Name is used as a suffix for the service name, user, and group

Multi-domain protection currently requires multiple instances of Authelia

Here you can provide authelia with configuration files or directories

Additional environment variables to provide to authelia

The name of the user for this authelia instance.

The name of the group for this authelia instance.

Whether to enable Authelia instance.

The authelia package to use.

It is recommended you keep your secrets separate from the configuration

Your Authelia config.yml as a Nix attribute set

The theme to display.

Instance ID for when running multiple processes (default null).

Instance name used to distinguish between different instances

uWSGI configuration

Level of verbosity for logs.

Path to your JWT secret used during identity verificaton.

Configuring authelia's secret files via the secrets attribute set is intended to be convenient and help catch cases where values are required to run at all

Format the logs are written as.

The instance ID to listen for events for.

Path to your HMAC secret used to sign OIDC JWTs.

Instance name.

The instance url to which the provisioning tool should connect.

The address to listen on.

Path to your session secret

Instance administrator email.

File path where the logs will be written

Path to your private key file used to encrypt OIDC JWTs.

Set of btrbk instances

Errbot instance configs

Permits to raise one or more cups-pdf instances

Whether to also log to stdout when a file_path is defined.

Path to your storage encryption key.

The name identifying the runner instance towards the Gitea/Forgejo instance.

How often this btrbk instance is started

Enable Metrics.

The address to listen on for metrics

Whether to enable a CUPS printer queue for this instance

Attribute set of vault-agent instances

Data directory for errbot instance.

User under which this instance runs.

The name of the instance.

Whether to enable ytdl-sub instance.

Group under which this instance runs.

varnishstat -n value.

Whether to enable this instance of Anubis.

Instance description.

Whether to enable this vault-agent instance.

The fallback instance name if not configured into the admin UI

Configure the instance from config server

Whether to enable this v4l2-relayd instance.

Enable the instance.

Assign a icinga instance to this transport

Frp instances.

Attribute set of consul-template instances

User under which this instance runs.

Base URL of your Gitea/Forgejo instance.

Group under which this instance runs.

Whether to enable this cups-pdf instance.

Path to easytier config file

This option specifies the Nix package instance to use throughout the system.

Configuration for ytdl-sub instances.

Plain token to register at the configured Gitea/Forgejo instance.

Whether to enable this consul-template instance.

Extra packages to add to GST_PLUGIN_PATH for the instance.

Group as which this instance of fcgiwrap will be run.

Whether to enable Gitea Actions Runner instance.

User as which this instance of fcgiwrap will be run

This will contain the contents of cups-pdf.conf for this instance, derived from settings

Directory where Akkoma will put uploaded files.

Path to an environment file, containing the TOKEN environment variable, that holds a token to register at the configured Gitea/Forgejo instance.

Default 2FA method for new users and fallback for preferred but disabled methods.

v4l2-relayd instances to be created.

URL of the PeerTube instance.

The address that Anubis listens to

Define multiple instances of vmalert.

Whether to enable frp.

The number of instances to start

Directory of static files

Whether to enable this radicle-native-ci instance.

Home directory of the Nexus3 instance.

An attribute set of Anubis instances

The frp consists of client and server

EasyTier instances.

Path to a file containing the logo of your Hydra instance.

Instances of clamsmtp to run.

Configuration for fcgiwrap instances.

Settings for a cups-pdf instance, see the descriptions in the template config file in the cups-pdf package

Your instance's hostname

Whether to enable the actkbd key mapping daemon

Automatic backup of important data to a AWS S3 (or compatible) instance

Configuration for ytdl-sub

FQDN for the grocy instance.

Runner name declared to the PeerTube instance.

An attribute set of database instances as described in: https://pgbackrest.org/configuration.html#section-stanza

Each instance defaults to set pg-host to the attribute's name

Configure mailpit instances

Errbot log level

Declarative instance config

SMTP bind interface and port.

The name of this nylon instance.

Only allow read operations from this Neo4j instance.

The user under which Anubis is run

List of identifiers of errbot admins.

Environment files for this instance

Local Redis instance name

Configuration of multiple mautrix-meta instances. services.mautrix-meta.instances.facebook and services.mautrix-meta.instances.instagram come preconfigured with network.mode, appservice.id, bot username, display name and avatar.

Anubis policy configuration

The group under which Anubis is run

List of paths that ytdl-sub can write to.

Whether to enable a Movim instance.

Maximum number of emails to keep

A list of extra flags to be passed to Anubis.

