Host of an existing Let's Encrypt certificate to use for SSL

Group running the ACME client.

Attribute set of certificates to get signed and renewed

Default values inheritable by all configured certs

Group under which the node-cert exporter shall be run.

Path to TLS certificate

Path to a certificate signing request to apply when fetching the certificate.

Path to the private key to the matching certificate signing request.

Key type to use for private keys

Commands to run after new certificates go live

Email address for account creation and correspondence from the CA

Domain to fetch certificate for (defaults to the entry name).

Minimum remaining validity before renewal in days.

S3 bucket name to use for HTTP-01 based challenges

ACME Directory Resource URI

The certificate profile to choose if the CA offers multiple profiles.

Interface and port to listen on to solve HTTP challenges in the form [INTERFACE]:PORT

Additional global flags to pass to all lego commands.

Where the webroot of the HTTP vhost is located. .well-known/acme-challenge/ directory will be created below the webroot if it doesn't exist. http://example.org/.well-known/acme-challenge/ must also be available (notice unencrypted HTTP).

Additional flags to pass to lego run.

Turns on the OCSP Must-Staple TLS extension

Whether to enable debug logging for this certificate.

Additional flags to pass to lego renew.

A list of extra domain names, which are included in the one certificate to be issued.

DNS Challenge provider

Set the resolver to use for performing recursive DNS queries

Directory where certificate and other state is stored.

Systemd calendar expression when to check for renewal

The list of systemd services to call systemctl try-reload-or-restart on.

Whether to inherit values set in security.acme.defaults or not.

Environment variables suffixed by "_FILE" to set for the cert's service for your selected dnsProvider

Path to an EnvironmentFile for the cert's service containing any required and optional environment variables for your selected dnsProvider

Group running the ACME client.

Toggles lego DNS propagation check, which is used alongside DNS-01 challenge to ensure the DNS entries required are available.

Group to run Agnos as

If set, then the authenticating user must be a member of this group to use this module.

The user's primary group.

Cert file to use for clients

Group for the default nutmon user

The group to run oCIS under

Certificate file in PEM format.

Group under which Node-RED runs

Group to run qui as.

Group to own the ZNC process.

The group of the wrapper program.

Group running H2O services

Group the bee binary should execute under.

Group account under which MPD runs.

Group under which the VDRvdr service runs.

The user's primary group.

The group under which NNCP files shall be owned

Group under which caddy runs.

Group under which NATS runs.

Group under which Ombi runs.

Group under which Plex runs.

Group under which museum runs

Group account under which maddy runs.

The group as which to run the Ergo node.

Group under which the Kubo daemon runs

Group under which the Loki service runs.

Group account under which unit runs.

User group under which nscd runs.

Group account under which tcsd runs.

Group to run the service.

The group of the Guix build user pool.

Group to use when no root privileges are required.

Group account where Apache NiFi runs.

Group under which db-rest runs.

The group to run as

The group for the service

Grant access to i2c devices (/dev/i2c-*) to users in this group.

Primary group of ntfy-sh user.

Cyrus IMAP group name

Group under which ytdl-sub runs.

Group under which gitea runs.

Group davis runs as.

Group under which Komga runs.

Group for the dspam daemon.

Group under which amule runs

Group to own the seatd socket

Group which runs Nexus3.

Group under which slskd runs.

The Omnom service group.

mailinglist local group

Group under which Stash runs.

Group account under which Sonarr runs.

The group to run Memos as.

Path to the certificate file.

The name of an existing group to use to run the service

Group the hound daemon should execute under.

Group account under which bosun runs.

Group account under which legit runs.

Group account under which nginx runs.

Group running Movim service

Group account under which rqbit runs.

Group account under which uWSGI runs.

Group snipe-it runs as.

Group under which to run the service

Group account under which Apache Felix runs.

Group under which httpd children processes run.

Group to run the cgit service as.

Group under which the coder service runs.

Group under which the service should run

Webhook will be run under this group

Group that users must be in to use cdemu.

Group under which to run ollama

Group account under which prosody runs.

The cert.pem file used for https.

Group to assign to the SEV device.

The group to run code-server under

The group as which to run quorum.

The group under which attic runs.

Group under which bazarr runs.

Group under which Lidarr runs.

The group immich should run as.

Artalk group name.

Group under which deluge runs.

The group to run Kismet as.

Group under which galene runs.

System group for opkssh

Group under which NZBGet runs

Group under which pretix should run.

Group under which Radarr runs.

Group monica runs as.

Group under which WebDAV runs.

Name of the Zammad group.

Group to set for devices of the msr kernel subsystem.

TLS certificate

System group to run Flarum

Group account under which Akkoma runs.

Group to run cross-seed as.

Group owner of CCache directory

Group name under which SFTPGo runs.

Group account under which MySQL runs.

Etcd cert file

Specifies the owner group of the wiki directory

Group account under which the web-application run.

Group to run gitlab and all related services.

Group account under which Apache Tomcat runs.

Group to use when no root privileges are required.

Group to run the service as.

Group under which firefly-iii runs

Group under which pyLoad runs, and which owns the download directory.

