| options/nixos/services.wordpress.sites.<name>.database.port | Database host port.
|
| options/nixos/services.wordpress.sites.<name>.database.host | Database host address.
|
| options/darwin/services.buildkite-agents.<name>.preCommands | Extra commands to run before starting buildkite.
|
| options/home-manager/accounts.email.accounts.<name>.meli.mailboxes | Mailboxes to show in meli
|
| options/home-manager/accounts.email.accounts.<name>.mbsync.patterns | Pattern of mailboxes to synchronize.
|
| options/nixos/services.nsd.zones.<name>.dnssecPolicy.coverage | The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time.
|
| options/darwin/launchd.agents.<name>.serviceConfig.LimitLoadFromHosts | This configuration file only applies to hosts NOT listed with this key
|
| options/nixos/services.drupal.sites.<name>.virtualHost.listen | Listen addresses and ports for this virtual host.
This option overrides addSSL, forceSSL and onlySSL
|
| options/nixos/services.influxdb2.provision.organizations.<name>.buckets.<name>.present | Whether to ensure that this bucket is present or absent.
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.groups | Authorization group memberships to require
|
| options/home-manager/services.muchsync.remotes.<name>.local.importNew | Whether to begin the synchronisation by running
notmuch new locally.
|
| options/home-manager/services.xsuspender.rules.<name>.execResume | Before resuming, execute this shell script
|
| options/nixos/services.restic.backups.<name>.initialize | Create the repository if it doesn't exist.
|
| options/home-manager/accounts.calendar.accounts.<name>.primary | Whether this is the primary account
|
| options/nixos/services.firewalld.zones.<name>.ports.*.protocol | |
| options/nixos/services.snipe-it.nginx.locations.<name>.basicAuth | Basic Auth protection for a vhost
|
| options/nixos/services.rke2.manifests.<name>.content | Content of the manifest file
|
| options/nixos/services.fedimintd.<name>.nginx.config.addSSL | Whether to enable HTTPS in addition to plain HTTP
|
| options/nixos/services.firewalld.zones.<name>.forward | Whether to enable intra-zone forwarding
|
| options/nixos/services.vmalert.instances.<name>.rules | A list of the given alerting or recording rules against configured "datasource.url" compatible with
Prometheus HTTP API for vmalert to execute
|
| options/nixos/services.prefect.workerPools.<name>.installPolicy | Install policy for the worker (always, if-not-present, never, prompt)
|
| options/darwin/environment.launchDaemons.<name>.enable | Whether this file should be generated
|
| options/nixos/services.hostapd.radios.<name>.networks.<name>.authentication.saeAddToMacAllow | If set, all sae password entries that have a non-wildcard MAC associated to
them will additionally be used to populate the MAC allow list
|
| options/nixos/services.drupal.sites.<name>.virtualHost.extraConfig | These lines go to httpd.conf verbatim
|
| options/darwin/launchd.agents.<name>.serviceConfig.LowPriorityIO | This optional key specifies whether the kernel should consider this daemon to be low priority when
doing file system I/O.
|
| options/home-manager/programs.firefox.profiles.<name>.search.order | The order the search engines are listed in
|
| options/nixos/services.nipap.settings.nipapd.db_name | Name of database to use on PostgreSQL server.
|
| options/home-manager/xsession.windowManager.bspwm.rules.<name>.manage | Whether the window should be managed by bspwm
|
| options/nixos/services.awstats.configs.<name>.webService.enable | Whether to enable awstats web service.
|
| options/nixos/services.easytier.instances.<name>.extraArgs | Extra args to append to the easytier command line.
|
| options/nixos/services.davis.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| options/nixos/services.logrotate.settings.<name>.enable | Whether to enable setting individual kill switch.
|
| options/nixos/services.slskd.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| options/nixos/services.movim.nginx.locations.<name>.extraConfig | These lines go to the end of the location verbatim.
|
| options/darwin/networking.wg-quick.interfaces.<name>.mtu | MTU to set for this interface, automatically set if not specified
|
| options/home-manager/programs.ssh.matchBlocks.<name>.dynamicForwards.*.port | Specifies port number to bind to.
|
| options/nixos/networking.bonds | This option allows you to define bond devices that aggregate multiple,
underlying networking interfaces together
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.reqid | Fixed reqid to use for this CHILD_SA
|
| options/nixos/systemd.user.services.<name>.restartTriggers | An arbitrary list of items such as derivations
|
| options/nixos/services.jibri.xmppEnvironments.<name>.control.login.username | User part of the JID.
|
| options/nixos/services.fedimintd.<name>.nginx.config.listen.*.addr | Listen address.
|
| options/nixos/networking.wg-quick.interfaces.<name>.preUp | Commands called at the start of the interface setup.
|
| options/nixos/services.v4l2-relayd.instances.<name>.input.height | The height to read from input-stream.
|
| options/darwin/networking.wg-quick.interfaces.<name>.preUp | List of commands to run before interface setup.
|
| options/nixos/services.multipath.devices.*.ghost_delay | Sets the number of seconds that multipath will wait after creating a device with only ghost paths before marking it ready for use in systemd
|
| options/home-manager/accounts.contact.accounts.<name>.khard.type | Either a single vdir located in accounts.contact.accounts._name_.local.path
or multiple automatically discovered vdirs in
accounts.contact.accounts._name_.local.path/accounts.contact.accounts._name_.khard.glob.