The email for the From: header in emails

The name the camera will show up as.

Errbot backend name.

List of errbot plugin derivations.

FQDN of the Jitsi Meet instance.

HTTP bind interface and port for UI.

The base URL for the Hydra webserver instance

Identify different instances on same host

Frp configuration, for configuration options see the example of client or server on github.

The width to read from input-stream.

Gitea Actions Runner instances.

Location of the server instance files

The address Anubis' metrics server listens to

String to be appended to the config verbatim

Whether to enable hub instance.

The vault package to use.

Fully-qualified domain name (FQDN) for the Movim instance.

Id of the MySQL server instance

The ntfy-sh user to use for authenticating with the ntfy-sh instance

configuration options for btrbk

How often to run ytdl-sub

A list of the given alerting or recording rules against configured "datasource.url" compatible with Prometheus HTTP API for vmalert to execute

Errbot identity configuration

The height to read from input-stream.

Address to wait for incoming SMTP connections on

Path to the directory with database, registration, and other data for the bridge service

The video-format to read from input-stream.

Time-out for network connections.

Wether to enable VictoriaMetrics's vmalert.

vmalert evaluates alerting and recording rules against a data source, sends notifications via Alertmanager.

A header to add to scanned messages

Extra args append to the easytier command-line.

Action to take when a virus is detected

Whether to enable Mautrix-Meta, a Matrix <-> Facebook and Matrix <-> Instagram hybrid puppeting/relaybot bridge.

Send the XCLIENT command to the receiving server, for forwarding client addresses and connection information if the receiving server supports this feature.

User to be set as owner of the UNIX socket.

Socket type: 'unix', 'tcp' or 'tcp6'.

The video-format to write to output-stream.

Address of the SMTP server to send email to once it has been scanned.

Timezone of your SOGo instance

Anubis policy configuration in Nix syntax

Mode to be set on the UNIX socket

Freeform configuration via environment variables for Anubis

Additional bot rules appended to the policy

Group to be set as owner of the UNIX socket.

Email domains handled by this instance

Number of seconds to wait between each NOOP sent to the sending server. 0 to disable

Title of the instance.

Command to run when a virus is found

vmalert configuration, passed via command line flags

The gstreamer-pipeline to use for the input-stream.

Runner description declared to the PeerTube instance.

Port to bind local redis instance to.

Address to bind local redis instance to.

radicle-native-ci adapter instances.

Whether this is the master instance of your Graylog cluster

Whether to open the default ports in the firewall: TCP/UDP 22000 for transfers and UDP 21027 for discovery

Settings to generate easytier-‹name›.toml

URL of instance

Domain name of the docs instance.

Domain name of the meet instance.

Free-form settings written directly to the config.json file

The email for the Reply-To: header in emails

The consul-template package to use.

The reverse proxy target that Anubis is protecting

Socket address

Runtime directory shared between the taler services

The framerate to read from input-stream.

FQDN for the Kanboard instance.

FQDN for the Pixelfed instance.

Automatically determine the IPv4 address of this peer based on existing peers on network.

The systemd unit (a service or a target) for other services to depend on if they need to be started after matrix-synapse

PeerTube instances to register this runner with.

Path to the files with alerting and/or recording rules.

Specify the local database filename to store persistent data

Whether to enable a Pixelfed instance.

Which package to use for the ownCloud Infinite Scale instance.

If this instance is part of a replica set, set its name here

config.yaml configuration as a Nix attribute set

Whether to run in snapshot only mode

Temporary directory that needs to be accessible to both clamd and clamsmtpd.

The hosts config to be merged with the settings

Number of processes to prefork.

Peers to connect initially

Server configuration, see https://maddy.email for more information

Extra settings to add to easytier-‹name›.toml.

Path to a file containing a registration token for the PeerTube instance

Additional policy settings merged into the policy file

IPv4 cidr address of this peer in the virtual network

spool directory

The domain name serving your Weblate instance.

FQDN for the froide-govplan instance.

Adapter name that is used in the radicle-ci-broker configuration

Definitions of SIIT instances of Jool

output directory; ${HOME} will be expanded to the user's home directory, ${USER} will be expanded to the user name.

The policy file to use

The nextcloud-occ program preconfigured to target this Nextcloud instance.

Whether the configuration file specifies a remote mongo instance

Endpoint for the victorialogs instance

Path to use for the pid file.

Real name of the owner of the instance

FQDN for the nextcloud instance.

FQDN for the ruTorrent instance.

Whether to quarantine files that contain viruses by leaving them in the temporary directory.

Configuration for act_runner daemon

Labels used to map jobs to their runtime environment

Name of the database instance to connect to

path for anonymously created PDF files

Whether to serve a default robots.txt that denies access to common AI bots by name and all other bots by wildcard.

Whether to include Anubis's default bot detection rules via the (data)/meta/default-config.yaml import

Definitions of NAT64 instances of Jool

The network family that Anubis should bind to

Template section of vault-agent

Mail transfer agent (MTA) integration

Home directory of the PlantUML server instance.

IP and port to which this redis instance acts as a slave.

PostgreSQL host for operating remotely.

List of packages, that are available to actions, when the runner is configured with a host execution label.

Whether to add registration file to services.matrix-synapse.settings.app_service_config_files and make Synapse wait for registration service.

Shell commands executed when the instance is starting.

List of paths files that follows systemd environmentfile structure

Whether to enable a Jibri instance and configure it to connect to Prosody

The domain serving your Dawarich instance.

The domain serving your CastoPod instance.

The domain serving your Mastodon instance.

The domain serving your PeerTube instance.

The radicle-native-ci package to use.

Mutual TLS - client certificate to call remote instance requiring client certs.

Whether to enable JiCoFo instance and configure it to connect to Prosody

Configure this LibreNMS instance as a distributed poller

location of GhostScript binary

Prometheus Alertmanager URL

Mutual TLS - client key to call remote instance requiring client certs

Maximum number of connections to accept at once.

Hostname shown in peer list and web console.

URL of the Immich instance

Whether to enable jigasi instance and configure it to connect to Prosody

Free-form settings written directly to the config.json file

Host or address that this Mattermost instance listens on.

Hostname of the instance.

Whether to enable the Hologram agent for AWS instance credentials

Shell commands executed when the instance is shutting down.

Configuration of radicle-native-ci

Enable clamsmtp's transparent proxy support.

Whether or not SSL verification should be enabled for outgoing connections to the homeserver.

Location where RethinkDB stores its data, 1 data directory per instance.

User for anonymous PDF creation

File where radicle-native-ci should write the run log.

Salt to allow room operator passwords generated by this server instance to still work when the server is restarted

The name of this installation.

This file contains the full URI that can be used to access this instance of CouchDB

The difficulty required for clients to solve the challenge

The full URL that the Sharkey instance will be publically accessible on

Subscriptions for ytdl-sub

URL this Mattermost instance is reachable under, without trailing slash.

Path to use for the pid file.

The base URI below which your pretalx instance will be reachable.

Whether to enable the Hologram server for AWS instance credentials

If set, shows a contact email address when rendering error pages

Datasource compatible with Prometheus HTTP API.

Directory where per-run directories are stored.

The network family that the metrics server should bind to

A system user name for this client instance.

A system user name for this client instance.

Set the log level of the daemon.

The directory where pantalaimon should store its state such as the database file.

Whether to install a wrapper around pleroma_ctl to simplify administration of the Akkoma instance.

If set, sshd is socket-activated; that is, instead of having it permanently running as a daemon, systemd will start an instance for each incoming connection.

Each attribute of this option defines a systemd service that runs an OpenVPN instance

Template section of consul-template

Extra configuration for roundcube webmail instance

Path to the file that contains the server salt

The domain name of your instance

Whether to enable a local mongodb instance.

Listener addresses to accept connections from other peers

The domain name of your instance (eg 'hatsu.local').

Path to the yaml registration file of the appservice.

LiveKit key file holding one or multiple application secrets

Whether this OpenVPN instance should be started automatically.

A system group name for this client instance.

A system group name for this client instance.

User account under which this instance of redis-server runs.

Instance hostname (base domain name)

Whether clients will access your PeerTube instance with HTTPS

Whether to set up a local redis instance.

IP on which the server instance will listen for incoming ServerQuery connections

IP on which the server instance will listen for incoming voice connections

Packages added to the adapter's PATH.

Rendering mode of grafana-image-renderer:

• default: Creates on browser-instance per rendering request.
• reusable: One browser instance will be started and reused for each rendering request.
• clustered: allows to precisely configure how many browser-instances are supposed to be used

A system group name for this client instance.

A system group name for this client instance.

The domain name of your instance (eg 'lemmy.ml').

The path to the file containing the Redis password

Whether to enable Open Graph tag passthrough

Cryptpad configuration settings

Create and use a local Redis instance

Whether to enable authenticating using a signature performed by the ssh-agent

Group account under which this instance of redis-server runs.