Group account under which Pocket ID runs.

Group under which Git daemon would be running.

The group under which the web application runs.

Group to use to run Zeyple.

Group account under which dolibarr runs.

Group account under which pixelfed runs.

SSL certificate file path.

List of certificate specs to feed to cert generator.

The group for the service.

Name of the group used to run the jupyter service

Primary group under which Traefik runs

If the default user "gocd-agent" is configured then this is the primary group of that user.

Path to TLS certificate to use for connections to public-inbox-imapd(1).

Path to TLS certificate to use for connections to public-inbox-nntpd(1).

Group to run the Roon Bridge as.

Group to run the Roon Server as.

Group under which seafile runs.

Group privileges for the server.

The group to run Corteza under.

Group under which Jackett runs.

Group under which Homebox runs.

Group under which Forgejo runs.

Group under which owncast runs.

Group to run the service as

Group under which Readarr runs.

Group under which pretalx should run.

Group under which netdata runs.

Group under which PdfDing runs

Group under which Redmine is ran.

Group under which Polaris is run.

The group under which stunnel runs.

Group under which MonetDB runs.

Group under which unbound runs.

The group to run ZITADEL under.

The group 0bin should run as

Whether to skip certificates issued before the first launch of Cert Spotter

Group account under which haproxy runs.

Group account under which couchdb runs.

Group account under which pleroma runs.

If specified, Duo authentication is required only for users whose primary group or supplementary group list matches one of the space-separated pattern lists

The group usbmuxd should use to run after startup.

Group to assign to the SEV guest device.

Group which users must be in to use ydotool.

What to call the Postfix group (must be used only for postfix).

Group under which Podgrab runs, and which owns the download directory.

The TLS certificate to use for encryption.

Path to the cert.pem file, which will be copied into Syncthing's configDir.

If the default user "gocd-server" is configured then this is the primary group of that user.

If the default user "jenkins" is configured then this is the primary group of that user.

Group account under which Calibre-Web runs.

The name of an existing user group under which the rsync process should run.

Group account under which this instance of redis-server runs.

The group tuwunel is run as

The group to run OpenCloud under

The group to run Syncthing under

Dovecot group name.

The group of the service.

Group for the daemon.

Group for the daemon

Group assigned to the user and the webroot directory.

Group under which dawarich runs.

The group to run crowdsec as

Group under which jellyfin runs.

Group agorakit runs as.

Group under which ejabberd is ran

Name of the LibreNMS group.

Group under which influxdb runs

Group under which Kanboard runs.

Group under which ErsatzTV runs.

Group under which rtorrent runs.

The group under which OliveTin runs.

Group under which Peertube runs.

Group ownership of service

Group under which Tautulli runs.

Group under which mastodon runs.

Group under which sniproxy runs.

Group under which Whisparr runs.

Group account under which Actual runs

Group account under which slapd runs.

Group account under which OpenTSDB runs.

Group under which the oxidized service runs.

Path to the host certificate.

Primary group of the Gitolite user account.

Group account under which Portunus runs its webserver.

Group under which Pingvin Share runs.

Owner group of the device

Group to run under when setuid is not enabled.

Group account under which Klipper runs

Group the user belongs to in initrd.

Group account under which this pool runs.

Group that the CGI process will belong to. (Set to config.services.gitolite.group if you are using gitolite.)

The group as which to run bitcoind.

The group temporal runs as

The group quickwit runs as

mjpg-streamer group name.

Group account under which inadyn runs.

The group under which calibre-server runs.

Group under which privatebin runs

Group for the daemon.

If the default slave agent user "jenkins" is configured then this is the primary group of that user.

Group bookstack runs as

Group under which CommaFeed runs.

The group under which GlitchTip runs.

Group for bumblebee socket

Group under which blendfarm runs.

Group under which Kapacitor runs

The group to run the service as.

Group under which Pinchflat runs.

Group under which Navidrome runs.

Group under which recyclarr runs.

Group to run the service as

The group pgbouncer is run as.

Group under which headscale runs.

Charybdis IRC daemon group.

Run Apache Cassandra under this group.

Group for Ubertooth's udev rules.

Group of user running bitmagnet

Group account under which stargazer runs.

Group which rethinkdb user belongs to.

Group account under which Moonraker runs.

Group which runs the ruTorrent service.

Group account under which the service runs.

Path to the server's certificate

Group account under which Portunus runs its LDAP server.

Group name who owns the socket file.

An existing Let’s Encrypt certificate to use for this virtual host

Whether to enable Cert Spotter, a Certificate Transparency log monitor.

Path to the certificate file.

Group assigned to the device when connected.

Group under which Tandoor runs.

What to call the primary group of the dedicated user under which infinoted is run

Extra command-line arguments to pass to Cert Spotter

The user names of the group members, added to the /etc/group file.

A host of an existing Let's Encrypt certificate to use. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using security.acme.certs.

Primary group of buildbot user.

Group under which peertube-runner runs.

Group under which Suwayomi-Server runs.

Group which runs PlantUML server.

An existing Let’s Encrypt certificate to use for this virtual host

Path to the TLS certificate file

Primary group of buildbot Worker user.