|
| options/nixos/services.postfix.masterConfig.<name>.private | Whether the service's sockets and storage directory are restricted to
be only available via the mail system
|
| options/nixos/services.fedimintd.<name>.nginx.config.onlySSL | Whether to enable HTTPS and reject plain HTTP connections
|
| options/nixos/services.restic.backups.<name>.dynamicFilesFrom | A script that produces a list of files to back up
|
| options/nixos/services.libinput.touchpad.dev | Path for touchpad device
|
| options/nixos/services.code-server.extensionsDir | Path to the extensions directory.
|
| options/nixos/services.bluesky-pds.pdsadmin.enable | Add pdsadmin script to PATH
|
| options/nixos/services.buildbot-master.masterCfg | Optionally pass master.cfg path
|
| options/nixos/services.forgejo.database.socket | Path to the unix socket file to use for authentication.
|
| options/nixos/services.gokapi.settingsFile | Path to config file to parse and append to settings
|
| options/nixos/services.forgejo.settings.log.ROOT_PATH | Root path for log files.
|
| options/nixos/services.ncps.cache.storage.s3.accessKeyIdPath | The path to a file containing only the access-key-id.
|
| options/nixos/services.shibboleth-sp.configFile | Path to shibboleth config file
|
| options/nixos/services.restic.server.htpasswd-file | The path to the servers .htpasswd file
|
| options/nixos/services.outline.storage.secretKeyFile | File path that contains the S3 secret key.
|
| options/nixos/services.syncplay.passwordFile | Path to the file that contains the server password
|
| options/nixos/services.redmine.database.socket | Path to the unix socket file to use for authentication.
|
| options/nixos/services.lasuite-meet.secretKeyPath | Path to the Django secret key
|
| options/nixos/services.lasuite-docs.secretKeyPath | Path to the Django secret key
|
| options/nixos/services.akkoma.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| options/nixos/services.gancio.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| options/nixos/services.fluidd.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| options/nixos/services.gancio.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| options/nixos/services.fluidd.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| options/nixos/services.akkoma.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| options/nixos/services.monica.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| options/nixos/services.monica.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| options/nixos/services.matomo.nginx.locations.<name>.proxyPass | Adds proxy_pass directive and sets recommended proxy headers if
recommendedProxySettings is enabled.
|
| options/nixos/services.matomo.nginx.locations.<name>.uwsgiPass | Adds uwsgi_pass directive and sets recommended proxy headers if
recommendedUwsgiSettings is enabled.
|
| options/home-manager/accounts.email.accounts.<name>.mbsync.subFolders | The on-disk folder naming style
|
| options/nixos/services.fedimintd.<name>.nginx.config.default | Makes this vhost the default.
|
| options/home-manager/programs.hexchat.channels.<name>.options.forceSSL | Use SSL for all servers.
|
| options/darwin/launchd.daemons.<name>.serviceConfig.ServiceIPC | This optional key specifies whether the job participates in advanced
communication with launchd
|
| options/home-manager/launchd.agents.<name>.config.AbandonProcessGroup | When a job dies, launchd kills any remaining processes with the same process group ID as the job
|
| options/nixos/systemd.user.services.<name>.stopIfChanged | If set, a changed unit is restarted by calling
systemctl stop in the old configuration,
then systemctl start in the new one
|
| options/nixos/boot.initrd.luks.devices.<name>.tryEmptyPassphrase | If keyFile fails then try an empty passphrase first before
prompting for password.
|
| options/home-manager/programs.hexchat.channels.<name>.password | Password to use
|
| options/home-manager/programs.i3status.modules.<name>.settings | Configuration to add to this i3status module
|
| options/nixos/services.wstunnel.servers.<name>.restrictTo.*.port | The port.
|
| options/nixos/services.wstunnel.servers.<name>.restrictTo.*.host | The hostname.
|
| options/nixos/services.firewalld.zones.<name>.protocols | Protocols to allow in the zone.
|
| options/nixos/services.blockbook-frontend.<name>.configFile | Location of the blockbook configuration file.
|
| options/nixos/services.zeronsd.servedNetworks.<name>.package | The zeronsd package to use.
|
| options/home-manager/programs.gnome-terminal.profile.<name>.audibleBell | Turn on/off the terminal's bell.
|
| options/nixos/services.kanata.keyboards.<name>.devices | Paths to keyboard devices
|
| options/nixos/services.blockbook-frontend.<name>.package | The blockbook package to use.
|
| options/nixos/programs.proxychains.proxies.<name>.port | Proxy port
|
| options/nixos/programs.proxychains.proxies.<name>.type | Proxy type.
|
| options/home-manager/programs.librewolf.profiles.<name>.extensions.settings.<name>.permissions | Allowed permissions for this extension
|
| options/nixos/services.netbird.clients.<name>.dns-resolver.port | A port to serve DNS entries on when dns-resolver.address is enabled.
|
| options/nixos/services.netbird.tunnels.<name>.dns-resolver.port | A port to serve DNS entries on when dns-resolver.address is enabled.
|
| options/nixos/services.tor.relay.onionServices.<name>.settings | Settings of the onion service
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.ca_id | Identity in CA certificate to accept for authentication
|
| options/nixos/services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command, see the docs
|
| options/nixos/services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command, see the docs
|