This tells pgmanage whether or not to only allow super users to login

Whether to enable this instance of Anubis.

Whether to enable this wstunnel instance.

Whether to enable this wstunnel instance.

The port where the daemon will listen to client connections for this homeserver

The domain serving your FileSender instance.

File containing environment variables to substitute when copying the configuration out of Nix store to the services.mautrix-meta.dataDir

Base URL for build logs (mandatory for access from CI broker page).

A list of host:port for the Redis servers that are part of a cluster

Whether to enable starting this wstunnel instance automatically.

Whether to enable starting this wstunnel instance automatically.

The origin of your Kanidm instance

Whether to enable creation of database on the instance.

List of Systemd services to require and wait for when starting the application service.

Role of the MySQL server instance.

Directory under which Actual runs and saves its data

The origin of your Kanidm instance

FQDN for the OnlyOffice instance.

Whether to configure the required settings to use pfix-srsd in the local Postfix instance.

The address where the daemon will listen to client connections for this homeserver.

EasyTier network name.

Nextcloud's data storage path

Enable the karakeep-browser service that runs a chromium instance in the background with debugging ports exposed

Extra configuration options

A list of names of users that have additional rights when connecting to the Nix daemon, such as the ability to specify additional binary caches, or to import unsigned NARs

Overwrite the URL for the GitLab instance

Configuration of this OpenVPN instance

Path to the session tokens file

Instance theme.

Which package to use for the Nextcloud instance.

Make your The Lounge instance public

Whether to enable Paperless-ngx

Host and port used to connect to a redis instance.

If you're running a self hosted instance and wish to serve public links, set this to the URL where your albums web app is running.

Whether to enable and configure a local Redis instance.

General description of the instance

Instance hostname (base domain name)

Whether to automatically set up the database on the local DBMS instance

The registration service that generates the registration file

The path to the password for the specified ntfy-sh user

The URI of the homeserver that the pantalaimon proxy should forward requests to, without the matrix API path but including the http(s) schema.

Whether to enable captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings.

Enable Tandoor Recipes

Specifies the platform on which NixOS should be built

Lock backend to use: 'local' (single instance), 'redis' (distributed), 'postgres' (distributed, requires PostgreSQL)

Enables InfluxDB on the host system using the services.influxdb2 NixOS module with default options

pantalaimon options (enables E2E Encryption support)

LiveKit key file holding one or multiple application secrets

The primary account of your instance (eg 'example.com').

Whether to configure the required settings to use postsrsd in the local Postfix instance.

The port of the InfluxDB instance.

config.xml configuration as a Nix attribute set

This is the URL that users will enter to load your instance

IP on which the server instance will listen for incoming file transfer connections

Enable billing Cron-Jobs on the local instance

Whether to automatically set up the database on the local DBMS instance

IP or hostname of the InfluxDB instance.

URL of a cgit instance

Compress the btrfs send stream before transferring it from/to remote locations using a compression command.

Custom base path for this Reposilite instance

EasyTier network credential used for verification and encryption

lnd instance gRPC address:port.

Configure Nginx as a reverse proxy for Cryptpad

Jitsi Videobridge instance and configure it to connect to Prosody

Whether to enable a local mongodb instance.

URL of the immich instance.

The domain that Kanidm manages

The domain that Kanidm manages

Whether to configure the required settings to use postfix-tlspol in the local Postfix instance.

FQDN for the Oncall instance.

The hostname of this ncdns instance, which defaults to the machine hostname

Extra configuration for the postfixadmin instance, see postfixadmin's config.inc.php for available options.

How many invidious instances to run

Whether to enable creating a postgresql instance.

The port Conduit will be running on

Default instance (unit) priority.

Replace YouTube links with links to this instance (blank to disable).

The port(s) tuwunel will be running on

Whether to allow invalid certificates when provisioning the target instance

Domain name of the instance.

Whether to enable Libravatar as profile picture source on your instance

Replace Reddit links with links to this instance (blank to disable).

Extra permission groups to attach to the KMonad instance for this keyboard

Whether to use binary caches for downloading store paths

Parameter-sets for each instance of hddfancontrol.

The n8n instance timezone

Write logs to a specific Cloudwatch Logs stream

The host:port combination or the path to the UNIX socket of a memcached instance

The PHP-FPM pool that serves SimpleSAMLphp instance.

Replace Twitter links with links to this instance (blank to disable).

