| users.users.<name>.group | The user's primary group.
|
| power.ups.upsmon.group | Group for the default nutmon user
|
| services.ocis.group | The group to run oCIS under
|
| services.qui.group | Group to run qui as.
|
| services.znc.group | Group to own the ZNC process.
|
| services.node-red.group | Group under which Node-RED runs
|
| services.h2o.group | Group running H2O services
|
| services.bee.group | Group the bee binary should execute under.
|
| services.mpd.group | Group account under which MPD runs.
|
| services.vdr.group | Group under which the VDR service runs.
|
| users.extraUsers.<name>.group | The user's primary group.
|
| security.agnos.group | Group to run Agnos as
|
| programs.nncp.group | The group under which NNCP files shall be owned
|
| services.nats.group | Group under which NATS runs.
|
| services.ombi.group | Group under which Ombi runs.
|
| services.plex.group | Group under which Plex runs.
|
| services.caddy.group | Group under which caddy runs.
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the group exists before the Caddy service starts.
|
| services.ergo.group | The group as which to run the Ergo node.
|
| services.kubo.group | Group under which the Kubo daemon runs
|
| services.loki.group | Group under which the Loki service runs.
|
| services.unit.group | Group account under which unit runs.
|
| services.nscd.group | User group under which nscd runs.
|
| services.tcsd.group | Group account under which tcsd runs.
|
| services.ente.api.group | Group under which museum runs
|
| services.bird-lg.group | Group to run the service.
|
| services.maddy.group | Group account under which maddy runs.
If left as the default value this group will automatically be created
on system activation, otherwise the sysadmin is responsible for
ensuring the group exists before the maddy service starts.
|
| services.guix.group | The group of the Guix build user pool.
|
| services.exim.group | Group to use when no root privileges are required.
|
| services.nifi.group | Group account where Apache NiFi runs.
|
| hardware.i2c.group | Grant access to i2c devices (/dev/i2c-*) to users in this group.
|
| services.db-rest.group | Group under which db-rest runs.
|
| services.hitch.group | The group to run as
|
| services.ntfy-sh.group | Primary group of ntfy-sh user.
|
| services.ytdl-sub.group | Group under which ytdl-sub runs.
|
| services.gitea.group | Group under which gitea runs.
|
| services.davis.group | Group davis runs as.
|
| services.komga.group | Group under which Komga runs.
|
| services.dspam.group | Group for the dspam daemon.
|
| services.amule.group | Group under which amule runs
|
| services.seatd.group | Group to own the seatd socket
|
| services.nexus.group | Group which runs Nexus3.
|
| services.slskd.group | Group under which slskd runs.
|
| services.omnom.group | The Omnom service group.
|
| services.mlmmj.group | mailinglist local group
|
| services.stash.group | Group under which Stash runs.
|
| services.memos.group | The group to run Memos as.
If changing the default value, you are responsible for creating the corresponding group with users.groups.
|
| services.cyrus-imap.group | Cyrus IMAP group name
|
| services.sonarr.group | Group account under which Sonarr runs.
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the group exists before the Sonarr service starts.
|
| services.hound.group | Group the hound daemon should execute under.
|
| services.bosun.group | Group account under which bosun runs.
|
| services.legit.group | Group account under which legit runs.
|
| services.nginx.group | Group account under which nginx runs.
|
| services.movim.group | Group running Movim service
|
| services.rqbit.group | Group account under which rqbit runs.
|
| services.uwsgi.group | Group account under which uWSGI runs.
|
| services.patroni.group | The group for the service
|
| services.snipe-it.group | Group snipe-it runs as.
|
| services.murmur.group | The name of an existing group to use to run the service
|
| services.felix.group | Group account under which Apache Felix runs.
|
| services.httpd.group | Group under which httpd child processes run.
|
| services.cgit.<name>.group | Group to run the cgit service as.
|
| services.coder.group | Group under which the coder service runs.
If left as the default value this group will automatically be created
on system activation, otherwise it needs to be configured manually.
|
| programs.cdemu.group | Group that users must be in to use cdemu.
|
| hardware.cpu.amd.sev.group | Group to assign to the SEV device.
|
| services.outline.group | Group under which the service should run
|
| services.webhook.group | Webhook will be run under this group
|
| services.ollama.group | Group under which to run ollama
|
| hardware.cpu.x86.msr.group | Group to set for devices of the msr kernel subsystem.
|
| services.quorum.group | The group as which to run quorum.
|
| services.atticd.group | The group under which attic runs.
|
| services.bazarr.group | Group under which bazarr runs.
|
| services.lidarr.group | Group under which Lidarr runs.
|
| services.immich.group | The group immich should run as.
|
| services.artalk.group | Artalk group name.
|
| services.deluge.group | Group under which deluge runs.
|
| services.kismet.group | The group to run Kismet as.
|
| services.galene.group | Group under which galene runs.
|
| services.opkssh.group | System group for opkssh
|
| services.nzbget.group | Group under which NZBGet runs
|
| services.pretix.group | Group under which pretix should run.
|
| services.radarr.group | Group under which Radarr runs.
|
| services.monica.group | Group monica runs as.
|
| services.webdav.group | Group under which WebDAV runs.
|
| services.zammad.group | Name of the Zammad group.
|
| services.mysql.group | Group account under which MySQL runs.
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the user exists before the MySQL service starts.
|
| security.pam.ussh.group | If set, then the authenticating user must be a member of this group
to use this module.
|
| services.github-runners.<name>.group | Group under which to run the service
|
| services.prosody.group | Group account under which prosody runs.
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the group exists before the prosody service starts.
|
| services.code-server.group | The group to run code-server under
|
| services.flarum.group | System group to run Flarum
|
| services.akkoma.group | Group account under which Akkoma runs.
|
| services.cross-seed.group | Group to run cross-seed as.
|
| programs.ccache.group | Group owner of CCache directory
|
| services.sftpgo.group | Group name under which SFTPGo runs.
|
| services.gollum.group | Specifies the owner group of the wiki directory
|
| services.baikal.group | Group account under which the web-application runs.
|
| services.gitlab.group | Group to run gitlab and all related services.
|
| services.tomcat.group | Group account under which Apache Tomcat runs.
|
| services.rspamd.group | Group to use when no root privileges are required.
|
| services.pihole-ftl.group | Group to run the service as.
|
| services.pyload.group | Group under which pyLoad runs, and which owns the download directory.
|
| services.pocket-id.group | Group account under which Pocket ID runs.
|
| services.zeyple.group | Group to use to run Zeyple.
If left as the default value this group will automatically be created
on system activation, otherwise the sysadmin is responsible for
ensuring the user exists.
|
| services.gitDaemon.group | Group under which Git daemon would be running.
|
| services.rss-bridge.group | The group under which the web application runs.
|
| services.firefly-iii.group | Group under which firefly-iii runs
|
| services.gocd-agent.group | If the default user "gocd-agent" is configured then this is the primary
group of that user.
|
| services.syncoid.group | The group for the service.
|
| services.jupyter.group | Name of the group used to run the jupyter service
|
| services.traefik.group | Primary group under which Traefik runs
|
| services.roon-bridge.group | Group to run the Roon Bridge as.
|
| services.roon-server.group | Group to run the Roon Server as.
|
| services.dolibarr.group | Group account under which dolibarr runs.
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the group exists before the dolibarr application starts.
|
| services.pixelfed.group | Group account under which pixelfed runs.
