A list of names of users that have additional rights when connecting to the Nix daemon, such as the ability to specify additional binary caches, or to import unsigned NARs

Whether to add nix-ssh to the nix.settings.trusted-users

A list of names of users (separated by whitespace) that are allowed to connect to the Nix daemon

The username to log in as on the remote host

Additional user accounts to be created automatically by the system

Message of the day shown to users when they log in.

The user's home directory.

The account UID

A file containing the message of the day shown to users when they log in.

The user's primary group.

The name of the user account

List of public keys used to sign binary caches

Additional groups to be created automatically by the system.

Users that can access upsd

Alias of users.users.

If set to false, the user account will not be created

The path to the user's shell

The user's auxiliary groups.

The user's home directory mode in numeric format

Attributes for user's entry in pam_mount.conf.xml

Path to encrypted luks device that contains the user's home directory.

Settings for pam_mysql

Whether to create the home directory and ensure ownership as well as permissions to match the user.

The distinguished name of the search base.

The set of packages that should be made available to the user

Subordinate user ids that user is allowed to use

Subordinate group ids that user is allowed to use

Indicates if the user is a system user or not

Alias of users.groups.

Count of subordinate user ids

Count of subordinate group ids

Automatically allocate subordinate user and group ids for this user

The default home directory for normal users.

The hostname of the MySQL/MariaDB server

The username to use when connecting to the database

If true, the user's shell will be set to users.defaultUserShell.

Indicates whether this is an account for a “real” user

Start of the range of subordinate group ids that user is allowed to use.

Start of the range of subordinate user ids that user is allowed to use.

If enabled (the default), Nix will only download binaries from binary caches if they are cryptographically signed with any of the keys listed in nix.settings.trusted-public-keys

The URL of the LDAP server.

Whether to include authentication against LDAP in login PAM.

Set the date on which the user's account will no longer be accessible

Settings for libnss-mysql

Whether to enable authentication against an LDAP server.

Additional criteria for the query.

Whether to enable or disable lingering for this user

If enabled, use TLS (encryption) over an LDAP (port 389) connection

The name of table that maps unique login names to the passwords.

Whether to enable authentication against a MySQL/MariaDB database.

The name of the database containing the users

The group GID

Whether to manage whether users linger or not.

Users to include in initrd.

The user's home directory.

Specifies the time limit (in seconds) to use when performing searches

The name of the group

The account UID

The user's primary group.

A short description of the user account, typically the user's full name

By default, nixos will check that programs

The name of the column that contains a unix login name.

The name of the user account

To enable stylus and multi-touch support, the user you're going to use must be added to this list

Whether to include lookup against LDAP in NSS.

The group GID

Specifies the time limit (in seconds) to use when connecting to the directory server

Add the necessary actions for a upsmon process to work

The name of the group

If enabled, produces logs with detailed messages that describes what pam_mysql is doing

This option defines the default shell assigned to user accounts

Indicates if the user is a system user or not

Users that intend to use BenchExec

Whether to require that no two users/groups share the same uid/gid.

SQL query for the getspnam syscall.

SQL query for the getgrent syscall.

SQL query for the getspent syscall.

SQL query for the getgrgid syscall.

SQL query for the getgrnam syscall.

SQL query for the getpwuid syscall.

SQL query for the getpwnam syscall.

SQL query for the getpwent syscall.

NNTP-Proxy user configuration

The name of the table used for password alteration

The name of the table to which logs are written.

The set of packages that should be made available to the user

Maximum number of concurrent clients allowed.

The path to the file containing the password for the user

User accounts for GRUB

Allow the user to do certain things with upsd

The default encryption method to use for passwordCrypt = 1.

The user names of the group members, added to the /etc/group file.

Extra configuration options that will be added verbatim at the end of the ldap configuration file (ldap.conf(5))

Disable checking that at least the root user or a user in the wheel group can log in using a password or an SSH key

If set to false, the user account will not be created

The path to the user's shell

The user's auxiliary groups.

