Users allowed to use fcrontab and fcrondyn (one name per line, all for everyone).

Users allowed to use incrontab

Whether to allow traffic that is neither TCP nor UDP

Allow HTML in client messages, comments, and channel descriptions.

Whether to enable Whether to allow the PUT verb to push narinfo and nar files directly to the cache. .

allow Artalk store the settings to config file persistently

From which hosts to allow unconditional access.

Whether to allow any user to lock the screen

Whether to allow traffic on the loopback interface

Allow Type-1 fonts

User's access level for changing data.

• view: view only permission.
• add: view and add permissions.
• edit: view, add, and edit permissions.
• sandstorm: permissions from the X-Sandstorm-Permissions request header.

Whether to enable Whether to allow the DELETE verb to delete narinfo and nar files from the cache. .

Allow hibernation support, this may be a unsafe option depending on your setup

Allow bitmap fonts

Whether to relax the security sandbox to allow running setuid binaries (e.g. sudo) in the dhcpcd hooks.

Whether to allow writes to MSRs ("on") or not ("off").

If NSD as secondary server should be allowed to AXFR if the primary server does not allow IXFR.

Disable checking that at least the root user or a user in the wheel group can log in using a password or an SSH key

Whether to enable the SFTP subsystem in the SSH daemon

Enable uploads of external files

Allow falling back to local locks if Redis is unavailable (WARNING: breaks HA guarantees).

Whether to enable configuring X to allow external NVIDIA GPUs when using Prime [Reverse] sync optimus .

Whether to enable setting the system time.

List of address ranges allowed to query this zone

Whether to allow traffic to local networks

Allow the use of writeable root inside chroot().

Whether to enable Allow the system to forward packets from easytier

Reboot the system into the new generation instead of a switch if the new generation uses a different kernel, kernel modules or initrd than the booted system

Whether to allow TRIM requests to the underlying device

Set the Access-Control-Allow-Origin header in the HTTP response, used for direct (non-proxy) JavaScript-based access from browsers. "*" to allow access from all sites.

Whether to use POINTTOPOINT interfaces

Whether to make /var/spool/at{jobs,spool} writeable by everyone (and sticky)

When enabled, the stargazer process will be given CAP_SETGID and CAP_SETUID so that it can run cgi processes as a different user

Whether to enable rebooting the system.

Install polkit rules to allow Mirakurun to access smart card readers which is commonly used along with tuner devices.

If set to true, any remote host can connect to and control this BOINC client (subject to password authentication)

IP address ranges of clients allowed to make API requests.

IP address ranges of clients allowed to make DNS queries.

TCP ports to which traffic is allowed

UDP ports to which traffic is allowed

Allow client if common name appears in the list.

Whether to load additional drivers for certain vendors (I

Allow client if organizational unit name appears in the list.

If true, allow all clients, do not check client cert subject.

Allow client if URI subject alternative name appears in the list.

Allow client if DNS subject alternative name appears in the list.

List of IPs or networks to allow (default all allowed).

Allow these URLs to be used in the downloadFrom API field

Whether to get IPv6 addresses from interfaces.

List of IP address ranges allowed to use the RPC API

IPs and subnets that are authorized to connect for this device

Whether to enable access to video devices like cameras on the system .

Whether to allow Moonraker to perform system-level operations

Whether to enable killing/restarting processes.

Allow account creation

Whether to allow creation of user namespaces

Whether to allow TRIM requests to the underlying device

Whether the initrd can be built even though modules listed in boot.initrd.kernelModules or boot.initrd.availableKernelModules are missing from the kernel

A list of names of users (separated by whitespace) that are allowed to connect to the Nix daemon

Whether to allow logging into accounts that have no password set (i.e., have an empty password field in /etc/passwd or /etc/group)

Set Torsocks to accept inbound connections

By default we create the sabnzbd configuration read-only, which keeps the nixos configuration as the single source of truth

Allow clients to create repositories in subdirectories of the specified path

Whether to respond to incoming ICMPv4 echo requests ("pings")

This tells pgmanage whether or not to allow anyone to use a custom connection from the login screen.

List of network interfaces that should be used by the avahi-daemon

Client IDs to allow (can be repeated; if not specified, all clients are allowed)

List of domains to whitelist.

Listed primary servers are allowed to notify this secondary server

Enables or disables the native transport server (CQL binary protocol)

Enable the risky critical power actions "Suspend" and "Ignore".

By default, when SSH forwarding, enabling Duo Security will disable TCP forwarding

Allows AdGuard Home to open raw sockets (CAP_NET_RAW), which is required for the integrated DHCP server

Whether to enable network access for logrotate.

Whether to allow privileged containers on Kubernetes.

Whether to enable nonpaying users to submit builds.

Whether to enable creation of new lists.

Enable the DHCP client for any interface whose name matches any of the shell glob patterns in this list

A list of device nodes to which esphome has access to

Allow client if common name appears in the list.

Whether to enable Libravatar as profile picture source on your instance

Allow client if organizational unit name appears in the list.

If true, allow all clients, do not check client cert subject.

List of groups to allow access to this vhost, or null to allow all.

Allow client if DNS subject alternative name appears in the list.

