Modules Options

ghaf.common.adminHost
List of admin hosts currently enabled.
Type: null or string
Default: null

ghaf.common.appHosts
List of app hosts currently enabled.
Type: list of string
Default: [ ]

ghaf.common.extraNetworking.enableStaticArp
Enable static ARP entries for all hosts, and prevent any ARP traffic from being sent or received on the internal network. This is useful to prevent ARP spoofing attacks between VMs.
Type: boolean
Default: true

ghaf.common.extraNetworking.hosts
Extra host entries that override or extend the generated ones.
Type: attribute set of (submodule)
Default: { }

ghaf.common.extraNetworking.hosts.<name>.cid
Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null

ghaf.common.extraNetworking.hosts.<name>.interfaceName
Name of the network interface.
Type: null or string
Default: null

ghaf.common.extraNetworking.hosts.<name>.ipv4
IPv4 address as string.
Type: null or string
Default: null

ghaf.common.extraNetworking.hosts.<name>.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0).
Type: null or signed integer
Default: null
Example: 24

ghaf.common.extraNetworking.hosts.<name>.ipv6
IPv6 address as string.
Type: null or string
Default: null

ghaf.common.extraNetworking.hosts.<name>.mac
MAC address as string.
Type: null or string
Default: null

ghaf.common.extraNetworking.hosts.<name>.name
Host name as string.
Type: null or string
Default: null
ghaf.common.hardware.audio
List of audio PCI devices currently enabled for passthrough.
Type: list of (attribute set)
Default: [ { } ]

ghaf.common.hardware.gpus
List of GPUs currently enabled for passthrough.
Type: list of (attribute set)
Default: [ { } ]

ghaf.common.hardware.nics
List of network interfaces currently enabled for passthrough.
Type: list of (attribute set)
Default: [ { } ]

ghaf.common.hardware.usb
List of USB devices enabled for passthrough.
Type: list of (attribute set)
Default: [ { } ]

ghaf.common.policies
System policies.
Type: attribute set of attribute set of (submodule)
Default: { }

ghaf.common.policies.<name>.<name>.depends
Services to restart after the policy update, and after successful execution of the policy script if one is defined.
Type: list of string
Default: [ ]

ghaf.common.policies.<name>.<name>.dest
Destination file path (must not be null).
Type: null or absolute path
Default: null

ghaf.common.policies.<name>.<name>.factory
Initial policy file path or Nix store path.
Type: null or absolute path
Default: null

ghaf.common.policies.<name>.<name>.script
Script to execute after a policy update.
Type: null or absolute path
Default: null

ghaf.common.policies.<name>.<name>.updater.poll_interval_secs
Polling interval in seconds.
Type: signed integer
Default: 300

ghaf.common.policies.<name>.<name>.updater.url
URL to pull updates for this specific policy.
Type: null or string
Default: null

ghaf.common.systemHosts
List of system hosts currently enabled.
Type: list of string
Default: [ ]

ghaf.common.vms
List of VMs currently enabled.
Type: list of string
Default: [ ]
ghaf.development.cuda.enable
Whether to enable CUDA support.
Type: boolean
Default: false
Example: true

ghaf.development.debug.tools.enable
Whether to enable debug tools.
Type: boolean
Default: false
Example: true

ghaf.development.debug.tools.av.enable
Whether to enable camera debugging tools.
Type: boolean
Default: false
Example: true

ghaf.development.debug.tools.gui.enable
Whether to enable GUI debugging tools.
Type: boolean
Default: false
Example: true

ghaf.development.debug.tools.host.enable
Whether to enable host debugging tools.
Type: boolean
Default: false
Example: true

ghaf.development.debug.tools.net.enable
Whether to enable network debugging tools.
Type: boolean
Default: false
Example: true

ghaf.development.nix-setup.enable
Whether to enable target Nix config options.
Type: boolean
Default: false
Example: true

ghaf.development.nix-setup.automatic-gc.enable
Whether to enable automatic garbage collection.
Type: boolean
Default: false
Example: true

ghaf.development.nix-setup.nixpkgs
Path to the nixpkgs repository.
Type: null or absolute path
Default: null

ghaf.development.ssh.daemon.enable
Whether to enable the SSH daemon.
Type: boolean
Default: false
Example: true

ghaf.development.usb-serial.enable
Whether to enable USB-serial.
Type: boolean
Default: false
Example: true
ghaf.firewall.enable
Ghaf firewall for virtual machines.
Type: boolean
Default: true

ghaf.firewall.IdsEnabled
Whether to enable the IDS tool.
Type: boolean
Default: false
Example: true

ghaf.firewall.allowedTCPPorts
Additional TCP ports to allow through the Ghaf firewall.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: [ ]

ghaf.firewall.allowedUDPPorts
Additional UDP ports to allow through the Ghaf firewall.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: [ ]

ghaf.firewall.attack-mitigation.enable
Whether to enable attack mitigation features integrated into the firewall.
Type: boolean
Default: true
Example: true

ghaf.firewall.attack-mitigation.ping
Ping flood mitigation settings.
Type: submodule
Default:
{
  enable = true;
  rule = {
    burstNum = 10;
    maxPacketFreq = "60/min";
  };
}

ghaf.firewall.attack-mitigation.ping.enable
Whether to enable ping flood mitigation.
Type: boolean
Default: true
Example: true

ghaf.firewall.attack-mitigation.ping.rule
Flood rule parameters for ping.
Type: submodule

ghaf.firewall.attack-mitigation.ping.rule.burstNum
Number of packets allowed in a short time before blacklisting.
Type: signed integer

ghaf.firewall.attack-mitigation.ping.rule.maxPacketFreq
Maximum average packet rate allowed from a single IP before blacklisting.
Type: string

ghaf.firewall.attack-mitigation.ssh
SSH flood mitigation settings.
Type: submodule
Default:
{
  enable = false;
  rule = {
    burstNum = 5;
    maxPacketFreq = "30/minute";
  };
}

ghaf.firewall.attack-mitigation.ssh.enable
Whether to enable SSH flood mitigation.
Type: boolean
Default: false
Example: true

ghaf.firewall.attack-mitigation.ssh.rule
Flood rule parameters for SSH.
Type: submodule
Default:
{
  burstNum = 5;
  maxPacketFreq = "30/minute";
}

ghaf.firewall.attack-mitigation.ssh.rule.burstNum
Number of packets allowed in a short time before blacklisting.
Type: signed integer

ghaf.firewall.attack-mitigation.ssh.rule.maxPacketFreq
Maximum average packet rate allowed from a single IP before blacklisting.
Type: string

ghaf.firewall.blacklistFwMarkNum
Firewall mark number for blacklisted packets.
Type: string (read only)
Default: "8"

ghaf.firewall.blacklistSize
The maximum number of IP addresses that can be stored in BLACKLIST.
Type: signed integer
Default: 65536
ghaf.firewall.extra
Extra firewall rules.
Type: submodule
Default: { }

ghaf.firewall.extra.forward
Extra firewall rules for the FORWARD chain.
Type: submodule
Default: { }

ghaf.firewall.extra.forward.filter
Extra firewall rules for ghaf-fw-fwd-filter.
Type: list of string
Default: [ ]

ghaf.firewall.extra.input
Extra firewall rules for the INPUT chain.
Type: submodule
Default: { }

ghaf.firewall.extra.input.filter
Extra firewall rules for ghaf-fw-in-filter.
Type: list of string
Default: [ ]

ghaf.firewall.extra.output
Extra firewall rules for the OUTPUT chain.
Type: submodule
Default: { }

ghaf.firewall.extra.output.filter
Extra firewall rules for ghaf-fw-out-filter.
Type: list of string
Default: [ ]

ghaf.firewall.extra.postrouting
Extra firewall rules for the POSTROUTING chain.
Type: submodule
Default: { }

ghaf.firewall.extra.postrouting.nat
Extra iptables rules for ghaf-fw-post-nat.
Type: list of string
Default: [ ]

ghaf.firewall.extra.prerouting
Extra firewall rules for the PREROUTING chain.
Type: submodule
Default: { }

ghaf.firewall.extra.prerouting.mangle
Extra firewall rules for ghaf-fw-pre-mangle.
Type: list of string
Default: [ ]

ghaf.firewall.extra.prerouting.nat
Extra firewall rules for ghaf-fw-pre-nat.
Type: list of string
Default: [ ]

ghaf.firewall.extra.prerouting.raw
Extra firewall rules for the raw chain.
Type: list of string
Default: [ ]

ghaf.firewall.extraOptions
Extra options to extend the networking.firewall configuration.
Type: attribute set of anything
Default: { }
ghaf.firewall.filter-arp
Whether to enable static ARP and MAC/IP rules.
Type: boolean
Default: false
Example: true

ghaf.firewall.kernel-modules.enable
Whether to enable the kernel modules required for the firewall.
Type: boolean
Default: false
Example: true

ghaf.firewall.tcpBlacklistRules
List of blacklist settings for specific TCP ports.
Type: list of (submodule)
Default: [ ]

ghaf.firewall.tcpBlacklistRules.*.burstNum
Number of packets allowed in a short time before blacklisting.
Type: signed integer

ghaf.firewall.tcpBlacklistRules.*.fwMarkNum
Firewall mark number for blacklisted packets.
Type: string
Default: "8"

ghaf.firewall.tcpBlacklistRules.*.maxPacketFreq
Maximum average packet rate allowed from a single IP before blacklisting.
Type: string

ghaf.firewall.tcpBlacklistRules.*.port
Port this blacklist rule applies to.
Type: signed integer

ghaf.firewall.tcpBlacklistRules.*.trackingSize
Maximum number of IP addresses tracked in the hashtable.
Type: signed integer

ghaf.firewall.udpBlacklistRules
List of blacklist settings for specific UDP ports.
Type: list of (submodule)
Default: [ ]

ghaf.firewall.udpBlacklistRules.*.burstNum
Number of packets allowed in a short time before blacklisting.
Type: signed integer

ghaf.firewall.udpBlacklistRules.*.fwMarkNum
Firewall mark number for blacklisted packets.
Type: string
Default: "8"

ghaf.firewall.udpBlacklistRules.*.maxPacketFreq
Maximum average packet rate allowed from a single IP before blacklisting.
Type: string

ghaf.firewall.udpBlacklistRules.*.port
Port this blacklist rule applies to.
Type: signed integer

ghaf.firewall.udpBlacklistRules.*.trackingSize
Maximum number of IP addresses tracked in the hashtable.
Type: signed integer

ghaf.firewall.updater.enable
Whether to enable live updating of firewall rules.
Type: boolean
Default: false
Example: true
ghaf.givc.enable
Whether to enable gRPC inter-VM communication.
Type: boolean
Default: false
Example: true

ghaf.givc.enableTls
Enable TLS for gRPC communication globally, or disable it for debugging.
Type: boolean
Default: true

ghaf.givc.adminConfig
Admin server configuration.
Type: submodule

ghaf.givc.adminConfig.addresses
Addresses of the admin server.
Type: list of (submodule)

ghaf.givc.adminConfig.addresses.*.addr
IP address of the admin server.
Type: string

ghaf.givc.adminConfig.addresses.*.name
Name of the IP range for parsing.
Type: string

ghaf.givc.adminConfig.addresses.*.port
Port of the admin server.
Type: string

ghaf.givc.adminConfig.addresses.*.protocol
Protocol of the admin server.
Type: one of "tcp", "unix", "vsock"

ghaf.givc.adminConfig.name
Host name of the admin server.
Type: string

ghaf.givc.adminvm.enable
Whether to enable the adminvm givc module…
Type: boolean
Default: false
Example: true

ghaf.givc.appPrefix
Common application path prefix.
Type: string

ghaf.givc.appvm.enable
Whether to enable the appvm givc module…
Type: boolean
Default: false
Example: true

ghaf.givc.appvm.applications
Applications to run in the appvm.
Type: list of (attribute set)
Default: [ { } ]

ghaf.givc.audiovm.enable
Whether to enable the audiovm givc module…
Type: boolean
Default: false
Example: true

ghaf.givc.cliArgs
Arguments for the givc-cli to contact the admin service.
Type: string
Default: ""

ghaf.givc.debug
Whether to enable givc debug mode.
Type: boolean
Default: false
Example: true

ghaf.givc.guivm.enable
Whether to enable the guivm givc module…
Type: boolean
Default: false
Example: true

ghaf.givc.host.enable
Whether to enable the host givc module…
Type: boolean
Default: false
Example: true

ghaf.givc.idsExtraArgs
Extra arguments for applications when IDS/MITM is enabled.
Type: string

ghaf.givc.netvm.enable
Whether to enable the netvm givc module…
Type: boolean
Default: false
Example: true
ghaf.givc.policyAdmin.enable
Whether to enable Policy admin…
Type: boolean
Default: false
Example: true

ghaf.givc.policyAdmin.storePath
Directory path for policy storage.
Type: absolute path
Default: "/etc/policies"

ghaf.givc.policyAdmin.updater.gitURL.enable
Whether to enable pulling updates from git.
Type: boolean
Default: false
Example: true

ghaf.givc.policyAdmin.updater.gitURL.poll_interval_secs
Polling interval in seconds.
Type: signed integer
Default: 300

ghaf.givc.policyAdmin.updater.gitURL.ref
Git reference (branch).
Type: string
Default: "main"

ghaf.givc.policyAdmin.updater.gitURL.url
Git repository URL.
Type: string
Default: ""

ghaf.givc.policyAdmin.updater.perPolicy.enable
Whether to enable per-policy updates from the URL provided in the VM policy.
Type: boolean
Default: false
Example: true

ghaf.givc.policyClient.enable
Whether to enable Policy admin…
Type: boolean
Default: false
Example: true

ghaf.givc.policyClient.policies
Definition of all managed policies.
Type: attribute set of (submodule)
Default: { }

ghaf.givc.policyClient.policies.<name>.depends
Services to restart after the policy update, and after successful execution of the policy script if one is defined.
Type: list of string
Default: [ ]

ghaf.givc.policyClient.policies.<name>.dest
Destination file path (must not be null).
Type: null or absolute path
Default: null

ghaf.givc.policyClient.policies.<name>.factory
Initial policy file path or Nix store path.
Type: null or absolute path
Default: null

ghaf.givc.policyClient.policies.<name>.script
Script to execute after a policy update.
Type: null or absolute path
Default: null

ghaf.givc.policyClient.policies.<name>.updater.poll_interval_secs
Polling interval in seconds.
Type: signed integer
Default: 300

ghaf.givc.policyClient.policies.<name>.updater.url
URL to pull updates for this specific policy.
Type: null or string
Default: null

ghaf.givc.policyClient.storePath
Directory path for policy storage.
Type: absolute path
Default: "/etc/admin-policies"
ghaf.global-config
Global configuration options that propagate to all VMs via specialArgs.
Type: submodule
Default: { }

ghaf.global-config.debug.enable
Whether to enable debug mode globally (host and all VMs).
Type: boolean
Default: false
Example: true

ghaf.global-config.development.debug.tools.enable
Whether to enable debug tools globally.
Type: boolean
Default: false
Example: true

ghaf.global-config.development.nix-setup.enable
Whether to enable the Nix development setup globally.
Type: boolean
Default: false
Example: true

ghaf.global-config.development.ssh.daemon.enable
Whether to enable the SSH daemon globally.
Type: boolean
Default: false
Example: true

ghaf.global-config.features.audio.enable
Whether to enable audio services.
Type: boolean
Default: true
Example: true

ghaf.global-config.features.audio.targetVms
VMs that should have audio support.
Type: list of string
Default: [ "audio-vm" ]

ghaf.global-config.features.bluetooth.enable
Whether to enable Bluetooth support.
Type: boolean
Default: true
Example: true

ghaf.global-config.features.bluetooth.targetVms
VMs that should have Bluetooth support.
Type: list of string
Default: [ "audio-vm" ]

ghaf.global-config.features.brightness.enable
Whether to enable brightness control via VirtIO.
Type: boolean
Default: true
Example: true

ghaf.global-config.features.brightness.targetVms
VMs that should have brightness control.
Type: list of string
Default: [ "gui-vm" ]

ghaf.global-config.features.fprint.enable
Whether to enable fingerprint authentication support.
Type: boolean
Default: true
Example: true

ghaf.global-config.features.fprint.targetVms
VMs that should have fingerprint support.
Type: list of string
Default: [ "gui-vm" ]
Example: [ "gui-vm" "admin-vm" ]

ghaf.global-config.features.locale.enable
Whether to enable runtime management of user and system locale settings.
Type: boolean
Default: false
Example: true

ghaf.global-config.features.locale.targetVms
VMs where runtime locale management should be enabled.
Typically this should only be a VM that allows user-friendly locale adjustments, e.g. via a desktop environment such as on the GUI VM.
Type: list of string
Default: [ ]
ghaf.global-config.features.performance.enable
Whether to enable Ghaf performance and PPD profiles.
Type: boolean
Default: false
Example: true

ghaf.global-config.features.performance.targetVms
VMs where Ghaf performance and PPD profiles should be enabled.
Type: list of string
Default: [ ]

ghaf.global-config.features.power-manager.enable
Whether to enable Ghaf power management.
Type: boolean
Default: false
Example: true

ghaf.global-config.features.power-manager.targetVms
VMs where Ghaf power management should be enabled.
Type: list of string
Default: [ ]

ghaf.global-config.features.timezone.enable
Whether to enable runtime management of timezone settings and propagation to the host.
Type: boolean
Default: false
Example: true

ghaf.global-config.features.timezone.targetVms
VMs where runtime timezone settings management should be enabled.
Propagation will only be enabled on the GUI VM.
Type: list of string
Default: [ ]

ghaf.global-config.features.wifi.enable
Whether to enable WiFi networking support.
Type: boolean
Default: true
Example: true

ghaf.global-config.features.wifi.targetVms
VMs that should have WiFi support.
Type: list of string
Default: [ "net-vm" ]

ghaf.global-config.features.yubikey.enable
Whether to enable Yubikey 2FA support.
Type: boolean
Default: true
Example: true

ghaf.global-config.features.yubikey.targetVms
VMs that should have Yubikey support.
Type: list of string
Default: [ "gui-vm" ]
Example: [ "gui-vm" "admin-vm" ]

ghaf.global-config.givc.enable
Whether to enable GIVC (Ghaf Inter-VM Communication) globally.
Type: boolean
Default: false
Example: true

ghaf.global-config.givc.debug
Whether to enable GIVC debug mode.
Type: boolean
Default: false
Example: true

ghaf.global-config.graphics.boot.enable
Whether to enable graphical boot support (splash screen, user login detection).
Type: boolean
Default: false
Example: true

ghaf.global-config.idsvm.mitmproxy.enable
Whether to enable the MITM proxy in the IDS VM for traffic inspection.
Type: boolean
Default: false
Example: true

ghaf.global-config.logging.enable
Whether to enable logging globally.
Type: boolean
Default: false
Example: true
ghaf.global-config.logging.listener.address
Logging listener address.
Type: string
Default: ""

ghaf.global-config.logging.listener.port
Logging listener port.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 9999

ghaf.global-config.logging.server.endpoint
Logging server endpoint.
Type: string
Default: ""

ghaf.global-config.platform.buildSystem
Build platform system (e.g., x86_64-linux).
Type: string
Default: "x86_64-linux"

ghaf.global-config.platform.hostSystem
Host platform system (e.g., x86_64-linux).
Type: string
Default: "x86_64-linux"

ghaf.global-config.platform.timeZone
System timezone.
Type: null or string
Default: null

ghaf.global-config.security.audit.enable
Whether to enable security auditing globally.
Type: boolean
Default: false
Example: true

ghaf.global-config.shm.enable
Whether to enable shared memory for inter-VM communication.
Type: boolean
Default: false
Example: true

ghaf.global-config.shm.flataddr
Maps the shared memory to a physical address for kvm_ivshmem.
Type: string
Default: "0x920000000"

ghaf.global-config.shm.serverSocketPath
Shared memory server socket path.
Type: string
Default: ""

ghaf.global-config.storage.encryption.enable
Whether to enable storage encryption globally.
Type: boolean
Default: false
Example: true

ghaf.global-config.storage.storeOnDisk
Whether to enable storing VM Nix stores on disk rather than on virtiofs.
Type: boolean
Default: false
Example: true
ghaf.gracefulShutdown
Section titled “ghaf.gracefulShutdown”If true, the microvm ExecStop logic for this VM will be overridden with the host-managed graceful shutdown, which starts the guest’s poweroff.target and waits for the VM process to exit.
This option only has effect if the power manager module is enabled
on the host:
ghaf.services.power-manager.host.enable = true;
Type: boolean
Default:
"config.ghaf.givc.enable"Declared by:
ghaf.graphics.boot.enable
Section titled “ghaf.graphics.boot.enable”Whether to enable graphical boot with plymouth.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.graphics.boot.debug
Section titled “ghaf.graphics.boot.debug”Whether to enable plymouth debug logs.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.graphics.boot.deviceTimeout
Section titled “ghaf.graphics.boot.deviceTimeout”Timeout in seconds to wait for the graphics device to become ready.
Type: null or signed integer
Default:
8Declared by:
ghaf.graphics.boot.firmwareLogo.enable
Section titled “ghaf.graphics.boot.firmwareLogo.enable”Whether to override the UEFI firmware (BGRT) boot logo.
Type: boolean
Default:
trueDeclared by:
ghaf.graphics.boot.firmwareLogo.image
Section titled “ghaf.graphics.boot.firmwareLogo.image”Image to use in place of the UEFI firmware (BGRT) boot logo. Default is the Ghaf logo.
Type: absolute path
Default:
"/nix/store/47zxnir3fllkgkm4xy6140glz0x8xmbm-ghaf-artwork-0.1.0/1600px-Ghaf_logo.png"Declared by:
ghaf.graphics.boot.logo.enable
Section titled “ghaf.graphics.boot.logo.enable”Whether to enable custom logo at the bottom of the splash screen.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.graphics.boot.logo.image
Section titled “ghaf.graphics.boot.logo.image”Image to use at the bottom of the splash screen. Default is the Ghaf logo.
Type: absolute path
Default:
"/nix/store/47zxnir3fllkgkm4xy6140glz0x8xmbm-ghaf-artwork-0.1.0/ghaf-logo-512px.png"Declared by:
ghaf.graphics.boot.renderer
Section titled “ghaf.graphics.boot.renderer”Renderer for the graphical boot splash.
- simpledrm: Use a simple framebuffer. Recommended if the GPU is not ready at early boot.
- gpu: Use the system GPU if drivers are available in the initrd.
Type: one of “gpu”, “simpledrm”
Default:
"simpledrm"Declared by:
ghaf.graphics.boot.splashDelay
Section titled “ghaf.graphics.boot.splashDelay”Delay in seconds before showing the splash screen.
Type: null or signed integer
Default:
0Declared by:
ghaf.graphics.boot.theme
Section titled “ghaf.graphics.boot.theme”Plymouth theme to use. The “bgrt” theme is recommended for UEFI systems.
Type: one of “bgrt”, “details”, “fade-in”, “glow”, “script”, “solar”, “spinfinity”, “spinner”, “text”, “tribar”
Default:
"bgrt"Declared by:
ghaf.graphics.boot.waitForService
Section titled “ghaf.graphics.boot.waitForService”If set, plymouth will wait for the specified systemd service to be started before quitting.
Type: null or string
Default:
nullDeclared by:
ghaf.graphics.cosmic.enable
Whether to enable the COSMIC desktop environment in Ghaf.
Type: boolean
Default: false
Example: true

ghaf.graphics.cosmic.bottomPanelApplets
Cosmic bottom panel applets configuration.
Used only when the bottom-only panel layout is selected.
Type: submodule
Default:
{
  center = [ ];
  left = [
    "com.system76.CosmicPanelAppButton"
    "com.system76.CosmicPanelWorkspacesButton"
    "com.system76.CosmicAppList"
    "com.system76.CosmicAppletMinimize"
  ];
  right = [
    "com.system76.CosmicAppletInputSources"
    "com.system76.CosmicAppletStatusArea"
    "ae.tii.CosmicAppletKillSwitch"
    "com.system76.CosmicAppletTiling"
    "com.system76.CosmicAppletNetwork"
    "com.system76.CosmicAppletAudio"
    "com.system76.CosmicAppletBattery"
    "com.system76.CosmicAppletNotifications"
    "com.system76.CosmicAppletTime"
    "com.system76.CosmicAppletPower"
  ];
}

ghaf.graphics.cosmic.bottomPanelApplets.center
List of applets to show in the center of the panel.
Type: list of string
Default: [ ]

ghaf.graphics.cosmic.bottomPanelApplets.left
List of applets to show on the left side of the panel.
Type: list of string
Default: [ ]

ghaf.graphics.cosmic.bottomPanelApplets.right
List of applets to show on the right side of the panel.
Type: list of string
Default: [ ]

ghaf.graphics.cosmic.extraAutostart
Additional shell commands to run on ghaf COSMIC session start-up.
Type: string
Default: ""

ghaf.graphics.cosmic.idleManagement.enable
Whether to enable idle management.
When enabled, the system will automatically manage screen blanking and suspension based on user inactivity.
If disabled, the default timeouts will be set to ‘Never’. However, users can still manually configure the settings via COSMIC Settings to override this behavior.
If ‘config.ghaf.services.power-manager.suspend.enable’ is false, suspension will not occur regardless of this setting.
Type: boolean
Default: config.ghaf.profiles.graphics.idleManagement.enable

ghaf.graphics.cosmic.idleManagement.screenOffTime
Time in seconds of inactivity before the screen is turned off and the session is locked.
Type: signed integer
Default: 300

ghaf.graphics.cosmic.idleManagement.suspendOnAC
Time in seconds of inactivity before the system suspends when on AC power.
Type: signed integer
Default: config.ghaf.graphics.cosmic.idleManagement.screenOffTime * 3

ghaf.graphics.cosmic.idleManagement.suspendOnBattery
Time in seconds of inactivity before the system suspends when on battery power.
Type: signed integer
Default: config.ghaf.graphics.cosmic.idleManagement.screenOffTime * 3

ghaf.graphics.cosmic.renderDevice
Path to the render device to be used by the COSMIC compositor.
If set, this will be assigned to the COSMIC_RENDER_DEVICE environment variable, directing COSMIC to use the specified device (e.g., /dev/dri/renderD129).
This option can be useful in systems with multiple GPUs to explicitly select which device the compositor should use.
If unset, COSMIC will attempt to automatically detect a suitable render device.
Type: null or absolute path
Default: "null"
Example: "/dev/dri/renderD129"

ghaf.graphics.cosmic.screenRecorder.enable
Whether to enable screen recording capabilities using gpu-screen-recorder.
Type: boolean
Default: true
Example: true

ghaf.graphics.cosmic.securityContext
Security context settings
Type: submodule
Default: { borderWidth = 4; rules = [ ]; }

ghaf.graphics.cosmic.securityContext.borderWidth
Default border width in pixels
Type: positive integer, meaning >0
Default: 6
Example: 6

ghaf.graphics.cosmic.securityContext.rules
List of security context rules
Type: list of (submodule)

ghaf.graphics.cosmic.securityContext.rules.*.color
Window border color
Type: string
Example: "#006305"

ghaf.graphics.cosmic.securityContext.rules.*.identifier
The identifier attached to the security context
Type: string
Example: "chrome-vm"

ghaf.graphics.cosmic.topPanelApplets
Cosmic top panel applets configuration.
Used only when the top and bottom panel layout is selected.
Type: submodule
Default:
{
  center = [
    "com.system76.CosmicAppletTime"
    "com.system76.CosmicAppletNotifications"
  ];
  left = [
    "com.system76.CosmicPanelAppButton"
    "com.system76.CosmicPanelWorkspacesButton"
  ];
  right = [
    "com.system76.CosmicAppletInputSources"
    "com.system76.CosmicAppletStatusArea"
    "ae.tii.CosmicAppletKillSwitch"
    "com.system76.CosmicAppletTiling"
    "com.system76.CosmicAppletNetwork"
    "com.system76.CosmicAppletAudio"
    "com.system76.CosmicAppletBattery"
    "com.system76.CosmicAppletPower"
  ];
}

ghaf.graphics.cosmic.topPanelApplets.center
List of applets to show in the center of the panel.
Type: list of string
Default: [ ]

ghaf.graphics.cosmic.topPanelApplets.left
List of applets to show on the left side of the panel.
Type: list of string
Default: [ ]

ghaf.graphics.cosmic.topPanelApplets.right
List of applets to show on the right side of the panel.
Type: list of string
Default: [ ]
ghaf.graphics.hybrid-setup.enable
Whether to enable the hybrid GPU setup that utilizes both Intel and NVIDIA GPU cards. The Intel GPU will handle rendering tasks, while the NVIDIA GPU will be dedicated to media coding.
Type: boolean
Default: false
Example: true

ghaf.graphics.hybrid-setup.prime.enable
Whether to enable NVIDIA PRIME offload rendering.
Type: boolean
Default: false
Example: true

ghaf.graphics.hybrid-setup.prime.forceNvidiaOffload
Whether to force all graphical applications to use NVIDIA via PRIME render offload by setting __NV_PRIME_RENDER_OFFLOAD=1 globally in the session environment.
Type: boolean
Default: false
Example: true

ghaf.graphics.hybrid-setup.prime.intelBusId
Bus ID of the Intel GPU. You can find it using lspci; for example, if lspci shows the Intel GPU at “0001:02:03.4”, set this option to “PCI:2@1:3:4”.
Type: string
Default: ""

ghaf.graphics.hybrid-setup.prime.nvidiaBusId
Bus ID of the NVIDIA GPU. You can find it using lspci; for example, if lspci shows the NVIDIA GPU at “0001:02:03.4”, set this option to “PCI:2@1:3:4”.
Type: string
Default: ""

ghaf.graphics.intel-setup.enable
Whether to enable the Intel GPU setup.
Type: boolean
Default: false
Example: true

ghaf.graphics.launchers
Application launchers to show in the system drawer or launcher.
Type: list of (submodule)
Default: [ ]
ghaf.graphics.launchers.*.packages
Packages required for this application
Type: list of package
Default: [ ]

ghaf.graphics.launchers.*.categories
The Categories of the desktop entry; see https://specifications.freedesktop.org/menu-spec/1.0/category-registry.html for possible values
Type: list of string
Default: [ ]

ghaf.graphics.launchers.*.description
The Comment of the desktop entry
Type: string

ghaf.graphics.launchers.*.desktopName
The Name of the desktop entry
Type: string
Default: ""

ghaf.graphics.launchers.*.exec
The Exec of the desktop entry.
If vm is set, this command will be executed in the target VM.
Type: null or string
Default: null

ghaf.graphics.launchers.*.extraModules
Additional modules required for the application
Type: list of (attribute set)
Default: [ ]

ghaf.graphics.launchers.*.genericName
The GenericName of the desktop entry
Type: null or string
Default: null

ghaf.graphics.launchers.*.givcArgs
GIVC arguments for the application
Type: list of string
Default: [ ]

ghaf.graphics.launchers.*.icon
The Icon of the desktop entry
Type: null or string
Default: null

ghaf.graphics.launchers.*.name
The name of the desktop file (excluding the .desktop or .directory file extensions)
Type: string

ghaf.graphics.launchers.*.noDisplay
The NoDisplay field of the desktop entry
Type: boolean
Default: false

ghaf.graphics.launchers.*.startupWMClass
The StartupWMClass of the desktop entry
Type: null or string
Default: null

ghaf.graphics.launchers.*.vm
VM name in case this launches an isolated application.
Type: null or string
Default: null
ghaf.graphics.login-manager.enable
Whether to enable the Ghaf login manager config using greetd.
Type: boolean
Default: false
Example: true

ghaf.graphics.login-manager.failLock.enable
Whether to enable account locking after repeated failed login attempts. When activated, the system will temporarily lock accounts that exceed the maximum allowed authentication failures.
Type: boolean
Default: false
Example: true

ghaf.graphics.login-manager.failLock.maxTries
Defines the maximum number of consecutive failed authentication attempts allowed before the account is temporarily locked.
Key details:
- Each incorrect password submission increments the failure counter by one.
- Reaching this configured threshold immediately triggers the account lock.
- The internal failure counter resets upon a successful login.
Type: signed integer
Default: 5

ghaf.graphics.nvidia-setup.enable
Whether to enable the NVIDIA setup.
Type: boolean
Default: false
Example: true

ghaf.graphics.nvidia-setup.openDrivers
Whether to use the open source drivers instead of the NVIDIA proprietary drivers, e.g., for Blackwell architectures.
Type: boolean
Default: false

ghaf.graphics.nvidia-setup.vaapi.enable
Whether to enable the NVIDIA vaapi driver.
This allows using the NVIDIA GPU for decoding video streams instead of using software decoding on the CPU.
This particularly makes sense for desktop computers without an iGPU: on those, software en/decoding takes a lot of processing power while the NVIDIA GPU’s encoding capacity sits idle, so this option is enabled by default there.
However, on machines with an iGPU, the dGPU’s en/decoding capabilities are often more limited than those of the iGPU and require more power, so this is disabled there by default; it may still make sense from time to time, so feel free to experiment.
Type: boolean
Default: false

ghaf.graphics.nvidia-setup.vaapi.maxInstances
The maximum number of concurrent instances of the driver.
Sometimes useful for graphics cards with little VRAM.
Type: null or signed integer
Default: null

ghaf.graphics.nvidia-setup.withIntegratedGPU
Whether the computer has a separate integrated GPU.
This also configures the machine to use the integrated GPU for other things like software decoding, so keep this enabled even if you separately disable offload rendering.
Type: boolean
Default: false

ghaf.graphics.screen-recorder.enable
Whether to enable screen recording capabilities using gpu-screen-recorder.
Type: boolean
Default: false
Example: true
ghaf.hardware.definition.audio.acpiPath
Path to ACPI file to add to a VM
Type: null or absolute path
Default: "/sys/firmware/acpi/tables/NHLT"

ghaf.hardware.definition.audio.kernelConfig
Hardware specific kernel configuration for audio devices
Type: submodule
Default: { }

ghaf.hardware.definition.audio.kernelConfig.kernelParams
Hardware specific kernel parameters
Type: list of string
Default: [ ]
Example: [ "intel_iommu=on,sm_on" "iommu=pt" "module_blacklist=i915" "acpi_backlight=vendor" "acpi_osi=linux" ]

ghaf.hardware.definition.audio.kernelConfig.stage1.kernelModules
Hardware specific kernel modules
Type: list of string
Default: [ ]
Example: [ "i915" ]

ghaf.hardware.definition.audio.kernelConfig.stage2.kernelModules
Hardware specific kernel modules
Type: list of string
Default: [ ]
Example: [ "i915" ]

ghaf.hardware.definition.audio.pciDevices
PCI Devices to passthrough to AudioVM
Type: list of (submodule)
Default: [ ]
Example:
[
  { path = "0000:00:1f.0"; vendorId = "8086"; productId = "519d"; }
  { path = "0000:00:1f.3"; vendorId = "8086"; productId = "51ca"; }
  { path = "0000:00:1f.4"; vendorId = "8086"; productId = "51a3"; }
  { path = "0000:00:1f.5"; vendorId = "8086"; productId = "51a4"; }
]

ghaf.hardware.definition.audio.pciDevices.*.name
PCI device name (optional)
Type: null or string
Default: null

ghaf.hardware.definition.audio.pciDevices.*.path
PCI device path
Type: string

ghaf.hardware.definition.audio.pciDevices.*.productId
PCI Product ID (optional)
Type: null or string
Default: null

ghaf.hardware.definition.audio.pciDevices.*.qemu.deviceExtraArgs
Device additional arguments (optional)
Type: null or string
Default: null

ghaf.hardware.definition.audio.pciDevices.*.vendorId
PCI Vendor ID (optional)
Type: null or string
Default: null

ghaf.hardware.definition.audiovm.extraModules
Hardware-specific NixOS modules for Audio VM configuration. These modules are included in the profile’s extendModules call.
Use this ONLY for hardware-specific configurations like:
- Audio device passthrough settings
- Hardware-specific QEMU arguments
- Hardware detection modules
For resource allocation (memory, vCPUs) or profile-specific modules, use ghaf.virtualization.vmConfig.sysvms.audiovm instead.
Type: list of unspecified value
Default: [ ]
Example: [ ./audio-config.nix { microvm.qemu.extraArgs = [ ... ]; } ]
ghaf.hardware.definition.gpu.kernelConfig
Hardware specific kernel configuration for GPU devices
Type: submodule
Default: { }

ghaf.hardware.definition.gpu.kernelConfig.kernelParams
Hardware specific kernel parameters
Type: list of string
Default: [ ]
Example: [ "intel_iommu=on,sm_on" "iommu=pt" "module_blacklist=i915" "acpi_backlight=vendor" "acpi_osi=linux" ]

ghaf.hardware.definition.gpu.kernelConfig.stage1.kernelModules
Hardware specific kernel modules
Type: list of string
Default: [ ]
Example: [ "i915" ]

ghaf.hardware.definition.gpu.kernelConfig.stage2.kernelModules
Hardware specific kernel modules
Type: list of string
Default: [ ]
Example: [ "i915" ]

ghaf.hardware.definition.gpu.pciDevices
PCI Devices to passthrough to GuiVM
Type: list of (submodule)
Default: [ ]
Example:
[
  { path = "0000:00:02.0"; vendorId = "8086"; productId = "a7a1"; qemu.deviceExtraArgs = "x-igd-opregion=on"; }
]

ghaf.hardware.definition.gpu.pciDevices.*.name
PCI device name (optional)
Type: null or string
Default: null

ghaf.hardware.definition.gpu.pciDevices.*.path
PCI device path
Type: string

ghaf.hardware.definition.gpu.pciDevices.*.productId
PCI Product ID (optional)
Type: null or string
Default: null

ghaf.hardware.definition.gpu.pciDevices.*.qemu.deviceExtraArgs
Device additional arguments (optional)
Type: null or string
Default: null

ghaf.hardware.definition.gpu.pciDevices.*.vendorId
PCI Vendor ID (optional)
Type: null or string
Default: null

ghaf.hardware.definition.guivm.extraModules
Hardware-specific NixOS modules for GUI VM configuration. These modules are included in the profile’s extendModules call.
Use this ONLY for hardware-specific configurations like:
- GPU passthrough settings (PRIME, OVMF)
- Hardware-specific QEMU arguments
- Device-specific drivers/services
For resource allocation (memory, vCPUs) or profile-specific modules, use ghaf.virtualization.vmConfig.sysvms.guivm instead.
Type: list of unspecified value
Default: [ ]
Example: [ ./gpu-config.nix { microvm.qemu.extraArgs = [ ... ]; } ]

ghaf.hardware.definition.host.extraVfioPciIds
Extra ids for the vfio-pci.ids kernel parameter
Type: list of string
Default: [ ]
ghaf.hardware.definition.host.kernelConfig
Host kernel configuration
Type: submodule
Default: { }

ghaf.hardware.definition.host.kernelConfig.kernelParams
Hardware specific kernel parameters
Type: list of string
Default: [ ]
Example: [ "intel_iommu=on,sm_on" "iommu=pt" "module_blacklist=i915" "acpi_backlight=vendor" "acpi_osi=linux" ]

ghaf.hardware.definition.host.kernelConfig.stage1.kernelModules
Hardware specific kernel modules
Type: list of string
Default: [ ]
Example: [ "i915" ]

ghaf.hardware.definition.host.kernelConfig.stage2.kernelModules
Hardware specific kernel modules
Type: list of string
Default: [ ]
Example: [ "i915" ]

ghaf.hardware.definition.input.keyboard
Name of the keyboard device(s)
Type: submodule
Default: { }

ghaf.hardware.definition.input.keyboard.evdev
List of event devices.
Type: list of string
Default: [ ]

ghaf.hardware.definition.input.keyboard.name
List of input device names. Can either be a string, or a list of strings. The list option allows binding several input device names to the same evdev, which allows creating one generic hardware definition for multiple SKUs.
Type: list of raw value
Default: [ ]

ghaf.hardware.definition.input.misc
Name of the misc device(s)
Type: submodule
Default: { }

ghaf.hardware.definition.input.misc.evdev
List of event devices.
Type: list of string
Default: [ ]

ghaf.hardware.definition.input.misc.name
List of input device names. Can either be a string, or a list of strings. The list option allows binding several input device names to the same evdev, which allows creating one generic hardware definition for multiple SKUs.
Type: list of raw value
Default: [ ]

ghaf.hardware.definition.input.mouse
Name of the mouse device(s)
Type: submodule
Default: { }

ghaf.hardware.definition.input.mouse.evdev
List of event devices.
Type: list of string
Default: [ ]

ghaf.hardware.definition.input.mouse.name
List of input device names. Can either be a string, or a list of strings. The list option allows binding several input device names to the same evdev, which allows creating one generic hardware definition for multiple SKUs.
Type: list of raw value
Default: [ ]

ghaf.hardware.definition.input.touchpad
Name of the touchpad device(s)
Type: submodule
Default: { }

ghaf.hardware.definition.input.touchpad.evdev
List of event devices.
Type: list of string
Default: [ ]

ghaf.hardware.definition.input.touchpad.name
List of input device names. Can either be a string, or a list of strings. The list option allows binding several input device names to the same evdev, which allows creating one generic hardware definition for multiple SKUs.
Type: list of raw value
Default: [ ]

ghaf.hardware.definition.name
Name of the hardware
Type: string
Default: ""
ghaf.hardware.definition.netvm.extraModules
Hardware-specific NixOS modules for Net VM configuration.
This option allows hardware definitions to provide VM-specific configuration that will be merged with the base Net VM config.
Use this ONLY for hardware-specific settings like:
- PCIe root ports configuration
- Network device passthrough
- Custom kernel parameters
For resource allocation (memory, vCPUs) or profile-specific modules, use ghaf.virtualization.vmConfig.sysvms.netvm instead.
Type: list of unspecified value
Default: [ ]
Example: [ ./net-config.nix { microvm.qemu.extraArgs = [ ... ]; } ]

ghaf.hardware.definition.network.kernelConfig
Hardware specific kernel configuration for network devices
Type: submodule
Default: { }

ghaf.hardware.definition.network.kernelConfig.kernelParams
Hardware specific kernel parameters
Type: list of string
Default: [ ]
Example: [ "intel_iommu=on,sm_on" "iommu=pt" "module_blacklist=i915" "acpi_backlight=vendor" "acpi_osi=linux" ]

ghaf.hardware.definition.network.kernelConfig.stage1.kernelModules
Hardware specific kernel modules
Type: list of string
Default: [ ]
Example: [ "i915" ]

ghaf.hardware.definition.network.kernelConfig.stage2.kernelModules
Hardware specific kernel modules
Type: list of string
Default: [ ]
Example: [ "i915" ]

ghaf.hardware.definition.network.pciDevices
PCI Devices to passthrough to NetVM
Type: list of (submodule)
Default: [ ]
Example:
[
  { path = "0000:00:14.3"; vendorId = "8086"; productId = "51f1"; }
]

ghaf.hardware.definition.network.pciDevices.*.name
PCI device name (optional)
Type: null or string
Default: null

ghaf.hardware.definition.network.pciDevices.*.path
PCI device path
Type: string

ghaf.hardware.definition.network.pciDevices.*.productId
PCI Product ID (optional)
Type: null or string
Default: null

ghaf.hardware.definition.network.pciDevices.*.qemu.deviceExtraArgs
Device additional arguments (optional)
Type: null or string
Default: null

ghaf.hardware.definition.network.pciDevices.*.vendorId
PCI Vendor ID (optional)
Type: null or string
Default: null

ghaf.hardware.definition.skus
List of hardware SKUs (Stock Keeping Unit) covered with this definition
Type: list of string
Default: [ ]

