# Nixtamal Manifest(5) | Nixtamal

## Name

Nixtamal Manifest(5) - Setting up for pinning down inputs

## Synopsis

Nixtamal uses KDL for its manifest describing inputs. At the highest level, this includes:

- manifest version
- default hashing algorithm
- patches (optional)
- list of inputs
  - the input kind & its specific attributes
  - a command to check if “fresh”
  - hashing information
  - patches to apply to the input

Note: A KDL Schema file is shipped alongside this documentation for use with schema-aware editors and validators. It can be found in the installation directory under `share/nixtamal/manifest.kdl`.

## Default manifest.kdl

```kdl
version "0.5.0"
inputs {
    nixpkgs {
        archive {
            url "https://github.com/NixOS/nixpkgs/archive/{{fresh_value}}.tar.gz"
        }
        hash algorithm=SHA-256
        fetch-time eval
        fresh-cmd {
            $ git ls-remote "https://github.com/NixOS/nixpkgs.git" --refs "refs/heads/nixos-unstable"
            | cut -f1
        }
    }
}
```

## Top-level nodes

- `version`: Version of the Nixtamal spec the `manifest.kdl` is using.
- `default-hash-algorithm`: Hash algorithm to use by default for inputs when the input does not note its hash algorithm. Defaults to `SHA-256`.
- `patches`: Map of patches to be applied to inputs where the patch name should be unique. Each patch has a URL (first argument). See Patches.
- `default-fetch-time`: Default fetch time for inputs when not specified at the input level. Can be `eval` (fetch during Nix evaluation using `builtins.fetch*`) or `build` (fetch during build using `pkgs.fetch*`). Defaults to `eval`.
- `inputs`: Map of inputs to be pinned where the input+node name should be unique & will be used in the Nix output as well as logs & errors. See Input node.

## Fetch Time

Inputs can be fetched either during Nix evaluation or during build time:

- `eval`: Fetch the input during Nix evaluation using `builtins.fetch*` functions. This is the default behavior and is suitable for inputs that need to be available during evaluation, such as the bootstrap Nixpkgs.
- `build`: Fetch the input during build time using `pkgs.fetch*` functions. This is suitable for most inputs and allows for better caching and parallel fetching.

The fetch time can be set globally using `default-fetch-time` or per-input using the `fetch-time` property on `file`, `archive`, and `git` input types.

Caution!: Inputs with patches cannot use `eval` fetch time, as patches are applied during build time. The system will automatically enforce this constraint.

## Patches

Patches are defined at the top-level and can be applied to any input. This allows defining a patch once and applying it to multiple inputs.

- `url`: Templated node URL or file reference for the patch. Supports `https://`, `http://`, and `file://` URLs.
- `hash`: Optional node for hash algorithm information. The `algorithm` property will be used when prefetching, locking, & for integrity verification. The optional `expected` property may be used to assert a known hash. If not specified, no hash verification is performed.
Defaults to the top-level `default-hash-algorithm` or `SHA-256`.

## Input node

At a high level these should be seen as:

- prop `frozen`: A boolean (`frozen=#true`) that prevents trying to refresh or otherwise get a new fresh value for this input.
- “kind”: There are specific nodes for each different type of supported fetchers/prefetchers: `file`, `archive`, `git`, `darcs`, `pijul`, `fossil` (with more to come in the future).
- `hash`: An optional node for hash algorithm information for an input. The `algorithm` property will be used when prefetching, locking, & for importing (which falls back to top-level `default-hash-algorithm` or defined default `SHA-256`). The optional `expected` property may be used to assert a known hash.

  Caution!: The bootstrapping Nixpkgs pin (either manually set or using `nixpkgs-nixtamal` or `nixpkgs` as defaults) must be SHA-256 to be compatible with `builtins.fetchTarball`.
- `fresh-cmd`: Command (with or without pipes using `$` & `|` nodes) that can be shelled out to to return a string that will be locked as the fresh command value which can be used both to prevent unnecessary prefetching, but also for use in a Templated node.
- `patches`: List of patch names (as arguments) to apply to this input. Patches are defined at the top-level in the Patches section.

### File

- prop `fetch-time`: Property to set when to fetch this input: `eval` or `build`.
Defaults to the top-level `default-fetch-time` or `build`.
- `url`: Templated node URL reference for the input
- `mirrors`: Templated node URL mirror references for the input

### Archive

- prop `fetch-time`: Property to set when to fetch this input: `eval` or `build`. Defaults to the top-level `default-fetch-time` or `build`.
- `url`: Templated node URL reference for the input
- `mirrors`: Templated node URL mirror references for the input

### Git

- prop `fetch-time`: Property to set when to fetch this input: `eval` or `build`. Defaults to the top-level `default-fetch-time` or `build`.
- `repository`: Templated node repository reference for the input
- `mirrors`: Templated node repository mirror references for the input

  Warning: Probably not yet supported upstream.
- “reference”: `branch` or `tag` or `ref` node as the reference point for getting stable reference. `tag` provides convenience over using `ref` with full tag paths.
- `submodules`: Leaf node for enabling submodules on a repository
- `lfs`: Leaf node for enabling Git LFS on a repository

### Darcs

- `repository`: Templated node repository reference for the input
- `mirrors`: Templated node repository mirror references for the input

  Note: Recently upstreamed. See: <https://github.com/NixOS/nixpkgs/pull/467172>
- “reference”: `context` or `tag` node as the reference point for getting stable reference; in the case of Darcs, if neither is supplied a `context` will be assumed & copied from `nix-prefetch-darcs`

### Pijul

- `remote`: Templated node remote reference for the input
- `mirrors`: Templated node remote mirror references for the input

  Note: Recently upstreamed. See: <https://github.com/NixOS/nixpkgs/pull/467890>
- “reference”: `channel` or `state` or `change` (not recommended) node as the reference point for getting stable reference; if unsure, try `channel main`

### Fossil

- `repository`: Templated node repository reference for the input
- “reference”: `branch` or `tag` or `check-in` node as the reference point for getting stable reference

## Templated node

Some nodes have values with string substitution via Jingoo <https://tategakibunko.github.io/jingoo/templates/templates.en.html>, which is probably overkill, but could give you flexibility with `if` statements. The templated nodes include:

- `inputs >> file > url`
- `inputs >> file > mirrors`
- `inputs >> archive > url`
- `inputs >> archive > mirrors`
- `inputs >> git > repository`
- `inputs >> git > mirrors`
- `inputs >> darcs > repository`
- `inputs >> darcs > mirrors`
- `inputs >> pijul > remote`
- `inputs >> pijul > mirrors`
- `inputs >> fossil > repository`
- `inputs >> fresh-cmd > $`
- `inputs >> fresh-cmd > |`

The input kind affects the values for substitution:

`file`

| Key | Type | Description |
|---|---|---|
| `name` | string | input name |
| `fresh_value` | string nullable | fresh command return value |

`archive`

| Key | Type | Description |
|---|---|---|
| `name` | string | input name |
| `fresh_value` | string nullable | fresh command return value |

`git`

| Key | Type | Description |
|---|---|---|
| `name` | string | input name |
| `fresh_value` | string nullable | fresh command return value |
| `branch` | string nullable | branch name |
| `ref` | string nullable | reference name |
| `datetime` | string nullable | Datetime of latest revision |
| `lfs` | bool | repository uses LFS |
| `submodules` | bool | repository uses submodules |
| `rev` / `revision` | string nullable | latest revision |

`darcs`

| Key | Type | Description |
|---|---|---|
| `name` | string | input name |
| `fresh_value` | string nullable | fresh command return value |
| `context` | string nullable | path to context file |
| `tag` | string nullable | tag |
| `datetime` | string nullable | datetime of latest patch |
| `weak_hash` | string nullable | latest weak hash of the repository |

`pijul`

| Key | Type | Description |
|---|---|---|
| `name` | string | input name |
| `fresh_value` | string nullable | fresh command return value |
| `channel` | string nullable | remote channel |
| `change` | string nullable | change |
| `datetime` | string nullable | datetime of latest patch |
| `state` | string nullable | latest state of the remote or supplied state |

`fossil`

| Key | Type | Description |
|---|---|---|
| `name` | string | input name |
| `fresh_value` | string nullable | fresh command return value |
| `branch` | string nullable | branch name |
| `tag` | string nullable | tag |
| `checkin` | string nullable | check-in |
| `date` | string nullable | date of latest patch |

## Input showcase

### Darcs using exposed WeakHash to avoid needless refresh

```kdl
nixtamal {
    darcs {
        repository "https://darcs.toastal.in.th/nixtamal/stable/"
        mirrors "https://smeder.ee/~toastal/nixtamal.darcs"
    }
    fresh-cmd {
        $ curl -sL "https://darcs.toastal.in.th/nixtamal/stable/_darcs/weak_hash"
    }
}
```

### Local directory checking for latest modification

```kdl
soupault-plugins {
    file {
        url "file:///home/toastal/my-project"
    }
    fresh-cmd {
        $ find "/home/toastal/my-project" "-print0"
        | xargs "-0" stat -c %Y
        | sort -n
        | tail -n1
    }
}
```

### Eval time file with mirror + templated nodes

```kdl
mozilla-tls-guidelines {
    file fetch-time=eval {
        url "https://ssl-config.mozilla.org/guidelines/{{fresh_value}}.json"
        mirrors "https://raw.githubusercontent.com/mozilla/ssl-config-generator/refs/tags/v{{fresh_value}}/src/static/guidelines/{{fresh_value}}.json"
    }
    fresh-cmd {
        $ curl -sL "https://wiki.mozilla.org/Security/Server_Side_TLS"
        | htmlq -w -t "table.wikitable:last-of-type > tbody > tr:nth-child(2) > td:first-child"
        | head -n1
    }
}
```

### Basic Pijul with BLAKE3 hash

```kdl
pijul {
    pijul {
        remote "https://nest.pijul.com/pijul/pijul"
        channel main
    }
    hash algorithm=BLAKE3
}
```

### Inputs with patches

```kdl
patches {
    nixpkgs-pr123 "https://github.com/NixOS/nixpkgs/pull/123.diff"
    my-fix "./patches/my-fix.patch"
}
inputs {
    nixpkgs {
        git {
            repository "https://github.com/NixOS/nixpkgs.git"
            ref "refs/heads/nixos-unstable"
        }
        patches "nixpkgs-pr123" "my-fix"
    }
    nixpkgs-stable {
        git {
            repository "https://github.com/NixOS/nixpkgs.git"
            ref "refs/heads/nixos-24.05"
        }
        patches "my-fix"
    }
}
```

Local patches (starting with `./` or `../`) are applied directly from the repository & can be tracked by your VCS. “Remote” patches (meaning not local to the repository such as HTTPS, absolute paths with `file:`, & so forth) are fetched & hashed during `nixtamal lock`.

## Author

toastal

0.5.0

© 2025–2026 toastal.
© 2026 Nixtamal contributors.
Some rights reserved.
Except where otherwise noted, the content on this website is licensed under CC-BY-SA-4.0 .
Citations must attribute the work’s writer/maker & include a hyperlink to this website (or rather the work itself).
Yes, these rules/clauses apply to LLMs & AI assistants too.
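
The two Caution notes in this manual (inputs with patches cannot use `eval` fetch time; the bootstrapping Nixpkgs pin must be SHA-256) can be checked mechanically when reviewing a manifest. The following is an added example, not Nixtamal's own code: `parse`, `find`, `audit` and the sample manifest are constructed for illustration, the parser covers only the KDL subset shown on this page (no comments or multi-line strings), and only the default bootstrap names `nixpkgs` and `nixpkgs-nixtamal` are recognised.

```python
import re

SAMPLE = '''
inputs {
    nixpkgs {
        archive fetch-time=eval { url "https://example.org/{{fresh_value}}.tar.gz" }
        hash algorithm=BLAKE3
        patches "my-fix"
    }
}
'''  # constructed sample manifest, not taken from the Nixtamal documentation
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([{}])|(\n|;)|([^\s{}";]+(?:"[^"]*")?)')

def parse(text):
    """Parse the KDL subset used on this page into [name, args, props, children]."""
    stack, cur = [["", [], {}, []]], None
    for m in TOKEN.finditer(text):
        kind, tok = m.lastindex, m.group(m.lastindex)
        if (kind, tok) == (2, "{"):
            stack.append(cur)               # nodes that follow are cur's children
        elif kind == 2:
            stack.pop()
        if kind in (2, 3):
            cur = None                      # a brace or line end finishes the node
        elif cur is None:
            cur = [tok, [], {}, []]         # first token on a line names the node
            stack[-1][3].append(cur)
        elif kind == 4 and "=" in tok:
            key, _, val = tok.partition("=")
            cur[2][key] = val.strip('"')    # key=value property
        else:
            cur[1].append(tok)              # positional argument
    return stack[0]

def find(node, name):
    """First child called `name`, or an empty node when absent."""
    return next((c for c in node[3] if c[0] == name), [name, [], {}, []])

def audit(text):
    """Return findings for the two Caution notes in the manual page."""
    root, out = parse(text), []
    default = (find(root, "default-hash-algorithm")[1] or ["SHA-256"])[0]
    for i in find(root, "inputs")[3]:
        times = find(i, "fetch-time")[1] + [c[2].get("fetch-time") for c in i[3]]
        if "eval" in times and find(i, "patches")[1]:
            out.append(f"input {i[0]}: patches are incompatible with eval fetch time")
        algo = find(i, "hash")[2].get("algorithm", default)
        if i[0] in ("nixpkgs", "nixpkgs-nixtamal") and algo != "SHA-256":
            out.append(f"input {i[0]}: bootstrap Nixpkgs pin must use SHA-256")
    return out
```

`audit(SAMPLE)` reports both problems for the constructed `nixpkgs` input; the check accepts `fetch-time` written either as a property on the kind node or as a child node of the input, since both spellings appear on this page.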