You didn't specify what certfile
looks like in the first line. If it's a variable thats populated with a builtins.readFile
, you can skip that step and just populate the variable yourself.
$> nixos-option security.pki.certificates
Value:
[ "-----BEGIN CERTIFICATE-----
... edited for brevity .... " ]
Default:
[ ]
Example:
[ "NixOS.org\n=========\n-----BEGIN CERTIFICATE-----\nMIIGUDCCBTigAwIBAgIDD8KWMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ\nTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0\n...\n-----END CERTIFICATE-----\n" ]
Description:
A list of trusted root certificates in PEM format.
Declared by:
"/etc/nixos/nixpkgs/nixos/modules/security/ca.nix"
Defined by:
"/etc/nixos/user.nix
So, setting security.pki.certificates [ "insert certificate here" ];
would eliminate the file dependency and then the configuration is self contained.
Otherwise, if you wanted to keep the content out of the configuration, you'd need to create packaging/a derivation for it and add it to the store.
NixOS community has three manuals, always consult them first, if you're stuck:
Every package on Nix is specified by a Nix expression. A Nix expression is some text, written in Nix language, typically residing in a file with extension .nix
.
Every expression has the so-called “symbolic name”, a human-readable name that is printed, when you use nix-env
. See sample Nix expression. Nix itself doesn't use this symbolic name anywhere internally, so it doesn't matter if your package is named aspell-dict-en
, it's just for your, human's, convenience.
What actually matters is the so-called “attribute path”. So your confusion is between symbolic name and attribute path. Every package has an attribute path, which you can use in environment.systemPackages
configuration option to install system-wide using declarative package management.
To find out your package's attribute path, add another flag -P
to your query:
$ nix-env -qaP 'aspell.*en'
nixos.aspellDicts.en aspell-dict-en-7.1-0
You should be comfortable using nix-env
on a daily basis, so practice calling nix-env
with --query
and --install
options. However you can also browse packages and find out their attribute paths online on Nix packages search. Type aspell
, click on aspell-dict-en
and you'll see various package's properties, including attribute path as part of the install command:
$ nix-env -iA nixos.pkgs.aspellDicts.en
Now you can put this attribute path into /etc/nixos/configuration.nix
:
environment.systemPackages = with pkgs; [
aspellDicts.en
];
Then update the system by running sudo nixos-rebuild switch
.
Best Answer
Nix expressions
A Nix expression is like any programming language expression: anything that evaluates to a value or a function. A value in this case can also be a list or a set. As a Nix module (file with extension
.nix
) can contain any Nix expression, you would expect the NixOS configuration file (/etc/nixos/configuration.nix
) to contain a single Nix expression as its file contents.The NixOS configuration file contains a Nix expression of the form:
If you look closely, you can see it's a function, because functions follow the form
pattern: form
. You can also see it's a function that accepts a set and returns a set. E.g., if you have a functionf = {x, y}: {a = x + y;}
, then you could call it asf {x=1; y=2;}
and get back a set{a=3;}
.So that means that when you call
nixos-rebuild switch
, something calls the function inside the NixOS configuration file with the set that must contain attributesconfig
andpkgs
.imports
Following example of
./hardware-configuration.nix
, the simple way to extract the list of packages into a separate modulepackages.nix
is just to rip theenvironment.systemPackages
option out and put./packages.nix
intoimports
option. Your/etc/nixos/configuration.nix
would look like:Your
/etc/nixos/packages.nix
would look like:How does that work? When you run
nixos-rebuild switch
, the process that evaluates Nix expressions and decides to install packages and so on callsconfiguration.nix
with a set of attributes, some of which areconfig
andpkgs
.It finds attribute
imports
inside the returned set, so it evaluates every Nix expression in the modules thatimports
contains with the same arguments (config
,pkgs
, etc).You must have
pkgs
as an argument (or, technically speaking, an attribute of a set, which itself is an argument) of a function inpackages.nix
, because, from a Nix language perspective, the process might or might not call the function with the set that containspkgs
. If it doesn't, what attribute would you refer to, when runningwith pkgs
?You also must have ellipsis, because the function might be called with other attributes, not just
pkgs
.Why isn't there
pkgs
inconfiguration.nix
? You can have it, but if you don't refer to it anywhere in the file, you can safely omit it, as the ellipsis would include them anyway.Updating an attribute by calling an external function
Another way is just to make a function that returns a set with some attribute, and the value of that attribute you would put inside
environment.systemPackages
. This is yourconfiguration.nix
:Your
packages.nix
:import ./packages.nix pkgs
means: load and return the Nix expression in./packages.nix
and as it is a function, call it with an argumentpkgs
.with pkgs; [ emacs gitFull ]
is a with-expression, it brings the scope of the expression before semicolon to the expression after semicolon. Without it, it would be[ pkgs.emacs pkgs.gitFull ]
.