ghaf.hardware.definition.type
Type of hardware (laptop, desktop, server)
Type: string
Default: "laptop"
ghaf.hardware.definition.usb.devices
Section titled “ghaf.hardware.definition.usb.devices”Internal USB device(s) to passthrough.
Each device definition requires a name, and either vendorId and productId, or hostbus and hostport. The latter is useful for addressing devices that may have different vendor and product IDs in the same hardware generation.
Note that internal devices must follow the naming convention to be correctly identified and subsequently used. Current special names are:
- ‘cam0’ for the internal cam0 device
- ‘fpr0’ for the internal fingerprint reader device
Type: list of (submodule)
Default:
[ ]Example:
[ { name = "cam0"; vendorId = "0123"; productId = "0123"; } { name = "fpr0"; hostbus = "3"; hostport = "3"; }]Declared by:
ghaf.hardware.definition.usb.devices.*.hostbus
Section titled “ghaf.hardware.definition.usb.devices.*.hostbus”USB device bus number (optional). If this is set, the hostport must also be set.
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.usb.devices.*.hostport
Section titled “ghaf.hardware.definition.usb.devices.*.hostport”USB device device number (optional). If this is set, the hostbus must also be set.
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.usb.devices.*.name
Section titled “ghaf.hardware.definition.usb.devices.*.name”USB device name. NOT optional for external devices, in which case it must not contain spaces or extravagant characters.
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.usb.devices.*.productId
Section titled “ghaf.hardware.definition.usb.devices.*.productId”USB Product ID (optional). If this is set, the vendorId must also be set.
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.usb.devices.*.vendorId
Section titled “ghaf.hardware.definition.usb.devices.*.vendorId”USB Vendor ID (optional). If this is set, the productId must also be set.
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.usb.devices.*.vmUdevExtraRule
Section titled “ghaf.hardware.definition.usb.devices.*.vmUdevExtraRule”Extra udev rule for the VM to control access of the USB device.
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.devices.audio
Section titled “ghaf.hardware.devices.audio”Audio PCI devices to passthrough.
Type: attribute set
Default:
{ }Declared by:
ghaf.hardware.devices.evdev
Section titled “ghaf.hardware.devices.evdev”Evdev devices to passthrough.
Type: attribute set
Default:
{ }Declared by:
ghaf.hardware.devices.gpus
Section titled “ghaf.hardware.devices.gpus”GPU PCI devices to passthrough.
Type: attribute set
Default:
{ }Declared by:
ghaf.hardware.devices.hotplug
Section titled “ghaf.hardware.devices.hotplug”Enable hotplugging of PCI devices. This allows to dynamically add or remove PCI devices to the microvm without needing to restart it. Useful for power management and future use cases.
Type: boolean
Default:
trueDeclared by:
ghaf.hardware.devices.nics
Section titled “ghaf.hardware.devices.nics”NIC PCI devices to passthrough.
Type: attribute set
Default:
{ }Declared by:
ghaf.hardware.passthrough.VMs
Section titled “ghaf.hardware.passthrough.VMs”VM USB device map.
Type: attribute set of (submodule)
Default:
{ }Declared by:
ghaf.hardware.passthrough.VMs.<name>.permittedDevices
Section titled “ghaf.hardware.passthrough.VMs.<name>.permittedDevices”List of devices allowed to access by the VM.
Type: list of string
Declared by:
ghaf.hardware.passthrough.evdev.evdevRules
Section titled “ghaf.hardware.passthrough.evdev.evdevRules”Non-USB Input Device Passthrough Rules for GUIVM
Type: list of (attribute set)
Default:
[ { allow = [ { property = "ID_INPUT_MOUSE"; value = "1"; } { property = "ID_INPUT_KEYBOARD"; value = "1"; } { property = "ID_INPUT_TOUCHPAD"; value = "1"; } { property = "ID_INPUT_TOUCHSCREEN"; value = "1"; } { property = "ID_INPUT_TABLET"; value = "1"; } { description = "ThinkPad Extra Buttons"; pathTag = "platform-thinkpad_acpi"; } { description = "Intel HID events"; pathTag = "platform-INTC1070_00"; } { description = "Intel HID events"; pathTag = "platform-INT33D5:00"; } { description = "Dell WMI hotkeys"; pathTag = "platform-PNP0C14:02"; } ]; description = "Non-USB Input Devices for GUIVM"; targetVm = "gui-vm"; }]Declared by:
ghaf.hardware.passthrough.mode
Section titled “ghaf.hardware.passthrough.mode”Passthrough mode for the pre-attached devices defined in hardware.passthrough.usb.devices. Options: “none”, “static”, “dynamic”, “user”
- “none”: no passthrough
- “static”: legacy mode, static passthrough via QEMU
- “dynamic”: dynamic passthrough via vhotplug at runtime
- “user”: user-defined passthrough [Not supported]
Type: string
Default:
"static"Declared by:
ghaf.hardware.passthrough.pci.audiovmRules
Section titled “ghaf.hardware.passthrough.pci.audiovmRules”PCI Device Passthrough Rules for AudioVM
Type: list of (attribute set)
Default:
[ { allow = [ { address = "0000:00:1f.0"; deviceId = "519d"; vendorId = "8086"; } { address = "0000:00:1f.3"; deviceId = "51ca"; vendorId = "8086"; } { address = "0000:00:1f.4"; deviceId = "51a3"; vendorId = "8086"; } { address = "0000:00:1f.5"; deviceId = "51a4"; vendorId = "8086"; } ]; description = "PCI Devices for AudioVM"; tag = "audio"; targetVm = "audio-vm"; }]Declared by:
ghaf.hardware.passthrough.pci.autoDetectAudio
Section titled “ghaf.hardware.passthrough.pci.autoDetectAudio”Whether to enable auto-detection of audio PCI devices.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.hardware.passthrough.pci.autoDetectGpu
Section titled “ghaf.hardware.passthrough.pci.autoDetectGpu”Whether to enable auto-detection of GPU PCI devices.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.hardware.passthrough.pci.autoDetectNet
Section titled “ghaf.hardware.passthrough.pci.autoDetectNet”Whether to enable auto-detection of network PCI devices.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.hardware.passthrough.pci.guivmRules
Section titled “ghaf.hardware.passthrough.pci.guivmRules”PCI Device Passthrough Rules for GUIVM
Type: list of (attribute set)
Default:
[ { allow = [ { address = "0000:00:02.0"; deviceId = "a7a1"; vendorId = "8086"; } ]; description = "Static PCI Devices for GUIVM"; skipOnSuspend = true; targetVm = "gui-vm"; }]Declared by:
ghaf.hardware.passthrough.pci.netvmRules
Section titled “ghaf.hardware.passthrough.pci.netvmRules”PCI Device Passthrough Rules for NetVM
Type: list of (attribute set)
Default:
[ { allow = [ { address = "0000:00:14.3"; deviceId = "51f1"; vendorId = "8086"; } ]; description = "Static PCI Devices for NetVM"; tag = "net"; targetVm = "net-vm"; }]Declared by:
ghaf.hardware.passthrough.pciAcsOverride.enable
Section titled “ghaf.hardware.passthrough.pciAcsOverride.enable”Whether to enable PCIe ACS (Access Control Services) override support for VFIO device assignment.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.hardware.passthrough.pciAcsOverride.ids
Section titled “ghaf.hardware.passthrough.pciAcsOverride.ids”List of specific PCI device IDs (vendor:device in hex) to override ACS. This works for ALL PCI devices including non-PCIe devices.
Use this when you need to split IOMMU groups for specific devices that are not PCIe (e.g., LPC/eSPI devices like Intel 00:1f.x).
Type: list of string
Default:
[ ]Example:
[ "8086:550a" "8086:7702"]Declared by:
ghaf.hardware.passthrough.pciPorts.pcieBusPrefix
Section titled “ghaf.hardware.passthrough.pciPorts.pcieBusPrefix”PCIe bus prefix used for the pcie-root-port QEMU device.
Type: null or string
Default:
"pci_hotplug_"Declared by:
ghaf.hardware.passthrough.pciPorts.pciePortCountForVMs
Section titled “ghaf.hardware.passthrough.pciPorts.pciePortCountForVMs”The number of PCIe ports used for hot-plugging PCI devices to virtual machines.
In order to support hot-plugging of PCIe devices, QEMU virtual machines must have available PCIe ports created by adding pcie-root-port devices at startup. This is used, for example, to pass input devices to the GUI VM as virtio-input-host-pci and to pass through PCI devices from the host (GPU, network, audio devices) as vfio-pci. Additionally, vhotplug can detect PCI devices that are not listed in the static hardware definitions and pass them through as well.
Type: attribute set of signed integer
Default:
{ audio-vm = 11; gui-vm = 8; net-vm = 3;}Example:
{ "vm-name1" = 5; "vm-name2" = 3;}Declared by:
ghaf.hardware.passthrough.qemuExtraArgs
Section titled “ghaf.hardware.passthrough.qemuExtraArgs”Extra arguments to pass to qemu when enabling the internal USB device(s). Qemu arguments for the devices are grouped by vm-name.
Type: attribute set of list of string
Default:
{ }Example:
{ "vm-name1" = [ "-device qemu-xhci -device usb-host,vendorid=0x0001,productid=0x0001" ]; "vm-name2" = [ "-device qemu-xhci -device usb-host,vendorid=0x1234,productid=0x1234" ];}Declared by:
ghaf.hardware.passthrough.usb.audiovmRules
Section titled “ghaf.hardware.passthrough.usb.audiovmRules”USB Device Passthrough Rules for AudioVM
Type: list of (attribute set)
Default:
[ { allow = [ { description = "Audio"; interfaceClass = 1; } ]; deny = [ { description = "Video (USB Webcams)"; interfaceClass = 14; } ]; description = "Audio Devices for AudioVM"; targetVm = "audio-vm"; } { allow = [ { description = "Bluetooth"; interfaceClass = 224; interfaceProtocol = 1; interfaceSubclass = 1; } ]; description = "Bluetooth Devices for AudioVM"; tag = "bt"; targetVm = "audio-vm"; }]Declared by:
ghaf.hardware.passthrough.usb.guivmRules
Section titled “ghaf.hardware.passthrough.usb.guivmRules”USB Device Passthrough Rules for GUIVM
Type: list of (attribute set)
Default:
[ { allow = [ { description = "HID Keyboard"; interfaceClass = 3; interfaceProtocol = 1; } { description = "HID Mouse"; interfaceClass = 3; interfaceProtocol = 2; } { description = "Chip/SmartCard (e.g. YubiKey)"; interfaceClass = 11; } { description = "Mass Storage - SCSI (USB drives)"; interfaceClass = 8; interfaceSubclass = 6; } { description = "USB-C alternate modes supported by device"; interfaceClass = 17; } ]; description = "USB Devices for GUIVM"; targetVm = "gui-vm"; }]Declared by:
ghaf.hardware.passthrough.usb.netvmRules
Section titled “ghaf.hardware.passthrough.usb.netvmRules”USB Device Passthrough Rules for NetVM
Type: list of (attribute set)
Default:
[ { allow = [ { description = "Communications - Ethernet Networking"; interfaceClass = 2; interfaceSubclass = 6; } { description = "USB network devices that do not report their class or interfaces"; driverPath = ".*/kernel/drivers/net/usb/.*"; } ]; description = "USB Devices for NetVM"; targetVm = "net-vm"; }]Declared by:
ghaf.hardware.passthrough.usbQuirks.enable
Section titled “ghaf.hardware.passthrough.usbQuirks.enable”Whether to enable quirks for USB devices.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.hardware.passthrough.vhotplug.enable
Section titled “ghaf.hardware.passthrough.vhotplug.enable”Whether to enable hot plugging of USB devices.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.hardware.passthrough.vhotplug.acpiRules
Section titled “ghaf.hardware.passthrough.vhotplug.acpiRules”List of ACPI hot plugging rules.
Type: list of (attribute set)
Default:
[ ]Declared by:
ghaf.hardware.passthrough.vhotplug.api.enable
Section titled “ghaf.hardware.passthrough.vhotplug.api.enable”Enable external API.
Type: boolean
Default:
trueDeclared by:
ghaf.hardware.passthrough.vhotplug.api.allowedCids
Section titled “ghaf.hardware.passthrough.vhotplug.api.allowedCids”List of VSOCK CIDs allowed to connect.
Type: list of signed integer
Default:
[ 4]Example:
[ 3 4 5]Declared by:
ghaf.hardware.passthrough.vhotplug.api.port
Section titled “ghaf.hardware.passthrough.vhotplug.api.port”API port number.
Type: signed integer
Default:
2000Declared by:
ghaf.hardware.passthrough.vhotplug.api.transports
Section titled “ghaf.hardware.passthrough.vhotplug.api.transports”List of supported transports for the API.
Type: list of (one of “tcp”, “unix”, “vsock”)
Default:
[ "vsock" "unix"]Example:
[ "tcp" "unix" "vsock"]Declared by:
ghaf.hardware.passthrough.vhotplug.evdevRules
Section titled “ghaf.hardware.passthrough.vhotplug.evdevRules”List of evdev hot plugging rules.
Type: list of (attribute set)
Default:
[ ]Declared by:
ghaf.hardware.passthrough.vhotplug.pciRules
Section titled “ghaf.hardware.passthrough.vhotplug.pciRules”List of PCI hot plugging rules.
Type: list of (attribute set)
Default:
[ ]Declared by:
ghaf.hardware.passthrough.vhotplug.postpendUsbRules
Section titled “ghaf.hardware.passthrough.vhotplug.postpendUsbRules”List of extra USB rules to be added to the system. Uses the same format as vhotplug.usbRules, and is appended after the default rules. This is useful for adding rules for additional VMs while keeping the ghaf defaults.
Type: list of (attribute set)
Default:
[ ]Declared by:
ghaf.hardware.passthrough.vhotplug.prependUsbRules
Section titled “ghaf.hardware.passthrough.vhotplug.prependUsbRules”List of extra USB rules to be added to the system. Uses the same format as vhotplug.usbRules, and is prepended to the default rules. This is helpful for setting rules where the order of USB device detection matters for additional VMs, while still maintaining the default rules.
Type: list of (attribute set)
Default:
[ ]Declared by:
ghaf.hardware.passthrough.vhotplug.usbRules
Section titled “ghaf.hardware.passthrough.vhotplug.usbRules”List of USB hot plugging rules.
Type: list of (attribute set)
Default:
[ ]Declared by:
ghaf.hardware.passthrough.vhotplug.vms
Section titled “ghaf.hardware.passthrough.vhotplug.vms”List of virtual machines.
Type: list of (attribute set)
Default:
[ { name = "admin-vm"; socket = "/var/lib/microvms/admin-vm/admin-vm.sock"; type = "qemu"; } { name = "audio-vm"; socket = "/var/lib/microvms/audio-vm/audio-vm.sock"; type = "qemu"; } { name = "business-vm"; socket = "/var/lib/microvms/business-vm/business-vm.sock"; type = "qemu"; } { name = "chrome-vm"; socket = "/var/lib/microvms/chrome-vm/chrome-vm.sock"; type = "qemu"; } { name = "comms-vm"; socket = "/var/lib/microvms/comms-vm/comms-vm.sock"; type = "qemu"; } { name = "flatpak-vm"; socket = "/var/lib/microvms/flatpak-vm/flatpak-vm.sock"; type = "qemu"; } { name = "gui-vm"; socket = "/var/lib/microvms/gui-vm/gui-vm.sock"; type = "qemu"; } { name = "net-vm"; socket = "/var/lib/microvms/net-vm/net-vm.sock"; type = "qemu"; } { name = "zathura-vm"; socket = "/var/lib/microvms/zathura-vm/zathura-vm.sock"; type = "qemu"; }]Declared by:
ghaf.hardware.passthrough.vmUdevExtraRules
Section titled “ghaf.hardware.passthrough.vmUdevExtraRules”Extra udev rules to be used by the specified vm.
Type: attribute set of list of string
Default:
{ }Example:
{ "vm-name1" = [ "udev rule 1" "udev rule 2" ];}Declared by:
ghaf.hardware.tpm2.enable
Section titled “ghaf.hardware.tpm2.enable”Whether to enable TPM2 PKCS#11 interface.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.hardware.x86_64.common.enable
Section titled “ghaf.hardware.x86_64.common.enable”Whether to enable Common x86 configs.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.kernel.hardening.enable
Section titled “ghaf.host.kernel.hardening.enable”Whether to enable Ghaf Host hardening feature.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.kernel.hardening.debug.enable
Section titled “ghaf.host.kernel.hardening.debug.enable”Whether to enable support for debug features in the Ghaf Host.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.kernel.hardening.inputdevices.enable
Section titled “ghaf.host.kernel.hardening.inputdevices.enable”Whether to enable support for input devices in the Ghaf Host.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.kernel.hardening.networking.enable
Section titled “ghaf.host.kernel.hardening.networking.enable”Whether to enable support for networking in the Ghaf Host.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.kernel.hardening.usb.enable
Section titled “ghaf.host.kernel.hardening.usb.enable”Whether to enable support for USB in the Ghaf Host.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.kernel.hardening.virtualization.enable
Section titled “ghaf.host.kernel.hardening.virtualization.enable”Whether to enable support for virtualization in the Ghaf Host.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.kernel.memory-wipe.enable
Section titled “ghaf.host.kernel.memory-wipe.enable”Whether to enable memory wiping on boot and on free via kernel configuration (host only).
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.networking.enable
Section titled “ghaf.host.networking.enable”Whether to enable Host networking.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.networking.enableExternalNetworking
Section titled “ghaf.host.networking.enableExternalNetworking”Enable external host networking support. This option currently enables host NAT and disables the default behaviour of deactivating any additional interfaces. Note that even with this configuration, host networking can still be enabled manually if needed. By default, this option is enabled if no net-vm is defined or the debug profile is enabled.
Type: boolean
Default:
(!(hasAttr "net-vm" config.microvm.vms)) || config.ghaf.profiles.debug.enableDeclared by:
ghaf.host.networking.bridgeNicName
Section titled “ghaf.host.networking.bridgeNicName”Name of the internal interface
Type: string
Default:
"virbr0"Declared by:
ghaf.host.secureboot.enable
Section titled “ghaf.host.secureboot.enable”Whether to enable Secure Boot support.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.secureboot.keysDir
Section titled “ghaf.host.secureboot.keysDir”Path to the directory containing Secure Boot public keys.
Type: string
Default:
"/etc/ghaf/secureboot/keys"Declared by:
ghaf.host.secureboot.keysSource
Section titled “ghaf.host.secureboot.keysSource”Source directory for Secure Boot public keys; set to null to skip installing keys.
Type: null or absolute path
Default:
https://github.com/tiiuae/ghaf/blob/main/modules/secureboot/keysDeclared by:
ghaf.identity.dynamicHostName.enable
Section titled “ghaf.identity.dynamicHostName.enable”Whether to enable runtime human-readable hostname derived from hardware.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.identity.dynamicHostName.digits
Section titled “ghaf.identity.dynamicHostName.digits”Number of decimal digits
Type: signed integer
Default:
10Declared by:
ghaf.identity.dynamicHostName.outputDir
Section titled “ghaf.identity.dynamicHostName.outputDir”Private host-only output dir
Type: absolute path
Default:
"/var/lib/ghaf/identity"Declared by:
ghaf.identity.dynamicHostName.prefix
Section titled “ghaf.identity.dynamicHostName.prefix”Hostname prefix
Type: string
Default:
"ghaf"Declared by:
ghaf.identity.dynamicHostName.shareDir
Section titled “ghaf.identity.dynamicHostName.shareDir”Shared dir exposed to VMs (is available under /etc/common in VMs)
Type: absolute path
Default:
"/persist/common/ghaf"Declared by:
ghaf.identity.dynamicHostName.source
Section titled “ghaf.identity.dynamicHostName.source”Source for generating the hardware ID:
- hardware: Best-effort hardware detection (DMI, disk hardware ID, MAC, machine-id)
- static: Use user-provided static value
- random: Generate random value on first boot (persisted)
Type: one of “hardware”, “static”, “random”
Default:
"hardware"Declared by:
ghaf.identity.dynamicHostName.staticValue
Section titled “ghaf.identity.dynamicHostName.staticValue”Static hardware ID value (only used when source = ‘static’)
Type: null or string
Default:
nullDeclared by:
ghaf.identity.vmHostNameExport.enable
Section titled “ghaf.identity.vmHostNameExport.enable”Whether to enable exporting the dynamic hostname to the VM environment.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.identity.vmHostNameExport.hostnamePath
Section titled “ghaf.identity.vmHostNameExport.hostnamePath”Path to hostname file in VM (usually shared via virtiofs)
Type: string
Default:
"/etc/common/ghaf/hostname"Declared by:
ghaf.identity.vmHostNameSetter.enable
Section titled “ghaf.identity.vmHostNameSetter.enable”Whether to enable setting the VM hostname from the shared hardware-based hostname file.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.identity.vmHostNameSetter.hostnamePath
Section titled “ghaf.identity.vmHostNameSetter.hostnamePath”Path to hostname file in VM (usually shared via virtiofs)
Type: string
Default:
"/etc/common/ghaf/hostname"Declared by:
ghaf.kernel.audiovm
Section titled “ghaf.kernel.audiovm”AudioVM kernel configuration
Type: attribute set
Default:
{ }Declared by:
ghaf.kernel.guivm
Section titled “ghaf.kernel.guivm”GuiVM kernel configuration
Type: attribute set
Default:
{ }Declared by:
ghaf.kernel.host
Section titled “ghaf.kernel.host”Host kernel configuration
Type: attribute set
Default:
{ }Declared by:
ghaf.kernel.netvm
Section titled “ghaf.kernel.netvm”NetVM kernel configuration
Type: attribute set
Default:
{ }Declared by:
ghaf.logging.enable
Section titled “ghaf.logging.enable”Whether to enable the logging service (Grafana Alloy client uploading journal logs to the admin-vm).
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.logging.client.enable
Section titled “ghaf.logging.client.enable”Whether to enable Alloy client service.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.logging.client.endpoint
Section titled “ghaf.logging.client.endpoint”Endpoint URL assigned to the alloy.service running on the various log producers. The URL includes the protocol, upstream address and port.
Type: string
Default:
"https://192.168.100.5:9999/loki/api/v1/push"Declared by:
ghaf.logging.client.tls.caFile
Section titled “ghaf.logging.client.tls.caFile”CA bundle used to verify the admin-vm TLS terminator certificate.
Type: null or absolute path
Default:
"/etc/givc/ca-cert.pem"Declared by:
ghaf.logging.client.tls.certFile
Section titled “ghaf.logging.client.tls.certFile”Client certificate (PEM) used for mTLS to the admin-vm.
Type: null or absolute path
Default:
"/etc/givc/cert.pem"Declared by:
ghaf.logging.client.tls.keyFile
Section titled “ghaf.logging.client.tls.keyFile”Client private key (PEM) used for mTLS to the admin-vm.
Type: null or absolute path
Default:
"/etc/givc/key.pem"Declared by:
ghaf.logging.client.tls.minVersion
Section titled “ghaf.logging.client.tls.minVersion”Minimum TLS version for the outbound connection.
Type: null or one of “TLS12”, “TLS13”
Default:
"TLS12"Declared by:
ghaf.logging.fss.enable
Section titled “ghaf.logging.fss.enable”Enable Forward Secure Sealing for systemd journal logs. Automatically enabled when ghaf.logging.enable is true.
FSS provides cryptographic tamper-evidence for audit logs using HMAC-based sealing chains. Any tampering will break the chain and be detected during verification.
Type: boolean
Default:
trueDeclared by:
ghaf.logging.fss.keyPath
Section titled “ghaf.logging.fss.keyPath”Directory to store FSS keys and metadata for this component.
Per-component isolation ensures each component (host + VMs) has independent FSS key pairs for proper tamper detection.
Path structure:
- Host: /persist/common/journal-fss/ghaf-host/ (direct persist access)
- VMs: /etc/common/journal-fss/<vm-name>/ (virtiofs mount from host)
Examples:
- Host: /persist/common/journal-fss/ghaf-host/verification-key
- Audio-VM: /etc/common/journal-fss/audio-vm/verification-key
- Admin-VM: /etc/common/journal-fss/admin-vm/verification-key
Contains:
- initialized: Sentinel file (prevents re-initialization)
- verification-key: Public verification key for independent validation
The sealing key is stored by systemd in /var/log/journal/<machine-id>/fss and should never be exported from the host.
Verification Key Storage:
- The verification key is extracted once during initial setup
- CRITICAL: Copy verification-key to secure offline storage immediately
- Required for independent verification of exported journal archives
- If lost, tamper detection is still functional but offline verification is impossible
Offline Verification Process:
- Export journal: journalctl -o export > journal.export
- Transfer journal.export and verification-key to verification system
- Verify: journalctl --verify --verify-key=<verification-key> --file=journal.export
Key Rotation:
- FSS keys are bound to the seal interval and cannot be rotated independently
- To rotate: clear journals, delete /persist/common/journal-fss/ghaf-host/initialized, reboot
- WARNING: Rotation destroys tamper-evidence chain for existing logs
- Best practice: Archive and verify existing journals before rotation
Type: absolute path
Default:
"/persist/common/journal-fss/ghaf-host"Declared by:
ghaf.logging.fss.sealInterval
Section titled “ghaf.logging.fss.sealInterval”Time interval for sealing journal entries, set during key generation.
This interval is set once during ‘journalctl --setup-keys’ and cannot be changed without regenerating keys. Systemd creates a new HMAC seal every interval, advancing the forward-secure key chain.
Shorter intervals provide more granular tamper detection but increase storage overhead.
Format: time span (e.g., “15min”, “1h”, “30s”)
Recommended: 15min (systemd default)
Impact of Changing sealInterval:
- REQUIRES key regeneration (destroys existing tamper-evidence chain)
- Shorter intervals (e.g., “5min”):
  - Faster tamper detection granularity
  - Higher storage overhead (~0.5% per seal)
  - More verification CPU overhead
- Longer intervals (e.g., “1h”):
  - Lower storage overhead
  - Coarser tamper detection window
  - Faster verification
Operational Notes:
- The seal interval is embedded in the FSS key structure
- Changing this value after deployment requires:
  - Archive and verify existing journals
  - Clear /var/log/journal/<machine-id>/
  - Delete /persist/common/journal-fss/ghaf-host/initialized
  - Reboot to trigger new key generation
- All VMs in the system can use different seal intervals independently
Type: string
Default:
"15min"Declared by:
ghaf.logging.fss.verifyOnBoot
Section titled “ghaf.logging.fss.verifyOnBoot”Run journal verification on system boot.
Verification will run 10 minutes after systemd-journald starts to ensure journal files are ready and FSS setup has completed.
Type: boolean
Default:
trueDeclared by:
ghaf.logging.fss.verifySchedule
Section titled “ghaf.logging.fss.verifySchedule”Systemd calendar expression for periodic verification.
Examples: “hourly”, “daily”, “weekly”, “*:0/30” (every 30 min). See systemd.time(7) for full syntax.
Type: string
Default:
"hourly"Declared by:
ghaf.logging.journalRetention.enable
Section titled “ghaf.logging.journalRetention.enable”Enable local journal retention configuration. This configures systemd-journald to retain logs locally for a specified period.
Type: boolean
Default:
trueDeclared by:
ghaf.logging.journalRetention.MaxFileSec
Section titled “ghaf.logging.journalRetention.MaxFileSec”The maximum time to store entries in a single journal file before rotating to the next one. This setting takes time values which may be suffixed with the units ‘year’, ‘month’, ‘week’, ‘day’, ‘h’ or ‘m’ to override the default time unit of seconds.
Type: string
Default:
"1day"Declared by:
ghaf.logging.journalRetention.maxDiskUsage
Section titled “ghaf.logging.journalRetention.maxDiskUsage”Maximum disk space that journal logs can occupy. Accepts sizes like “500M”, “1G”, etc.
Type: string
Default:
"500M"Declared by:
ghaf.logging.journalRetention.maxRetention
Section titled “ghaf.logging.journalRetention.maxRetention”Period of time to retain journal logs locally. After this period, old logs will be deleted automatically. This setting takes time values which may be suffixed with the units ‘year’, ‘month’, ‘week’, ‘day’, ‘h’ or ‘m’ to override the default time unit of seconds.
Type: string
Default:
"30day"Declared by:
ghaf.logging.listener.address
Section titled “ghaf.logging.listener.address”Listener address to which log producers push logs and on which the admin-vm alloy.service listens for incoming logs.
Type: string
Default:
""Declared by:
ghaf.logging.listener.port
Section titled “ghaf.logging.listener.port”Listener port of the logproto endpoint used to receive logs from the log producers. The same port is opened in the admin-vm firewall.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
9999Declared by:
ghaf.logging.recovery.enable
Section titled “ghaf.logging.recovery.enable”Whether to enable journald/alloy recovery after realtime clock jumps.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.logging.recovery.cooldownSeconds
Section titled “ghaf.logging.recovery.cooldownSeconds”Minimum time between recover executions.
Type: signed integer
Default:
60Declared by:
ghaf.logging.recovery.intervalSeconds
Section titled “ghaf.logging.recovery.intervalSeconds”Polling interval used by the clock-jump watcher.
Type: signed integer
Default:
5Declared by:
ghaf.logging.recovery.thresholdSeconds
Section titled “ghaf.logging.recovery.thresholdSeconds”Only act on clock jumps >= this many seconds.
Type: signed integer
Default:
30Declared by:
ghaf.logging.server.enable
Section titled “ghaf.logging.server.enable”Whether to enable Logs aggregator server.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.logging.server.endpoint
