| security.googleOsLogin.enable | Whether to enable Google OS Login
|
| programs.dconf.profiles | Attrset of dconf profiles
|
| services.hledger-web.allow | User's access level for changing data.
- view: view only permission.
- add: view and add permissions.
- edit: view, add, and edit permissions.
- sandstorm: permissions from the
X-Sandstorm-Permissions request header.
|
| services.mpd.credentials.*.permissions | List of permissions that are granted with this password
|
| security.wrappers.<name>.permissions | The permissions of the wrapper program
|
| services.g810-led.profile | Keyboard profile to apply at boot time
|
| services.cachix-agent.profile | Profile name, defaults to 'system' (NixOS).
|
| programs.schroot.profiles | Custom configuration profiles for schroot.
|
| security.acme.certs.<name>.profile | The certificate profile to choose if the CA offers multiple profiles.
|
| services.mail.sendmailSetuidWrapper.permissions | The permissions of the wrapper program
|
| services.postfix-tlspol.settings.server.socket-permissions | Permissions to the UNIX socket, if configured.
Due to hardening on the systemd unit the socket can never be created world readable/writable.
|
| security.acme.defaults.profile | The certificate profile to choose if the CA offers multiple profiles.
|
| services.mysql.ensureUsers | Ensures that the specified users exist and have at least the ensured permissions
|
| services.angrr.settings.profile-policies.<name>.profile-paths | Paths to the Nix profile
|
| security.tpm2.fapi.profileName | Name of the default cryptographic profile chosen from the profile_dir directory.
|
| programs.schroot.profiles.<name>.fstab | A file in the format described in fstab(5), used to mount filesystems inside the chroot
|
| services.syncoid.localTargetAllow | Permissions granted for the services.syncoid.user user
for local target datasets
|
| services.oauth2-proxy.profileURL | Profile access endpoint.
|
| services.angrr.settings.profile-policies | Profile GC root policies.
|
| programs.wshowkeys.enable | Whether to enable wshowkeys (displays keypresses on screen on supported Wayland
compositors)
|
| security.apparmor.policies.<name>.profile | The profile file contents
|
| services.syncoid.localSourceAllow | Permissions granted for the services.syncoid.user user
for local source datasets
|
| programs.schroot.profiles.<name>.copyfiles | A list of files to copy into the chroot from the host system.
|
| security.loginDefs.settings.TTYPERM | The terminal permissions: the login tty will be owned by the TTYGROUP group,
and the permissions will be set to TTYPERM
|
| services.autorandr.profiles.<name>.hooks | Profile hook scripts.
|
| services.syncoid.commands.<name>.localTargetAllow | Permissions granted for the services.syncoid.user user
for local target datasets
|
| services.tuned.profiles | Profiles for TuneD
|
| security.loginDefs.settings.TTYGROUP | The terminal permissions: the login tty will be owned by the TTYGROUP group,
and the permissions will be set to TTYPERM
|
| services.angrr.settings.profile-policies.<name>.keep-since | Retention period for the GC roots in this profile.
|
| services.autorandr.profiles.<name>.config | Per output profile configuration.
|
| services.prometheus.remoteWrite.*.sigv4.profile | The named AWS profile used to authenticate.
|
| security.tpm2.fapi.profileDir | Directory that contains all cryptographic profiles known to FAPI.
|
| services.disnix.profiles | Names of the Disnix profiles to expose in the system's PATH
|
| services.angrr.settings.profile-policies.<name>.keep-latest-n | Keep the latest N GC roots in this profile.
|
| users.users.<name>.createHome | Whether to create the home directory and ensure ownership as well as
permissions to match the user.
|
| services.qbittorrent.profileDir | The path passed to qbittorrent via --profile.
|
| services.asusd.profileConfig | The content of /etc/asusd/profile.ron
|
| services.mysql.ensureUsers.*.ensurePermissions | Permissions to ensure for the user, specified as attribute set
|
| programs.schroot.profiles.<name>.nssdatabases | System databases (as described in /etc/nsswitch.conf on GNU/Linux systems) to copy into the chroot from the host.
|
| services.asusd.profileConfig.text | Text of the file.
|
| services.libinput.mouse.accelProfile | Sets the pointer acceleration profile to the given profile
|
| hardware.tuxedo-drivers.settings.charging-profile | The maximum charge level to help reduce battery wear:
high_capacity charges to 100% (driver default)
balanced charges to 90%
stationary charges to 80% (maximum lifespan)
Note: Regardless of the configured charging profile, the operating system will always report the battery as being charged to 100%.
