| options/nixos/services.slskd.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.movim.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.movim.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with a minimal set of permissions (see caveats),
- restricts daemon configuration socket access to a dedicated user group
(you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through the --enable-rosenpass flag on the netbird up command, see the docs
|
| options/nixos/services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with a minimal set of permissions (see caveats),
- restricts daemon configuration socket access to a dedicated user group
(you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through the --enable-rosenpass flag on the netbird up command, see the docs
|
| options/nixos/services.slskd.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.davis.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.changedetection-io.behindProxy | Enable this option when changedetection-io runs behind a reverse proxy, so that it trusts X-* headers
|
| options/nixos/services.davis.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.yggdrasil.persistentKeys | Whether to enable automatic generation and persistence of keys
|
| options/nixos/services.snipe-it.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.n8n.environment.N8N_DIAGNOSTICS_ENABLED | Whether to share selected, anonymous telemetry with n8n
|
| options/nixos/services.snipe-it.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.draupnir.settings.managementRoom | The room ID or alias where moderators can use the bot's functionality
|
| options/home-manager/xsession.windowManager.i3.config.startup.*.notification | Whether to enable startup-notification support for the command
|
| options/nixos/services.jellyfin.transcoding.hardwareEncodingCodecs | Which codecs to enable for hardware encoding. h264 is always enabled.
|
| options/nixos/services.misskey.reverseProxy.webserver.nginx.http3_hq | Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests
|
| options/nixos/services.opensearch.settings."plugins.security.disabled" | Whether to enable the security plugin,
plugins.security.ssl.transport.keystore_filepath or
plugins.security.ssl.transport.server.pemcert_filepath and
plugins.security.ssl.transport.client.pemcert_filepath
must be set for this plugin to be enabled.
|
| options/nixos/services.anubis.defaultOptions.settings.OG_PASSTHROUGH | Whether to enable Open Graph tag passthrough
|
| options/home-manager/programs.khal.locale.unicode_symbols | By default khal uses some Unicode symbols (as in "non-ASCII") as
indicators for things like repeating events
|
| options/nixos/virtualisation.useNixStoreImage | Build and use a disk image for the Nix store, instead of
accessing the host's one through 9p
|
| options/nixos/services.monica.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.matomo.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.monica.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.matomo.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.fluidd.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.gancio.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.jellyfin.transcoding.hardwareDecodingCodecs.av1 | Enable hardware decoding for av1 codec.
|
| options/nixos/services.jellyfin.transcoding.hardwareDecodingCodecs.vp9 | Enable hardware decoding for vp9 codec.
|
| options/nixos/services.anubis.instances.<name>.settings.OG_PASSTHROUGH | Whether to enable Open Graph tag passthrough
|
| options/nixos/services.akkoma.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.jellyfin.transcoding.hardwareDecodingCodecs.vp8 | Enable hardware decoding for vp8 codec.
|
| options/nixos/services.jellyfin.transcoding.hardwareDecodingCodecs.vc1 | Enable hardware decoding for vc1 codec.
|
| options/nixos/services.akkoma.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.fluidd.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.gancio.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.jellyfin.transcoding.hardwareEncodingCodecs.av1 | Enable hardware encoding for av1 codec.
|
| options/nixos/services.waagent.settings.Provisioning.Enable | Whether to enable provisioning functionality in the agent
|
| options/nixos/networking.networkmanager.wifi.scanRandMacAddress | Whether to enable MAC address randomization of a Wi-Fi device
during scanning.
|
| options/nixos/networking.networkmanager.wifi.powersave | Whether to enable Wi-Fi power saving.
|
| options/nixos/networking.resolvconf.dnsExtensionMechanism | Enable the edns0 option in resolv.conf
|
| options/nixos/services.wgautomesh.settings.lan_discovery | Enable discovery of peers on the same LAN using UDP broadcast.
|
| options/nixos/services.nextcloud.config.objectstore.s3.sseCKeyFile | If provided this is the full path to a file that contains the key
to enable [server-side encryption with customer-provided keys][1]
(SSE-C)
|
| options/nixos/services.jellyfin.transcoding.hardwareDecodingCodecs.h264 | Enable hardware decoding for h264 codec.
|
| options/nixos/services.jellyfin.transcoding.hardwareDecodingCodecs.hevc | Enable hardware decoding for hevc codec.
|
| options/nixos/services.jellyfin.transcoding.hardwareEncodingCodecs.hevc | Enable hardware encoding for hevc codec.
|
| options/home-manager/targets.darwin.defaults."com.googlecode.iterm2".AlternateMouseScroll | Whether to enable arrow keys when scrolling in alternate screen mode.
|
| options/nixos/virtualisation.virtualbox.guest.clipboard | Whether to enable clipboard support.
|
| options/nixos/virtualisation.virtualbox.guest.seamless | Whether to enable seamless mode
|
| options/darwin/system.defaults.NSGlobalDomain.NSAutomaticInlinePredictionEnabled | Whether to enable inline predictive text
|
| options/nixos/hardware.amdgpu.overdrive.ppfeaturemask | Sets the amdgpu.ppfeaturemask kernel option
|
| options/nixos/virtualisation.virtualbox.host.headless | Use VirtualBox installation without GUI and Qt dependency
|
| options/nixos/services.jellyfin.transcoding.hardwareDecodingCodecs.mpeg2 | Enable hardware decoding for mpeg2 codec.