If set to true, you are free to add new users and groups to the system with the ordinary useradd and groupadd commands

The user's home directory mode in numeric format

Attributes for user's entry in pam_mount.conf.xml

Path to encrypted luks device that contains the user's home directory.

ID of the user in initrd.

Whether to create the home directory and ensure ownership as well as permissions to match the user.

Enables logging of authentication attempts in the MySQL database.

The path to a file containing the credentials to use when binding to the LDAP server (if not binding anonymously).

SQL query for the memsbygid syscall.

SQL query for the gidsbymem syscall.

Specifies the clear text password for the account

Indicates whether this is an account for a “real” user

Extra configuration options that will be added verbatim at the end of the nslcd configuration file (nslcd.conf(5)).

Load users and passwords from this file

List of UIDs of all users for which this application is allowed location info access, Defaults to an empty string to allow it for all users.

The usernames / UIDs this rule should apply for.

The usernames / UIDs this rule should apply for.

Subordinate user ids that user is allowed to use

Subordinate group ids that user is allowed to use

A list of verbatim OpenSSH public keys that should be added to the user's authorized keys

A list of files each containing one OpenSSH public key that should be added to the user's authorized keys

The name of the column in the log table to which the description of the performed operation is stored.

The user names of the group members, added to the /etc/group file.

The usernames / UIDs this rule should apply for.

Count of subordinate user ids

Count of subordinate group ids

Automatically allocate subordinate user and group ids for this user

List of user-password pairs to provide to the sync server.

Group the user belongs to in initrd.

The path to the user's shell in initrd.

The name of the column that contains a (encrypted) password string.

The name of the column in the log table to which the timestamp of the log entry is stored.

The name of the column in the log table to which the name of the user being authenticated is stored.

The name of the column in the log table to which the name of the user being authenticated is stored.

The name of the column in the log table to which the pid of the process utilising the pam_mysql authentication service is stored.

List of users granted permission to use CrossMacro.

A list of verbatim principal names that should be added to the user's authorized principals.

If true, the user's shell will be set to users.defaultUserShell.

Per-user rules for creation, deletion and cleaning of volatile and temporary files automatically.

The full path to a file that contains the user's (clear text) password

Specifies the policy to use for reconnecting to an unavailable LDAP server

Start of the range of subordinate group ids that user is allowed to use.

Start of the range of subordinate user ids that user is allowed to use.

Let the user initiate specific instant commands

Whether to enable or disable lingering for this user

List of users, use empty list for any.

This is a comma-separated list of usernames

Specifies the password hash for the account, generated with grub-mkpasswd-pbkdf2

Users to be added to the idevice group.

Optional

The name of the column in the log table to which the name of the remote host that initiates the session is stored

Set the date on which the user's account will no longer be accessible

Path to a custom home page

RPC user information for JSON-RPC connections.

Whether to let the nslcd daemon (nss-pam-ldapd) handle the LDAP lookups for NSS and PAM

Location of the dokuwiki users file

List of users who are denied to login via Samba.

Usernames to be added to the "openrazer" group, so that they can start and interact with the OpenRazer userspace daemon.

If enabled, users are created with systemd-sysusers instead of with the custom update-users-groups.pl script

Set the path to file where the user's credentials are stored

List of binary cache URLs that non-root users can use (in addition to those specified using nix.settings.substituters) by passing --option binary-caches to Nix commands.

Username

Users to provision.

Specifies the (clear text) password for the user

Password accepted by anki-sync-server for the associated username. WARNING: This option is not secure

Set to false to prohibit users from being able to sign up / create user accounts

Username for JSON-RPC connections.

A set of users and their passwords and ACLs.

Allowed users and their secrets

The name of the column or an SQL expression that indicates the status of the user

Specifies the path to a file containing the clear text password for the account

Per-user rules for creation, deletion and cleaning of volatile and temporary files automatically

User name accepted by anki-sync-server.

The distinguished name to use to bind to the LDAP server when the root user tries to modify a user's password.