|
| environment.profiles | A list of profiles used to set up the global environment.
|
| services.nextcloud.settings."profile.enabled" | Makes user-profiles globally available under nextcloud.tld/u/user.name
|
| services.syncoid.commands.<name>.localSourceAllow | Permissions granted for the services.syncoid.user user
for local source datasets
|
| users.extraUsers.<name>.createHome | Whether to create the home directory and ensure ownership as well as
permissions to match the user.
|
| services.hardware.lcd.server.usbPermissions | Set group-write permissions on a USB device
|
| services.autorandr.profiles | Autorandr profiles specification.
|
| environment.profileRelativeEnvVars | Attribute set of environment variable
|
| services.libinput.touchpad.accelProfile | Sets the pointer acceleration profile to the given profile
|
| services.asusd.profileConfig.source | Path of the source file.
|
| services.angrr.settings.profile-policies.<name>.enable | Whether to enable this angrr policy.
|
| services.memos.dataDir | Specifies the directory where Memos will store its data.
|
| services.tuned.ppdSettings.profiles | Map of PPD profiles to native TuneD profiles.
|
| services.power-profiles-daemon.package | The power-profiles-daemon package to use.
|
| services.cfssl.dataDir | The work directory for CFSSL.
If left as the default value this directory will automatically be
created before the CFSSL server starts, otherwise you are
responsible for ensuring the directory exists with appropriate
ownership and permissions.
|
| services.mpd.dataDir | The directory where MPD stores its state, tag cache, playlists etc
|
| services.power-profiles-daemon.enable | Whether to enable power-profiles-daemon, a DBus daemon that allows
changing system behavior based upon user-selected power profiles.
|
| services.caddy.logDir | Directory for storing Caddy access logs.
If left as the default value this directory will automatically be created
before the Caddy server starts, otherwise the sysadmin is responsible for
ensuring the directory exists with appropriate ownership and permissions.
|
| services.knot.enableXDP | Extends the systemd unit with permissions to allow for the use of
the eXpress Data Path (XDP).
Make sure to read up on functional limitations
when running in XDP mode.
|
| services.zwave-js-ui.serialPort | Serial port for the Z-Wave controller
|
| services.mysql.dataDir | The data directory for MySQL.
If left as the default value of /var/lib/mysql this directory will automatically be created before the MySQL
server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions.
|
| security.sudo.execWheelOnly | Only allow members of the wheel group to execute sudo by
setting the executable's permissions accordingly
|
| services.nats.dataDir | The NATS data directory
|
| security.sudo-rs.execWheelOnly | Only allow members of the wheel group to execute sudo by
setting the executable's permissions accordingly
|
| services.crowdsec.localConfig.profiles | A list of profiles to enable
|
| services.node-red.userDir | The directory to store all user data, such as flow and credential files and all library data
|
| services.sonarr.dataDir | The Sonarr home directory used to store all data
|
| services.angrr.settings.profile-policies.<name>.keep-booted-system | Whether to keep the last booted system generation
|
| services.caddy.dataDir | The data directory for caddy.
If left as the default value this directory will automatically be created
before the Caddy server starts, otherwise you are responsible for ensuring
the directory exists with appropriate ownership and permissions
|
| services.angrr.settings.profile-policies.<name>.keep-current-system | Whether to keep the current system generation
|
| services.galene.stateDir | The directory where Galene stores its internal state
|
| services.molly-brown.certPath | Path to TLS certificate
|
| security.wrappers | This option effectively allows adding setuid/setgid bits, capabilities,
changing file ownership and permissions of a program without directly
modifying it
|
| services.prosody.dataDir | The prosody home directory used to store all data
|
| services.owncast.dataDir | The directory where owncast stores its data files
|
| services.mysql.initialScript | A file containing SQL statements to be executed on the first startup
|
| services.autorandr.profiles.<name>.config.<name>.dpi | Output DPI configuration.
|
| services.namecoind.wallet | Wallet file
|
| services.autorandr.profiles.<name>.config.<name>.mode | Output resolution.
|
| services.autorandr.profiles.<name>.config.<name>.rate | Output framerate.
|
| services.traefik.dataDir | Location for any persistent data Traefik creates, such as the ACME certificate store.
If left as the default value, this directory will automatically be created
before the Traefik server starts, otherwise you are responsible for ensuring
the directory exists with appropriate ownership and permissions.
|
| services.system76-scheduler.settings.processScheduler.pipewireBoost.profile.nice | Niceness.
|
| services.autorandr.profiles.<name>.config.<name>.crtc | Output video display controller.
|
| services.system76-scheduler.settings.processScheduler.pipewireBoost.profile.prio | CPU scheduler priority.
|
| services.hledger-web.stateDir | Path the service has access to
|
| services.system76-scheduler.settings.processScheduler.pipewireBoost.profile.ioPrio | IO scheduler priority.
|
| services.prometheus.scrapeConfigs.*.ec2_sd_configs.*.profile | Named AWS profile used to connect to the API.
|
| services.system76-scheduler.settings.processScheduler.pipewireBoost.profile.class | CPU scheduler class.
|
| services.redis.servers.<name>.unixSocketPerm | Change permissions for the socket
|
| services.autorandr.profiles.<name>.config.<name>.gamma | Output gamma configuration.
|
| services.system76-scheduler.settings.processScheduler.pipewireBoost.profile.ioClass | IO scheduler class.
|
| services.goeland.stateDir | The data directory for goeland where the database will reside if using the unseen filter
|
| services.gitolite.dataDir | The gitolite home directory used to store all repositories
|
| services.mpd.credentials | Credentials and permissions for accessing the mpd server.
|
| services.autorandr.profiles.<name>.config.<name>.scale.y | Vertical scaling factor/pixels.
|
| services.autorandr.profiles.<name>.config.<name>.scale.x | Horizontal scaling factor/pixels.
|
| services.autorandr.profiles.<name>.config.<name>.enable | Whether to enable the output.
|
| services.autorandr.profiles.<name>.config.<name>.rotate | Output rotate configuration.
|
| services.usbguard.ruleFile | This tells the USBGuard daemon which file to load as policy rule set
|
| security.apparmor.policies.<name>.path | A path of a profile file to include
|
| services.evremap.settings.phys | The physical device name to listen on
|
| services.system76-scheduler.settings.processScheduler.pipewireBoost.profile.matchers | Process matchers.
|
| services.hardware.lcd.server.usbGroup | The group to use for settings permissions
|
| services.nomad.settings | Configuration for Nomad
|
| services.mediawiki.uploadsDir | This directory is used for uploads of pictures
|
| services.autorandr.profiles.<name>.config.<name>.primary | Whether output should be marked as primary
|
| services.duplicati.dataDir | The directory where Duplicati stores its data files.
If left as the default value this directory will automatically be created
before the Duplicati server starts, otherwise you are responsible for ensuring
the directory exists with appropriate ownership and permissions.
|
| networking.networkmanager.ensureProfiles.profiles | Declaratively define NetworkManager profiles
|
| services.canaille.smtpPasswordFile | File containing the SMTP password
|
| services.weblate.smtp.passwordFile | Location of a file containing the SMTP password
|
| programs.wireshark.usbmon.enable | Whether to allow users in the 'wireshark' group to capture USB traffic
|
| services.autorandr.profiles.<name>.config.<name>.scale.method | Output scaling method.
|
| services.psd.enable | Whether to enable the Profile Sync daemon.
|
| services.autorandr.profiles.<name>.config.<name>.position | Output position
|
| services.borgbackup.repos.<name>.path | Where to store the backups
|
| services.tlsrpt.configurePostfix | Whether to configure permissions to allow integration with Postfix.
|
| services.autorandr.profiles.<name>.hooks.preswitch | Preswitch hook executed before mode switch.
|
| services.autorandr.profiles.<name>.config.<name>.scale | Output scale configuration
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.readPermissions | The read permissions to include for this token
|
| services.autorandr.profiles.<name>.hooks.predetect | Predetect hook executed before autorandr attempts to run xrandr.
|
| services.amule.settings.eMule.IncomingDir | Directory where aMule moves completed downloads
|
| services.grafana.settings.server.socket | Path where the socket should be created when protocol=socket
|
| services.canaille.secretKeyFile | File containing the Flask secret key
|
| services.weblate.djangoSecretKeyFile | Location of the Django secret key
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.writePermissions | The read permissions to include for this token
|
| environment.profileRelativeSessionVariables | Attribute set of environment variable used in the global
environment
|
| services.mpd.musicDirectory | The directory or NFS/SMB network share where MPD reads music from
|
| services.postgresql.dataDir | The data directory for PostgreSQL
|
| services.snapper.configs.<name>.ALLOW_GROUPS | List of groups allowed to operate with the config
|
| services.snapper.configs.<name>.ALLOW_USERS | List of users allowed to operate with the config. "root" is always
implicitly included
|
| services.jmusicbot.stateDir | The directory where config.txt and serversettings.json are saved
|
| services.roundcube.database.host | Host of the postgresql server
|
| services.autorandr.profiles.<name>.hooks.postswitch | Postswitch hook executed after mode switch.
|
| services.nominatim.database.apiUser | Postgresql database user with read-only permissions used for Nominatim
web API service.
|
| services.autorandr.profiles.<name>.config.<name>.transform | Refer to
xrandr(1)
for the documentation of the transform matrix.
|
| services.canaille.jwtPrivateKeyFile | File containing the JWT private key
|
| services.wordpress.sites.<name>.uploadsDir | This directory is used for uploads of pictures
|
| services.umami.settings.DATABASE_URL_FILE | A file containing a connection string for the database
|
| services.autorandr.profiles.<name>.fingerprint | Output name to EDID mapping
|
| services.neo4j.directories.certificates | Directory for storing certificates to be used by Neo4j for
TLS connections
|
| services.nominatim.database.host | Host of the postgresql server
|
| services.umami.settings.APP_SECRET_FILE | A file containing a secure random string
|
| services.mpd.playlistDirectory | The directory where MPD stores playlists
|
| services.rtorrent.dataPermissions | Unix Permissions in octal on the rtorrent directory.
|
| services.matrix-synapse.settings.listeners.*.mode | File permissions on the UNIX domain socket.
|
| services.reaction.runAsRoot | Whether to run reaction as root
|
| services.transmission.downloadDirPermissions | If not null, is used as the permissions
set by system.activationScripts.transmission-daemon
on the directories services.transmission.settings.download-dir,
services.transmission.settings.incomplete-dir.
and services.transmission.settings.watch-dir
|
| services.patroni.postgresqlDataDir | The data directory for PostgreSQL
|
| services.snapper.configs.<name>.SUBVOLUME | Path of the subvolume or mount point
|
| services.evremap.settings.device_name | The name of the device that should be remapped
|
| services.tlsrpt.collectd.settings.socketmode | Permissions on the UNIX socket.
|
| services.neo4j.directories.data | Path of the data directory
|
| services.healthchecks.dataDir | The directory used to store all data for healthchecks.
If left as the default value this directory will automatically be created before
the healthchecks server starts, otherwise you are responsible for ensuring the
directory exists with appropriate ownership and permissions.
|
| services.tuned.settings.profile_dirs | Directories to search for profiles, separated by , or ;.
|
| services.pdfding.consume.enable | Bulk PDF import from consume directory
|
| services.prometheus.scrapeConfigs.*.lightsail_sd_configs.*.profile | Named AWS profile used to connect to the API.
|
| services.invoiceplane.sites.<name>.stateDir | This directory is used for uploads of attachments and cache
|
| services.osquery.flags.logger_path | Base directory used for logging.
If left as the default value, this directory will be automatically created before the
service starts, otherwise you are responsible for ensuring the directory exists with
the appropriate ownership and permissions.
|
| services.postfixadmin.database.host | Host of the postgresql server
|
| services.kmonad.keyboards.<name>.extraGroups | Extra permission groups to attach to the KMonad instance for
this keyboard
|
| services.varnish.listen.*.address | If given an IP address, it can be a host name ("localhost"), an IPv4 dotted-quad
("127.0.0.1") or an IPv6 address enclosed in square brackets ("[::1]").
(VCL4.1 and higher) If given an absolute Path ("/path/to/listen.sock") or "@"
followed by the name of an abstract socket ("@myvarnishd") accept connections
on a Unix domain socket
|
| containers.<name>.path | As an alternative to specifying
config, you can specify the path to
the evaluated NixOS system configuration, typically a
symlink to a system profile.
|
| services.neo4j.ssl.policies.<name>.revokedDir | Path to directory of CRLs (Certificate Revocation Lists) in
PEM format
|
| services.immichframe.settings.Accounts.*.ApiKeyFile | File containing an API key to talk to the Immich server
|
| services.immichframe.settings.Accounts.*.ApiKey | API key to talk to the Immich server
|
| services.bepasty.servers.<name>.defaultPermissions | Default permissions for all unauthenticated accesses.
|
| services.neo4j.ssl.policies.<name>.trustedDir | Path to directory of X.509 certificates in PEM format for
trusted parties
|
| services.tt-rss.auth.autoLogin | Automatically log in user on remote or other kind of externally supplied
authentication, otherwise redirect to login form as normal
|
| services.trickster.profiler-port | Port that the /debug/pprof endpoint will listen on.
|
| services.neo4j.ssl.policies.<name>.baseDirectory | The mandatory base directory for cryptographic objects of this
policy
|
| services.archisteamfarm.dataDir | The ASF home directory used to store all data
|
| services.uwsgi.capabilities | Grant capabilities to the uWSGI instance
|
| services.osquery.flags.database_path | Path used for the database file.