Reference to the matrix-synapse wrapper with all extras (e.g. for oidc or saml2) added to the PYTHONPATH of all executables

Basic Auth username used to protect VictoriaLogs instance by authorization

Create and use a local Meilisearch instance

Controls the timeout to connect to a Pi-Hole instance

This option allows you to override the Linux kernel used by NixOS

The domain serving your LibreTranslate instance

File containing the password for the mpd daemon

Whether to enable creating a clickhouse instance.

The domain serving your SimpleSAMLphp instance

Whether to enable Google OS Login

File that contains the Basic Auth password used to protect VictoriaLogs instance by authorization

User name under which the chrony exporter shall be run

Whether to automatically set up a local Meilisearch instance and configure Sharkey to use it

Grant capabilities to the uWSGI instance

List of URLs of the Nextcloud instance

Description of how to identify the filesystem to be duplicated by this instance of bees

Group under which the chrony exporter shall be run

Description of the homebridge instance.

Configure nginx as a reverse proxy for mastodon

Enables distributed pollers for this LibreNMS instance

The domain part of the JID for this Jibri instance.

Default configuration for the loggers used by matrix-synapse and its workers

The prefix that will be added to all metrics

The interfaces wpa_supplicant will use

The nickname for this Jibri instance in the MUC.

Whether to enable the AppArmor Mandatory Access Control system

Whether the official parsedmarc grafana dashboard should be provisioned to the local grafana instance.

Configure the domain name of this Warpgate instance

Basic Auth username used to protect VictoriaTraces instance by authorization

Whether to generate an extlinux-compatible configuration file under /boot/extlinux.conf

The port(s) continuwuity will be running on

File that contains the Basic Auth password used to protect VictoriaTraces instance by authorization

NNTP URLs to this public-inbox instance

POP3 URLs to this public-inbox instance

IMAP URLs to this public-inbox instance

The IP address to connect to the XMPP server on

The shell (/bin/sh) command executed once the proxy starts

Whether the automatically provisioned Elasticsearch instance should be added as a grafana datasource

Basic Auth username used to protect VictoriaMetrics instance by authorization

Enable per-torrent metrics

Addresses of public STUN services to use to automatically find the public and local addresses of this Jitsi-Videobridge instance without the need for manual configuration

By default any user can create an account on this gitea instance

Whether to set up and use a local instance of Elasticsearch.

Compression algorithm used by this instance of Reposilite. none reduces usage of CPU & memory, but requires transfering more data.

File that contains the Basic Auth password used to protect VictoriaMetrics instance by authorization

The base URL of the ntfy.sh instance.

Conditions to make outbound packets go through this redsocks instance

Your instance's hostname for generating URLs throughout the app

File must contain one line, example: R3300000,R3400000,NC430000,...

Additional configuration for the WirePlumber daemon when run in single-instance mode (the default in nixpkgs and currently the only supported way to run WirePlumber configured via extraConfig)

The base path for plugin endpoints

Point DOCKER_HOST to rootless Docker instance for normal users by default.

Whether to assign predictable names to network interfaces

The AWS Region

A boolean that controls whether site visitors can create new accounts

Whether to enable tweaking of kernel parameters to open many more connections at the same time

Filters can be used optionally to filter the instance list by other criteria.

Script to provision the TPM before control is handed off to the VM.

TPM2TOOLS_TCTI will be provided to configure tpm2-tools to use the swtpm instance transparently. TCTI is also provided as a generic value, consumer is expected to re-export it however it may need (TPM2OPENSSL_TCTI, TPM2_PKCS11_TCTI, ...).

The database backend for the service

Filter can be used optionally to filter the instance list by other criteria Syntax of this filter string is described here in the filter query parameter section: https://cloud.google.com/compute/docs/reference/latest/instances/list.

Controls how Prometheus handles conflicts between labels that are already present in scraped data and labels that Prometheus would attach server-side ("job" and "instance" labels, manually configured target labels, and labels generated by service discovery implementations)

XFRM interface ID set on inbound policies/SA

XFRM interface ID set on outbound policies/SA

Netfilter mark and mask for output traffic

Netfilter mark and mask for input traffic

Role of the targets to retrieve

The tag separator used to separate concatenated GCE instance network tags

The AWS region

Refresh interval to re-read the instance list

Refresh interval to re-read the cloud instance list

The string by which Linode Instance tags are joined into the tag label

Refresh interval to re-read the instance list

Whether the service discovery should list all instances for all projects

Refresh interval to re-read the instance list

Refresh interval to re-read the instance list

Maximum number of connections per plugin instance.