Text used as placeholder text on login page for login/username input.

SHA-512 password hash (can be generated by mkpasswd -m sha-512 <password>)

The path to a file containing the credentials with which to bind to the LDAP server if the root user tries to change a user's password.

The full path to a file that contains the hash of the user's password

A short description of the user account, typically the user's full name

By default, nixos will check that programs

Specifies the path to a file containing the password hash for the account, generated with grub-mkpasswd-pbkdf2

File containing the password accepted by anki-sync-server for the associated username

Number of nixbld user accounts created to perform secure concurrent builds

Specifies the initial password for the user, i.e. the password assigned if the user does not already exist

Set to true to automatically add new users to the main organization (id 1)

Specifies the hashed password for the user

Whether to periodically update the list of LoTW users

The distinguished name to bind to the LDAP server with

If enabled, virtual users will use the same privileges as local users

Sync users.

Whether to enable new users to login if auth is enabled.

Ensures that the specified users exist and have at least the ensured permissions

Maximum number of concurrent connections to the proxy for this user

Control client access to topics on the broker.

The method to encrypt the user's password:

• 0 (or "plain"): No encryption

Text used as placeholder text on login page for password input.

Sets the default UI theme. system matches the user's system theme.

Set to false to prohibit users from creating new organizations.

Password HMAC-SHA-256 for JSON-RPC connections

By default, pam_mysql keeps the connection to the MySQL database until the session is closed

Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist

Per-user Pareto Security configuration.

Whether to ensure that this user is present or absent.

A list of verbatim OpenSSH public keys that should be added to the user's authorized keys

A list of files each containing one OpenSSH public key that should be added to the user's authorized keys

Your users.yaml as a Nix attribute set

Specifies the (clear text) password for the MQTT User.

This tells pgmanage whether or not to only allow super users to login

A list of verbatim principal names that should be added to the user's authorized principals.

Set this value to automatically add new users to the provided org

Password for the user

This setting configures the default UI language, which must be a supported IETF language tag, such as en-US.

Viewers can access and use Explore and perform temporary edits on panels in dashboards they have access to

Specification (in the format described by systemd.time(7)) of the time at which the LoTW user update will occur.

Specifies the path to a file containing the clear text password for the MQTT user

Users allowed to use incrontab

A unique ID that links the agent to Pareto Cloud

Specifies the hashed password for the MQTT User

A list of user names that belong to the organization.

The role new users will be assigned for the main organization (if the auto_assign_org setting is set to true).

Specifies the (clear text) password for the user

Specifies the path to a file containing the hashed password for the MQTT user

Users allowed to authenticate even if not in allowedDomains.

Maximum number of concurrent clients allowed.

Ensures that the specified users exist

List of plugins to load automatically for all users

Choose users database file to use for authentication

Users forbidden from using fcron.

Require email validation before sign up completes.

The full path to a file that contains the hash of the user's password

Grant access to i2c devices (/dev/i2c-*) to users in this group.

Specifies the initial password for the user, i.e. the password assigned if the user does not already exist

Specifies the hashed password for the user

Users forbidden from using incrontab.

Whether to add Wireshark to the global environment and create a 'wireshark' group

Group that users must be in to use cdemu.

Your role in Tor network

Allow users to block communications with other users

Whether the config should be checked at build time

Set the maximum number of FUSE mounts allowed to non-root users.

Whether to allow users in the 'wireshark' group to capture USB traffic

The Google Admin to impersonate for API calls

Whether to allow users in the 'wireshark' group to capture network traffic

Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an auth_admin value)

Whether users can log in with passwords defined in /etc/shadow.

Users allowed to use fcrontab and fcrondyn (one name per line, all for everyone).

Whether to enable presence tracking

Defines the mapping from system users to database users

Range of user IDs used for the creation of regular users by useradd or newusers.

Range of user IDs used for the creation of regular users by useradd or newusers.

Number of Guix build users to be used in the build pool.