Group which runs tailscale-nginx-auth

List of group entries to configure in /etc/nsswitch.conf

A switch to disable Endorsement Key (EK) certificate verification

Group under which firefly-iii-data-importer runs

Name of the group members of which will be allowed to create usershares

Group for Taskserver.

Group to grant access to the Yggdrasil control socket

The group borg is run as

Group to run the service as

Group to run homebridge as.

Group under which Govee2MQTT should run.

Group under which photoprism runs.

Group under which Szurubooru runs.

Group microsocks runs as.

The group Linkwarden should run as.

Group under which LubeLogger runs.

The group to run Reposilite under.

TLS certificates directory to use for encryption

The group to run openvscode-server under

The group GID

Group which runs the Mattermost service.

Group account under which scollector runs.

Group account under which healthchecks runs.

Group account name under which to run shairport-sync

Group to use to run nullmailer-send.

Path to the SSL certificate file

The path to a file or AF_UNIX stream socket to read the server certificate from

Group for hg.sr.ht

The group borg serve is run as

Type of group to perform a group search against.

Group under which the Periphery agent runs.

Group under which the service runs.

Group for man.sr.ht

Group for git.sr.ht

Group for hub.sr.ht

The group OpenSearch runs as

The name of the group

The group to run Silverbullet under

Group for todo.sr.ht

Group for meta.sr.ht

Path to certificate (PEM with certificate chain)

An existing Let’s Encrypt certificate to use for this virtual host

Group account under which HBase runs.

A system group name for this client instance.

A system group name for this client instance.

Group under which FileBrowser runs.

Group meshtasticd runs as.

Group under which qbittorrent runs.

Group under which Writefreely is ran.

Fully qualified path to the CA certificate.

Group name of file owner

Group for paste.sr.ht

Group for lists.sr.ht

Group for pages.sr.ht

The name of the organization responsible for the X.509 certificate's /O name.

Name of group to run the script under

group to run vdirsyncer as

Group to assign to the SGX provisioning device.

Group account under which the web-application run.

Group to run wyoming-satellite under.

Path to the certificate used for TLS.

Group under which this instance runs.

The path to the certificate directory.

TLS Certificate for gRPC server, leave blank to disable TLS

Group for builds.sr.ht

TLS Certificates to use to identify this client to the server

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

Run Suricata with a specific group-id.

Path to GitLab container registry certificate.

Use a certificate generated by the NixOS ACME module for the given host

TLS Certificate for gRPC server, leave blank to disable TLS

TLS Certificate for gRPC server, leave blank to disable TLS

Fully qualified path to the server certificate.

The group of the wrapper program.

Etcd cert file.

Group of the tpm kernel resource manager (tpmrm) device-group, set if applyUdevRules is set.

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

The group under which Anubis is run

Path to the certificate file for the mongo database.

The group of the file

The group under which Anubis is run

The group as which to run blockbook-frontend-‹name›.

Group account under which FoundationDB runs.

Group which runs the matterbridge service.

Group account under which Transmission runs.

Under which user/group the specified command is allowed to run

Whether to enable LDAPS protocol

Group under which the chrony exporter shall be run

The name of the group for this authelia instance.

Under which user/group the specified command is allowed to run

If inspectHttps is enabled, the time generated HTTPS certificates will be stored in a temporary directory for reuse

Group under which the frr exporter shall be run

Organizational unit to look up a group.

The group to run the Phosh service.

Use a certificate generated by the NixOS ACME module for the given host

Path to SSL certificate file.

Whether to enable the prometheus node-cert exporter.

Members of this group can access the control socket for this interface.

TLS Certificate for gRPC server, leave blank to disable TLS

TLS Certificate for gRPC server, leave blank to disable TLS

Additional groups to be created automatically by the system.

A host of an existing Let's Encrypt certificate to use

Alias of services.tailscaleAuth.group.

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

Extra commandline options to pass to the node-cert exporter.

Group under which this instance runs.

The group continuwuity is run as.

The group as which to run the wasabibackend node.

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

The group of the file

A host of an existing Let's Encrypt certificate to use

Group under which to run the Spreed signaling server.

Query to find a group associated to a user in the LDAP database.

This public key is an SSH certificate authority, rather than an individual host's key.

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

Group to be set as owner of the UNIX socket.

How long certs generated by Stargazer should live for

Unix Group to run the server under

User account under which CockroachDB runs

Scripts to run upon the detection of a new certificate

A host of an existing Let's Encrypt certificate to use

IPA server CA certificate

Group under which the postfix exporter shall be run

Group under which the sql exporter shall be run.

Group under which the nut exporter shall be run.

Group under which the kea exporter shall be run.

Group under which the pve exporter shall be run.

Group under which the zfs exporter shall be run.

Group under which the lnd exporter shall be run.

Path to certificate describing the server.

The certspotter package to use.

Group under which the flow exporter shall be run.

Group under which the mail exporter shall be run.

Group under which the snmp exporter shall be run.

Group under which the bind exporter shall be run.

Group under which the bird exporter shall be run.

Group under which the mqtt exporter shall be run.

Group under which the ebpf exporter shall be run.

Group under which the ipmi exporter shall be run.

Group under which the knot exporter shall be run.

Group under which the nats exporter shall be run.

Group under which the node exporter shall be run.

Group under which the ping exporter shall be run.

Group under which the json exporter shall be run.

The lmtp daemon will make the unix socket group-read/write for users in this group.

Group as which this instance of fcgiwrap will be run.

Group under which the php-fpm exporter shall be run.

The groups / GIDs this rule should apply for.

The groups / GIDs this rule should apply for.

A host of an existing Let's Encrypt certificate to use

Group under which the idrac exporter shall be run.

Group under which the dmarc exporter shall be run.

Group under which the redis exporter shall be run.

Group under which the fritz exporter shall be run.

Group under which the v2ray exporter shall be run.

Group under which the kafka exporter shall be run.

Group under which the jitsi exporter shall be run.

Group under which the nginx exporter shall be run.

The groups / GIDs this rule should apply for.

Group under which Audiobookshelf runs.

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

Group account under which libretranslate runs.

TLS Certificate for gRPC server, leave blank to disable TLS

An absolute file path (which should be outside the Nix-store) to Gemini certificates.

Group(s) of this poller.

A host of an existing Let's Encrypt certificate to use

Members of this group can control wpa_supplicant.

A list of trusted root certificates in PEM format.

Group under which the dnssec exporter shall be run.

Group under which the mysqld exporter shall be run.

Group under which the script exporter shall be run.

Group under which the fastly exporter shall be run.

Group under which the deluge exporter shall be run.

Group under which the shelly exporter shall be run.

Group under which the rspamd exporter shall be run.

Group under which the tibber exporter shall be run.

Group under which the restic exporter shall be run.

Group under which the statsd exporter shall be run.

Group under which the domain exporter shall be run.

Group under which the pihole exporter shall be run.

The lifetime (in minutes) of the resolver certificate

ID of the group in initrd.

Group under which the nvidia-gpu exporter shall be run.

The lmtp daemon will make the unix socket group-read/write for users in this group.

To enable SSL, specify path to the name of certificate files without extension

Group under which the rtl_433 exporter shall be run.

Path to certificate (PEM with certificate chain)

Group under which the libvirt exporter shall be run.

Group under which the bitcoin exporter shall be run.

Group under which the dovecot exporter shall be run.

Group under which the sabnzbd exporter shall be run.

Group under which the varnish exporter shall be run.

Group under which the klipper exporter shall be run.

Group under which the unbound exporter shall be run.

Group under which the mongodb exporter shall be run.

Group under which the dnsmasq exporter shall be run.

Group under which the ecoflow exporter shall be run.

Group under which the apcupsd exporter shall be run.

Group under which the process exporter shall be run.

Group under which the systemd exporter shall be run.

This public key is an SSH certificate authority, rather than an individual host's key.

Shared folder list

A host of an existing Let's Encrypt certificate to use

Group under which the py-air-control exporter shall be run.

Group under which the mailman3 exporter shall be run.

A list of files containing trusted root certificates in PEM format

Group under which the mikrotik exporter shall be run.

Group under which the opnsense exporter shall be run.

Group under which the postgres exporter shall be run.

Group under which the nginxlog exporter shall be run.

Group under which the unpoller exporter shall be run.

Group under which the graphite exporter shall be run.

Group under which the fritzbox exporter shall be run.

Group under which the smartctl exporter shall be run.

Group under which the blackbox exporter shall be run.

Group under which the influxdb exporter shall be run.

Group under which the keylight exporter shall be run.

Group under which the collectd exporter shall be run.

Path to the sendmail binary

A host of an existing Let's Encrypt certificate to use

Group account under which changedetection-io runs.

A host of an existing Let's Encrypt certificate to use

User under which to run the service

Port to listen on.

Domain names to watch

Which user or group the specified command is allowed to run as

User owning the certs.

File path to a cert file.

Group under which the imap-mailstat exporter shall be run.

A host of an existing Let's Encrypt certificate to use

Members of this group can control wpa_supplicant.

Group under which the borgmatic exporter shall be run.

Group under which the surfboard exporter shall be run.

Group under which the rasdaemon exporter shall be run.

Group under which the nextcloud exporter shall be run.

Group under which the smokeping exporter shall be run.

Group under which the tailscale exporter shall be run.

Group under which the pgbouncer exporter shall be run.

Group under which the wireguard exporter shall be run.

Group under which the junos-czerwonk exporter shall be run.

Whether to enable certmgr.

Enable support for SANE scanners.

The user names of the group members, added to the /etc/group file.

List of paths to search for SSL certificates.

A host of an existing Let's Encrypt certificate to use

A host of an existing Let's Encrypt certificate to use

The interval before a certificate expires to start attempting to renew it.

User under which the service should run

Default kubeconfig client certificate file used to connect to kube-apiserver.

Group under which the buildkite-agent exporter shall be run.

Group under which the storagebox exporter shall be run.

Group under which the scaphandre exporter shall be run.

Certificate specs as described by: https://github.com/cloudflare/certmgr#certificate-specs These will be added to the Nix store, so they will be world readable.

A host of an existing Let's Encrypt certificate to use

Section for a certificate candidate to use for authentication

Group under which the exportarr-lidarr exporter shall be run.

Group under which the exportarr-sonarr exporter shall be run.

Group under which the exportarr-bazarr exporter shall be run.

Group under which the exportarr-radarr exporter shall be run.

A list of email addresses to send certificate updates to.

Path to a SSL certificate file for the server

Cert file to use for peer to peer communication

Optional slot number of the token that stores the certificate.

Certificate file for MQTT server access.

Section for a certificate candidate to use for authentication

The certmgr package to use.

A host of an existing Let's Encrypt certificate to use

Optional slot number of the token that stores the certificate.

Kubernetes proxy client certificate file used to connect to kube-apiserver.

Group under which the exportarr-readarr exporter shall be run.

Group under which the artifactory exporter shall be run.

Optional PKCS#11 module name.

Absolute path to the certificate to load

The group of the running mount.davfs daemon

Optional PKCS#11 module name.

The objectclass attribute to search for groups when enableLdapRoles is true

Absolute path to the certificate to load

The group which should be allowed access to the given resource.

List of paths to exclute from searching for SSL certificates.

Group under which the exportarr-prowlarr exporter shall be run.

Address to listen on.

Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively

Open port in firewall for incoming connections.

The port for the Prometheus HTTP endpoint.

List files matching a pattern to include

List files matching a pattern to include

Kubelet client certificate file used to connect to kube-apiserver.

Group under which the modemmanager exporter shall be run.

How to call postfix setgid group (for postdrop)

Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively

Specify rules for nftables to add to the input chain when services.prometheus.exporters.node-cert.openFirewall is true.

The directory holding configuration files, the SQlite database and the SSL Cert.

Group directory, relative to root.

The default CA host:port to use.

Kubernetes scheduler client certificate file used to connect to kube-apiserver.

This specifies the service manager to use for restarting or reloading services

Enables hackrf udev rules and ensures 'plugdev' group exists

Specify a filter for iptables to use when services.prometheus.exporters.node-cert.openFirewall is true

Certificates for agnos to issue or renew.

Path to keystore (combined PEM with cert/key, or PKCS12 keystore)

List of certificates to accept for authentication

The address for the Prometheus HTTP endpoint.

How often to check certificate expirations and how often to update the cert_next_expires metric.

The port and interface of the listen endpoint in the form [HOST]:PORT[+CERT].

List of certificate candidates to use for authentication

Certificate file for client cert authentication to the server.

The port group variables for suricata.

This tells pgmanage to only allow users in a certain PostgreSQL group to login to pgmanage

The group to use for settings permissions

When set to something distinct to null NSD is able to collect statistics per zone

Groups to include in initrd.

Certificate file for client cert authentication to the server.

NNTP group name for the inbox.

Limit access to the ckb daemon to a particular group.

All groups to provision

groups.ini contents

Web server directory.

The path to the TLS key.

  nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"

Domains the certificate represents

Kubernetes controller manager client certificate file used to connect to kube-apiserver.

Certificate file for client cert authentication to the server.

The path to the TLS certificate.

  nix-shell -p dendrite --command "generate-keys --tls-cert server.crt --tls-key server.key"

Whether to enable the flag "--ignore-certificate-errors" for the Chromium browser opened by Jibri

Whether to ensure that this group is present or absent.

Attribute for a name of group.

Control group which subgroups are placed under

Name of the runner group to add this runner to (defaults to the default runner group)

The group GID

Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly

List of kanidm entities (persons, groups, ...) which are part of this group.

Only allow members of the wheel group to execute sudo by setting the executable's permissions accordingly

Whether to add Wireshark to the global environment and create a 'wireshark' group

Whether to preserve the TERMINFO and TERMINFO_DIRS environment variables, for root and the wheel group.

The name of the group

If set to true, you are free to add new users and groups to the system with the ordinary useradd and groupadd commands

IRCD server SSL certificate

Root of the certificate directory.

The directory where TLS certificates are stored.

Whether to allow users in the 'wireshark' group to capture USB traffic

Whether to allow users in the 'wireshark' group to capture network traffic

Path to certificate file.

List of CA certificates to accept for authentication

Path to the certificate used for SSL connections with clients.

The address group variables for suricata, if not defined the default value of suricata (see example) will be used

Count of subordinate group ids

A regexp matching the full paths of cgroups whose data shouldn't be collected

Subordinate group ids that user is allowed to use

Options used for the default rules, granting root and the wheel group permission to run any command as any user.

Path under which the stats socket is placed

File holding nginx configuration that sets the nonce used to create secret links

Options used for the default rules, granting root and the wheel group permission to run any command as any user.

Path to the private key used for TLS.

Automatically allocate subordinate user and group ids for this user

The path to the client cert

Path to CA bundle file (PEM/X509)

A list of attribute sets containing paths to TLS certificates and keys

Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.

Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.

Path to the certificate key file (if protocol is set to https or h2).

Path to keystore (combined PEM with cert/key, or PKCS12 keystore)

Server certificate to use for TLS

Certificate file for securing RPC connections.

LDAP filter for groups.

Whether users of the wheel group must provide a password to run commands as super user via run0.

Cgroups to write in 'nixCgroups.cgroups'

Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers

Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers

Extra configuration for cgroup.conf

Whether users of the wheel group must provide a password to run commands as super user via sudo.

Whether users of the wheel group must provide a password to run commands as super user via doas.

Set workgroup name (default WORKGROUP).

Start of the range of subordinate group ids that user is allowed to use.

When not set to null this option defines the path at which the unbound remote control socket should be created at

Whether users of the wheel group must provide a password to run commands as super user via sudo.

Path to the certificate file (if protocol is set to https or h2).

Authorization group memberships to require

Chain of CA-certificates to which our certificateFile is relative

Path to certificate.

Whether to install Light backlight control command and udev rules granting access to members of the "video" group.

This option disables password/group lookups

Count of subordinate group ids

Restrict logins to members of these Google groups.

A class that groups will have.

The full path to the PEM encoded TLS certificate

The full path to the PEM encoded TLS certificate

The full path to the PEM encoded TLS certificate

Subordinate group ids that user is allowed to use

Shared roster support

Whether to automatically generate cfssl API webserver TLS cert and key, if they don't exist.

Extra permission groups to attach to the KMonad instance for this keyboard

The name of this group

Whether to enable brillo in userspace

Automatically allocate subordinate user and group ids for this user

Extra x509 Subject Alternative Names to be added to the cfssl API webserver TLS cert.

Path to your SSL certificate

Path to certificate file

Path to the TLS certificate for the web UI

Whether to enable JACK Audio Connection Kit

Whether to enable i2c devices support

TLS certificate path.

TLS ceritficate path.

Whether to permit root access only to members of group wheel.

Enables udev rules for BladeRF devices

Path to certificate file

Certificate file for MQTT

Whether users of the wheel group must provide a password to run commands or edit files with please and pleaseedit respectively.

Name of the rule group

Whether to enable the systemd JSON user/group record lookup service .

The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM

If true, allow all clients, do not check client cert subject.

A list of group names that belong to the organization.

Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint

Whether the member list should be overwritten each time (true) or appended (false)

Whether to configure a setcap wrapper for tcpdump

Start of the range of subordinate group ids that user is allowed to use.

Enable support for attaching AppArmor profiles at the user/group level, e.g., as part of a role based access control scheme.

Path to HTTPS listener certificate.

The members of this group

Default group to store mail for virtual users.

Enable saned network daemon for remote connection to scanners.

saned would be run from scanner user; to allow access to hardware that doesn't have scanner group you should add needed groups to this user.

Provisioning of kanidm groups

The name that will be given to this DNSCrypt resolver.

Path to MySQL listener certificate.

Output path for the certificate private key

The user of the file

Whether to check the resulting config file with unbound checkconf for syntax errors

Enables Glasgow udev rules and ensures 'plugdev' group exists

Name of the folder the rule group will be stored in

The terminal permissions: the login tty will be owned by the TTYGROUP group, and the permissions will be set to TTYPERM

Whether to enable cgroup accounting; see cgroups(7).

Path to certificate file

Whether to enable minipro and its udev rules

Disable checking that at least the root user or a user in the wheel group can log in using a password or an SSH key

Configure SSL server certificates to terminate the SSL sessions

Specifies which users are considered “administrators”, for those actions that require the user to authenticate as an administrator (i.e. have an auth_admin value)

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Whether to enable sedutil, to manage self encrypting drives that conform to the Trusted Computing Group OPAL 2.0 SSC specification.

Defines a group of servers to use as proxy target.

Indicates whether this is an account for a “real” user

Whether to enable incusd, a daemon that manages containers and virtual machines

Whether to configure system to use gphoto2

Configuration file for persisting runtime changes

Whether to enable PdfDing service

User that runs smokeping and (optionally) thttpd

Ensure that only the given members are part of this group at every server start.

Extra x509 Subject Alternative Names to be added to the kubernetes apiserver tls cert.

All listed users will become part of the timekpr group so they can manage timekpr settings without requiring sudo.

Whether to enable Portunus, a self-contained user/group management and authentication service for LDAP.

GID where the socket should be set when protocol=socket

Interval that the rule group should be evaluated at

Whether to enable Google OS Login

Path to the TLS certificate file

Enables rtl-sdr udev rules, ensures 'plugdev' group exists, and blacklists DVB kernel modules

Enable Docker support

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Path to CA certificate to use for client authentication.

Installs flashrom and configures udev rules for programmers used by flashrom

Usernames to be added to the "openrazer" group, so that they can start and interact with the OpenRazer userspace daemon.

Additional groups under which Traefik runs

Path to PostgreSQL listener certificate.

Whether or not to enable the headless Aria2 daemon service

Group where a user must be a member of to gain superuser rights.

The full path to the PEM encoded TLS certificate

The full path to the PEM encoded TLS certificate

Which LDAP group attribute to search for authorized role ARNs

The path to the CA certificate to use.

Path to already created certificate.