|
| options/nixos/programs.nix-required-mounts.allowedPatterns.<name>.unsafeFollowSymlinks | Whether to instruct the hook to mount the symlink targets as well, when any of
the paths contain symlinks
|
| options/darwin/system.defaults.trackpad.TrackpadFourFingerVertSwipeGesture | 0 to disable four finger vertical swipe gestures, 2 to enable (down for Mission Control, up for App Exposé)
|
| options/nixos/services.prometheus.exporters.deluge.exportPerTorrentMetrics | Enable per-torrent metrics
|
| options/nixos/services.stash.settings.sound_on_preview | Enable sound on mouseover previews
|
| options/nixos/services.prometheus.exporters.opnsense.disabledExporter | Collectors to enable or disable
|
| options/nixos/services.opentelemetry-collector.validateConfigFile | Whether to enable validation of the configuration file.
|
| options/nixos/services.sourcehut.settings."meta.sr.ht::settings".registration | Whether to enable public registration.
|
| options/nixos/services.grafana.settings.analytics.feedback_links_enabled | Set to false to remove all feedback links from the UI.
|
| options/nixos/services.nextcloud.settings.mail_smtpdebug | Enable SMTP class debugging.
loglevel will likely need to be adjusted too.
See docs.
|
| options/nixos/services.mediagoblin.settings.mediagoblin.plugins | Plugins to enable
|
| options/nixos/services.mainsail.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.pixelfed.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.mainsail.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.pixelfed.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.fediwall.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.dolibarr.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.firezone.server.provision.accounts.<name>.features.idp_sync | Whether to enable the idp_sync feature for this account.
|
| options/nixos/services.firezone.server.provision.accounts.<name>.features.rest_api | Whether to enable the rest_api feature for this account.
|
| options/nixos/services.changedetection-io.webDriverSupport | Enable support for fetching web pages using WebDriver and Chromium
|
| options/nixos/services.agorakit.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.librenms.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.librenms.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.agorakit.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.kanboard.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.dolibarr.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.fediwall.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.firezone.server.smtp.configureManually | Outbound email configuration is mandatory for Firezone and supports
many different delivery adapters
|
| options/nixos/services.kanboard.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.mastodon.activeRecordEncryptionPrimaryKeyFile | This key must be set to enable the Active Record Encryption feature within
Rails that Mastodon uses to encrypt and decrypt some database attributes
|
| options/nixos/security.pam.services.<name>.googleOsLoginAuthentication | If set, will use the pam_oslogin_login's user
authentication methods to authenticate users using 2FA
|
| options/nixos/services.jellyfin.transcoding.hardwareDecodingCodecs.hevcRExt10bit | Enable hardware decoding for hevcRExt10bit codec.
|
| options/nixos/security.pam.services.<name>.googleOsLoginAccountVerification | If set, will use the Google OS Login PAM modules
(pam_oslogin_login,
pam_oslogin_admin) to verify possible OS Login
users and set sudoers configuration accordingly
|
| options/nixos/services.jellyfin.transcoding.hardwareDecodingCodecs.hevcRExt12bit | Enable hardware decoding for hevcRExt12bit codec.
|
| options/nixos/services.paperless.openMPThreadingWorkaround | Whether to enable a workaround for document classifier timeouts
|
| options/nixos/hardware.trackpoint.press_to_select | Setting this to true will enable the Press to Select functions like tapping the control stick to simulate a left click, and setting false will disable it.
|
| options/home-manager/programs.zsh.syntaxHighlighting.highlighters | Highlighters to enable
See the list of highlighters: https://github.com/zsh-users/zsh-syntax-highlighting/blob/master/docs/highlighters.md
Note: The "main" highlighter is always included automatically
|
| options/darwin/system.defaults.NSGlobalDomain.NSAutomaticSpellingCorrectionEnabled | Whether to enable automatic spelling correction
|
| options/nixos/services.radicle.httpd.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.radicle.httpd.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/darwin/system.defaults.NSGlobalDomain.NSAutomaticDashSubstitutionEnabled | Whether to enable smart dash substitution
|
| options/nixos/services.prometheus.exporters.unpoller.log.prometheusErrors | Whether to enable emitting errors to prometheus.
|
| options/nixos/services.nginx.virtualHosts.<name>.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.nginx.virtualHosts.<name>.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/nixos/services.anuko-time-tracker.nginx.locations.<name>.recommendedProxySettings | Enable recommended proxy settings.
|
| options/nixos/services.anuko-time-tracker.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|
| options/darwin/system.defaults.NSGlobalDomain.NSAutomaticQuoteSubstitutionEnabled | Whether to enable smart quote substitution
|
| options/nixos/services.bookstack.nginx.locations.<name>.recommendedUwsgiSettings | Enable recommended uwsgi settings.
|