Allow client if URI subject alternative name appears in the list.

List of emails to allow access to this vhost, or null to allow all.

Whether to enable keys to run shell commands.

Whether to allow login for accounts that have no OTP set (i.e., accounts with no OTP configured or no existing ~/.google_authenticator).

Whether to allow configuring networks "imperatively" (e.g. via wpa_supplicant_gui) and declaratively via networking.wireless.networks.

List of email domains to allow access to this vhost, or null to allow all.

Whether to enable all anonymous clients to stream to the server.

Allows the generation of a private key and associated self-signed certificate

Domains where PdfDing is allowed to run

Whether to allow capital letters in slugs.

List of IP addresses or network addresses that may connect to Polipo.

Allowed client IP ranges are evaluated first, defaults to ARIN IPv4 private ranges: [ "192.168.0.0/16" "127.0.0.0/8" "172.16.0.0/12" "10.0.0.0/8" ]

Whether to allow Conduit to automatically contact https://conduit.rs hourly to check for important Conduit news

The main host that is allowed access.

Whether to allow SMT/hyperthreading

A list of device nodes to which the containers has access to.

Common name attribute of allowed peer certificates

Common name attribute of allowed peer certificates

List of allowed origins

Common name attribute of allowed peer certificates

IfState in initrd drastically increases the size of initrd, your boot partition may be too small and/or you may have significantly fewer generations

Path to device node

Specifies whether userlistFile is a list of user names to allow or deny access

When false, the HTTP header X-Frame-Options: deny will be set in Grafana HTTP responses which will instruct browsers to not allow rendering Grafana in a <frame>, <iframe>, <embed> or <object>

Client IPs which are allowed to connect to distccd in CIDR notation

Disable PKCE on this oauth2 resource server to work around insecure clients that may not support it

IP addresses or subnets allowed to call the periphery API

Add module allowners, any user in chat is able to kick other

List of open UDP ports.

List of TCP ports on which incoming connections are accepted.

Allow IPv6 HTTP requests?

All listed users will become part of the firezone-client group so they can control the tunnel service

Whether to enable Whether to allow insecure TLS..

Allow any hostname as backend endpoint

Add module allowners, any user in chat is able to kick other

Range of open UDP ports.

List of IP addresses that are allowed to access the debug, stats and metrics endpoints

A range of TCP ports on which incoming connections are accepted.

Allow requests from a specific port.

Allow requests from a specific host.

A list of regular expressions that are matched against the reported client id (such as task 2.3.0)

The hook config, describing which paths to mount for which system features

Only allow read operations from this Neo4j instance.

If enabled, continuwuity will send a simple GET request periodically to https://continuwuity.org/.well-known/continuwuity/announcements for any new announcements made.

If non-empty, only these player names are allowed to connect

Common name attribute of allowed peer certificates

Common name attribute of allowed peer certificates

By default, non global IP addresses are never forwarded to upstream servers

Set to false to prohibit users from creating new organizations.

Hosts that homepage-dashboard will be running under

Device node access modifier

Users allowed to authenticate even if not in allowedDomains.

List of allowlists

Set to false to prohibit users from being able to sign up / create user accounts

Allow the user to do certain things with upsd

Deny (or allow) domain lists to use

A list of glob patterns, indicating which paths to expose to the sandbox

Do not fail evaluation when services.nixseparatedebuginfod.nixPackage is older than nix 2.18.

Whether to allow a websocket connection from a different origin.

Allowed principal domains. if an authenticated user's domain is not in this list authentication request will be rejected.

Whether this server federates with other servers.

Whether this server federates with other servers.

Whether new users can register on this server.

List of UnifiedPush servers

A list of regular expressions that are matched against the reported client id (such as task 2.3.0)

Whether new encrypted rooms can be created

Whether new encrypted rooms can be created

If we can't use system-provided secure storage, should we proceed anyway?

"Peer verification string"

UUIDs of Signal accounts that may use this server

Allow non-root users to specify the allow_other or allow_root mount options, see mount.fuse3(8).

Which requiredSystemFeatures should trigger relaxation of the sandbox

Specifies the MAC addresses to allow if macAcl is set to "allow" or "radius"

Whether new users can register on this server

Whether to enable brillo in userspace

Allow the cloud-init service to operate xfs filesystem.

List of open UDP ports.

Authentication type

List of TCP ports on which incoming connections are accepted.

Number of files to allow deluged to open.

Allow the cloud-init service to operate ext4 filesystem.

List of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to which outgoing traffic for this peer is directed

Allow access to custom data locations.

Allow authentication modules to auto-create users in tt-rss internal database when authenticated successfully.

Whether to allow the X server to accept TCP connections.

List of bridge devices that can be used by qemu:///session

Range of open UDP ports.

Extends the systemd unit with permissions to allow for the use of the eXpress Data Path (XDP).

Allow clients to write to the TTY.

Allow stale Consul results (see https://www.consul.io/api/index.html#consistency-modes)

A range of TCP ports on which incoming connections are accepted.

Allow the cloud-init service to operate btrfs filesystem.

Enable saned network daemon for remote connection to scanners.

saned would be run from scanner user; to allow access to hardware that doesn't have scanner group you should add needed groups to this user.