Whether to use NetworkManager to obtain an IP address and other configuration for all network interfaces that are not manually configured

The user of the file

User or group to restrict

Whether to install and set up mouse-actions and it's udev rules

Indicates whether this is an account for a “real” user

This option will ensure that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Enable acpilight

Data directory for Quickwit

Data directory for Temporal

Whether to configure Privoxy to inspect HTTPS requests, meaning all encrypted traffic will be filtered as well

By default, all networks will get same priority group (0)

Make the Podman socket available in place of the Docker socket, so Docker tools can find the Podman socket

Whether to enable automatically creating the user given in services.dovecot.user and the group given in services.dovecot.group.

Whether to enable CoreCtrl, a tool to overclock amd graphics cards and processors

A list of names of users that have additional rights when connecting to the Nix daemon, such as the ability to specify additional binary caches, or to import unsigned NARs

Account certificate file, necessary to create, delete and manage tunnels

Enables sheep_net udev rules, ensures 'sheep_net' group exists, and adds sheep-net to boot.kernelModules and boot.extraModulePackages

Defines the name of the claim that contains group memberships or role assignments in the provider's userinfo endpoint

Path to CA bundle file (PEM/X509)

Certificate file for client cert authentication to the server.

Whether to enable the feedbackd D-BUS service and udev rules

Whether to enable libutempter for mosh

Whether to enable libutempter for tmux

Path to a cert file for connecting to kubelet.

Whether to enable mx-puppet-discord is a discord puppeting bridge for matrix

Enables kryoflux udev rules, ensures 'floppy' group exists

List of groups this person should belong to.

Users to be added to the idevice group.

If enabled, starts a Terraria server

A system group name for this client instance.

A system group name for this client instance.

Set group-write permissions on a USB device

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Certificate file for client cert authentication to the server.

Whether to allow logging into accounts that have no password set (i.e., have an empty password field in /etc/passwd or /etc/group)

Whether to add Soundmodem to the global environment and configure a wrapper for 'soundmodemconfig' for users in the 'soundmodem' group.

Primary name for use (as a suffix) in:

• systemd service name,
• hardened user name and group,
• systemd *Directory= names,
• desktop application identification,

Primary name for use (as a suffix) in:

• systemd service name,
• hardened user name and group,
• systemd *Directory= names,
• desktop application identification,

This option will ensure that team memberships for OpenID Connect users are dynamic and synchronized with membership of OpenID Connect groups or assigned roles

Users that intend to use BenchExec

The file mode creation mask for Aria2 service

Whether to enable udev rules for devices supported by libjaylink

Whether to enable non-root access to the firmware of UHK keyboards

The user borg is run as

Enable CIS Hardening for RKE2

The certificates may use a relative path from the swanctl x509ca directory or an absolute path

Certificate to authenticate with.

Certificate file for client cert authentication to the server.

Account certificate file, necessary to create, delete and manage tunnels

Whether to assign user roles based on the user's LDAP group memberships

Path to the Unbound control socket certificate

Key file for client cert authentication to the server.

HOME_NET variable.

Include services.beszel.agent.smartmon.package in the Beszel agent path for disk monitoring and add the agent to the disk group.

Data directory for OpenSearch

Path to the certificate used for the HTTPS listener

The user borg serve is run as

A set that will be generated into configuration file, see the SmartDNS README for details of configuration parameters

Key file for client cert authentication to the server.

Certificates for additional domains.

Output path for the full chain including the acquired certificate

Certificate file for client cert authentication to the server.

Section for a CA certificate to accept for authentication

If true, a system-wide PipeWire service and socket is enabled allowing all users in the "pipewire" group to use it simultaneously

If true, allow all clients, do not check client cert subject.

Path to private key.

Optional slot number of the token that stores the certificate.

Directory for storing certificates to be used by Neo4j for TLS connections

The path to a TLS certificate bundle used to verify the server's certificate.

Whether to enable lemurs, a customizable TUI display/login manager.

Enable hardened VirtualBox, which ensures that only the binaries in the system path get access to the devices exposed by the kernel modules instead of all users in the vboxusers group.

DNP3_SERVER variable.

DNP3_CLIENT variable.

Key file for client cert authentication to the server.

ENIP_CLIENT variable.

ENIP_SERVER variable.

Optional PKCS#11 module name.

All listed users will become part of the firezone-client group so they can control the tunnel service

The user and group to run nebula-lighthouse-service as.

Certificate file for client cert authentication to the server.

Absolute path to the certificate to load

Hostgroups to declaratively load into FastNetMon Advanced

DC_SERVERS variable.

AIM_SERVERS variable.

DNS_SERVERS variable.

SQL_SERVERS variable.

Name is used as a suffix for the service name, user, and group

SMTP_SERVERS variable.

HTTP_SERVERS variable.

Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively

Tell multipathd how to manage path group failback

The common name field of the certificate used by the mysql or postgres server

Send certificate payloads when using certificate authentication.

• With the default of ifasked the daemon sends certificate payloads only if certificate requests have been received.
• never disables sending of certificate payloads altogether,
• always causes certificate payloads to be sent unconditionally whenever certificate authentication is used

MODBUS_CLIENT variable

MODBUS_SERVER variable.