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the group exists before the pixelfed application starts.
|
| services.seafile.group | Group under which seafile runs.
|
| services.icecast.group | Group privileges for the server.
|
| services.corteza.group | The group to run Corteza under.
|
| services.jackett.group | Group under which Jackett runs.
|
| services.homebox.group | Group under which Homebox runs.
|
| services.forgejo.group | Group under which Forgejo runs.
|
| services.owncast.group | Group under which owncast runs.
|
| services.sabnzbd.group | Group to run the service as
|
| services.readarr.group | Group under which Readarr runs.
|
| services.pretalx.group | Group under which pretalx should run.
|
| services.netdata.group | Group under which netdata runs.
|
| services.pdfding.group | Group under which PdfDing runs
|
| services.redmine.group | Group under which Redmine is run.
|
| services.polaris.group | Group under which Polaris is run.
|
| services.stunnel.group | The group under which stunnel runs.
|
| services.monetdb.group | Group under which MonetDB runs.
|
| services.unbound.group | Group under which unbound runs.
|
| services.zitadel.group | The group to run ZITADEL under.
|
| services.zerobin.group | The group 0bin should run as
|
| services.haproxy.group | Group account under which haproxy runs.
|
| services.couchdb.group | Group account under which couchdb runs.
|
| services.pleroma.group | Group account under which pleroma runs.
|
| security.acme.certs.<name>.group | Group running the ACME client.
|
| services.usbmuxd.group | The group usbmuxd should use to run after startup.
|
| hardware.cpu.amd.sevGuest.group | Group to assign to the SEV guest device.
|
| programs.ydotool.group | Group which users must be in to use ydotool.
|
| services.postfix.group | What to call the Postfix group (must be used only for postfix).
|
| services.podgrab.group | Group under which Podgrab runs, and which owns the download directory.
|
| services.gocd-server.group | If the default user "gocd-server" is configured then this is the primary group of that user.
|
| services.jenkins.group | If the default user "jenkins" is configured then this is the primary
group of that user.
|
| services.rsync.jobs.<name>.group | The name of an existing user group under which the rsync process should run.
|
| services.calibre-web.group | Group account under which Calibre-Web runs.
|
| services.actual.group | Group account under which Actual runs
|
| services.dovecot2.group | Dovecot group name.
|
| services.lavalink.group | The group of the service.
|
| services.opendkim.group | Group for the daemon.
|
| services.postsrsd.group | Group for the daemon
|
| services.lxd-image-server.group | Group assigned to the user and the webroot directory.
|
| services.redis.servers.<name>.group | Group account under which this instance of redis-server runs.
If left as the default value this group will automatically be
created on system activation, otherwise you are responsible for
ensuring the group exists before the redis service starts.
|
| services.matrix-tuwunel.group | The group tuwunel is run as
|
| services.dawarich.group | Group under which dawarich runs.
|
| services.crowdsec.group | The group to run crowdsec as
|
| services.jellyfin.group | Group under which jellyfin runs.
|
| services.agorakit.group | Group agorakit runs as.
|
| services.ejabberd.group | Group under which ejabberd is run
|
| services.librenms.group | Name of the LibreNMS group.
|
| services.influxdb.group | Group under which influxdb runs
|
| services.kanboard.group | Group under which Kanboard runs.
|
| services.ersatztv.group | Group under which ErsatzTV runs.
|
| services.rtorrent.group | Group under which rtorrent runs.
|
| services.olivetin.group | The group under which OliveTin runs.
|
| services.peertube.group | Group under which Peertube runs.
|
| services.stalwart.group | Group ownership of service
|
| services.tautulli.group | Group under which Tautulli runs.
|
| services.mastodon.group | Group under which mastodon runs.
|
| services.sniproxy.group | Group under which sniproxy runs.
|
| services.whisparr.group | Group under which Whisparr runs.
|
| services.opencloud.group | The group to run OpenCloud under
|
| services.syncthing.group | The group to run Syncthing under
|
| services.klipper.group | Group account under which Klipper runs
|
| services.openldap.group | Group account under which slapd runs.
|
| services.opentsdb.group | Group account under which OpenTSDB runs.
|
| services.oxidized.group | Group under which the oxidized service runs.
|
| services.gitolite.group | Primary group of the Gitolite user account.
|
| services.portunus.group | Group account under which Portunus runs its webserver.
|
| services.pingvin-share.group | Group under which Pingvin Share runs.
|
| services.gammu-smsd.device.group | Owner group of the device
|
| services.webdav-server-rs.group | Group to run under when setuid is not enabled.
|
| boot.initrd.systemd.users.<name>.group | Group the user belongs to in initrd.
|
| services.nginx.gitweb.group | Group that the CGI process will belong to. (Set to config.services.gitolite.group if you are using gitolite.)
|
| services.phpfpm.pools.<name>.group | Group account under which this pool runs.
|
| services.inadyn.group | Group account under which inadyn runs.
If left as the default value this user will automatically be created
on system activation, otherwise you are responsible for
ensuring the user exists before the inadyn service starts.
|
| services.temporal.group | The group temporal runs as
|
| services.quickwit.group | The group quickwit runs as
|
| security.wrappers.<name>.group | The group of the wrapper program.
|
| services.bitcoind.<name>.group | The group as which to run bitcoind.
|
| services.mjpg-streamer.group | mjpg-streamer group name.
|
| services.jenkinsSlave.group | If the default slave agent user "jenkins" is configured then this is
the primary group of that user.
|
| services.calibre-server.group | The group under which calibre-server runs.
|
| services.octoprint.group | Group for the daemon.
|
| security.acme.defaults.group | Group running the ACME client.
|
| services.bookstack.group | Group bookstack runs as
|
| services.commafeed.group | Group under which CommaFeed runs.
|
| services.glitchtip.group | The group under which GlitchTip runs.
|
| hardware.bumblebee.group | Group for bumblebee socket
|
| services.blendfarm.group | Group under which blendfarm runs.
|
| services.kapacitor.group | Group under which Kapacitor runs
|
| services.librechat.group | The group to run the service as.
|
| services.pinchflat.group | Group under which Pinchflat runs.
|
| services.navidrome.group | Group under which Navidrome runs.
|
| services.recyclarr.group | Group under which recyclarr runs.
|
| services.sickbeard.group | Group to run the service as
|
| services.pgbouncer.group | The group pgbouncer is run as.
|
| services.privatebin.group | Group under which privatebin runs
|
| services.headscale.group | Group under which headscale runs.
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the user exists before the headscale service starts.
|
| services.charybdis.group | Charybdis IRC daemon group.
|
| services.cassandra.group | Run Apache Cassandra under this group.
|
| hardware.ubertooth.group | Group for Ubertooth's udev rules.
|
| services.bitmagnet.group | Group of user running bitmagnet
|
| services.stargazer.group | Group account under which stargazer runs.
|
| services.rethinkdb.group | Group which rethinkdb user belongs to.
|
| services.moonraker.group | Group account under which Moonraker runs.
|
| services.rutorrent.group | Group which runs the ruTorrent service.
|
| services.mediatomb.group | Group account under which the service runs.
|
| services.portunus.ldap.group | Group account under which Portunus runs its LDAP server.
|
| services.varnish.listen.*.group | Name of the group that owns the socket file.
|
| programs.k40-whisperer.group | Group assigned to the device when connected.
|
| services.infinoted.group | What to call the primary group of the dedicated user under which infinoted is run
|
| services.tandoor-recipes.group | Group under which Tandoor runs.
|
| system.nssDatabases.group | List of group entries to configure in /etc/nsswitch.conf
|
| users.groups.<name>.gid | The group GID
|
| services.buildbot-master.group | Primary group of buildbot user.
|
| services.peertube-runner.group | Group under which peertube-runner runs.
|
| services.suwayomi-server.group | Group under which Suwayomi-Server runs.
|
| services.plantuml-server.group | Group which runs PlantUML server.
|
| users.groups.<name>.members | The user names of the group members, added to the
/etc/group file.
|
| services.buildbot-worker.group | Primary group of buildbot Worker user.
|
| services.tailscaleAuth.group | Group which runs tailscale-nginx-auth
|
| services.yggdrasil.group | Group to grant access to the Yggdrasil control socket
|
| services.taskserver.group | Group for Taskserver.
|
| users.groups.<name>.name | The name of the group
|
| services.headphones.group | Group to run the service as
|
| services.homebridge.group | Group to run homebridge as.
|
| services.govee2mqtt.group | Group under which Govee2MQTT should run.