A list of IP subnets that are allowed to stream to the server.

Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly

Allow clients access to internal SOCKS5 proxy

Determines whether to add allowed IPs as routes or not.

Address to listen on (use 0.0.0.0 to allow access from any address).

Allow clients to connect without authentication, i.e. without a valid MUNGE credential.

Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly

Whether to allow publishing in general.

Whether this server federates with other servers.

Kanidm groups that are allowed to login using PAM.

Learn more at https://docs.stashapp.cc/networking/authentication-required-when-accessing-stash-from-the-internet/

Store messages in an archive and allow users to access it

Whether new encrypted rooms can be created

Whether new users can register on this server

Allow clients reverse port forwarding

Whether to enable Rygel UPnP Mediaserver

Specifies a file containing the MAC addresses to allow if macAcl is set to "allow" or "radius"

Kanidm groups that are allowed to login using PAM.

Whether to enable user self registration

Level of TLS verification

List of IP (v4 or v6) addresses with CIDR masks from which this peer is allowed to send incoming traffic and to which outgoing traffic for this peer is directed

Allow users to set vCards

Whether to enable Instructs the hook to mount the symlink targets as well, when any of the paths contain symlinks

Station MAC address -based authentication

Whether to allow editing the boot entries before booting them

Which user or group the specified command is allowed to run as

The port Invidious should listen on

Use chfn SUID to allow non-root users to change their account GECOS information.

On service or configuration errors that prevent Duo authentication, fail "safe" (allow access) or "secure" (deny access)

Controls how systemd will interpret the root FS in initrd

Additional prosody configuration

The generated file is processed by envsubst to allow secrets to be passed securely via environment variables.

Allow users to have a roster

Under which user/group the specified command is allowed to run

Allow the cloud-init service to configure network interfaces through systemd-networkd.

The restriction flags to be set on source

Under which user/group the specified command is allowed to run

Allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40

Whether to allow editing the kernel command-line before boot

Enable acpilight

Allow leaving config.boot.initrd.network.ssh.hostKeys empty, to deploy ssh host keys out of band.

The TTL ("Time to Live") value to set for your DNS records

List of additional portals to add to path

Ports to allow in the zone.

Salt to allow room operator passwords generated by this server instance to still work when the server is restarted

Allow N days for the first retry

Allow a client to resume a disconnected session, and prevent message loss

Whether or not to open the minimum required ports on the firewall

Allow changes made on the web interface to persist between service restarts.

Allow the specified IPs to act as a proxy

Whether to allow the remote address and port to change when properly encrypted packets are received.

Allow binding to non local addresses.

Allow chronyd to step the system clock if the error is larger than the specified threshold.

Whether to ignore the cpuid check to allow running on unsupported platforms

Indicates whether to allow the contents of the dataDir directory to be changed by the user at run-time

List of IPs of relays that this node should allow traffic from.

This tells pgmanage to only allow users in a certain PostgreSQL group to login to pgmanage

Whether to enable local discovery for the Kubo daemon

ACL rule

The following authentication modes are available: Open -- Accept connections from anyone, use NickServ for user authentication

Whether to enable the APC UPS daemon. apcupsd monitors your UPS and permits orderly shutdown of your computer in the event of a power failure

Allow GDM to run on Wayland instead of Xserver.

Whether to enable hardware accelerated graphics drivers

List of UIDs of all users for which this application is allowed location info access, Defaults to an empty string to allow it for all users.

Allow rooms to be moderated

This tells pgmanage whether or not to only allow super users to login

Enable Git daemon, which allows public hosting of git repositories without any access controls

Determines how client certificates are validated

Whether to configure permissions to allow integration with Postfix.

Source ports to allow in the zone.

Allow users to register on this server using a client and change passwords

Allow all users to access the FUSE mount points

Allow insecure connections to the mongo database.

Enables reverse proxy support

Whether to allow writable on-line configuration

The address (including host and port) under which we can access the Ollama backend server. !Note that if the the UI service is running under a domain "https://ui.example.org", the Ollama backend service must allow "CORS" requests from this domain, e.g. by adding "services.ollama.environment

Services to allow in the zone.

Hostname to allow or deny.

Allow users to block communications with other users

Whether to enable Sets PRESSURE_VESSEL_IMPORT_OPENXR_1_RUNTIMES system-wide to allow Steam to automatically discover the WiVRn server

Additional nftables rules to be appended to the input-allow chain

Whether to automatically allow VRRP and AH packets in the firewall.

Configure freetds database entries

Allow only a defined list of nodes to connect.

Allow changes to the program config made by the program to persist between restarts

By default pam-u2f module sets the origin to pam://$HOSTNAME

Whether to allow powerups such as the ninja.

Whether to allow users in the 'wireshark' group to capture USB traffic

Allow new user registrations with the atuin server.

Whether to allow users in the 'wireshark' group to capture network traffic

Whether to enable team damage; whether to allow team mates to inflict damage on one another.

Protocols to allow in the zone.

Allow GDM to run on Wayland instead of Xserver.

