| options/nixos/services.neo4j.ssl.policies.<name>.revokedDir | Path to directory of CRLs (Certificate Revocation Lists) in
PEM format
|
| options/darwin/launchd.daemons.<name>.serviceConfig.ProcessType | This optional key describes, at a high level, the intended purpose of the job
|
| options/nixos/hardware.nvidia.dynamicBoost.enable | Whether to enable dynamic Boost, which balances power between the CPU and the GPU for improved
performance on supported laptops using the nvidia-powerd daemon
|
| options/nixos/services.jenkins.environment | Additional environment variables to be passed to the jenkins process
|
| options/darwin/launchd.daemons.<name>.serviceConfig.HardResourceLimits.ResidentSetSize | The maximum size (in bytes) to which a process's resident set size may grow
|
| options/darwin/launchd.daemons.<name>.serviceConfig.SoftResourceLimits.ResidentSetSize | The maximum size (in bytes) to which a process's resident set size may grow
|
| options/nixos/services.mjolnir.pantalaimon.options.logLevel | Set the log level of the daemon.
|
| options/darwin/launchd.daemons.<name>.serviceConfig.EnvironmentVariables | This optional key is used to specify additional environment variables to be set before running the
job.
|
| options/nixos/services.sourcehut.settings."lists.sr.ht::worker".sock-group | The lmtp daemon will make the unix socket group-read/write
for users in this group.
|
| options/darwin/launchd.daemons.<name>.serviceConfig.Sockets.<name>.MulticastGroup | This optional key can be used to request that the datagram socket join a multicast group
|
| options/nixos/services.neo4j.directories.imports | The root directory for file URLs used with the Cypher
LOAD CSV clause
|
| options/darwin/launchd.daemons.<name>.serviceConfig.EnableTransactions | This flag instructs launchd that the job promises to use vproc_transaction_begin(3) and
vproc_transaction_end(3) to track outstanding transactions that need to be reconciled before the
process can safely terminate
|
| options/nixos/services.neo4j.directories.plugins | Path of the database plugin directory
|
| options/nixos/services.neo4j.ssl.policies.<name>.trustedDir | Path to directory of X.509 certificates in PEM format for
trusted parties
|
| options/nixos/services.beesd.filesystems.<name>.extraOptions | Extra command-line options passed to the daemon
|
| options/darwin/launchd.daemons.<name>.serviceConfig.Disabled | This optional key is used as a hint to launchctl(1) that it should not submit this job to launchd when
loading a job or jobs
|
| options/nixos/services.endlessh-go.prometheus.listenAddress | Interface address to bind the endlessh-go daemon to answer Prometheus
queries.
|
| options/darwin/launchd.agents.<name>.serviceConfig.LowPriorityIO | This optional key specifies whether the kernel should consider this daemon to be low priority when
doing file system I/O.
|
| options/darwin/launchd.daemons.<name>.serviceConfig.inetdCompatibility.Wait | This flag corresponds to the "wait" or "nowait" option of inetd
|
| options/nixos/services.transmission.settings | Settings whose options overwrite fields in
.config/transmission-daemon/settings.json
(each time the service starts)
|
| options/nixos/services.gitea-actions-runner.instances.<name>.settings | Configuration for act_runner daemon
|
| options/darwin/launchd.user.agents.<name>.serviceConfig.LowPriorityIO | This optional key specifies whether the kernel should consider this daemon to be low priority when
doing file system I/O.
|
| options/nixos/services.neo4j.ssl.policies.<name>.baseDirectory | The mandatory base directory for cryptographic objects of this
policy
|
| options/nixos/services.mpdscribble.passwordFile | File containing the password for the mpd daemon
|
| options/nixos/services.torrentstream.openFirewall | Open ports in the firewall for TorrentStream daemon.
|
| options/darwin/launchd.daemons.<name>.serviceConfig.StartCalendarInterval | This optional key causes the job to be started every calendar interval as specified
|
| options/nixos/services.evdevremapkeys.enable | Whether to enable evdevremapkeys, a daemon to remap events on linux input devices.
|
| options/nixos/services.cyrus-imap.imapdSettings.notifysocket | Unix domain socket that the mail notification daemon listens on.