|
| services.photoprism.group | Group under which photoprism runs.
|
| services.szurubooru.group | Group under which Szurubooru runs.
|
| services.microsocks.group | Group microsocks runs as.
|
| services.linkwarden.group | The group Linkwarden should run as.
|
| services.lubelogger.group | Group under which LubeLogger runs.
|
| services.reposilite.group | The group to run Reposilite under.
|
| services.firefly-iii-data-importer.group | Group under which firefly-iii-data-importer runs
|
| services.samba.usershares.group | Name of the group members of which will be allowed to create usershares
|
| services.shairport-sync.group | Group account name under which to run shairport-sync
|
| services.mattermost.group | Group which runs the Mattermost service.
|
| services.scollector.group | Group account under which scollector runs.
|
| services.borgbackup.jobs.<name>.group | The group borg is run as
|
| services.sourcehut.hg.group | Group for hg.sr.ht
|
| services.nullmailer.group | Group to use to run nullmailer-send.
|
| services.mailman.ldap.groupSearch.type | Type of group to perform a group search against.
|
| services.openvscode-server.group | The group to run openvscode-server under
|
| services.sourcehut.man.group | Group for man.sr.ht
|
| services.sourcehut.git.group | Group for git.sr.ht
|
| services.sourcehut.hub.group | Group for hub.sr.ht
|
| services.healthchecks.group | Group account under which healthchecks runs.
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the group exists before the healthchecks service starts.
|
| services.komodo-periphery.group | Group under which the Periphery agent runs.
|
| services.opensearch.group | The group OpenSearch runs as
|
| services.cloudflare-ddns.group | Group under which the service runs.
|
| services.sourcehut.todo.group | Group for todo.sr.ht
|
| services.sourcehut.meta.group | Group for meta.sr.ht
|
| services.borgbackup.repos.<name>.group | The group borg serve is run as
|
| environment.etc.<name>.group | Group name of file owner
|
| services.sourcehut.paste.group | Group for paste.sr.ht
|
| services.sourcehut.lists.group | Group for lists.sr.ht
|
| services.sourcehut.pages.group | Group for pages.sr.ht
|
| services.silverbullet.group | The group to run Silverbullet under
|
| services.hbase-standalone.group | Group account under which HBase runs.
|
| services.netbird.tunnels.<name>.user.group | A system group name for this client instance.
|
| services.netbird.clients.<name>.user.group | A system group name for this client instance.
|
| services.filebrowser.group | Group under which FileBrowser runs.
|
| services.meshtasticd.group | Group meshtasticd runs as.
|
| services.qbittorrent.group | Group under which qbittorrent runs.
|
| services.writefreely.group | Group under which Writefreely is run.
|
| services.vdirsyncer.jobs.<name>.group | group to run vdirsyncer as
|
| hardware.cpu.intel.sgx.provision.group | Group to assign to the SGX provisioning device.
|
| users.groups | Additional groups to be created automatically by the system.
|
| services.sillytavern.group | Group account under which the web-application runs.
|
| services.wyoming.satellite.group | Group to run wyoming-satellite under.
|
| services.sourcehut.builds.group | Group for builds.sr.ht
|
| services.vault-agent.instances.<name>.group | Group under which this instance runs.
|
| services.keepalived.vrrpScripts.<name>.group | Name of group to run the script under
|
| services.suricata.settings.run-as.group | Run Suricata with a specific group-id.
|
| services.mailman.ldap.groupSearch.ou | Organizational unit to look up a group.
|
| services.anubis.defaultOptions.group | The group under which Anubis is run
|
| services.anubis.instances.<name>.group | The group under which Anubis is run
|
| services.mail.sendmailSetuidWrapper.group | The group of the wrapper program.
|
| security.duosec.groups | If specified, Duo authentication is required only for users
whose primary group or supplementary group list matches one
of the space-separated pattern lists
|
| services.blockbook-frontend.<name>.group | The group as which to run blockbook-frontend-‹name›.
|
| services.foundationdb.group | Group account under which FoundationDB runs.
|
| services.matterbridge.group | Group which runs the matterbridge service.
|
| services.transmission.group | Group account under which Transmission runs.
|
| services.authelia.instances.<name>.group | The name of the group for this authelia instance.
|
| services.xserver.desktopManager.phosh.group | The group to run the Phosh service.
|
| systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.group | The group of the file
|
| services.prometheus.exporters.chrony.group | Group under which the chrony exporter shall be run
|
| services.prometheus.exporters.frr.group | Group under which the frr exporter shall be run
|
| services.nginx.tailscaleAuth.group | Alias of services.tailscaleAuth.group.
|
| services.mailman.ldap.groupSearch.query | Query to find a group associated to a user in the LDAP database.
|
| services.hostapd.radios.<name>.networks.<name>.group | Members of this group can access the control socket for this interface.
|
| services.consul-template.instances.<name>.group | Group under which this instance runs.
|
| services.cockroachdb.group | User account under which CockroachDB runs
|
| services.matrix-continuwuity.group | The group continuwuity is run as.
|
| services.wasabibackend.group | The group as which to run the wasabibackend node.
|
| services.nextcloud-spreed-signaling.group | Group under which to run the Spreed signaling server.
|
| services.fcgiwrap.instances.<name>.socket.group | Group to be set as owner of the UNIX socket.
|
| services.taskchampion-sync-server.group | Unix Group to run the server under
|
| services.prometheus.exporters.sql.group | Group under which the sql exporter shall be run.
|
| services.prometheus.exporters.nut.group | Group under which the nut exporter shall be run.
|
| services.prometheus.exporters.kea.group | Group under which the kea exporter shall be run.
|
| services.prometheus.exporters.pve.group | Group under which the pve exporter shall be run.
|
| services.prometheus.exporters.zfs.group | Group under which the zfs exporter shall be run.
|
| services.prometheus.exporters.lnd.group | Group under which the lnd exporter shall be run.
|
| boot.initrd.systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.group | The group of the file
|
| services.sourcehut.settings."todo.sr.ht::mail".sock-group | The lmtp daemon will make the unix socket group-read/write
for users in this group.
|
| services.prometheus.exporters.flow.group | Group under which the flow exporter shall be run.
|
| services.prometheus.exporters.mail.group | Group under which the mail exporter shall be run.
|
| services.prometheus.exporters.snmp.group | Group under which the snmp exporter shall be run.
|
| services.prometheus.exporters.bind.group | Group under which the bind exporter shall be run.
|
| services.prometheus.exporters.bird.group | Group under which the bird exporter shall be run.
|
| services.prometheus.exporters.mqtt.group | Group under which the mqtt exporter shall be run.
|
| services.prometheus.exporters.ebpf.group | Group under which the ebpf exporter shall be run.
|
| services.prometheus.exporters.ipmi.group | Group under which the ipmi exporter shall be run.
|
| services.prometheus.exporters.knot.group | Group under which the knot exporter shall be run.
|
| services.prometheus.exporters.nats.group | Group under which the nats exporter shall be run.
|
| services.prometheus.exporters.node.group | Group under which the node exporter shall be run.
|
| services.prometheus.exporters.ping.group | Group under which the ping exporter shall be run.
|
| services.prometheus.exporters.json.group | Group under which the json exporter shall be run.
|
| services.prometheus.exporters.postfix.group | Group under which the postfix exporter shall be run
|
| services.fcgiwrap.instances.<name>.process.group | Group as which this instance of fcgiwrap will be run.
|
| services.prometheus.exporters.php-fpm.group | Group under which the php-fpm exporter shall be run.
|
| services.prometheus.exporters.idrac.group | Group under which the idrac exporter shall be run.
|
| services.prometheus.exporters.dmarc.group | Group under which the dmarc exporter shall be run.
|
| services.prometheus.exporters.redis.group | Group under which the redis exporter shall be run.
|
| services.prometheus.exporters.fritz.group | Group under which the fritz exporter shall be run.
|
| services.prometheus.exporters.v2ray.group | Group under which the v2ray exporter shall be run.
|
| services.prometheus.exporters.kafka.group | Group under which the kafka exporter shall be run.
|
| services.prometheus.exporters.jitsi.group | Group under which the jitsi exporter shall be run.
|
| services.prometheus.exporters.nginx.group | Group under which the nginx exporter shall be run.
|
| services.audiobookshelf.group | Group under which Audiobookshelf runs.
|
| services.libretranslate.group | Group account under which libretranslate runs.
|
| services.prometheus.exporters.node-cert.group | Group under which the node-cert exporter shall be run.
|
| boot.initrd.systemd.groups.<name>.gid | ID of the group in initrd.
|
| services.librenms.distributedPoller.group | Group(s) of this poller.
|
| networking.wireless.userControlled.group | Members of this group can control wpa_supplicant.
|
| services.prometheus.exporters.dnssec.group | Group under which the dnssec exporter shall be run.
|
| services.prometheus.exporters.mysqld.group | Group under which the mysqld exporter shall be run.
|
| services.prometheus.exporters.script.group | Group under which the script exporter shall be run.
|
| services.prometheus.exporters.fastly.group | Group under which the fastly exporter shall be run.
|
| services.prometheus.exporters.deluge.group | Group under which the deluge exporter shall be run.
|
| services.prometheus.exporters.shelly.group | Group under which the shelly exporter shall be run.
|
| services.prometheus.exporters.rspamd.group | Group under which the rspamd exporter shall be run.
|
| services.prometheus.exporters.tibber.group | Group under which the tibber exporter shall be run.
|
| services.prometheus.exporters.restic.group | Group under which the restic exporter shall be run.
|
| services.prometheus.exporters.statsd.group | Group under which the statsd exporter shall be run.
|
| services.prometheus.exporters.domain.group | Group under which the domain exporter shall be run.
|
| services.prometheus.exporters.pihole.group | Group under which the pihole exporter shall be run.
|
| services.sourcehut.settings."lists.sr.ht::worker".sock-group | The lmtp daemon will make the unix socket group-read/write
for users in this group.
|
| services.prometheus.exporters.nvidia-gpu.group | Group under which the nvidia-gpu exporter shall be run.
|
| services.prometheus.exporters.rtl_433.group | Group under which the rtl_433 exporter shall be run.
|
| services.prometheus.exporters.libvirt.group | Group under which the libvirt exporter shall be run.
|
| services.prometheus.exporters.bitcoin.group | Group under which the bitcoin exporter shall be run.
|
| services.prometheus.exporters.dovecot.group | Group under which the dovecot exporter shall be run.
|
| services.prometheus.exporters.sabnzbd.group | Group under which the sabnzbd exporter shall be run.
|
| services.prometheus.exporters.varnish.group | Group under which the varnish exporter shall be run.
|
| services.prometheus.exporters.klipper.group | Group under which the klipper exporter shall be run.
|
| services.prometheus.exporters.unbound.group | Group under which the unbound exporter shall be run.
|
| services.prometheus.exporters.mongodb.group | Group under which the mongodb exporter shall be run.
|
| services.prometheus.exporters.dnsmasq.group | Group under which the dnsmasq exporter shall be run.
|
| services.prometheus.exporters.ecoflow.group | Group under which the ecoflow exporter shall be run.
|
| services.prometheus.exporters.apcupsd.group | Group under which the apcupsd exporter shall be run.
|
| services.prometheus.exporters.process.group | Group under which the process exporter shall be run.
|
| services.prometheus.exporters.systemd.group | Group under which the systemd exporter shall be run.
|
| services.prometheus.exporters.py-air-control.group | Group under which the py-air-control exporter shall be run.
|
| services.prometheus.exporters.mailman3.group | Group under which the mailman3 exporter shall be run.
|
| services.prometheus.exporters.mikrotik.group | Group under which the mikrotik exporter shall be run.
|
| services.prometheus.exporters.opnsense.group | Group under which the opnsense exporter shall be run.
|
| services.prometheus.exporters.postgres.group | Group under which the postgres exporter shall be run.
|
| services.prometheus.exporters.nginxlog.group | Group under which the nginxlog exporter shall be run.
|
| services.prometheus.exporters.unpoller.group | Group under which the unpoller exporter shall be run.
|
| services.prometheus.exporters.graphite.group | Group under which the graphite exporter shall be run.
|
| services.prometheus.exporters.fritzbox.group | Group under which the fritzbox exporter shall be run.
|
| services.prometheus.exporters.smartctl.group | Group under which the smartctl exporter shall be run.
|
| services.prometheus.exporters.blackbox.group | Group under which the blackbox exporter shall be run.
|
| services.prometheus.exporters.influxdb.group | Group under which the influxdb exporter shall be run.
|
| services.prometheus.exporters.keylight.group | Group under which the keylight exporter shall be run.
|
| services.prometheus.exporters.collectd.group | Group under which the collectd exporter shall be run.
|
| services.changedetection-io.group | Group account under which changedetection-io runs.
|
| services.hologram-server.groupClassAttr | The objectclass attribute to search for groups when enableLdapRoles is true
|
| services.prometheus.exporters.imap-mailstat.group | Group under which the imap-mailstat exporter shall be run.
|
| networking.supplicant.<name>.userControlled.group | Members of this group can control wpa_supplicant.
|
| services.prometheus.exporters.borgmatic.group | Group under which the borgmatic exporter shall be run.
|
| services.prometheus.exporters.surfboard.group | Group under which the surfboard exporter shall be run.
|
| services.prometheus.exporters.rasdaemon.group | Group under which the rasdaemon exporter shall be run.
|
| services.prometheus.exporters.nextcloud.group | Group under which the nextcloud exporter shall be run.
|
| services.prometheus.exporters.smokeping.group | Group under which the smokeping exporter shall be run.
|
| services.prometheus.exporters.tailscale.group | Group under which the tailscale exporter shall be run.
|
| services.prometheus.exporters.pgbouncer.group | Group under which the pgbouncer exporter shall be run.
|
| services.prometheus.exporters.wireguard.group | Group under which the wireguard exporter shall be run.
|
| services.prometheus.exporters.junos-czerwonk.group | Group under which the junos-czerwonk exporter shall be run.
|
| services.prometheus.exporters.buildkite-agent.group | Group under which the buildkite-agent exporter shall be run.
|
| services.prometheus.exporters.storagebox.group | Group under which the storagebox exporter shall be run.
|
| services.prometheus.exporters.scaphandre.group | Group under which the scaphandre exporter shall be run.
|
| services.prometheus.exporters.exportarr-lidarr.group | Group under which the exportarr-lidarr exporter shall be run.
|
| services.prometheus.exporters.exportarr-sonarr.group | Group under which the exportarr-sonarr exporter shall be run.
|
| services.prometheus.exporters.exportarr-bazarr.group | Group under which the exportarr-bazarr exporter shall be run.
|
| services.prometheus.exporters.exportarr-radarr.group | Group under which the exportarr-radarr exporter shall be run.
|
| services.prometheus.exporters.exportarr-readarr.group | Group under which the exportarr-readarr exporter shall be run.
|
| services.prometheus.exporters.artifactory.group | Group under which the artifactory exporter shall be run.
|
| services.firezone.server.provision.accounts.<name>.policies.<name>.group | The group which should be allowed access to the given resource.
|
| services.prometheus.exporters.exportarr-prowlarr.group | Group under which the exportarr-prowlarr exporter shall be run.
|
| services.icingaweb2.groupBackends | groups.ini contents
|
| services.prometheus.exporters.modemmanager.group | Group under which the modemmanager exporter shall be run.
|
| services.bitwarden-directory-connector-cli.sync.groupPath | Group directory, relative to root.
|
| security.sudo.extraRules.*.runAs | Under which user/group the specified command is allowed to run
|
| security.tpm2.tssGroup | Group of the tpm kernel resource manager (tpmrm) device-group, set if
applyUdevRules is set.
|
| services.resilio.sharedFolders | Shared folder list
|
| services.galene.groupsDir | Web server directory.
|
| security.sudo-rs.extraRules.*.runAs | Under which user/group the specified command is allowed to run
|
| boot.initrd.systemd.groups | Groups to include in initrd.
|
| services.github-runners.<name>.user | User under which to run the service
|
| services.suricata.settings.vars.port-groups | The port group variables for suricata.
|
| hardware.sane.enable | Enable support for SANE scanners.