Name of the group members of which will be allowed to create usershares

Whether to enable the sudo command, which allows non-root users to execute commands as root.

Whether to enable the doas command, which allows non-root users to execute commands as root.

Whether to enable user-configurable Samba shares.

Specifies the initial hashed password for the user, i.e. the hashed password assigned if the user does not already exist

Range of user IDs used for the creation of system users by useradd or newusers.

Range of user IDs used for the creation of system users by useradd or newusers.

Only applies if enableVirtualUsers is true

List of shells which binaries should be installed to /bin/

Group which users must be in to use ydotool.

Chat with users in the same room.

The resolved shell path that users can inherit to set rush as their login shell

Whether to enable FTP for local users.

Enable support for SANE scanners.

SMTP host used when sending emails to users.

SMTP port used when sending emails to users.

Whether to enable a memory-safe implementation of the sudo command, which allows non-root users to execute commands as root .

A list of users allowed to access the ifp dbus interface.

User to use when no root privileges are required

Check readiness of users.

Whether to enable i2c devices support

Whether to enable brillo in userspace

Enables P11 PAM (pam_p11) module

Allow non-root users to specify the allow_other or allow_root mount options, see mount.fuse3(8).

Allow authentication modules to auto-create users in tt-rss internal database when authenticated successfully.

Whether to enable Ombi, a web application that automatically gives your shared Plex or Emby users the ability to request content by themselves!

Optionally see https://docs.ombi.app/info/reverse-proxy on how to set up a reverse proxy .

Whether any write activity is permitted to users.

Enables udev rules for BladeRF devices

Whether to enable please, a Sudo clone which allows a users to execute a command or edit a file as another user .

The bare JID of the gateway administrator

Allow all users to access the FUSE mount points

Whether to enable pmount, a tool that allows normal users to mount removable devices without requiring root privileges .

Gives the verbosity level that is used when logging messages from sshd(8)

Only monitors owned symbolic link target of GC roots.

• "auto": behaves like true for normal users, false for root.
• "true": only monitor GC roots owned by the current user.
• "false": monitor all GC roots.

Whether to enable the Howdy PAM module

Whether to enable the dp9ik pam module provided by tlsclient

If specified, login is denied for all listed users

If specified, login is allowed only for the listed users

List of administrator users

SMTP host used when sending emails to users.

SMTP port used when sending emails to users.

SMTP host used when sending emails to users.

SMTP port used when sending emails to users.

The list of the email addresses of the listmasters (users authorized to perform global server commands).

Default user to store mail for virtual users.

List of public signing keys of users that can access the admin panel

Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly

Defines how users authenticate themselves to the server

Name of the group used to run the jupyter service

Automatically login user on remote or other kind of externally supplied authentication, otherwise redirect to login form as normal

Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly

Path to text to display when users join

Path to a json file containing users and folders to load (or update) on startup

If specified, login is denied for all users part of the listed groups

Store messages in an archive and allow users to access it

If specified, login is allowed only for users part of the listed groups

Send a message to users when they log in

Whether to enable minipro and its udev rules

Default group to store mail for virtual users.

The group of the running mount.davfs daemon

If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern lists

Operate in single user mode, disables all functionality related to multiple users and authentication

Enables users to publish their mood, activity, playing music and more

Remap all users to "nobody"

The location for users to install Drupal themes.

When true, any user will be able to register

Text to display when users join

Allow users to set vCards

All listed users will become part of the timekpr group so they can manage timekpr settings without requiring sudo.

Kea DHCP4 configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/dhcp4-srv.html

Kea DHCP6 configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/dhcp6-srv.html

Kea DHCP-DDNS configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/ddns.html

Whether to enable incusd, a daemon that manages containers and virtual machines

Allow users of the wpa_supplicant group to control wpa_supplicant through wpa_gui or wpa_cli

The default realm to be used for the users when no explicit origin/realm relationship was found in the database, or if the TURN server is not using any database (just the commands-line settings and the userdb file)

This option is opposite to lt-cred-mech. (TURN Server with no-auth option allows anonymous access)

Installs flashrom and configures udev rules for programmers used by flashrom

How users are authenticated storage -- save passwords internally pam -- Linux PAM authentication

Whether to prevent sign-up of new users via the web UI

Allow users to have a roster

Which user or group the specified command is allowed to run as

The base DN for your Hologram users

Outgoing email for notifications generated by users.

This is the URL that users will enter to load your instance

The location for users to install Drupal modules.

Whether users are included.

Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli

Kea Control Agent configuration as a path, see https://kea.readthedocs.io/en/kea-3.0.2/arm/agent.html

When this option is not 0, users ability to control feed purging intervals is disabled and all articles (which are not starred) older than this amount of days are purged.

Enables Kerberos PAM modules (pam-krb5, pam-ccreds)

Enables Yubico PAM (yubico-pam) module

Use chfn SUID to allow non-root users to change their account GECOS information.

Whether to enable zeitgeist, a service which logs the users' activities and events.

Only applies if sslEnable is true

Whether or not to enable the headless Aria2 daemon service

Whether to install and set up mouse-actions and it's udev rules

Outgoing email for notifications generated by users.

Whether to enable nonpaying users to submit builds.

The lmtp daemon will make the unix socket group-read/write for users in this group.

Configures the user domain, if enabled

If set, the pam_mysql module will be used to authenticate users against a MySQL/MariaDB database.

Enable acpilight

"From" address used when sending emails to users.

"From" address used when sending Emails to users.

Welcome users who register accounts

Whether to enable tailscale.nginx-auth, to authenticate users via tailscale.

Whether to try to create home directories for users with $HOMEs pointing to nonexistent locations on session login.

Only applies if sslEnable is true

If enabled, spacecookie will hide personal information of users like IP addresses from log output.

Whether users of the wheel group must provide a password to run commands as super user via sudo.

Whether users of the wheel group must provide a password to run commands as super user via doas.

This controls the hostname for the 9front authentication server that users will be authenticated against.

Path to the working directory (used for config and pidfile)

Allow normal users to control wpa_supplicant through wpa_gui or wpa_cli

Whether users of the wheel group must provide a password to run commands as super user via sudo.

Do we ignore the lid state

Some laptops are broken

This tells pgmanage to only allow users in a certain PostgreSQL group to login to pgmanage

Whether to enable API access for mobile apps and third-party clients (Google Reader API and Fever API)

Specifies if mapped OpenID Connect accounts are automatically created upon successful authentication

The following authentication modes are available: Open -- Accept connections from anyone, use NickServ for user authentication

Enable or disable TTY auditing for specified users

If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.

If enabled, starts a Terraria server

Whether users of the wheel group must provide a password to run commands as super user via run0.

Seed settings for users and groups

A list of users which will not be shown in the display manager.

Defines whether users see the Register option in the menu of Time Tracker that allows them to self-register and create new organizations (top groups).

Define resource limits that should apply to users or groups

The lmtp daemon will make the unix socket group-read/write for users in this group.

Window class translation rules. /etc/X11/imwheelrc is generated based on this config which means this config is global for all users

Send announcement to all online users

Number of daemons to serve user requests

Whether to enable provisioning of groups, users and oauth2 resource servers.

Whether to enable non-root access to the firmware of UHK keyboards

Whether to add Soundmodem to the global environment and configure a wrapper for 'soundmodemconfig' for users in the 'soundmodem' group.

Font packages to use in Steam

Whether to enable tailscale.nginx-auth, to authenticate nginx users via tailscale.

File containing a secret used to salt the users' password hashes and generate filenames for static content.

If set, users listed in $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if XDG variable is not set) are able to log in with the associated U2F key

Allow users to register on this server using a client and change passwords

Whether to enable udev rules for devices supported by libjaylink

Whether users of the wheel group must provide a password to run commands or edit files with please and pleaseedit respectively.

