Partially removing modules from NixOS

A technique I needed to redefine / overwrite a service configuration which was defined upstream.

April 21, 2024

I use OAuth2 Proxy in my home cluster, which runs NixOS. My update policy for this cluster is, quite literally, best effort when the vibes feel like it I remember to.

Recently, a change was introduced upstream in nixos/nixpkgs, where the OAuth2 Proxy integration with Nginx had a regression for my use case of forwarding authorization header as X-User and X-Email.

This problem was preventing me from using my Grafana instance, since I have it configured to use proxy authentication.

So now I’m stuck in a situation where I want to stay updated upstream for everything, except for OAuth2 Proxy Nginx integration. Simply redefining the options will end up with a complaint from Nix, as it won’t accept overwrite as is.

And then I learned about a new option: disabledModules. As the name states, it tells NixOS to not use certain paths from derivations.

To accomplish a “working setup” I pretty much have to copy over the service configuration prior to recent changes, then mark the upstream path as disabled.

{
  disabledModules = [ "services/security/oauth2_proxy_nginx.nix" ];

  # The rest of this file is copied from 2e751c077 of nixos/nixpkgs
  # under nixos/modules/services/security/oauth2_proxy_nginx.nix
  options.services.oauth2_proxy.nginx = {
    proxy = {
  # ...
}

Afterwards, make sure to import the file above as imports from the configuration.nix (or its import tree).

Thanks for reading. More like this?

#nix #til

© 2023-2025 Wilson Husin

This site was last updated 2025-09-16T22:01:08-0700.

:wq