Users in the "scanner" group will gain access to the scanner, or the "lp" group if it's also a printer.
|
| users.extraGroups.<name>.members | The user names of the group members, added to the
/etc/group file.
|
| services.outline.user | User under which the service should run
|
| services.public-inbox.inboxes.<name>.newsgroup | NNTP group name for the inbox.
|
| security.doas.extraRules.*.groups | The groups / GIDs this rule should apply for.
|
| security.sudo.extraRules.*.groups | The groups / GIDs this rule should apply for.
|
| services.bitwarden-directory-connector-cli.sync.groupNameAttribute | Attribute for a name of group.
|
| security.sudo-rs.extraRules.*.groups | The groups / GIDs this rule should apply for.
|
| services.firezone.server.provision.accounts.<name>.groups | All groups to provision
|
| services.kanidm.provision.groups.<name>.present | Whether to ensure that this group is present or absent.
|
| services.kanidm.provision.groups.<name>.members | List of kanidm entities (persons, groups, ...) which are part of this group.
|
| services.below.cgroupFilterOut | A regexp matching the full paths of cgroups whose data shouldn't be collected
|
| services.davfs2.davGroup | The group of the running mount.davfs daemon
|
| services.multipath.devices.*.path_grouping_policy | The default path grouping policy to apply to unspecified multipaths
|
| services.bitwarden-directory-connector-cli.sync.groupFilter | LDAP filter for groups.
|
| services.postfix.setgidGroup | Name of the Postfix setgid group (for postdrop)
|
| services.ananicy.extraCgroups | Cgroups to write in 'nixCgroups.cgroups'
|
| services.suricata.settings.vars.address-groups | The address group variables for suricata, if not defined the
default value of suricata (see example) will be used
|
| services.slurm.extraCgroupConfig | Extra configuration for cgroup.conf
|
| services.bitwarden-directory-connector-cli.sync.groupObjectClass | A class that groups will have.
|
| services.oauth2-proxy.google.groups | Restrict logins to members of these Google groups.
|
| services.samba-wsdd.workgroup | Set workgroup name (default WORKGROUP).
|
| services.prosody.modules.groups | Shared roster support
|
| security.doas.extraRules.*.runAs | Which user or group the specified command is allowed to run as
|
| hardware.hackrf.enable | Enables hackrf udev rules and ensures 'plugdev' group exists
|
| services.kanidm.provision.groups | Provisioning of kanidm groups
|
| services.nsd.zones.<name>.zoneStats | When set to something distinct from null, NSD is able to collect
statistics per zone
|
| services.pgmanage.loginGroup | This tells pgmanage to only allow users in a certain PostgreSQL group to
login to pgmanage
|
| services.hardware.lcd.server.usbGroup | The group to use for settings permissions
|
| services.firezone.server.provision.accounts.<name>.groups.<name>.name | The name of this group
|
| hardware.ckb-next.gid | Limit access to the ckb daemon to a particular group.
|
| services.strongswan-swanctl.swanctl.connections.<name>.remote.<name>.groups | Authorization group memberships to require
|
| systemd.enableCgroupAccounting | Whether to enable cgroup accounting; see cgroups(7).
|
| services.kanidm.provision.groups.<name>.overwriteMembers | Whether the member list should be overwritten each time (true) or appended
(false)
|
| services.grafana.provision.alerting.rules.settings.groups.*.name | Name of the rule group
|
| users.mutableUsers | If set to true, you are free to add new users and groups to the system
with the ordinary useradd and groupadd commands
|
| services.taskserver.organisations.<name>.groups | A list of group names that belong to the organization.
|
| services.github-runners.<name>.runnerGroup | Name of the runner group to add this runner to (defaults to the default runner group)
|
| users.extraGroups.<name>.gid | The group GID
|
| services.firezone.server.provision.accounts.<name>.groups.<name>.members | The members of this group
|
| programs.wireshark.enable | Whether to add Wireshark to the global environment and create a 'wireshark'
group
|
| users.extraGroups.<name>.name | The name of the group
|
| services.grafana.provision.alerting.rules.settings.groups.*.folder | Name of the folder the rule group will be stored in
|
| services.firezone.server.provision.accounts.<name>.groups.<name>.forceMembers | Ensure that only the given members are part of this group at every server start.
|
| programs.wireshark.usbmon.enable | Whether to allow users in the 'wireshark' group to capture USB traffic
|
| programs.wireshark.dumpcap.enable | Whether to allow users in the 'wireshark' group to capture network traffic
|
| services.grafana.provision.alerting.rules.settings.groups.*.interval | Interval that the rule group should be evaluated at
|
| services.kanidm.provision.persons.<name>.groups | List of groups this person should belong to.
|
| users.users.<name>.subGidRanges.*.count | Count of subordinate group ids
|
| users.users.<name>.subGidRanges | Subordinate group ids that user is allowed to use
|
| services.prometheus.exporters.dovecot.socketPath | Path under which the stats socket is placed
|
| services.reposilite.useACMEHost | Host of an existing Let's Encrypt certificate to use for SSL
|
| users.users.<name>.autoSubUidGidRange | Automatically allocate subordinate user and group ids for this user
|
| services.diod.userdb | This option disables password/group lookups
|
| users.users.<name>.subGidRanges.*.startGid | Start of the range of subordinate group ids that user is
allowed to use.
|
| services.unbound.localControlSocketPath | When not set to null this option defines the path
at which the unbound remote control socket should be created
|
| services.suricata.settings.vars.address-groups.HOME_NET | HOME_NET variable.
|
| programs.light.enable | Whether to install Light backlight control command
and udev rules granting access to members of the "video" group.
|
| users.extraUsers.<name>.subGidRanges.*.count | Count of subordinate group ids
|
| services.kmonad.keyboards.<name>.extraGroups | Extra permission groups to attach to the KMonad instance for
this keyboard
|
| users.extraUsers.<name>.subGidRanges | Subordinate group ids that user is allowed to use
|
| hardware.brillo.enable | Whether to enable brillo in userspace
|
| users.extraUsers.<name>.autoSubUidGidRange | Automatically allocate subordinate user and group ids for this user
|
| services.suricata.settings.vars.address-groups.DNP3_SERVER | DNP3_SERVER variable.
|
| services.suricata.settings.vars.address-groups.DNP3_CLIENT | DNP3_CLIENT variable.
|
| services.jack.jackd.enable | Whether to enable JACK Audio Connection Kit
|
| hardware.i2c.enable | Whether to enable i2c devices support
|
| services.suricata.settings.vars.address-groups.ENIP_CLIENT | ENIP_CLIENT variable.
|
| services.suricata.settings.vars.address-groups.ENIP_SERVER | ENIP_SERVER variable.
|
| hardware.bladeRF.enable | Enables udev rules for BladeRF devices
|
| services.suricata.settings.vars.address-groups.DC_SERVERS | DC_SERVERS variable.
|
| services.userdbd.enable | Whether to enable the systemd JSON user/group record lookup service.
|
| services.fastnetmon-advanced.hostgroups | Hostgroups to declaratively load into FastNetMon Advanced
|
| services.suricata.settings.vars.address-groups.AIM_SERVERS | AIM_SERVERS variable.
|
| services.suricata.settings.vars.address-groups.DNS_SERVERS | DNS_SERVERS variable.
|
| services.suricata.settings.vars.address-groups.SQL_SERVERS | SQL_SERVERS variable.
