whether to enable Ghaf XDG handlers.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.services.xdghandlers.handlerPath
Path of xdgHandler script.
Type: string
Declared by:
ghaf.services.xdgopener.enable
Whether to enable the XDG opening service.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.services.xdgopener.xdgPort
TCP port for the XDG socket
Type: signed integer
Default:
1200
Declared by:
ghaf.services.yubikey.enable
Whether to enable YubiKey support, which provides 2FA.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.services.yubikey.u2fKeys
Contains the U2F keys / public keys retrieved from the YubiKey hardware
Type: string
Default:
[ ]
Example:
"ghaf:SZ2CwN7EAE4Ujfxhm+CediUaT9ngoaMOqsKRDrOC+wUkTriKlc1cVtsxkOSav2r9ztaNKn/OwoHiN3BmsBYdZA==,oIdGgoGmkVrVis1kdzpvX3kXrOmBe2noFrpHqh4VKlq/WxrFk+Du670BL7DzLas+GxIPNjgdDCHo9daVzthIwQ==,es256,+presence:9CEdjOg0YGpvNeisK5OW1hjjg0nRvJDBpr7X8Q4QPtxJP4iC5C6dShTxEpxmLAkqAi8x/jKCDwpt146AYAXfFg==,q8ddSEI2tIyRwB2MhRlrGZRv6ZDkEC2RYn/n33fdmK1KjBkcMy6ELUMQQDVGtsvsiQFbRS3v4qxjsgXF5BVD0A==,es256,+presence+pin"
Declared by:
ghaf.shm.enable
Enables shared memory communication between virtual machines (VMs)
Type: boolean
Default:
false
Declared by:
ghaf.shm.enable_host
Enables the memsocket functionality on the host system
Type: boolean
Default:
false
Declared by:
ghaf.shm.clientSocketPath
Specifies the location of the output socket, which will be connected to in order to receive data from AppVMs. This socket must be created by another application, such as Waypipe, when operating in client mode
Type: path
Default:
"/run/user/1000/memsocket-client.sock"
Declared by:
ghaf.shm.display
Enables the use of shared memory with Waypipe for Wayland-enabled applications running on virtual machines (VMs), facilitating efficient inter-VM communication
Type: boolean
Default:
false
Declared by:
ghaf.shm.flataddr
Maps the shared memory to a physical address if set to a non-zero value. The address must be platform-specific and arbitrarily chosen to avoid conflicts with other memory areas, such as PCI regions.
Type: string
Default:
"0x920000000"
Declared by:
ghaf.shm.hostSocketPath
Specifies the path to the shared memory socket, used by QEMU instances for inter-VM memory sharing and interrupt signaling
Type: path
Default:
"/tmp/ivshmem_socket"
Declared by:
ghaf.shm.hugePageSz
Specifies the size of the large memory page area. Supported kernel values are 2 MB and 1 GB
Type: string
Default:
"2M"
Declared by:
ghaf.shm.instancesCount
Number of memory slots allocated in the shared memory region
Type: signed integer
Default:
0
Declared by:
ghaf.shm.memSize
Specifies the size of the shared memory region, measured in megabytes (MB)
Type: signed integer
Default:
16
Declared by:
ghaf.shm.serverSocketPath
Specifies the path of the listening socket, which is used by Waypipe or other server applications as the output socket in server mode for data transmission
Type: path
Default:
"/run/user/1000/memsocket-server.sock"
Declared by:
ghaf.shm.vms_enabled
List of VMs having access to shared memory
Type: list of string
Default:
[ ]
Declared by:
ghaf.systemd.enable
Whether to enable minimal systemd configuration…
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.systemd.boot.enable
Enable systemd in stage 1 of the boot (initrd).
Type: unspecified value
Default:
false
Declared by:
ghaf.systemd.excludedHardenedConfigs
A list of units to skip when applying hardened systemd service configurations. The main purpose of this is to provide a mechanism to exclude specific hardened configurations for fast debugging and problem resolution.