Section titled “ghaf.logging.server.endpoint”Endpoint URL assigned to the alloy.service running in the admin-vm. The URL includes the protocol, upstream address and port.
Type: null or string
Default:
nullDeclared by:
ghaf.logging.server.identifierFilePath
Section titled “ghaf.logging.server.identifierFilePath”Path of the identifier file. The identifier file is a text file containing a unique per-machine identification value, so that the origin of logs uploaded to the cloud can be identified.
Type: null or absolute path
Default:
"/etc/common/device-id"Example:
"/etc/common/device-id"Declared by:
ghaf.logging.server.tls.caFile
Section titled “ghaf.logging.server.tls.caFile”Optional CA bundle for server verification (e.g., /etc/givc/ca-cert.pem). If null, use system CAs.
Type: null or absolute path
Default:
"/etc/givc/ca-cert.pem"Declared by:
ghaf.logging.server.tls.certFile
Section titled “ghaf.logging.server.tls.certFile”Client certificate (PEM) used for mTLS.
Type: null or absolute path
Default:
"/etc/givc/cert.pem"Declared by:
ghaf.logging.server.tls.keyFile
Section titled “ghaf.logging.server.tls.keyFile”Client private key (PEM) used for mTLS.
Type: null or absolute path
Default:
"/etc/givc/key.pem"Declared by:
ghaf.logging.server.tls.minVersion
Section titled “ghaf.logging.server.tls.minVersion”Minimum TLS version for the outbound connection.
Type: null or one of “TLS12”, “TLS13”
Default:
"TLS12"Declared by:
ghaf.logging.server.tls.remoteCAFile
Section titled “ghaf.logging.server.tls.remoteCAFile”Optional CA bundle used ONLY for server→REMOTE (Grafana Loki) TLS verification.
Type: null or absolute path
Default:
nullDeclared by:
ghaf.logging.server.tls.serverName
Section titled “ghaf.logging.server.tls.serverName”Expected TLS server_name (SNI), e.g., loki.example.com (optional).
Type: null or string
Default:
nullDeclared by:
ghaf.logging.server.tls.terminator.backendPort
Section titled “ghaf.logging.server.tls.terminator.backendPort”HTTP backend port for Alloy when TLS terminator is enabled.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
3101Declared by:
ghaf.logging.server.tls.terminator.verifyClients
Section titled “ghaf.logging.server.tls.terminator.verifyClients”Require client certificates (mTLS).
Type: boolean
Default:
trueDeclared by:
ghaf.microvm-boot.enable
Section titled “ghaf.microvm-boot.enable”Whether to enable ghaf-specific microvm boot order.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.microvm-boot.debug
Section titled “ghaf.microvm-boot.debug”Whether to enable resource tracing of the ghaf-specific microvm boot order.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.microvm-boot.uiEnabled
Section titled “ghaf.microvm-boot.uiEnabled”Enable microvm boot order for GUI targets
Type: boolean
Default:
trueDeclared by:
ghaf.networking.hosts
Section titled “ghaf.networking.hosts”List of hosts entries.
Type: attribute set of (submodule)
Default:
{ }Declared by:
ghaf.networking.hosts.<name>.cid
Section titled “ghaf.networking.hosts.<name>.cid”Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default:
nullDeclared by:
ghaf.networking.hosts.<name>.interfaceName
Section titled “ghaf.networking.hosts.<name>.interfaceName”Name of the network interface.
Type: null or string
Default:
nullDeclared by:
ghaf.networking.hosts.<name>.ipv4
Section titled “ghaf.networking.hosts.<name>.ipv4”IPv4 address as string.
Type: null or string
Default:
nullDeclared by:
ghaf.networking.hosts.<name>.ipv4SubnetPrefixLength
Section titled “ghaf.networking.hosts.<name>.ipv4SubnetPrefixLength”The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0)
Type: null or signed integer
Default:
nullExample:
24Declared by:
ghaf.networking.hosts.<name>.ipv6
Section titled “ghaf.networking.hosts.<name>.ipv6”IPv6 address as string.
Type: null or string
Default:
nullDeclared by:
ghaf.networking.hosts.<name>.mac
Section titled “ghaf.networking.hosts.<name>.mac”MAC address as string.
Type: null or string
Default:
nullDeclared by:
ghaf.networking.hosts.<name>.name
Section titled “ghaf.networking.hosts.<name>.name”Host name as string.
Type: null or string
Default:
nullDeclared by:
ghaf.partitioning.btrfs-postboot.enable
Section titled “ghaf.partitioning.btrfs-postboot.enable”Whether to enable btrfs post-boot partition extension.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.partitioning.disko.enable
Section titled “ghaf.partitioning.disko.enable”Whether to enable the disko partitioning scheme.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.partitioning.disko.imageBuilder.compression
Section titled “ghaf.partitioning.disko.imageBuilder.compression”Compression algorithm used for the install image
Type: one of “none”, “zstd”
Default:
"zstd"Declared by:
ghaf.profiles.debug.enable
Section titled “ghaf.profiles.debug.enable”Whether to enable debug profile.
Type: boolean
Default:
trueExample:
trueDeclared by:
ghaf.profiles.graphics.enable
Section titled “ghaf.profiles.graphics.enable”Whether to enable Graphics profile.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.profiles.graphics.autoLogin.enable
Section titled “ghaf.profiles.graphics.autoLogin.enable”Whether to enable automatic login.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.profiles.graphics.autoLogin.user
Section titled “ghaf.profiles.graphics.autoLogin.user”Username to automatically log in as when auto-login is enabled.
This should correspond to a valid user defined in the system configuration.
Type: null or string
Default:
nullExample:
"ghaf"Declared by:
ghaf.profiles.graphics.bluetooth.enable
Section titled “ghaf.profiles.graphics.bluetooth.enable”Whether to enable support for Bluetooth on the system where graphics profile is applied.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.profiles.graphics.bluetooth.applet.enable
Section titled “ghaf.profiles.graphics.bluetooth.applet.enable”Enable the Blueman tray applet
Type: boolean
Default:
trueDeclared by:
ghaf.profiles.graphics.bluetooth.applet.useDbusProxy
Section titled “ghaf.profiles.graphics.bluetooth.applet.useDbusProxy”If true, run the applet via a D-Bus proxy to audio-vm.
Type: boolean
Default:
trueDeclared by:
ghaf.profiles.graphics.idleManagement.enable
Section titled “ghaf.profiles.graphics.idleManagement.enable”Whether to enable idle management.
When enabled, the system will automatically manage screen blanking and suspension based on user inactivity.
Disabling this option is the same as setting all idle timeouts to ‘0’.
If ‘config.ghaf.services.power-manager.suspend.enable’ is false, suspension will not occur regardless of this setting.
Type: boolean
Default:
trueDeclared by:
ghaf.profiles.graphics.networkManager.enable
Section titled “ghaf.profiles.graphics.networkManager.enable”Whether to enable NetworkManager on the system where graphics profile is applied.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.profiles.graphics.networkManager.applet.enable
Section titled “ghaf.profiles.graphics.networkManager.applet.enable”Enable the NetworkManager tray applet (nm-applet)
Type: boolean
Default:
trueDeclared by:
ghaf.profiles.graphics.networkManager.applet.useDbusProxy
Section titled “ghaf.profiles.graphics.networkManager.applet.useDbusProxy”If true, run the applet via a D-Bus proxy to net-vm.
Type: boolean
Default:
trueDeclared by:
ghaf.profiles.host-hardening.enable
Section titled “ghaf.profiles.host-hardening.enable”Whether to enable Host hardening profile.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.profiles.laptop-x86.enable
Section titled “ghaf.profiles.laptop-x86.enable”Whether to enable the basic x86 laptop config.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.profiles.laptop-x86.adminvmBase
Section titled “ghaf.profiles.laptop-x86.adminvmBase”Laptop-x86 Admin VM base configuration. Profiles can extend this with extendModules if customization is needed.
Type: unspecified value (read only)
Declared by:
ghaf.profiles.laptop-x86.audiovmBase
Section titled “ghaf.profiles.laptop-x86.audiovmBase”Laptop-x86 Audio VM base configuration. Profiles can extend this with extendModules if customization is needed.
Type: unspecified value (read only)
Declared by:
ghaf.profiles.laptop-x86.guivmBase
Section titled “ghaf.profiles.laptop-x86.guivmBase”Laptop-x86 GUI VM base configuration. Profiles should extend this with extendModules to add services.
Type: unspecified value (read only)
Declared by:
ghaf.profiles.laptop-x86.idsvmBase
Section titled “ghaf.profiles.laptop-x86.idsvmBase”Laptop-x86 IDS VM base configuration. Profiles can extend this with extendModules if customization is needed.
Type: unspecified value (read only)
Declared by:
ghaf.profiles.laptop-x86.mkAppVm
Section titled “ghaf.profiles.laptop-x86.mkAppVm”Function to create App VM configurations from a vmDef attribute set.
Type: unspecified value (read only)
Declared by:
ghaf.profiles.laptop-x86.netvmBase
Section titled “ghaf.profiles.laptop-x86.netvmBase”Laptop-x86 Net VM base configuration. Profiles can extend this with extendModules if customization is needed.
Type: unspecified value (read only)
Declared by:
ghaf.profiles.minimal.enable
Section titled “ghaf.profiles.minimal.enable”Whether to enable minimal profile.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.profiles.release.enable
Section titled “ghaf.profiles.release.enable”Whether to enable release profile.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.qemu.audiovm
Section titled “ghaf.qemu.audiovm”Extra qemu arguments for AudioVM
Type: attribute set
Default:
{ }Declared by:
ghaf.qemu.guivm
Section titled “ghaf.qemu.guivm”Extra qemu arguments for GuiVM
Type: attribute set
Default:
{ }Declared by:
ghaf.qemu.netvm
Section titled “ghaf.qemu.netvm”Extra qemu arguments for NetVM
Type: attribute set
Default:
{ }Declared by:
ghaf.reference.appvms.enable
Section titled “ghaf.reference.appvms.enable”Whether to enable the Ghaf reference appvms module.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.appvms.business.enable
Section titled “ghaf.reference.appvms.business.enable”Whether to enable Business App VM.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.appvms.chrome.enable
Section titled “ghaf.reference.appvms.chrome.enable”Whether to enable Google Chrome Browser App VM.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.appvms.chromium.enable
Section titled “ghaf.reference.appvms.chromium.enable”Whether to enable Chromium Browser App VM.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.appvms.comms.enable
Section titled “ghaf.reference.appvms.comms.enable”Whether to enable Communications App VM.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.appvms.flatpak.enable
Section titled “ghaf.reference.appvms.flatpak.enable”Whether to enable Flatpak App Store VM.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.appvms.gala.enable
Section titled “ghaf.reference.appvms.gala.enable”Whether to enable GALA Android-in-the-Cloud App VM.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.appvms.zathura.enable
Section titled “ghaf.reference.appvms.zathura.enable”Whether to enable Zathura PDF Viewer App VM.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.desktop.applications.enable
Section titled “ghaf.reference.desktop.applications.enable”Whether to enable desktop applications.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.desktop.ghaf-intro.enable
Section titled “ghaf.reference.desktop.ghaf-intro.enable”Whether to enable Ghaf introduction guide.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.passthrough.usb.fingerprintReaders
Section titled “ghaf.reference.passthrough.usb.fingerprintReaders”List of fingerprint readers.
Type: list of attribute set of string
Default:
[ ]Declared by:
ghaf.reference.passthrough.usb.internalWebcams
Section titled “ghaf.reference.passthrough.usb.internalWebcams”List of internal USB webcams.
Type: list of attribute set of string
Default:
[ ]Declared by:
ghaf.reference.personalize.keys.enable
Section titled “ghaf.reference.personalize.keys.enable”Whether to enable personalization of keys for the dev team.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.personalize.keys.authorizedSshKeys
Section titled “ghaf.reference.personalize.keys.authorizedSshKeys”List of authorized ssh keys for the development team.
Type: list of string
Default:
Declared by:
ghaf.reference.profiles.mvp-user-trial.enable
Section titled “ghaf.reference.profiles.mvp-user-trial.enable”Whether to enable the mvp configuration for apps and services.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.profiles.mvp-user-trial-extras.enable
Section titled “ghaf.reference.profiles.mvp-user-trial-extras.enable”Whether to enable the mvp configuration for apps and services.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.programs.chromium.enable
Section titled “ghaf.reference.programs.chromium.enable”Whether to enable Chromium program settings.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.programs.chromium.openInNormalExtension
Section titled “ghaf.reference.programs.chromium.openInNormalExtension”Whether to enable browser extension to open links in the normal browser.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.programs.element-desktop.enable
Section titled “ghaf.reference.programs.element-desktop.enable”Whether to enable element-desktop program settings.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.programs.element-desktop.gpsSupport
Section titled “ghaf.reference.programs.element-desktop.gpsSupport”Whether to enable gps support for location sharing.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.programs.firefox.enable
Section titled “ghaf.reference.programs.firefox.enable”Configure Firefox to use the VA-API driver for video decoding.
Note that this requires disabling the RDD sandbox.
Type: boolean
Default:
falseDeclared by:
ghaf.reference.programs.google-chrome.enable
Section titled “ghaf.reference.programs.google-chrome.enable”Whether to enable Google Chrome program settings.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.programs.google-chrome.defaultPolicy
Section titled “ghaf.reference.programs.google-chrome.defaultPolicy”Google Chrome policy options. A list of available policies can be found in the Chrome Enterprise documentation: https://cloud.google.com/docs/chrome-enterprise/policies/. Make sure the selected policy is supported on Linux and on your browser version.
Type: attribute set
Default:
{ AlwaysOpenPdfExternally = true; DefaultBrowserSettingEnabled = true; ExtensionInstallForcelist = [ ]; MetricsReportingEnabled = false; PromptForDownloadLocation = true;}Example:
{ PromptForDownloadLocation=true;}Declared by:
ghaf.reference.programs.google-chrome.extensions
Section titled “ghaf.reference.programs.google-chrome.extensions”List of Chrome extensions to install.
Each entry can be:
- A string: the Chrome extension ID (fetched from the Web Store at runtime)
- A package: a Nix derivation that provides a pre-fetched CRX file (for example, one defined in pkgs.chrome-extensions).
When provided as a package, it must have the following passthru attributes:
- id: the Chrome extension ID.
Type: list of (string or package)
Default:
[ ]Example:
[
  "edacconmaakjimmfgnblocblbcdcpbko" # fetched at runtime from Chrome Web Store
  pkgs.chrome-extensions.session-buddy # pre-packaged, fetched at runtime from local server
]Declared by:
ghaf.reference.programs.google-chrome.extraOpts
Section titled “ghaf.reference.programs.google-chrome.extraOpts”Extra Google Chrome policy options. A list of available policies can be found in the Chrome Enterprise documentation: https://cloud.google.com/docs/chrome-enterprise/policies/. Make sure the selected policy is supported on Linux and on your browser version.
Type: attribute set
Default:
{ }Example:
{ "BrowserSignin" = 0; "SyncDisabled" = true; "PasswordManagerEnabled" = false; "SpellcheckEnabled" = true; "SpellcheckLanguage" = [ "de" "en-US" ];}Declared by:
ghaf.reference.programs.google-chrome.localExtensionServer.enable
Section titled “ghaf.reference.programs.google-chrome.localExtensionServer.enable”Enable local extension update HTTP server
Type: boolean
Default:
lib.any (ext: ext.source == "local") config.ghaf.reference.programs.google-chrome.extensionsDeclared by:
ghaf.reference.programs.google-chrome.localExtensionServer.port
Section titled “ghaf.reference.programs.google-chrome.localExtensionServer.port”Port for the local Chrome extension update server.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
8080Declared by:
ghaf.reference.programs.google-chrome.openInNormalExtension
Section titled “ghaf.reference.programs.google-chrome.openInNormalExtension”Whether to enable browser extension to open links in the normal browser.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.programs.google-chrome.policyOwner
Section titled “ghaf.reference.programs.google-chrome.policyOwner”Policy files owner
Type: string
Default:
"root"Declared by:
ghaf.reference.programs.google-chrome.policyOwnerGroup
Section titled “ghaf.reference.programs.google-chrome.policyOwnerGroup”Policy files group
Type: string
Default:
"root"Declared by:
ghaf.reference.programs.windows-launcher.enable
Section titled “ghaf.reference.programs.windows-launcher.enable”Whether to enable Windows launcher.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.programs.windows-launcher.spice
Section titled “ghaf.reference.programs.windows-launcher.spice”Whether to enable remote access to the virtual machine using spice.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.programs.windows-launcher.spice-host
Section titled “ghaf.reference.programs.windows-launcher.spice-host”Spice host
Type: string
Default:
"192.168.100.2"Declared by:
ghaf.reference.programs.windows-launcher.spice-port
Section titled “ghaf.reference.programs.windows-launcher.spice-port”Spice port
Type: signed integer
Default:
5900Declared by:
ghaf.reference.programs.zathura.enable
Section titled “ghaf.reference.programs.zathura.enable”Whether to enable Zathura program settings.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.enable
Section titled “ghaf.reference.services.enable”Whether to enable Ghaf reference services.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.alpaca-ollama
Section titled “ghaf.reference.services.alpaca-ollama”Whether to enable Alpaca/ollama service.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.chromecast.enable
Section titled “ghaf.reference.services.chromecast.enable”Whether to enable the Chromecast service.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.chromecast.externalNic
Section titled “ghaf.reference.services.chromecast.externalNic”External network interface
Type: string
Default:
""Declared by:
ghaf.reference.services.chromecast.internalNic
Section titled “ghaf.reference.services.chromecast.internalNic”Internal network interface
Type: string
Default:
""Declared by:
ghaf.reference.services.chromecast.tcpPorts
Section titled “ghaf.reference.services.chromecast.tcpPorts”Chromecast tcp ports
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive) (read only)
Default:
[ 8008 8009]Declared by:
ghaf.reference.services.chromecast.udpPorts
Section titled “ghaf.reference.services.chromecast.udpPorts”Chromecast udp ports
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive) (read only)
Default:
[ 1900 5353]Declared by:
ghaf.reference.services.chromecast.vmName
Section titled “ghaf.reference.services.chromecast.vmName”The name of the Chromium/Chrome VM to set up Chromecast for.
Type: string
Default:
"chrome-vm"Example:
"chrome-vm"Declared by:
ghaf.reference.services.dendrite
Section titled “ghaf.reference.services.dendrite”Whether to enable dendrite-pinecone service.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.dendrite-pinecone.enable
Section titled “ghaf.reference.services.dendrite-pinecone.enable”Whether to enable the dendrite-pinecone module.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.dendrite-pinecone.McastUdpIp
Section titled “ghaf.reference.services.dendrite-pinecone.McastUdpIp”Multicast UDP IP for dendrite pinecone
Type: string
Default:
"239.0.0.114"Declared by:
ghaf.reference.services.dendrite-pinecone.McastUdpPort
Section titled “ghaf.reference.services.dendrite-pinecone.McastUdpPort”Multicast UDP port for dendrite pinecone
Type: string
Default:
"60606"Declared by:
ghaf.reference.services.dendrite-pinecone.McastUdpPortInt
Section titled “ghaf.reference.services.dendrite-pinecone.McastUdpPortInt”Multicast UDP port for dendrite pinecone
Type: signed integer
Default:
60606Declared by:
ghaf.reference.services.dendrite-pinecone.TcpPort
Section titled “ghaf.reference.services.dendrite-pinecone.TcpPort”TCP port for dendrite pinecone
Type: string
Default:
"49000"Declared by:
ghaf.reference.services.dendrite-pinecone.TcpPortInt
Section titled “ghaf.reference.services.dendrite-pinecone.TcpPortInt”TCP port for dendrite pinecone
Type: signed integer
Default:
49000Declared by:
ghaf.reference.services.dendrite-pinecone.externalNic
Section titled “ghaf.reference.services.dendrite-pinecone.externalNic”External network interface
Type: string
Default:
""Declared by:
ghaf.reference.services.dendrite-pinecone.internalNic
Section titled “ghaf.reference.services.dendrite-pinecone.internalNic”Internal network interface
Type: string
Default:
""Declared by:
ghaf.reference.services.dendrite-pinecone.serverIpAddr
Section titled “ghaf.reference.services.dendrite-pinecone.serverIpAddr”Dendrite server IP address
Type: string
Default:
""Declared by:
ghaf.reference.services.google-chromecast
Section titled “ghaf.reference.services.google-chromecast”Google Chromecast service configuration
Type: submodule
Default:
{ enable = false; vmName = "chrome-vm";}Declared by:
ghaf.reference.services.google-chromecast.enable
Section titled “ghaf.reference.services.google-chromecast.enable”Whether to enable Chromecast service.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.google-chromecast.vmName
Section titled “ghaf.reference.services.google-chromecast.vmName”The name of the Chromium/Chrome VM to set up Chromecast for.
Type: string
Default:
"chrome-vm"Example:
"chrome-vm"Declared by:
ghaf.reference.services.ollama.enable
Section titled “ghaf.reference.services.ollama.enable”Whether to enable the ollama service.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.proxy-business
Section titled “ghaf.reference.services.proxy-business”Whether to enable the proxy server service.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.proxy-server.enable
Section titled “ghaf.reference.services.proxy-server.enable”Whether to enable the proxy server module.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.proxy-server.bindPort
Section titled “ghaf.reference.services.proxy-server.bindPort”Bind port for proxy server
Type: signed integer
Default:
3128Declared by:
ghaf.reference.services.proxy-server.internalAddress
Section titled “ghaf.reference.services.proxy-server.internalAddress”Internal address for proxy server
Type: string
Default:
"192.168.100.1"Declared by:
ghaf.reference.services.wireguard-gui
Section titled “ghaf.reference.services.wireguard-gui”Whether to enable Wireguard GUI service.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.wireguard-gui-config.enable
Section titled “ghaf.reference.services.wireguard-gui-config.enable”Whether to enable wireguard gui config.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.wireguard-gui-vmconfig.enabledVmNames
Section titled “ghaf.reference.services.wireguard-gui-vmconfig.enabledVmNames”List of VM names where Wireguard GUI should be enabled.
Type: list of string
Default:
[ ]Example:
[ "business-vm" "chrome-vm"]Declared by:
ghaf.reference.services.wireguard-gui-vmconfig.netVmExternalNic
Section titled “ghaf.reference.services.wireguard-gui-vmconfig.netVmExternalNic”External network interface
Type: string
Default:
""Declared by:
ghaf.reference.services.wireguard-gui-vmconfig.serverPortsByVm
Section titled “ghaf.reference.services.wireguard-gui-vmconfig.serverPortsByVm”List of server ports per VM for Wireguard GUI. Each element has:
- vmName (string)
- serverPorts (list of integers)
Type: list of (submodule)
Default:
[ ]Example:
[ { serverPorts = [ 51820 51821 ]; vmName = "business-vm"; } { serverPorts = [ 51822 ]; vmName = "chrome-vm"; }]Declared by:
ghaf.reference.services.wireguard-gui-vmconfig.serverPortsByVm.*.serverPorts
Section titled “ghaf.reference.services.wireguard-gui-vmconfig.serverPortsByVm.*.serverPorts”WireGuard server ports for this VM.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
[ ]Declared by:
ghaf.reference.services.wireguard-gui-vmconfig.serverPortsByVm.*.vmName
Section titled “ghaf.reference.services.wireguard-gui-vmconfig.serverPortsByVm.*.vmName”VM name providing WireGuard server ports.
Type: string
Declared by:
ghaf.security.apparmor.enable
Section titled “ghaf.security.apparmor.enable”Enable Apparmor security.
Type: boolean
Default:
falseDeclared by:
ghaf.security.audit.enable
Section titled “ghaf.security.audit.enable”Whether to enable audit support.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.security.audit.enableOspp
Section titled “ghaf.security.audit.enableOspp”Whether to enable OSPP rules.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.security.audit.enableStig
Section titled “ghaf.security.audit.enableStig”Whether to enable STIG rules.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.security.audit.enableVerboseCommon
Section titled “ghaf.security.audit.enableVerboseCommon”Whether to enable verbose Common audit rules.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.security.audit.enableVerboseOspp
Section titled “ghaf.security.audit.enableVerboseOspp”Whether to enable verbose OSPP rules.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.security.audit.enableVerboseRebuild
Section titled “ghaf.security.audit.enableVerboseRebuild”Whether to enable verbose nixos-rebuild rule.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.security.audit.commonRules
Section titled “ghaf.security.audit.commonRules”Common audit rules for host and guests
Type: list of string
Default:
[
  "-a always,exit -F arch=b64 -S execve -F exe=/nix/store/mrpa2jjnp2vb3dymfrj4flsxxxrhjjf8-nix-2.31.3/bin/nix-daemon -k nix-daemon-exec"
  "-a always,exit -F arch=b64 -S execve -S execveat -F exe=/nix/store/mrpa2jjnp2vb3dymfrj4flsxxxrhjjf8-nix-2.31.3/bin/nix -F auid>=1000 -F auid!=unset -k nix-tools"
  "-w /nix/store/mrpa2jjnp2vb3dymfrj4flsxxxrhjjf8-nix-2.31.3/bin/nix -p x -k nix-exec"
  "-w /nix/store/mrpa2jjnp2vb3dymfrj4flsxxxrhjjf8-nix-2.31.3/bin/nix-store -p x -k nix-store"
  "-w /nix/store/mrpa2jjnp2vb3dymfrj4flsxxxrhjjf8-nix-2.31.3/bin/nix-shell -p x -k nix-exec"
  "-w /nix/store/mrpa2jjnp2vb3dymfrj4flsxxxrhjjf8-nix-2.31.3/bin/nix-collect-garbage -p x -k nix-gc"
  "-w /nix/store/mrpa2jjnp2vb3dymfrj4flsxxxrhjjf8-nix-2.31.3/bin/nix-build -p x -k nix-build"
  "-w /nix/store/cpv5yh0jmjhykchkcxhqsf466qyjzrdn-nixos-rebuild-ng-26.05/bin/nixos-rebuild -p x -k nix-syschange"
  "-w /etc/nix -p wa -k nix_conf"
  "-w /etc/nixos -p wa -k nixos_conf"
  "-w /etc/systemd/system/nix-daemon.service.d -p wa -k nix_daemon_unit"
  "-w /etc/systemd/system/nix-daemon.service -p wa -k nix_daemon_unit"
  "-w /etc/systemd/system/nix-daemon.socket -p war -k nix_daemon_unit"
  "-w /etc/systemd/system/sockets.target.wants/nix-daemon.socket -p wa -k nix_daemon_unit"
  "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv"
  "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv "
  "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount"
  "-a always,exit -F path=/run/current-system/sw/bin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod"
  "-a always,exit -S all -F path=/run/current-system/sw/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage"
  "-a always,exit -S all -F path=/run/current-system/sw/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_mod"
  "-w /etc/sudoers -p wa -k identity"
  "-w /etc/passwd -p wa -k identity"
  "-w /etc/shadow -p wa -k identity"
  "-w /etc/group -p wa -k identity"
  "-w /var/log/lastlog -p wa -k logins"
  "-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod"
  "-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod"
  "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
  "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
  "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k module_chng"
  "-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete"
  "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
  "--loginuid-immutable"
  "-a always,exit -F arch=b64 -F path=/etc/machine-id -F perm=wa -F key=identity"
  "-w /etc/ssh -p rwxa -k ssh_config_access"
  "-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k privileged-execve"
  "-a always,exit -F arch=b64 -S ptrace -F key=tracing"
  "-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection"
  "-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection"
  "-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection"
  "-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load"
  "-a always,exit -F arch=b64 -S delete_module -F key=module-unload"
  "-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid!=unset -F key=unsuccessful-create"