|
| services.dependency-track.oidc.teams.claim | Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint
|
| services.saned.enable | Enable the saned network daemon for remote connection to scanners.
saned runs as the scanner user; to allow access to hardware that
is not owned by the scanner group, add the needed groups to this user.
|
| programs.tcpdump.enable | Whether to configure a setcap wrapper for tcpdump
|
| users.extraUsers.<name>.subGidRanges.*.startGid | Start of the range of subordinate group ids that user is
allowed to use.
|
| services.suricata.settings.vars.address-groups.SMTP_SERVERS | SMTP_SERVERS variable.
|
| services.suricata.settings.vars.address-groups.HTTP_SERVERS | HTTP_SERVERS variable.
|
| services.dovecot2.mailGroup | Default group to store mail for virtual users.
|
| security.isolate.cgRoot | Control group which subgroups are placed under
|
| services.suricata.settings.vars.address-groups.MODBUS_CLIENT | MODBUS_CLIENT variable
|
| services.suricata.settings.vars.address-groups.MODBUS_SERVER | MODBUS_SERVER variable.
|
| security.sudo.execWheelOnly | Only allow members of the wheel group to execute sudo by
setting the executable's permissions accordingly
|
| security.sudo.keepTerminfo | Whether to preserve the TERMINFO and TERMINFO_DIRS
environment variables, for root and the wheel group.
|
| systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.user | The user of the file
|
| services.suricata.settings.vars.address-groups.EXTERNAL_NET | EXTERNAL_NET variable.
|
| security.sudo-rs.execWheelOnly | Only allow members of the wheel group to execute sudo by
setting the executable's permissions accordingly
|
| hardware.glasgow.enable | Enables Glasgow udev rules and ensures 'plugdev' group exists
|
| services.bitwarden-directory-connector-cli.sync.groups | Whether to sync ldap groups into BitWarden.
|
| programs.minipro.enable | Whether to enable minipro and its udev rules
|
| users.allowNoPasswordLogin | Disable checking that at least the root user or a user in the wheel group can log in using
a password or an SSH key
|
| services.suricata.settings.vars.address-groups.TELNET_SERVERS | TELNET_SERVERS variable.
|
| programs.sedutil.enable | Whether to enable sedutil, to manage self encrypting drives that conform to the Trusted Computing Group OPAL 2.0 SSC specification.
|
| services.nginx.upstreams | Defines a group of servers to use as proxy target.
|
| users.users.<name>.isNormalUser | Indicates whether this is an account for a “real” user
|
| virtualisation.incus.enable | Whether to enable incusd, a daemon that manages containers and virtual machines
|
| programs.gphoto2.enable | Whether to configure system to use gphoto2
|
| services.couchdb.configFile | Configuration file for persisting runtime changes
|
| services.pdfding.enable | Whether to enable PdfDing service
|
| services.smokeping.user | User that runs smokeping and (optionally) thttpd
|
| services.onlyoffice.securityNonceFile | File holding nginx configuration that sets the nonce used to create secret links
|
| security.loginDefs.settings.GID_MAX | Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.
|
| security.loginDefs.settings.GID_MIN | Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.
|
| services.molly-brown.certPath | Path to TLS certificate
|
| services.timekpr.adminUsers | All listed users will become part of the timekpr group so they can manage timekpr settings without requiring sudo.
|
| services.portunus.enable | Whether to enable Portunus, a self-contained user/group management and authentication service for LDAP.
|
| services.grafana.settings.server.socket_gid | GID where the socket should be set when protocol=socket
|
| services.grafana.provision.alerting.rules.settings.groups | List of rule groups to import or update.
|
| hardware.rtl-sdr.enable | Enables rtl-sdr udev rules, ensures 'plugdev' group exists, and blacklists DVB kernel modules
|
| services.nomad.enableDocker | Enable Docker support
|
| services.traefik.supplementaryGroups | Additional groups under which Traefik runs
|
| programs.flashrom.enable | Installs flashrom and configures udev rules for programmers
used by flashrom
|
| hardware.openrazer.users | Usernames to be added to the "openrazer" group, so that they
can start and interact with the OpenRazer userspace daemon.
|
| security.loginDefs.settings.SYS_GID_MAX | Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers
|
| security.loginDefs.settings.SYS_GID_MIN | Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers
|
| services.aria2.enable | Whether or not to enable the headless Aria2 daemon service
|
| services.mailman.ldap.superUserGroup | Group that a user must be a member of to gain superuser rights.
|
| services.dependency-track.oidc.teamSynchronization | This option will ensure that team memberships for OpenID Connect users are dynamic and
synchronized with membership of OpenID Connect groups or assigned roles
|
| services.hologram-server.roleAttr | Which LDAP group attribute to search for authorized role ARNs
|
| security.sudo.defaultOptions | Options used for the default rules, granting root and the
wheel group permission to run any command as any user.
|
| networking.networkmanager.enable | Whether to use NetworkManager to obtain an IP address and other
configuration for all network interfaces that are not manually
configured
|
| boot.initrd.systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.user | The user of the file
|
| security.sudo-rs.defaultOptions | Options used for the default rules, granting root and the
wheel group permission to run any command as any user.
|
| services.dokuwiki.sites.<name>.acl.*.actor | User or group to restrict
|
| programs.mouse-actions.enable | Whether to install and set up mouse-actions and its udev rules
|
| users.extraUsers.<name>.isNormalUser | Indicates whether this is an account for a “real” user
|
| services.sourcehut.settings."hg.sr.ht".changegroup-script | A changegroup script which is installed in every mercurial repo
|
| networking.wireless.networks.<name>.priority | By default, all networks will get same priority group (0)
|
| nix.settings.trusted-users | A list of names of users that have additional rights when
connecting to the Nix daemon, such as the ability to specify
additional binary caches, or to import unsigned NARs
|
| hardware.acpilight.enable | Enable acpilight
|
| services.quickwit.dataDir | Data directory for Quickwit
|
| services.temporal.dataDir | Data directory for Temporal
|
| virtualisation.podman.dockerSocket.enable | Make the Podman socket available in place of the Docker socket, so
Docker tools can find the Podman socket
|
| services.dovecot2.createMailUser | Whether to enable automatically creating the user
given in services.dovecot.user and the group
given in services.dovecot.group.
|
| programs.corectrl.enable | Whether to enable CoreCtrl, a tool to overclock AMD graphics cards and processors
|
| hardware.sheep_net.enable | Enables sheep_net udev rules, ensures 'sheep_net' group exists, and adds
sheep-net to boot.kernelModules and boot.extraModulePackages
|
| security.run0.wheelNeedsPassword | Whether users of the wheel group must
provide a password to run commands as super user via run0.
|
| services.dependency-track.settings."alpine.oidc.teams.claim" | Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint
|
| security.sudo.wheelNeedsPassword | Whether users of the wheel group must
provide a password to run commands as super user via sudo.
|
| security.doas.wheelNeedsPassword | Whether users of the wheel group must provide a password to
run commands as super user via doas.
|
| programs.feedbackd.enable | Whether to enable the feedbackd D-BUS service and udev rules
|
| security.sudo-rs.wheelNeedsPassword | Whether users of the wheel group must
provide a password to run commands as super user via sudo.
|
| programs.mosh.withUtempter | Whether to enable libutempter for mosh
|
| programs.tmux.withUtempter | Whether to enable libutempter for tmux
|
| services.mx-puppet-discord.enable | Whether to enable mx-puppet-discord, a Discord puppeting bridge for Matrix
|
| hardware.kryoflux.enable | Enables kryoflux udev rules, ensures 'floppy' group exists
|
| services.oauth2-proxy.nginx.virtualHosts.<name>.allowed_groups | List of groups to allow access to this vhost, or null to allow all.
|
| programs.idescriptor.users | Users to be added to the idevice group.
|
| services.terraria.enable | If enabled, starts a Terraria server
|
| services.netbird.clients.<name>.bin.suffix | A system group name for this client instance.