Type: list of string
Default:
[ ]
Example:
[
"sshd.service"
]
Declared by:
ghaf.systemd.logLevel
Log Level for systemd services. Available options: “emerg”, “alert”, “crit”, “err”, “warning”, “info”, “debug”
Type: string
Default:
"info"
Declared by:
ghaf.systemd.verboseLogs
Increase systemd log verbosity.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withApparmor
Enable systemd AppArmor functionality.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withAudio
Enable audio functionality.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withAudit
Enable systemd audit functionality.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withBluetooth
Enable bluetooth functionality.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withBootloader
Enable systemd bootloader functionality.
Type: boolean
Default:
true
Declared by:
ghaf.systemd.withCryptsetup
Enable systemd LUKS2 functionality.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withDebug
Enable systemd debug functionality.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withEfi
Enable systemd EFI functionality.
Type: boolean
Default:
true
Declared by:
ghaf.systemd.withFido2
Enable systemd Fido2 token functionality.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withHardenedConfigs
Enable common hardened configs.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withHomed
Enable systemd homed for users' home functionality.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withHostnamed
Enable systemd hostname daemon.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withJournal
Enable systemd journal daemon.
Type: boolean
Default:
true
Declared by:
ghaf.systemd.withLocaled
Enable systemd locale daemon.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withLogind
Enable systemd login daemon.
Type: boolean
Default:
true
Declared by:
ghaf.systemd.withMachines
Enable systemd container and VM functionality.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withName
Set systemd name.
Type: string
Default:
"base-systemd"
Declared by:
ghaf.systemd.withNetworkd
Enable systemd networking daemon.
Type: boolean
Default:
true
Declared by:
ghaf.systemd.withNss
Enable systemd Name Service Switch (NSS) functionality.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withPolkit
Enable systemd polkit functionality.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withRepart
Enable systemd repart functionality.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withResolved
Enable systemd resolve daemon.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withSerial
Enable systemd serial console.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withTimesyncd
Enable systemd timesync daemon.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withTpm2Tss
Enable systemd TPM functionality.
Type: boolean
Default:
false
Declared by:
ghaf.systemd.withUkify
Enable systemd UKI functionality.
Type: boolean
Default:
true
Declared by:
ghaf.users.admin.enable
Enable the admin user account. Enabled by default.
Type: boolean
Default:
true
Declared by:
ghaf.users.admin.createHome
Whether to create the admin home folder. Defaults to false, which sets it to ‘/var/empty’. A value of true will create the home directory as /home/<name>.
Type: boolean
Default:
false
Declared by:
ghaf.users.admin.extraGroups
Extra groups for the admin user.
Type: list of string
Default:
[ ]
Declared by:
ghaf.users.admin.hashedPassword
Hashed password for live updates.
Type: null or string
Default:
null
Declared by:
ghaf.users.admin.initialHashedPassword
Initial hashed password for the admin user account.
Type: null or string
Default:
null
Declared by:
ghaf.users.admin.initialPassword
Default password for the admin user account.
Type: null or string
Default:
"ghaf"
Declared by:
ghaf.users.admin.name
Admin account name. Defaults to ‘ghaf’.
Type: string
Default:
"ghaf"
Declared by:
ghaf.users.admin.uid
User identifier (uid) for the admin account.
Type: signed integer
Default:
1001
Declared by:
ghaf.users.appUser
User account to run applications.
Type: submodule
Declared by:
ghaf.users.appUser.enable
Whether to enable auxiliary user account…
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.users.appUser.extraGroups
Extra groups for the auxiliary user.
Type: list of string
Default:
[ ]
Declared by:
ghaf.users.appUser.name
Auxiliary user’s name.
Type: string
Declared by:
ghaf.users.loginUser
User account for desktop login.
Type: submodule
Default:
{ }
Declared by:
ghaf.users.loginUser.enable
Whether to enable desktop login user account…
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.users.loginUser.extraGroups
Extra groups for the login user.
Type: list of string
Default:
[ ]
Declared by:
ghaf.users.loginUser.homeSize
Size of the home directory for the login user in MB (integer). The integer size is inherited from the microvm volume size parameter. Defaults to 800 GB (800000 MB).
Type: signed integer
Default:
800000
Declared by:
ghaf.users.loginUser.uid
Login user identifier (uid). Defaults to 1000 for compatibility.
Type: signed integer
Default:
1000
Declared by:
ghaf.users.managed
List of declaratively managed user accounts.
The ghaf user interface for declarative users has the following options:
- No enable flag, a specified account is enabled by default [mandatory]
- name: User name
- vms: List of VMs (or host) the user is enabled in [optional]
- initialPassword: Default password for the user account
- initialHashedPassword: Initial hashed password for the user account
- hashedPassword: Hashed password for live updates
- uid: Optional user identifier (uid). Defaults to null
- gid: Optional primary group identifier (gid). Defaults to null
- createHome: Create home directory for the user
- linger: Enable lingering for the user
- extraGroups: Extra groups for the user
These, as any additional user option, may be set through the usual NixOS user options.
Type: list of (submodule)
Default:
[ ]
Declared by:
ghaf.users.managed.*.createHome
Create home directory for the user.
Type: boolean
Default:
true
Declared by:
ghaf.users.managed.*.extraGroups
Extra groups for the user.
Type: list of string
Default:
[ ]
Declared by:
ghaf.users.managed.*.gid
Optional primary group identifier (gid). Defaults to null.
Type: null or signed integer
Default:
null
Declared by:
ghaf.users.managed.*.hashedPassword
Hashed password for live updates.
Type: null or string
Default:
null
Declared by:
ghaf.users.managed.*.initialHashedPassword
Initial hashed password for the admin user account.
Type: null or string
Default:
null
Declared by:
ghaf.users.managed.*.initialPassword
Initial password for the admin user account.
Type: null or string
Default:
null
Declared by:
ghaf.users.managed.*.linger
Enable lingering for the user.
Type: boolean
Default:
false
Declared by:
ghaf.users.managed.*.name
User name
Type: null or string
Default:
null
Declared by:
ghaf.users.managed.*.uid
Optional user identifier (uid). Defaults to null.
Type: null or signed integer
Default:
null
Declared by:
ghaf.users.managed.*.vms
List of VMs (or host) the user is enabled in.
Type: list of string
Default:
[ ]
Declared by:
ghaf.users.proxyUser
User account for dbus proxy functionality.
Type: submodule
Declared by:
ghaf.users.proxyUser.enable
Whether to enable auxiliary user account…
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.users.proxyUser.extraGroups
Extra groups for the auxiliary user.
Type: list of string
Default:
[ ]
Declared by:
ghaf.users.proxyUser.name
Auxiliary user’s name.
Type: string
Declared by:
ghaf.version
The version of Ghaf
Type: string (read only)
Default:
"24.12.1"
Declared by:
ghaf.virtualization.docker.daemon.enable
Whether to enable Docker Daemon.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.virtualization.microvm.adminvm.enable
Whether to enable AdminVM.
Type: boolean
Default:
false
Example:
true
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.adminvm.extraModules
List of additional modules to be imported and evaluated as part of AdminVM’s NixOS configuration.
Type: unspecified value
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.enable
Whether to enable appvm.
Type: boolean
Default:
false
Example:
true
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.extraModules
List of additional modules to be imported and evaluated as part of appvm’s NixOS configuration.
Type: unspecified value
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms
List of AppVMs to be created
Type: list of (submodule)
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.packages
Packages that are included into the AppVM
Type: list of package
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.applications
Applications to include in the AppVM
Type: list of (submodule)
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.applications.*.packages
A list of packages required for the application
Type: list of package
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.applications.*.command
The command to run the application
Type: string
Default:
null
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.applications.*.description
A brief description of the application
Type: string
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.applications.*.extraModules
Additional modules required for the application
Type: list of (attribute set)
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.applications.*.givcArgs
A list of GIVC arguments for the application
Type: list of string
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.applications.*.givcName
GIVC name for the application
Type: string
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.applications.*.icon
Application icon
Type: string
Default:
null
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.applications.*.name
The name of the application
Type: string
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.borderColor
Border color of the AppVM window
Type: null or string
Default:
null
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.cid
VSOCK context identifier (CID) for the AppVM. The default value 0 means auto-assign using vsockBaseCID and the AppVM index.