Defines the mapping from system users to database users

List of device paths to allow access to for SMART monitoring

Set to true for unauthenticated emergency access, and false or null for no emergency access

Allow the service to create and use its own config file inside the dataDir as configured by services.mediatomb.dataDir

Additional nftables rules to be appended to the forward-allow chain

Don't allow users to connect in non-secure mode (without random padding).

Address to listen on (use 0.0.0.0 to allow access from any address).

Enable tracking of the RTC offset to the system clock and automatic trimming

Environment files that allow passing secret configuration values

How to treat USB devices that don't match any rule in the policy

If enabled, allow principal names containing (.) dots

Whether to allow X11 connections to be forwarded.

Configuration for UWSM-managed Wayland Compositors

How to treat USB devices that are already connected when the daemon starts

Allow books to be uploaded via Calibre-Web UI.

If enabled srun will accept the option "--x11" to allow for X11 forwarding from within an interactive session or a batch job

Reduce storage requirements by enabling pruning (deleting) of old blocks

Allow open registration without secondary verification (reCAPTCHA).

Configuration for WiVRn

If enabled, pam_gnupg will attempt to automatically unlock the user's GPG keys with the login password via gpg-agent

IP address on which RabbitMQ will listen for AMQP connections

Whether to make configuration.yaml writable

Whether to allow invalid certificates when provisioning the target instance

Deactivates analytics

Maximum number of concurrent certificate generation or renewal jobs

Additional shell commands executed as part of the firewall initialisation script

Set this to yes to allow symlinks that point outside user-defined media_dir.

A list of device paths to hardware acceleration devices that Plex should have access to

Multiaddr or array of multiaddrs describing the address to serve the local HTTP API on

Allow changes made on the AdGuard Home web interface to persist between service restarts.

Additional nftables rules to be appended to the rpfilter-allow chain

Allow users to register themselves

Opens up the erlang distribution port of all enabled components to allow reaching the server cluster from the internet

Default action whether to block or allow application internet access.

Allow the installation and updating of apps from the Nextcloud appstore

List of peer public keys to allow incoming peering connections from

Python environment to run jupyterhub

Customizing will affect the packages available in the hub and proxy

The maximum number of processes that EPGStation would allow to run at the same time for encoding or streaming videos.

How to treat USB controller devices that are already connected when the daemon starts

Allow for incus.service to be stopped without affecting running instances.

DEPRECATED

When set to true, the server will only allow clients that have a valid factorio.com account.

Whether to allow registration of new admin users.

Restrictions on the connections that the server will accept

Whether to enable KVMGT (iGVT-g) VGPU support

Description of how to identify the filesystem to be duplicated by this instance of bees

Whether to make ui-lovelace.yaml writable

Allow users of the wpa_supplicant group to control wpa_supplicant through wpa_gui or wpa_cli

For an IPv6-based tunnel, the maximum number of nested encapsulation to allow. 0 means no nesting, "none" unlimited.

If set, all recipients to users at either "localhost" (the literal string) or the canonical host name (from the me control attribute) are remapped to this address

If set to

• "true": all DNS lookups will be encrypted

If enabled, the generated destination NAT (DNAT) rules will NOT accept traffic that was DNAT'd by other entities, e.g. docker

Disables TLS verification of the certificate presented by your origin

Whether to prohibit creating an account in plausible's UI or allow on invite_only.

If you do not enable one of the rpc or httprpc plugins you need to expose an RPC mount through scgi using this option

Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli

The keyfile which associates this machine with your tarsnap account

If set to

• "true": all DNS lookups are DNSSEC-validated locally (excluding LLMNR and Multicast DNS)

Environment file as defined in systemd.exec(5)

Do not allow more than this many server connections per database (regardless of user)

Whether to allow other versions of PostgreSQL than the recommended one

Whether to provide the dependencies to allow using transformer models.

Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli

Change the paths where mandoc makewhatis(8)generates the manual page index caches. documentation.man.generateCaches should be enabled to allow cache generation

Allow dockerd to be restarted without affecting running container

Allow placing blocks inside of players (hitbox logic is simplified)

Address for agnos to listen on

All of these scripts will be executed in lexicographical order before hostapd is started, right after the bss segment was generated and may dynamically append bss options to the generated configuration file

Build VirtualBox web service tool (vboxwebsrv) to allow managing VMs via other webpage frontend tools

Do not allow more than this many server connections per user (regardless of database)

Allow localhost redirects

Set the priority of the system call filter setting

Either a single port or port range to allow

Number of tasks to perform simultaneously

The protocol to allow

Configures the syscall filter for postgresql.service

If set, all sae password entries that have a non-wildcard MAC associated to them will additionally be used to populate the MAC allow list

List of volumes to attach to this container

Allow users to edit datasources from the UI.

