| options/nixos/services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| options/nixos/services.aria2.serviceUMask | The file mode creation mask for the Aria2 service
|
| options/nixos/services.hologram-server.enableLdapRoles | Whether to assign user roles based on the user's LDAP group memberships
|
| options/nixos/services.opensearch.dataDir | Data directory for OpenSearch
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert_policy | List of certificate policy OIDs the peer's certificate must have
|
| options/home-manager/accounts.email.accounts.<name>.mbsync.groups.<name>.channels.<name>.patterns | Instead of synchronizing just the mailboxes that match the farPattern, use it as a prefix which is not matched against the patterns, and is not affected by mailbox list overrides.
|
| options/nixos/services.rke2.cisHardening | Enable CIS Hardening for RKE2
|
| options/nixos/services.smartdns.settings | A set that will be generated into configuration file, see the SmartDNS README for details of configuration parameters
|
| options/nixos/services.prometheus.remoteRead.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.borgbackup.repos.<name>.user | The user borg serve is run as
|
| options/nixos/services.pipewire.systemWide | If true, a system-wide PipeWire service and socket is enabled, allowing all users in the "pipewire" group to use it simultaneously
|
| options/nixos/services.displayManager.lemurs.enable | Whether to enable lemurs, a customizable TUI display/login manager. For Wayland compositors, your user must be in the "seat" group.
|
| options/home-manager/accounts.email.accounts.<name>.mbsync.groups.<name>.channels.<name>.farPattern | IMAP4 patterns for which mailboxes on the remote mail server to sync
|
| options/nixos/services.prometheus.remoteWrite.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.prometheus.scrapeConfigs.*.digitalocean_sd_configs.*.tls_config.cert_file | Certificate file for client cert authentication to the server.
|
| options/nixos/<imports = [ pkgs.ghostunnel.services.default ]>.ghostunnel.allowAll | If true, allow all clients, do not check client cert subject.
|
| options/home-manager/accounts.email.accounts.<name>.mbsync.groups.<name>.channels.<name>.nearPattern | Name for where mail coming from the remote (far) mail server will end up locally
|
| options/nixos/services.firezone.gui-client.allowedUsers | All listed users will become part of the firezone-client group so that they can control the tunnel service
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.send_certreq | Send certificate request payloads to offer trusted root CA certificates to the peer
|
| options/home-manager/programs.fish.functions.<name>.onJobExit | Tells fish to run this function when the job with the specified group ID exits
|
| options/nixos/services.strongswan-swanctl.swanctl.authorities.<name>.cert_uri_base | Defines the base URI for the Hash and URL feature supported by IKEv2
|
| options/nixos/virtualisation.virtualbox.host.enableHardening | Enable hardened VirtualBox, which ensures that only the binaries in the system path get access to the devices exposed by the kernel modules instead of all users in the vboxusers group. Disabling this can put your system's security at risk, as local users in the vboxusers group can tamper with the VirtualBox device files.
|
| options/nixos/services.prometheus.scrapeConfigs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.nebula-lighthouse-service.user | The user and group to run nebula-lighthouse-service as.
|
| options/nixos/services.authelia.instances.<name>.name | Name is used as a suffix for the service name, user, and group
|
| options/home-manager/launchd.agents.<name>.config.AbandonProcessGroup | When a job dies, launchd kills any remaining processes with the same process group ID as the job
|
| options/nixos/services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_groups | List of groups to allow access to this vhost, or null to allow all.
|
| options/nixos/services.multipath.devices.*.failback | Tell multipathd how to manage path group failback
|
| options/nixos/services.glusterfs.killMode | The systemd KillMode to use for glusterd. glusterd spawns other daemons like gsyncd
|
| options/nixos/services.nominatim.database.superUser | PostgreSQL database superuser used to create the Nominatim database and import data
|
| options/nixos/programs.firefox.policies | Group policies to install
|
| options/nixos/services.dnsdist.dnscrypt.providerKey | The filepath to the provider secret key
|
| options/nixos/services.kubo.settings.Addresses.API | Multiaddr or array of multiaddrs describing the address to serve the local HTTP API on
|
| options/nixos/services.roundcube.database.username | Username for the PostgreSQL connection
|
| options/nixos/services.matrix-synapse.settings.tls_certificate_path | PEM encoded X509 certificate for TLS
|
| options/nixos/programs.thunderbird.policies | Group policies to install
|
| options/nixos/services.lifecycled.cloudwatchGroup | Write logs to a specific Cloudwatch Logs group.