Certificate file for client cert authentication to the server.

EXTERNAL_NET variable.

The systemd KillMode to use for glusterd.

glusterd spawns other daemons like gsyncd

Whether to sync ldap groups into BitWarden.

TELNET_SERVERS variable.

Postgresql database superuser used to create Nominatim database and import data

Group policies to install

The filepath to the provider secret key

Write logs to a specific Cloudwatch Logs group.

List of certificate policy OIDs the peer's certificate must have

Group policies to install

Username for the postgresql connection

The permission for settings.dir

List of rule groups to import or update.

Specifies a program to be used to look up the user's public keys

If false, a PulseAudio server is launched automatically for each user that tries to use the sound system

Multiaddr or array of multiaddrs describing the address to serve the local HTTP API on

Number of I/O requests to route to a path before switching to the next in the same path group

A changegroup script which is installed in every mercurial repo

If given an IP address, it can be a host name ("localhost"), an IPv4 dotted-quad ("127.0.0.1") or an IPv6 address enclosed in square brackets ("[::1]").

(VCL4.1 and higher) If given an absolute Path ("/path/to/listen.sock") or "@" followed by the name of an abstract socket ("@myvarnishd") accept connections on a Unix domain socket

Send certificate request payloads to offer trusted root CA certificates to the peer

Defines the base URI for the Hash and URL feature supported by IKEv2

Whether to enable the headless Transmission BitTorrent daemon

This option enables docker, a daemon that manages linux containers

This option enables lxd, a daemon that manages containers

List of groups to allow access to this vhost, or null to allow all.

Whether to enable KVMGT (iGVT-g) VGPU support

PEM encoded X509 certificate for TLS

Listen on a UNIX socket at the specified path

Defines Anuko Time Tracker default language

SSL key in PEM format

Username for the postgresql connection

Allow users of the wpa_supplicant group to control wpa_supplicant through wpa_gui or wpa_cli

This option enables libvirtd, a daemon that manages virtual machines

Path to a file containing the password

Number of I/O requests to route to a path before switching to the next in the same path group

All relay groups to provision

The name of this relay group

Whether to enable VirtualBox.

Hardened service:

• runs as a dedicated user with minimal set of permissions (see caveats),
• restricts daemon configuration socket access to dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),

Even though the local system resources access is restricted:

• CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,
• older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,

Known security features that are not (yet) integrated into the module:

• 2024-02-14: rosenpass is an experimental feature configurable solely through --enable-rosenpass flag on the netbird up command, see the docs

Hardened service:

• runs as a dedicated user with minimal set of permissions (see caveats),
• restricts daemon configuration socket access to dedicated user group (you can grant access to it with users.users."<user>".extraGroups = [ netbird-‹name› ]),

Even though the local system resources access is restricted:

• CAP_NET_RAW, CAP_NET_ADMIN and CAP_BPF still give unlimited network manipulation possibilites,
• older kernels don't have CAP_BPF and use CAP_SYS_ADMIN instead,

Known security features that are not (yet) integrated into the module:

• 2024-02-14: rosenpass is an experimental feature configurable solely through --enable-rosenpass flag on the netbird up command, see the docs

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Do not send VRRP adverts over VRRP multicast group

Attribute set of NetBird client daemons, by default each one will:

1. be manageable using dedicated tooling:

• netbird-<name> script,
• NetBird - netbird-<name> graphical interface when appropriate (see ui.enable),

2. run as a netbird-<name>.service,
3. listen for incoming remote connections on the port 51820 (openFirewall by default),
4. manage the netbird-<name> wireguard interface,
5. use the /var/lib/netbird-/config.json configuration file,
6. override /var/lib/netbird-/config.json with values from /etc/netbird-/config.d/*.json,
7. (hardened) be locally manageable by netbird-<name> system group,

With following caveats:

• multiple daemons will interfere with each other's DNS resolution of netbird.cloud, but should remain fully operational otherwise

All gateway groups (sites) to provision

The name of this gateway group

Path to a file containing the password

Remove users from bitwarden groups if no longer in the ldap group.

Attribute that lists members in a LDAP group.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Enable distributed billing on this poller

A list of groups for which targets are retrieved, only supported when targeting the container role

The targets specified by the target group.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

Key file for client cert authentication to the server.

The default path grouping policy to apply to unspecified multipaths

Key file for client cert authentication to the server.

If not null, is used as the permissions set by system.activationScripts.transmission-daemon on the directories services.transmission.settings.download-dir, services.transmission.settings.incomplete-dir. and services.transmission.settings.watch-dir

Key file for client cert authentication to the server.

Listen on a UNIX socket at the specified path

Key file for client cert authentication to the server.

The string by which Uyuni group names are joined into the groups label

Defaults to , in prometheus when set to null.

Key file for client cert authentication to the server.

Kanidm groups that are allowed to login using PAM.

Time to schedule CHILD_SA rekeying

Kanidm groups that are allowed to login using PAM.

Number of bytes processed before initiating CHILD_SA rekeying

Number of packets processed before initiating CHILD_SA rekeying