If left as the default value, this directory will be automatically created before the
service starts, otherwise you are responsible for ensuring the directory exists with
the appropriate ownership and permissions.
|
| virtualisation.incus.enable | Whether to enable incusd, a daemon that manages containers and virtual machines
|
| i18n.inputMethod.fcitx5.settings.inputMethod | The input method configuration in the profile file, in ini format.
|
| services.outline.slackAuthentication | To configure Slack auth, you'll need to create an Application at
https://api.slack.com/apps
When configuring the Client ID, add a redirect URL under "OAuth & Permissions"
to https://[publicUrl]/auth/slack.callback.
|
| services.mosquitto.listeners.*.users.<name>.passwordFile | Specifies the path to a file containing the
clear text password for the MQTT user
|
| system.activatable | Whether to add the activation script to the system profile
|
| services.cloudflare-ddns.credentialsFile | Path to a file containing the Cloudflare API authentication token
|
| services.mpd.settings.music_directory | The directory or URI where MPD reads music from
|
| services.traefik.supplementaryGroups | Additional groups under which Traefik runs
|
| services.geoipupdate.settings.DatabaseDirectory | The directory to store the database files in
|
| services.prometheus.exporters.sabnzbd.servers.*.apiKeyFile | The path to a file containing the API key
|
| services.netbird.tunnels.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.netbird.clients.<name>.hardened | Hardened service:
- runs as a dedicated user with minimal set of permissions (see caveats),
- restricts daemon configuration socket access to dedicated user group
(you can grant access to it with
users.users."<user>".extraGroups = [ netbird-‹name› ]),
Even though the local system resources access is restricted:
CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilities,
- older kernels don't have
CAP_BPF and use CAP_SYS_ADMIN instead,
Known security features that are not (yet) integrated into the module:
- 2024-02-14:
rosenpass is an experimental feature configurable solely
through --enable-rosenpass flag on the netbird up command,
see the docs
|
| services.libinput.mouse.accelSpeed | Cursor acceleration (how fast speed increases from minSpeed to maxSpeed)
|
| services.cloudflared.certificateFile | Account certificate file, necessary to create, delete and manage tunnels
|
| services.tuned.ppdSettings.main.default | Default PPD profile.
|
| networking.networkmanager.ensureProfiles.profiles.<name>.connection.id | This is the name that will be displayed by NetworkManager and GUIs.
|
| services.freshrss.api.enable | Whether to enable API access for mobile apps and third-party clients (Google Reader API and Fever API)
|
| networking.networkmanager.ensureProfiles.profiles.<name>.connection.type | The connection type defines the connection kind, like vpn, wireguard, gsm, wifi and more.
|
| services.mosquitto.listeners.*.users.<name>.hashedPasswordFile | Specifies the path to a file containing the
hashed password for the MQTT user
|
| services.postgresql.ensureUsers.*.ensureClauses.inherit | Grants the user created inherit permissions
|
| services.rke2.cisHardening | Enable CIS Hardening for RKE2
|
| services.postgresql.ensureUsers.*.ensureClauses.createdb | Grants the user, created by the ensureUser attr, createdb permissions
|
| services.cloudflared.tunnels.<name>.certificateFile | Account certificate file, necessary to create, delete and manage tunnels
|
| services.libinput.mouse.accelStepScroll | Sets the step between the points of the scroll acceleration function
|
| services.mpd.settings.playlist_directory | The directory where MPD stores playlists
|
| services.libinput.mouse.accelStepMotion | Sets the step between the points of the (pointer) motion acceleration function
|
| services.libinput.touchpad.accelSpeed | Cursor acceleration (how fast speed increases from minSpeed to maxSpeed)
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.allAccess | Grants all permissions in the associated organization.
|
| services.postgresql.ensureUsers.*.ensureClauses.login | Grants the user, created by the ensureUser attr, login permissions
|
| services.matrix-synapse.workers.<name>.worker_listeners.*.mode | File permissions on the UNIX domain socket.