Install the SPICE USB redirection helper with setuid privileges

If set, users with an SSH certificate containing an authorized principal in their SSH agent are able to log in

Whether any uploads are permitted to anonymous users.

Newline separated list of names to be allowed/denied if userlistEnable is true

Whether to enable the Howdy PAM module

Users and proxy configuration

Refer to the Tuliprox documentation for available attributes

Launch Hyprland with the UWSM (Universal Wayland Session Manager) session manager

Initial preferences are used to configure the browser for the first run

Enable font antialiasing

List of users allowed to operate with the config. "root" is always implicitly included

Specifies if mapped OpenID Connect accounts are automatically created upon successful authentication

Whether to enable exposing OpenSSH public keys defined in userdb

A file containing the secret used to encrypt session keys

If true, a system-wide PipeWire service and socket is enabled allowing all users in the "pipewire" group to use it simultaneously

Whether to allow registration of new admin users.

Whether local users are confined to their home directory.

Whether any uploads are permitted to anonymous users.

Sets transmission's file mode creation mask

Make your The Lounge instance public

The duration in time a user invitation remains valid before expiring

A file containing the secret used to encrypt secrets for OTP tokens

Do minification on public static files which reduces the size of assets — saving data for the server & users as well as offering a performance improvement

An attribute set that maps aliases (the top level attribute names in this option) to command strings or directly to build outputs

Enables U2F PAM (pam-u2f) module

Whether new users can register on this server

All listed users will become part of the firezone-client group so they can control the tunnel service

List of reporter objects used to present build status to various users.

Whether to enable System bus notification support

WARNING: enabling this option (while convenient) should not be done on a machine where you do not trust the other users as it allows any other local user to DoS your session by spamming notifications .

Set this option to true to enable HTTP compression, this can improve transfer speed and bandwidth utilization

Path to the configuration file containing authorized users credentials to run iperf tests.

This option will ensure that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles

Enable hardened VirtualBox, which ensures that only the binaries in the system path get access to the devices exposed by the kernel modules instead of all users in the vboxusers group.

Enable font hinting

If set, shows a contact email address when rendering error pages

Maximum number of client connections allowed

Maximum amount of users which will be allowed to register on this system. 0 - no limit.

The hosts.hfaxd file entry in the spooling area will be symlinked to the location given here

Makes user-profiles globally available under nextcloud.tld/u/user.name

Paths to the Nix profile

A list of paths that should be included in the system closure but generally not visible to users

If set, shows a contact email address when rendering error pages

Whether to generate the password files at build time and store them directly in the system closure, without requiring any services at boot time

Defines one or more team names that auto-provisioned OIDC users shall be added to

Don't allow users to connect in non-secure mode (without random padding).

Path to a file containing extra ntfy environment variables in the systemd EnvironmentFile format

Frontend configuration

Name of the remote read config, which if specified must be unique among remote read configs

Specify SSH host keys to import into the initrd

This is optional and is by default off, because most users will not need it

Where to redirect new users upon registration.

A list of users who should be able to integrate 1Password with polkit-based authentication mechanisms.

Name of the remote write config, which if specified must be unique among remote write configs

SFTP private key file

Whether new users can register on this server

JSON file containing secret keys

When not set to null this option defines the path at which the unbound remote control socket should be created at

FreeType LCD filter

The set of packages that appear in /run/current-system/sw

Whether to open the default ports in the firewall: TCP/UDP 22000 for transfers and UDP 21027 for discovery

This option will ensure that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles

The channel in which users will appear in when connecting.

If you want to prevent node sharing from allowing users to access services across tailnets, declare your expected tailnets domain here.

If false, a PulseAudio server is launched automatically for each user that tries to use the sound system

Allow users to register themselves

Whether to enable the dummy "startx" pseudo-display manager, which allows users to start X manually via the startx command from a virtual terminal.