  "-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid!=unset -F key=unsuccessful-create"
  "-a always,exit -F arch=b64 -S openat,openat2,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid!=unset -F key=unsuccessful-create"
  "-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid!=unset -F key=unsuccessful-create"
  "-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid!=unset -F key=unsuccessful-create"
  "-a always,exit -F arch=b64 -S openat,openat2,open_by_handle_at -F a2&0100 -F success=1 -F auid!=unset -F key=successful-create"
  "-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid!=unset -F key=successful-create"
  "-a always,exit -F arch=b64 -S creat -F success=1 -F auid!=unset -F key=successful-create"
  "-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid!=unset -F key=unsuccessful-modification"
  "-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid!=unset -F key=unsuccessful-modification"
  "-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid!=unset -F key=unsuccessful-modification"
  "-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid!=unset -F key=unsuccessful-modification"
  "-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid!=unset -F key=unsuccessful-modification"
  "-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid!=unset -F key=unsuccessful-modification"
  "-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid!=unset -F key=successful-modification"
  "-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid!=unset -F key=successful-modification"
  "-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid!=unset -F key=successful-modification"
  "-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access"
  "-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access"
  "-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid!=unset -F key=unsuccessful-delete"
  "-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid!=unset -F key=unsuccessful-delete"
  "-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid!=unset -F key=successful-delete"
  "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change"
  "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change"
  "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change"
  "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change"
  "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change"
  "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change"
  "-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify"
  "-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify"
  "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify"
  "-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify"
  "-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify"
  "-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify"
  "-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify"
  "-a always,exit -F arch=b64 -F path=/nix/store/6nc79i9af3y2zqa7wfjyi51sx1g9727b-systemd-259/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation"
  "-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail"
  "-a always,exit -F arch=b64 -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session"
]Declared by:
ghaf.security.audit.debug
Enable audit debug mode.
Type: boolean
Default: true
Declared by:
ghaf.security.audit.extraRules
List of additional audit rules.
Type: list of string
Default: [ ]
Declared by:
ghaf.security.audit.guest.enable
Enable guest audit rules.
Type: boolean
Default: config.ghaf.type != "host"
Declared by:
ghaf.security.audit.guest.rules
Basic guest audit rules.
Type: list of string
Default: [ ]
Declared by:
ghaf.security.audit.host.enable
Enable host audit rules.
Type: boolean
Default: config.ghaf.type == "host"
Declared by:
ghaf.security.audit.host.rules
Basic host audit rules.
Type: list of string
Default:
[
  "-w /nix/var/nix/profiles -p wa -k nix_profiles"
  "-w /nix/var/nix/db -p wa -k nix_db"
  "-w /nix/var/nix/gc.lock -p wa -k nix_gc_lock"
  "-w /run/current-system -p wa -k nix_system"
  "-w /nix/var/nix/profiles/system -p wa -k nix_system"
]
Declared by:
ghaf.security.fail2ban.enable
Whether to enable fail2ban.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.security.fail2ban.sshd-jail-fwmark
Configuration for the sshd fail2ban jail using firewall marks.
Type: submodule
Default: { }
Declared by:
ghaf.security.fail2ban.sshd-jail-fwmark.enable
Whether to enable the custom sshd jail.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.security.fail2ban.sshd-jail-fwmark.blacklistName
Blacklist name for fail2ban.
Type: string matching the pattern ^[a-zA-Z]31$
Default: "sshBlacklist"
Declared by:
ghaf.security.fail2ban.sshd-jail-fwmark.fwMarkNum
Firewall mark number to apply to banned IPs when using iptables-ipset-mark.
Type: string
Default: "70"
Declared by:
ghaf.security.pwquality.enable
Whether to enable password quality checks.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.security.pwquality.minDigit
Minimum number of digits required in a password.
Type: signed integer
Default: 1
Declared by:
ghaf.security.pwquality.minLength
Minimum password length.
Type: signed integer
Default: 8
Declared by:
ghaf.security.pwquality.minLowercase
Minimum number of lowercase letters required in a password.
Type: signed integer
Default: 1
Declared by:
ghaf.security.pwquality.minSpecialChar
Minimum number of special characters required in a password.
Type: signed integer
Default: 1
Declared by:
ghaf.security.pwquality.minUppercase
Minimum number of uppercase letters required in a password.
Type: signed integer
Default: 1
Declared by:
ghaf.security.pwquality.rememberOld
Number of old passwords to remember in order to avoid repetition.
Type: signed integer
Default: 2
Declared by:
ghaf.security.ssh-tarpit.enable
Whether to enable the SSH tarpit.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.security.ssh-tarpit.fwMarkNum
Firewall mark number to apply to banned IPs when using iptables-ipset-mark.
Type: string
Default: "70"
Declared by:
ghaf.security.ssh-tarpit.listenAddress
Interface address the ssh-tarpit daemon binds to for SSH connections.
Type: string
Default: "0.0.0.0"
Example: "[::]"
Declared by:
ghaf.services.audio.enable
Whether to enable Ghaf audio services.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.audio.client.pipewireControl.enable
Whether to enable PipeWire control forwarding to the gui-vm client.
This allows gui-vm to control audio settings via PipeWire. Requires givc to be enabled on both client and server.
To use it, set the PIPEWIRE_RUNTIME_DIR environment variable to /tmp.
PIPEWIRE_RUNTIME_DIR can be set for the entire session, but this is not recommended, as it may interfere with local PipeWire instances.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.audio.client.pipewireControl.socket
Path where the PipeWire socket is available for control operations.
Type: string (read only)
Default: "/tmp/pipewire-0"
Declared by:
ghaf.services.audio.client.remotePulseServerAddress
Address of the remote PulseAudio server to connect to.
This should point to the main Ghaf audio server.
Type: string
Default: "tcp:audio-vm:4714"
Declared by:
ghaf.services.audio.role
The role of this VM in the Ghaf audio topology.
- “server” controls audio hardware and runs the main audio server
- “client” connects to the audio server to play/record (and optionally control) audio
Type: one of “server”, “client”
Default: "client"
Declared by:
ghaf.services.audio.server.debug
Whether to enable debug logs for PipeWire and WirePlumber.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.audio.server.pipewireForwarding.enable
Whether to enable PipeWire socket forwarding to the gui-vm client.
This allows gui-vm to control audio settings via PipeWire. Requires givc to be enabled on both client and server.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.audio.server.pipewireForwarding.port
TCP port used for PipeWire socket forwarding to the gui-vm client. This port is used by the PipeWire control socket on the server.
Type: string (read only)
Default: "9013"
Declared by:
ghaf.services.audio.server.pipewireForwarding.socket
Path to the PipeWire socket used for forwarding audio control from the server to the client.
Type: string (read only)
Default: "/tmp/pipewire-export.sock"
Declared by:
ghaf.services.audio.server.pulseaudioTcpControlPort
TCP port used by PipeWire-PulseAudio for control connections.
The Ghaf audio hub server should use this port to connect to the audio server for control operations.
Type: signed integer (read only)
Default: 4715
Declared by:
ghaf.services.audio.server.pulseaudioTcpPort
TCP port used by PipeWire-PulseAudio on the server.
The Ghaf audio hub server should use this port to connect to the audio server.
Type: signed integer (read only)
Default: 4714
Declared by:
ghaf.services.audio.server.restoreOnBoot
Whether to enable restoring PipeWire audio settings on boot from persistent storage.
Type: boolean
Default: true
Example: true
Declared by:
ghaf.services.bluetooth.enable
Whether to enable Bluetooth configurations.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.bluetooth.defaultName
Default Bluetooth adapter name.
If unset, BlueZ will attempt to fetch the hostname via the hostnamed D-Bus service. If hostnamed is disabled, BlueZ will fall back to “BlueZ [BlueZ version]”.
Type: string
Default: "Ghaf"
Declared by:
ghaf.services.bluetooth.user
Name of the Bluetooth user.
Type: string
Default: "bluetooth"
Declared by:
ghaf.services.brightness.enable
Whether to enable brightness control via VirtIO.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.brightness.socketPath
The path where the socket needs to be created.
Type: absolute path
Default: "/tmp/brightness.sock"
Declared by:
ghaf.services.create-fake-battery.enable
Whether to enable creating a fake battery device for VMs.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.disks.enable
Whether to enable the disk mount daemon.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.disks.fileManager
The program used to open mounted directories.
Type: string
Default: "xdg-open"
Declared by:
ghaf.services.firmware.enable
Whether to enable the placeholder for firmware handling.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.fprint.enable
Whether to enable fingerprint reader support.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.github.enable
Whether to enable GitHub configurations.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.github.clientId
GitHub OAuth client ID for bug reporting. The default is the public GitHub CLI OAuth app client ID.
Type: string
Default: "178c6fc778ccc68e1d6a"
Declared by:
ghaf.services.github.owner
GitHub owner account of the bug reporter issue.
Type: string
Declared by:
ghaf.services.github.repo
GitHub repository of the bug reporter issue.
Type: string
Declared by:
ghaf.services.github.token
Personal token of the bug reporter GitHub account.
Type: string
Declared by:
ghaf.services.hwinfo.enable
Whether to enable the hardware information generation service.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.hwinfo.format
Output format for hardware information.
Type: value “json” (singular enum)
Default: "json"
Declared by:
ghaf.services.hwinfo.outputDir
Directory where hardware information files will be stored.
Type: string
Default: "/var/lib/ghaf-hwinfo"
Declared by:
ghaf.services.hwinfo-guest.enable
Whether to enable hardware information reading tools for guest VMs.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.kill-switch.enable
Whether to enable Ghaf kill switch support.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.locale.enable
Whether to enable runtime management of user and system locale settings.
When enabled, locale values can be changed imperatively without rebuilding the system configuration.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.locale.overrideSystemLocale
Whether to enable overriding the system-wide locale defined by i18n.defaultLocale with runtime locale settings.
When enabled, values from /etc/locale.conf are exported into /etc/profile so that early services (e.g. greeter, login shells) inherit the updated locale before a user session starts.
Runtime locale variables are stored in /var/lib/locale/.locale-env and sourced by /etc/profile.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.locale.propagate
Whether to enable propagating runtime timezone changes from the system to the host using givc.
This keeps the host locale in sync with user-selected desktop locale settings.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.performance.enable
Whether to enable hardware-agnostic Ghaf performance and scheduler optimizations.
For more information, see tuned-main.conf(5), tuned-profiles(7), and the system76-scheduler documentation.
Type: boolean
Default: false
Example:
# In host
config.ghaf.services.performance = { enable = true; host.enable = true; };
# In GUI VM
config.ghaf.services.performance = { enable = true; gui.enable = true; };
Declared by:
ghaf.services.performance.gui.enable
Whether to enable Ghaf-specific scheduler and power optimizations for gui-vm.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.performance.gui.scheduler.enable
Whether to enable system76-scheduler on gui-vm for Ghaf-specific process scheduling.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.performance.gui.tuned.enable
Whether to enable the TuneD service on gui-vm for Ghaf-specific performance profiles.
Type: boolean
Default: true
Example: true
Declared by:
ghaf.services.performance.gui.tuned.defaultProfile
Default TuneD profile to use on gui-vm.
Type: string
Default: "gui-balanced"
Declared by:
ghaf.services.performance.host.enable
Whether to enable Ghaf-specific scheduler and power optimizations for the host.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.performance.host.scheduler.enable
Whether to enable system76-scheduler on the host for Ghaf-specific process scheduling.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.performance.host.thermalLimitMode
Controls how passive thermal limits are applied.
- enabled: use the platform’s built-in passive thermal limits (typically around 60-70 °C). Boosting and throttling behavior are determined entirely by firmware and ignore thermalLimitTemp.
- ac: disable the platform’s passive limits when running on AC power, but keep them active on battery. When passive limits are disabled, thermalLimitTemp defines the temperature at which throttling begins. Requires ghaf.services.performance.host.tuned to be enabled.
- disabled: disable the platform’s passive limits on both AC and battery. Boosting is allowed up to thermalLimitTemp, after which throttling is applied.
Supports Intel CPUs only.
Type: one of “enabled”, “ac”, “disabled”
Default: "ac"
Declared by:
ghaf.services.performance.host.thermalLimitTemp
CPU package temperature (°C) at which passive thermal throttling begins.
Valid values are 60-97 °C. Lower temperatures are at or below typical CPU idle temperatures, while higher values approach the CPU’s hardware thermal ceiling and might cause a system shutdown.
This setting is used only when ghaf.services.performance.host.thermalLimitMode != "enabled".
Raising this value allows the CPU to sustain higher boost clocks before throttling, at the cost of increased temperature, power draw, and fan noise.
Supports Intel CPUs only.
Type: signed integer
Default: 90
Declared by:
ghaf.services.performance.host.tuned.enable
Whether to enable the TuneD service on the host for Ghaf-specific performance profiles.
Type: boolean
Default: true
Example: true
Declared by:
ghaf.services.performance.host.tuned.defaultProfile
Default TuneD profile to use on the host.
Type: string
Default: "host-balanced"
Declared by:
ghaf.services.performance.net.enable
Whether to enable Ghaf-specific power optimizations for net-vm.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.performance.net.tuned.enable
Whether to enable the TuneD service on net-vm for Ghaf-specific performance profiles.
Type: boolean
Default: true
Example: true
Declared by:
ghaf.services.performance.net.tuned.defaultProfile
Default TuneD profile to use on net-vm.
Type: string
Default: "net-balanced"
Declared by:
ghaf.services.performance.vm.enable
Whether to enable generalized Ghaf-specific power and performance optimizations for VMs.
This enables the general virtual-guest TuneD profile statically: gui-vm power profile changes will not propagate to this VM and no custom scripts will be run.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.power-manager.enable
Whether to enable the Ghaf power management module. This module provides a set of power management profiles that can be used to manage the system’s suspend, resume, and poweroff actions across the system. It only has an effect on a guest or host configuration if one of the profiles is enabled.
Type: boolean
Default: false
Example:
# In host
config.ghaf.services.power-manager.enable = true;
# In GUI VM
config.ghaf.services.power-manager = { vm.enable = true; gui.enable = true; };
# In system VM A
config.ghaf.services.power-manager.vm.enable = true;
# In system VM B
config.ghaf.services.power-manager = { vm = { enable = true; pciSuspend = false; }; };
Declared by:
ghaf.services.power-manager.gui.enable
Whether to enable the GUI power management profile. This profile can be used for the desktop running either in gui-vm or on the host. If running in a VM and GIVC is enabled, it replaces the default systemd actions for suspend, poweroff, and reboot with givc commands.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.power-manager.host.enable
Whether to enable the host power management profile. This profile manages the host’s pre- and post-suspend actions to coordinate guest suspend actions and devices.
Additionally, if a system VM has ghaf.gracefulShutdown = true, enabling this host profile allows the host to override the VM’s default microvm ExecStop logic, starting the guest’s poweroff.target and waiting for the VM process to exit.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.power-manager.suspend.enable
Whether to enable system suspension.
If disabled, the system will not respond to suspend requests, and all VMs with a power management profile enabled are prohibited from performing any suspend action.
Type: boolean
Default: true
Declared by:
ghaf.services.power-manager.suspend.mode
The memory suspend mode to use.
To check which modes are supported, run cat /sys/power/mem_sleep.
More info: https://docs.kernel.org/admin-guide/pm/sleep-states.html
Type: null or one of “s2idle”, “shallow”, “deep”
Default: null
Declared by:
ghaf.services.power-manager.usbSuspend
Whether to enable USB device suspend and resume. When enabled, all USB devices are detached from VMs on suspend and re-attached on resume.
Type: boolean
Default: true
Declared by:
ghaf.services.power-manager.vm.enable
Whether to enable the VM power management profile. This profile can be used by guests to implement custom actions before and after suspend using the powerManagement options, suspend PCI devices, and/or power a VM off on suspend.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.power-manager.vm.fakeSuspend
Whether to enable fake suspend for guests. This allows running pre- and post-suspend commands, coordinated with the host, without actually suspending the guest internally (which does not work reliably at the moment). This is enabled by default if the VM power management profile and GIVC are enabled. In a gui-vm, this is unnecessary, as a blocking GIVC command is used to “suspend” the VM, which is equivalent to a fake suspend.
Type: boolean
Default: "useGivc && !cfg.vm.powerOffOnSuspend && !cfg.gui.enable"
Declared by:
ghaf.services.power-manager.vm.pciSuspend
Whether to enable automatic PCI device suspend for VMs. This affects all PCI devices that are passed through to the guest: it unbinds the PCI drivers in the guest and hotplugs the device in the host. This is a solution that allows many PCI devices to enter low power states during system suspend without suspending the guest itself.
This option is enabled by default if the VM power management profile is enabled. Unless running in a gui-vm, it requires fakeSuspend and GIVC to be enabled for the coordination of guest driver binding and host PCI hotplug actions.
Type: boolean
Default: config.ghaf.services.power-manager.vm.fakeSuspend
Declared by:
ghaf.services.power-manager.vm.pciSuspendServices
List of services to stop before suspend and (re)start during resume. This is useful to gracefully shut down services that access guest PCI devices. Other suspend/resume commands can be added through the powerManagement options, or wrapped into systemd services and added to this list.
Type: list of string
Default: [ ]
Declared by:
ghaf.services.power-manager.vm.powerOffOnSuspend
Whether to enable VM poweroff on suspend. This is useful for non-GIVC cases or other suspend-related issues. If enabled, the VM will be powered off on suspend and restarted by the host on resume, which results in longer suspend and resume times as the VM has to be fully stopped and restarted.
Type: boolean
Default: false
Declared by:
ghaf.services.sssd.enable
Whether to enable the SSSD service for Active Directory and LDAP user integration.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.sssd.debugLevel
SSSD debug level. Higher values are more verbose.
Type: null or signed integer
Default: null
Declared by:
ghaf.services.sssd.domains
Active Directory configurations for SSSD.
Type: attribute set
Default: { }
Declared by:
ghaf.services.sssd.entryCacheNowaitPercentage
The percentage of the cache timeout after which SSSD will return a cached entry immediately and then update it.
Type: signed integer
Default: 50
Declared by:
ghaf.services.sssd.extraConfig
Additional SSSD configuration options.
Type: null or strings concatenated with “\n”
Default: null
Declared by:
ghaf.services.sssd.nss.defaultShell
Default shell for user sessions.
Type: null or string
Default: "/run/current-system/sw/bin/bash"
Declared by:
ghaf.services.sssd.nss.extraConfig
Additional NSS configuration options.
Type: null or strings concatenated with “\n”
Default: null
Declared by:
ghaf.services.sssd.nss.homedirTemplate
Home directory template.
Type: null or string
Default: "/home/%u"
Declared by:
ghaf.services.sssd.nss.shellOverride
Shell override for user sessions.
Type: null or string
Default: null
Declared by:
ghaf.services.sssd.pam.displayManagerService
The PAM service name for your display manager (e.g., ‘gdm-password’, ‘greetd’, ‘sddm’).
Type: null or string
Default: "greetd"
Example: "greetd"
Declared by:
ghaf.services.sssd.pam.extraConfig
Additional PAM configuration options.
Type: null or strings concatenated with “\n”
Default: null
Declared by:
ghaf.services.sssd.pam.initGroupsScheme
PAM initgroups scheme. Set to ‘never’ to disable automatic group initialization.
Type: one of “always”, “no_session”, “never”
Default: "never"
Declared by:
ghaf.services.sssd.pam.offlineCredentialsExpiration
Number of days after which offline credentials expire.
Type: signed integer
Default: 7
Declared by:
ghaf.services.sssd.pam.offlineFailedLoginAttempts
Number of failed login attempts before the account is locked.
Type: signed integer
Default: 3
Declared by:
ghaf.services.sssd.pam.offlineFailedLoginDelay
Delay in seconds before allowing another login attempt.
Type: signed integer
Default: 5
Declared by:
ghaf.services.sssd.services
List of services SSSD should provide.
Type: list of string
Default: [ "nss" "pam" ]
Declared by:
ghaf.services.storeWatcher.enable
Whether to enable monitoring of /nix/store for nixos-rebuild copy sessions and flagging interruptions.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.storeWatcher.busyGraceCycles
How many busy-grace cycles to allow (total grace time is busyGraceCycles * busyGraceSeconds).
Type: unsigned integer, meaning >=0
Default: 5
Declared by:
ghaf.services.storeWatcher.busyGraceSeconds
Extra wait per grace cycle while checking for directory mtime progress.
Type: unsigned integer, meaning >=0
Default: 60
Declared by:
ghaf.services.storeWatcher.quietSeconds
Idle window after the last store event after which the session is considered quiet.
Type: unsigned integer, meaning >=0
Default: 60
Declared by:
ghaf.services.storeWatcher.sessionResetSeconds
If idle for this long since the last event, clear the session markers.
Type: unsigned integer, meaning >=0
Default: 1800
Declared by:
ghaf.services.timezone.enable
Whether to enable runtime management of timezone settings.
When enabled, the system timezone can be changed imperatively without rebuilding the system configuration.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.timezone.propagate
Whether to enable propagating runtime timezone changes from the system to the host using givc.
This keeps the host locale in sync with user-selected desktop locale settings.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.user-provisioning.enable
Whether to enable the Ghaf provisioning service.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.user-provisioning.enableAD
Enable Active Directory join for provisioning.
Type: boolean (read only)
Default: false
Declared by:
ghaf.services.user-provisioning.enableHomed
Enable systemd-homed user setup for provisioning.
Type: boolean (read only)
Default: false
Declared by:
ghaf.services.wifi.enable
Whether to enable Wi-Fi configuration for net-vm.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.xpadneo.enable
Whether to enable support for wireless Xbox controllers.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.yubikey.enable
Whether to enable YubiKey support, which provides 2FA.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.yubikey.u2fKeys
Contains the U2F keys / public keys retrieved from YubiKey hardware.
Type: string
Default: [ ]
Example: "ghaf:SZ2CwN7EAE4Ujfxhm+CediUaT9ngoaMOqsKRDrOC+wUkTriKlc1cVtsxkOSav2r9ztaNKn/OwoHiN3BmsBYdZA==,oIdGgoGmkVrVis1kdzpvX3kXrOmBe2noFrpHqh4VKlq/WxrFk+Du670BL7DzLas+GxIPNjgdDCHo9daVzthIwQ==,es256,+presence:9CEdjOg0YGpvNeisK5OW1hjjg0nRvJDBpr7X8Q4QPtxJP4iC5C6dShTxEpxmLAkqAi8x/jKCDwpt146AYAXfFg==,q8ddSEI2tIyRwB2MhRlrGZRv6ZDkEC2RYn/n33fdmK1KjBkcMy6ELUMQQDVGtsvsiQFbRS3v4qxjsgXF5BVD0A==,es256,+presence+pin"
Declared by:
ghaf.shm.enable
Whether to enable shared memory communication between virtual machines (VMs).
Type: boolean
Default: false
Example: true
Declared by:
ghaf.shm.enable_host
Whether to enable memsocket functionality on the host system.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.shm.clientSocketPath
Specifies the location of the output socket, which will be connected to in order to receive data from AppVMs. This socket must be created by another application, such as Waypipe, when operating in client mode.
Type: absolute path
Default: "/run/user/1000/memsocket-client.sock"
Declared by:
ghaf.shm.display
Whether to enable shared memory with Waypipe for Wayland-enabled applications on VMs.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.shm.flataddr
Maps the shared memory to a physical address if set to a non-zero value. The address is platform-specific and must be chosen to avoid conflicts with other memory areas, such as PCI regions.
Type: string
Default: "0x920000000"
Declared by:
ghaf.shm.hostSocketPath
Specifies the path to the shared memory socket, used by QEMU instances for inter-VM memory sharing and interrupt signaling.
Type: absolute path
Default: "/tmp/ivshmem_socket"
Declared by:
ghaf.shm.hugePageSz
Specifies the size of the huge page area. Supported kernel values are 2 MB and 1 GB.
Type: string
Default: "2M"
Declared by:
ghaf.shm.instancesCount
Number of memory slots allocated in the shared memory region.
Type: signed integer
Default: 0
Declared by:
ghaf.shm.memSize
Specifies the size of the shared memory region, measured in megabytes (MB).
Type: signed integer
Default: 16
Declared by:
ghaf.shm.serverSocketPath
Specifies the path of the listening socket, which is used by Waypipe or other server applications as the output socket in server mode for data transmission.
Type: absolute path
Default: "/run/user/1000/memsocket-server.sock"
Declared by:
ghaf.shm.vms_enabled
List of VMs having access to shared memory.
Type: list of string
Default: [ ]
Declared by:
ghaf.storage.encryption.enable
Section titled “ghaf.storage.encryption.enable”Whether to enable Encryption of the data partition.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.storage.encryption.backendType
Section titled “ghaf.storage.encryption.backendType”The type of device protecting the encryption passphrase
Type: one of “tpm2”, “fido2”
Default:
"tpm2"Declared by:
ghaf.storage.encryption.debugTools
Section titled “ghaf.storage.encryption.debugTools”Install encryption debug tools (cryptsetup, tpm2-tools, etc.)
Type: boolean
Default:
falseDeclared by:
ghaf.storage.encryption.deferred
Section titled “ghaf.storage.encryption.deferred”Whether to apply disk encryption on first boot instead of at image creation.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.storage.encryption.interactiveSetup
Section titled “ghaf.storage.encryption.interactiveSetup”Whether encryption setup requires user interaction (false = debug/automated)
Type: boolean
Default:
trueDeclared by:
ghaf.storage.encryption.partitionDevice
Section titled “ghaf.storage.encryption.partitionDevice”Device path for the partition to encrypt (set by the active partitioning module)
Type: string
Declared by:
ghaf.storagevm.enable
Section titled “ghaf.storagevm.enable”Whether to enable StorageVM support.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.storagevm.directories
Section titled “ghaf.storagevm.directories”Directories to bind mount to persistent storage.
Type: list of anything
Default:
[ ]Example:
[ "/var/lib/nixos" "/var/log" "/var/lib/bluetooth" "/var/lib/systemd/coredump"]Declared by:
ghaf.storagevm.encryption.enable
Section titled “ghaf.storagevm.encryption.enable”Whether to enable encryption of the VM storage area on the host filesystem.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.storagevm.encryption.initialDiskSize
Section titled “ghaf.storagevm.encryption.initialDiskSize”Size of the persistent disk image in megabytes.
This is the size of the storage device as seen by the guest (when running lsblk for example).
The image on the host filesystem is a sparse file and only occupies the space actually used by the VM.
Type: signed integer
Default:
10240Declared by:
ghaf.storagevm.encryption.keepDefaultPassword
Section titled “ghaf.storagevm.encryption.keepDefaultPassword”Whether to enable keeping the default password (empty string) that unlocks the VM storage partition.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.storagevm.encryption.pcrs
Section titled “ghaf.storagevm.encryption.pcrs”List of PCR registers to measure for the guestStorage partition.
For supported syntax see the --tpm2-pcrs flag description in systemd-cryptenroll(1).
Type: string
Default:
"15"Example:
"7+11+14"Declared by:
ghaf.storagevm.files
Section titled “ghaf.storagevm.files”Files to bind mount to persistent storage.
Type: list of anything
Default:
[ ]Example:
[ "/etc/machine-id"]Declared by:
ghaf.storagevm.maximumSize
Section titled “ghaf.storagevm.maximumSize”Maximum size of the storage area in megabytes.
This is the size of the storage device as seen by the guest (when running lsblk for example).
The image on the host filesystem is a sparse file and only occupies the space actually used by the VM.
Type: signed integer
Default:
10240Declared by:
ghaf.storagevm.mountOptions
Section titled “ghaf.storagevm.mountOptions”Specify a list of mount options that should be used. They define access permissions, performance behavior and security restrictions. Common options determine whether the filesystem is read-only or writable, if users can execute binaries,
Type: list of anything
Default:
[ "rw" "nodev" "nosuid" "noexec"]Declared by:
ghaf.storagevm.mountPath
Section titled “ghaf.storagevm.mountPath”Mount path for the storage virtual machine.
Type: string
Default:
"/guestStorage"Declared by:
ghaf.storagevm.name
Section titled “ghaf.storagevm.name”Name of the corresponding directory on the storage virtual machine.
Type: string
Default:
""Declared by:
ghaf.storagevm.preserveLogs
Section titled “ghaf.storagevm.preserveLogs”Whether to preserve journald and audit logs of the VM. If enabled, logs are kept
locally in persistent storage across reboots. This is useful for debugging purposes.
Type: boolean
Default:
"config.ghaf.logging.enable"Declared by:
ghaf.storagevm.users
Section titled “ghaf.storagevm.users”User-specific directories to bind mount to persistent storage.
Type: attribute set of (submodule)
Default:
{ }Example:
{ user = { directories = [ "Downloads" "Music" "Pictures" "Documents" "Videos" ]; };}Declared by:
ghaf.storagevm.users.<name>.directories
Section titled “ghaf.storagevm.users.<name>.directories”Directories to bind mount for this user.
Type: list of string
Default:
[ ]Declared by:
ghaf.systemd.enable
Section titled “ghaf.systemd.enable”Whether to enable the minimal systemd configuration.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.boot.enable
Section titled “ghaf.systemd.boot.enable”Enable systemd in stage 1 of the boot (initrd).
Type: unspecified value
Default:
trueDeclared by:
ghaf.systemd.logLevel
Section titled “ghaf.systemd.logLevel”Systemd log verbosity. Must be one of ‘debug’, ‘info’, ‘notice’, ‘warning’, ‘err’, ‘crit’, ‘alert’, ‘emerg’. Defaults to ‘info’.
Type: one of “debug”, “info”, “notice”, “warning”, “err”, “crit”, “alert”, “emerg”
Default:
"info"Declared by:
ghaf.systemd.withApparmor
Section titled “ghaf.systemd.withApparmor”Whether to enable systemd apparmor functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withAudio
Section titled “ghaf.systemd.withAudio”Whether to enable audio functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withAudit
Section titled “ghaf.systemd.withAudit”Whether to enable systemd audit functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withBluetooth
Section titled “ghaf.systemd.withBluetooth”Whether to enable bluetooth functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withBootloader
Section titled “ghaf.systemd.withBootloader”Enable systemd bootloader functionality.
Type: boolean
Default:
trueDeclared by:
ghaf.systemd.withCryptsetup
Section titled “ghaf.systemd.withCryptsetup”Whether to enable systemd LUKS2 functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withDebug
Section titled “ghaf.systemd.withDebug”Whether to enable systemd debug functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withEfi
Section titled “ghaf.systemd.withEfi”Enable systemd EFI functionality.
Type: boolean
Default:
trueDeclared by:
ghaf.systemd.withFido2
Section titled “ghaf.systemd.withFido2”Whether to enable systemd Fido2 token functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withHardenedConfigs
Section titled “ghaf.systemd.withHardenedConfigs”Whether to enable common hardened configs.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withHomed
Section titled “ghaf.systemd.withHomed”Whether to enable systemd homed for users home functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withHostnamed
Section titled “ghaf.systemd.withHostnamed”Whether to enable systemd hostname daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withHwdb
Section titled “ghaf.systemd.withHwdb”Enable systemd hwdb functionality.
Type: boolean
Default:
trueDeclared by:
ghaf.systemd.withJournal
Section titled “ghaf.systemd.withJournal”Enable systemd journal daemon.
Type: boolean
Default:
trueDeclared by:
ghaf.systemd.withLocaled
Section titled “ghaf.systemd.withLocaled”Enable systemd locale daemon.
Type: boolean
Default:
trueDeclared by:
ghaf.systemd.withLogind
Section titled “ghaf.systemd.withLogind”Enable systemd login daemon.
Type: boolean
Default:
trueDeclared by:
ghaf.systemd.withMachines
Section titled “ghaf.systemd.withMachines”Whether to enable systemd container and VM functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withName
Section titled “ghaf.systemd.withName”Set systemd name.
Type: string
Default:
"base-systemd"Declared by:
ghaf.systemd.withNetworkd
Section titled “ghaf.systemd.withNetworkd”Enable systemd networking daemon.
Type: boolean
Default:
trueDeclared by:
ghaf.systemd.withNss
Section titled “ghaf.systemd.withNss”Whether to enable systemd Name Service Switch (NSS) functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withOpenSSL
Section titled “ghaf.systemd.withOpenSSL”Enable systemd OpenSSL functionality.
Type: boolean
Default:
trueDeclared by:
ghaf.systemd.withPolkit
Section titled “ghaf.systemd.withPolkit”Whether to enable systemd polkit functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withRepart
Section titled “ghaf.systemd.withRepart”Whether to enable systemd repart functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withResolved
Section titled “ghaf.systemd.withResolved”Whether to enable systemd resolve daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withSerial
Section titled “ghaf.systemd.withSerial”Whether to enable systemd serial console.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withSysupdate
Section titled “ghaf.systemd.withSysupdate”Whether to enable systemd system update functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withTimesyncd
Section titled “ghaf.systemd.withTimesyncd”Whether to enable systemd timesync daemon.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withTpm2Tss
Section titled “ghaf.systemd.withTpm2Tss”Whether to enable systemd TPM functionality.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.systemd.withUkify
Section titled “ghaf.systemd.withUkify”Enable systemd UKI functionality.
Type: boolean
Default:
trueDeclared by:
ghaf.type
Section titled “ghaf.type”Type of the ghaf component. One of ‘host’, ‘admin-vm’, ‘system-vm’, or ‘app-vm’.
Type: one of “host”, “admin-vm”, “system-vm”, “app-vm”
Declared by:
ghaf.users.active-directory.domains
Section titled “ghaf.users.active-directory.domains”Active Directory domain configurations.
Type: attribute set of (submodule)
Default:
{ }Declared by:
ghaf.users.active-directory.domains.<name>.enableGlobalCatalog
Section titled “ghaf.users.active-directory.domains.<name>.enableGlobalCatalog”Whether to enable use of the Active Directory Global Catalog for this domain.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.active-directory.domains.<name>.accessProvider
Section titled “ghaf.users.active-directory.domains.<name>.accessProvider”Access control provider for the domain.
Type: one of “ldap”, “krb5”, “ipa”, “ad”, “simple”, “permit”
Default:
"ad"Declared by:
ghaf.users.active-directory.domains.<name>.ad.controllers
Section titled “ghaf.users.active-directory.domains.<name>.ad.controllers”List of Active Directory domain controllers.
Type: list of string
Default:
[ ]Declared by:
ghaf.users.active-directory.domains.<name>.ad.domain
Section titled “ghaf.users.active-directory.domains.<name>.ad.domain”The Active Directory domain name.
Type: null or string
Default:
nullExample:
"corp.example.com"Declared by:
ghaf.users.active-directory.domains.<name>.ad.dyndnsUpdate
Section titled “ghaf.users.active-directory.domains.<name>.ad.dyndnsUpdate”Whether to enable automatic DNS record updates in AD for this client.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.active-directory.domains.<name>.ad.extraConfig
Section titled “ghaf.users.active-directory.domains.<name>.ad.extraConfig”Additional Active Directory configuration options.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
ghaf.users.active-directory.domains.<name>.ad.gpoAccessControl
Section titled “ghaf.users.active-directory.domains.<name>.ad.gpoAccessControl”Use AD Group Policy Objects (GPOs) to control who can log in.
permissive: Users are allowed unless explicitly denied by a GPO.
enforcing: Users are denied unless explicitly allowed by a GPO.
Type: one of “permissive”, “enforcing”, “disabled”
Default:
"permissive"Declared by:
ghaf.users.active-directory.domains.<name>.authProvider
Section titled “ghaf.users.active-directory.domains.<name>.authProvider”Authentication provider for the domain.
Type: one of “ldap”, “krb5”, “ipa”, “ad”, “idp”, “proxy”, “none”
Default:
"krb5"Declared by:
ghaf.users.active-directory.domains.<name>.cacheCredentials
Section titled “ghaf.users.active-directory.domains.<name>.cacheCredentials”Cache user credentials for offline logins.
Type: boolean
Default:
trueDeclared by:
ghaf.users.active-directory.domains.<name>.chpassProvider
Section titled “ghaf.users.active-directory.domains.<name>.chpassProvider”Password change provider for the domain.
Type: one of “ldap”, “krb5”, “ipa”, “ad”
Default:
"ad"Declared by:
ghaf.users.active-directory.domains.<name>.description
Section titled “ghaf.users.active-directory.domains.<name>.description”A short description of the domain.
Type: string
Default:
"Default AD domain"Declared by:
ghaf.users.active-directory.domains.<name>.dnsProvider
Section titled “ghaf.users.active-directory.domains.<name>.dnsProvider”DNS provider for the domain.
Type: null or (submodule)
Default:
nullDeclared by:
ghaf.users.active-directory.domains.<name>.dnsProvider.ipAddress
Section titled “ghaf.users.active-directory.domains.<name>.dnsProvider.ipAddress”IP address of the DNS server for the domain.
Type: string
Default:
""Declared by:
ghaf.users.active-directory.domains.<name>.dnsProvider.name
Section titled “ghaf.users.active-directory.domains.<name>.dnsProvider.name”Name of the DNS provider for the domain.
Type: string
Default:
""Declared by:
ghaf.users.active-directory.domains.<name>.entryCacheTimeout
Section titled “ghaf.users.active-directory.domains.<name>.entryCacheTimeout”How many seconds nss_sss should consider entries valid before asking the backend again.
Type: signed integer
Default:
5400Declared by:
ghaf.users.active-directory.domains.<name>.extraConfig
Section titled “ghaf.users.active-directory.domains.<name>.extraConfig”Additional domain configuration options.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
ghaf.users.active-directory.domains.<name>.idProvider
Section titled “ghaf.users.active-directory.domains.<name>.idProvider”Identity provider for the domain.
Type: one of “ldap”, “ipa”, “ad”, “proxy”
Default:
"ad"Declared by:
ghaf.users.active-directory.domains.<name>.krb5.extraConfig
Section titled “ghaf.users.active-directory.domains.<name>.krb5.extraConfig”Additional Kerberos configuration options.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
ghaf.users.active-directory.domains.<name>.krb5.kpasswd
Section titled “ghaf.users.active-directory.domains.<name>.krb5.kpasswd”List of Kerberos kpasswd servers for password changes.
Type: list of string
Default:
[ ]Declared by:
ghaf.users.active-directory.domains.<name>.krb5.realm
Section titled “ghaf.users.active-directory.domains.<name>.krb5.realm”The Kerberos realm.
Type: null or string
Default:
nullDeclared by:
ghaf.users.active-directory.domains.<name>.krb5.server
Section titled “ghaf.users.active-directory.domains.<name>.krb5.server”List of Kerberos KDC servers.
Type: list of string
Default:
[ ]Declared by:
ghaf.users.active-directory.domains.<name>.ldap.enableSasl
Section titled “ghaf.users.active-directory.domains.<name>.ldap.enableSasl”Enable SASL (GSSAPI) authentication for LDAP. Defaults to true.
Type: boolean (read only)
Default:
trueDeclared by:
ghaf.users.active-directory.domains.<name>.ldap.baseDn
Section titled “ghaf.users.active-directory.domains.<name>.ldap.baseDn”The default search base for LDAP queries.
Type: null or string
Default:
nullDeclared by:
ghaf.users.active-directory.domains.<name>.ldap.extraConfig
Section titled “ghaf.users.active-directory.domains.<name>.ldap.extraConfig”Additional LDAP configuration options.
Type: null or strings concatenated with “\n”
Default:
nullDeclared by:
ghaf.users.active-directory.domains.<name>.ldap.idMapping
Section titled “ghaf.users.active-directory.domains.<name>.ldap.idMapping”Enable or disable the ID mapping feature. Useful for AD integration without POSIX attributes.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.active-directory.domains.<name>.ldap.schema
Section titled “ghaf.users.active-directory.domains.<name>.ldap.schema”LDAP schema to use.
Type: null or one of “rfc2307”, “rfc2307bis”, “ipa”, “ad”
Default:
nullExample:
"ad"Declared by:
ghaf.users.active-directory.domains.<name>.ldap.tlsCaCert
Section titled “ghaf.users.active-directory.domains.<name>.ldap.tlsCaCert”CA certificate for LDAP TLS as multi-line string. This will get added to the global certificate store at ‘/etc/ssl/certs/ca-certificates.crt’.
Type: null or strings concatenated with “\n”
Default:
nullExample:
'' -----BEGIN CERTIFICATE----- [ Your CA certificate here ] -----END CERTIFICATE-----''Declared by:
ghaf.users.active-directory.domains.<name>.ldap.tlsReqcert
Section titled “ghaf.users.active-directory.domains.<name>.ldap.tlsReqcert”TLS certificate checking policy.
Type: null or one of “allow”, “try”, “demand”, “hard”
Default:
"allow"Example:
"hard"Declared by:
ghaf.users.active-directory.domains.<name>.ldap.uri
Section titled “ghaf.users.active-directory.domains.<name>.ldap.uri”List of LDAP server URIs.
Type: list of string
Default:
[ ]Declared by:
ghaf.users.active-directory.domains.<name>.ldap.useStartTls
Section titled “ghaf.users.active-directory.domains.<name>.ldap.useStartTls”Whether to enable StartTLS for LDAP connections for ldap:// URIs.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.active-directory.domains.<name>.maxId
Section titled “ghaf.users.active-directory.domains.<name>.maxId”Maximum UID and GID for this domain. Defaults to no limit (0).
Type: signed integer
Default:
0Declared by:
ghaf.users.active-directory.domains.<name>.minId
Section titled “ghaf.users.active-directory.domains.<name>.minId”Minimum UID and GID for this domain. Defaults to 1.
Type: signed integer
Default:
1Declared by:
ghaf.users.active-directory.domains.<name>.useFullyQualifiedNames
Section titled “ghaf.users.active-directory.domains.<name>.useFullyQualifiedNames”Whether to enable fully qualified names (e.g., user@DOMAIN) for user accounts.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.adUsers.enable
Section titled “ghaf.users.adUsers.enable”Whether to enable Active Directory user configuration.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.admin.enable
Section titled “ghaf.users.admin.enable”Enable the admin user account. Enabled by default.
Type: boolean
Default:
trueDeclared by:
ghaf.users.admin.enableUILogin
Section titled “ghaf.users.admin.enableUILogin”Whether to enable admin user login via the graphical login manager.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.admin.createHome
Section titled “ghaf.users.admin.createHome”Whether to create the admin home folder. Defaults to config.ghaf.users.admin.enableUILogin.
A value of ‘false’ sets the home directory to /var/empty; ‘true’ creates the home directory
as /home/<name>.
Type: boolean
Default:
falseDeclared by:
ghaf.users.admin.extraGroups
Section titled “ghaf.users.admin.extraGroups”Extra groups for the admin user.
Type: list of string
Default:
[ ]Declared by:
ghaf.users.admin.hashedPassword
Section titled “ghaf.users.admin.hashedPassword”Hashed password for live updates.
Type: null or string
Default:
nullDeclared by:
ghaf.users.admin.homeSize
Section titled “ghaf.users.admin.homeSize”Size of the admin user’s home directory image in megabytes.
Type: signed integer
Default:
10240Declared by:
ghaf.users.admin.initialHashedPassword
Section titled “ghaf.users.admin.initialHashedPassword”Initial hashed password for the admin user account.
Type: null or string
Default:
nullDeclared by:
ghaf.users.admin.initialPassword
Section titled “ghaf.users.admin.initialPassword”Default password for the admin user account.
Type: null or string
Default:
"ghaf"Declared by:
ghaf.users.admin.isNormalUser
Section titled “ghaf.users.admin.isNormalUser”Whether the admin user is a normal user.
Type: boolean
Default:
falseDeclared by:
ghaf.users.admin.name
Section titled “ghaf.users.admin.name”Admin account name. Defaults to ‘ghaf’.
Type: string
Default:
"ghaf"Declared by:
ghaf.users.admin.shell
Section titled “ghaf.users.admin.shell”Login shell for the admin user.
Type: string
Default:
"/run/current-system/sw/bin/bash"Declared by:
ghaf.users.admin.uid
Section titled “ghaf.users.admin.uid”User identifier (uid) for the admin account.
Type: signed integer
Default:
901Declared by:
ghaf.users.appUser
Section titled “ghaf.users.appUser”User account for app-vms running applications.
Type: submodule
Declared by:
ghaf.users.appUser.enable
Section titled “ghaf.users.appUser.enable”Whether to enable auxiliary user account.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.appUser.extraGroups
Section titled “ghaf.users.appUser.extraGroups”Extra groups for the auxiliary user.
Type: list of string
Default:
[ ]Declared by:
ghaf.users.appUser.name
Section titled “ghaf.users.appUser.name”Auxiliary user’s name.
Type: string
Declared by:
ghaf.users.appUser.uid
Section titled “ghaf.users.appUser.uid”Auxiliary user’s UID.
Type: signed integer
Default:
1000Declared by:
ghaf.users.homedUser
Section titled “ghaf.users.homedUser”User account for desktop login.
Type: submodule
Default:
{ }Declared by:
ghaf.users.homedUser.enable
Section titled “ghaf.users.homedUser.enable”Whether to enable a single homed user account.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.homedUser.extraGroups
Section titled “ghaf.users.homedUser.extraGroups”Extra groups for the login user.
Type: list of string
Default:
[ ]Declared by:
ghaf.users.homedUser.fidoAuth
Section titled “ghaf.users.homedUser.fidoAuth”Whether to enable FIDO authentication for the login user.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.homedUser.fsType
Section titled “ghaf.users.homedUser.fsType”Filesystem type for the home directory.
Type: string
Default:
"ext4"Declared by:
ghaf.users.homedUser.homeSize
Section titled “ghaf.users.homedUser.homeSize”Size of the home directory for the login user in MiB (integer). The integer size is inherited from the microvm volume size parameter. Defaults to 400 GiB.
Type: signed integer
Default:
409600Declared by:
ghaf.users.homedUser.loginShell
Section titled “ghaf.users.homedUser.loginShell”Login shell for the user.
Type: string
Default:
"/run/current-system/sw/bin/bash"Declared by:
ghaf.users.homedUser.uid
Section titled “ghaf.users.homedUser.uid”Login user identifier (uid). Defaults to 1000 for compatibility.
Type: signed integer
Default:
1000Declared by:
ghaf.users.managed
Section titled “ghaf.users.managed”List of declaratively managed user accounts.
The ghaf user interface for declarative users has the following options:
- No enable flag, a specified account is enabled by default [mandatory]
- name: User name
- vms: List of VMs (or host) the user is enabled in [optional]
- initialPassword: Default password for the user account
- initialHashedPassword: Initial hashed password for the user account
- hashedPassword: Hashed password for live updates
- uid: Optional user identifier (uid). Defaults to null
- gid: Optional primary group identifier (gid). Defaults to null
- createHome: Create home directory for the user
- linger: Enable lingering for the user
- extraGroups: Extra groups for the user
These, as any additional user option, may be set through the usual NixOS user options.
Type: list of (submodule)
Default:
[ ]Declared by:
ghaf.users.managed.*.createHome
Section titled “ghaf.users.managed.*.createHome”Create home directory for the user.
Type: boolean
Default:
trueDeclared by:
ghaf.users.managed.*.extraGroups
Section titled “ghaf.users.managed.*.extraGroups”Extra groups for the user.
Type: list of string
Default:
[ ]Declared by:
ghaf.users.managed.*.gid
Section titled “ghaf.users.managed.*.gid”Optional primary group identifier (gid). Defaults to null.
Type: null or signed integer
Default:
nullDeclared by:
ghaf.users.managed.*.hashedPassword
Section titled “ghaf.users.managed.*.hashedPassword”Hashed password for live updates.
Type: null or string
Default:
nullDeclared by:
ghaf.users.managed.*.initialHashedPassword
Section titled “ghaf.users.managed.*.initialHashedPassword”Initial hashed password for the admin user account.
Type: null or string
Default:
nullDeclared by:
ghaf.users.managed.*.initialPassword
Section titled “ghaf.users.managed.*.initialPassword”Initial password for the admin user account.
Type: null or string
Default:
nullDeclared by:
ghaf.users.managed.*.linger
Section titled “ghaf.users.managed.*.linger”Enable lingering for the user.
Type: boolean
Default:
falseDeclared by:
ghaf.users.managed.*.name
Section titled “ghaf.users.managed.*.name”User name
Type: null or string
Default:
nullDeclared by:
ghaf.users.managed.*.uid
Section titled “ghaf.users.managed.*.uid”Optional user identifier (uid). Defaults to null.
Type: null or signed integer
Default:
nullDeclared by:
ghaf.users.managed.*.vms
Section titled “ghaf.users.managed.*.vms”List of VMs (or host) the user is enabled in.
Type: list of string
Default:
[ ]Declared by:
ghaf.users.profile.ad-users.enable
Section titled “ghaf.users.profile.ad-users.enable”Whether to enable Active Directory users for UI login. To use this option, you need Active Directory configured (backend) and the SSSD service running locally. It further requires the computer to be enrolled in the Active Directory domain.
Account restrictions such as single-user login on the machine have to be configured via AD policies (e.g., GPO). Otherwise, all domain users will be able to log in to the machine.
Note: This profile is not compatible with the ‘homed-user’ profile.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.profile.homed-user.enable
Section titled “ghaf.users.profile.homed-user.enable”Whether to enable a local systemd-homed managed user. This is the default for a single-user system that does not require remote management.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.profile.mutable-users.enable
Section titled “ghaf.users.profile.mutable-users.enable”Whether to enable mutable (configuration-defined) user accounts, which allows local user accounts to be modified at runtime.
This applies only to configuration ‘managed’ user accounts; it does not affect homed or AD users. Passwords and hashes of configuration-defined accounts are stored in /nix/store and are therefore immutable at runtime unless this option is enabled. The same applies to other user attributes such as uid/gid, shell, home directory, groups, etc. Make sure to read the NixOS documentation for users.mutableUsers for more information, such as the priority of the different password and hash options.
This means:
- enabled (true): you can change the password of a configuration-defined user at runtime, but you cannot change the user’s password by rebuilding the system
- disabled (false): all user accounts are immutable and can only be changed via NixOS configuration rebuilds, and hashes (or passwords) are stored in /nix/store
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.proxyUser
Section titled “ghaf.users.proxyUser”User account for system-vms running dbus proxy functionality.
Type: submodule
Declared by:
ghaf.users.proxyUser.enable
Section titled “ghaf.users.proxyUser.enable”Whether to enable auxiliary user account.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.users.proxyUser.extraGroups
Section titled “ghaf.users.proxyUser.extraGroups”Extra groups for the auxiliary user.
Type: list of string
Default:
[ ]Declared by:
ghaf.users.proxyUser.name
Section titled “ghaf.users.proxyUser.name”Auxiliary user’s name.
Type: string
Declared by:
ghaf.users.proxyUser.uid
Section titled “ghaf.users.proxyUser.uid”Auxiliary user’s UID.
Type: signed integer
Default:
1000Declared by:
ghaf.version
Section titled “ghaf.version”The version of Ghaf
Type: string (read only)
Default:
"26.03.1"Declared by:
ghaf.virtualization.microvm.adminvm.enable
Section titled “ghaf.virtualization.microvm.adminvm.enable”Whether to enable AdminVM.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.virtualization.microvm.adminvm.evaluatedConfig
Section titled “ghaf.virtualization.microvm.adminvm.evaluatedConfig”Pre-evaluated Admin VM NixOS configuration. Profiles must set this using adminvmBase.extendModules from a profile (e.g., laptop-x86 or orin).
Type: null or unspecified value
Default:
nullDeclared by:
ghaf.virtualization.microvm.adminvm.extraNetworking
Section titled “ghaf.virtualization.microvm.adminvm.extraNetworking”Extra Networking option
Type: submodule
Default:
{ }Declared by:
ghaf.virtualization.microvm.adminvm.extraNetworking.cid
Section titled “ghaf.virtualization.microvm.adminvm.extraNetworking.cid”Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default:
nullDeclared by:
ghaf.virtualization.microvm.adminvm.extraNetworking.interfaceName
Section titled “ghaf.virtualization.microvm.adminvm.extraNetworking.interfaceName”Name of the network interface.
Type: null or string
Default:
nullDeclared by:
ghaf.virtualization.microvm.adminvm.extraNetworking.ipv4
Section titled “ghaf.virtualization.microvm.adminvm.extraNetworking.ipv4”IPv4 address as string.
Type: null or string
Default:
nullDeclared by:
ghaf.virtualization.microvm.adminvm.extraNetworking.ipv4SubnetPrefixLength
Section titled “ghaf.virtualization.microvm.adminvm.extraNetworking.ipv4SubnetPrefixLength”The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0)
Type: null or signed integer
Default:
nullExample:
24Declared by:
ghaf.virtualization.microvm.adminvm.extraNetworking.ipv6
Section titled “ghaf.virtualization.microvm.adminvm.extraNetworking.ipv6”IPv6 address as string.
Type: null or string
Default:
nullDeclared by:
ghaf.virtualization.microvm.adminvm.extraNetworking.mac
Section titled “ghaf.virtualization.microvm.adminvm.extraNetworking.mac”MAC address as string.
Type: null or string
Default:
nullDeclared by:
ghaf.virtualization.microvm.adminvm.extraNetworking.name
Section titled “ghaf.virtualization.microvm.adminvm.extraNetworking.name”Host name as string.
Type: null or string
Default:
nullDeclared by:
ghaf.virtualization.microvm.appvm.enable
Whether to enable appvm.
Type: boolean
Default: false
Example: true