|
| options/nixos/services.openssh.authorizedKeysCommand | Specifies a program to be used to look up the user's public keys
|
| options/nixos/services.pulseaudio.systemWide | If false, a PulseAudio server is launched automatically for each user that tries to use the sound system
|
| options/nixos/services.varnish.listen.*.address | If given an IP address, it can be a host name ("localhost"), an IPv4 dotted-quad ("127.0.0.1") or an IPv6 address enclosed in square brackets ("[::1]"). (VCL 4.1 and higher) If given an absolute path ("/path/to/listen.sock") or "@" followed by the name of an abstract socket ("@myvarnishd"), accept connections on a Unix domain socket
|
| options/darwin/launchd.agents.<name>.serviceConfig.AbandonProcessGroup | When a job dies, launchd kills any remaining processes with the same process group ID as the job
|
| options/darwin/launchd.user.agents.<name>.serviceConfig.AbandonProcessGroup | When a job dies, launchd kills any remaining processes with the same process group ID as the job
|
| options/nixos/services.multipath.devices.*.rr_min_io | Number of I/O requests to route to a path before switching to the next in the same path group
|
| options/nixos/services.aria2.downloadDirPermission | The permission for settings.dir
|
| options/darwin/launchd.daemons.<name>.serviceConfig.AbandonProcessGroup | When a job dies, launchd kills any remaining processes with the same process group ID as the job
|
| options/nixos/services.transmission.enable | Whether to enable the headless Transmission BitTorrent daemon
|
| options/nixos/services.journald.upload.settings.Upload.ServerKeyFile | SSL key in PEM format
|
| options/nixos/virtualisation.docker.enable | This option enables docker, a daemon that manages Linux containers
|
| options/home-manager/services.xsuspender.rules.<name>.matchWmClassGroupContains | Match windows where wm class group contains string.
|
| options/nixos/virtualisation.lxd.enable | This option enables lxd, a daemon that manages containers
|
| options/nixos/services.anuko-time-tracker.settings.defaultLanguage | Defines Anuko Time Tracker default language
|
| options/home-manager/services.xsuspender.defaults.matchWmClassGroupContains | Match windows where wm class group contains string.
|
| options/nixos/virtualisation.kvmgt.enable | Whether to enable KVMGT (iGVT-g) VGPU support
|
| options/nixos/services.postfixadmin.database.username | Username for the PostgreSQL connection
|
| options/nixos/services.matrix-continuwuity.settings.global.unix_socket_path | Listen on a UNIX socket at the specified path
|
| options/nixos/networking.wireless.userControlled | Allow users of the wpa_supplicant group to control wpa_supplicant through wpa_gui or wpa_cli
|
| options/home-manager/launchd.agents.<name>.config.Sockets.<name>.MulticastGroup | This optional key can be used to request that the datagram socket join a multicast group
|
| options/nixos/virtualisation.libvirtd.enable | This option enables libvirtd, a daemon that manages virtual machines
|
| options/nixos/services.firezone.server.provision.accounts.<name>.relayGroups | All relay groups to provision
|
| options/nixos/services.firezone.server.provision.accounts.<name>.relayGroups.<name>.name | The name of this relay group
|
| options/nixos/services.archisteamfarm.ipcPasswordFile | Path to a file containing the password
|
| options/nixos/services.multipath.devices.*.rr_min_io_rq | Number of I/O requests to route to a path before switching to the next in the same path group
|
| options/nixos/services.netbird.clients | Attribute set of NetBird client daemons; by default each one will:
- be manageable using dedicated tooling: the netbird-<name> script and, when appropriate (see ui.enable), the "NetBird - netbird-<name>" graphical interface,
- run as a netbird-<name>.service,
- listen for incoming remote connections on port 51820 (openFirewall by default),
- manage the netbird-<name> wireguard interface,
- use the /var/lib/netbird-/config.json configuration file,
- override /var/lib/netbird-/config.json with values from /etc/netbird-/config.d/*.json,
- (hardened) be locally manageable by the netbird-<name> system group,
With the following caveats:
- multiple daemons will interfere with each other's DNS resolution of netbird.cloud, but should remain fully operational otherwise
|
| options/nixos/virtualisation.virtualbox.host.enable | Whether to enable VirtualBox. In order to pass USB devices from the host to the guests, the user needs to be in the vboxusers group.
