Require authentication of the STUN Binding request

Define specific rules to be set in the /etc/doas.conf file

Whether to enable RustDesk, a remote access and remote control software, allowing maintenance of computers and other devices.

Allowed TLS protocol versions.

Limit on the number of simultaneous connections allowed.

The maximum number of outstanding audit buffers allowed; exceeding this is considered a failure and handled in a manner specified by failureMode.

Reflect incoming mDNS requests to all allowed network interfaces.

Allowed SSL/TLS protocol versions.

Used to select a secure SMTP connection

Free-form settings written directly to the config file

Whether the installation process is allowed to modify EFI boot variables.

Whether to enable Devilspie2, a window matching utility, allowing the user to perform scripted actions on windows as they are created.

Whether to run the Avahi daemon, which allows Avahi clients to use Avahi's service discovery facilities and also allows the local machine to advertise its presence and services (through the mDNS responder implemented by avahi-daemon).

Whether to enable allowing blendfarm network access through the firewall.

I2P nodes that are allowed to connect to this service.

Whether to enable all firmware, including unfree packages that must be explictly allowed

This option allows you to define interfaces encapsulating IP packets within IP packets; which should be automatically created

Allowed MACs

Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Whether to add the boot.binfmt.emulatedSystems to nix.settings.extra-platforms

If true, a system-wide PipeWire service and socket is enabled allowing all users in the "pipewire" group to use it simultaneously

Whether this file should be generated

Whether to enable the Keybase root redirector service, allowing any user to access KBFS files via /keybase, which will show different contents depending on the requester.

Net masks for trusted - allowed to relay mail to third parties - hosts

Username or user ID of the user allowed to to fetch Tailscale TLS certificates for the node.

Whether this file should be generated

Number of attempts a client is allowed to make in autobanTimeframe seconds, before being banned for autobanTime.

For a port to pass the filter and appear on the port list managed by drone, it be allowed by this include list.

Enables or disables the laptop keyboard's Function (Fn) lock at boot

Indicate if login is allowed if we can't cd to the home directory.

Line-separated email addresses that are allowed to authenticate.

sysfs attributes to be set as soon as they become available

TURN listener port for UDP and TCP

Allowed ciphers

Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Whether this file should be generated

Whether this file should be generated

Whether the application will be allowed access to location information.

If specified, login is allowed only for the listed users

Restrict the allowed ciphers of this policy to those defined here

Name of the group members of which will be allowed to create usershares

Limits the amount of maximum concurrent clients allowed.

The number of allowed simultaneous connections to the daemon, default 10.

Newline separated list of names to be allowed/denied if userlistEnable is true

Whether to enable Google OS Login

Dynamic configuration files to write

Whether to add Wireshark to the global environment and create a 'wireshark' group

Disable all routes allowing Chromium-based conversion.

Roles that are allowed to access the JMX (e.g. nodetool) BEWARE: The passwords will be stored world readable in the nix store

List of groups allowed to operate with the config

List of users allowed to operate with the config. "root" is always implicitly included

Include this configuration only when condition matches

Bulk PDF import from consume directory

If specified, login is allowed only for users part of the listed groups

Whether to enable native host connector for the GNOME Shell browser extension, a DBus service allowing to install GNOME Shell extensions from a web browser .

In case of a virtual device, the user who owns it. null will not set owner, allowing access to any user.

When to run the exporter

List of OIDC clients

Allowed users and their secrets

Whether this file should be generated

The window size of the default gateway

If you want to prevent node sharing from allowing users to access services across tailnets, declare your expected tailnets domain here.

The changes the principal is allowed to make.

Maximum number of concurrent clients allowed.

The maximum amount of memory, in MiB, a Sidekiq worker is allowed to consume before being killed.

Specifies whether remote hosts are allowed to connect to ports forwarded for the client

Max qps allowed from any query source. 0 means unlimited

Erlang cookie is a string of arbitrary length which must be the same for several nodes to be allowed to communicate

Maximum amount of users which will be allowed to register on this system. 0 - no limit.

Whether to verify clients against a locally running tailscale daemon if they are allowed to connect to this node or not.

Verbatim ferm.conf configuration.

Only use TLSv1.3 (default also allows TLSv1.2).

Any remote cjdns nodes that offer these passwords on connection will be allowed to route through this node.

Omits password checking, allowing anyone to log in with any user name unless other mandatory authentication methods (eg TLS client certificates) are configured.

Whether to run reaction as root

List the file systems that clients will be allowed to mount

The time allowed for all jobs to finish before Sidekiq is killed forcefully.

Disable all routes allowing LibreOffice-based conversion.

Upstream server maximum allowed concurrent connections

A list of Cron jobs to be appended to the system-wide crontab

Allowed key exchange algorithms

Uses the lower bound recommended in both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Whitelist allowed images.

Whitelist allowed images.

Whether to enable the sudo command, which allows non-root users to execute commands as root.

Whether to enable the doas command, which allows non-root users to execute commands as root.

Whether to enable fwupd, a DBus service that allows applications to update firmware.

The path to the folder which should be shared

Custom agent skills for opencode

Whether to enable loading the wireless regulatory database at boot.

The path to the folder which should be shared

The qemu package to use. pkgs.qemu can emulate alien architectures (e.g. aarch64 on x86) pkgs.qemu_kvm saves disk space allowing to emulate only host architectures.

This option allows you to define interfaces encapsulating IPv6 packets within IPv4 packets; which should be automatically created.

An extra set of filesystem paths that FoundationDB can read to and write from

An attribute set describing an HTTP to GCS proxy that allows us to use GCS bucket via HTTP protocol.

This option disables password/group lookups

Whether to enable a memory-safe implementation of the sudo command, which allows non-root users to execute commands as root .

A list of additional patches to apply to the kernel

Whitelist allowed services.

List of trusted remote SMTP clients, that are allowed to relay mail

Whitelist allowed services.

Whether to enable firmware with a license allowing redistribution.

Preferences to set from about:config