|
| options/nixos/services.usbguard.presentControllerPolicy | How to treat USB controller devices that are already connected when
the daemon starts
|
| options/nixos/security.auditd.settings.admin_space_left | This is a numeric value in mebibytes (MiB) that tells the audit daemon when to perform a configurable action because the system is running
low on disk space
|
| options/nixos/programs.ssh.forwardX11 | Whether to request X11 forwarding on outgoing connections by default
|
| options/nixos/services.nixseparatedebuginfod.nixPackage | The version of nix that nixseparatedebuginfod should use as client for the nix daemon
|
| options/nixos/services.mjolnir.pantalaimon.options.listenPort | The port where the daemon will listen to client connections for
this homeserver
|
| options/nixos/services.bacula-sd.device.<name>.archiveDevice | The specified name-string gives the system file name of the storage
device managed by this storage daemon
|
| options/nixos/networking.dhcpcd.persistent | Whether to leave interfaces configured on dhcpcd daemon
shutdown
|
| options/nixos/services.mjolnir.pantalaimon.options.listenAddress | The address where the daemon will listen to client connections
for this homeserver.
|
| options/nixos/services.dbus.implementation | The implementation to use for the message bus defined by the D-Bus specification
|
| options/nixos/services.automatic-timezoned.enable | Enable automatic-timezoned, a simple daemon for keeping the system
timezone up-to-date based on the current location
|
| options/nixos/services.tuned.settings.sleep_interval | Interval at which the TuneD daemon is woken up and checks for events (in seconds).
|
| options/nixos/services.firewalld.settings.IndividualCalls | Whether to use individual -restore calls to apply changes to the firewall
|
| options/nixos/services.gotosocial.environmentFile | File path containing environment variables for configuring the GoToSocial service
in the format of an EnvironmentFile as described by systemd.exec(5)
|
| options/nixos/users.users.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be
added to the user's authorized keys
|
| options/darwin/users.users.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be
added to the user's authorized keys
|
| options/nixos/users.users.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the
user's authorized keys
|
| options/darwin/users.users.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the
user's authorized keys
|
| options/nixos/services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| options/nixos/services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| options/nixos/services.pantalaimon-headless.instances.<name>.logLevel | Set the log level of the daemon.
|
| options/nixos/virtualisation.vswitch.enable | Whether to enable Open vSwitch
|
| options/nixos/services.mpd.settings.bind_to_address | The address for the daemon to listen on
|
| options/nixos/users.extraUsers.<name>.openssh.authorizedKeys.keyFiles | A list of files each containing one OpenSSH public key that should be
added to the user's authorized keys
|
| options/nixos/virtualisation.xen.store.settings | The OCaml-based Xen Store Daemon configuration
|
| options/nixos/virtualisation.xen.store.settings.pidFile | Path to the Xen Store Daemon PID file.
|
| options/home-manager/launchd.agents.<name>.config.HardResourceLimits.NumberOfFiles | The maximum number of open files for this process
|
| options/home-manager/launchd.agents.<name>.config.SoftResourceLimits.NumberOfFiles | The maximum number of open files for this process
|
| options/nixos/users.extraUsers.<name>.openssh.authorizedKeys.keys | A list of verbatim OpenSSH public keys that should be added to the
user's authorized keys
|
| options/nixos/virtualisation.docker.extraOptions | The extra command-line options to pass to
docker daemon.
|
| options/nixos/services.glusterfs.enableGlustereventsd | Whether to enable the GlusterFS Events Daemon
|
| options/home-manager/launchd.agents.<name>.config.LowPriorityBackgroundIO | This optional key specifies whether the kernel should consider this daemon to be low priority when
doing file system I/O when the process is throttled with the Darwin-background classification.
|
| options/home-manager/launchd.agents.<name>.config.inetdCompatibility | The presence of this key specifies that the daemon expects to be run as if it were launched from inetd.
|
| options/nixos/virtualisation.docker.extraPackages | Extra packages to add to PATH for the docker daemon process.
|
| options/nixos/services.pantalaimon-headless.instances.<name>.listenPort | The port where the daemon will listen to client connections for
this homeserver
|
| options/nixos/services.strongswan-swanctl.swanctl.authorities.<name>.file | Absolute path to the certificate to load
|
| options/nixos/services.pantalaimon-headless.instances.<name>.listenAddress | The address where the daemon will listen to client connections
for this homeserver.