|
| options/nixos/services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with a minimal set of permissions (see caveats),
- restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Caveats:
- even though access to local system resources is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command, see the docs
|
| options/nixos/services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with a minimal set of permissions (see caveats),
- restricts daemon configuration socket access to a dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Caveats:
- even though access to local system resources is restricted, CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely through the --enable-rosenpass flag on the netbird up command, see the docs
|
| options/nixos/services.firezone.server.provision.accounts.<name>.gatewayGroups | All gateway groups (sites) to provision
|
| options/nixos/services.firezone.server.provision.accounts.<name>.gatewayGroups.<name>.name | The name of this gateway group
|
| options/nixos/services.prometheus.scrapeConfigs.*.triton_sd_configs.*.groups | A list of groups for which targets are retrieved, only supported when targeting the container role
|
| options/darwin/launchd.agents.<name>.serviceConfig.Sockets.<name>.MulticastGroup | This optional key can be used to request that the datagram socket join a multicast group
|
| options/darwin/launchd.user.agents.<name>.serviceConfig.Sockets.<name>.MulticastGroup | This optional key can be used to request that the datagram socket join a multicast group
|
| options/nixos/services.bitwarden-directory-connector-cli.sync.removeDisabled | Remove users from Bitwarden groups if they are no longer in the LDAP group.
|
| options/nixos/services.keepalived.vrrpInstances.<name>.unicastPeers | Do not send VRRP adverts over VRRP multicast group
|
| options/nixos/services.prometheus.scrapeConfigs.*.http_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.prometheus.scrapeConfigs.*.kuma_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.archisteamfarm.bots.<name>.passwordFile | Path to a file containing the password
|
| options/darwin/launchd.daemons.<name>.serviceConfig.Sockets.<name>.MulticastGroup | This optional key can be used to request that the datagram socket join a multicast group
|
| options/nixos/services.multipath.devices.*.path_grouping_policy | The default path grouping policy to apply to unspecified multipaths
|
| options/nixos/services.bitwarden-directory-connector-cli.sync.memberAttribute | Attribute that lists the members of an LDAP group.
|
| options/nixos/services.prometheus.scrapeConfigs.*.azure_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.prometheus.scrapeConfigs.*.triton_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.prometheus.scrapeConfigs.*.eureka_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.prometheus.scrapeConfigs.*.linode_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.prometheus.scrapeConfigs.*.consul_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.prometheus.scrapeConfigs.*.docker_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.librenms.distributedPoller.distributedBilling | Enable distributed billing on this poller
|
| options/nixos/services.prometheus.scrapeConfigs.*.hetzner_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.prometheus.scrapeConfigs.*.static_configs.*.targets | The targets specified by the target group.
|
| options/nixos/services.kanidm.unix.settings.kanidm.pam_allowed_login_groups | Kanidm groups that are allowed to login using PAM.
|
| options/nixos/services.prometheus.scrapeConfigs.*.puppetdb_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.prometheus.scrapeConfigs.*.marathon_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.prometheus.scrapeConfigs.*.scaleway_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.kanidm.unixSettings.pam_allowed_login_groups | Kanidm groups that are allowed to login using PAM.
|
| options/nixos/services.matrix-tuwunel.settings.global.unix_socket_path | Listen on a UNIX socket at the specified path
|
| options/nixos/services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.transmission.downloadDirPermissions | If not null, used as the permissions set by system.activationScripts.transmission-daemon on the directories services.transmission.settings.download-dir, services.transmission.settings.incomplete-dir, and services.transmission.settings.watch-dir
|
| options/nixos/services.prometheus.scrapeConfigs.*.kubernetes_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.tls_config.key_file | Key file for client cert authentication to the server.
|
| options/nixos/services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.separator | The string by which Uyuni group names are joined into the groups label. Defaults to "," in Prometheus when set to null.
|