ghaf.virtualization.microvm.appvm.enabledVms
Read-only attrset of enabled VMs with all values derived from evaluatedConfig. Use this instead of accessing vms directly when you need derived values like vtpm, applications, mem, etc.
Type: attribute set of unspecified value (read only)

ghaf.virtualization.microvm.appvm.vms
App VM configurations. Each VM must have evaluatedConfig set via mkAppVm.
Extension Pattern:
- ALL values (name, mem, borderColor, applications, vtpm, etc.) are derived from evaluatedConfig.config.ghaf.appvm.vmDef
- You only need to set ‘enable’ and ‘evaluatedConfig’ here
- Use ‘extensions’ to add modules from external features (e.g., ghaf-intro)
- Extensions are applied via NixOS native extendModules
The attrset key (e.g., ‘chromium’ in vms.chromium) is used as fallback for name.
Type: attribute set of (submodule)
Default: { }

ghaf.virtualization.microvm.appvm.vms.<name>.enable
Whether to enable this virtual machine.
Type: boolean
Default: false
Example: true

ghaf.virtualization.microvm.appvm.vms.<name>.bootPriority
Boot priority for the VM (affects systemd ordering)
Type: one of “low”, “medium”, “high”
Default: "medium"

ghaf.virtualization.microvm.appvm.vms.<name>.evaluatedConfig
Base NixOS configuration from mkAppVm profile function.
Type: null or unspecified value
Default: null

ghaf.virtualization.microvm.appvm.vms.<name>.extensions
Additional modules to extend this VM’s configuration. Applied via NixOS native extendModules after the base evaluatedConfig. Use this for features that need to add apps, services, or other configuration to a VM without modifying its base definition.
Type: list of module
Default: [ ]
Example: [ ({ pkgs, ... }: { ghaf.appvm.applications = [ { name = "My App"; command = "myapp"; packages = [ pkgs.myapp ]; } ]; }) ]

ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking
Extra networking options for this VM (host-side only)
Type: anything
Default: { }

ghaf.virtualization.microvm.appvm.vms.<name>.usbPassthrough
USB passthrough rules for this VM (host-side only)
Type: list of anything
Default: [ ]

ghaf.virtualization.microvm.audiovm.enable
Whether to enable AudioVM.
Type: boolean
Default: false
Example: true

ghaf.virtualization.microvm.audiovm.evaluatedConfig
Pre-evaluated NixOS configuration for Audio VM. Profiles must set this using audiovmBase.extendModules from a profile (e.g., laptop-x86 or orin).
Type: null or unspecified value
Default: null

ghaf.virtualization.microvm.audiovm.extraNetworking
Extra Networking option
Type: submodule
Default: { }

ghaf.virtualization.microvm.audiovm.extraNetworking.cid
Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null

ghaf.virtualization.microvm.audiovm.extraNetworking.interfaceName
Name of the network interface.
Type: null or string
Default: null

ghaf.virtualization.microvm.audiovm.extraNetworking.ipv4
IPv4 address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.audiovm.extraNetworking.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0)
Type: null or signed integer
Default: null
Example: 24

ghaf.virtualization.microvm.audiovm.extraNetworking.ipv6
IPv6 address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.audiovm.extraNetworking.mac
MAC address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.audiovm.extraNetworking.name
Host name as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.guivm.enable
Whether to enable GUIVM.
Type: boolean
Default: false
Example: true

ghaf.virtualization.microvm.guivm.applications
Applications to include in the GUIVM
Type: list of (submodule)
Default: [ ]

ghaf.virtualization.microvm.guivm.applications.*.packages
Packages required for this application
Type: list of package
Default: [ ]

ghaf.virtualization.microvm.guivm.applications.*.categories
The Categories of the desktop entry; see https://specifications.freedesktop.org/menu-spec/1.0/category-registry.html for possible values
Type: list of string
Default: [ ]

ghaf.virtualization.microvm.guivm.applications.*.description
The Comment of the desktop entry
Type: string

ghaf.virtualization.microvm.guivm.applications.*.desktopName
The Name of the desktop entry
Type: string
Default: ""

ghaf.virtualization.microvm.guivm.applications.*.exec
The Exec of the desktop entry.
If vm is set, this command will be executed in the target VM.
Type: null or string
Default: null

ghaf.virtualization.microvm.guivm.applications.*.extraModules
Additional modules required for the application
Type: list of (attribute set)
Default: [ ]

ghaf.virtualization.microvm.guivm.applications.*.genericName
The GenericName of the desktop entry
Type: null or string
Default: null

ghaf.virtualization.microvm.guivm.applications.*.givcArgs
GIVC arguments for the application
Type: list of string
Default: [ ]

ghaf.virtualization.microvm.guivm.applications.*.icon
The Icon of the desktop entry
Type: null or string
Default: null

ghaf.virtualization.microvm.guivm.applications.*.name
The name of the desktop file (excluding the .desktop or .directory file extensions)
Type: string

ghaf.virtualization.microvm.guivm.applications.*.noDisplay
The NoDisplay field of the desktop entry
Type: boolean
Default: false

ghaf.virtualization.microvm.guivm.applications.*.startupWMClass
The StartupWMClass of the desktop entry
Type: null or string
Default: null

ghaf.virtualization.microvm.guivm.applications.*.vm
VM name in case this launches an isolated application.
Type: null or string
Default: null

ghaf.virtualization.microvm.guivm.evaluatedConfig
Pre-evaluated GUI VM configuration from extendModules. Profiles must set this by extending guivmBase from a profile (e.g., laptop-x86 or orin).
Type: null or unspecified value
Default: null

ghaf.virtualization.microvm.guivm.extraNetworking
Extra Networking option
Type: submodule
Default: { }

ghaf.virtualization.microvm.guivm.extraNetworking.cid
Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null

ghaf.virtualization.microvm.guivm.extraNetworking.interfaceName
Name of the network interface.
Type: null or string
Default: null

ghaf.virtualization.microvm.guivm.extraNetworking.ipv4
IPv4 address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.guivm.extraNetworking.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0)
Type: null or signed integer
Default: null
Example: 24

ghaf.virtualization.microvm.guivm.extraNetworking.ipv6
IPv6 address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.guivm.extraNetworking.mac
MAC address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.guivm.extraNetworking.name
Host name as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.idsvm.enable
Whether to enable IDS-VM on the system.
Type: boolean
Default: false
Example: true

ghaf.virtualization.microvm.idsvm.evaluatedConfig
Pre-evaluated NixOS configuration for IDS VM. Profiles must set this using idsvmBase.extendModules from a profile (e.g., laptop-x86).
Type: null or unspecified value
Default: null

ghaf.virtualization.microvm.idsvm.extraNetworking
Extra Networking option
Type: submodule
Default: { }

ghaf.virtualization.microvm.idsvm.extraNetworking.cid
Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null

ghaf.virtualization.microvm.idsvm.extraNetworking.interfaceName
Name of the network interface.
Type: null or string
Default: null

ghaf.virtualization.microvm.idsvm.extraNetworking.ipv4
IPv4 address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.idsvm.extraNetworking.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0)
Type: null or signed integer
Default: null
Example: 24

ghaf.virtualization.microvm.idsvm.extraNetworking.ipv6
IPv6 address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.idsvm.extraNetworking.mac
MAC address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.idsvm.extraNetworking.name
Host name as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.idsvm.mitmproxy.enable
Whether to enable mitmproxy on ids-vm.
Type: boolean
Default: false
Example: true

ghaf.virtualization.microvm.idsvm.mitmproxy.webUIEnabled
Whether to enable the mitmproxy web UI (mitmweb) on ids-vm.
Type: boolean
Default: false

ghaf.virtualization.microvm.idsvm.mitmproxy.webUIPort
Port of the mitmweb UI.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive) (read only)
Default: [ 8081 ]

ghaf.virtualization.microvm.idsvm.mitmproxy.webUIPswd
Password of the mitmweb UI (fixed, read-only default).
Type: string (read only)
Default: "ghaf"

ghaf.virtualization.microvm.netvm.enable
Whether to enable NetVM.
Type: boolean
Default: false
Example: true

ghaf.virtualization.microvm.netvm.evaluatedConfig
Pre-evaluated NixOS configuration for Net VM set via profile’s netvmBase.extendModules.
Type: null or unspecified value
Default: null

ghaf.virtualization.microvm.netvm.extraNetworking
Extra Networking option
Type: submodule
Default: { }

ghaf.virtualization.microvm.netvm.extraNetworking.cid
Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null

ghaf.virtualization.microvm.netvm.extraNetworking.interfaceName
Name of the network interface.
Type: null or string
Default: null

ghaf.virtualization.microvm.netvm.extraNetworking.ipv4
IPv4 address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.netvm.extraNetworking.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0)
Type: null or signed integer
Default: null
Example: 24

ghaf.virtualization.microvm.netvm.extraNetworking.ipv6
IPv6 address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.netvm.extraNetworking.mac
MAC address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.netvm.extraNetworking.name
Host name as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.storeOnDisk
Whether to enable storeOnDisk (erofs compressed image) for all MicroVMs.
Type: boolean
Default: false
Example: true

ghaf.virtualization.microvm.sysvm.enabledVms
Read-only attrset of enabled system VMs. Filtered from sysvm.vms to only include VMs with enable = true.
Type: attribute set of unspecified value (read only)

ghaf.virtualization.microvm.sysvm.vms
System VM registry. Each system VM module self-registers here. Keys are vmType names (guivm, netvm, etc.) matching vmConfig.sysvms keys. Use enabledVms for the filtered view of active VMs.
Type: attribute set of (submodule)
Default: { }

ghaf.virtualization.microvm.sysvm.vms.<name>.enable
Whether to enable this system VM.
Type: boolean
Default: false
Example: true

ghaf.virtualization.microvm.sysvm.vms.<name>.evaluatedConfig
Pre-evaluated NixOS configuration for this system VM.
Type: null or unspecified value
Default: null

ghaf.virtualization.microvm.sysvm.vms.<name>.extraNetworking
Extra networking configuration for this system VM.
Type: submodule
Default: { }

ghaf.virtualization.microvm.sysvm.vms.<name>.extraNetworking.cid
Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null

ghaf.virtualization.microvm.sysvm.vms.<name>.extraNetworking.interfaceName
Name of the network interface.
Type: null or string
Default: null

ghaf.virtualization.microvm.sysvm.vms.<name>.extraNetworking.ipv4
IPv4 address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.sysvm.vms.<name>.extraNetworking.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0)
Type: null or signed integer
Default: null
Example: 24

ghaf.virtualization.microvm.sysvm.vms.<name>.extraNetworking.ipv6
IPv6 address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.sysvm.vms.<name>.extraNetworking.mac
MAC address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.sysvm.vms.<name>.extraNetworking.name
Host name as string.
Type: null or string
Default: null

ghaf.virtualization.microvm.sysvm.vms.<name>.vmName
VM name with hyphen (e.g., gui-vm, net-vm).
Type: string

ghaf.virtualization.microvm-host.enable
Whether to enable MicroVM Host.
Type: boolean
Default: false
Example: true

ghaf.virtualization.microvm-host.extraNetworking
Extra Networking option
Type: submodule
Default: { }

ghaf.virtualization.microvm-host.extraNetworking.cid
Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null

ghaf.virtualization.microvm-host.extraNetworking.interfaceName
Name of the network interface.
Type: null or string
Default: null

ghaf.virtualization.microvm-host.extraNetworking.ipv4
IPv4 address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm-host.extraNetworking.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0)
Type: null or signed integer
Default: null
Example: 24

ghaf.virtualization.microvm-host.extraNetworking.ipv6
IPv6 address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm-host.extraNetworking.mac
MAC address as string.
Type: null or string
Default: null

ghaf.virtualization.microvm-host.extraNetworking.name
Host name as string.
Type: null or string
Default: null

ghaf.virtualization.microvm-host.networkSupport
Whether to enable Network support services to run host applications…
Type: boolean
Default: false
Example: true

ghaf.virtualization.microvm-host.sharedVmDirectory.enable
Whether to enable the shared directory.
Type: boolean
Default: true
Example: true

ghaf.virtualization.microvm-host.sharedVmDirectory.inotifyPassthrough
Whether to enable inotify passthrough.
Type: boolean
Default: true
Example: true

ghaf.virtualization.microvm-host.sharedVmDirectory.vms
List of names of virtual machines for which the unsafe shared folder will be enabled.
Type: list of string
Default: [ ]

ghaf.virtualization.nvidia-docker.daemon.enable
Whether to enable Nvidia Docker Daemon.
Type: boolean
Default: false
Example: true

ghaf.virtualization.nvidia-podman.daemon.enable
Whether to enable Nvidia Podman Daemon.
Type: boolean
Default: false
Example: true

ghaf.virtualization.storagevm-encryption.enable
Whether to enable Encryption of the VM storage area for all VMs.
Type: boolean
Default: false
Example: true

ghaf.virtualization.vmConfig.appvms
Per-App-VM configuration. Keys should match App VM names.
Type: attribute set of (submodule)
Default: { }
Example: { chromium = { mem = 8192; extraModules = [ ./chrome.nix ]; }; comms = { mem = 4096; }; }

ghaf.virtualization.vmConfig.appvms.<name>.balloonRatio
Memory balloon ratio. The VM is allocated mem * (balloonRatio + 1) bytes of memory, with ballooning enabled when balloonRatio > 0. If null, uses the default from the VM definition (typically 2).
Type: null or signed integer
Default: null

ghaf.virtualization.vmConfig.appvms.<name>.extraModules
Additional modules for this App VM.
Type: list of unspecified value
Default: [ ]

ghaf.virtualization.vmConfig.appvms.<name>.mem
App VM memory allocation in MB.
Type: null or signed integer
Default: null

ghaf.virtualization.vmConfig.appvms.<name>.vcpu
App VM vCPU count.
Type: null or signed integer
Default: null

ghaf.virtualization.vmConfig.sysvms
Per-system-VM configuration. Keys should match system VM names (e.g., guivm, netvm, audiovm, adminvm, idsvm).
Type: attribute set of (submodule)
Default: { }
Example: { guivm = { mem = 16384; vcpu = 8; }; netvm = { extraModules = [ ./my-net-config.nix ]; }; }

ghaf.virtualization.vmConfig.sysvms.<name>.extraModules
Additional NixOS modules for this VM. Used for profile-specific apps, services, and downstream customization.
Note: Hardware-specific modules (GPU quirks, passthrough) belong in hardware.definition.<vm>.extraModules instead.
Type: list of unspecified value
Default: [ ]
Example: [ ./my-apps.nix { services.myService.enable = true; } ]

ghaf.virtualization.vmConfig.sysvms.<name>.mem
VM memory allocation in MB. If null, uses the default from the VM base module. This is for profile/downstream tuning, not hardware constraints.
Type: null or signed integer
Default: null
Example: 8192

ghaf.virtualization.vmConfig.sysvms.<name>.vcpu
VM vCPU count. If null, uses the default from the VM base module.
Type: null or signed integer
Default: null
Example: 4