Whether to enable Google OS Login

Attrset of dconf profiles

List of permissions that are granted with this password

The permissions of the wrapper program

Custom configuration profiles for schroot.

Keyboard profile to apply at boot time

User's access level for changing data.

• view: view only permission.
• add: view and add permissions.
• edit: view, add, and edit permissions.
• sandstorm: permissions from the X-Sandstorm-Permissions request header.

The permissions of the wrapper program

Permissions to the UNIX socket, if configured.

The certificate profile to choose if the CA offers multiple profiles.

Profile name, defaults to 'system' (NixOS).

A file in the format described in fstab(5), used to mount filesystems inside the chroot

The certificate profile to choose if the CA offers multiple profiles.

Paths to the Nix profile

Name of the default cryptographic profile chosen from the profile_dir directory.

Profiles for TuneD

Profile access endpoint.

Profile GC root policies.

Names of the Disnix profiles to expose in the system's PATH

A list of files to copy into the chroot from the host system.

Profile hook scripts.

Per output profile configuration.

Directory that contains all cryptographic profiles known to FAPI.

The profile file contents

Retention period for the GC roots in this profile.

Ensures that the specified users exist and have at least the ensured permissions

Whether to enable wshowkeys (displays keypresses on screen on supported Wayland compositors)

Keep the latest N GC roots in this profile.

The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM

Autorandr profiles specification.

Map of PPD profiles to native TuneD profiles.

A list of profiles used to setup the global environment.

Text of the file.

The content of /etc/asusd/profile.ron

Permissions granted for the services.syncoid.user user for local target datasets

System databases (as described in /etc/nsswitch.conf on GNU/Linux systems) to copy into the chroot from the host.

The named AWS profile used to authenticate.

The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM

The maximum charge level to help reduce battery wear:

• high_capacity charges to 100% (driver default)
• balanced charges to 90%
• stationary charges to 80% (maximum lifespan)

Note: Regardless of the configured charging profile, the operating system will always report the battery as being charged to 100%.

Whether to enable power-profiles-daemon, a DBus daemon that allows changing system behavior based upon user-selected power profiles.

The power-profiles-daemon package to use.

Makes user-profiles globally available under nextcloud.tld/u/user.name

the path passed to qbittorrent via --profile.

A list of profiles to enable

Path of the source file.

Whether to enable this angrr policy.

Permissions granted for the services.syncoid.user user for local source datasets

Output DPI configuration.

Permissions granted for the services.syncoid.user user for local target datasets

Output resolution.

Output framerate.

Vertical scaling factor/pixels.

Horizontal scaling factor/pixels.

Output video display controller.

Attribute set of environment variable

Whether to keep the last booted system generation

Output gamma configuration.

Whether to keep the current system generation

Whether to enable the output.

Output rotate configuration.

Output scaling method.

Whether to create the home directory and ensure ownership as well as permissions to match the user.

Niceness.

Preswitch hook executed before mode switch.

CPU scheduler priority.

Whether output should be marked as primary

IO scheduler priority.

Predetect hook executed before autorandr attempts to run xrandr.

Output scale configuration

CPU scheduler class.

Sets the pointer acceleration profile to the given profile

IO scheduler class.

Output position

Permissions to ensure for the user, specified as attribute set

Postswitch hook executed after mode switch.

Process matchers.

Set group-write permissions on a USB device

Specifies the directory where Memos will store its data.

Declaratively define NetworkManager profiles

The directory where MPD stores its state, tag cache, playlists etc

Permissions granted for the services.syncoid.user user for local source datasets

Whether to create the home directory and ensure ownership as well as permissions to match the user.

Refer to xrandr(1) for the documentation of the transform matrix.

Sets the pointer acceleration profile to the given profile

The work directory for CFSSL.

Directory for storing Caddy access logs.

The physical device name to listen on

Output name to EDID mapping

Configuration for Nomad

The data directory for MySQL.

Extends the systemd unit with permissions to allow for the use of the eXpress Data Path (XDP).

The NATS data directory

Serial port for the Z-Wave controller

Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly

The directory to store all user data, such as flow and credential files and all library data

Whether to allow users in the 'wireshark' group to capture USB traffic

Named AWS profile used to connect to the API.

Directory where aMule moves completed downloads

Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly

Path where the socket should be created when protocol=socket

The Sonarr home directory used to store all data

The data directory for caddy.

The directory where Galene stores its internal state

Path to TLS certificate

Directories to search for profiles, separated by , or ;.

A file containing a secure random string

The prosody home directory used to store all data

The directory where owncast stores its data files

A file containing a connection string for the database

Attribute set of environment variable used in the global environment

Location for any persistent data Traefik creates, such as the ACME certificate store.

A file containing SQL statements to be executed on the first startup

Path the service has access to

Wallet file

This option effectively allows adding setuid/setgid bits, capabilities, changing file ownership and permissions of a program without directly modifying it

The data directory for goeland where the database will reside if using the unseen filter

The group to use for settings permissions

The gitolite home directory used to store all repositories

Change permissions for the socket

This tells the USBGuard daemon which file to load as policy rule set

File permissions on the UNIX domain socket.

Whether to enable the Profile Sync daemon.

Credentials and permissions for accessing the mpd server.

Location of a file containing the SMTP password

Permissions on the UNIX socket.

A path of a profile file to include

The directory where Duplicati stores its data files.

The name of the device that should be remapped

This directory is used for uploads of pictures

File containing the SMTP password

Port that the /debug/pprof endpoint will listen on.

File containing the Flask secret key

Where to store the backups

The directory or NFS/SMB network share where MPD reads music from

Whether to configure permissions to allow integration with Postfix.

Location of the Django secret key

Host of the postgresql server

The data directory for PostgreSQL

Postgresql database user with read-only permissions used for Nominatim web API service.

The directory where config.txt and serversettings.json is saved

This is the name that will be displayed by NetworkManager and GUIs.

List of users allowed to operate with the config. "root" is always implicitly included

The input method configure in profile file in ini format.

Host of the postgresql server

List of groups allowed to operate with the config

The connection type defines the connection kind, like vpn, wireguard, gsm, wifi and more.

File containing the JWT private key

File containing an API key to talk to the Immich server

Named AWS profile used to connect to the API.

API key to talk to the Immich server

This directory is used for uploads of pictures

Whether to run reaction as root

The read permissions to include for this token

Directory for storing certificates to be used by Neo4j for TLS connections

The read permissions to include for this token

The directory where MPD stores playlists

Bulk PDF import from consume directory

Path of the data directory

Unix Permissions in octal on the rtorrent directory.

The data directory for PostgreSQL

Automatically login user on remote or other kind of externally supplied authentication, otherwise redirect to login form as normal

Path of the subvolume or mount point

The directory used to store all data for healthchecks.

If not null, is used as the permissions set by system.activationScripts.transmission-daemon on the directories services.transmission.settings.download-dir, services.transmission.settings.incomplete-dir. and services.transmission.settings.watch-dir

The directory or URI where MPD reads music from

Base directory used for logging.

Path to directory of CRLs (Certificate Revocation Lists) in PEM format

The directory to store the database files in

If given an IP address, it can be a host name ("localhost"), an IPv4 dotted-quad ("127.0.0.1") or an IPv6 address enclosed in square brackets ("[::1]").

(VCL4.1 and higher) If given an absolute Path ("/path/to/listen.sock") or "@" followed by the name of an abstract socket ("@myvarnishd") accept connections on a Unix domain socket

Host of the postgresql server

This directory is used for uploads of attachments and cache

Extra permission groups to attach to the KMonad instance for this keyboard

Path to directory of X.509 certificates in PEM format for trusted parties

Whether to enable Libravatar as profile picture source on your instance

The mandatory base directory for cryptographic objects of this policy

Grant capabilities to the uWSGI instance

default permissions for all unauthenticated accesses.

Path used for the database file.

Default PPD profile.

The ASF home directory used to store all data

Cursor acceleration (how fast speed increases from minSpeed to maxSpeed)

Whether to enable API access for mobile apps and third-party clients (Google Reader API and Fever API)

Whether to enable incusd, a daemon that manages containers and virtual machines

The path to a file containing the API key

The directory where MPD stores playlists

The default permissions (in octal) to create the UNIX socket with.

To configure Slack auth, you'll need to create an Application at https://api.slack.com/apps

When configuring the Client ID, add a redirect URL under "OAuth & Permissions" to https://[publicUrl]/auth/slack.callback.

Path to the postgres socket directory

Specifies the path to a file containing the clear text password for the MQTT user

If the conflict.rateLimitIsAggregate option is true, then after each tick one point of conflict-credit is given to just one domain: the one at the front of the queue

Path to a file containing the Cloudflare API authentication token

Whether to add the activation script to the system profile

Hardened service:

• runs as a dedicated user with minimal set of permissions (see caveats),
• restricts daemon configuration socket access to dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),

Even though the local system resources access is restricted:

• CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,
• older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,

Known security features that are not (yet) integrated into the module:

• 2024-02-14: rosenpass is an experimental feature configurable solely through --enable-rosenpass flag on the netbird up command, see the docs

Hardened service:

• runs as a dedicated user with minimal set of permissions (see caveats),
• restricts daemon configuration socket access to dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),

Even though the local system resources access is restricted:

• CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,
• older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,

Known security features that are not (yet) integrated into the module:

• 2024-02-14: rosenpass is an experimental feature configurable solely through --enable-rosenpass flag on the netbird up command, see the docs

Additional groups under which Traefik runs

As an alternative to specifying config, you can specify the path to the evaluated NixOS system configuration, typically a symlink to a system profile.

Sets the step between the points of the scroll acceleration function

Account certificate file, necessary to create, delete and manage tunnels

Grants the user created inherit permissions

Sets the step between the points of the (pointer) motion acceleration function

This option will ensure that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles

Cursor acceleration (how fast speed increases from minSpeed to maxSpeed)

Specifies the path to a file containing the hashed password for the MQTT user

Grants the user, created by the ensureUser attr, createdb permissions

Enable CIS Hardening for RKE2

Sets the points of the scroll acceleration function

Sets the points of the (pointer) motion acceleration function

The default permissions (in octal) to create the UNIX socket with.

Grants the user, created by the ensureUser attr, login permissions

Hide profile banner.

Sets the step between the points of the fallback acceleration function

The profile file to load from "/var/lib/OpenRGB" at startup.

Mounts to be added to every container under the Nvidia CDI profile.

Grants the user, created by the ensureUser attr, replication permissions

Account certificate file, necessary to create, delete and manage tunnels

Grants the user, created by the ensureUser attr, superuser permissions

Sets the step between the points of the scroll acceleration function

Sets the step between the points of the (pointer) motion acceleration function

Sets the points of the fallback acceleration function

Grants all permissions in the associated organization.

A separate activation script package that's not part of the system profile

Sets the points of the scroll acceleration function

File permissions on the UNIX domain socket.

Square profile pictures.

Sets the points of the (pointer) motion acceleration function

Make profile sidebar stick to top.

Grants all permissions in all organizations.

Grants the user, created by the ensureUser attr, replication permissions

Whether to enable the AppArmor Mandatory Access Control system

Grants the user, created by the ensureUser attr, createrole permissions

Sets the step between the points of the fallback acceleration function

Set to true to disable the use of Gravatar for user profile images.

The set of packages that appear in /run/current-system/sw

Sets the points of the fallback acceleration function

A set of environment variables used in the global environment

This option will ensure that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles

When disabled, unprivileged users will not be able to create new namespaces

Process profile assignments.

Free-form settings mapped to the qBittorrent.conf file in the profile

Whether to enable killing of processes which have an AppArmor profile enabled (in security.apparmor.policies) but are not confined (because AppArmor can only confine new processes)

Whether the service discovery should list all instances for all projects

UUID of the connection profile

UUIDs are assigned once on connection creation and should never change as long as the connection still applies to the same network.

Additional scripts for WirePlumber to be used by configuration files