| options/darwin/services.gitlab-runner.services.<name>.preCloneScript | Runner-specific command script executed before code is pulled.
|
| options/nixos/services.firewalld.services.<name>.helpers | Helpers for the service.
|
| options/nixos/services.firewalld.services.<name>.version | Version of the service.
|
| options/nixos/services.postfix.masterConfig.<name>.private | Whether the service's sockets and storage directory are restricted to
be only available via the mail system
|
| options/nixos/services.restic.backups.<name>.dynamicFilesFrom | A script that produces a list of files to back up
|
| options/home-manager/programs.fish.shellAbbrs.<name>.setCursor | The marker indicates the position of the cursor when the abbreviation
is expanded
|
| options/nixos/services.fluidd.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| options/nixos/services.gancio.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| options/nixos/services.akkoma.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| options/nixos/services.fedimintd.<name>.nginx.config.extraConfig | These lines go to the end of the vhost verbatim.
|
| options/nixos/services.matomo.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| options/nixos/services.monica.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| options/nixos/services.redis.servers.<name>.maxclients | Set the max number of connected clients at the same time.
|
| options/home-manager/services.kanshi.profiles.<name>.outputs.*.status | Enables or disables the specified output.
|
| options/nixos/openstack.zfs.datasets.<name>.mount | Where to mount this dataset.
|
| options/nixos/services.kanata.keyboards.<name>.extraDefCfg | Configuration of defcfg other than linux-dev (generated
from the devices option) and
linux-continue-if-no-devs-found (hardcoded to be yes)
|
| options/nixos/services.keyd.keyboards.<name>.extraConfig | Extra configuration that is appended to the end of the file.
Do not write ids section here, use a separate option for it
|
| options/nixos/services.roundcube.database.dbname | Name of the postgresql database
|
| options/nixos/services.nominatim.database.dbname | Name of the postgresql database.
|
| options/nixos/services.keepalived.vrrpInstances.<name>.virtualIps.*.dev | The name of the device to add the address to.
|
| options/nixos/services.errbot.instances.<name>.identity | Errbot identity configuration
|
| options/home-manager/services.xsuspender.rules.<name>.resumeEvery | Resume interval in seconds.
|
| options/nixos/security.acme.certs.<name>.extraLegoRenewFlags | Additional flags to pass to lego renew.
|
| options/nixos/services.nginx.virtualHosts.<name>.reuseport | Create an individual listening socket
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.interface | Optional interface name to restrict outbound IPsec policies.
|
| options/nixos/services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| options/nixos/services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| options/nixos/services.mautrix-meta.instances.<name>.dataDir | Path to the directory with database, registration, and other data for the bridge service
|
| options/nixos/networking.fooOverUDP.<name>.local.address | Local address to bind to
|
| options/nixos/services.firezone.server.provision.accounts.<name>.resources.<name>.gatewayGroups | A list of gateway groups (sites) which can reach the resource and may be used to connect to it.
|
| options/nixos/security.pam.services.<name>.kwallet.forceRun | The force_run option is used to tell the PAM module for KWallet
to forcefully run even if no graphical session (such as a GUI
display manager) is detected
|
| options/nixos/services.wstunnel.servers.<name>.restrictTo | Accepted traffic will be forwarded only to this service.
|
| options/nixos/services.keepalived.vrrpScripts.<name>.fall | Required number of failures for KO transition.
|
| options/nixos/services.keepalived.vrrpScripts.<name>.rise | Required number of successes for OK transition.
|
| options/nixos/services.rke2.autoDeployCharts.<name>.enable | Whether to enable the installation of this Helm chart
|
| options/darwin/launchd.agents.<name>.serviceConfig.SessionCreate | This key specifies that the job should be spawned into a new security
audit session rather than the default session for the context it belongs
to
|
| options/nixos/services.strongswan-swanctl.swanctl.secrets.pkcs12.<name>.file | File name in the pkcs12 folder for which this
passphrase should be used.
|
| options/home-manager/programs.ssh.matchBlocks.<name>.match | Match block conditions used by this block
|
| options/home-manager/programs.opencode.skills | Custom agent skills for opencode
|
| options/nixos/services.firewalld.zones.<name>.forwardPorts.*.port | |
| options/nixos/services.snapserver.streams.<name>.query | Key-value pairs that convey additional parameters about a stream.
|
| options/nixos/services.klipper.firmwares.<name>.configFile | Path to firmware config which is generated using klipper-genconf
|
| options/home-manager/programs.gnome-terminal.profile.<name>.visibleName | The profile name.
|
| options/nixos/boot.initrd.luks.devices.<name>.fido2.gracePeriod | Time in seconds to wait for the FIDO2 key.
|
| options/darwin/launchd.daemons.<name>.serviceConfig.LowPriorityIO | This optional key specifies whether the kernel should consider this daemon to be low priority when
doing file system I/O.
|
| options/nixos/services.nylon.<name>.nrConnections | The number of allowed simultaneous connections to the daemon, default 10.
|
| options/nixos/services.kanata.keyboards.<name>.devices | Paths to keyboard devices
|
| options/nixos/services.httpd.virtualHosts.<name>.documentRoot | The path of Apache's document root directory
|
| options/home-manager/programs.obsidian.vaults.<name>.settings.hotkeys.<name>.*.modifiers | The hotkey modifiers.
|
| options/nixos/networking.ipips.<name>.remote | The address of the remote endpoint to forward traffic over.
|
| options/nixos/systemd.slices.<name>.startLimitBurst | Configure unit start rate limiting
|
| options/nixos/systemd.timers.<name>.startLimitBurst | Configure unit start rate limiting
|
| options/nixos/security.auditd.plugins.<name>.args | This allows you to pass arguments to the child program
|
| options/nixos/services.fediwall.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| options/nixos/services.dolibarr.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| options/nixos/services.anuko-time-tracker.nginx.locations.<name>.root | Root directory for requests.
|
| options/nixos/services.agorakit.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| options/nixos/services.kanboard.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| options/nixos/services.librenms.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| options/nixos/services.mainsail.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| options/nixos/services.pixelfed.nginx.locations.<name>.tryFiles | Adds try_files directive.
|
| options/nixos/services.vdirsyncer.jobs.<name>.config.statusPath | vdirsyncer's status path
|
| options/nixos/services.davis.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| options/nixos/services.movim.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| options/nixos/services.slskd.nginx.locations.<name>.basicAuthFile | Basic Auth password file for a vhost
|
| options/nixos/services.openvpn.servers.<name>.authUserPass | This option can be used to store the username / password credentials
with the "auth-user-pass" authentication method
|
| options/nixos/services.authelia.instances.<name>.enable | Whether to enable Authelia instance.
|
| options/nixos/services.autorandr.profiles.<name>.config | Per output profile configuration.
|
| options/nixos/services.sanoid.templates.<name>.autosnap | Whether to automatically take snapshots.
|
| options/home-manager/services.xsuspender.rules.<name>.execResume | Before resuming, execute this shell script
|
| options/nixos/services.buildkite-agents.<name>.package | The buildkite-agent package to use.
|
| options/darwin/services.buildkite-agents.<name>.package | Which buildkite-agent derivation to use
|
| options/nixos/services.spiped.config.<name>.weakHandshake | Use fast/weak handshaking: This reduces the CPU time spent
in the initial connection setup, at the expense of losing
perfect forward secrecy.
|
| options/nixos/services.openvpn.servers.<name>.authUserPass.password | The password to store inside the credentials file.
|
| options/nixos/services.fcgiwrap.instances.<name>.socket.type | Socket type: 'unix', 'tcp' or 'tcp6'.
|
| options/nixos/services.fcgiwrap.instances.<name>.socket.user | User to be set as owner of the UNIX socket.
|
| options/nixos/services.v4l2-relayd.instances.<name>.output.format | The video-format to write to output-stream.
|
| options/nixos/services.fedimintd.<name>.nginx.config.listen.*.port | Port number to listen on
|
| options/nixos/programs.neovim.runtime.<name>.source | Path of the source file.
|
| options/nixos/systemd.user.services.<name>.restartTriggers | An arbitrary list of items such as derivations
|
| options/nixos/services.displayManager.dms-greeter.compositor.name | The Wayland compositor to run the greeter in
|
| options/home-manager/programs.floorp.profiles.<name>.extensions.settings.<name>.force | Forcibly override any existing configuration for
this extension.
|
| options/home-manager/accounts.email.accounts.<name>.imap.port | The port on which the IMAP server listens
|
| options/home-manager/accounts.email.accounts.<name>.smtp.port | The port on which the SMTP server listens
|
| options/nixos/security.pam.services.<name>.gnupg.noAutostart | Don't start gpg-agent if it is not running
|
| options/nixos/services.orangefs.server.fileSystems.<name>.troveSyncData | Sync data.
|
| options/nixos/services.vdirsyncer.jobs.<name>.config.general | general configuration
|
| options/nixos/systemd.user.slices.<name>.startLimitBurst | Configure unit start rate limiting
|
| options/nixos/systemd.user.timers.<name>.startLimitBurst | Configure unit start rate limiting
|
| options/nixos/services.bitcoind.<name>.prune | Reduce storage requirements by enabling pruning (deleting) of old
blocks
|
| options/home-manager/services.podman.containers.<name>.autoUpdate | The autoupdate policy for the container.
|
| options/darwin/launchd.user.agents.<name>.serviceConfig.RootDirectory | This optional key is used to specify a directory to chroot(2) to before running the job.
|
| options/nixos/systemd.network.links.<name>.linkConfig | Each attribute in this set specifies an option in the
[Link] section of the unit
|
| options/nixos/services.radicle.httpd.nginx.locations.<name>.return | Adds a return directive, for e.g. redirections.
|
| options/nixos/services.dokuwiki.sites.<name>.settings | Structural DokuWiki configuration
|
| options/nixos/services.davis.nginx.serverName | Name of this virtual host
|
| options/nixos/services.movim.nginx.serverName | Name of this virtual host
|
| options/nixos/services.slskd.nginx.serverName | Name of this virtual host
|
| options/nixos/services.jibri.xmppEnvironments.<name>.control.login.username | User part of the JID.
|
| options/nixos/services.vmalert.instances.<name>.enable | Whether to enable VictoriaMetrics's vmalert.
vmalert evaluates alerting and recording rules against a data source, sends notifications via Alertmanager.
|