|
| options/nixos/networking.wireless.enableHardening | Whether to apply security hardening measures to wpa_supplicant
|
| options/darwin/launchd.agents.<name>.serviceConfig.SoftResourceLimits.NumberOfFiles | The maximum number of open files for this process
|
| options/darwin/launchd.agents.<name>.serviceConfig.HardResourceLimits.NumberOfFiles | The maximum number of open files for this process
|
| options/darwin/launchd.user.agents.<name>.serviceConfig.HardResourceLimits.NumberOfFiles | The maximum number of open files for this process
|
| options/darwin/launchd.user.agents.<name>.serviceConfig.SoftResourceLimits.NumberOfFiles | The maximum number of open files for this process
|
| options/home-manager/launchd.agents.<name>.config.Sockets | This optional key is used to specify launch on demand sockets that can be used to let launchd know when
to run the job
|
| options/darwin/launchd.agents.<name>.serviceConfig.LowPriorityBackgroundIO | This optional key specifies whether the kernel should consider this daemon to be low priority when
doing file system I/O when the process is throttled with the Darwin-background classification.
|
| options/nixos/services.pipewire.wireplumber.extraConfig | Additional configuration for the WirePlumber daemon when run in
single-instance mode (the default in nixpkgs and currently the only
supported way to run WirePlumber configured via extraConfig)
|
| options/darwin/launchd.user.agents.<name>.serviceConfig.LowPriorityBackgroundIO | This optional key specifies whether the kernel should consider this daemon to be low priority when
doing file system I/O when the process is throttled with the Darwin-background classification.
|
| options/darwin/launchd.agents.<name>.serviceConfig.inetdCompatibility | The presence of this key specifies that the daemon expects to be run as if it were launched from inetd.
|
| options/home-manager/launchd.agents.<name>.config.SoftResourceLimits.NumberOfProcesses | The maximum number of simultaneous processes for this user id
|
| options/home-manager/launchd.agents.<name>.config.HardResourceLimits.NumberOfProcesses | The maximum number of simultaneous processes for this user id
|
| options/darwin/launchd.user.agents.<name>.serviceConfig.inetdCompatibility | The presence of this key specifies that the daemon expects to be run as if it were launched from inetd.
|
| options/nixos/virtualisation.docker.rootless.extraPackages | Extra packages to add to PATH for the docker daemon process.
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.local.<name>.cert.<name>.file | Absolute path to the certificate to load
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.encap | To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the
NAT detection payloads
|
| options/nixos/services.neo4j.directories.certificates | Directory for storing certificates to be used by Neo4j for
TLS connections
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cert.<name>.file | Absolute path to the certificate to load
|
| options/darwin/launchd.user.agents.<name>.serviceConfig.Sockets | This optional key is used to specify launch on demand sockets that can be used to let launchd know when
to run the job
|
| options/darwin/launchd.agents.<name>.serviceConfig.Sockets | This optional key is used to specify launch on demand sockets that can be used to let launchd know when
to run the job
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.cacert.<name>.file | Absolute path to the certificate to load
|
| options/darwin/launchd.agents.<name>.serviceConfig.SoftResourceLimits.NumberOfProcesses | The maximum number of simultaneous processes for this user id
|
| options/darwin/launchd.agents.<name>.serviceConfig.HardResourceLimits.NumberOfProcesses | The maximum number of simultaneous processes for this user id
|
| options/darwin/launchd.user.agents.<name>.serviceConfig.SoftResourceLimits.NumberOfProcesses | The maximum number of simultaneous processes for this user id
|
| options/darwin/launchd.user.agents.<name>.serviceConfig.HardResourceLimits.NumberOfProcesses | The maximum number of simultaneous processes for this user id
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.send_cert | Send certificate payloads when using certificate authentication.
- With the default of ifasked the daemon sends certificate payloads only if certificate requests have been received.
- never disables sending of certificate payloads altogether,
- always causes certificate payloads to be sent unconditionally whenever certificate authentication is used
|
| options/nixos/services.transmission.downloadDirPermissions | If not null, is used as the permissions
set by system.activationScripts.transmission-daemon
on the directories services.transmission.settings.download-dir,
services.transmission.settings.incomplete-dir,
and services.transmission.settings.watch-dir
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.policies | Whether to install IPsec policies or not
|
| options/nixos/services.prometheus.scrapeConfigs.*.docker_sd_configs.*.host | Address of the Docker daemon.
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.if_id_out | XFRM interface ID set on outbound policies/SA
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.fragmentation | Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2
fragmentation)
|
| options/nixos/services.prometheus.scrapeConfigs.*.dockerswarm_sd_configs.*.host | Address of the Docker daemon.
|
| options/nixos/services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.local_ts | List of local traffic selectors to include in CHILD_SA
|
| options/nixos/services.wgautomesh.settings.upnp_forward_external_port | Public port number to try to redirect to this machine's Wireguard
daemon using UPnP IGD.
|
| packages/nixpkgs/khd | Simple modal hotkey daemon for OSX |
| packages/nixpkgs/skhd | Simple hotkey daemon for macOS |