Configuration from which XMonad gets compiled

How many server connections to allow per user/database pair

Sets the password for WPA-PSK that will be converted to the pre-shared key

Whether to copy the DSCP (Differentiated Services Field Codepoint) header field to/from the outer IP header in tunnel mode

Use childless IKE_SA initiation (allow, prefer, force or never)

The project_id and project_name fields are optional for the Identity V2 API

The project_id and project_name fields are optional for the Identity V2 API

By default, PgBouncer allows only parameters it can keep track of in startup packets: client_encoding, datestyle, timezone and standard_conforming_strings

The application_credential_id or application_credential_name fields are required if using an application credential to authenticate

The application_credential_id or application_credential_name fields are required if using an application credential to authenticate

By default, all allowed IPs and subnets are comma-separated in the allowed_ips field

Define a lower and upper time value (in HH:MM format) which constitute a time window during which reboots are allowed after an upgrade

What networks are allowed to use us as a resolver

List of servers that should be probed.

Note: if your mailserver has rspamd(8) configured, it can happen that emails from this exporter are marked as spam

Allowed time window for first received packet in seconds (positive number allows packets from history)

List of network interfaces that should be ignored by the avahi-daemon

If pings are allowed, this allows setting rate limits on them

Allowable formats for the RAUC bundle.

addr:port to listen on for HTTPS clients

Storage quota for the repository

The artalk configuration

The allowlisted XMPP servers

Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets)

Whether to open the UDP port used for multicast peer discovery

This option allows modules to define helper functions, constants, etc.

A list of SSH public keys allowed to access the binary cache via SSH.

Set to true to automatically add new users to the main organization (id 1)

The command the user is allowed to run

Denied client IP ranges, these gets evaluated after the allowed IP ranges, defaults to all IPv4 addresses: [ "0.0.0.0/0" ] To block all other access than the allowed.

list of origins allowed to upload

Whether to enable writing to the Nix store as a remote store via SSH

A set of NixOS system configurations to be run as lightweight containers

Set the maximum number of FUSE mounts allowed to non-root users.

Enable uptimed, allowing you to track your highest uptimes.

Specifies the ciphers allowed and their order of preference.

Maximum number of concurrent clients allowed.

Subordinate group ids that user is allowed to use

Subordinate user ids that user is allowed to use

Extra configuration text appended to doas.conf

Mutual TLS - regex for whitelist of allowed client CNs.

Extra arguments to pass to sanoid

Start of the range of subordinate user ids that user is allowed to use.

Start of the range of subordinate group ids that user is allowed to use.

A list of users allowed to access the ifp dbus interface.

Path to TLS certificate

Whether domains on this list should be explicitly allowed, or blocked

Subordinate user ids that user is allowed to use

Subordinate group ids that user is allowed to use

Message to display to the remote user before authentication is allowed.

SSH public key allowed to login as user btrbk to run remote backups.

Define list of allowed domains.

If an Anonymous keyword is present, then anonymous proxying is enabled

Start of the range of subordinate group ids that user is allowed to use.

Start of the range of subordinate user ids that user is allowed to use.

List of allowed HTTP origins for WebSocket listeners

Extra directories where SFTPGo is allowed to write to.

Require authentication of the STUN Binding request

Define specific rules to be set in the /etc/doas.conf file

Whether to enable RustDesk, a remote access and remote control software, allowing maintenance of computers and other devices.

Allowed TLS protocol versions.

Limit on the number of simultaneous connections allowed.

The maximum number of outstanding audit buffers allowed; exceeding this is considered a failure and handled in a manner specified by failureMode.

Reflect incoming mDNS requests to all allowed network interfaces.

Allowed SSL/TLS protocol versions.

Used to select a secure SMTP connection

Free-form settings written directly to the config file

Whether the installation process is allowed to modify EFI boot variables.

Whether to run the Avahi daemon, which allows Avahi clients to use Avahi's service discovery facilities and also allows the local machine to advertise its presence and services (through the mDNS responder implemented by avahi-daemon).

Whether to enable allowing blendfarm network access through the firewall.

I2P nodes that are allowed to connect to this service.

Whether to enable all firmware, including unfree packages that must be explictly allowed

This option allows you to define interfaces encapsulating IP packets within IP packets; which should be automatically created

Allowed MACs

Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Whether to add the boot.binfmt.emulatedSystems to nix.settings.extra-platforms

If true, a system-wide PipeWire service and socket is enabled allowing all users in the "pipewire" group to use it simultaneously

Whether to enable the Keybase root redirector service, allowing any user to access KBFS files via /keybase, which will show different contents depending on the requester.

Net masks for trusted - allowed to relay mail to third parties - hosts

Username or user ID of the user allowed to to fetch Tailscale TLS certificates for the node.

Number of attempts a client is allowed to make in autobanTimeframe seconds, before being banned for autobanTime.

For a port to pass the filter and appear on the port list managed by drone, it be allowed by this include list.

Enables or disables the laptop keyboard's Function (Fn) lock at boot

Indicate if login is allowed if we can't cd to the home directory.

Line-separated email addresses that are allowed to authenticate.

sysfs attributes to be set as soon as they become available

TURN listener port for UDP and TCP

Allowed ciphers

Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Whether the application will be allowed access to location information.

If specified, login is allowed only for the listed users

Restrict the allowed ciphers of this policy to those defined here

Name of the group members of which will be allowed to create usershares

Limits the amount of maximum concurrent clients allowed.

The number of allowed simultaneous connections to the daemon, default 10.

Newline separated list of names to be allowed/denied if userlistEnable is true

Whether to enable Google OS Login

Dynamic configuration files to write

Whether to add Wireshark to the global environment and create a 'wireshark' group

Disable all routes allowing Chromium-based conversion.

Roles that are allowed to access the JMX (e.g. nodetool) BEWARE: The passwords will be stored world readable in the nix store

List of groups allowed to operate with the config

List of users allowed to operate with the config. "root" is always implicitly included

Bulk PDF import from consume directory

If specified, login is allowed only for users part of the listed groups

Whether to enable native host connector for the GNOME Shell browser extension, a DBus service allowing to install GNOME Shell extensions from a web browser .

In case of a virtual device, the user who owns it. null will not set owner, allowing access to any user.

When to run the exporter

List of OIDC clients

Allowed users and their secrets

The window size of the default gateway

If you want to prevent node sharing from allowing users to access services across tailnets, declare your expected tailnets domain here.

The changes the principal is allowed to make.

Maximum number of concurrent clients allowed.

The maximum amount of memory, in MiB, a Sidekiq worker is allowed to consume before being killed.

Specifies whether remote hosts are allowed to connect to ports forwarded for the client

Max qps allowed from any query source. 0 means unlimited

Erlang cookie is a string of arbitrary length which must be the same for several nodes to be allowed to communicate

Maximum amount of users which will be allowed to register on this system. 0 - no limit.

Whether to verify clients against a locally running tailscale daemon if they are allowed to connect to this node or not.

Verbatim ferm.conf configuration.

Only use TLSv1.3 (default also allows TLSv1.2).

Any remote cjdns nodes that offer these passwords on connection will be allowed to route through this node.

Omits password checking, allowing anyone to log in with any user name unless other mandatory authentication methods (eg TLS client certificates) are configured.

Whether to run reaction as root

List the file systems that clients will be allowed to mount

The time allowed for all jobs to finish before Sidekiq is killed forcefully.

Disable all routes allowing LibreOffice-based conversion.

Upstream server maximum allowed concurrent connections

A list of Cron jobs to be appended to the system-wide crontab

Allowed key exchange algorithms

Uses the lower bound recommended in both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Whitelist allowed images.

Whether to enable the sudo command, which allows non-root users to execute commands as root.

Whether to enable the doas command, which allows non-root users to execute commands as root.

Whether to enable fwupd, a DBus service that allows applications to update firmware.

Whether to enable loading the wireless regulatory database at boot.

The path to the folder which should be shared

The qemu package to use. pkgs.qemu can emulate alien architectures (e.g. aarch64 on x86) pkgs.qemu_kvm saves disk space allowing to emulate only host architectures.

This option allows you to define interfaces encapsulating IPv6 packets within IPv4 packets; which should be automatically created.

An extra set of filesystem paths that FoundationDB can read to and write from

An attribute set describing an HTTP to GCS proxy that allows us to use GCS bucket via HTTP protocol.

This option disables password/group lookups

Whether to enable a memory-safe implementation of the sudo command, which allows non-root users to execute commands as root .

A list of additional patches to apply to the kernel

Whitelist allowed services.

List of trusted remote SMTP clients, that are allowed to relay mail

Whether to enable firmware with a license allowing redistribution.

Preferences to set from about:config

Specify the controller targets

The maximum samples allowed for a single Series request

The timestamp format to use for constructing snapshot names

Multiple monitor configuration, just specify a list of XRandR outputs

Allows customizing the nginx virtualHost settings

TURN listener port for TLS

Whether to enable please, a Sudo clone which allows a users to execute a command or edit a file as another user .

The number of concurrent jobs the build machine supports

Max qps allowed from whitelisted sources. 0 means unlimited

Whether to enable pmount, a tool that allows normal users to mount removable devices without requiring root privileges .

This option allows you to configure Foo Over UDP and Generic UDP Encapsulation endpoints

Group under which the postfix exporter shall be run

How many sync accounts are allowed on this server

Whether to enable udisks2, a DBus service that allows applications to query and manipulate storage devices.

Whether to enable the OpenSSH secure shell daemon, which allows secure remote logins.

Greatest allowed size for individual swapfiles

Smallest allowed size for individual swapfiles

VHT (Very High Throughput) capabilities given as a list of flags

DSCP (differentiated services) value to be assigned to SIP packets

DSCP (differentiated services) value to be assigned to RTP packets

This option allows you to define Generic Routing Encapsulation (GRE) tunnels.

Whether to enable Bonjour auto-discovery, which allows clients over your LAN to automatically discover Mumble servers.

HT (High Throughput) capabilities given as a list of flags

Set to "true" to install pprof debug handlers

This option allows you to define macvlan interfaces which should be automatically created.

This option allows you to define vlan devices that tag packets on top of a physical interface

oauth2-proxy allows passing sensitive configuration via environment variables

Country code (ISO/IEC 3166-1)

Whether to enable ‘oidentd’, an implementation of the Ident protocol (RFC 1413)

Allows the container to create and setup tunnel interfaces by granting the NET_ADMIN capability and enabling access to /dev/net/tun.