|
| services.netbird.tunnels.<name>.bin.suffix | A system group name for this client instance.
|
| services.hardware.lcd.server.usbPermissions | Set group-write permissions on a USB device
|
| programs.soundmodem.enable | Whether to add Soundmodem to the global environment and configure a
wrapper for 'soundmodemconfig' for users in the 'soundmodem' group.
|
| services.dependency-track.settings."alpine.oidc.team.synchronization" | This option will ensure that team memberships for OpenID Connect users are dynamic and
synchronized with membership of OpenID Connect groups or assigned roles
|
| security.pam.services.<name>.requireWheel | Whether to permit root access only to members of group wheel.
|
| services.netbird.tunnels.<name>.name | Primary name for use (as a suffix) in:
- systemd service name,
- hardened user name and group,
- systemd *Directory= names,
- desktop application identification,
|
| services.netbird.clients.<name>.name | Primary name for use (as a suffix) in:
- systemd service name,
- hardened user name and group,
- systemd *Directory= names,
- desktop application identification,
|
| programs.benchexec.users | Users that intend to use BenchExec
|
| services.aria2.serviceUMask | The file mode creation mask for Aria2 service
|
| hardware.libjaylink.enable | Whether to enable udev rules for devices supported by libjaylink
|
| security.loginDefs.settings.TTYPERM | The terminal permissions: the login tty will be owned by the TTYGROUP group,
and the permissions will be set to TTYPERM
|
| security.please.wheelNeedsPassword | Whether users of the wheel group must provide a password to run
commands or edit files with please and pleaseedit respectively.
|
| hardware.keyboard.uhk.enable | Whether to enable non-root access to the firmware of UHK keyboards
|
| services.borgbackup.jobs.<name>.user | The user borg is run as
|
| services.rke2.cisHardening | Enable CIS Hardening for RKE2
|
| services.hologram-server.enableLdapRoles | Whether to assign user roles based on the user's LDAP group memberships
|
| security.pam.services.<name>.enableAppArmor | Enable support for attaching AppArmor profiles at the
user/group level, e.g., as part of a role based access
control scheme.
|
| services.beszel.agent.smartmon.enable | Include services.beszel.agent.smartmon.package in the Beszel agent path for disk monitoring and add the agent to the disk group.
|
| services.opensearch.dataDir | Data directory for OpenSearch
|
| services.borgbackup.repos.<name>.user | The user borg serve is run as
|
| services.smartdns.settings | A set that will be generated into configuration file, see the SmartDNS README for details of configuration parameters
|
| security.loginDefs.settings.TTYGROUP | The terminal permissions: the login tty will be owned by the TTYGROUP group,
and the permissions will be set to TTYPERM
|
| services.pipewire.systemWide | If true, a system-wide PipeWire service and socket is enabled
allowing all users in the "pipewire" group to use it simultaneously
|
| security.polkit.adminIdentities | Specifies which users are considered “administrators”, for those
actions that require the user to authenticate as an
administrator (i.e. have an auth_admin value)
|
| services.displayManager.lemurs.enable | Whether to enable lemurs, a customizable TUI display/login manager.
For Wayland compositors, your user must be in the "seat" group.
|
| virtualisation.virtualbox.host.enableHardening | Enable hardened VirtualBox, which ensures that only the binaries in the
system path get access to the devices exposed by the kernel modules
instead of all users in the vboxusers group.
Disabling this can put your system's security at risk, as local users
in the vboxusers group can tamper with the VirtualBox device files.
|
| services.firezone.gui-client.allowedUsers | All listed users will become part of the firezone-client group so
they can control the tunnel service
|
| services.nebula-lighthouse-service.user | The user and group to run nebula-lighthouse-service as.
|
| services.authelia.instances.<name>.name | Name is used as a suffix for the service name, user, and group
|
| services.multipath.devices.*.failback | Tell multipathd how to manage path group failback
|
| services.glusterfs.killMode | The systemd KillMode to use for glusterd.
glusterd spawns other daemons like gsyncd
|
| services.nominatim.database.superUser | Postgresql database superuser used to create Nominatim database and
import data
|
| security.googleOsLogin.enable | Whether to enable Google OS Login
|
| programs.firefox.policies | Group policies to install
|
| services.dnsdist.dnscrypt.providerKey | The filepath to the provider secret key
|
| services.lifecycled.cloudwatchGroup | Write logs to a specific Cloudwatch Logs group.
|
| programs.thunderbird.policies | Group policies to install
|
| services.roundcube.database.username | Username for the postgresql connection
|
| services.aria2.downloadDirPermission | The permission for settings.dir
|
| services.openssh.authorizedKeysCommand | Specifies a program to be used to look up the user's public
keys
|
| services.prometheus.scrapeConfigs.*.triton_sd_configs.*.groups | A list of groups for which targets are retrieved, only supported when targeting the container role
|
| services.pulseaudio.systemWide | If false, a PulseAudio server is launched automatically for
each user that tries to use the sound system
|
| services.kubo.settings.Addresses.API | Multiaddr or array of multiaddrs describing the address to serve the local HTTP API on
|
| services.multipath.devices.*.rr_min_io | Number of I/O requests to route to a path before switching to the next in the
same path group
|
| services.varnish.listen.*.address | If given an IP address, it can be a host name ("localhost"), an IPv4 dotted-quad
("127.0.0.1") or an IPv6 address enclosed in square brackets ("[::1]").
(VCL4.1 and higher) If given an absolute Path ("/path/to/listen.sock") or "@"
followed by the name of an abstract socket ("@myvarnishd") accept connections
on a Unix domain socket
|
| security.pam.services.<name>.allowNullPassword | Whether to allow logging into accounts that have no password
set (i.e., have an empty password field in /etc/passwd or /etc/group)
|
| services.transmission.enable | Whether to enable the headless Transmission BitTorrent daemon
|
| virtualisation.docker.enable | This option enables docker, a daemon that manages
linux containers
|
| virtualisation.lxd.enable | This option enables lxd, a daemon that manages
containers
|
| virtualisation.kvmgt.enable | Whether to enable KVMGT (iGVT-g) VGPU support
|
| services.matrix-continuwuity.settings.global.unix_socket_path | Listen on a UNIX socket at the specified path
|
| services.anuko-time-tracker.settings.defaultLanguage | Defines Anuko Time Tracker default language
|
| services.journald.upload.settings.Upload.ServerKeyFile | SSL key in PEM format
|
| services.postfixadmin.database.username | Username for the postgresql connection
|
| networking.wireless.userControlled | Allow users of the wpa_supplicant group to control wpa_supplicant
through wpa_gui or wpa_cli
|
| virtualisation.libvirtd.enable | This option enables libvirtd, a daemon that manages
virtual machines
|
| services.archisteamfarm.ipcPasswordFile | Path to a file containing the password
|
| services.multipath.devices.*.rr_min_io_rq | Number of I/O requests to route to a path before switching to the next in the
same path group
|
| services.firezone.server.provision.accounts.<name>.relayGroups | All relay groups to provision
|
| services.firezone.server.provision.accounts.<name>.relayGroups.<name>.name | The name of this relay group
|
| virtualisation.virtualbox.host.enable | Whether to enable VirtualBox.
In order to pass USB devices from the host to the guests, the user
needs to be in the vboxusers group.
