| options/nixos/services.autorandr.profiles.<name>.config | Per output profile configuration.
|
| options/nixos/services.sanoid.templates.<name>.autosnap | Whether to automatically take snapshots.
|
| options/nixos/services.nginx.virtualHosts.<name>.reuseport | Create an individual listening socket
|
| options/nixos/boot.initrd.luks.devices.<name>.yubikey.slot | Which slot on the YubiKey to challenge.
|
| options/nixos/services.influxdb2.provision.organizations.<name>.auths.<name>.present | Whether to ensure that this user is present or absent.
|
| options/nixos/services.nsd.zones.<name>.dnssecPolicy.coverage | The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time.
|
| options/darwin/launchd.daemons.<name>.serviceConfig.LimitLoadFromHosts | This configuration file only applies to hosts NOT listed with this key
|
| options/nixos/services.wordpress.sites.<name>.database.user | Database user.
|
| options/home-manager/services.podman.containers.<name>.autoUpdate | The autoupdate policy for the container.
|
| options/home-manager/accounts.email.accounts.<name>.imap.tls | Configuration for secure connections.
|
| options/home-manager/i18n.inputMethod.fcitx5.themes.<name>.panelImage | Path to the SVG of the panel.
|
| options/home-manager/accounts.email.accounts.<name>.smtp.tls | Configuration for secure connections.
|
| options/nixos/services.snapserver.streams.<name>.query | Key-value pairs that convey additional parameters about a stream.
|
| options/nixos/services.klipper.firmwares.<name>.configFile | Path to firmware config which is generated using klipper-genconf
|
| options/home-manager/launchd.agents.<name>.config.Umask | This optional key specifies what value should be passed to umask(2) before running the job
|
| options/nixos/systemd.user.sockets.<name>.unitConfig | Each attribute in this set specifies an option in the
[Unit] section of the unit
|
| options/nixos/systemd.user.targets.<name>.unitConfig | Each attribute in this set specifies an option in the
[Unit] section of the unit
|
| options/nixos/services.fedimintd.<name>.nginx.config.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| options/nixos/services.firewalld.zones.<name>.forward | Whether to enable intra-zone forwarding
|
| options/nixos/services.vmalert.instances.<name>.rules | A list of the given alerting or recording rules against configured "datasource.url" compatible with
Prometheus HTTP API for vmalert to execute
|
| options/nixos/users.extraUsers.<name>.isSystemUser | Indicates if the user is a system user or not
|
| options/nixos/boot.loader.grub.extraFiles | A set of files to be copied to /boot
|
| options/nixos/services.grafana.provision.dashboards.settings.providers.*.name | A unique provider name.
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.pools | List of named IP pools to allocate virtual IP addresses
and other configuration attributes from
|
| options/home-manager/programs.smug.projects.<name>.root | Root path in filesystem of the smug project
|
| options/nixos/services.firewalld.zones.<name>.forwardPorts.*.to-port | |
| options/nixos/services.restic.backups.<name>.repository | Repository to back up to.
|
| options/home-manager/programs.ssh.matchBlocks.<name>.host | Host pattern used by this conditional block
|
| options/nixos/services.inadyn.settings.custom.<name>.include | File to include additional settings for this provider from.
|
| options/nixos/systemd.services.<name>.description | Description of this unit used in systemd messages and progress indicators.
|
| options/nixos/openstack.zfs.datasets.<name>.mount | Where to mount this dataset.
|
| options/nixos/services.peertube-runner.instancesToRegister.<name>.runnerName | Runner name declared to the PeerTube instance.
|
| options/nixos/systemd.targets.<name>.requires | Start the specified units when this unit is started, and stop
this unit when the specified units are stopped or fail.
|
| options/nixos/systemd.sockets.<name>.requires | Start the specified units when this unit is started, and stop
this unit when the specified units are stopped or fail.
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.updown | Updown script to invoke on CHILD_SA up and down events.
|
| options/nixos/services.cgit.<name>.gitHttpBackend.enable | Whether to bypass cgit and use git-http-backend for HTTP clones
|
| options/nixos/services.snipe-it.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| options/home-manager/services.muchsync.remotes.<name>.local.importNew | Whether to begin the synchronisation by running
notmuch new locally.
|
| options/home-manager/services.xsuspender.rules.<name>.execResume | Before resuming, execute this shell script
|
| options/nixos/services.sanoid.datasets.<name>.autoprune | Whether to automatically prune old snapshots.
|
| options/nixos/services.wyoming.faster-whisper.servers.<name>.uri | URI to bind the wyoming server to.
|
| options/darwin/launchd.user.agents.<name>.serviceConfig.LimitLoadFromHosts | This configuration file only applies to hosts NOT listed with this key
|
| options/nixos/services.postfix.masterConfig.<name>.private | Whether the service's sockets and storage directory are restricted to
be only available via the mail system
|
| options/nixos/services.fedimintd.<name>.nginx.config.onlySSL | Whether to enable HTTPS and reject plain HTTP connections
|
| options/nixos/services.restic.backups.<name>.dynamicFilesFrom | A script that produces a list of files to back up
|
| options/nixos/services.strongswan-swanctl.swanctl.secrets.ecdsa.<name>.file | File name in the ecdsa folder for which this
passphrase should be used.
|
| options/nixos/services.strongswan-swanctl.swanctl.secrets.pkcs8.<name>.file | File name in the pkcs8 folder for which this
passphrase should be used.
|
| options/nixos/services.github-runners.<name>.group | Group under which to run the service
|
| options/nixos/services.drupal.sites.<name>.virtualHost.extraConfig | These lines go to httpd.conf verbatim
|
| options/nixos/services.librenms.nginx.locations.<name>.root | Root directory for requests.
|
| options/nixos/services.agorakit.nginx.locations.<name>.root | Root directory for requests.
|
| options/nixos/services.dolibarr.nginx.locations.<name>.root | Root directory for requests.
|
| options/nixos/services.kanboard.nginx.locations.<name>.root | Root directory for requests.
|
| options/nixos/services.fediwall.nginx.locations.<name>.root | Root directory for requests.
|
| options/nixos/services.mainsail.nginx.locations.<name>.root | Root directory for requests.
|
| options/nixos/services.pixelfed.nginx.locations.<name>.root | Root directory for requests.
|
| options/nixos/services.wordpress.sites.<name>.database.port | Database host port.
|
| options/nixos/services.wordpress.sites.<name>.database.host | Database host address.
|
| options/darwin/services.buildkite-agents.<name>.preCommands | Extra commands to run before starting buildkite.
|
| options/darwin/launchd.daemons.<name>.serviceConfig.LowPriorityIO | This optional key specifies whether the kernel should consider this daemon to be low priority when
doing file system I/O.
|
| options/nixos/boot.loader.grub.users.<name>.password | Specifies the clear text password for the account
|
| options/nixos/systemd.user.timers.<name>.timerConfig | Each attribute in this set specifies an option in the
[Timer] section of the unit
|
| options/nixos/systemd.timers.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit
|
| options/nixos/systemd.slices.<name>.requiredBy | Units that require (i.e. depend on and need to go down with) this unit
|
| options/nixos/systemd.user.paths.<name>.conflicts | If the specified units are started, then this unit is stopped
and vice versa.
|
| options/home-manager/programs.floorp.profiles.<name>.id | Profile ID
|
| options/home-manager/services.unison.pairs.<name>.commandOptions | Additional command line options as a dictionary to pass to the
unison program
|
| options/nixos/services.mautrix-meta.instances.<name>.dataDir | Path to the directory with database, registration, and other data for the bridge service
|
| options/nixos/security.acme.certs.<name>.server | ACME Directory Resource URI
|
| options/nixos/systemd.user.services.<name>.restartTriggers | An arbitrary list of items such as derivations
|
| options/nixos/services.restic.backups.<name>.initialize | Create the repository if it doesn't exist.
|
| options/home-manager/services.podman.containers.<name>.volumes | The volumes to mount into the container.
|
| options/home-manager/services.podman.containers.<name>.devices | The devices to mount into the container
|
| options/nixos/services.prefect.workerPools.<name>.installPolicy | Install policy for the worker (always, if-not-present, never, prompt)
|
| options/nixos/services.jibri.xmppEnvironments.<name>.control.muc.nickname | The nickname for this Jibri instance in the MUC.
|
| options/nixos/services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| options/nixos/services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| options/home-manager/programs.firefox.profiles.<name>.extensions.settings.<name>.force | Forcibly override any existing configuration for
this extension.
|
| options/nixos/services.firewalld.services.<name>.sourcePorts | Source ports for the service.
|
| options/nixos/security.acme.certs.<name>.extraLegoRenewFlags | Additional flags to pass to lego renew.
|
| options/nixos/services.kanata.keyboards.<name>.devices | Paths to keyboard devices
|
| options/nixos/services.httpd.virtualHosts.<name>.documentRoot | The path of Apache's document root directory
|
| options/nixos/services.firewalld.zones.<name>.ports.*.protocol | |
| options/nixos/services.akkoma.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| options/nixos/services.gancio.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| options/nixos/services.fluidd.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| options/nixos/services.gancio.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| options/nixos/services.fluidd.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| options/nixos/services.akkoma.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| options/nixos/services.monica.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| options/nixos/services.monica.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| options/nixos/services.matomo.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| options/nixos/services.matomo.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| options/nixos/services.awstats.configs.<name>.webService.enable | Whether to enable awstats web service.
|
| options/nixos/services.easytier.instances.<name>.extraArgs | Extra args to append to the easytier command line.
|
| options/nixos/services.davis.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| options/nixos/services.logrotate.settings.<name>.enable | Whether to enable setting individual kill switch.
|
| options/nixos/services.slskd.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| options/nixos/services.movim.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| options/darwin/launchd.agents.<name>.serviceConfig.SessionCreate | This key specifies that the job should be spawned into a new security
audit session rather than the default session for the context it belongs
to
|