Literal Kismet config lines appended to the site config

This option effectively allows adding setuid/setgid bits, capabilities, changing file ownership and permissions of a program without directly modifying it

This option allows you to define bond devices that aggregate multiple, underlying networking interfaces together

A list of files containing additional configuration to be included using the include directive

Allows specifying if weechat should run in TUI or headless mode.

A list of backends from which clients are allowed to connect from

Whether to enable authenticating using a signature performed by the ssh-agent

Whether to run the BitlBee IRC to other chat network gateway

Enable dnsmasq forwarding to nixops-dns

Implements the CSI protocol that allows clients to report their active/inactive state to the server

Files to include into the config file using Taler's @inline@ directive

Whether to enable WINS NSS (Name Service Switch) plug-in

Whether to enable Webhook, a server written in Go that allows you to create HTTP endpoints (hooks), which execute configured commands for any person or service that knows the URL .

Percentage of bandwidth_max that sabnzbd is allowed to use. 0 means no limit.

Allows loading of private environment variables

The group which should be allowed access to the given resource.

This option is opposite to lt-cred-mech. (TURN Server with no-auth option allows anonymous access)

If enabled, causes a leave action to be sent when closing consul

Whether to enable the mDNS NSS (Name Service Switch) plug-in for IPv4

Whether this file locals should be generated

List of overlays to apply to Nixpkgs

This allows you to pass arguments to the child program

Whether this /etc file should be generated

Allows loading of public environment variables, these are emitted to the log so it shouldn't contain secrets.

This option allows you to define multipath groups as described in http://christophe.varoqui.free.fr/usage.html.

By default, nginx caches answers using the TTL value of a response

Labels by name to drop before sending to alertmanager

Mount verity-protected block devices in the initrd

This option allows you to define arrays for use in multipath groups.

Specifies whether password authentication is allowed.

This option allows you to define Ethernet bridge devices that connect physical networks together

The resource to which access should be allowed.

The largest allowed upload size in bytes

Whether this runtime directory should be generated

Allows you to host Umami under a subdirectory

Prefix for API and UI endpoints

This option allows to remove the support of protocol, even if compiled in

This allows to override the default bit size for all of the Diffie-Hellman parameters set in security.dhparams.params.

Path to the file that contains the server salt

A list of filter to restrict traffic

Enables routing of QUIC packets using eBPF

Prefix for API and UI endpoints

Enable append only mode

Whether this file should be generated

Install the SPICE USB redirection helper with setuid privileges

Whether to use components requiring unfree dependencies

Configuration for Immich

Whether to enable Zsh integration for VTE terminals

The organization's buckets which should be allowed to be read

Whether to enable the actkbd key mapping daemon

Controls the file Xorg logs to

List of allowed indicator modules to use for the lightdm gtk greeter panel

The organization's buckets which should be allowed to be written

Restrictions for access from non-local IP addresses

Whether to enable Bash integration for VTE terminals

This option allows you to define Open vSwitches that connect physical networks together

Installing a public key allows firmware signed with a matching private key to be recognized as trusted, which may require less authentication to install than for untrusted files

Specifies whether keyboard-interactive authentication is allowed.

Name of the config adapter to use

Whether this file overrides should be generated

Whether to enable power-profiles-daemon, a DBus daemon that allows changing system behavior based upon user-selected power profiles.

Don't poll the kernel for battery level changes

You want that ip-from-header in the nginx setup case

Whether to enable the atopacct service which manages process accounting

Whether to enable System bus notification support

WARNING: enabling this option (while convenient) should not be done on a machine where you do not trust the other users as it allows any other local user to DoS your session by spamming notifications .

These options tell pgmanage where the TLS Certificate and Key files reside

Whether to enable the mDNS NSS (Name Service Switch) plug-in for IPv6

Allows you to assign a custom name to the tracker script different from the default script.js.

Whether to set mark_in on the inbound SA

Whether the service should be reloaded during a NixOS configuration switch if its definition has changed

Add ImageMagick to server's path; allows for image thumbnailing

Wait for DNS

This option activates the wrapper that allows the use of mullvad-exclude

Named accounts and their respective configurations

Allows interop between older clients that use XEP-0048: Bookmarks in its 1.0 version and recent clients which use it in PEP

If this attribute is not included, or if is set to the wildcard address (ff:ff:ff:ff:ff:ff), the entry is available for any station (client) to use

Whether to set up a loopback device that continuously records and allows to play back audio from the computer

emits keter logs and it's applications to stderr. which allows journald to capture them

Extra config files to include

Make netboot.xyz available from the systemd-boot menu. netboot.xyz is a menu system that allows you to boot OS installers and utilities over the network.

Whether the service should be reloaded during a NixOS configuration switch if its definition has changed

If set, the service will register a new session with systemd's login manager

This option allows you to override the Linux kernel used by NixOS

Allows you to send metrics to a location different than the default /api/send.