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
- CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14: rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.firezone.server.provision.accounts.<name>.gatewayGroups | All gateway groups (sites) to provision
|
| services.bitwarden-directory-connector-cli.sync.removeDisabled | Remove users from bitwarden groups if no longer in the ldap group.
|
| services.keepalived.vrrpInstances.<name>.unicastPeers | Do not send VRRP adverts over VRRP multicast group
|
| services.netbird.clients | Attribute set of NetBird client daemons, by default each one will:
- be manageable using dedicated tooling:
netbird-<name> script,
NetBird - netbird-<name> graphical interface when appropriate (see ui.enable),
- run as a netbird-<name>.service,
- listen for incoming remote connections on the port 51820 (openFirewall by default),
- manage the netbird-<name> wireguard interface,
- use the /var/lib/netbird-/config.json configuration file,
- override /var/lib/netbird-/config.json with values from /etc/netbird-/config.d/*.json,
- (hardened) be locally manageable by netbird-<name> system group,
With following caveats:
- multiple daemons will interfere with each other's DNS resolution of netbird.cloud, but
should remain fully operational otherwise
|
| services.firezone.server.provision.accounts.<name>.gatewayGroups.<name>.name | The name of this gateway group
|
| services.archisteamfarm.bots.<name>.passwordFile | Path to a file containing the password
|
| services.kanidm.unixSettings.pam_allowed_login_groups | Kanidm groups that are allowed to login using PAM.
|
| services.bitwarden-directory-connector-cli.sync.memberAttribute | Attribute that lists members in a LDAP group.
|
| services.kanidm.unix.settings.kanidm.pam_allowed_login_groups | Kanidm groups that are allowed to login using PAM.
|
| services.librenms.distributedPoller.distributedBilling | Enable distributed billing on this poller
|
| services.prometheus.scrapeConfigs.*.static_configs.*.targets | The targets specified by the target group.
|
| services.transmission.downloadDirPermissions | If not null, is used as the permissions
set by system.activationScripts.transmission-daemon
on the directories services.transmission.settings.download-dir,
services.transmission.settings.incomplete-dir,
and services.transmission.settings.watch-dir
|
| services.matrix-tuwunel.settings.global.unix_socket_path | Listen on a UNIX socket at the specified path
|
| services.prometheus.scrapeConfigs.*.uyuni_sd_configs.*.separator | The string by which Uyuni group names are joined into the groups label.
Defaults to "," in prometheus when set to null.
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_time | Time to schedule CHILD_SA rekeying
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_bytes | Number of bytes processed before initiating CHILD_SA rekeying
|
| services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.rekey_packets | Number of packets processed before initiating CHILD_SA rekeying
|
| services.sogo.enable | Whether to enable SOGo groupware.
|
| systemd.sysusers.enable | If enabled, users are created with systemd-sysusers instead of with
the custom update-users-groups.pl script
|
| services.usbguard.IPCAllowedGroups | A list of groupnames that the daemon will accept IPC connections
from.
|
| security.pam.loginLimits.*.domain | Username, groupname, or wildcard this limit applies to
|
| security.pam.services.<name>.limits.*.domain | Username, groupname, or wildcard this limit applies to
|
| services.nsd.ratelimit.ipv4PrefixLength | IPv4 prefix length
|
| services.nsd.ratelimit.ipv6PrefixLength | IPv6 prefix length
|
| virtualisation.oci-containers.containers.<name>.user | Override the username or UID (and optionally groupname or GID) used
in the container.
|
| services.netbird.server.management.singleAccountModeDomain | Enables single account mode
|
| users.users.<name>.extraGroups | The user's auxiliary groups.
|
| users.extraUsers.<name>.extraGroups | The user's auxiliary groups.
|
| services.mympd.extraGroups | Additional groups for the systemd service.
|
| services.postgresql.systemCallFilter.<name>.priority | Set the priority of the system call filter setting
|
| services.pghero.extraGroups | Additional groups for the systemd service.
|
| services.tomcat.extraGroups | Defines extra groups to which the tomcat user belongs.
|
| services.gocd-agent.extraGroups | List of extra groups that the "gocd-agent" user should be a part of.
|
| services.postgresql.systemCallFilter | Configures the syscall filter for postgresql.service
|
| services.polaris.extraGroups | Polaris' auxiliary groups.
|
| services.code-server.extraGroups | An array of additional groups for the code-server user.
|
| services.jenkins.extraGroups | List of extra groups that the "jenkins" user should be a part of.
|
| services.gocd-server.extraGroups | List of extra groups that the "gocd-server" user should be a part of.
|
| services.nagios.objectDefs | A list of Nagios object configuration files that must define
the hosts, host groups, services and contacts for the
network that you want Nagios to monitor.
|
| users.enforceIdUniqueness | Whether to require that no two users/groups share the same uid/gid.
|
| services.multipath.pathGroups | This option allows you to define multipath groups as described
in http://christophe.varoqui.free.fr/usage.html.
|
| services.logcheck.extraGroups | Extra groups for the logcheck user, for example to be able to use sendmail,
or to access certain log files.
|
| services.multipath.devices | This option allows you to define arrays for use in multipath
groups.
|
| nix.settings.allowed-users | A list of names of users (separated by whitespace) that are
allowed to connect to the Nix daemon
|
| services.portunus.seedSettings | Seed settings for users and groups
|
| services.buildbot-master.extraGroups | List of extra groups that the buildbot user should be a part of.
|
| services.buildbot-worker.extraGroups | List of extra groups that the Buildbot Worker user should be a part of.
|
| services.centrifugo.extraGroups | Additional groups for the systemd service.
|
| security.pam.loginLimits | Define resource limits that should apply to users or groups
|
| services.collabora-online.aliasGroups | Alias groups to use.
|
| services.kanidm.provision.enable | Whether to enable provisioning of groups, users and oauth2 resource servers.
|
| services.synapse-auto-compressor.settings.chunk_size | The number of state groups to work on at once
|
| services.buildkite-agents.<name>.extraGroups | Groups the user for this buildkite agent should belong to
|
| services.snapper.configs.<name>.ALLOW_GROUPS | List of groups allowed to operate with the config
|
| services.pufferpanel.extraGroups | Additional groups for the systemd service.
|
| services.openssh.settings.AllowGroups | If specified, login is allowed only for users part of the
listed groups
|
| services.openssh.settings.DenyGroups | If specified, login is denied for all users part of the listed
groups
|
| services.openvscode-server.extraGroups | An array of additional groups for the openvscode-server user.
|
| services.kanidm.provision.extraJsonFile | A JSON file for provisioning persons, groups & systems
|
| services.woodpecker-agents.agents.<name>.extraGroups | Additional groups for the systemd service.
|
| services.scrutiny.collector.settings.host.id | Host ID for identifying/labelling groups of disks
|
| services.anuko-time-tracker.settings.multiorgMode | Defines whether users see the Register option in the menu of Time Tracker that allows them
to self-register and create new organizations (top groups).
|
| services.crab-hole.supplementaryGroups | Adds additional groups to the crab-hole service
|
| services.kanidm.provision.systems.oauth2.<name>.scopeMaps | Maps kanidm groups to returned oauth scopes
|
| services.vdirsyncer.jobs.<name>.additionalGroups | Additional groups to add the dynamic user to
|
| services.anuko-time-tracker.settings.defaultCurrency | Defines a default currency symbol for new groups
|
| services.thanos.compact.compact.concurrency | Number of goroutines to use when compacting groups
|
| services.kanidm.provision.systems.oauth2.<name>.claimMaps | Adds additional claims (and values) based on which kanidm groups an authenticating party belongs to
|
| services.taskserver.organisations | An attribute set where the keys name the organisation and the values
are a set of lists of users and
groups.
|
| services.bitwarden-directory-connector-cli.sync.largeImport | Enable if you are syncing more than 2000 users/groups.
|
| services.kanidm.provision.systems.oauth2.<name>.claimMaps.<name>.valuesByGroup | Maps kanidm groups to values for the claim.
|
| services.prometheus.scrapeConfigs.*.static_configs | List of labeled target groups for this job.
|
| services.bitwarden-directory-connector-cli.sync.overwriteExisting | Remove and re-add users/groups. See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.
|
| services.firezone.server.provision.accounts.<name>.resources.<name>.gatewayGroups | A list of gateway groups (sites) which can reach the resource and may be used to connect to it.
|
| services.kanidm.provision.systems.oauth2.<name>.supplementaryScopeMaps | Maps kanidm groups to additionally returned oauth scopes
|
| services.prometheus.scrapeConfigs.*.file_sd_configs.*.files | Patterns for files from which target groups are extracted
|