
Configuration Options#

To see all available resource options, use the nixidy options search powered by NüschtOS.

applications#

An application is a single Argo CD application that will be rendered by nixidy.

The resources will be rendered into their own directory and an Argo CD application created for them.

Type: attribute set of (submodule)

Default: { }

Example:

{
  nginx = {
    namespace = "nginx";
    resources = {
      deployments = {
        nginx = {
          spec = {
            replicas = 3;
            selector = {
              matchLabels = {
                app = "nginx";
              };
            };
            template = {
              metadata = {
                labels = {
                  app = "nginx";
                };
              };
              spec = {
                containers = {
                  nginx = {
                    image = "nginx:1.25.1";
                    imagePullPolicy = "IfNotPresent";
                  };
                };
                securityContext = {
                  fsGroup = 1000;
                };
              };
            };
          };
        };
      };
      services = {
        nginx = {
          spec = {
            ports = {
              http = {
                port = 80;
              };
            };
            selector = {
              app = "nginx";
            };
          };
        };
      };
    };
  };
}

Declared by:

applications.<name>.annotations#

Annotations to add to the rendered ArgoCD application.

Type: attribute set of string

Default: { }

Declared by:

applications.<name>.assertions#

List of assertions that must hold during build time. If any assertion is false, the build will fail with the corresponding message.

Type: list of (submodule)

Default: [ ]

Declared by:

applications.<name>.assertions.*.assertion#

Whether the assertion holds.

Type: boolean

Declared by:

applications.<name>.assertions.*.message#

Message to display if the assertion fails.

Type: string

Declared by:

applications.<name>.compareOptions.ignoreExtraneous#

Sets the IgnoreExtraneous compare option for the application. Only setting it to true has any effect.

Type: null or boolean

Default: null

Declared by:

applications.<name>.compareOptions.includeMutationWebhook#

Sets the IncludeMutationWebhook compare option for the application. Only setting it to true has any effect.

Type: null or boolean

Default: null

Declared by:

applications.<name>.compareOptions.serverSideDiff#

Sets the ServerSideDiff compare option for the application. Leave as null for the default behavior.

Type: null or boolean

Default: null

Declared by:

applications.<name>.createNamespace#

Whether or not a namespace resource should be automatically created.

Type: boolean

Default: false

Declared by:

applications.<name>.destination.name#

The name of the cluster that ArgoCD should deploy all applications to.

Type: null or string

Default: config.nixidy.defaults.destination.name

Declared by:

applications.<name>.destination.server#

The Kubernetes server that ArgoCD should deploy the application to.

Type: null or string

Default: config.nixidy.defaults.destination.server

Declared by:

applications.<name>.extraRawYamls#

List of YAML files to include in the application's output directory. Each file's basename becomes the output filename.

Unlike yamls, the content is not parsed into Nix and therefore cannot be patched through resources. This is intended for files that contain fields incompatible with the typed schema; most notably SOPS-encrypted manifests, which carry a top-level sops metadata block that would otherwise be stripped or altered by a parse/emit round-trip.

Type: list of absolute path

Default: [ ]

Example:

[ ./encrypted-secret.yaml ]

Declared by:

applications.<name>.finalizer#

Specify the finalizer to apply to the ArgoCD application.

Type: one of "background", "foreground", "non-cascading"

Default: config.nixidy.defaults.finalizer

Declared by:

applications.<name>.helm.releases#

Helm releases to template and add to the rendered application's resources.

Type: attribute set of (submodule)

Default: { }

Declared by:

applications.<name>.helm.releases.<name>.chart#

Derivation containing the helm chart for the release.

Type: package or absolute path

Declared by:

applications.<name>.helm.releases.<name>.extraOpts#

Extra options to pass to the helm template invocation that renders the chart.

Type: list of string

Default: config.nixidy.defaults.helm.extraOpts

Example:

[
  "--no-hooks"
]

Declared by:

applications.<name>.helm.releases.<name>.includeCRDs#

Whether or not to include CRDs in the helm release.

Type: boolean

Default: true

Declared by:

applications.<name>.helm.releases.<name>.name#

Name of the helm release.

Type: string

Default: "‹name›"

Declared by:

applications.<name>.helm.releases.<name>.namespace#

Namespace for the release.

Type: string

Default: config.applications.<name>.namespace

Declared by:

applications.<name>.helm.releases.<name>.transformer#

Function that will be applied to the list of rendered manifests after the helm templating.

Type: function that evaluates to a(n) list of attribute set of anything

Default: config.nixidy.defaults.helm.transformer

Example: map (lib.kube.removeLabels ["helm.sh/chart"])

Declared by:

applications.<name>.helm.releases.<name>.values#

Values to pass to the helm chart when rendering it.

Type: attribute set of anything

Default: { }

Declared by:

applications.<name>.ignoreDifferences#

IgnoreDifferences is a list of resources and their fields which should be ignored during comparison.

More information is available in the Argo CD documentation on diffing customization.

Type: null or (attribute set of (submodule))

Default: null

Declared by:

applications.<name>.ignoreDifferences.<name>.group#

Type: null or string

Default: null

Declared by:

applications.<name>.ignoreDifferences.<name>.jqPathExpressions#

Type: null or (list of string)

Default: null

Declared by:

applications.<name>.ignoreDifferences.<name>.jsonPointers#

Type: null or (list of string)

Default: null

Declared by:

applications.<name>.ignoreDifferences.<name>.kind#

Type: string

Default: "‹name›"

Declared by:

applications.<name>.ignoreDifferences.<name>.managedFieldsManagers#

ManagedFieldsManagers is a list of trusted managers. Fields mutated by those managers will take precedence over the desired state defined in the SCM and won't be displayed in diffs.

Type: null or (list of string)

Default: null

Declared by:

applications.<name>.ignoreDifferences.<name>.name#

Type: null or string

Default: null

Declared by:

applications.<name>.ignoreDifferences.<name>.namespace#

Type: null or string

Default: null

Declared by:
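The ignoreDifferences entries above are easiest to read in a concrete rule set. The following is an added example, not part of the nixidy documentation; it assumes an application named "payments" and constructed object names. The attribute name of each entry doubles as its kind, so one entry per kind is needed.

```nix
# Added example (not from the nixidy docs). Application name "payments" and
# the object names below are constructed for illustration.
{
  applications.payments.ignoreDifferences = {
    # Attribute name "Deployment" becomes `kind` (the documented default).
    # The HPA owns the replica count, so its changes are not drift.
    Deployment = {
      group = "apps";
      jsonPointers = [ "/spec/replicas" ];
    };

    # Scope to a single object with `name`: a CA bundle that an in-cluster
    # injector writes into the webhook config after it is applied.
    MutatingWebhookConfiguration = {
      group = "admissionregistration.k8s.io";
      name = "payments-webhook";
      jqPathExpressions = [ ".webhooks[].clientConfig.caBundle" ];
    };

    # Trust a specific field manager instead of listing fields: whatever
    # this manager writes on the named Service takes precedence over git.
    Service = {
      name = "payments-lb";
      namespace = "payments";
      managedFieldsManagers = [ "cloud-controller-manager" ];
    };
  };
}
```

Keep these rules as narrow as the case allows (a `name`, a `namespace`, a single pointer): every ignored path is a place where cluster state can diverge from git without Argo CD reporting it, and managedFieldsManagers hides everything that manager touches, not just one field.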

applications.<name>.kustomize.applications#

Kustomize applications to render and add to the rendered application's resources.

Type: attribute set of (submodule)

Default: { }

Example:

{
  argocd = {
    namespace = "argocd";
    # Equivalent to `github.com/argoproj/argo-cd/manifests/cluster-install?ref=v2.9.3`
    # in kustomization.yaml.
    kustomization = {
      src = pkgs.fetchFromGitHub {
        owner = "argoproj";
        repo = "argo-cd";
        rev = "v2.9.3";
        hash = "sha256-GaY4Cw/LlSwy35umbB4epXt6ev8ya19UjHRwhDwilqU=";
      };
      path = "manifests/cluster-install";
    };
  };
}

Declared by:

applications.<name>.kustomize.applications.<name>.kustomization.path#

Path relative to the base of src to the entrypoint kustomization directory.

Type: string

Declared by:

applications.<name>.kustomize.applications.<name>.kustomization.src#

Derivation containing all the kustomize bases and overlays.

Type: package or absolute path

Declared by:

applications.<name>.kustomize.applications.<name>.name#

Name of the kustomize application.

Type: string

Default: "‹name›"

Declared by:

applications.<name>.kustomize.applications.<name>.namespace#

Namespace for the kustomize application.

Type: string

Default: config.applications.<name>.namespace

Declared by:

applications.<name>.kustomize.applications.<name>.transformer#

Function that will be applied to the list of rendered manifests from kustomize.

Type: function that evaluates to a(n) list of attribute set of anything

Default: config.nixidy.defaults.kustomize.transformer

Declared by:

applications.<name>.labels#

Labels to add to the rendered ArgoCD application.

Type: attribute set of string

Default: { }

Declared by:

applications.<name>.name#

Name of the application.

Type: string

Default: "‹name›"

Declared by:

applications.<name>.namespace#

Namespace to deploy application into (defaults to name).

Type: string

Default: "‹name›"

Declared by:

applications.<name>.objectTransforms#

Resource transform rules applied to this application's objects.

Type: list of (submodule)

Default: [ ]

Declared by:

applications.<name>.objectTransforms.*.match#

Which resources this rule applies to: a predicate resource -> bool, or a declarative selector that desugars to one.

Selector fields are ANDed. kind/apiVersion/namespace/name match by exact equality (a null field is a wildcard); labels/annotations are SUBSET matches (the resource may carry extra keys; the default { } matches anything).

The default matches EVERY resource in scope, meaning that omitting match on a rewrite/postProcess rule applies it cluster-wide. Set match unless that is intended.

Predicates run against the resource as seen at this point in the pipeline, i.e. AFTER earlier rules' rewrites. A rule that renames a kind must be matched by its NEW kind in later rules.

Type: (function that evaluates to a(n) boolean) or (submodule)

Default: <function>

Declared by:

applications.<name>.objectTransforms.*.name#

Optional label for this rule, surfaced in assertion messages and the activation post-process log. Helps identify a rule among many and is purely diagnostic.

Type: null or string

Default: null

Declared by:

applications.<name>.objectTransforms.*.postProcess#

Activation-time stage producing the final on-disk artifact for the matched file (a stdin -> stdout filter). Exactly one of rewrite/postProcess must be set.

Warning

postProcess commands run at activation time, outside any sandbox, with the privileges of whoever runs nixidy switch. A postProcess rule from a configuration you have not vetted is arbitrary code execution on switch. To surface this, switch prints the commands it is about to run and, when attached to a terminal, pauses for confirmation (NIXIDY_POST_PROCESS_APPROVE=1 skips the prompt; NIXIDY_SKIP_POST_PROCESS=1 reuses the already-rendered target files without running anything). These are visibility aids, not a security boundary, as the configuration that defines the rule can also set the approval variable.

nixidy apply also runs postProcess: its apply script consumes the same environmentPackage the switch path renders and streams each resource through the chain before kubectl apply, so switch and apply deploy the same manifests. The chain output must be a valid cluster manifest. A transform whose result only a GitOps controller can consume (e.g. a ksops / whole-document-encrypted file) is switch-only; kubectl apply rejects it. The same visibility/prompt applies on apply, but NIXIDY_SKIP_POST_PROCESS is NOT honored there (no rendered target to fall back to) and the chain always runs. The build outputs of environmentPackage / declarativePackage still contain the pre-postProcess manifests (the transform is runtime-only); keep real secret material out of nixidy resources (use references), as rendered values land in the world-readable nix store regardless.

Type: null or ((submodule) or strings concatenated with "\n" convertible to it)

Default: null

Declared by:

applications.<name>.objectTransforms.*.postProcess.command#

Runtime stage producing final on-disk content.

stdin = store content for the matched file
stdout = content written to disk
env = $TARGET_PATH (absolute path of the destination file; it may not exist yet; switch only)

stdin/stdout is the contract so stages compose as a pipe, but the command body is arbitrary shell. For a tool that needs a real file path (e.g. sops -i, yq -i), capture stdin to a temp file and emit it back: f=$(mktemp); cat > "$f"; sops -e -i "$f"; cat "$f".

Either a literal shell snippet, or a function resolved at eval time against the matched object:

{ resource, path, pkgs, lib }: <shell snippet>

Here resource is the post-rewrite object and path its on-disk relative path. path is identical on the switch and apply paths, so a path-using command resolves the same on both. $TARGET_PATH (the absolute destination) is set only on switch/activation; on apply there is no on-disk target and it is unset. Use the function form to specialize the command per object (e.g. choose a recipient key from resource.metadata.namespace) instead of re-parsing the manifest on stdin.

Type: strings concatenated with "\n" or function that evaluates to a(n) strings concatenated with "\n"

Declared by:

applications.<name>.objectTransforms.*.postProcess.runtimeInputs#

Packages added to the post-process command's PATH.

Type: list of package

Default: [ ]

Declared by:

applications.<name>.objectTransforms.*.rewrite#

Eval-time transform resource -> resource. Returning null drops the resource. Exactly one of rewrite/postProcess must be set.

Type: null or (function that evaluates to a(n) (null or (attribute set of anything)))

Default: null

Declared by:
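The match and rewrite options above are clearest when several rules are chained, because the ordering rule (later predicates see earlier rewrites) only shows up then. The following is an added example, not code from the nixidy project; it assumes an application named "payments" whose resources are declared elsewhere, the standard module argument lib, and constructed label keys under example.com.

```nix
# Added example (not from the nixidy docs). The application name, label keys
# and rule names are constructed for illustration.
{ lib, ... }:
{
  applications.payments.objectTransforms = [
    {
      # Rule 1, selector form: Deployments in this application's namespace
      # carrying `tier = "web"`. labels is a subset match, so resources with
      # extra labels still match; unset selector fields are wildcards.
      name = "mark-web-deployments";
      match = {
        kind = "Deployment";
        namespace = "payments";
        labels = { tier = "web"; };
      };
      rewrite = resource:
        lib.recursiveUpdate resource {
          metadata.labels."example.com/exposed" = "true";
        };
    }
    {
      # Rule 2, predicate form. It runs on the output of rule 1, so it can
      # select on the label rule 1 just added. It hardens the pod template by
      # disabling service-account token automounting unless the manifest
      # already states a choice.
      name = "no-sa-token-for-exposed";
      match = resource:
        resource.kind == "Deployment"
        && (resource.metadata.labels or { }) ? "example.com/exposed";
      rewrite = resource:
        if lib.hasAttrByPath
          [ "spec" "template" "spec" "automountServiceAccountToken" ] resource
        then resource
        else lib.recursiveUpdate resource {
          spec.template.spec.automountServiceAccountToken = false;
        };
    }
    {
      # Rule 3: returning null drops the object from the rendered output.
      # Only resources that explicitly opt out are affected; a rule without
      # `match` would drop everything in scope.
      name = "drop-opted-out";
      match = { labels = { "example.com/render" = "false"; }; };
      rewrite = _: null;
    }
  ];
}
```

Reordering rules 1 and 2 would make rule 2 a no-op, since its predicate would run before the label exists. Every rule here sets match; the one rule that deletes resources is the one where an accidental wildcard would do the most damage.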

applications.<name>.output.path#

Name of the folder that contains all rendered resources for the application. Relative to the root of the repository.

Type: string

Default: "‹name›"

Declared by:

applications.<name>.project#

ArgoCD project the application belongs to.

Type: string

Default: "default"

Declared by:

applications.<name>.resources#

Kubernetes resources for the application.

The entire list of available resource options is too large for the current documentation setup but can be searched in the nixidy options search powered by NüschtOS.

Type: attribute set

Default: { }

Example:

{
  deployments = {
    nginx = {
      spec = {
        replicas = 3;
        selector = {
          matchLabels = {
            app = "nginx";
          };
        };
        template = {
          metadata = {
            labels = {
              app = "nginx";
            };
          };
          spec = {
            containers = {
              nginx = {
                image = "nginx:1.25.1";
                imagePullPolicy = "IfNotPresent";
              };
            };
            securityContext = {
              fsGroup = 1000;
            };
          };
        };
      };
    };
  };
  services = {
    nginx = {
      spec = {
        ports = {
          http = {
            port = 80;
          };
        };
        selector = {
          app = "nginx";
        };
      };
    };
  };
}

Declared by:

applications.<name>.syncPolicy.autoSync.enable#

Specifies if application should automatically sync.

Type: boolean

Default: config.nixidy.defaults.syncPolicy.autoSync.enable

Declared by:

applications.<name>.syncPolicy.autoSync.prune#

Specifies if resources should be pruned during auto-syncing.

Type: boolean

Default: config.nixidy.defaults.syncPolicy.autoSync.prune

Declared by:

applications.<name>.syncPolicy.autoSync.selfHeal#

Specifies if a partial app sync should be executed when resources are changed only in the target Kubernetes cluster and no git change is detected.

Type: boolean

Default: config.nixidy.defaults.syncPolicy.autoSync.selfHeal

Declared by:

applications.<name>.syncPolicy.managedNamespaceMetadata#

ArgoCD Managed namespace metadata.

Type: null or (submodule)

Default: null

Declared by:

applications.<name>.syncPolicy.managedNamespaceMetadata.annotations#

Annotations to add to the ArgoCD managed namespace.

Type: null or (attribute set of string)

Default: null

Declared by:

applications.<name>.syncPolicy.managedNamespaceMetadata.labels#

Labels to add to the ArgoCD managed namespace.

Type: null or (attribute set of string)

Default: null

Declared by:

applications.<name>.syncPolicy.retry#

ArgoCD retry syncPolicy.

Type: null or (submodule)

Default: null

Declared by:

applications.<name>.syncPolicy.retry.backoff#

Type: null or (submodule)

Default: null

Declared by:

applications.<name>.syncPolicy.retry.backoff.duration#

Type: null or string

Default: null

Declared by:

applications.<name>.syncPolicy.retry.backoff.factor#

Type: null or signed integer

Default: null

Declared by:

applications.<name>.syncPolicy.retry.backoff.maxDuration#

Type: null or string

Default: null

Declared by:

applications.<name>.syncPolicy.retry.limit#

Type: null or signed integer

Default: null

Declared by:

applications.<name>.syncPolicy.syncOptions.applyOutOfSyncOnly#

Currently, when syncing using auto sync, Argo CD applies every object in the application. For applications containing thousands of objects this takes quite a long time and puts undue pressure on the API server. Turning on the selective sync option syncs only out-of-sync resources.

Type: boolean

Default: false

Declared by:

applications.<name>.syncPolicy.syncOptions.clientSideApplyMigration#

This option controls the migration of field ownership from client-side apply to server-side apply when serverSideApply is enabled. By default (true), Argo CD attempts to migrate the managed fields. If set to false, the ClientSideApplyMigration=false sync option is applied, disabling this automatic migration. This is useful for avoiding conflicts during the transition to Server-Side Apply for existing resources.

Type: boolean

Default: true

Declared by:

applications.<name>.syncPolicy.syncOptions.createNamespace#

Namespace Auto-Creation ensures that the namespace specified as the application destination exists in the destination cluster.

Type: boolean

Default: false

Declared by:

applications.<name>.syncPolicy.syncOptions.failOnSharedResource#

By default, Argo CD will apply all manifests found in the git path configured in the Application, regardless of whether the resources defined in the YAML files are already applied by another Application. If the failOnSharedResource sync option is set, Argo CD will fail the sync whenever it finds a resource in the current Application that is already applied in the cluster by another Application.

Type: boolean

Default: false

Declared by:

applications.<name>.syncPolicy.syncOptions.pruneLast#

This option allows resource pruning to happen as a final, implicit wave of a sync operation, after the other resources have been deployed and become healthy, and after all other waves completed successfully.

Type: boolean

Default: false

Declared by:

applications.<name>.syncPolicy.syncOptions.replace#

By default, Argo CD executes a kubectl apply operation to apply the configuration stored in Git. In some cases kubectl apply is not suitable. For example, a resource spec might be too big to fit into the kubectl.kubernetes.io/last-applied-configuration annotation that is added by kubectl apply.

If the replace = true; sync option is set, Argo CD will use the kubectl replace or kubectl create command to apply changes.

Type: boolean

Default: false

Declared by:

applications.<name>.syncPolicy.syncOptions.serverSideApply#

By default, Argo CD executes a kubectl apply operation to apply the configuration stored in Git. This is a client-side operation that relies on the kubectl.kubernetes.io/last-applied-configuration annotation to store the previous resource state.

If serverSideApply = true; sync option is set, Argo CD will use kubectl apply --server-side command to apply changes.

More information is available in the Argo CD documentation on Server-Side Apply.

Type: boolean

Default: false

Declared by:

applications.<name>.warnings#

List of warnings that will be printed during build time when their when condition is true, but will not fail the build.

Type: list of ((submodule) or string convertible to it)

Default: [ ]

Declared by:

applications.<name>.warnings.*.message#

Type: string

Declared by:

applications.<name>.warnings.*.when#

Type: boolean

Default: false

Declared by:

applications.<name>.yamls#

List of Kubernetes manifests declared in YAML strings. They will be parsed and added to the application's resources where they can be overwritten and modified.

Can be useful for reading existing YAML files (e.g. [(builtins.readFile ./deployment.yaml)]).

Type: list of string

Default: [ ]

Example:

[
  ''
    apiVersion: v1
    kind: Namespace
    metadata:
      name: default
  ''
]

Declared by:

nixidy.appOfApps.destination.name#

The name of the cluster that ArgoCD should deploy the app of apps to.

Type: null or string

Default: config.nixidy.defaults.destination.name

Declared by:

nixidy.appOfApps.destination.server#

The Kubernetes server that ArgoCD should deploy the app of apps to.

Type: null or string

Default: config.nixidy.defaults.destination.server

Declared by:

nixidy.appOfApps.name#

Name of the application for bootstrapping all other applications (app of apps pattern).

Type: string

Default: "apps"

Declared by:

nixidy.appOfApps.namespace#

Destination namespace for generated Argo CD Applications in the app of apps applications.

Type: string

Default: "argocd"

Declared by:

nixidy.appOfApps.project#

The project of the generated bootstrap app for appOfApps.

Type: string

Default: "default"

Declared by:

nixidy.appendNameWithEnv#

When this is set to true, all application names will be suffixed with the environment name.

Type: boolean

Default: false

Declared by:

nixidy.applicationImports#

List of modules to import into applications.* submodule (most useful for resource definition options).

Type: list of (package or absolute path or function that evaluates to a(n) (attribute set))

Default: [ ]

Declared by:

nixidy.assertions#

List of global assertions that must hold during build time. If any assertion is false, the build will fail with the corresponding message.

These assertions are evaluated alongside per-application assertions.

Type: list of (submodule)

Default: [ ]

Declared by:

nixidy.assertions.*.assertion#

Whether the assertion holds.

Type: boolean

Declared by:

nixidy.assertions.*.message#

Message to display if assertion fails.

Type: string

Declared by:
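Global assertions and warnings are most useful as policy checks over every application rather than as fixed literals. The following is an added example, not part of the nixidy documentation; it assumes the standard module arguments config and lib, that config.applications is readable from the nixidy module scope, and an environment named "prod" (a constructed value).

```nix
# Added example (not from the nixidy docs). The environment name "prod" and
# the policies themselves are constructed for illustration.
{ config, lib, ... }:
let
  apps = config.applications;
in
{
  # Fail the build when an application in the production environment is
  # still in Argo CD's permissive "default" project. A dedicated AppProject
  # is where destination and resource restrictions are enforced.
  nixidy.assertions = lib.mapAttrsToList (name: app: {
    assertion = config.nixidy.env != "prod" || app.project != "default";
    message = "application ${name}: use a dedicated Argo CD project in the "
      + "prod environment instead of 'default'";
  }) apps;

  # Warn, without failing, when prune is on but selfHeal is off: manual
  # changes made in the cluster will then persist until the next git change.
  nixidy.warnings = lib.mapAttrsToList (name: app: {
    when = app.syncPolicy.autoSync.prune && !app.syncPolicy.autoSync.selfHeal;
    message = "application ${name}: autoSync.prune is enabled but selfHeal "
      + "is not; drift in the cluster will not be reverted automatically";
  }) apps;
}
```

One entry is produced per application, so the assertion message names the offending application directly; the same shape works for per-application assertions under applications.<name>.assertions when a check only concerns one app.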

nixidy.bootstrapManifest.enable#

Automatically include a bootstrap.yaml manifest in the generated output. This can be used to bootstrap the app of apps by running kubectl apply -f bootstrap.yaml.

Type: boolean

Default: false

Declared by:

nixidy.build.revision#

The revision being built. Will be written to .revision in the environment destination directory.

Type: null or string

Default: null

Example: if (self ? rev) then self.rev else self.dirtyRev

Declared by:

nixidy.charts#

Attrset of derivations containing helm charts. This will be passed as charts to every module.

Type: attribute set of anything

Default: { }

Declared by:

nixidy.chartsDir#

Path to a directory containing a sub-directory structure that can be used to build a charts attrset. This will be passed as charts to every module.

Type: null or absolute path

Default: null

Declared by:

nixidy.defaults.destination.name#

The name of the cluster that ArgoCD should deploy all applications to.

This is the default value for all applications if not explicitly set for the application.

Type: null or string

Default: null

Declared by:

nixidy.defaults.destination.server#

The Kubernetes server that ArgoCD should deploy all applications to.

This is the default value for all applications if not explicitly set for the application.

Type: null or string

Default: "https://kubernetes.default.svc"

Declared by:

nixidy.defaults.finalizer#

The default finalizer to apply to all ArgoCD applications.

Type: one of "background", "foreground", "non-cascading"

Default: "non-cascading"

Declared by:

nixidy.defaults.helm.extraOpts#

The default extra options to pass to the helm template invocation that renders a chart. Applies to all applications.

Type: list of string

Default: [ ]

Example:

[
  "--no-hooks"
]

Declared by:

nixidy.defaults.helm.transformer#

Function that will be applied to the list of rendered manifests after the helm templating. This option applies to all helm releases in all applications unless explicitly specified there.

Type: function that evaluates to a(n) list of attribute set of anything

Default: res: res

Example: map (lib.kube.removeLabels ["helm.sh/chart"])

Declared by:

nixidy.defaults.kustomize.transformer#

Function that will be applied to the list of rendered manifests after kustomize rendering. This option applies to all kustomize applications in all nixidy applications unless explicitly specified there.

Type: function that evaluates to a(n) list of attribute set of anything

Default: res: res

Example: map (lib.kube.removeLabels ["app.kubernetes.io/version"])

Declared by:

nixidy.defaults.syncPolicy.autoSync.enable#

Specifies if applications should automatically sync.

This is the default value for all applications if not explicitly set for the application.

Type: boolean

Default: false

Declared by:

nixidy.defaults.syncPolicy.autoSync.prune#

Specifies if resources should be pruned during auto-syncing.

This is the default value for all applications if not explicitly set for the application.

Type: boolean

Default: false

Declared by:

nixidy.defaults.syncPolicy.autoSync.selfHeal#

Specifies if a partial app sync should be executed when resources are changed only in the target Kubernetes cluster and no git change is detected.

This is the default value for all applications if not explicitly set for the application.

Type: boolean

Default: false

Declared by:

nixidy.env#

The environment name for this configuration.

Type: string

Default: "default"

Declared by:

nixidy.extraFiles#

Extra files to write in the generated stage.

Type: attribute set of (submodule)

Default: { }

Declared by:

nixidy.extraFiles.<name>.path#

Path of output file.

Type: string

Default: "‹name›"

Declared by:

nixidy.extraFiles.<name>.source#

Path of the source file.

Type: absolute path

Declared by:

nixidy.extraFiles.<name>.text#

Text of the output file.

Type: null or strings concatenated with "\n"

Default: null

Declared by:

nixidy.k8sVersion#

The Kubernetes version for generated resource options to use.

Type: one of "1.32", "1.33", "1.34", "1.35", "1.36"

Default: "1.35"

Declared by:

nixidy.objectTransforms#

Resource transform rules applied across all applications in this environment.

Type: list of (submodule)

Default: [ ]

Declared by:

nixidy.objectTransforms.*.match#

Which resources this rule applies to: a predicate resource -> bool, or a declarative selector that desugars to one.

Selector fields are ANDed. kind/apiVersion/namespace/name match by exact equality (a null field is a wildcard); labels/annotations are SUBSET matches (the resource may carry extra keys; the default { } matches anything).

The default matches EVERY resource in scope, meaning that omitting match on a rewrite/postProcess rule applies it cluster-wide. Set match unless that is intended.

Predicates run against the resource as seen at this point in the pipeline, i.e. AFTER earlier rules' rewrites. A rule that renames a kind must be matched by its NEW kind in later rules.

Type: (function that evaluates to a(n) boolean) or (submodule)

Default: <function>

Declared by:

nixidy.objectTransforms.*.name#

Optional label for this rule, surfaced in assertion messages and the activation post-process log. Helps identify a rule among many and is purely diagnostic.

Type: null or string

Default: null

Declared by:

nixidy.objectTransforms.*.postProcess#

Activation-time stage producing the final on-disk artifact for the matched file (a stdin -> stdout filter). Exactly one of rewrite/postProcess must be set.

Warning

postProcess commands run at activation time, outside any sandbox, with the privileges of whoever runs nixidy switch. A postProcess rule from a configuration you have not vetted is arbitrary code execution on switch. To surface this, switch prints the commands it is about to run and, when attached to a terminal, pauses for confirmation (NIXIDY_POST_PROCESS_APPROVE=1 skips the prompt; NIXIDY_SKIP_POST_PROCESS=1 reuses the already-rendered target files without running anything). These are visibility aids, not a security boundary, as the configuration that defines the rule can also set the approval variable.

nixidy apply also runs postProcess: its apply script consumes the same environmentPackage the switch path renders and streams each resource through the chain before kubectl apply, so switch and apply deploy the same manifests. The chain output must be a valid cluster manifest. A transform whose result only a GitOps controller can consume (e.g. a ksops / whole-document-encrypted file) is switch-only; kubectl apply rejects it. The same visibility/prompt applies on apply, but NIXIDY_SKIP_POST_PROCESS is NOT honored there (no rendered target to fall back to) and the chain always runs. The build outputs of environmentPackage / declarativePackage still contain the pre-postProcess manifests (the transform is runtime-only); keep real secret material out of nixidy resources (use references), as rendered values land in the world-readable nix store regardless.

Type: null or ((submodule) or strings concatenated with "\n" convertible to it)

Default: null

Declared by:

nixidy.objectTransforms.*.postProcess.command#

Runtime stage producing final on-disk content.

stdin = store content for the matched file
stdout = content written to disk
env = $TARGET_PATH (absolute path of the destination file; it may not exist yet; switch only)

stdin/stdout is the contract so stages compose as a pipe, but the command body is arbitrary shell. For a tool that needs a real file path (e.g. sops -i, yq -i), capture stdin to a temp file and emit it back: f=$(mktemp); cat > "$f"; sops -e -i "$f"; cat "$f".

Either a literal shell snippet, or a function resolved at eval time against the matched object:

{ resource, path, pkgs, lib }: <shell snippet>

Here resource is the post-rewrite object and path its on-disk relative path. path is identical on the switch and apply paths, so a path-using command resolves the same on both. $TARGET_PATH (the absolute destination) is set only on switch/activation; on apply there is no on-disk target and it is unset. Use the function form to specialize the command per object (e.g. choose a recipient key from resource.metadata.namespace) instead of re-parsing the manifest on stdin.

Type: strings concatenated with "\n" or function that evaluates to a(n) strings concatenated with "\n"

Declared by:

nixidy.objectTransforms.*.postProcess.runtimeInputs#

Packages added to the post-process command's PATH.

Type: list of package

Default: [ ]

Declared by:

nixidy.objectTransforms.*.rewrite#

Eval-time transform resource -> resource. Returning null drops the resource. Exactly one of rewrite/postProcess must be set.

Type: null or (function that evaluates to a(n) (null or (attribute set of anything)))

Default: null

Declared by:
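The postProcess and postProcess.command descriptions (here and under applications.<name>.objectTransforms) describe the stdin/stdout contract, the temp-file pattern and the per-object function form in prose; the rule below puts them together. It is an added example, not code from the nixidy project. It assumes pkgs.sops is available, that age recipients are chosen per namespace, and uses placeholder public keys (constructed; no private key material is involved). Because the result is a sops-encrypted Secret, it is switch-only as the page notes: kubectl apply rejects it, and the cluster needs a sops-aware controller such as ksops to decrypt it.

```nix
# Added example (not from the nixidy docs). Recipient keys are placeholders;
# the namespace-to-recipient mapping is constructed for illustration.
{ pkgs, ... }:
let
  # Public keys only. Rendered (pre-postProcess) manifests still land in the
  # world-readable nix store, so the Secret values themselves should be
  # references, not real secret material.
  recipients = {
    payments = "age1PLACEHOLDER_PAYMENTS_RECIPIENT";
    default = "age1PLACEHOLDER_DEFAULT_RECIPIENT";
  };
in
{
  nixidy.objectTransforms = [
    {
      # Explicit match: only core-group Secrets, nothing else in scope.
      name = "sops-encrypt-secrets";
      match = {
        apiVersion = "v1";
        kind = "Secret";
      };
      postProcess = {
        runtimeInputs = [ pkgs.sops ];
        # Function form: resolved at eval time per object, so the recipient
        # is chosen from the resource instead of re-parsing stdin in shell.
        command = { resource, path, ... }:
          let
            ns = resource.metadata.namespace or "default";
            recipient = recipients.${ns} or recipients.default;
          in ''
            # stdin -> stdout is the contract; sops needs a real file, so
            # spool stdin to a temp file, encrypt in place, then emit it.
            f=$(mktemp)
            trap 'rm -f "$f"' EXIT
            cat > "$f"
            sops --encrypt --in-place \
              --input-type yaml --output-type yaml \
              --age '${recipient}' \
              --encrypted-regex '^(data|stringData)$' \
              "$f"
            cat "$f"
          '';
      };
    }
  ];
}
```

On nixidy switch this rule is listed before it runs and, on a terminal, waits for confirmation; the listing is the point at which an unexpected command from an unvetted configuration should be caught, since the prompt itself is not a boundary. The trap removes the plaintext temp file even when sops fails, and the explicit input/output type keeps sops from treating the extension-less temp file as an opaque blob.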

nixidy.target.branch#

The destination branch of the generated applications.

Type: string

Declared by:

nixidy.target.repository#

The repository URL to put in all generated applications.

Type: string

Declared by:

nixidy.target.rootPath#

The root path of all generated applications in the repository.

Type: string

Default: "./"

Declared by:

nixidy.warnings#

List of warnings that will be printed during build time when their when condition is true, but will not fail the build.

Type: list of ((submodule) or string convertible to it)

Default: [ ]

Declared by:

nixidy.warnings.*.message#

Type: string

Declared by:

nixidy.warnings.*.when#

Type: boolean

Default: false

Declared by:

templates#

Defines reusable templates that can be used in applications. See documentation.

Type: attribute set of (submodule)

Default: { }

Example:

{
  webApplication = {
    options = with lib; {
      image = mkOption {
        type = lib.types.str;
        description = "The image to use in the web application deployment";
      };
      replicas = mkOption {
        type = lib.types.int;
        default = 3;
        description = "The number of replicas for the web application deployment.";
      };
      port = mkOption {
        type = lib.types.port;
        default = 8080;
        description = "The web application's port.";
      };
      ingressHost = mkOption {
        type = with lib.types; nullOr str;
        default = null;
        description = "The application's ingress host. Set to null to disable ingress.";
      };
    };

    output = {
      name,
      config,
      ...
    }: let
      cfg = config;
      appLabels = {
        "app.kubernetes.io/name" = name;
        "app.kubernetes.io/instance" = name;
      };
    in {
      deployments."${name}".spec = {
        replicas = cfg.replicas;
        selector.matchLabels = appLabels;
        template = {
          metadata.labels = appLabels;
          spec.containers."${name}" = {
            image = cfg.image;
            ports."http".containerPort = cfg.port;
          };
        };
      };

      services."${name}".spec = {
        selector = appLabels;
        ports.http = {
          port = cfg.port;
          targetPort = cfg.port;
        };
      };

      ingresses = lib.mkIf (cfg.ingressHost != null) {
        "${name}".spec = {
          rules = [
            {
              host = cfg.ingressHost;
              http.paths = [
                {
                  path = "/";
                  pathType = "Prefix";
                  backend.service = {
                    inherit name;
                    port.number = cfg.port;
                  };
                }
              ];
            }
          ];
        };
      };
    };
  };
}

Declared by:

templates.<name>.options#

A set of module options that define the configurable parameters for your template.

Type: attribute set of option

Declared by:

templates.<name>.output#

A Nix function that takes the template instance's name and its config (derived from the options you defined) and returns a set of nixidy resources (e.g., deployments, services, ingresses).

Type: function that evaluates to a(n) attribute set of anything

Declared by: