Modules Options
ghaf.common.adminHost
Name of the admin host currently enabled (null if none).
Type: null or string
Default: null

ghaf.common.appHosts
List of app hosts currently enabled.
Type: list of string
Default: [ ]

ghaf.common.extraNetworking.enableStaticArp
Enable static ARP entries for all hosts and prevent any ARP traffic from being sent or received on the internal network. This prevents ARP spoofing between VMs: each VM's MAC/IP binding is pinned, so a compromised VM cannot answer ARP requests on behalf of another VM and redirect its traffic.
Type: boolean
Default: true

ghaf.common.extraNetworking.hosts
Extra host entries that override or extend the generated ones.
Type: attribute set of (submodule)
Default: { }

ghaf.common.extraNetworking.hosts.<name>.cid
Vsock CID (Context IDentifier) as an integer. The low CIDs are reserved:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Guest CIDs therefore start at 3.
Type: null or signed integer
Default: null

ghaf.common.extraNetworking.hosts.<name>.interfaceName
Name of the network interface.
Type: null or string
Default: null

ghaf.common.extraNetworking.hosts.<name>.ipv4
IPv4 address as a string.
Type: null or string
Default: null

ghaf.common.extraNetworking.hosts.<name>.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0).
Type: null or signed integer
Default: null
Example: 24

ghaf.common.extraNetworking.hosts.<name>.ipv6
IPv6 address as a string.
Type: null or string
Default: null

ghaf.common.extraNetworking.hosts.<name>.mac
MAC address as a string.
Type: null or string
Default: null

ghaf.common.extraNetworking.hosts.<name>.name
Host name as a string.
Type: null or string
Default: null
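As an added example (not code from the Ghaf project), the NixOS module fragment below pins one extra host entry on the internal network and adds an evaluation-time check that no entry claims a reserved vsock CID. The host name `build-vm`, its interface name, addresses, MAC and CID are invented for illustration, and keying the entry by its host name is an assumption about how the `hosts` attribute set is used.

```nix
# Added example: an extra host entry for Ghaf's internal network.
# The host name, interface, addresses, MAC and CID are invented for illustration.
{ config, lib, ... }:
{
  ghaf.common.extraNetworking = {
    # Keep static ARP on: every VM gets a fixed MAC/IP binding for its
    # peers and ARP frames are blocked, so a compromised VM cannot poison
    # another VM's ARP cache and intercept its traffic.
    enableStaticArp = true;

    hosts = {
      # Assumption: entries are keyed by host name.
      build-vm = {
        name = "build-vm";
        interfaceName = "ethint0";      # assumed interface name
        ipv4 = "192.168.100.20";
        ipv4SubnetPrefixLength = 24;
        ipv6 = "fd00:100::20";
        mac = "02:00:00:00:01:20";      # locally administered, unique per VM
        cid = 20;                       # vsock CID; 0-2 are reserved, guests use >= 3
      };
    };
  };

  # Evaluation-time check: a CID in the reserved range would collide with
  # hypervisor, loopback or host addressing, so fail the build instead of
  # producing a VM that silently cannot be reached over vsock.
  assertions = lib.mapAttrsToList (n: h: {
    assertion = h.cid == null || h.cid >= 3;
    message = "ghaf.common.extraNetworking.hosts.${n}: vsock CID ${toString h.cid} is reserved (0-2)";
  }) config.ghaf.common.extraNetworking.hosts;
}
```

The assertion runs for every entry in `hosts`, including the generated ones, so a typo in any module that sets a CID is caught at `nixos-rebuild` time rather than at boot.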
ghaf.common.hardware.audio
List of audio PCI devices currently enabled for passthrough.
Type: list of (attribute set)
Default: [ { } ]

ghaf.common.hardware.gpus
List of GPUs currently enabled for passthrough.
Type: list of (attribute set)
Default: [ { } ]

ghaf.common.hardware.nics
List of network interfaces currently enabled for passthrough.
Type: list of (attribute set)
Default: [ { } ]

ghaf.common.hardware.usb
List of USB devices currently enabled for passthrough.
Type: list of (attribute set)
Default: [ { } ]

ghaf.common.systemHosts
List of system hosts currently enabled.
Type: list of string
Default: [ ]

ghaf.common.vms
List of VMs currently enabled.
Type: list of string
Default: [ ]
ghaf.development.cuda.enable
Whether to enable CUDA support.
Type: boolean
Default: false
Example: true

ghaf.development.debug.tools.enable
Whether to enable debug tools.
Type: boolean
Default: false
Example: true

ghaf.development.debug.tools.av.enable
Whether to enable camera debugging tools.
Type: boolean
Default: false
Example: true

ghaf.development.debug.tools.gui.enable
Whether to enable GUI debugging tools.
Type: boolean
Default: false
Example: true

ghaf.development.debug.tools.host.enable
Whether to enable host debugging tools.
Type: boolean
Default: false
Example: true

ghaf.development.debug.tools.net.enable
Whether to enable network debugging tools.
Type: boolean
Default: false
Example: true

ghaf.development.nix-setup.enable
Whether to enable the Nix configuration options on the target device.
Type: boolean
Default: false
Example: true

ghaf.development.nix-setup.automatic-gc.enable
Whether to enable automatic garbage collection.
Type: boolean
Default: false
Example: true

ghaf.development.nix-setup.nixpkgs
Path to the nixpkgs repository.
Type: null or absolute path
Default: null

ghaf.development.ssh.daemon.enable
Whether to enable the SSH daemon. This is a development option and is off by default.
Type: boolean
Default: false
Example: true

ghaf.development.usb-serial.enable
Whether to enable USB-serial support.
Type: boolean
Default: false
Example: true
ghaf.firewall.enable
Whether to enable the Ghaf firewall for virtual machines.
Type: boolean
Default: true

ghaf.firewall.IdsEnabled
Whether to enable the IDS tool.
Type: boolean
Default: false
Example: true

ghaf.firewall.allowedTCPPorts
Additional TCP ports to allow through the Ghaf firewall.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: [ ]

ghaf.firewall.allowedUDPPorts
Additional UDP ports to allow through the Ghaf firewall.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: [ ]

ghaf.firewall.attack-mitigation.enable
Whether to enable the attack mitigation features integrated into the firewall.
Type: boolean
Default: true
Example: true

ghaf.firewall.attack-mitigation.ping
Ping flood mitigation settings.
Type: submodule
Default: { enable = true; rule = { burstNum = 10; maxPacketFreq = "60/min"; }; }

ghaf.firewall.attack-mitigation.ping.enable
Whether to enable ping flood mitigation.
Type: boolean
Default: true
Example: true

ghaf.firewall.attack-mitigation.ping.rule
Flood rule parameters for ping.
Type: submodule

ghaf.firewall.attack-mitigation.ping.rule.burstNum
Number of packets allowed in a short time before blacklisting.
Type: signed integer

ghaf.firewall.attack-mitigation.ping.rule.maxPacketFreq
Maximum average packet rate allowed from a single IP before blacklisting, in iptables rate notation (count/unit, e.g. "60/min").
Type: string

ghaf.firewall.attack-mitigation.ssh
SSH flood mitigation settings.
Type: submodule
Default: { enable = false; rule = { burstNum = 5; maxPacketFreq = "30/minute"; }; }

ghaf.firewall.attack-mitigation.ssh.enable
Whether to enable SSH flood mitigation.
Type: boolean
Default: false
Example: true

ghaf.firewall.attack-mitigation.ssh.rule
Flood rule parameters for SSH.
Type: submodule
Default: { burstNum = 5; maxPacketFreq = "30/minute"; }

ghaf.firewall.attack-mitigation.ssh.rule.burstNum
Number of packets allowed in a short time before blacklisting.
Type: signed integer

ghaf.firewall.attack-mitigation.ssh.rule.maxPacketFreq
Maximum average packet rate allowed from a single IP before blacklisting, in iptables rate notation (count/unit, e.g. "30/minute").
Type: string

ghaf.firewall.blacklistFwMarkNum
Firewall mark number applied to blacklisted packets.
Type: string (read only)
Default: "8"

ghaf.firewall.blacklistSize
The maximum number of IP addresses that can be stored in BLACKLIST.
Type: signed integer
Default: 65536
ghaf.firewall.extra
Extra firewall rules.
Type: submodule
Default: { }

ghaf.firewall.extra.forward
Extra firewall rules for the FORWARD chain.
Type: submodule
Default: { }

ghaf.firewall.extra.forward.filter
Extra firewall rules for ghaf-fw-fwd-filter.
Type: list of string
Default: [ ]

ghaf.firewall.extra.input
Extra firewall rules for the INPUT chain.
Type: submodule
Default: { }

ghaf.firewall.extra.input.filter
Extra firewall rules for ghaf-fw-in-filter.
Type: list of string
Default: [ ]

ghaf.firewall.extra.output
Extra firewall rules for the OUTPUT chain.
Type: submodule
Default: { }

ghaf.firewall.extra.output.filter
Extra firewall rules for ghaf-fw-out-filter.
Type: list of string
Default: [ ]

ghaf.firewall.extra.postrouting
Extra firewall rules for the POSTROUTING chain.
Type: submodule
Default: { }

ghaf.firewall.extra.postrouting.nat
Extra iptables rules for ghaf-fw-post-nat.
Type: list of string
Default: [ ]

ghaf.firewall.extra.prerouting
Extra firewall rules for the PREROUTING chain.
Type: submodule
Default: { }

ghaf.firewall.extra.prerouting.mangle
Extra firewall rules for ghaf-fw-pre-mangle.
Type: list of string
Default: [ ]

ghaf.firewall.extra.prerouting.nat
Extra firewall rules for ghaf-fw-pre-nat.
Type: list of string
Default: [ ]

ghaf.firewall.extra.prerouting.raw
Extra firewall rules for the raw chain.
Type: list of string
Default: [ ]

ghaf.firewall.extraOptions
Extra options to extend the networking.firewall configuration.
Type: attribute set of anything
Default: { }

ghaf.firewall.filter-arp
Whether to enable static ARP and MAC/IP filtering rules.
Type: boolean
Default: false
Example: true

ghaf.firewall.kernel-modules.enable
Whether to enable the kernel modules required by the firewall.
Type: boolean
Default: false
Example: true
ghaf.firewall.tcpBlacklistRules
List of blacklist settings for specific TCP ports.
Type: list of (submodule)
Default: [ ]

ghaf.firewall.tcpBlacklistRules.*.burstNum
Number of packets allowed in a short time before blacklisting.
Type: signed integer

ghaf.firewall.tcpBlacklistRules.*.fwMarkNum
Firewall mark number for blacklisted packets.
Type: string
Default: "8"

ghaf.firewall.tcpBlacklistRules.*.maxPacketFreq
Maximum average packet rate allowed from a single IP before blacklisting, in iptables rate notation (count/unit).
Type: string

ghaf.firewall.tcpBlacklistRules.*.port
Port this blacklist rule applies to.
Type: signed integer

ghaf.firewall.tcpBlacklistRules.*.trackingSize
Maximum number of IP addresses tracked in the hashtable. Rates are tracked per source IP, so this bound is what keeps an attacker spraying many source addresses from growing the table without limit.
Type: signed integer

ghaf.firewall.udpBlacklistRules
List of blacklist settings for specific UDP ports.
Type: list of (submodule)
Default: [ ]

ghaf.firewall.udpBlacklistRules.*.burstNum
Number of packets allowed in a short time before blacklisting.
Type: signed integer

ghaf.firewall.udpBlacklistRules.*.fwMarkNum
Firewall mark number for blacklisted packets.
Type: string
Default: "8"

ghaf.firewall.udpBlacklistRules.*.maxPacketFreq
Maximum average packet rate allowed from a single IP before blacklisting, in iptables rate notation (count/unit).
Type: string

ghaf.firewall.udpBlacklistRules.*.port
Port this blacklist rule applies to.
Type: signed integer

ghaf.firewall.udpBlacklistRules.*.trackingSize
Maximum number of IP addresses tracked in the hashtable. Rates are tracked per source IP, so this bound is what keeps an attacker spraying many source addresses from growing the table without limit.
Type: signed integer
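As an added example (not configuration from the Ghaf project), the fragment below combines the options above into a firewall profile for a VM that exposes one service port: the allowed-port lists, the ping and SSH flood mitigation submodules, a per-port blacklist rule, static ARP filtering and the `ghaf.firewall.extra.*` rule lists. The port 8443, the rates and the iptables fragments are illustrative; the page does not show the exact fragment syntax the `extra.*` lists expect, so plain iptables match/target arguments are assumed.

```nix
# Added example: hardening the Ghaf VM firewall for a VM that exposes one
# service port. Port number, rates and iptables fragments are illustrative.
{ ... }:
{
  ghaf.firewall = {
    enable = true;
    kernel-modules.enable = true;   # modules the rules below depend on

    # Only the service port is opened; everything else stays closed.
    allowedTCPPorts = [ 8443 ];
    allowedUDPPorts = [ ];

    # Flood mitigation: ping is on by default, SSH is off by default.
    attack-mitigation = {
      enable = true;
      ping.rule = { burstNum = 10; maxPacketFreq = "60/min"; };
      ssh = {
        enable = true;
        rule = { burstNum = 5; maxPacketFreq = "30/minute"; };
      };
    };

    # Per-port blacklisting for the service port: a single source may send
    # up to burstNum packets in a short window and maxPacketFreq on average;
    # beyond that its packets are marked with fwMarkNum and the source is
    # blacklisted. trackingSize bounds the per-source hashtable so spraying
    # spoofed source addresses cannot exhaust memory.
    tcpBlacklistRules = [
      {
        port = 8443;
        burstNum = 20;
        maxPacketFreq = "100/second";
        fwMarkNum = "8";
        trackingSize = 65536;
      }
    ];
    blacklistSize = 65536;

    # Pin MAC/IP pairs and drop spoofed ARP on the internal network.
    filter-arp = true;

    # Extra rule fragments for the ghaf-fw-in-filter chain. Assumption: each
    # string is appended as plain iptables match/target arguments. Together
    # they cap new connections to the service port and drop the excess.
    extra.input.filter = [
      "-p tcp --dport 8443 -m conntrack --ctstate NEW -m limit --limit 50/second --limit-burst 100 -j ACCEPT"
      "-p tcp --dport 8443 -m conntrack --ctstate NEW -j DROP"
    ];
  };
}
```

The blacklist rule and the `extra.input.filter` pair guard against different things: the blacklist reacts to a single abusive source, while the `limit` rule bounds the aggregate rate of new connections regardless of how many sources they come from. Where the module inserts the extra fragments relative to its own accept rules is not shown on this page, so verify the resulting chain with `iptables -S ghaf-fw-in-filter` after a rebuild.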
ghaf.givc.enable
Whether to enable gRPC inter-VM communication (givc).
Type: boolean
Default: false
Example: true

ghaf.givc.enableTls
Enable TLS for gRPC communication globally. Disable only for debugging: without TLS the givc traffic between VMs is neither authenticated nor encrypted.
Type: boolean
Default: true

ghaf.givc.adminConfig
Admin server configuration.
Type: submodule

ghaf.givc.adminConfig.addresses
Addresses of the admin server.
Type: list of (submodule)

ghaf.givc.adminConfig.addresses.*.addr
IP address of the admin server.
Type: string

ghaf.givc.adminConfig.addresses.*.name
Name of the IP range, used when parsing the address entry.
Type: string

ghaf.givc.adminConfig.addresses.*.port
Port of the admin server.
Type: string

ghaf.givc.adminConfig.addresses.*.protocol
Protocol of the admin server.
Type: one of “tcp”, “unix”, “vsock”

ghaf.givc.adminConfig.name
Host name of the admin server.
Type: string
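As an added example (not configuration from the Ghaf project), the fragment below declares the admin service with two endpoints, one over TCP on the internal network and one over vsock, and keeps TLS on. The host name `admin-vm`, the address, the port and the CID are invented; that a vsock entry carries the admin VM's CID in `addr` is an assumption, since the page only documents `addr` as an IP address.

```nix
# Added example: pointing givc at the admin service. Host name, address,
# port and CID are invented; the vsock addressing convention is assumed.
{ ... }:
{
  ghaf.givc = {
    enable = true;

    # Keep TLS on outside of debugging sessions: with it off, any VM on the
    # internal network could impersonate the admin service or replay
    # commands to it.
    enableTls = true;
    debug = false;

    adminConfig = {
      name = "admin-vm";
      addresses = [
        {
          name = "internal";          # label used when parsing the entry
          addr = "192.168.100.10";    # admin-vm on the internal network
          port = "9001";
          protocol = "tcp";
        }
        {
          name = "vsock";
          addr = "10";                # assumption: admin-vm's vsock CID
          port = "9001";
          protocol = "vsock";
        }
      ];
    };

    # Enable exactly the role module that matches this VM's role; the
    # remaining role modules keep their default of false.
    adminvm.enable = true;
  };
}
```

The vsock endpoint is the one to prefer for VMs that have no internal-network interface at all, because it does not depend on the guest's network stack being up or trustworthy.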
ghaf.givc.adminvm.enable
Whether to enable the adminvm givc module.
Type: boolean
Default: false
Example: true

ghaf.givc.appPrefix
Common application path prefix.
Type: string

ghaf.givc.appvm.enable
Whether to enable the appvm givc module.
Type: boolean
Default: false
Example: true

ghaf.givc.appvm.applications
Applications to run in the appvm.
Type: list of (attribute set)
Default: [ { } ]

ghaf.givc.audiovm.enable
Whether to enable the audiovm givc module.
Type: boolean
Default: false
Example: true

ghaf.givc.cliArgs
Arguments for givc-cli to contact the admin service.
Type: string
Default: ""

ghaf.givc.debug
Whether to enable givc debug mode.
Type: boolean
Default: false
Example: true

ghaf.givc.guivm.enable
Whether to enable the guivm givc module.
Type: boolean
Default: false
Example: true

ghaf.givc.host.enable
Whether to enable the host givc module.
Type: boolean
Default: false
Example: true

ghaf.givc.idsExtraArgs
Extra arguments passed to applications when IDS/MITM is enabled.
Type: string

ghaf.givc.netvm.enable
Whether to enable the netvm givc module.
Type: boolean
Default: false
Example: true

ghaf.gracefulShutdown
If true, the microvm ExecStop logic for this VM is overridden with the host-managed graceful shutdown, which starts the guest's poweroff.target and waits for the VM process to exit.
This option only has an effect if the power manager module is enabled on the host:
ghaf.services.power-manager.host.enable = true;
Type: boolean
Default: config.ghaf.givc.enable
ghaf.graphics.boot.enable
Enables graphical boot with Plymouth.
Type: boolean
Default: false

ghaf.graphics.boot.debug
Whether to enable Plymouth debug logs. They are written to /var/log/plymouth-debug.log.
Type: boolean
Default: false

ghaf.graphics.boot.deviceTimeout
Timeout in seconds to wait for the graphics device to become ready.
Type: null or signed integer
Default: 8

ghaf.graphics.boot.firmwareLogo.enable
Whether to override the UEFI firmware (BGRT) boot logo.
Type: boolean
Default: true

ghaf.graphics.boot.firmwareLogo.image
Image to use in place of the UEFI firmware (BGRT) boot logo. Default is the Ghaf logo.
Type: absolute path
Default: "/nix/store/ky2nxqqnvakk50nk3q7w7midrhw6q13z-ghaf-artwork-0.1.0/1600px-Ghaf_logo.png"

ghaf.graphics.boot.logo.enable
Whether to show a custom logo at the bottom of the splash screen. If disabled, no logo is shown.
Type: boolean
Default: false

ghaf.graphics.boot.logo.image
Image to use at the bottom of the splash screen. Default is the Ghaf logo.
Type: absolute path
Default: "/nix/store/ky2nxqqnvakk50nk3q7w7midrhw6q13z-ghaf-artwork-0.1.0/ghaf-logo-512px.png"

ghaf.graphics.boot.renderer
Renderer for the graphical boot splash:
- simpledrm: use a simple framebuffer. Recommended if the GPU is not ready at early boot.
- gpu: use the system GPU if its drivers are available in the initrd.
Type: one of “gpu”, “simpledrm”
Default: "simpledrm"

ghaf.graphics.boot.splashDelay
Delay in seconds before showing the splash screen.
Type: null or signed integer
Default: 0

ghaf.graphics.boot.theme
Plymouth theme to use. The “bgrt” theme is recommended for UEFI systems.
Type: one of “bgrt”, “details”, “fade-in”, “glow”, “script”, “solar”, “spinfinity”, “spinner”, “text”, “tribar”
Default: "bgrt"

ghaf.graphics.boot.waitForService
If set, Plymouth waits for the specified systemd service to be started before quitting.
Type: null or string
Default: null
ghaf.graphics.cosmic.enable
Whether to enable the COSMIC desktop environment in Ghaf.
Type: boolean
Default: false
Example: true

ghaf.graphics.cosmic.bottomPanelApplets
COSMIC bottom panel applets configuration. Used only when the bottom-only panel layout is selected.
Type: submodule
Default: { center = [ ]; left = [ "com.system76.CosmicPanelAppButton" "com.system76.CosmicPanelWorkspacesButton" "com.system76.CosmicAppList" "com.system76.CosmicAppletMinimize" ]; right = [ "com.system76.CosmicAppletInputSources" "com.system76.CosmicAppletStatusArea" "ae.tii.CosmicAppletKillSwitch" "com.system76.CosmicAppletTiling" "com.system76.CosmicAppletNetwork" "com.system76.CosmicAppletAudio" "com.system76.CosmicAppletBattery" "com.system76.CosmicAppletNotifications" "com.system76.CosmicAppletTime" "com.system76.CosmicAppletPower" ]; }

ghaf.graphics.cosmic.bottomPanelApplets.center
List of applets to show in the center of the panel.
Type: list of string
Default: [ ]

ghaf.graphics.cosmic.bottomPanelApplets.left
List of applets to show on the left side of the panel.
Type: list of string
Default: [ ]

ghaf.graphics.cosmic.bottomPanelApplets.right
List of applets to show on the right side of the panel.
Type: list of string
Default: [ ]

ghaf.graphics.cosmic.extraAutostart
Additional shell commands to run on Ghaf COSMIC session start-up.
Type: string
Default: ""

ghaf.graphics.cosmic.idleManagement.enable
Whether to enable idle management.
When enabled, the system automatically manages screen blanking and suspension based on user inactivity.
If disabled, the default timeouts are set to ‘Never’; users can still configure the settings manually via COSMIC Settings to override this behavior.
If ‘config.ghaf.services.power-manager.allowSuspend’ is false, suspension will not occur regardless of this setting.
Type: boolean
Default: config.ghaf.profiles.graphics.idleManagement.enable

ghaf.graphics.cosmic.idleManagement.screenOffTime
Time in seconds of inactivity before the screen is turned off and the session is locked.
Type: signed integer
Default: 300

ghaf.graphics.cosmic.idleManagement.suspendOnAC
Time in seconds of inactivity before the system suspends when on AC power.
Type: signed integer
Default: config.ghaf.graphics.cosmic.idleManagement.screenOffTime * 3

ghaf.graphics.cosmic.idleManagement.suspendOnBattery
Time in seconds of inactivity before the system suspends when on battery power.
Type: signed integer
Default: config.ghaf.graphics.cosmic.idleManagement.screenOffTime * 3

ghaf.graphics.cosmic.renderDevice
Path to the render device to be used by the COSMIC compositor.
If set, it is assigned to the COSMIC_RENDER_DEVICE environment variable, directing COSMIC to use the specified device (e.g. /dev/dri/renderD129).
This is useful on systems with multiple GPUs to select explicitly which device the compositor should use.
If unset, COSMIC attempts to detect a suitable render device automatically.
Type: null or absolute path
Default: null
Example: "/dev/dri/renderD129"

ghaf.graphics.cosmic.screenRecorder.enable
Whether to enable screen recording capabilities using gpu-screen-recorder.
Type: boolean
Default: true
Example: true
ghaf.graphics.cosmic.securityContext
Security context settings (window border color per security context identifier).
Type: submodule
Default: { borderWidth = 4; rules = [ ]; }

ghaf.graphics.cosmic.securityContext.borderWidth
Default border width in pixels.
Type: positive integer, meaning >0
Default: 6
Example: 6

ghaf.graphics.cosmic.securityContext.rules
List of security context rules.
Type: list of (submodule)

ghaf.graphics.cosmic.securityContext.rules.*.color
Window border color.
Type: string
Example: "#006305"

ghaf.graphics.cosmic.securityContext.rules.*.identifier
The identifier attached to the security context.
Type: string
Example: "chrome-vm"

ghaf.graphics.cosmic.topPanelApplets
COSMIC top panel applets configuration. Used only when the top and bottom panel layout is selected.
Type: submodule
Default: { center = [ "com.system76.CosmicAppletTime" "com.system76.CosmicAppletNotifications" ]; left = [ "com.system76.CosmicPanelAppButton" "com.system76.CosmicPanelWorkspacesButton" ]; right = [ "com.system76.CosmicAppletInputSources" "com.system76.CosmicAppletStatusArea" "ae.tii.CosmicAppletKillSwitch" "com.system76.CosmicAppletTiling" "com.system76.CosmicAppletNetwork" "com.system76.CosmicAppletAudio" "com.system76.CosmicAppletBattery" "com.system76.CosmicAppletPower" ]; }

ghaf.graphics.cosmic.topPanelApplets.center
List of applets to show in the center of the panel.
Type: list of string
Default: [ ]

ghaf.graphics.cosmic.topPanelApplets.left
List of applets to show on the left side of the panel.
Type: list of string
Default: [ ]

ghaf.graphics.cosmic.topPanelApplets.right
List of applets to show on the right side of the panel.
Type: list of string
Default: [ ]
ghaf.graphics.hybrid-setup.enable
Whether to enable a hybrid GPU setup that uses both the Intel and NVIDIA GPUs: the Intel GPU handles rendering while the NVIDIA GPU is dedicated to media coding.
Type: boolean
Default: false
Example: true

ghaf.graphics.hybrid-setup.prime.enable
Whether to enable PRIME offload. This allows on-demand offloading of rendering tasks to the NVIDIA GPU; all other rendering happens on the GPU integrated in the CPU.
The NVIDIA GPU should be powered off whenever it is not in use, so this should not increase battery drain, but there are reports that this is not always the case, especially on older devices. Turn it off if it does not work properly for you.
Type: boolean
Default: false

ghaf.graphics.hybrid-setup.prime.intelBusId
Bus ID of the Intel GPU. You can find it using lspci; for example, if lspci shows the Intel GPU at “0001:02:03.4”, set this option to “PCI:2@1:3:4”. Note that lspci prints the domain, bus, device and function in hexadecimal while this option expects decimal, so a GPU that lspci lists at “0000:2d:00.0” is written as “PCI:45@0:0:0”.
Type: string
Default: ""

ghaf.graphics.hybrid-setup.prime.nvidiaBusId
Bus ID of the NVIDIA GPU, in the same format as intelBusId: for example, if lspci shows the NVIDIA GPU at “0001:02:03.4”, set this option to “PCI:2@1:3:4”, converting each hexadecimal field to decimal.
Type: string
Default: ""

ghaf.graphics.intel-setup.enable
Whether to enable the Intel GPU setup.
Type: boolean
Default: false
Example: true

ghaf.graphics.launchers
Application launchers to show in the system drawer or launcher.
Type: list of (submodule)
Default: [ ]

ghaf.graphics.launchers.*.description
Description of the application.
Type: string
Default: "Secured Ghaf Application"

ghaf.graphics.launchers.*.execPath
Path to the executable to be launched.
Type: absolute path

ghaf.graphics.launchers.*.icon
Optional icon for the launcher. If unspecified, the active icon theme is searched for an icon matching the launcher name. Can be set to an icon name from the current theme (Papirus) or a full path to an icon file.
Type: null or string
Default: null

ghaf.graphics.launchers.*.name
Name of the application.
Type: string

ghaf.graphics.launchers.*.vm
VM name, in case this launches an isolated application.
Type: null or string
Default: null
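As an added example (not configuration from the Ghaf project), the fragment below ties the two pieces above together: a launcher entry for an application that runs in an isolated VM, and a `ghaf.graphics.cosmic.securityContext` rule that gives that VM's windows a distinctive border. The VM names `chrome-vm` and `business-vm`, the colors, the icon name and the executable path are illustrative, and it is an assumption that the security context identifier equals the VM name.

```nix
# Added example: a per-VM launcher plus the matching security-context
# border. VM names, colors, icon and executable path are illustrative.
{ ... }:
{
  ghaf.graphics = {
    launchers = [
      {
        name = "Chrome";
        description = "Browser running in the chrome-vm";
        # Assumed path of the wrapper that forwards the launch to the VM.
        execPath = "/run/current-system/sw/bin/chrome-vm-launch";
        icon = "google-chrome";   # Papirus icon name, or an absolute file path
        vm = "chrome-vm";         # marks this as an isolated app in that VM
      }
      {
        name = "Office";
        description = "Office suite running in the business-vm";
        execPath = "/run/current-system/sw/bin/business-vm-launch";
        vm = "business-vm";       # icon omitted: theme is searched by name
      }
    ];

    cosmic.securityContext = {
      borderWidth = 6;
      # One rule per VM whose windows reach the GUI VM. The colored border
      # is drawn by the compositor, not by the application, so a page
      # rendered inside chrome-vm cannot forge the border of business-vm.
      # Assumption: the identifier is the VM name.
      rules = [
        { identifier = "chrome-vm";   color = "#006305"; }
        { identifier = "business-vm"; color = "#0b3ab5"; }
      ];
    };
  };
}
```

Pick colors with enough contrast from each other and from the window chrome; the border is the only visual cue a user has that a full-screen window belongs to the VM they think it does.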
ghaf.graphics.login-manager.enable
Section titled “ghaf.graphics.login-manager.enable”Whether to enable Ghaf login manager config using greetd.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.graphics.login-manager.failLock.enable
Section titled “ghaf.graphics.login-manager.failLock.enable”Whether to enable Account locking after repeated failed login attempts. When activated, the system will temporarily lock accounts that exceed the maximum allowed authentication failures. .
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.graphics.login-manager.failLock.maxTries
Section titled “ghaf.graphics.login-manager.failLock.maxTries”Defines the number of authentication failures required before locking the account. Key details: 1 authentication failure = 5 consecutive failed login attempts The system aggregates 5 incorrect password attempts into one recorded authentication failure. When maxTries = 2, locking occurs after: 2 authentication failures × 5 attempts each = 10 total failed login attempts The counter resets after successful authentication
Type: signed integer
Default:
2Declared by:
ghaf.graphics.nvidia-setup.enable
Section titled “ghaf.graphics.nvidia-setup.enable”Whether to enable Enable Nvidia setup.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.graphics.nvidia-setup.openDrivers
Section titled “ghaf.graphics.nvidia-setup.openDrivers”Whether to use the open source drivers instead of the nvidia proprietary drivers, e.g., for Blackwell architectures.
Type: boolean
Default:
falseDeclared by:
ghaf.graphics.nvidia-setup.vaapi.enable
Section titled “ghaf.graphics.nvidia-setup.vaapi.enable”Whether to enable the NVIDIA vaapi driver.
This allows using the NVIDIA GPU for decoding video streams instead of using software decoding on the CPU.
This particularly makes sense for desktop computers without an iGPU, as on those software en/decoding will take a lot of processing power while the NVIDIA GPU’s encoding capacity isn’t doing anything, so this option is enabled by default there.
However, on machines with an iGPU, the dGPU’s en/decoding capabilities are often more limited than those of the iGPU, and require more power, so this is disabled there by default - it may still make sense from time to time, so feel free to experiment.
Type: boolean
Default:
falseDeclared by:
ghaf.graphics.nvidia-setup.vaapi.maxInstances
Section titled “ghaf.graphics.nvidia-setup.vaapi.maxInstances”The maximum number of concurrent instances of the driver.
Sometimes useful for graphics cards with little VRAM.
Type: null or signed integer
Default:
nullDeclared by:
ghaf.graphics.nvidia-setup.withIntegratedGPU
Section titled “ghaf.graphics.nvidia-setup.withIntegratedGPU”Whether the computer has a separate integrated GPU.
This also configures the machine to use the integrated GPU for other things like software decoding, so keep this enabled even if you separately disable offload rendering.
Type: boolean
Default:
falseDeclared by:
ghaf.graphics.screen-recorder.enable
Section titled “ghaf.graphics.screen-recorder.enable”Whether to enable screen recording capabilities using gpu-screen-recorder.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.hardware.definition.audio.acpiPath
Section titled “ghaf.hardware.definition.audio.acpiPath”Path to ACPI file to add to a VM
Type: null or absolute path
Default:
"/sys/firmware/acpi/tables/NHLT"Declared by:
ghaf.hardware.definition.audio.kernelConfig
Section titled “ghaf.hardware.definition.audio.kernelConfig”Hardware specific kernel configuration for audio devices
Type: submodule
Default:
{ }Declared by:
ghaf.hardware.definition.audio.kernelConfig.kernelParams
Section titled “ghaf.hardware.definition.audio.kernelConfig.kernelParams”Hardware specific kernel parameters
Type: list of string
Default:
[ ]Example:
[ "intel_iommu=on,sm_on" "iommu=pt" "module_blacklist=i915" "acpi_backlight=vendor" "acpi_osi=linux"]Declared by:
ghaf.hardware.definition.audio.kernelConfig.stage1.kernelModules
Section titled “ghaf.hardware.definition.audio.kernelConfig.stage1.kernelModules”Hardware specific kernel modules
Type: list of string
Default:
[ ]Example:
[ "i915"]Declared by:
ghaf.hardware.definition.audio.kernelConfig.stage2.kernelModules
Section titled “ghaf.hardware.definition.audio.kernelConfig.stage2.kernelModules”Hardware specific kernel modules
Type: list of string
Default:
[ ]Example:
[ "i915"]Declared by:
ghaf.hardware.definition.audio.pciDevices
Section titled “ghaf.hardware.definition.audio.pciDevices”PCI Devices to passthrough to AudioVM
Type: list of (submodule)
Default:
[ ]Example:
[ { path = "0000:00:1f.0"; vendorId = "8086"; productId = "519d"; } { path = "0000:00:1f.3"; vendorId = "8086"; productId = "51ca"; } { path = "0000:00:1f.4"; vendorId = "8086"; productId = "51a3"; } { path = "0000:00:1f.5"; vendorId = "8086"; productId = "51a4"; }]Declared by:
ghaf.hardware.definition.audio.pciDevices.*.name
Section titled “ghaf.hardware.definition.audio.pciDevices.*.name”PCI device name (optional)
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.audio.pciDevices.*.path
Section titled “ghaf.hardware.definition.audio.pciDevices.*.path”PCI device path
Type: string
Declared by:
ghaf.hardware.definition.audio.pciDevices.*.productId
Section titled “ghaf.hardware.definition.audio.pciDevices.*.productId”PCI Product ID (optional)
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.audio.pciDevices.*.qemu.deviceExtraArgs
Section titled “ghaf.hardware.definition.audio.pciDevices.*.qemu.deviceExtraArgs”Device additional arguments (optional)
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.audio.pciDevices.*.vendorId
Section titled “ghaf.hardware.definition.audio.pciDevices.*.vendorId”PCI Vendor ID (optional)
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.gpu.kernelConfig
Section titled “ghaf.hardware.definition.gpu.kernelConfig”Hardware specific kernel configuration for gpu devices
Type: submodule
Default:
{ }Declared by:
ghaf.hardware.definition.gpu.kernelConfig.kernelParams
Section titled “ghaf.hardware.definition.gpu.kernelConfig.kernelParams”Hardware specific kernel parameters
Type: list of string
Default:
[ ]Example:
[ "intel_iommu=on,sm_on" "iommu=pt" "module_blacklist=i915" "acpi_backlight=vendor" "acpi_osi=linux"]Declared by:
ghaf.hardware.definition.gpu.kernelConfig.stage1.kernelModules
Section titled “ghaf.hardware.definition.gpu.kernelConfig.stage1.kernelModules”Hardware specific kernel modules
Type: list of string
Default:
[ ]Example:
[ "i915"]Declared by:
ghaf.hardware.definition.gpu.kernelConfig.stage2.kernelModules
Section titled “ghaf.hardware.definition.gpu.kernelConfig.stage2.kernelModules”Hardware specific kernel modules
Type: list of string
Default:
[ ]Example:
[ "i915"]Declared by:
ghaf.hardware.definition.gpu.pciDevices
Section titled “ghaf.hardware.definition.gpu.pciDevices”PCI Devices to passthrough to GuiVM
Type: list of (submodule)
Default:
[ ]Example:
[{ path = "0000:00:02.0"; vendorId = "8086"; productId = "a7a1"; qemu.deviceExtraArgs = "x-igd-opregion=on"}]Declared by:
ghaf.hardware.definition.gpu.pciDevices.*.name
Section titled “ghaf.hardware.definition.gpu.pciDevices.*.name”PCI device name (optional)
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.gpu.pciDevices.*.path
Section titled “ghaf.hardware.definition.gpu.pciDevices.*.path”PCI device path
Type: string
Declared by:
ghaf.hardware.definition.gpu.pciDevices.*.productId
Section titled “ghaf.hardware.definition.gpu.pciDevices.*.productId”PCI Product ID (optional)
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.gpu.pciDevices.*.qemu.deviceExtraArgs
Section titled “ghaf.hardware.definition.gpu.pciDevices.*.qemu.deviceExtraArgs”Device additional arguments (optional)
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.gpu.pciDevices.*.vendorId
Section titled “ghaf.hardware.definition.gpu.pciDevices.*.vendorId”PCI Vendor ID (optional)
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.host.extraVfioPciIds
Section titled “ghaf.hardware.definition.host.extraVfioPciIds”Extra IDs for the vfio-pci.ids kernel parameter
Type: list of string
Default:
[ ]Declared by:
ghaf.hardware.definition.host.kernelConfig
Section titled “ghaf.hardware.definition.host.kernelConfig”Host kernel configuration
Type: submodule
Default:
{ }Declared by:
ghaf.hardware.definition.host.kernelConfig.kernelParams
Section titled “ghaf.hardware.definition.host.kernelConfig.kernelParams”Hardware specific kernel parameters
Type: list of string
Default:
[ ]Example:
[ "intel_iommu=on,sm_on" "iommu=pt" "module_blacklist=i915" "acpi_backlight=vendor" "acpi_osi=linux"]Declared by:
ghaf.hardware.definition.host.kernelConfig.stage1.kernelModules
Section titled “ghaf.hardware.definition.host.kernelConfig.stage1.kernelModules”Hardware specific kernel modules
Type: list of string
Default:
[ ]Example:
[ "i915"]Declared by:
ghaf.hardware.definition.host.kernelConfig.stage2.kernelModules
Section titled “ghaf.hardware.definition.host.kernelConfig.stage2.kernelModules”Hardware specific kernel modules
Type: list of string
Default:
[ ]Example:
[ "i915"]Declared by:
ghaf.hardware.definition.input.keyboard
Section titled “ghaf.hardware.definition.input.keyboard”Name of the keyboard device(s)
Type: submodule
Default:
{ }Declared by:
ghaf.hardware.definition.input.keyboard.evdev
Section titled “ghaf.hardware.definition.input.keyboard.evdev”List of event devices.
Type: list of string
Default:
[ ]Declared by:
ghaf.hardware.definition.input.keyboard.name
Section titled “ghaf.hardware.definition.input.keyboard.name”List of input device names. Can either be a string, or a list of strings. The list option allows binding several input device names to the same evdev. This allows creating one generic hardware definition for multiple SKUs.
Type: list of raw value
Default:
[ ]Declared by:
ghaf.hardware.definition.input.misc
Section titled “ghaf.hardware.definition.input.misc”Name of the misc device(s)
Type: submodule
Default:
{ }Declared by:
ghaf.hardware.definition.input.misc.evdev
Section titled “ghaf.hardware.definition.input.misc.evdev”List of event devices.
Type: list of string
Default:
[ ]Declared by:
ghaf.hardware.definition.input.misc.name
Section titled “ghaf.hardware.definition.input.misc.name”List of input device names. Can either be a string, or a list of strings. The list option allows binding several input device names to the same evdev. This allows creating one generic hardware definition for multiple SKUs.
Type: list of raw value
Default:
[ ]Declared by:
ghaf.hardware.definition.input.mouse
Section titled “ghaf.hardware.definition.input.mouse”Name of the mouse device(s)
Type: submodule
Default:
{ }Declared by:
ghaf.hardware.definition.input.mouse.evdev
Section titled “ghaf.hardware.definition.input.mouse.evdev”List of event devices.
Type: list of string
Default:
[ ]Declared by:
ghaf.hardware.definition.input.mouse.name
Section titled “ghaf.hardware.definition.input.mouse.name”List of input device names. Can either be a string, or a list of strings. The list option allows binding several input device names to the same evdev. This allows creating one generic hardware definition for multiple SKUs.
Type: list of raw value
Default:
[ ]Declared by:
ghaf.hardware.definition.input.touchpad
Section titled “ghaf.hardware.definition.input.touchpad”Name of the touchpad device(s)
Type: submodule
Default:
{ }Declared by:
ghaf.hardware.definition.input.touchpad.evdev
Section titled “ghaf.hardware.definition.input.touchpad.evdev”List of event devices.
Type: list of string
Default:
[ ]Declared by:
ghaf.hardware.definition.input.touchpad.name
Section titled “ghaf.hardware.definition.input.touchpad.name”List of input device names. Can either be a string, or a list of strings. The list option allows binding several input device names to the same evdev. This allows creating one generic hardware definition for multiple SKUs.
Type: list of raw value
Default:
[ ]Declared by:
ghaf.hardware.definition.name
Section titled “ghaf.hardware.definition.name”Name of the hardware
Type: string
Default:
""Declared by:
ghaf.hardware.definition.network.kernelConfig
Section titled “ghaf.hardware.definition.network.kernelConfig”Hardware specific kernel configuration for network devices
Type: submodule
Default:
{ }Declared by:
ghaf.hardware.definition.network.kernelConfig.kernelParams
Section titled “ghaf.hardware.definition.network.kernelConfig.kernelParams”Hardware specific kernel parameters
Type: list of string
Default:
[ ]Example:
[ "intel_iommu=on,sm_on" "iommu=pt" "module_blacklist=i915" "acpi_backlight=vendor" "acpi_osi=linux"]Declared by:
ghaf.hardware.definition.network.kernelConfig.stage1.kernelModules
Section titled “ghaf.hardware.definition.network.kernelConfig.stage1.kernelModules”Hardware specific kernel modules
Type: list of string
Default:
[ ]Example:
[ "i915"]Declared by:
ghaf.hardware.definition.network.kernelConfig.stage2.kernelModules
Section titled “ghaf.hardware.definition.network.kernelConfig.stage2.kernelModules”Hardware specific kernel modules
Type: list of string
Default:
[ ]Example:
[ "i915"]Declared by:
ghaf.hardware.definition.network.pciDevices
Section titled “ghaf.hardware.definition.network.pciDevices”PCI Devices to passthrough to NetVM
Type: list of (submodule)
Default:
[ ]Example:
[{ path = "0000:00:14.3"; vendorId = "8086"; productId = "51f1";}]Declared by:
ghaf.hardware.definition.network.pciDevices.*.name
Section titled “ghaf.hardware.definition.network.pciDevices.*.name”PCI device name (optional)
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.network.pciDevices.*.path
Section titled “ghaf.hardware.definition.network.pciDevices.*.path”PCI device path
Type: string
Declared by:
ghaf.hardware.definition.network.pciDevices.*.productId
Section titled “ghaf.hardware.definition.network.pciDevices.*.productId”PCI Product ID (optional)
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.network.pciDevices.*.qemu.deviceExtraArgs
Section titled “ghaf.hardware.definition.network.pciDevices.*.qemu.deviceExtraArgs”Device additional arguments (optional)
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.network.pciDevices.*.vendorId
Section titled “ghaf.hardware.definition.network.pciDevices.*.vendorId”PCI Vendor ID (optional)
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.skus
Section titled “ghaf.hardware.definition.skus”List of hardware SKUs (Stock Keeping Unit) covered with this definition
Type: list of string
Default:
[ ]Declared by:
ghaf.hardware.definition.type
Section titled “ghaf.hardware.definition.type”Type of hardware (laptop, desktop, server)
Type: string
Default:
"laptop"Declared by:
ghaf.hardware.definition.usb.devices
Section titled “ghaf.hardware.definition.usb.devices”Internal USB device(s) to passthrough.
Each device definition requires a name, and either vendorId and productId, or hostbus and hostport. The latter is useful for addressing devices that may have different vendor and product IDs in the same hardware generation.
Note that internal devices must follow the naming convention to be correctly identified and subsequently used. Current special names are:
- ‘cam0’ for the internal cam0 device
- ‘fpr0’ for the internal fingerprint reader device
Type: list of (submodule)
Default:
[ ]Example:
[ { name = "cam0"; vendorId = "0123"; productId = "0123"; } { name = "fpr0"; hostbus = "3"; hostport = "3"; }]Declared by:
ghaf.hardware.definition.usb.devices.*.hostbus
Section titled “ghaf.hardware.definition.usb.devices.*.hostbus”USB device bus number (optional). If this is set, the hostport must also be set.
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.usb.devices.*.hostport
Section titled “ghaf.hardware.definition.usb.devices.*.hostport”USB device device number (optional). If this is set, the hostbus must also be set.
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.usb.devices.*.name
Section titled “ghaf.hardware.definition.usb.devices.*.name”USB device name. NOT optional for external devices, in which case it must not contain spaces or extravagant characters.
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.usb.devices.*.productId
Section titled “ghaf.hardware.definition.usb.devices.*.productId”USB Product ID (optional). If this is set, the vendorId must also be set.
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.usb.devices.*.vendorId
Section titled “ghaf.hardware.definition.usb.devices.*.vendorId”USB Vendor ID (optional). If this is set, the productId must also be set.
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.definition.usb.devices.*.vmUdevExtraRule
Section titled “ghaf.hardware.definition.usb.devices.*.vmUdevExtraRule”Extra udev rule for the VM to control access of the USB device.
Type: null or string
Default:
nullDeclared by:
ghaf.hardware.devices.audio
Section titled “ghaf.hardware.devices.audio”Audio PCI devices to passthrough.
Type: attribute set
Default:
{ }Declared by:
ghaf.hardware.devices.evdev
Section titled “ghaf.hardware.devices.evdev”Evdev devices to passthrough.
Type: attribute set
Default:
{ }Declared by:
ghaf.hardware.devices.gpus
Section titled “ghaf.hardware.devices.gpus”GPU PCI devices to passthrough.
Type: attribute set
Default:
{ }Declared by:
ghaf.hardware.devices.hotplug
Section titled “ghaf.hardware.devices.hotplug”Enable hotplugging of PCI devices. This allows dynamically adding PCI devices to, or removing them from, the microvm without needing to restart it. Useful for power management and future use cases.
Type: boolean
Default:
trueDeclared by:
ghaf.hardware.devices.nics
Section titled “ghaf.hardware.devices.nics”NIC PCI devices to passthrough.
Type: attribute set
Default:
{ }Declared by:
ghaf.hardware.passthrough.VMs
Section titled “ghaf.hardware.passthrough.VMs”VM USB device map.
Type: attribute set of (submodule)
Default:
{ }Declared by:
ghaf.hardware.passthrough.VMs.<name>.permittedDevices
Section titled “ghaf.hardware.passthrough.VMs.<name>.permittedDevices”List of devices allowed to access by the VM.
Type: list of string
Declared by:
ghaf.hardware.passthrough.evdev.evdevRules
Section titled “ghaf.hardware.passthrough.evdev.evdevRules”Non-USB Input Device Passthrough Rules for GUIVM
Type: list of (attribute set)
Default:
[ { allow = [ { property = "ID_INPUT_MOUSE"; value = "1"; } { property = "ID_INPUT_KEYBOARD"; value = "1"; } { property = "ID_INPUT_TOUCHPAD"; value = "1"; } { property = "ID_INPUT_TOUCHSCREEN"; value = "1"; } { property = "ID_INPUT_TABLET"; value = "1"; } { description = "ThinkPad Extra Buttons"; pathTag = "platform-thinkpad_acpi"; } { description = "Intel HID events"; pathTag = "platform-INTC1070_00"; } { description = "Intel HID events"; pathTag = "platform-INT33D5:00"; } { description = "Dell WMI hotkeys"; pathTag = "platform-PNP0C14:02"; } ]; description = "Non-USB Input Devices for GUIVM"; targetVm = "gui-vm"; }]Declared by:
ghaf.hardware.passthrough.mode
Section titled “ghaf.hardware.passthrough.mode”Passthrough mode for the pre-attached devices defined in hardware.passthrough.usb.devices. Options: “static”, “dynamic”, “user”
- “none”: no passthrough
- “static”: legacy mode, static passthrough via qemu
- “dynamic”: dynamic passthrough via vhotplug at runtime
- “user”: user defined passthrough [Not supported]
Type: string
Default:
"static"Declared by:
ghaf.hardware.passthrough.pci.audiovmRules
Section titled “ghaf.hardware.passthrough.pci.audiovmRules”PCI Device Passthrough Rules for AudioVM
Type: list of (attribute set)
Default:
[ { allow = [ { address = "0000:00:1f.0"; deviceId = "519d"; vendorId = "8086"; } { address = "0000:00:1f.3"; deviceId = "51ca"; vendorId = "8086"; } { address = "0000:00:1f.4"; deviceId = "51a3"; vendorId = "8086"; } { address = "0000:00:1f.5"; deviceId = "51a4"; vendorId = "8086"; } ]; description = "PCI Devices for AudioVM"; targetVm = "audio-vm"; }]Declared by:
ghaf.hardware.passthrough.pci.autoDetectAudio
Section titled “ghaf.hardware.passthrough.pci.autoDetectAudio”Auto-detect audio PCI devices.
Type: boolean
Default:
falseDeclared by:
ghaf.hardware.passthrough.pci.autoDetectGpu
Section titled “ghaf.hardware.passthrough.pci.autoDetectGpu”Auto-detect GPU PCI devices.
Type: boolean
Default:
falseDeclared by:
ghaf.hardware.passthrough.pci.autoDetectNet
Section titled “ghaf.hardware.passthrough.pci.autoDetectNet”Auto-detect network PCI devices.
Type: boolean
Default:
falseDeclared by:
ghaf.hardware.passthrough.pci.guivmRules
Section titled “ghaf.hardware.passthrough.pci.guivmRules”PCI Device Passthrough Rules for GUIVM
Type: list of (attribute set)
Default:
[ { allow = [ { address = "0000:00:02.0"; deviceId = "a7a1"; vendorId = "8086"; } ]; description = "Static PCI Devices for GUIVM"; skipOnSuspend = true; targetVm = "gui-vm"; }]Declared by:
ghaf.hardware.passthrough.pci.netvmRules
Section titled “ghaf.hardware.passthrough.pci.netvmRules”PCI Device Passthrough Rules for NetVM
Type: list of (attribute set)
Default:
[ { allow = [ { address = "0000:00:14.3"; deviceId = "51f1"; vendorId = "8086"; } ]; description = "Static PCI Devices for NetVM"; targetVm = "net-vm"; }]Declared by:
ghaf.hardware.passthrough.pciAcsOverride.enable
Section titled “ghaf.hardware.passthrough.pciAcsOverride.enable”Whether to enable PCIe ACS (Access Control Services) override support for VFIO device assignment.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.hardware.passthrough.pciAcsOverride.ids
Section titled “ghaf.hardware.passthrough.pciAcsOverride.ids”List of specific PCI device IDs (vendor:device in hex) to override ACS. This works for ALL PCI devices including non-PCIe devices.
Use this when you need to split IOMMU groups for specific devices that are not PCIe (e.g., LPC/eSPI devices like Intel 00:1f.x).
Type: list of string
Default:
[ ]Example:
[ "8086:550a" "8086:7702"]Declared by:
ghaf.hardware.passthrough.pciPorts.pcieBusPrefix
Section titled “ghaf.hardware.passthrough.pciPorts.pcieBusPrefix”PCIe bus prefix used for the pcie-root-port QEMU device.
Type: null or string
Default:
"pci_hotplug_"Declared by:
ghaf.hardware.passthrough.pciPorts.pciePortCountForVMs
Section titled “ghaf.hardware.passthrough.pciPorts.pciePortCountForVMs”The number of PCIe ports used for hot-plugging PCI devices to virtual machines.
In order to support hot-plugging of PCIe devices, QEMU virtual machines must have available PCIe ports created by adding pcie-root-port devices at startup. This is used, for example, to pass input devices to the GUI VM as virtio-input-host-pci and to pass through PCI devices from the host (GPU, network, audio devices) as vfio-pci. Additionally, vhotplug can detect PCI devices that are not listed in the static hardware definitions and pass them through as well.
Type: attribute set of signed integer
Default:
{ audio-vm = 7; gui-vm = 7; net-vm = 2;}Example:
{ "vm-name1" = 5; "vm-name2" = 3;}Declared by:
ghaf.hardware.passthrough.qemuExtraArgs
Section titled “ghaf.hardware.passthrough.qemuExtraArgs”Extra arguments to pass to qemu when enabling the internal USB device(s). Qemu arguments for the devices are grouped by vm-name.
Type: attribute set of list of string
Default:
{ }Example:
{ "vm-name1" = [ "-device qemu-xhci -device usb-host,vendorid=0x0001,productid=0x0001" ]; "vm-name2" = [ "-device qemu-xhci -device usb-host,vendorid=0x1234,productid=0x1234" ];}Declared by:
ghaf.hardware.passthrough.usb.audiovmRules
Section titled “ghaf.hardware.passthrough.usb.audiovmRules”USB Device Passthrough Rules for AudioVM
Type: list of (attribute set)
Default:
[ { allow = [ { description = "Audio"; interfaceClass = 1; } { description = "Bluetooth"; interfaceClass = 224; interfaceProtocol = 1; interfaceSubclass = 1; } ]; deny = [ { description = "Video (USB Webcams)"; interfaceClass = 14; } ]; description = "USB Devices for AudioVM"; targetVm = "audio-vm"; }]Declared by:
ghaf.hardware.passthrough.usb.guivmRules
Section titled “ghaf.hardware.passthrough.usb.guivmRules”USB Device Passthrough Rules for GUIVM
Type: list of (attribute set)
Default:
[ { allow = [ { description = "HID Keyboard"; interfaceClass = 3; interfaceProtocol = 1; } { description = "HID Mouse"; interfaceClass = 3; interfaceProtocol = 2; } { description = "Chip/SmartCard (e.g. YubiKey)"; interfaceClass = 11; } { description = "Mass Storage - SCSI (USB drives)"; interfaceClass = 8; interfaceSubclass = 6; } { description = "USB-C alternate modes supported by device"; interfaceClass = 17; } ]; description = "USB Devices for GUIVM"; targetVm = "gui-vm"; }]Declared by:
ghaf.hardware.passthrough.usb.netvmRules
Section titled “ghaf.hardware.passthrough.usb.netvmRules”USB Device Passthrough Rules for NetVM
Type: list of (attribute set)
Default:
[ { allow = [ { description = "Communications - Ethernet Networking"; interfaceClass = 2; interfaceSubclass = 6; } { description = "USB network devices that do not report their class or interfaces"; driverPath = ".*/kernel/drivers/net/usb/.*"; } ]; description = "USB Devices for NetVM"; targetVm = "net-vm"; }]Declared by:
ghaf.hardware.passthrough.usbQuirks.enable
Section titled “ghaf.hardware.passthrough.usbQuirks.enable”Whether to enable quirks for USB devices.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.hardware.passthrough.vhotplug.enable
Section titled “ghaf.hardware.passthrough.vhotplug.enable”Whether to enable hot plugging of USB devices.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.hardware.passthrough.vhotplug.acpiRules
Section titled “ghaf.hardware.passthrough.vhotplug.acpiRules”List of ACPI hot plugging rules.
Type: list of (attribute set)
Default:
[ ]Declared by:
ghaf.hardware.passthrough.vhotplug.api.enable
Section titled “ghaf.hardware.passthrough.vhotplug.api.enable”Enable external API.
Type: boolean
Default:
trueDeclared by:
ghaf.hardware.passthrough.vhotplug.api.allowedCids
Section titled “ghaf.hardware.passthrough.vhotplug.api.allowedCids”List of VSOCK CIDs allowed to connect.
Type: list of signed integer
Default:
[ 4]Example:
[ 3 4 5]Declared by:
ghaf.hardware.passthrough.vhotplug.api.port
Section titled “ghaf.hardware.passthrough.vhotplug.api.port”API port number.
Type: signed integer
Default:
2000Declared by:
ghaf.hardware.passthrough.vhotplug.api.transports
Section titled “ghaf.hardware.passthrough.vhotplug.api.transports”List of supported transports for the API.
Type: list of (one of “tcp”, “unix”, “vsock”)
Default:
[ "vsock" "unix"]Example:
[ "tcp" "unix" "vsock"]Declared by:
ghaf.hardware.passthrough.vhotplug.evdevRules
Section titled “ghaf.hardware.passthrough.vhotplug.evdevRules”List of evdev hot plugging rules.
Type: list of (attribute set)
Default:
[ ]Declared by:
ghaf.hardware.passthrough.vhotplug.pciRules
Section titled “ghaf.hardware.passthrough.vhotplug.pciRules”List of PCI hot plugging rules.
Type: list of (attribute set)
Default:
[ ]Declared by:
ghaf.hardware.passthrough.vhotplug.postpendUsbRules
Section titled “ghaf.hardware.passthrough.vhotplug.postpendUsbRules”List of extra USB rules to be added to the system. Uses the same format as vhotplug.usbRules, and is appended after the default rules. This is useful for adding rules for additional VMs while keeping the ghaf defaults.
Type: list of (attribute set)
Default:
[ ]Declared by:
ghaf.hardware.passthrough.vhotplug.prependUsbRules
Section titled “ghaf.hardware.passthrough.vhotplug.prependUsbRules”List of extra USB rules to be added to the system. Uses the same format as vhotplug.usbRules, and is prepended to the default rules. This is helpful for setting rules where the order of USB device detection matters for additional VMs, while still maintaining the default rules.
Type: list of (attribute set)
Default:
[ ]Declared by:
ghaf.hardware.passthrough.vhotplug.usbRules
Section titled “ghaf.hardware.passthrough.vhotplug.usbRules”List of USB hot plugging rules.
Type: list of (attribute set)
Default:
[ ]Declared by:
ghaf.hardware.passthrough.vhotplug.vms
Section titled “ghaf.hardware.passthrough.vhotplug.vms”List of virtual machines.
Type: list of (attribute set)
Default:
[ { name = "admin-vm"; socket = "/var/lib/microvms/admin-vm/admin-vm.sock"; type = "qemu"; } { name = "audio-vm"; socket = "/var/lib/microvms/audio-vm/audio-vm.sock"; type = "qemu"; } { name = "business-vm"; socket = "/var/lib/microvms/business-vm/business-vm.sock"; type = "qemu"; } { name = "chrome-vm"; socket = "/var/lib/microvms/chrome-vm/chrome-vm.sock"; type = "qemu"; } { name = "comms-vm"; socket = "/var/lib/microvms/comms-vm/comms-vm.sock"; type = "qemu"; } { name = "flatpak-vm"; socket = "/var/lib/microvms/flatpak-vm/flatpak-vm.sock"; type = "qemu"; } { name = "gui-vm"; socket = "/var/lib/microvms/gui-vm/gui-vm.sock"; type = "qemu"; } { name = "net-vm"; socket = "/var/lib/microvms/net-vm/net-vm.sock"; type = "qemu"; } { name = "zathura-vm"; socket = "/var/lib/microvms/zathura-vm/zathura-vm.sock"; type = "qemu"; }]Declared by:
ghaf.hardware.passthrough.vmUdevExtraRules
Section titled “ghaf.hardware.passthrough.vmUdevExtraRules”Extra udev rules to be used by the specified vm.
Type: attribute set of list of string
Default:
{ }Example:
{ "vm-name1" = [ "udev rule 1" "udev rule 2" ];}Declared by:
ghaf.hardware.tpm2.enable
Section titled “ghaf.hardware.tpm2.enable”Whether to enable TPM2 PKCS#11 interface.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.hardware.x86_64.common.enable
Section titled “ghaf.hardware.x86_64.common.enable”Whether to enable Common x86 configs.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.kernel.hardening.enable
Section titled “ghaf.host.kernel.hardening.enable”Enable Ghaf Host hardening feature
Type: boolean
Default:
falseDeclared by:
ghaf.host.kernel.hardening.debug.enable
Section titled “ghaf.host.kernel.hardening.debug.enable”Enable support for debug features in the Ghaf Host
Type: boolean
Default:
falseDeclared by:
ghaf.host.kernel.hardening.inputdevices.enable
Section titled “ghaf.host.kernel.hardening.inputdevices.enable”Enable support for input devices in the Ghaf Host
Type: boolean
Default:
falseDeclared by:
ghaf.host.kernel.hardening.networking.enable
Section titled “ghaf.host.kernel.hardening.networking.enable”Enable support for networking in the Ghaf Host
Type: boolean
Default:
falseDeclared by:
ghaf.host.kernel.hardening.usb.enable
Section titled “ghaf.host.kernel.hardening.usb.enable”Enable support for USB in the Ghaf Host
Type: boolean
Default:
falseDeclared by:
ghaf.host.kernel.hardening.virtualization.enable
Section titled “ghaf.host.kernel.hardening.virtualization.enable”Enable support for virtualization in the Ghaf Host
Type: boolean
Default:
falseDeclared by:
ghaf.host.kernel.memory-wipe.enable
Section titled “ghaf.host.kernel.memory-wipe.enable”Whether to enable memory wiping on boot and on free using kernel configuration (host only).
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.networking.enable
Section titled “ghaf.host.networking.enable”Whether to enable Host networking.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.networking.enableExternalNetworking
Section titled “ghaf.host.networking.enableExternalNetworking”Enable external host networking support. This option currently enables the host NAT, and disables the default configuration of deactivating any additional interfaces. Note that even without this configuration, the host networking can be enabled manually if needed. By default, this option is enabled if no net-vm is defined, or the debug profile is enabled.
Type: boolean
Default:
(!(hasAttr "net-vm" config.microvm.vms)) || config.ghaf.profiles.debug.enableDeclared by:
ghaf.host.networking.bridgeNicName
Section titled “ghaf.host.networking.bridgeNicName”Name of the internal interface
Type: string
Default:
"virbr0"Declared by:
ghaf.host.secureboot.enable
Section titled “ghaf.host.secureboot.enable”Whether to enable Secure Boot support.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.host.secureboot.keysDir
Section titled “ghaf.host.secureboot.keysDir”Path to the directory containing Secure Boot public keys.
Type: string
Default:
"/etc/ghaf/secureboot/keys"Declared by:
ghaf.host.secureboot.keysSource
Section titled “ghaf.host.secureboot.keysSource”Source directory for Secure Boot public keys; set to null to skip installing keys.
Type: null or absolute path
Default:
https://github.com/tiiuae/ghaf/blob/main/modules/secureboot/keysDeclared by:
ghaf.identity.dynamicHostName.enable
Section titled “ghaf.identity.dynamicHostName.enable”Whether to enable runtime human-readable hostname derived from hardware.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.identity.dynamicHostName.digits
Section titled “ghaf.identity.dynamicHostName.digits”Number of decimal digits
Type: signed integer
Default:
10Declared by:
ghaf.identity.dynamicHostName.outputDir
Section titled “ghaf.identity.dynamicHostName.outputDir”Private host-only output dir
Type: absolute path
Default:
"/var/lib/ghaf/identity"Declared by:
ghaf.identity.dynamicHostName.prefix
Section titled “ghaf.identity.dynamicHostName.prefix”Hostname prefix
Type: string
Default:
"ghaf"Declared by:
ghaf.identity.dynamicHostName.shareDir
Section titled “ghaf.identity.dynamicHostName.shareDir”Shared dir exposed to VMs (is available under /etc/common in VMs)
Type: absolute path
Default:
"/persist/common/ghaf"Declared by:
ghaf.identity.dynamicHostName.source
Section titled “ghaf.identity.dynamicHostName.source”Source for generating the hardware ID:
- hardware: Best-effort hardware detection (DMI, disk hardware ID, MAC, machine-id)
- static: Use user-provided static value
- random: Generate random value on first boot (persisted)
Type: one of “hardware”, “static”, “random”
Default:
"hardware"Declared by:
ghaf.identity.dynamicHostName.staticValue
Section titled “ghaf.identity.dynamicHostName.staticValue”Static hardware ID value (only used when source = ‘static’)
Type: null or string
Default:
nullDeclared by:
ghaf.identity.vmHostNameExport.enable
Section titled “ghaf.identity.vmHostNameExport.enable”Whether to enable exporting the dynamic hostname to the VM environment.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.identity.vmHostNameExport.hostnamePath
Section titled “ghaf.identity.vmHostNameExport.hostnamePath”Path to hostname file in VM (usually shared via virtiofs)
Type: string
Default:
"/etc/common/ghaf/hostname"Declared by:
ghaf.identity.vmHostNameSetter.enable
Section titled “ghaf.identity.vmHostNameSetter.enable”Whether to enable setting the VM hostname from the shared hardware-based hostname file.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.identity.vmHostNameSetter.hostnamePath
Section titled “ghaf.identity.vmHostNameSetter.hostnamePath”Path to hostname file in VM (usually shared via virtiofs)
Type: string
Default:
"/etc/common/ghaf/hostname"Declared by:
ghaf.kernel.audiovm
Section titled “ghaf.kernel.audiovm”AudioVM kernel configuration
Type: attribute set
Default:
{ }Declared by:
ghaf.kernel.guivm
Section titled “ghaf.kernel.guivm”GuiVM kernel configuration
Type: attribute set
Default:
{ }Declared by:
ghaf.kernel.host
Section titled “ghaf.kernel.host”Host kernel configuration
Type: attribute set
Default:
{ }Declared by:
ghaf.kernel.netvm
Section titled “ghaf.kernel.netvm”NetVM kernel configuration
Type: attribute set
Default:
{ }Declared by:
ghaf.logging.enable
Section titled “ghaf.logging.enable”Enable logging service. Currently we have grafana alloy running as client which will upload system journal logs to grafana alloy running in admin-vm.
Type: boolean
Default:
falseDeclared by:
ghaf.logging.client.enable
Section titled “ghaf.logging.client.enable”Whether to enable Alloy client service.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.logging.client.endpoint
Section titled “ghaf.logging.client.endpoint”Assign endpoint url value to the alloy.service running in different log producers. This endpoint URL will include protocol, upstream, address along with port value.
Type: string
Default:
"https://192.168.100.5:9999/loki/api/v1/push"Declared by:
ghaf.logging.client.tls.caFile
Section titled “ghaf.logging.client.tls.caFile”CA bundle used to verify the admin-vm TLS terminator certificate.
Type: null or absolute path
Default:
"/etc/givc/ca-cert.pem"Declared by:
ghaf.logging.client.tls.certFile
Section titled “ghaf.logging.client.tls.certFile”Client certificate (PEM) used for mTLS to the admin-vm.
Type: null or absolute path
Default:
"/etc/givc/cert.pem"Declared by:
ghaf.logging.client.tls.keyFile
Section titled “ghaf.logging.client.tls.keyFile”Client private key (PEM) used for mTLS to the admin-vm.
Type: null or absolute path
Default:
"/etc/givc/key.pem"Declared by:
ghaf.logging.client.tls.minVersion
Section titled “ghaf.logging.client.tls.minVersion”Minimum TLS version for the outbound connection.
Type: null or one of “TLS12”, “TLS13”
Default:
"TLS12"Declared by:
ghaf.logging.fss.enable
Enable Forward Secure Sealing (FSS) for systemd journal logs. Automatically enabled when ghaf.logging.enable is true.
FSS provides cryptographic tamper-evidence for audit logs using HMAC-based sealing chains. Any tampering breaks the chain and is detected during verification.
Type: boolean
Default: true
ghaf.logging.fss.keyPath
Directory to store FSS keys and metadata for this component.
Per-component isolation ensures that each component (host and every VM) has an independent FSS key pair, so tampering is detected per component.
Path structure:
- Host: /persist/common/journal-fss/ghaf-host/ (direct persist access)
- VMs: /etc/common/journal-fss/<vm-name>/ (virtiofs mount from host)
Examples:
- Host: /persist/common/journal-fss/ghaf-host/verification-key
- Audio-VM: /etc/common/journal-fss/audio-vm/verification-key
- Admin-VM: /etc/common/journal-fss/admin-vm/verification-key
Contains:
- initialized: sentinel file (prevents re-initialization)
- verification-key: public verification key for independent validation
The sealing key is stored by systemd in /var/log/journal/<machine-id>/fss and should never be exported from the host.
Verification key storage:
- The verification key is extracted once during initial setup.
- CRITICAL: copy verification-key to secure offline storage immediately.
- It is required for independent verification of exported journal archives.
- If it is lost, tamper detection on the device still works, but offline verification is impossible.
Offline verification process:
- Export the journal: journalctl -o export > journal.export
- Transfer journal.export and verification-key to the verification system
- Verify: journalctl --verify --verify-key=<verification-key> --file=journal.export
Key rotation:
- FSS keys are bound to the seal interval and cannot be rotated independently.
- To rotate: clear the journals, delete /persist/common/journal-fss/ghaf-host/initialized, and reboot.
- WARNING: rotation destroys the tamper-evidence chain for existing logs.
- Best practice: archive and verify existing journals before rotation.
Type: absolute path
Default: "/persist/common/journal-fss/ghaf-host"
ghaf.logging.fss.sealInterval
Time interval for sealing journal entries, fixed at key generation.
This interval is set once during ‘journalctl --setup-keys’ and cannot be changed without regenerating the keys. systemd creates a new HMAC seal every interval, advancing the forward-secure key chain.
Shorter intervals give more granular tamper detection but increase storage overhead.
Format: time span (e.g., “15min”, “1h”, “30s”).
Recommended: 15min (systemd default).
Impact of changing sealInterval:
- Requires key regeneration (destroys the existing tamper-evidence chain).
- Shorter intervals (e.g., “5min”):
  - finer tamper detection granularity
  - higher storage overhead (~0.5% per seal)
  - more verification CPU overhead
- Longer intervals (e.g., “1h”):
  - lower storage overhead
  - coarser tamper detection window
  - faster verification
Operational notes:
- The seal interval is embedded in the FSS key structure.
- Changing this value after deployment requires:
  - archiving and verifying existing journals
  - clearing /var/log/journal/<machine-id>/
  - deleting /persist/common/journal-fss/ghaf-host/initialized
  - rebooting to trigger new key generation
- Each VM in the system can use a different seal interval independently.
Type: string
Default: "15min"
ghaf.logging.fss.verifyOnBoot
Run journal verification on system boot.
Verification runs 10 minutes after systemd-journald starts, so that the journal files are ready and FSS setup has completed.
Type: boolean
Default: true
ghaf.logging.fss.verifySchedule
Systemd calendar expression for periodic verification.
Examples: “hourly”, “daily”, “weekly”, “*:0/30” (every 30 min). See systemd.time(7) for the full syntax.
Type: string
Default: "hourly"
ghaf.logging.journalRetention.enable
Enable local journal retention configuration. This configures systemd-journald to retain logs locally for a specified period.
Type: boolean
Default: true
ghaf.logging.journalRetention.MaxFileSec
The maximum time to store entries in a single journal file before rotating to the next one. This setting takes time values which may be suffixed with the units ‘year’, ‘month’, ‘week’, ‘day’, ‘h’ or ‘m’ to override the default time unit of seconds.
Type: string
Default: "1day"
ghaf.logging.journalRetention.maxDiskUsage
Maximum disk space that journal logs can occupy. Accepts sizes like “500M”, “1G”, etc.
Type: string
Default: "500M"
ghaf.logging.journalRetention.maxRetention
Period of time to retain journal logs locally. After this period, old logs are deleted automatically. This setting takes time values which may be suffixed with the units ‘year’, ‘month’, ‘week’, ‘day’, ‘h’ or ‘m’ to override the default time unit of seconds.
Type: string
Default: "30day"
ghaf.logging.listener.address
Listener address to which log producers push their logs and on which the admin-vm alloy.service listens for them.
Type: string
Default: ""
ghaf.logging.listener.port
Listener port for the logproto endpoint that receives logs from the log producers. The same port is opened in the admin-vm firewall.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 9999
ghaf.logging.recovery.enable
Recover journald/alloy after a realtime clock jump (e.g., a manual clock change).
Type: boolean
Default: false
ghaf.logging.recovery.cooldownSeconds
Minimum time between recovery executions.
Type: signed integer
Default: 60
ghaf.logging.recovery.intervalSeconds
Polling interval used by the clock-jump watcher.
Type: signed integer
Default: 5
ghaf.logging.recovery.thresholdSeconds
Only act on clock jumps >= this many seconds.
Type: signed integer
Default: 30
ghaf.logging.server.enable
Whether to enable the logs aggregator server.
Type: boolean
Default: false
Example: true
ghaf.logging.server.endpoint
Endpoint URL for the alloy.service running in the admin-vm. The URL includes the protocol, the upstream address and the port.
Type: null or string
Default: null
ghaf.logging.server.identifierFilePath
Path of the identifier file. The identifier file is a text file holding a unique identification value per machine, so that the origin of logs uploaded to the cloud can be identified.
Type: null or absolute path
Default: "/etc/common/device-id"
Example: "/etc/common/device-id"
ghaf.logging.server.tls.caFile
Optional CA bundle for server verification (e.g., /etc/givc/ca-cert.pem). If null, the system CAs are used.
Type: null or absolute path
Default: "/etc/givc/ca-cert.pem"
ghaf.logging.server.tls.certFile
Client certificate (PEM) used for mTLS.
Type: null or absolute path
Default: "/etc/givc/cert.pem"
ghaf.logging.server.tls.keyFile
Client private key (PEM) used for mTLS.
Type: null or absolute path
Default: "/etc/givc/key.pem"
ghaf.logging.server.tls.minVersion
Minimum TLS version for the outbound connection.
Type: null or one of “TLS12”, “TLS13”
Default: "TLS12"
ghaf.logging.server.tls.remoteCAFile
Optional CA bundle used ONLY for server→REMOTE (Grafana Loki) TLS verification.
Type: null or absolute path
Default: null
ghaf.logging.server.tls.serverName
Expected TLS server_name (SNI), e.g., loki.example.com (optional).
Type: null or string
Default: null
ghaf.logging.server.tls.terminator.backendPort
HTTP backend port for Alloy when the TLS terminator is enabled.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 3101
ghaf.logging.server.tls.terminator.verifyClients
Require client certificates (mTLS).
Type: boolean
Default: true
ghaf.microvm-boot.enable
Whether to enable the ghaf-specific microvm boot order.
Type: boolean
Default: false
Example: true
ghaf.microvm-boot.debug
Whether to enable resource tracing of the ghaf-specific microvm boot order.
Type: boolean
Default: false
Example: true
ghaf.microvm-boot.uiEnabled
Enable the microvm boot order for GUI targets.
Type: boolean
Default: true
ghaf.networking.hosts
List of host entries.
Type: attribute set of (submodule)
Default: { }
ghaf.networking.hosts.<name>.cid
Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null
ghaf.networking.hosts.<name>.interfaceName
Name of the network interface.
Type: null or string
Default: null
ghaf.networking.hosts.<name>.ipv4
IPv4 address as string.
Type: null or string
Default: null
ghaf.networking.hosts.<name>.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0).
Type: null or signed integer
Default: null
Example: 24
ghaf.networking.hosts.<name>.ipv6
IPv6 address as string.
Type: null or string
Default: null
ghaf.networking.hosts.<name>.mac
MAC address as string.
Type: null or string
Default: null
ghaf.networking.hosts.<name>.name
Host name as string.
Type: null or string
Default: null
ghaf.partitioning.disko.enable
Whether to enable the disko partitioning scheme.
Type: boolean
Default: false
Example: true
ghaf.partitioning.disko.imageBuilder.compression
Compression algorithm used for the install image.
Type: one of “none”, “zstd”
Default: "zstd"
ghaf.profiles.debug.enable
Whether to enable the debug profile.
Type: boolean
Default: true
Example: true
ghaf.profiles.graphics.enable
Whether to enable the graphics profile.
Type: boolean
Default: false
Example: true
ghaf.profiles.graphics.autoLogin.enable
Whether to enable automatic login.
When enabled, the system automatically logs in the specified user without requiring credentials at the login screen.
Type: boolean
Default: false
ghaf.profiles.graphics.autoLogin.user
Username to automatically log in as when auto-login is enabled.
This should correspond to a valid user defined in the system configuration.
Type: null or string
Default: null
Example: "ghaf"
ghaf.profiles.graphics.bluetooth.enable
Whether to enable Bluetooth support on the system where the graphics profile is applied.
Type: boolean
Default: false
ghaf.profiles.graphics.bluetooth.applet.enable
Enable the Blueman tray applet.
Type: boolean
Default: true
ghaf.profiles.graphics.bluetooth.applet.useDbusProxy
If true, run the applet via a D-Bus proxy to the audio-vm.
Type: boolean
Default: true
ghaf.profiles.graphics.idleManagement.enable
Whether to enable idle management.
When enabled, the system automatically manages screen blanking and suspension based on user inactivity.
Disabling this option is the same as setting all idle timeouts to ‘0’.
If ‘config.ghaf.services.power-manager.allowSuspend’ is false, suspension will not occur regardless of this setting.
Type: boolean
Default: true
ghaf.profiles.graphics.networkManager.enable
Whether to use NetworkManager on the system where the graphics profile is applied.
Type: boolean
Default: false
ghaf.profiles.graphics.networkManager.applet.enable
Enable the NetworkManager tray applet (nm-applet).
Type: boolean
Default: true
ghaf.profiles.graphics.networkManager.applet.useDbusProxy
If true, run the applet via a D-Bus proxy to the net-vm.
Type: boolean
Default: true
ghaf.profiles.host-hardening.enable
Whether to enable the host hardening profile.
Type: boolean
Default: false
Example: true
ghaf.profiles.laptop-x86.enable
Whether to enable the basic x86 laptop config.
Type: boolean
Default: false
Example: true
ghaf.profiles.laptop-x86.guivmExtraModules
List of additional modules to be passed to the guivm.
Type: unspecified value
Default: [ ]
ghaf.profiles.laptop-x86.netvmExtraModules
List of additional modules to be passed to the netvm.
Type: unspecified value
Default: [ ]
ghaf.profiles.minimal.enable
Whether to enable the minimal profile.
Type: boolean
Default: false
Example: true
ghaf.profiles.release.enable
Whether to enable the release profile.
Type: boolean
Default: false
Example: true
ghaf.qemu.audiovm
Extra qemu arguments for AudioVM.
Type: attribute set
Default: { }
ghaf.qemu.guivm
Extra qemu arguments for GuiVM.
Type: attribute set
Default: { }
ghaf.qemu.netvm
Extra qemu arguments for NetVM.
Type: attribute set
Default: { }
ghaf.reference.appvms.enable
Whether to enable the Ghaf reference appvms module.
Type: boolean
Default: false
Example: true
ghaf.reference.desktop.applications.enable
Whether to enable desktop applications.
Type: boolean
Default: false
Example: true
ghaf.reference.desktop.ghaf-intro.enable
Whether to enable the Ghaf introduction guide.
Type: boolean
Default: false
Example: true
ghaf.reference.passthrough.usb.fingerprintReaders
List of fingerprint readers.
Type: list of attribute set of string
Default: [ ]
ghaf.reference.passthrough.usb.internalWebcams
List of internal USB webcams.
Type: list of attribute set of string
Default: [ ]
ghaf.reference.personalize.keys.enable
Whether to enable personalization of keys for the dev team.
Type: boolean
Default: false
Example: true
ghaf.reference.personalize.keys.authorizedSshKeys
List of authorized ssh keys for the development team.
Type: list of string
Default:
[
  "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIA/pwHnzGNM+ZU4lANGROTRe2ZHbes7cnZn72Oeun/MCAAAABHNzaDo= brian@arcadia"
  "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEJ9ewKwo5FLj6zE30KnTn8+nw7aKdei9SeTwaAeRdJDAAAABHNzaDo= brian@minerva"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILu6O3swRVWAjP7J8iYGT6st7NAa+o/XaemokmtKdpGa brian@builder"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKm9NtS/ZmrxQhY/pbRlX+9O1VaBEd8D9vojDtvS0Ru juliuskoskela@vega"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM3w7NzqMuF+OAiIcYWyP9+J3kwvYMKQ+QeY9J8QjAXm shamma-alblooshi@tii.ae"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB/iv9RWMN6D9zmEU85XkaU8fAWJreWkv3znan87uqTW humaid@tahr"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGOifxDCESZZouWLpoCWGXEYOVbMz53vrXTi9RQe4Bu5 hazaa@nixos"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICwsW+YJw6ukhoWPEBLN93EFiGhN7H2VJn5yZcKId56W mb@mmm"
  "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCsjXKHCkpQT4LhWIdT0vDM/E/3tw/4KHTQcdJhyqPSH0FnwC8mfP2N9oHYFa2isw538kArd5ZMo5DD1ujL5dLk= joerg@turingmachine"
  "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLMlGNda7bilB0+3aMeJSFcB17auBPV0WhW60WlGZsQRF50Z/OgIHAA0/8HaxPmpIOLHv8JO3dCsj+OY1iS4FNo= joerg@turingmachine"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIstCgKDX1vVWI8MgdVwsEMhju6DQJubi3V0ziLcU/2h vunny.sodhi@unikie.com"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINfyjcPGIRHEtXZgoF7wImA5gEY6ytIfkBeipz4lwnj6 Ganga.Ram@tii.ae"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEA7p7hHPvPT6uTU44Nb/p9/DT9mOi8mpqNllnpfawDE tanel@nixos"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIwGPH/oOrD1g15uiPV4gBKGk7f8ZBSyMEaptKOVs3NG jaroslawkurowski@TII-JaroslawKurowski"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHu4r7nCQ6A26HsE4+wIupvXAfVQHgBGXv0+epCho2/m rodrigo.pino@tii.ae"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGll9sWYdGc2xi9oQ25TEcI1D3T4n8MMXoMT+lJdE/KC milla@nixos"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJSuGlmQ/iMu7JGL7L4jVT3d+o4MiOsuh0e1ZVkBUKq gayathri@tii.ae"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINlIpJ9Q1oW1KiFBa12N5K/ecGVeGSBbcD8M9ZjA0TYe kajus.naujokaitis@unikie.com"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPE/CgI8MXyHiiUyt7BXWjQG1pb25b4N3als/dKKPZyD samuli@nixos"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJpTkKsWyFQxWKwL22fghfJnLaOhUtZLlF9h2gdWcoJz everton.dematos@tii.ae"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAolaKCuIUBQSBFGFZI1taNX+JTAr8edqUts7A6k2Kv7"
]
ghaf.reference.profiles.mvp-user-trial.enable
Whether to enable the mvp configuration for apps and services.
Type: boolean
Default: false
Example: true
ghaf.reference.profiles.mvp-user-trial-extras.enable
Whether to enable the mvp configuration for apps and services.
Type: boolean
Default: false
Example: true
ghaf.reference.programs.chromium.enable
Whether to enable Chromium program settings.
Type: boolean
Default: false
Example: true
ghaf.reference.programs.chromium.openInNormalExtension
Whether to enable the browser extension that opens links in the normal browser.
Type: boolean
Default: false
Example: true
ghaf.reference.programs.element-desktop.enable
Whether to enable element-desktop program settings.
Type: boolean
Default: false
Example: true
ghaf.reference.programs.element-desktop.gpsSupport
Whether to enable GPS support for location sharing.
Type: boolean
Default: false
Example: true
ghaf.reference.programs.firefox.enable
Configure Firefox to use the VA-API driver for video decoding.
Note that this requires disabling the RDD sandbox.
Type: boolean
Default: false
ghaf.reference.programs.google-chrome.enable
Whether to enable Google Chrome program settings.
Type: boolean
Default: false
Example: true
ghaf.reference.programs.google-chrome.defaultPolicy
Google Chrome policy options. A list of available policies can be found in the Chrome Enterprise documentation: https://cloud.google.com/docs/chrome-enterprise/policies/
Make sure the selected policy is supported on Linux and by your browser version.
Type: attribute set
Default:
{
  AlwaysOpenPdfExternally = true;
  DefaultBrowserSettingEnabled = true;
  ExtensionInstallForcelist = [ ];
  MetricsReportingEnabled = false;
  PromptForDownloadLocation = true;
}
Example:
{ PromptForDownloadLocation = true; }
ghaf.reference.programs.google-chrome.extensions
List of Chrome extensions to install.
Each entry can be:
- A string: the Chrome extension ID (fetched from the Web Store at runtime)
- A package: a Nix derivation that provides a pre-fetched CRX file (for example, one defined in pkgs.chrome-extensions).
When provided as a package, it must have the following passthru attributes:
- id: the Chrome extension ID.
Type: list of (string or package)
Default: [ ]
Example:
[
  "edacconmaakjimmfgnblocblbcdcpbko" # fetched at runtime from Chrome Web Store
  pkgs.chrome-extensions.session-buddy # pre-packaged, fetched at runtime from local server
]
ghaf.reference.programs.google-chrome.extraOpts
Extra Google Chrome policy options. A list of available policies can be found in the Chrome Enterprise documentation: https://cloud.google.com/docs/chrome-enterprise/policies/
Make sure the selected policy is supported on Linux and by your browser version.
Type: attribute set
Default: { }
Example:
{
  "BrowserSignin" = 0;
  "SyncDisabled" = true;
  "PasswordManagerEnabled" = false;
  "SpellcheckEnabled" = true;
  "SpellcheckLanguage" = [ "de" "en-US" ];
}
ghaf.reference.programs.google-chrome.localExtensionServer.enable
Enable the local extension update HTTP server.
Type: boolean
Default: lib.any (ext: ext.source == "local") config.ghaf.reference.programs.google-chrome.extensions
ghaf.reference.programs.google-chrome.localExtensionServer.port
Port for the local Chrome extension update server.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: 8080
ghaf.reference.programs.google-chrome.openInNormalExtension
Whether to enable the browser extension that opens links in the normal browser.
Type: boolean
Default: false
Example: true
ghaf.reference.programs.google-chrome.policyOwner
Policy files owner.
Type: string
Default: "root"
ghaf.reference.programs.google-chrome.policyOwnerGroup
Policy files group.
Type: string
Default: "root"
ghaf.reference.programs.windows-launcher.enable
Whether to enable the Windows launcher.
Type: boolean
Default: false
Example: true
ghaf.reference.programs.windows-launcher.spice
Whether to enable remote access to the virtual machine using SPICE.
Type: boolean
Default: false
Example: true
ghaf.reference.programs.windows-launcher.spice-host
SPICE host.
Type: string
Default: "192.168.100.2"
ghaf.reference.programs.windows-launcher.spice-port
SPICE port.
Type: signed integer
Default: 5900
ghaf.reference.programs.zathura.enable
Whether to enable Zathura program settings.
Type: boolean
Default: false
Example: true
ghaf.reference.services.enable
Section titled “ghaf.reference.services.enable”Whether to enable Ghaf reference services.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.alpaca-ollama
Section titled “ghaf.reference.services.alpaca-ollama”Whether to enable Alpaca/ollama service.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.chromecast.enable
Section titled “ghaf.reference.services.chromecast.enable”Whether to enable Enable chromecast service.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.chromecast.externalNic
Section titled “ghaf.reference.services.chromecast.externalNic”External network interface
Type: string
Default:
""Declared by:
ghaf.reference.services.chromecast.internalNic
Section titled “ghaf.reference.services.chromecast.internalNic”Internal network interface
Type: string
Default:
""Declared by:
ghaf.reference.services.chromecast.tcpPorts
Section titled “ghaf.reference.services.chromecast.tcpPorts”Chromecast tcp ports
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive) (read only)
Default:
[ 8008 8009]Declared by:
ghaf.reference.services.chromecast.udpPorts
Section titled “ghaf.reference.services.chromecast.udpPorts”Chromecast udp ports
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive) (read only)
Default:
[ 1900 5353]Declared by:
ghaf.reference.services.chromecast.vmName
Section titled “ghaf.reference.services.chromecast.vmName”The name of the chromium/chrome VM to setup chromecast for.
Type: string
Default:
"chrome-vm"Example:
"chrome-vm"Declared by:
ghaf.reference.services.dendrite
Section titled “ghaf.reference.services.dendrite”Whether to enable dendrite-pinecone service.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.dendrite-pinecone.enable
Section titled “ghaf.reference.services.dendrite-pinecone.enable”Whether to enable Enable dendrite pinecone module.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.reference.services.dendrite-pinecone.McastUdpIp
Section titled “ghaf.reference.services.dendrite-pinecone.McastUdpIp”Multicast UDP IP for dendrite pinecone
Type: string
Default:
"239.0.0.114"Declared by:
ghaf.reference.services.dendrite-pinecone.McastUdpPort
Multicast UDP port for dendrite pinecone
Type: string
Default: "60606"

ghaf.reference.services.dendrite-pinecone.McastUdpPortInt
Multicast UDP port for dendrite pinecone
Type: signed integer
Default: 60606

ghaf.reference.services.dendrite-pinecone.TcpPort
TCP port for dendrite pinecone
Type: string
Default: "49000"

ghaf.reference.services.dendrite-pinecone.TcpPortInt
TCP port for dendrite pinecone
Type: signed integer
Default: 49000

ghaf.reference.services.dendrite-pinecone.externalNic
External network interface
Type: string
Default: ""

ghaf.reference.services.dendrite-pinecone.internalNic
Internal network interface
Type: string
Default: ""

ghaf.reference.services.dendrite-pinecone.serverIpAddr
Dendrite server IP address
Type: string
Default: ""

ghaf.reference.services.google-chromecast
Google Chromecast service configuration
Type: submodule
Default: { enable = false; vmName = "chrome-vm"; }

ghaf.reference.services.google-chromecast.enable
Whether to enable the Chromecast service.
Type: boolean
Default: false
Example: true

ghaf.reference.services.google-chromecast.vmName
The name of the Chromium/Chrome VM to set up Chromecast for.
Type: string
Default: "chrome-vm"
Example: "chrome-vm"

ghaf.reference.services.ollama.enable
Whether to enable the ollama service.
Type: boolean
Default: false
Example: true

ghaf.reference.services.proxy-business
Whether to enable the proxy server service.
Type: boolean
Default: false
Example: true

ghaf.reference.services.proxy-server.enable
Whether to enable the proxy server module.
Type: boolean
Default: false
Example: true

ghaf.reference.services.proxy-server.bindPort
Bind port for proxy server
Type: signed integer
Default: 3128

ghaf.reference.services.proxy-server.internalAddress
Internal address for proxy server
Type: string
Default: "192.168.100.1"
ghaf.reference.services.wireguard-gui
Whether to enable the WireGuard GUI service.
Type: boolean
Default: false
Example: true

ghaf.reference.services.wireguard-gui-config.enable
Whether to enable WireGuard GUI config.
Type: boolean
Default: false
Example: true

ghaf.reference.services.wireguard-gui-vmconfig.enabledVmNames
List of VM names where WireGuard GUI should be enabled.
Type: list of string
Default: [ ]
Example: [ "business-vm" "chrome-vm" ]

ghaf.reference.services.wireguard-gui-vmconfig.netVmExternalNic
External network interface
Type: string
Default: ""

ghaf.reference.services.wireguard-gui-vmconfig.serverPortsByVm
List of server ports per VM for WireGuard GUI. Each element has:
- vmName (string)
- serverPorts (list of integers)
Type: list of (submodule)
Default: [ ]
Example:
[
  { serverPorts = [ 51820 51821 ]; vmName = "business-vm"; }
  { serverPorts = [ 51822 ]; vmName = "chrome-vm"; }
]

ghaf.reference.services.wireguard-gui-vmconfig.serverPortsByVm.*.serverPorts
WireGuard server ports for this VM.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default: [ ]

ghaf.reference.services.wireguard-gui-vmconfig.serverPortsByVm.*.vmName
VM name providing WireGuard server ports.
Type: string
ghaf.security.apparmor.enable
Enable AppArmor security.
Type: boolean
Default: false

ghaf.security.audit.enable
Whether to enable audit support.
Type: boolean
Default: false
Example: true

ghaf.security.audit.enableOspp
Enable OSPP rules
Type: boolean
Default: false

ghaf.security.audit.enableStig
Enable STIG rules
Type: boolean
Default: false

ghaf.security.audit.enableVerboseCommon
Include verbose Common audit rules
Type: boolean
Default: false

ghaf.security.audit.enableVerboseOspp
Include verbose OSPP rules
Type: boolean
Default: false

ghaf.security.audit.enableVerboseRebuild
Include verbose nixos-rebuild rule
Type: boolean
Default: false

ghaf.security.audit.commonRules
Common audit rules for host and guests
Type: list of string
Default:
[
  "-a always,exit -F arch=b64 -S execve -F exe=/nix/store/aa4mydg97n9f7ldiclk9by7blw0xwdp6-nix-2.31.3/bin/nix-daemon -k nix-daemon-exec"
  "-a always,exit -F arch=b64 -S execve -S execveat -F exe=/nix/store/aa4mydg97n9f7ldiclk9by7blw0xwdp6-nix-2.31.3/bin/nix -F auid>=1000 -F auid!=unset -k nix-tools"
  "-w /nix/store/aa4mydg97n9f7ldiclk9by7blw0xwdp6-nix-2.31.3/bin/nix -p x -k nix-exec"
  "-w /nix/store/aa4mydg97n9f7ldiclk9by7blw0xwdp6-nix-2.31.3/bin/nix-store -p x -k nix-store"
  "-w /nix/store/aa4mydg97n9f7ldiclk9by7blw0xwdp6-nix-2.31.3/bin/nix-shell -p x -k nix-exec"
  "-w /nix/store/aa4mydg97n9f7ldiclk9by7blw0xwdp6-nix-2.31.3/bin/nix-collect-garbage -p x -k nix-gc"
  "-w /nix/store/aa4mydg97n9f7ldiclk9by7blw0xwdp6-nix-2.31.3/bin/nix-build -p x -k nix-build"
  "-w /nix/store/6j2qbcp8mizpcwnk0b04wbh9f6a57jfq-nixos-rebuild-ng-26.05/bin/nixos-rebuild -p x -k nix-syschange"
  "-w /etc/nix -p wa -k nix_conf"
  "-w /etc/nixos -p wa -k nixos_conf"
  "-w /etc/systemd/system/nix-daemon.service.d -p wa -k nix_daemon_unit"
  "-w /etc/systemd/system/nix-daemon.service -p wa -k nix_daemon_unit"
  "-w /etc/systemd/system/nix-daemon.socket -p war -k nix_daemon_unit"
  "-w /etc/systemd/system/sockets.target.wants/nix-daemon.socket -p wa -k nix_daemon_unit"
  "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv"
  "-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv "
  "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount"
  "-a always,exit -F path=/run/current-system/sw/bin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod"
  "-a always,exit -S all -F path=/run/current-system/sw/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage"
  "-a always,exit -S all -F path=/run/current-system/sw/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_mod"
  "-w /etc/sudoers -p wa -k identity"
  "-w /etc/passwd -p wa -k identity"
  "-w /etc/shadow -p wa -k identity"
  "-w /etc/group -p wa -k identity"
  "-w /var/log/lastlog -p wa -k logins"
  "-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod"
  "-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod"
  "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod"
  "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access"
  "-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access"
  "-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=unset -k module_chng"
  "-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete"
  "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod"
  "--loginuid-immutable"
  "-a always,exit -F arch=b64 -F path=/etc/machine-id -F perm=wa -F key=identity"
  "-w /etc/ssh -p rwxa -k ssh_config_access"
  "-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k privileged-execve"
  "-a always,exit -F arch=b64 -S ptrace -F key=tracing"
  "-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code-injection"
  "-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data-injection"
  "-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register-injection"
  "-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load"
  "-a always,exit -F arch=b64 -S delete_module -F key=module-unload"
]

ghaf.security.audit.debug
Enable audit debug mode
Type: boolean
Default: true

ghaf.security.audit.extraRules
List of additional audit rules
Type: list of string
Default: [ ]

ghaf.security.audit.guest.enable
Enable guest audit rules
Type: boolean
Default: config.ghaf.type != "host";

ghaf.security.audit.guest.rules
Basic guest audit rules
Type: list of string
Default: [ ]

ghaf.security.audit.host.enable
Enable host audit rules
Type: boolean
Default: config.ghaf.type == "host";

ghaf.security.audit.host.rules
Basic host audit rules
Type: list of string
Default:
[
  "-w /nix/var/nix/profiles -p wa -k nix_profiles"
  "-w /nix/var/nix/db -p wa -k nix_db"
  "-w /nix/var/nix/gc.lock -p wa -k nix_gc_lock"
  "-w /run/current-system -p wa -k nix_system"
  "-w /nix/var/nix/profiles/system -p wa -k nix_system"
]
ghaf.security.fail2ban.enable
Whether to enable fail2ban.
Type: boolean
Default: false
Example: true

ghaf.security.fail2ban.sshd-jail-fwmark
Configuration for the SSHD Fail2Ban jail using firewall marks.
Type: submodule
Default: { }

ghaf.security.fail2ban.sshd-jail-fwmark.enable
Whether to enable the sshd custom jail.
Type: boolean
Default: false
Example: true

ghaf.security.fail2ban.sshd-jail-fwmark.blacklistName
Blacklist name for fail2ban
Type: string matching the pattern ^[a-zA-Z]31$
Default: "sshBlacklist"

ghaf.security.fail2ban.sshd-jail-fwmark.fwMarkNum
Firewall mark number to apply to banned IPs when using iptables-ipset-mark.
Type: string
Default: "70"

ghaf.security.pwquality.enable
Whether to enable the password quality check.
Type: boolean
Default: false
Example: true

ghaf.security.pwquality.minDigit
Minimum number of digits required in a password.
Type: signed integer
Default: 1

ghaf.security.pwquality.minLength
Minimum password length.
Type: signed integer
Default: 8

ghaf.security.pwquality.minLowercase
Minimum number of lowercase letters required in a password.
Type: signed integer
Default: 1

ghaf.security.pwquality.minSpecialChar
Minimum number of special characters required in a password.
Type: signed integer
Default: 1

ghaf.security.pwquality.minUppercase
Minimum number of uppercase letters required in a password.
Type: signed integer
Default: 1

ghaf.security.pwquality.rememberOld
Number of old passwords to remember to avoid repetition.
Type: signed integer
Default: 2

ghaf.security.ssh-tarpit.enable
Whether to enable the SSH tarpit.
Type: boolean
Default: false
Example: true

ghaf.security.ssh-tarpit.fwMarkNum
Firewall mark number to apply to banned IPs when using iptables-ipset-mark.
Type: string
Default: "70"

ghaf.security.ssh-tarpit.listenAddress
Interface address to bind the ssh-tarpit daemon to for SSH connections.
Type: string
Default: "0.0.0.0"
Example: "[::]"
ghaf.services.audio.enable
Whether to enable Ghaf audio services.
Type: boolean
Default: false
Example: true

ghaf.services.audio.client.pipewireControl.enable
Whether to enable PipeWire control forwarding to the gui-vm client.
This allows gui-vm to control audio settings via PipeWire. Requires givc to be enabled on both client and server.
To use it, set the PIPEWIRE_RUNTIME_DIR environment variable to /tmp.
PIPEWIRE_RUNTIME_DIR can be set for the entire session, but this is not recommended,
as it may interfere with local PipeWire instances.
Type: boolean
Default: false
Example: true

ghaf.services.audio.client.pipewireControl.socket
Path where the PipeWire socket is available for control operations.
Type: string (read only)
Default: "/tmp/pipewire-0"

ghaf.services.audio.client.remotePulseServerAddress
Address of the remote PulseAudio server to connect to.
This should point to the main Ghaf audio server.
Type: string
Default: "tcp:audio-vm:4714"

ghaf.services.audio.role
The role of this VM in the Ghaf audio topology.
- “server” controls audio hardware and runs the main audio server
- “client” connects to the audio server to play/record (and optionally control) audio
Type: one of “server”, “client”
Default: "client"

ghaf.services.audio.server.debug
Whether to enable debug logs for pipewire and wireplumber.
Type: boolean
Default: false
Example: true

ghaf.services.audio.server.pipewireForwarding.enable
Whether to enable PipeWire socket forwarding to the gui-vm client.
This allows gui-vm to control audio settings via PipeWire. Requires givc to be enabled on both client and server.
Type: boolean
Default: false
Example: true

ghaf.services.audio.server.pipewireForwarding.port
TCP port used for PipeWire socket forwarding to the gui-vm client. This port is used by the PipeWire control socket on the server.
Type: string (read only)
Default: "9013"

ghaf.services.audio.server.pipewireForwarding.socket
Path to the PipeWire socket used for forwarding audio control from the server to the client.
Type: string (read only)
Default: "/tmp/pipewire-export.sock"

ghaf.services.audio.server.pulseaudioTcpControlPort
TCP port used by PipeWire-PulseAudio for control connections.
The Ghaf audio hub server should use this port to connect to the audio server for control operations.
Type: signed integer (read only)
Default: 4715

ghaf.services.audio.server.pulseaudioTcpPort
TCP port used by PipeWire-PulseAudio on the server.
The Ghaf audio hub server should use this port to connect to the audio server.
Type: signed integer (read only)
Default: 4714

ghaf.services.audio.server.restoreOnBoot
Whether to enable restoring PipeWire audio settings on boot from persistent storage.
Type: boolean
Default: true
Example: true
ghaf.services.bluetooth.enable
Whether to enable Bluetooth configurations.
Type: boolean
Default: false
Example: true

ghaf.services.bluetooth.defaultName
Default Bluetooth adapter name.
If unset, BlueZ will attempt to fetch the hostname via the hostnamed D-Bus service. If hostnamed is disabled, BlueZ will fall back to “BlueZ [BlueZ version]”.
Type: string
Default: "Ghaf"

ghaf.services.bluetooth.user
Name of the bluetooth user
Type: string
Default: "bluetooth"

ghaf.services.brightness.enable
Whether to enable brightness control via VirtIO.
Type: boolean
Default: false
Example: true

ghaf.services.brightness.socketPath
The path where the socket needs to be created.
Type: absolute path
Default: "/tmp/brightness.sock"

ghaf.services.create-fake-battery.enable
Whether to enable creating a fake battery device for VMs.
Type: boolean
Default: false
Example: true

ghaf.services.disks.enable
Whether to enable the disk mount daemon.
Type: boolean
Default: false
Example: true

ghaf.services.disks.fileManager
The program to open mounted directories
Type: string
Default: "xdg-open"

ghaf.services.firmware.enable
Whether to enable the placeholder for firmware handling.
Type: boolean
Default: false
Example: true

ghaf.services.fprint.enable
Whether to enable fingerprint reader support.
Type: boolean
Default: false
Example: true

ghaf.services.github.enable
Whether to enable GitHub configurations.
Type: boolean
Default: false
Example: true

ghaf.services.github.clientId
GitHub OAuth client ID for bug reporting. Default is the public GitHub CLI OAuth app client ID.
Type: string
Default: "178c6fc778ccc68e1d6a"

ghaf.services.github.owner
GitHub owner account of the bug reporter issue
Type: string

ghaf.services.github.repo
GitHub repo of the bug reporter issue
Type: string

ghaf.services.github.token
Personal token of the bug reporter GitHub account
Type: string

ghaf.services.hwinfo.enable
Whether to enable the hardware information generation service.
Type: boolean
Default: false
Example: true

ghaf.services.hwinfo.format
Output format for hardware information
Type: value “json” (singular enum)
Default: "json"

ghaf.services.hwinfo.outputDir
Directory where hardware information files will be stored
Type: string
Default: "/var/lib/ghaf-hwinfo"

ghaf.services.hwinfo-guest.enable
Whether to enable hardware information reading tools for guest VMs.
Type: boolean
Default: false
Example: true
ghaf.services.kill-switch.enable
Whether to enable ghaf kill switch support.
Type: boolean
Default: false

ghaf.services.locale.enable
Whether to enable propagating locale changes from the system to givc-cli.
Type: boolean
Default: false
Example: true

ghaf.services.performance.enable
Whether to enable hardware-agnostic Ghaf performance and scheduler optimizations.
For more information, see tuned-main.conf(5), tuned-profiles(7),
and the system76-scheduler documentation.
Type: boolean
Default: false
Example:
# In host
config.ghaf.services.performance = { enable = true; host.enable = true; };
# In GUI VM
config.ghaf.services.performance = { enable = true; gui.enable = true; };

ghaf.services.performance.gui.enable
Whether to enable Ghaf-specific scheduler and power optimizations for gui-vm.
Type: boolean
Default: false
Example: true

ghaf.services.performance.gui.scheduler.enable
Whether to enable system76-scheduler on gui-vm for Ghaf-specific process scheduling.
Type: boolean
Default: true
Example: true

ghaf.services.performance.gui.tuned.enable
Whether to enable the TuneD service on gui-vm for Ghaf-specific performance profiles.
Type: boolean
Default: true
Example: true

ghaf.services.performance.gui.tuned.defaultProfile
Default TuneD profile to use on gui-vm.
Type: string
Default: "gui-balanced"

ghaf.services.performance.host.enable
Whether to enable Ghaf-specific scheduler and power optimizations for the host.
Type: boolean
Default: false
Example: true

ghaf.services.performance.host.scheduler.enable
Whether to enable system76-scheduler on the host for Ghaf-specific process scheduling.
Type: boolean
Default: true
Example: true

ghaf.services.performance.host.thermalLimitMode
Controls how passive thermal limits are applied.
- enabled: Use the platform’s built-in passive thermal limits (typically around 60-70 °C). Boosting and throttling behavior are determined entirely by firmware and ignore thermalLimitTemp.
- ac: Disable the platform’s passive limits when running on AC power, but keep them active on battery. When passive limits are disabled, thermalLimitTemp defines the temperature at which throttling begins. Requires ghaf.services.performance.host.tuned to be enabled.
- disabled: Disable the platform’s passive limits on both AC and battery. Boosting is allowed up to thermalLimitTemp, after which throttling is applied.
Supports Intel CPUs only.
Type: one of “enabled”, “ac”, “disabled”
Default: "ac"

ghaf.services.performance.host.thermalLimitTemp
CPU package temperature (°C) at which passive thermal throttling begins.
Valid values are 60-97 °C. Lower temperatures are at or below typical CPU idle temperatures, while higher values approach the CPU’s hardware thermal ceiling and might cause a system shutdown.
This setting is used only when ghaf.services.performance.host.thermalLimitMode != "enabled".
Raising this value allows the CPU to sustain higher boost clocks before throttling, at the cost of increased temperature, power draw, and fan noise.
Supports Intel CPUs only.
Type: signed integer
Default: 90

ghaf.services.performance.host.tuned.enable
Whether to enable the TuneD service on the host for Ghaf-specific performance profiles.
Type: boolean
Default: true
Example: true

ghaf.services.performance.host.tuned.defaultProfile
Default TuneD profile to use on the host.
Type: string
Default: "host-balanced"

ghaf.services.performance.net.enable
Whether to enable Ghaf-specific power optimizations for net-vm.
Type: boolean
Default: false
Example: true

ghaf.services.performance.net.tuned.enable
Whether to enable the TuneD service on net-vm for Ghaf-specific performance profiles.
Type: boolean
Default: true
Example: true

ghaf.services.performance.net.tuned.defaultProfile
Default TuneD profile to use on net-vm.
Type: string
Default: "net-balanced"

ghaf.services.performance.vm.enable
Whether to enable generalized Ghaf-specific power and performance optimizations for VMs.
This enables the general virtual-guest tuned profile statically: gui-vm power profile changes will not propagate to this VM and no custom scripts will be run.
Type: boolean
Default: false
Example: true
ghaf.services.power-manager.enable
Whether to enable the ghaf power management module. This module provides a set of power management profiles that can be used to manage the system's suspend, resume, and poweroff actions across the system. It only has an effect for a guest or host configuration if one of the profiles is enabled.
Type: boolean
Default: false
Example:
# In host
config.ghaf.services.power-manager.enable = true;
# In GUI VM
config.ghaf.services.power-manager = { vm.enable = true; gui.enable = true; };
# In system VM A
config.ghaf.services.power-manager.vm.enable = true;
# In system VM B
config.ghaf.services.power-manager = { vm = { enable = true; pciSuspend = false; }; };

ghaf.services.power-manager.allowSuspend
Whether to enable system suspension.
If disabled, the system will not respond to suspend requests, and all VMs with a power management profile enabled are prohibited from performing any suspend action.
Type: boolean
Default: true

ghaf.services.power-manager.gui.enable
Whether to enable the GUI power management profile. This profile can be used for the desktop running either in the gui-vm or on the host. If running in a VM and GIVC is enabled, it replaces the default systemd actions for suspend, poweroff, and reboot with givc commands.
Type: boolean
Default: false
Example: true

ghaf.services.power-manager.host.enable
Whether to enable the host power management profile. This profile manages the host’s pre- and post-suspend actions to coordinate guest suspend actions and devices.
Additionally, if a system VM has ghaf.gracefulShutdown = true, enabling this host profile
allows the host to override the VM’s default microvm ExecStop logic, starting
the guest’s poweroff.target and waiting for the VM process to exit.
Type: boolean
Default: false
Example: true

ghaf.services.power-manager.usbSuspend
Whether to enable USB device suspend and resume. When enabled, all USB devices are detached from VMs on suspend and re-attached on resume.
Type: boolean
Default: true

ghaf.services.power-manager.vm.enable
Whether to enable the VM power management profile. This profile can be used for guests to implement custom actions
before and after suspend using the powerManagement options, suspend PCI devices, and/or power
a VM off on suspend.
Type: boolean
Default: false
Example: true

ghaf.services.power-manager.vm.fakeSuspend
Whether to enable fake suspend for guests. This allows running pre- and post-suspend commands, coordinated with the host, without actually suspending the guest internally (which does not work reliably at the moment). This is enabled by default if the VM power management profile and GIVC are enabled. In a gui-vm, this is unnecessary as a blocking GIVC command is used to “suspend” the VM, which is equivalent to a fake suspend.
Type: boolean
Default: "useGivc && !cfg.vm.powerOffOnSuspend && !cfg.gui.enable"

ghaf.services.power-manager.vm.pciSuspend
Whether to enable automatic PCI device suspend for VMs. This affects all PCI devices that are passed through to the guest: it unbinds the PCI drivers in the guest and hotplugs the device in the host. This solution allows many PCI devices to enter low power states during system suspend without suspending the guest itself.
This option is enabled by default if the VM power management profile is enabled. Unless running in a gui-vm, it requires fakeSuspend and GIVC to be enabled for the coordination of guest driver binding and host PCI hotplug actions.
Type: boolean
Default: config.ghaf.services.power-manager.vm.fakeSuspend

ghaf.services.power-manager.vm.pciSuspendServices
List of services to stop before suspend and (re)start during resume. This is useful to gracefully shut down services
that access guest PCI devices. Other suspend/resume commands can be added through the powerManagement options,
or wrapped into systemd services and added to this list.
Type: list of string
Default: [ ]

ghaf.services.power-manager.vm.powerOffOnSuspend
Whether to enable VM poweroff on suspend. This is useful for non-GIVC cases or other suspend-related issues. If enabled, the VM will be powered off on suspend and restarted by the host on resume, which results in longer suspend and resume times as the VM has to be fully stopped and restarted.
Type: boolean
Default: false
ghaf.services.sssd.enable
Section titled “ghaf.services.sssd.enable”Whether to enable SSSD service for Active Directory and LDAP user integration.
Type: boolean
Default:
falseExample:
trueDeclared by:
ghaf.services.sssd.debugLevel
Section titled “ghaf.services.sssd.debugLevel”SSSD debug level. Higher values are more verbose.
Type: null or signed integer
Default:
nullDeclared by:
ghaf.services.sssd.domains
Section titled “ghaf.services.sssd.domains”Active Directory configurations for SSSD.
Type: attribute set
Default:
{ }Declared by:
ghaf.services.sssd.entryCacheNowaitPercentage
Section titled “ghaf.services.sssd.entryCacheNowaitPercentage”The percentage of the cache timeout after which SSSD will return a cached entry immediately and then update it.
Type: signed integer
Default:
50Declared by:
ghaf.services.sssd.extraConfig
Additional SSSD configuration options.
Type: null or strings concatenated with “\n”
Default: null
Declared by:
ghaf.services.sssd.nss.defaultShell
Default shell for user sessions.
Type: null or string
Default: "/run/current-system/sw/bin/bash"
Declared by:
ghaf.services.sssd.nss.extraConfig
Additional NSS configuration options.
Type: null or strings concatenated with “\n”
Default: null
Declared by:
ghaf.services.sssd.nss.homedirTemplate
Home directory template.
Type: null or string
Default: "/home/%u"
Declared by:
ghaf.services.sssd.nss.shellOverride
Shell override for user sessions.
Type: null or string
Default: null
Declared by:
ghaf.services.sssd.pam.displayManagerService
The PAM service name for your display manager (e.g., ‘gdm-password’, ‘greetd’, ‘sddm’).
Type: null or string
Default: "greetd"
Example: "greetd"
Declared by:
ghaf.services.sssd.pam.extraConfig
Additional PAM configuration options.
Type: null or strings concatenated with “\n”
Default: null
Declared by:
ghaf.services.sssd.pam.initGroupsScheme
PAM initgroups scheme. Set to ‘never’ to disable automatic group initialization.
Type: one of “always”, “no_session”, “never”
Default: "never"
Declared by:
ghaf.services.sssd.pam.offlineCredentialsExpiration
Number of days after which offline credentials expire.
Type: signed integer
Default: 7
Declared by:
ghaf.services.sssd.pam.offlineFailedLoginAttempts
Number of failed login attempts before the account is locked.
Type: signed integer
Default: 3
Declared by:
ghaf.services.sssd.pam.offlineFailedLoginDelay
Delay in seconds before allowing another login attempt.
Type: signed integer
Default: 5
Declared by:
ghaf.services.sssd.services
List of services SSSD should provide.
Type: list of string
Default: [ "nss" "pam" ]
Declared by:
ghaf.services.storeWatcher.enable
Whether to enable monitoring of /nix/store for nixos-rebuild copy sessions and flagging interruptions.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.storeWatcher.busyGraceCycles
How many busy-grace cycles to allow (busyGraceCycles * busyGraceSeconds).
Type: unsigned integer, meaning >=0
Default: 5
Declared by:
ghaf.services.storeWatcher.busyGraceSeconds
Extra wait per grace cycle while checking for directory mtime progress.
Type: unsigned integer, meaning >=0
Default: 60
Declared by:
ghaf.services.storeWatcher.quietSeconds
Idle window after the last store event to consider the session quiet.
Type: unsigned integer, meaning >=0
Default: 60
Declared by:
ghaf.services.storeWatcher.sessionResetSeconds
If idle this long since the last event, clear session markers.
Type: unsigned integer, meaning >=0
Default: 1800
Declared by:
ghaf.services.timezone.enable
Whether to enable propagation of timezone changes from the system to givc-cli.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.user-provisioning.enable
Whether to enable the Ghaf provisioning service.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.user-provisioning.enableAD
Enable Active Directory join for provisioning.
Type: boolean (read only)
Default: false
Declared by:
ghaf.services.user-provisioning.enableHomed
Enable systemd-homed user setup for provisioning.
Type: boolean (read only)
Default: false
Declared by:
ghaf.services.wifi.enable
Whether to enable Wifi configuration for the net-vm.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.xpadneo.enable
Whether to enable support for wireless Xbox controllers.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.yubikey.enable
Whether to enable YubiKey support, which provides 2FA.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.services.yubikey.u2fKeys
U2F keys (public keys) retrieved from the YubiKey hardware.
Type: string
Default: [ ]
Example:
"ghaf:SZ2CwN7EAE4Ujfxhm+CediUaT9ngoaMOqsKRDrOC+wUkTriKlc1cVtsxkOSav2r9ztaNKn/OwoHiN3BmsBYdZA==,oIdGgoGmkVrVis1kdzpvX3kXrOmBe2noFrpHqh4VKlq/WxrFk+Du670BL7DzLas+GxIPNjgdDCHo9daVzthIwQ==,es256,+presence:9CEdjOg0YGpvNeisK5OW1hjjg0nRvJDBpr7X8Q4QPtxJP4iC5C6dShTxEpxmLAkqAi8x/jKCDwpt146AYAXfFg==,q8ddSEI2tIyRwB2MhRlrGZRv6ZDkEC2RYn/n33fdmK1KjBkcMy6ELUMQQDVGtsvsiQFbRS3v4qxjsgXF5BVD0A==,es256,+presence+pin"Declared by:
ghaf.shm.enable
Enables shared memory communication between virtual machines (VMs).
Type: boolean
Default: false
Declared by:
ghaf.shm.enable_host
Enables the memsocket functionality on the host system.
Type: boolean
Default: false
Declared by:
ghaf.shm.clientSocketPath
Specifies the location of the output socket, which will be connected to in order to receive data from AppVMs. This socket must be created by another application, such as Waypipe, when operating in client mode.
Type: absolute path
Default: "/run/user/1000/memsocket-client.sock"
Declared by:
ghaf.shm.display
Enables the use of shared memory with Waypipe for Wayland-enabled applications running on virtual machines (VMs), facilitating efficient inter-VM communication.
Type: boolean
Default: false
Declared by:
ghaf.shm.flataddr
Maps the shared memory to a physical address if set to a non-zero value. The address is platform-specific and must be chosen so that it does not conflict with other memory areas, such as PCI regions.
Type: string
Default: "0x920000000"
Declared by:
ghaf.shm.hostSocketPath
Specifies the path to the shared memory socket, used by QEMU instances for inter-VM memory sharing and interrupt signaling.
Type: absolute path
Default: "/tmp/ivshmem_socket"
Declared by:
ghaf.shm.hugePageSz
Specifies the size of the large (huge) memory page area. Supported kernel values are 2 MB and 1 GB.
Type: string
Default: "2M"
Declared by:
ghaf.shm.instancesCount
Number of memory slots allocated in the shared memory region.
Type: signed integer
Default: 0
Declared by:
ghaf.shm.memSize
Specifies the size of the shared memory region, measured in megabytes (MB).
Type: signed integer
Default: 16
Declared by:
ghaf.shm.serverSocketPath
Specifies the path of the listening socket, which is used by Waypipe or other server applications as the output socket in server mode for data transmission.
Type: absolute path
Default: "/run/user/1000/memsocket-server.sock"
Declared by:
ghaf.shm.vms_enabled
List of VMs having access to shared memory.
Type: list of string
Default: [ ]
Declared by:
ghaf.storage.encryption.enable
Whether to enable encryption of the data partition.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.storage.encryption.backendType
The type of device protecting the encryption passphrase.
Type: one of “tpm2”, “fido2”
Default: "tpm2"
Declared by:
ghaf.storage.encryption.deferred
Whether to apply disk encryption on first boot instead of at image creation.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.systemd.enable
Whether to enable the minimal systemd configuration…
Type: boolean
Default: false
Example: true
Declared by:
ghaf.systemd.boot.enable
Enable systemd in stage 1 of the boot (initrd).
Type: unspecified value
Default: true
Declared by:
ghaf.systemd.logLevel
Systemd log verbosity. Must be one of ‘debug’, ‘info’, ‘notice’, ‘warning’, ‘err’, ‘crit’, ‘alert’, ‘emerg’. Defaults to ‘info’.
Type: one of “debug”, “info”, “notice”, “warning”, “err”, “crit”, “alert”, “emerg”
Default: "info"
Declared by:
ghaf.systemd.withApparmor
Enable systemd AppArmor functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withAudio
Enable audio functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withAudit
Enable systemd audit functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withBluetooth
Enable Bluetooth functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withBootloader
Enable systemd bootloader functionality.
Type: boolean
Default: true
Declared by:
ghaf.systemd.withCryptsetup
Enable systemd LUKS2 functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withDebug
Enable systemd debug functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withEfi
Enable systemd EFI functionality.
Type: boolean
Default: true
Declared by:
ghaf.systemd.withFido2
Enable systemd FIDO2 token functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withHardenedConfigs
Enable common hardened configs.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withHomed
Enable systemd-homed for user home directory functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withHostnamed
Enable systemd hostname daemon.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withHwdb
Enable systemd hwdb functionality.
Type: boolean
Default: true
Declared by:
ghaf.systemd.withJournal
Enable systemd journal daemon.
Type: boolean
Default: true
Declared by:
ghaf.systemd.withLocaled
Enable systemd locale daemon.
Type: boolean
Default: true
Declared by:
ghaf.systemd.withLogind
Enable systemd login daemon.
Type: boolean
Default: true
Declared by:
ghaf.systemd.withMachines
Enable systemd container and VM functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withName
Set systemd name.
Type: string
Default: "base-systemd"
Declared by:
ghaf.systemd.withNetworkd
Enable systemd networking daemon.
Type: boolean
Default: true
Declared by:
ghaf.systemd.withNss
Enable systemd Name Service Switch (NSS) functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withOpenSSL
Enable systemd OpenSSL functionality.
Type: boolean
Default: true
Declared by:
ghaf.systemd.withPolkit
Enable systemd polkit functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withRepart
Enable systemd repart functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withResolved
Enable systemd resolve daemon.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withSerial
Enable systemd serial console.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withSysupdate
Enable systemd system update functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withTimesyncd
Enable systemd timesync daemon.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withTpm2Tss
Enable systemd TPM functionality.
Type: boolean
Default: false
Declared by:
ghaf.systemd.withUkify
Enable systemd UKI functionality.
Type: boolean
Default: true
Declared by:
ghaf.type
Type of the ghaf component. One of ‘host’, ‘admin-vm’, ‘system-vm’, or ‘app-vm’.
Type: one of “host”, “admin-vm”, “system-vm”, “app-vm”
Declared by:
ghaf.users.active-directory.domains
Active Directory domain configurations.
Type: attribute set of (submodule)
Default: { }
Declared by:
ghaf.users.active-directory.domains.<name>.enableGlobalCatalog
Enable use of the Active Directory Global Catalog for this domain.
Type: boolean
Default: false
Declared by:
ghaf.users.active-directory.domains.<name>.accessProvider
Access control provider for the domain.
Type: one of “ldap”, “krb5”, “ipa”, “ad”, “simple”, “permit”
Default: "ad"
Declared by:
ghaf.users.active-directory.domains.<name>.ad.controllers
List of Active Directory domain controllers.
Type: list of string
Default: [ ]
Declared by:
ghaf.users.active-directory.domains.<name>.ad.domain
The Active Directory domain name.
Type: null or string
Default: null
Example: "corp.example.com"
Declared by:
ghaf.users.active-directory.domains.<name>.ad.dyndnsUpdate
Whether to automatically update DNS records in AD for this client.
Type: boolean
Default: false
Declared by:
ghaf.users.active-directory.domains.<name>.ad.extraConfig
Additional Active Directory configuration options.
Type: null or strings concatenated with “\n”
Default: null
Declared by:
ghaf.users.active-directory.domains.<name>.ad.gpoAccessControl
Use AD Group Policy Objects (GPOs) to control who can log in.
- permissive: Users are allowed unless explicitly denied by a GPO.
- enforcing: Users are denied unless explicitly allowed by a GPO.
Type: one of “permissive”, “enforcing”, “disabled”
Default: "permissive"
Declared by:
ghaf.users.active-directory.domains.<name>.authProvider
Authentication provider for the domain.
Type: one of “ldap”, “krb5”, “ipa”, “ad”, “idp”, “proxy”, “none”
Default: "krb5"
Declared by:
ghaf.users.active-directory.domains.<name>.cacheCredentials
Cache user credentials for offline logins.
Type: boolean
Default: true
Declared by:
ghaf.users.active-directory.domains.<name>.chpassProvider
Password change provider for the domain.
Type: one of “ldap”, “krb5”, “ipa”, “ad”
Default: "ad"
Declared by:
ghaf.users.active-directory.domains.<name>.description
A short description of the domain.
Type: string
Default: "Default AD domain"
Declared by:
ghaf.users.active-directory.domains.<name>.dnsProvider
DNS provider for the domain.
Type: null or (submodule)
Default: null
Declared by:
ghaf.users.active-directory.domains.<name>.dnsProvider.ipAddress
IP address of the DNS server for the domain.
Type: string
Default: ""
Declared by:
ghaf.users.active-directory.domains.<name>.dnsProvider.name
Name of the DNS provider for the domain.
Type: string
Default: ""
Declared by:
ghaf.users.active-directory.domains.<name>.entryCacheTimeout
How many seconds nss_sss should consider entries valid before asking the backend again.
Type: signed integer
Default: 5400
Declared by:
ghaf.users.active-directory.domains.<name>.extraConfig
Additional domain configuration options.
Type: null or strings concatenated with “\n”
Default: null
Declared by:
ghaf.users.active-directory.domains.<name>.idProvider
Identity provider for the domain.
Type: one of “ldap”, “ipa”, “ad”, “proxy”
Default: "ad"
Declared by:
ghaf.users.active-directory.domains.<name>.krb5.extraConfig
Additional Kerberos configuration options.
Type: null or strings concatenated with “\n”
Default: null
Declared by:
ghaf.users.active-directory.domains.<name>.krb5.kpasswd
List of Kerberos kpasswd servers for password changes.
Type: list of string
Default: [ ]
Declared by:
ghaf.users.active-directory.domains.<name>.krb5.realm
The Kerberos realm.
Type: null or string
Default: null
Declared by:
ghaf.users.active-directory.domains.<name>.krb5.server
List of Kerberos KDC servers.
Type: list of string
Default: [ ]
Declared by:
ghaf.users.active-directory.domains.<name>.ldap.enableSasl
Enable SASL (GSSAPI) authentication for LDAP. Defaults to true.
Type: boolean (read only)
Default: true
Declared by:
ghaf.users.active-directory.domains.<name>.ldap.baseDn
The default search base for LDAP queries.
Type: null or string
Default: null
Declared by:
ghaf.users.active-directory.domains.<name>.ldap.extraConfig
Additional LDAP configuration options.
Type: null or strings concatenated with “\n”
Default: null
Declared by:
ghaf.users.active-directory.domains.<name>.ldap.idMapping
Enable or disable the ID mapping feature. Useful for AD integration without POSIX attributes.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.users.active-directory.domains.<name>.ldap.schema
LDAP schema to use.
Type: null or one of “rfc2307”, “rfc2307bis”, “ipa”, “ad”
Default: null
Example: "ad"
Declared by:
ghaf.users.active-directory.domains.<name>.ldap.tlsCaCert
CA certificate for LDAP TLS as a multi-line string. This will be added to the global certificate store at ‘/etc/ssl/certs/ca-certificates.crt’.
Type: null or strings concatenated with “\n”
Default: null
Example:
''
  -----BEGIN CERTIFICATE-----
  [ Your CA certificate here ]
  -----END CERTIFICATE-----
''
Declared by:
ghaf.users.active-directory.domains.<name>.ldap.tlsReqcert
TLS certificate checking policy.
Type: null or one of “allow”, “try”, “demand”, “hard”
Default: "allow"
Example: "hard"
Declared by:
ghaf.users.active-directory.domains.<name>.ldap.uri
List of LDAP server URIs.
Type: list of string
Default: [ ]
Declared by:
ghaf.users.active-directory.domains.<name>.ldap.useStartTls
Use StartTLS for LDAP connections for ldap:// URIs. Requires tlsCaCert to be set.
Type: boolean
Default: false
Declared by:
ghaf.users.active-directory.domains.<name>.maxId
Maximum UID and GID for this domain. Defaults to no limit (0).
Type: signed integer
Default: 0
Declared by:
ghaf.users.active-directory.domains.<name>.minId
Minimum UID and GID for this domain. Defaults to 1.
Type: signed integer
Default: 1
Declared by:
ghaf.users.active-directory.domains.<name>.useFullyQualifiedNames
Whether to use fully qualified names (e.g., user@DOMAIN) for user accounts. Note that the behavior differs depending on the identity provider used. A value of ‘false’ may break functionality in multi-domain setups.
Type: boolean
Default: false
Declared by:
ghaf.users.adUsers.enable
Whether to enable Active Directory user configuration.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.users.admin.enable
Enable the admin user account. Enabled by default.
Type: boolean
Default: true
Declared by:
ghaf.users.admin.enableUILogin
Allow the admin user to log in via the graphical login manager.
Type: boolean
Default: false
Declared by:
ghaf.users.admin.createHome
Boolean value controlling whether to create the admin home folder. Defaults to config.ghaf.users.admin.enableUILogin.
A value of ‘false’ results in the home directory being set to /var/empty; ‘true’ creates the home directory as /home/<name>.
Type: boolean
Default: false
Declared by:
ghaf.users.admin.extraGroups
Extra groups for the admin user.
Type: list of string
Default: [ ]
Declared by:
ghaf.users.admin.hashedPassword
Hashed password for live updates.
Type: null or string
Default: null
Declared by:
ghaf.users.admin.homeSize
Size of the admin user’s home directory image in megabytes.
Type: signed integer
Default: 10240
Declared by:
ghaf.users.admin.initialHashedPassword
Initial hashed password for the admin user account.
Type: null or string
Default: null
Declared by:
ghaf.users.admin.initialPassword
Default password for the admin user account.
Type: null or string
Default: "ghaf"
Declared by:
ghaf.users.admin.isNormalUser
Whether the admin user is a normal user.
Type: boolean
Default: false
Declared by:
ghaf.users.admin.name
Admin account name. Defaults to ‘ghaf’.
Type: string
Default: "ghaf"
Declared by:
ghaf.users.admin.shell
Login shell for the admin user.
Type: string
Default: "/run/current-system/sw/bin/bash"
Declared by:
ghaf.users.admin.uid
User identifier (uid) for the admin account.
Type: signed integer
Default: 901
Declared by:
ghaf.users.appUser
User account for app-vms running applications.
Type: submodule
Declared by:
ghaf.users.appUser.enable
Whether to enable the auxiliary user account.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.users.appUser.extraGroups
Extra groups for the auxiliary user.
Type: list of string
Default: [ ]
Declared by:
ghaf.users.appUser.name
Auxiliary user’s name.
Type: string
Declared by:
ghaf.users.appUser.uid
Auxiliary user’s UID.
Type: signed integer
Default: 1000
Declared by:
ghaf.users.homedUser
User account for desktop login.
Type: submodule
Default: { }
Declared by:
ghaf.users.homedUser.enable
Whether to enable a single homed user account.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.users.homedUser.extraGroups
Extra groups for the login user.
Type: list of string
Default: [ ]
Declared by:
ghaf.users.homedUser.fidoAuth
Whether to enable FIDO authentication for the login user…
Type: boolean
Default: false
Example: true
Declared by:
ghaf.users.homedUser.fsType
Filesystem type for the home directory.
Type: string
Default: "ext4"
Declared by:
ghaf.users.homedUser.homeSize
Size of the home directory for the login user in MiB (integer). The integer size is inherited from the microvm volume size parameter. Defaults to 400 GiB.
Type: signed integer
Default: 409600
Declared by:
ghaf.users.homedUser.loginShell
Login shell for the user.
Type: string
Default: "/run/current-system/sw/bin/bash"
Declared by:
ghaf.users.homedUser.uid
Login user identifier (uid). Defaults to 1000 for compatibility.
Type: signed integer
Default: 1000
Declared by:
ghaf.users.managed
List of declaratively managed user accounts.
The ghaf user interface for declarative users has the following options:
- No enable flag; a specified account is enabled by default [mandatory]
- name: User name
- vms: List of VMs (or host) the user is enabled in [optional]
- initialPassword: Default password for the user account
- initialHashedPassword: Initial hashed password for the user account
- hashedPassword: Hashed password for live updates
- uid: Optional user identifier (uid). Defaults to null
- gid: Optional primary group identifier (gid). Defaults to null
- createHome: Create home directory for the user
- linger: Enable lingering for the user
- extraGroups: Extra groups for the user
These, like any additional user option, may also be set through the usual NixOS user options.
Type: list of (submodule)
Default: [ ]
Declared by:
ghaf.users.managed.*.createHome
Create home directory for the user.
Type: boolean
Default: true
Declared by:
ghaf.users.managed.*.extraGroups
Extra groups for the user.
Type: list of string
Default: [ ]
Declared by:
ghaf.users.managed.*.gid
Optional primary group identifier (gid). Defaults to null.
Type: null or signed integer
Default: null
Declared by:
ghaf.users.managed.*.hashedPassword
Hashed password for live updates.
Type: null or string
Default: null
Declared by:
ghaf.users.managed.*.initialHashedPassword
Initial hashed password for the user account.
Type: null or string
Default: null
Declared by:
ghaf.users.managed.*.initialPassword
Initial password for the user account.
Type: null or string
Default: null
Declared by:
ghaf.users.managed.*.linger
Enable lingering for the user.
Type: boolean
Default: false
Declared by:
ghaf.users.managed.*.name
User name.
Type: null or string
Default: null
Declared by:
ghaf.users.managed.*.uid
Optional user identifier (uid). Defaults to null.
Type: null or signed integer
Default: null
Declared by:
ghaf.users.managed.*.vms
List of VMs (or host) the user is enabled in.
Type: list of string
Default: [ ]
Declared by:
ghaf.users.profile.ad-users.enable
Whether to enable Active Directory users for UI login. To use this option, you need Active Directory configured as the backend and the SSSD service running locally. It further requires the computer to be enrolled in the Active Directory domain.
Account restrictions such as single-user login on the machine have to be configured via AD policies (e.g., GPO). Otherwise, all domain users will be able to log in to the machine.
Note: This profile is not compatible with the ‘homed-user’ profile.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.users.profile.homed-user.enable
Whether to enable a local systemd-homed managed user. This is the default for a single-user system that does not require remote management.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.users.profile.mutable-users.enable
Whether to enable mutable (configuration-defined) user accounts, which allows local user accounts to be modified at runtime.
This applies only to configuration-‘managed’ user accounts; it does not affect homed or AD users. Passwords and hashes of configuration-defined accounts are stored in the /nix/store and are thus immutable at runtime unless this option is enabled. The same applies to other user attributes such as uid/gid, shell, home directory, groups, etc. Make sure to read the NixOS documentation for users.mutableUsers for more information, such as the priority of the different password and hash options.
This means:
- enabled (true): you can change the password of the configuration-defined user at runtime, but you cannot change the user’s password by rebuilding the system
- disabled (false): all user accounts are immutable and can only be changed via NixOS configuration rebuilds, and hashes (or passwords) will be stored in the /nix/store
Type: boolean
Default: false
Example: true
Declared by:
ghaf.users.proxyUser
User account for system-vms running dbus proxy functionality.
Type: submodule
Declared by:
ghaf.users.proxyUser.enable
Whether to enable the auxiliary user account.
Type: boolean
Default: false
Example: true
Declared by:
ghaf.users.proxyUser.extraGroups
Extra groups for the auxiliary user.
Type: list of string
Default: [ ]
Declared by:
ghaf.users.proxyUser.name
Auxiliary user’s name.
Type: string
Declared by:
ghaf.users.proxyUser.uid
Auxiliary user’s UID.
Type: signed integer
Default: 1000
Declared by:
ghaf.version
The version of Ghaf.
Type: string (read only)
Default: "26.01.1"
Declared by:
ghaf.virtualization.microvm.adminvm.enable
Whether to enable AdminVM.
Type: boolean
Default: false
Example: true
Declared by:
- https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.adminvm.extraModules
List of additional modules to be imported and evaluated as part of AdminVM’s NixOS configuration.
Type: unspecified value
Default: [ ]
Declared by:
- https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.adminvm.extraNetworking
Extra networking options.
Type: submodule
Default: { }
Declared by:
- https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.adminvm.extraNetworking.cid
Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null
Declared by:
- https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.adminvm.extraNetworking.interfaceName
Name of the network interface.
Type: null or string
Default: null
Declared by:
- https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.adminvm.extraNetworking.ipv4
IPv4 address as string.
Type: null or string
Default: null
Declared by:
- https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.adminvm.extraNetworking.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0).
Type: null or signed integer
Default: null
Example: 24
Declared by:
- https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.adminvm.extraNetworking.ipv6
IPv6 address as string.
Type: null or string
Default: null
Declared by:
- https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.adminvm.extraNetworking.mac
MAC address as string.
Type: null or string
Default: null
Declared by:
- https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm
ghaf.virtualization.microvm.adminvm.extraNetworking.name
Section titled “ghaf.virtualization.microvm.adminvm.extraNetworking.name”Host name as string.
Type: null or string
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.enable
Section titled “ghaf.virtualization.microvm.appvm.enable”Whether to enable appvm.
Type: boolean
Default:
falseExample:
trueDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.extraModules
Section titled “ghaf.virtualization.microvm.appvm.extraModules”List of additional modules to be imported and evaluated as part of appvm’s NixOS configuration.
Type: unspecified value
Default:
[ ]Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms
Section titled “ghaf.virtualization.microvm.appvm.vms”List of AppVMs to be created
Type: attribute set of (submodule)
Default:
{ }Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.enable
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.enable”Whether to enable this virtual machine.
Type: boolean
Default:
falseExample:
trueDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.packages
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.packages”Packages that are included into the AppVM
Type: list of package
Default:
[ ]Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.applications
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.applications”Applications to include in the AppVM
Type: list of (submodule)
Default:
[ ]Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.packages
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.packages”A list of packages required for the application
Type: list of package
Default:
[ ]Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.command
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.command”The command to run the application
Type: string
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.description
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.description”A brief description of the application
Type: string
Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.extraModules
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.extraModules”Additional modules required for the application
Type: list of (attribute set)
Default:
[ ]Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.givcArgs
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.givcArgs”A list of GIVC arguments for the application
Type: list of string
Default:
[ ]Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.givcName
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.givcName”GIVC name for the application
Type: string
Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.icon
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.icon”Application icon
Type: string
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.name
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.applications.*.name”The name of the application
Type: string
Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.balloonRatio
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.balloonRatio”Amount of dynamic RAM for this AppVM as a multiple of ramMb
Type: signed integer or floating point number
Default:
2Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.bootPriority
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.bootPriority”Boot priority of the AppVM.
Type: one of “low”, “medium”, “high”
Default:
"medium"Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.borderColor
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.borderColor”Border color of the AppVM window
Type: null or string
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.cores
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.cores”Amount of processor cores for this AppVM
Type: signed integer
Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.extraModules
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.extraModules”List of additional modules to be imported and evaluated as part of appvm’s NixOS configuration.
Type: unspecified value
Default:
[ ]Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking”Extra Networking option
Type: submodule
Default:
{ }Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.cid
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.cid”Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.interfaceName
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.interfaceName”Name of the network interface.
Type: null or string
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.ipv4
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.ipv4”IPv4 address as string.
Type: null or string
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.ipv4SubnetPrefixLength
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.ipv4SubnetPrefixLength”The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0)
Type: null or signed integer
Default:
nullExample:
24Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.ipv6
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.ipv6”IPv6 address as string.
Type: null or string
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.mac
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.mac”MAC address as string.
Type: null or string
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.name
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.extraNetworking.name”Host name as string.
Type: null or string
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.ghafAudio.enable
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.ghafAudio.enable”Whether to enable Ghaf application audio support.
Type: boolean
Default:
falseExample:
trueDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.ramMb
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.ramMb”Minimum amount of RAM for this AppVM
Type: signed integer
Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.usbPassthrough
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.usbPassthrough”List of USB passthrough rules for this AppVM
Type: unspecified value
Default:
[ ]Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.vtpm.enable
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.vtpm.enable”Whether to enable vTPM support in the virtual machine.
Type: boolean
Default:
falseExample:
trueDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.vtpm.basePort
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.vtpm.basePort”vsock port where the remote swtpm will listen on.
Control channel is on <basePort> and data channel on
<basePort+1>.
Set this option when runInVM is true.
Type: null or signed integer
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.vtpm.runInVM
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.vtpm.runInVM”Whether to run the swtpm instance on a separate VM or on the host. If set to false, the daemon runs on the host and keys are stored on the host filesystem. If true, the swtpm daemon runs in the admin VM. This setup makes it harder for a host process to access the guest keys.
Type: boolean
Default:
falseDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.waypipe.enable
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.waypipe.enable”Enable waypipe for this VM
Type: boolean
Default:
trueDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.appvm.vms.<name>.yubiProxy
Section titled “ghaf.virtualization.microvm.appvm.vms.<name>.yubiProxy”Whether to enable 2FA token proxy.
Type: boolean
Default:
falseExample:
trueDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
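The following NixOS module is an added example, not code from the Ghaf repository, showing how the ghaf.virtualization.microvm.appvm.vms options above fit together for one AppVM, together with assertions that catch the two misconfigurations the option descriptions warn about: a vsock CID that collides with the reserved values 0, 1 and 2, and vtpm.runInVM set without a basePort. The VM name, package, addresses, CID, MAC and port numbers are assumptions chosen for illustration. The uniqueness check on basePort/basePort+1 pairs is the example's own, derived from the description that the swtpm control and data channels occupy those two vsock ports and that all remote swtpm instances run in the admin VM.

```nix
# Added example (not part of the Ghaf project): one AppVM plus sanity assertions
# over every enabled AppVM. All concrete values below are assumptions.
{ config, lib, pkgs, ... }:
let
  vms = config.ghaf.virtualization.microvm.appvm.vms;
  vmList = lib.attrValues (lib.filterAttrs (_: vm: vm.enable) vms);

  # vsock CIDs that were set explicitly (null means the option was left unset)
  cids = lib.filter (c: c != null) (map (vm: vm.extraNetworking.cid) vmList);

  # Every remote swtpm uses <basePort> (control) and <basePort+1> (data);
  # collect both ports of each VM whose swtpm runs in the admin VM.
  tpmPorts = lib.concatMap (vm: [ vm.vtpm.basePort (vm.vtpm.basePort + 1) ])
    (lib.filter (vm: vm.vtpm.enable && vm.vtpm.runInVM && vm.vtpm.basePort != null) vmList);
in
{
  ghaf.virtualization.microvm.appvm = {
    enable = true;

    # Assumed VM name "browser"; the attribute name is the VM's key in appvm.vms.
    vms.browser = {
      enable = true;
      ramMb = 2048;          # minimum RAM, in MB
      balloonRatio = 2;      # up to 2 * ramMb of dynamic RAM
      cores = 2;
      bootPriority = "high";
      borderColor = "#ff5733";
      packages = [ pkgs.firefox ];
      applications = [
        {
          name = "Firefox";
          description = "Web browser isolated in its own AppVM";
          command = "${pkgs.firefox}/bin/firefox";
          givcName = "firefox";   # assumed GIVC service name
        }
      ];
      extraNetworking = {
        name = "browser-vm";            # assumed host name
        cid = 100;                      # assumed guest CID, must be >= 3
        ipv4 = "192.168.100.10";        # assumed address
        ipv4SubnetPrefixLength = 24;
        mac = "02:00:00:00:01:0a";      # assumed locally administered MAC
      };
      vtpm = {
        enable = true;
        runInVM = true;    # keep TPM state out of the host filesystem
        basePort = 9100;   # assumed: control on 9100, data on 9101
      };
      waypipe.enable = true;
      ghafAudio.enable = false;
      yubiProxy = false;
    };
  };

  assertions = [
    {
      assertion = lib.all (c: c >= 3) cids;
      message = "AppVM vsock CIDs 0, 1 and 2 are reserved (hypervisor, loopback, host)";
    }
    {
      assertion = lib.length cids == lib.length (lib.unique cids);
      message = "Two enabled AppVMs share the same vsock CID";
    }
    {
      assertion = lib.all
        (vm: !(vm.vtpm.enable && vm.vtpm.runInVM) || vm.vtpm.basePort != null)
        vmList;
      message = "vtpm.basePort must be set when vtpm.runInVM is true";
    }
    {
      assertion = lib.length tpmPorts == lib.length (lib.unique tpmPorts);
      message = "Remote swtpm port pairs (basePort, basePort+1) overlap between AppVMs";
    }
  ];
}
```

Import this module alongside the Ghaf microvm module; the assertions are evaluated at build time, so a CID of 2 or a second AppVM with basePort = 9101 fails the build instead of producing a VM whose vsock or swtpm channel silently collides with another one.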
ghaf.virtualization.microvm.audiovm.enable
Whether to enable AudioVM.
Type: boolean
Default: false
Example: true
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.audiovm.audio
Enable the audio module configuration.
Type: boolean
Default: true
Declared by:
ghaf.virtualization.microvm.audiovm.extraModules
List of additional modules to be imported and evaluated as part of AudioVM’s NixOS configuration.
Type: unspecified value
Default: [ ]
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.audiovm.extraNetworking
Extra networking options for AudioVM (vsock CID, interface name, IP addresses, MAC address and host name).
Type: submodule
Default: { }
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.audiovm.extraNetworking.cid
Vsock CID (Context IDentifier) as integer. Guest CIDs start at 3; the following values are reserved:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.audiovm.extraNetworking.interfaceName
Name of the network interface.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.audiovm.extraNetworking.ipv4
IPv4 address as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.audiovm.extraNetworking.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0).
Type: null or signed integer
Default: null
Example: 24
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.audiovm.extraNetworking.ipv6
IPv6 address as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.audiovm.extraNetworking.mac
MAC address as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.audiovm.extraNetworking.name
Host name as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.enable
Whether to enable GUIVM.
Type: boolean
Default: false
Example: true
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.applications
Applications to include in the GUIVM.
Type: list of (submodule)
Default: [ ]
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.applications.*.command
The command to run the application.
Type: string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.applications.*.description
A brief description of the application.
Type: string
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.applications.*.icon
Application icon.
Type: string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.applications.*.name
The name of the application.
Type: string
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.brightness
Enable the brightness module configuration.
Type: boolean
Default: true
Declared by:
ghaf.virtualization.microvm.guivm.extraModules
List of additional modules to be imported and evaluated as part of GUIVM’s NixOS configuration.
Type: unspecified value
Default: [ ]
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.extraNetworking
Extra networking options for GUIVM (vsock CID, interface name, IP addresses, MAC address and host name).
Type: submodule
Default: { }
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.extraNetworking.cid
Vsock CID (Context IDentifier) as integer. Guest CIDs start at 3; the following values are reserved:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.extraNetworking.interfaceName
Name of the network interface.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.extraNetworking.ipv4
IPv4 address as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.extraNetworking.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0).
Type: null or signed integer
Default: null
Example: 24
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.extraNetworking.ipv6
IPv6 address as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.extraNetworking.mac
MAC address as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.extraNetworking.name
Host name as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.guivm.fprint
Enable the fingerprint module configuration.
Type: boolean
Default: true
Declared by:
ghaf.virtualization.microvm.guivm.yubikey
Enable the YubiKey module configuration.
Type: boolean
Default: true
Declared by:
ghaf.virtualization.microvm.idsvm.enable
Whether to enable IDS-VM on the system.
Type: boolean
Default: false
Example: true
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.idsvm.extraModules
List of additional modules to be imported and evaluated as part of IDSVM’s NixOS configuration.
Type: unspecified value
Default: [ ]
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.idsvm.extraNetworking
Extra networking options for IDSVM (vsock CID, interface name, IP addresses, MAC address and host name).
Type: submodule
Default: { }
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.idsvm.extraNetworking.cid
Vsock CID (Context IDentifier) as integer. Guest CIDs start at 3; the following values are reserved:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.idsvm.extraNetworking.interfaceName
Name of the network interface.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.idsvm.extraNetworking.ipv4
IPv4 address as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm
ghaf.virtualization.microvm.idsvm.extraNetworking.ipv4SubnetPrefixLength
Section titled “ghaf.virtualization.microvm.idsvm.extraNetworking.ipv4SubnetPrefixLength”The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0)
Type: null or signed integer
Default:
nullExample:
24Declared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.idsvm.extraNetworking.ipv6
Section titled “ghaf.virtualization.microvm.idsvm.extraNetworking.ipv6”IPv6 address as string.
Type: null or string
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.idsvm.extraNetworking.mac
Section titled “ghaf.virtualization.microvm.idsvm.extraNetworking.mac”MAC address as string.
Type: null or string
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)
ghaf.virtualization.microvm.idsvm.extraNetworking.name
Section titled “ghaf.virtualization.microvm.idsvm.extraNetworking.name”Host name as string.
Type: null or string
Default:
nullDeclared by:
- [https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix, via option flake.nixosModules.microvm)

ghaf.virtualization.microvm.idsvm.mitmproxy.enable
Whether to enable mitmproxy on ids-vm.
Type: boolean
Default: false
Example: true
Declared by:

ghaf.virtualization.microvm.idsvm.mitmproxy.webUIEnabled
Whether to enable the mitmproxy web UI on ids-vm.
Type: boolean
Default: false
Declared by:

ghaf.virtualization.microvm.idsvm.mitmproxy.webUIPort
Mitmweb UI port.
Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive) (read only)
Default: [ 8081 ]
Declared by:

ghaf.virtualization.microvm.idsvm.mitmproxy.webUIPswd
Mitmweb UI password.
Type: string (read only)
Default: "ghaf"
Declared by:

ghaf.virtualization.microvm.netvm.enable
Whether to enable NetVM.
Type: boolean
Default: false
Example: true
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm.netvm.extraModules
List of additional modules to be imported and evaluated as part of NetVM’s NixOS configuration.
Type: unspecified value
Default: [ ]
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm.netvm.extraNetworking
Extra Networking option
Type: submodule
Default: { }
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm.netvm.extraNetworking.cid
Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm.netvm.extraNetworking.interfaceName
Name of the network interface.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm.netvm.extraNetworking.ipv4
IPv4 address as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm.netvm.extraNetworking.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0).
Type: null or signed integer
Default: null
Example: 24
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm.netvm.extraNetworking.ipv6
IPv6 address as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm.netvm.extraNetworking.mac
MAC address as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm.netvm.extraNetworking.name
Host name as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm.netvm.wifi
Enable Wifi module configuration.
Type: boolean
Default: true
Declared by:

ghaf.virtualization.microvm.storeOnDisk
Global setting for all MicroVMs: use storeOnDisk (erofs compressed image) instead of a shared virtiofs /nix/store.
- When true: all VMs use storeOnDisk (compressed, less memory).
- When false: all VMs use sharedStore (virtiofs, more memory).
Default is false (shared store for an easier development experience).
This setting is read by MicroVMs via configHost.ghaf.virtualization.microvm.storeOnDisk to configure their /nix/store access method.
Type: boolean
Default: false
Declared by:

ghaf.virtualization.microvm-host.enable
Whether to enable MicroVM Host.
Type: boolean
Default: false
Example: true
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm-host.extraNetworking
Extra Networking option
Type: submodule
Default: { }
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm-host.extraNetworking.cid
Vsock CID (Context IDentifier) as integer:
- VMADDR_CID_HYPERVISOR (0) is reserved for services built into the hypervisor
- VMADDR_CID_LOCAL (1) is the well-known address for local communication (loopback)
- VMADDR_CID_HOST (2) is the well-known address of the host
Type: null or signed integer
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm-host.extraNetworking.interfaceName
Name of the network interface.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm-host.extraNetworking.ipv4
IPv4 address as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm-host.extraNetworking.ipv4SubnetPrefixLength
The IPv4 subnet prefix length (e.g. 24 for 255.255.255.0).
Type: null or signed integer
Default: null
Example: 24
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm-host.extraNetworking.ipv6
IPv6 address as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm-host.extraNetworking.mac
MAC address as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm-host.extraNetworking.name
Host name as string.
Type: null or string
Default: null
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm-host.networkSupport
Whether to enable Network support services to run host applications…
Type: boolean
Default: false
Example: true
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm-host.sharedVmDirectory.enable
Whether to enable shared directory.
Type: boolean
Default: true
Example: true
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm-host.sharedVmDirectory.inotifyPassthrough
Whether to enable inotify passthrough.
Type: boolean
Default: true
Example: true
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.microvm-host.sharedVmDirectory.vms
List of names of virtual machines for which the unsafe shared folder will be enabled.
Type: list of string
Default: [ ]
Declared by:
- [modules/microvm/flake-module.nix](https://github.com/tiiuae/ghaf/blob/main/modules/microvm/flake-module.nix), via option flake.nixosModules.microvm

ghaf.virtualization.nvidia-docker.daemon.enable
Whether to enable Nvidia Docker Daemon.
Type: boolean
Default: false
Example: true
Declared by:

ghaf.virtualization.nvidia-podman.daemon.enable
Whether to enable Nvidia Podman Daemon.
Type: boolean
Default: false
Example: true
Declared by:

ghaf.virtualization.storagevm-encryption.enable
Whether to enable encryption of the VM storage area for all VMs.
Type: boolean
Default: false
Example: true
Declared by: