Misskey

Create the PostgreSQL database locally. Sets services.misskey.settings.db.{db,host,port,user,pass}.

The path to a file containing the database password. Sets services.misskey.settings.db.pass.

Whether to enable misskey.

Create and use a local Meilisearch instance. Sets services.misskey.settings.meilisearch.{host,port,ssl}.

The path to a file containing the Meilisearch API key. Sets services.misskey.settings.meilisearch.apiKey.

The misskey package to use.

Create and use a local Redis instance. Sets services.misskey.settings.redis.host.

The path to a file containing the Redis password. Sets services.misskey.settings.redis.pass.

Whether to enable a HTTP reverse proxy for Misskey.

The fully qualified domain name to bind to. Sets services.misskey.settings.url.

This is required when using services.misskey.reverseProxy.enable = true.

Whether to enable SSL for the reverse proxy. Sets services.misskey.settings.url.

This is required when using services.misskey.reverseProxy.enable = true.

The webserver to use as the reverse proxy.

Extra configuration for the caddy virtual host of Misskey. Set to { } to use the default configuration.

Additional lines of configuration appended to this virtual host in the automatically generated Caddyfile.

Canonical hostname for the server.

A list of host interfaces to bind to for this virtual host.

Configuration for HTTP request logging (also known as access logs). See https://caddyserver.com/docs/caddyfile/directives/log#log for details.

Additional names of virtual hosts served by this virtual host configuration.

A host of an existing Let's Encrypt certificate to use. This is mostly useful if you use DNS challenges but Caddy does not currently support your provider.

Note that this option does not create any certificates, nor does it add subdomains to existing ones – you will need to create them manually using .

Extra configuration for the nginx virtual host of Misskey. Set to { } to use the default configuration.

Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.

With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.

Directory for the ACME challenge, which is public. Don't put certs or keys in here. Set to null to inherit from config.security.acme.

Whether to enable HTTPS in addition to plain HTTP. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443).

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Basic Auth password file for a vhost. Can be created by running {command}nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

Makes this vhost the default.

Whether to ask Let's Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through {option}useACMEHost.

These lines go to the end of the vhost verbatim.

Whether to add a separate nginx server block that redirects (defaults to 301, configurable with redirectCode) all plain HTTP traffic to HTTPS. This will set defaults for listen to listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx's implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.

Whether to enable the HTTP/3 protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.

Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic; and activate the QUIC transport protocol services.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.

Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides addSSL and onlySSL.

If you only want to set the addresses manually and not the ports, take a look at listenAddresses.

Listen address.

Extra parameters of this listen directive.

Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.

Enable PROXY protocol.

Enable SSL.

Listen addresses for this virtual host. Compared to listen this only sets the addresses and the ports are chosen automatically.

Note: This option overrides enableIPv6

Declarative location config

Alias directory for requests.

Basic Auth protection for a vhost.

WARNING: This is implemented to store the password in plain text in the Nix store.

Basic Auth password file for a vhost. Can be created by running {command}nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.

These lines go to the end of the location verbatim.

FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won't unset the default values for other parameters.

Adds index directive.

Order of this location block in relation to the others in the vhost. The semantics are the same as with lib.mkOrder. Smaller values have a greater priority.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Whether to support proxying websocket connections with HTTP/1.1.

Enable recommended proxy settings.

Enable recommended uwsgi settings.

Adds a return directive, for e.g. redirections.

Root directory for requests.

Adds try_files directive.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for listen to listen on all interfaces on port 443.

Whether to enable the QUIC transport protocol. This requires using pkgs.nginxQuic package which can be achieved by setting services.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/

HTTP status used by globalRedirect and forceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.

Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the ssl_reject_handshake directive available in nginx versions 1.19.4 and above.

Create an individual listening socket . It is required to specify only once on one of the hosts.

The path of the web root directory.

Additional names of virtual hosts served by this virtual host configuration.

Name of this virtual host. Defaults to attribute name in virtualHosts.

Path to server SSL certificate.

Path to server SSL certificate key.

Path to root SSL certificate for stapling and client certificates.

A host of an existing Let's Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through {option}enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using .

Configuration for Misskey, see example.yml for all supported options.

The file access mode of the UNIX socket.

Database settings.

The database name.

Whether to disable caching queries.

Extra connection options.

The PostgreSQL host.

The password used for database authentication.

The PostgreSQL port.

The user used for database authentication.

The ID generation method to use. Do not change after starting Misskey for the first time.

Meilisearch connection options.

The Meilisearch API key.

The Meilisearch host.

Meilisearch index to use.

The Meilisearch port.

The search scope.

Whether to connect via SSL.

The port your Misskey server should listen on.

ioredis options. See README for reference.

The Redis host.

The Redis port.

ioredis options for the job queue. See README for reference.

The Redis host.

The Redis port.

ioredis options for pubsub. See README for reference.

The Redis host.

The Redis port.

ioredis options for timelines. See README for reference.

The Redis host.

The Redis port.

The UNIX socket your Misskey server should listen on.

The final user-facing URL. Do not change after running Misskey for the first time.

This needs to match up with the configured reverse proxy and is automatically configured when using services.misskey.reverseProxy.