|
| services.matrix-tuwunel.settings.global.unix_socket_perms | The default permissions (in octal) to create the UNIX socket with.
|
| hardware.nvidia-container-toolkit.mounts | Mounts to be added to every container under the Nvidia CDI profile.
|
| services.hedgedoc.settings.allowGravatar | Whether to enable Libravatar as
profile picture source on your instance
|
| services.postgresql.ensureUsers.*.ensureClauses.bypassrls | Grants the user, created by the ensureUser attr, replication permissions
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.operator | Grants all permissions in all organizations.
|
| services.postgresql.ensureUsers.*.ensureClauses.superuser | Grants the user, created by the ensureUser attr, superuser permissions
|
| services.libinput.mouse.accelPointsScroll | Sets the points of the scroll acceleration function
|
| services.libinput.mouse.accelPointsMotion | Sets the points of the (pointer) motion acceleration function
|
| services.nitter.preferences.hideBanner | Hide profile banner.
|
| services.mobilizon.settings.":mobilizon"."Mobilizon.Storage.Repo".socket_dir | Path to the postgres socket directory
|
| services.hardware.openrgb.startupProfile | The profile file to load from "/var/lib/OpenRGB" at startup.
|
| services.libinput.mouse.accelStepFallback | Sets the step between the points of the fallback acceleration function
|
| system.build.separateActivationScript | A separate activation script package that's not part of the system profile
|
| environment.systemPackages | The set of packages that appear in
/run/current-system/sw
|
| services.libinput.touchpad.accelStepScroll | Sets the step between the points of the scroll acceleration function
|
| services.postgresql.ensureUsers.*.ensureClauses.replication | Grants the user, created by the ensureUser attr, replication permissions
|
| services.libinput.touchpad.accelStepMotion | Sets the step between the points of the (pointer) motion acceleration function
|
| services.libinput.mouse.accelPointsFallback | Sets the points of the fallback acceleration function
|
| services.postgresql.ensureUsers.*.ensureClauses.createrole | Grants the user, created by the ensureUser attr, createrole permissions
|
| virtualisation.xen.store.settings.conflict.rateLimitIsAggregate | If the conflict.rateLimitIsAggregate option is true, then after each
tick one point of conflict-credit is given to just one domain: the
one at the front of the queue
|
| security.unprivilegedUsernsClone | When disabled, unprivileged users will not be able to create new namespaces
|
| environment.variables | A set of environment variables used in the global environment
|
| services.nitter.preferences.squareAvatars | Square profile pictures.
|
| services.libinput.touchpad.accelPointsScroll | Sets the points of the scroll acceleration function
|
| services.nitter.preferences.stickyProfile | Make profile sidebar stick to top.
|
| services.libinput.touchpad.accelPointsMotion | Sets the points of the (pointer) motion acceleration function
|
| services.matrix-continuwuity.settings.global.unix_socket_perms | The default permissions (in octal) to create the UNIX socket with.
|
| services.dependency-track.oidc.teamSynchronization | This option will ensure that team memberships for OpenID Connect users are dynamic and
synchronized with membership of OpenID Connect groups or assigned roles
|
| services.libinput.touchpad.accelStepFallback | Sets the step between the points of the fallback acceleration function
|
| services.dependency-track.settings."alpine.oidc.team.synchronization" | This option will ensure that team memberships for OpenID Connect users are dynamic and
synchronized with membership of OpenID Connect groups or assigned roles
|
| security.apparmor.enable | Whether to enable the AppArmor Mandatory Access Control system
|
| services.system76-scheduler.assignments | Process profile assignments.
|
| services.libinput.touchpad.accelPointsFallback | Sets the points of the fallback acceleration function
|
| services.qbittorrent.serverConfig | Free-form settings mapped to the qBittorrent.conf file in the profile
|
| security.apparmor.killUnconfinedConfinables | Whether to enable killing of processes which have an AppArmor profile enabled
(in security.apparmor.policies)
but are not confined (because AppArmor can only confine new processes)
|
| services.prometheus.scrapeConfigs.*.openstack_sd_configs.*.all_tenants | Whether the service discovery should list all instances for all projects
|
| services.grafana.settings.security.disable_gravatar | Set to true to disable the use of Gravatar for user profile images.
|
| networking.networkmanager.ensureProfiles.secrets.entries.*.matchUuid | UUID of the connection profile
UUIDs are assigned once on connection creation and should never change as long as the connection still applies to the same network.
|
| services.pipewire.wireplumber.extraScripts | Additional scripts for WirePlumber to be used by configuration files
|