Deactivates analytics

The permission for settings.dir

List of accepted local users

When disabled, unprivileged users will not be able to create new namespaces

This is optional and is by default off, because most users will not need it

Defines one or more team names that auto-provisioned OIDC users shall be added to

Converts users profiles and Avatars between old and new formats

Whether to use binary caches for downloading store paths

The manual pages to generate caches for if documentation.man.generateCaches is enabled

Whether all users can write to the consumption dir.

Source of truth of users

Whenever to send wall notifications to all users.

Whether to enable the headless Transmission BitTorrent daemon

Authentication type

Push notifications to inform users of new messages or other pertinent information even when they have no XMPP clients online

The base URL of the API server

Diffie-Hellman parameters to generate

This option enables docker, a daemon that manages linux containers

This option enables lxd, a daemon that manages containers

Exposes EDID files from users-sourced database at https://github.com/linuxhw/EDID

Attribute names will be mapped to EDID filenames <NAME>.bin

Whether to enable the "sx" pseudo-display manager, which allows users to start manually via the "sx" command from a vt shell

Set of default packages that aren't strictly necessary for a running system, entries can be removed for a more minimal NixOS installation

Identity the EAP/XAuth secret belongs to

Identity the NTLM secret belongs to

All actors (users) to provision

Whether to enable KVMGT (iGVT-g) VGPU support

Whether to enable registration for new users.

LDAP filter for users.

If set, all recipients to users at either "localhost" (the literal string) or the canonical host name (from the me control attribute) are remapped to this address

Identity the EAP/XAuth secret belongs to

A boolean that controls whether site visitors can create new accounts

This option enables libvirtd, a daemon that manages virtual machines

The XEP-0423 defines a set of recommended XEPs to implement for a server

Enable if you are syncing more than 2000 users/groups.

Set of core packages for a normal interactive system

Whenever to use precomputated tables for ElGamal. i2pd defaults to false to save 64M of memory (and looses some performance)

An attribute set where the keys name the organisation and the values are a set of lists of users and groups.

Class that users must have.

Enables single account mode

Environment file to be passed to the systemd service

Environment file to be passed to the systemd service

Font packages to use in OpenGamepadUI

Whether users must authenticate when using the web UI or command-line tool

Allow users to edit datasources from the UI.

Displays a CAPTCHA challenge for users that register externally.

The directory where the skeleton files are located

Make the Podman socket available in place of the Docker socket, so Docker tools can find the Podman socket

Whether to use NetworkManager to obtain an IP address and other configuration for all network interfaces that are not manually configured

Remove users from bitwarden groups if no longer in the ldap group.

If set, users with enabled Google Authenticator (created ~/.google_authenticator) will be required to provide Google Authenticator token to log in.

Point DOCKER_HOST to rootless Docker instance for normal users by default.

Outbound email configuration is mandatory for Firezone and supports many different delivery adapters

This option defines the first version of NixOS you have installed on this particular machine, and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions

Attribute for a users email.

Whether new users can register on this server.

Send notifications about killed processes via the system d-bus

The attribute that contains the users username.

Enable registration for new users.

If set, will use the Google OS Login PAM modules (pam_oslogin_login, pam_oslogin_admin) to verify possible OS Login users and set sudoers configuration accordingly

If set, will use the pam_oslogin_login's user authentication methods to authenticate users using 2FA

The configuration of vaultwarden is done through environment variables, therefore it is recommended to use upper snake case (e.g. DISABLE_2FA_REMEMBER)

Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.

Additional environment file or files as defined in systemd.exec(5)

Default 2FA method for new users and fallback for preferred but disabled methods.

Whenever to send systembus-notify notifications

Whether to enable support for unprivileged users to launch containers.

The name-string specifies an external program to be called that will automatically change volumes as required by Bacula

Whether the users will be able to use the ad-hoc commands that lets them configure their realname and username.

If not null, is used as the permissions set by system.activationScripts.transmission-daemon on the directories services.transmission.settings.download-dir, services.transmission.settings.incomplete-dir. and services.transmission.settings.watch-dir

Do not allow more than this many server connections per user (regardless of database)

The read permissions to include for this token

The read permissions to include for this token