Static prefix for all HTML links and redirect URLs in the UI query web interface

Allows configuring environment variable credentials for renovate, read from files

Package set to use for the host-specific packages of the VM runner

Static prefix for all HTML links and redirect URLs in the UI query web interface

Enable/disable the embedded DNS proxy server

Origins allowed to connect to the collaboration server

Whether to enable the Jenkins Job Builder (JJB) service

Environment variables suffixed by "_FILE" to set for the cert's service for your selected dnsProvider

File to load as the environment file

Sets allowed passwords for WPA3-SAE

Environment variables for the Firezone server

Allows administration via an XMPP client that supports ad-hoc commands

When a room is destroyed, it leaves behind a tombstone which prevents the room being entered or recreated

Whether to fall back to WPA2 authentication protocols if WPA3 failed

You want that ip-from-header in the nginx setup case

Defines whether users see the Register option in the menu of Time Tracker that allows them to self-register and create new organizations (top groups).

Allows Octoprint to control Klipper.

Use a boot loader to boot the system

The hostname that clients should use to connect to this server

The cache allows tarsnap to identify previously stored data blocks, reducing archival time and bandwidth usage

Your role in Tor network

It is recommended you keep your secrets separate from the configuration

Environment variables suffixed by "_FILE" to set for the cert's service for your selected dnsProvider

Whether to enable the dummy "startx" pseudo-display manager, which allows users to start X manually via the startx command from a virtual terminal.

Path to collection.cgi script from (collectd sources)/contrib/collection.cgi This option allows to use a customized version

List of additional allowed URLs to pass by the CSRF check

Maximum number of client connections allowed

CPU family of motherboard

Whether to generate the manual page index caches

Name of HTTP request header used for dynamic prefixing of UI links and redirects

Known homeservers

Whether to enable (experimental) dumpless upgrade

"bantime.increment" allows to use database for searching of previously banned ip's to increase a default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32 ...

Whether to enable the Xen Project Hypervisor, a virtualisation technology defined as a type-1 hypervisor, which allows multiple virtual machines, known as domains, to run concurrently on the physical machine

Name of HTTP request header used for dynamic prefixing of UI links and redirects

A proposal is a set of algorithms

This option allows you to define APs for one or multiple physical radios

This is a convenience option which allows you to set secret values for environment variables by specifying a file which will contain the value at runtime

Whether to enable presence tracking

When using the SLiRP user networking (default), this option allows to forward ports to/from the host/guest.

TURN REST API flag

User name under which the chrony exporter shall be run

Alloy configuration file/directory path

Allows libvirtd to use swtpm to create an emulated TPM.

Allows libvirtd to take advantage of OVMF when creating new QEMU VMs with UEFI boot.

Sets the pointer acceleration profile to the given profile

Group under which the chrony exporter shall be run

If provided, adds a prefix to indexes in Elasticsearch

Whether to enable the "sx" pseudo-display manager, which allows users to start manually via the "sx" command from a vt shell

Enable legacy crypto on this client

Whether to install the register_new_matrix_user script, that allows account creation on the terminal.

VRRP will normally preempt a lower priority machine when a higher priority machine comes online. "nopreempt" allows the lower priority machine to maintain the master role, even when a higher priority machine comes back online

List of allowed headers to be set by the user

Sets the pointer acceleration profile to the given profile

Whether the member list should be overwritten each time (true) or appended (false)

Whether to wrap the interpreter in a shell script

AH proposals to offer for the CHILD_SA

Make the Podman and Docker compatibility API available over the network with TLS client certificate authentication

Rendering mode of grafana-image-renderer:

• default: Creates on browser-instance per rendering request.
• reusable: One browser instance will be started and reused for each rendering request.
• clustered: allows to precisely configure how many browser-instances are supposed to be used

Whether to overwrite Jellyfin's encoding.xml configuration file on each service start

Additional arguments passed to each module in addition to ones like lib, config, and pkgs, modulesPath

Send notifications about killed processes via the system d-bus

Data Plane Development Kit is a framework for fast packet processing in data plane applications running on a wide variety of CPU architectures

Specifies the number of seconds between status packets sent back to the server

The configuration of vaultwarden is done through environment variables, therefore it is recommended to use upper snake case (e.g. DISABLE_2FA_REMEMBER)

Specifies if mapped OpenID Connect accounts are automatically created upon successful authentication

Whenever to send systembus-notify notifications

ESP proposals to offer for the CHILD_SA

Define a whitelist of allowed IP addresses or domains, with ports, to be used in data source URLs with the Grafana data source proxy

Periodically refresh the endpoint hostname or address for all peers

Enables MOBIKE on IKEv2 connections

Enables Aggressive Mode instead of Main Mode with Identity Protection

Specifies if mapped OpenID Connect accounts are automatically created upon successful authentication

List of IP address CIDR ranges that the URL preview spider is allowed to access even if they are specified in url_preview_ip_range_blacklist.

XFRM interface ID set on inbound policies/SA

Set of characters used as the delimiters for address extensions

Defines the base URI for the Hash and URL feature supported by IKEv2

XFRM interface ID set on outbound policies/SA

Netfilter mark and mask for output traffic

Netfilter mark and mask for input traffic

Sets the password(s) for WPA-PSK

Enable per-CPU CHILD_SAs

Netfilter mark applied to packets after the outbound IPsec SA processed them

Set to true to add the Content-Security-Policy header to your requests

Email will be sent by default with an HTML and a plain text body

List of local traffic selectors to include in CHILD_SA

If set, allows registration by anyone who also has the shared secret, even if registration is otherwise disabled