Module <configname> has an unsupported attribute <something>. This is caused by introducing a top-level <name> or <name> attribute

Getting the same obscure error as many other people here.

Biggest issue is that I use the exact same config on another system without issues. Just that there I use flakes, here I just use regular nix channels.

I will share my heavily reduced configs.

My configuration.nix:

{ config, lib, pkgs, ... }:

{
  imports =
    [
      ./hardware-configuration.nix
      ...
      configs/security.nix
      ...
    ];
    
  boot.x
  networking.x
  time.x
  i18n.x
  console.x
  nixpkgs.config.x
  nix.settings.x
  boot.x
  users.users.x
  system.stateVersion = x

}

Then my configs/security.nix:

{ config, lib, pkgs, ... }:
{

    security.apparmor.enable = true;
    services.dbus.apparmor = "enabled";
    services.dbus.implementation = "broker";
    security.apparmor.killUnconfinedConfinables = true;

    config.systemd.enableStrictShellChecks = true;

    services.logrotate = {
        enable = true;
    };

    ### Kernel Arguments
    config = {
        boot.kernelParams = [
            "mitigations=auto"
            "pti=on"
            "spectre_v2=on"
            "l1tf=full,force"
        ];

        boot.initrd.luks.mitigateDMAAttacks = true;

        boot.blacklistedKernelModules = [
            "appletalk"
            "hfs"
            "hfsplus"
        ];

        boot.extraModprobeConfig = ''
            options vhost max_mem_regions=509
        '';

        boot.kernel.sysctl = {
            "net.core.bpf_jit_enable" = false;
        };
    };


    security = {
        lockKernelModules = true;
        protectKernelImage = true;
        allowSimultaneousMultithreading = true;
        unprivilegedUsernsClone = config.virtualisation.containers.enable;
        virtualisation.flushL1DataCache = "always";
    };

    security.sudo.enable = false;
    security.sudo-rs.enable = true;

    security.wrappers = {
        su.enable = false;
        pkexec.enable = false;

        chsh = {
            source = "${pkgs.shadow}/bin/chsh";
            setuid = lib.mkForce false;
            owner = "root";
            group = "root";
        };
    };

    services.clamav = {
        updater = {
            enable = true;
            interval = "6h";
        };
        scanner = {
            enable = true;
            interval = "*-*-* 17:00:00";
            scanDirectories = [
                "/home/user/Downloads"
            ];
        };
    };
}

I am getting several of these errors and did not understand the reason or the solution:

error: Module `/etc/nixos/configs/security.nix' has an unsupported attribute `security'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: security services) into the explicit `config' attribute.
error: Module `/etc/nixos/configs/security.nix' has an unsupported attribute `boot'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: boot security services) into the explicit `config' attribute.

The problem is you’re mixing the config.some.attr.path and some.attr.path styles. Either have no top-level config in your module, or put all of your config under it.

(You might suggest a rewording of this error message? I don’t understand why it trips people up, personally, but if there’s another way to say the same thing that would be clearer to you, it might be worth a PR.)

1 Like

Hmm, I see it only in here, and removing the config. breaks it:

security = {
        unprivilegedUsernsClone = config.virtualisation.containers.enable;
}

Is this not how you do it?

Right, so there’s a difference between [[this config]] and {{this config}}.

{
  [[config]].foo.bar = "value";
  bongo.drums = {{config}}.something.else;
}

This error message is only referring to [[this config]], to the left of the equals. Leave {{this config}}, to the right of the equals, alone.

1 Like

It is this part. The other one is correct.

1 Like

(It’s this part too:

    config.systemd.enableStrictShellChecks = true;

)

2 Likes

Thanks @eblechschmidt @rhendric

I removed both (I added the config around the kernel stuff to try and fix it lol).

So it was purely the systemd one.

Thanks, I guess that makes sense.

For the error message, maybe something like “redundant ‘config’ attribute in <location>. You probably want to remove it”?

I have to second that.

1 Like

Reading it again, while fairly technical, it is understandable. I don’t understand the “move it under the attribute” part, as I assume that changes the behavior.

What I think would be useful is

  • do not dump the nix code. This should be opt-in
  • give an example of what that implementation would look like
  • maybe not repeat yourself? I got the same error multiple times, even though it resulted in a build failure
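
The two module shapes the error message accepts, shown side by side as an added example (not code posted by anyone in the thread). It reuses a subset of the options from the security.nix above; splitting them into two inline modules under `imports` is an assumption made here only so both shapes fit in one file.

```nix
# Added example: the shorthand and the explicit module shape, side by side.
# Both produce ordinary definitions; a single module must pick one shape.
{ ... }:
{
  # `imports` is module structure, not configuration, so it may appear
  # next to either shape.
  imports = [
    # Shape 1: shorthand. There is no top-level `config` key, so every
    # definition sits directly at the top level of the module.
    ({ config, lib, pkgs, ... }: {
      # Previously written as `config.systemd.enableStrictShellChecks`,
      # which introduced a top-level `config` key and triggered the error.
      systemd.enableStrictShellChecks = true;

      security = {
        lockKernelModules = true;
        protectKernelImage = true;
        # Right of `=`, `config` is the function argument (the merged
        # system configuration). Reading from it is fine in both shapes.
        unprivilegedUsernsClone = config.virtualisation.containers.enable;

        wrappers.chsh = {
          source = "${pkgs.shadow}/bin/chsh";
          setuid = lib.mkForce false;
          owner = "root";
          group = "root";
        };
      };
    })

    # Shape 2: explicit. Once a top-level `config` key exists, every
    # definition has to live inside it; nothing may remain beside it
    # except `imports` and `options`.
    ({ ... }: {
      config = {
        boot.kernelParams = [ "mitigations=auto" "pti=on" ];
        boot.initrd.luks.mitigateDMAAttacks = true;
        boot.kernel.sysctl."net.core.bpf_jit_enable" = false;

        security.sudo.enable = false;
        security.sudo-rs.enable = true;
      };
    })
  ];
}
```

Moving definitions under `config = { ... }` does not change what they set; the wrapper only becomes necessary when the same module also declares `options`.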