Type: signed integer
Default:
0
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.cores
Number of processor cores for this AppVM
Type: signed integer
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.extraModules
List of additional modules to be imported and evaluated as part of appvm’s NixOS configuration.
Type: unspecified value
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.ghafAudio.enable
Whether to enable Ghaf application audio support.
Type: boolean
Default:
false
Example:
true
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.ghafAudio.useTunneling
Whether to enable PulseAudio tunneling.
Type: boolean
Default:
false
Example:
true
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.macAddress
AppVM’s network interface MAC address
Type: string
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.name
Name of the AppVM
Type: string
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.ramMb
Amount of RAM for this AppVM
Type: signed integer
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vms.*.vtpm.enable
Whether to enable vTPM support in the virtual machine.
Type: boolean
Default:
false
Example:
true
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.vsockBaseCID
Context Identifier (CID) of the AppVM VSOCK
Type: signed integer
Default:
100
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.appvm.waypipeBasePort
Waypipe base port number for AppVMs
Type: signed integer
Default:
1100
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.audiovm.enable
Whether to enable AudioVM.
Type: boolean
Default:
false
Example:
true
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.audiovm.audio
Enable Audio module configuration.
Type: boolean
Default:
false
Declared by:
ghaf.virtualization.microvm.audiovm.extraModules
List of additional modules to be imported and evaluated as part of AudioVM’s NixOS configuration.
Type: unspecified value
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.enable
Whether to enable GUIVM.
Type: boolean
Default:
false
Example:
true
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.applications
Applications to include in the GUIVM
Type: list of (submodule)
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.applications.*.command
The command to run the application
Type: string
Default:
null
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.applications.*.description
A brief description of the application
Type: string
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.applications.*.icon
Application icon
Type: string
Default:
null
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.applications.*.name
The name of the application
Type: string
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.extraModules
List of additional modules to be imported and evaluated as part of GUIVM’s NixOS configuration.
Type: unspecified value
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.fprint
Enable Fingerprint module configuration.
Type: boolean
Default:
false
Declared by:
ghaf.virtualization.microvm.guivm.vsockCID
Context Identifier (CID) of the GUIVM VSOCK
Type: signed integer
Default:
3
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.yubikey
Enable Yubikey module configuration.
Type: boolean
Default:
false
Declared by:
ghaf.virtualization.microvm.idsvm.enable
Whether to enable IDS-VM on the system.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.virtualization.microvm.idsvm.extraModules
List of additional modules to be imported and evaluated as part of IDSVM’s NixOS configuration.
Type: unspecified value
Default:
[ ]
Declared by:
ghaf.virtualization.microvm.idsvm.mitmproxy.enable
Whether to enable mitmproxy on ids-vm.
Type: boolean
Default:
false
Example:
true
Declared by:
ghaf.virtualization.microvm.netvm.enable
Whether to enable NetVM.
Type: boolean
Default:
false
Example:
true
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.netvm.extraModules
List of additional modules to be imported and evaluated as part of NetVM’s NixOS configuration.
Type: unspecified value
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.netvm.wifi
Enable Wifi module configuration.
Type: boolean
Default:
false
Declared by:
ghaf.virtualization.microvm-host.enable
Whether to enable MicroVM Host.
Type: boolean
Default:
false
Example:
true
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm-host.networkSupport
Whether to enable network support services to run host applications…
Type: boolean
Default:
false
Example:
true
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm-host.sharedVmDirectory.enable
Whether to enable shared directory.
Type: boolean
Default:
true
Example:
true
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm
ghaf.virtualization.microvm-host.sharedVmDirectory.vms
List of names of virtual machines for which unsafe shared folder will be enabled.
Type: list of string
Default:
[ ]
Declared by:
- <https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix>, via option flake.nixosModules.microvm