When enabled with services.transmission.home services.transmission.settings.incomplete-dir-enabled, new torrents will download the files to this directory

The directory where Transmission will create .config/transmission-daemon. as well as Downloads/ unless services.transmission.settings.download-dir is changed, and .incomplete/ unless services.transmission.settings.incomplete-dir is changed.

Whether to enable the services.transmission.settings.watch-dir.

If not null, is used as the permissions set by system.activationScripts.transmission-daemon on the directories services.transmission.settings.download-dir, services.transmission.settings.incomplete-dir. and services.transmission.settings.watch-dir

Specifies if TLS should be enabled

Require TLS or TLS-PSK encryption

True if ZFS filesystem support is enabled

Require TLS or TLS-PSK encryption

Require TLS or TLS-PSK encryption

Specifies if TLS should be enabled

Specifies if TLS should be enabled

Whether to enable Micro Transport Protocol (µTP).

True if NVIDIA support is enabled

If enabled, the virtual machine will boot directly into the kernel instead of through a bootloader

Whether this list is enabled

If true, a backend match requires the frontend connection be TLS encrypted

Deprecated - use type and enable = true instead

Enable/disable the embedded DNS proxy server

Whether to enable SMTP.

Whether to enable MQTT support.

Directory to store downloaded files.

Watch a directory for torrent files and add them to transmission.

Enable Captcha.

Whether to run services.transmission.settings.script-torrent-done-filename at torrent completion.

Events of type 'api' will be logged.

Working directory of the OpenGFW service and home of opengfw.user.

Directory where incomplete downloading files are stored.

Directory where to download torrents.

Path used for -xkbdir xserver parameter.

Whether to use redis support

Makes user-profiles globally available under nextcloud.tld/u/user.name

Events of type 'system' will be logged.

Check for new versions

Whether to enable XtreemFS DIR service.

Whether to enable the TCP JSON-RPC.

Whether to enable watchdogd plugin filenr.

Whether to enable the HTTP JSON-RPC.

Enable unix-command socket.

Enable or disable PKCE (Proof Key for Code Exchange) support

Whether to enable OCSP Stapling

Whether to enable .

Whether to enable watchdogd plugin loadavg.

Whether to enable watchdogd plugin meminfo.

Events of type 'terminal' will be logged.

The port to listen on for incoming connections (TCP).

Whether to enable this SMTP server for listmonk.

Whether to enable the billing system.

The option "enabled" takes 3 values - "yes", "no", "detection-only". "yes" enables both detection and the parser, "no" disables both, and "detection-only" enables protocol detection only (parser disabled).

Whether to enable Dendrite's full-text search engine.

Whether to enable presence tracking

Whether to enable the TCP JSON-RPC.

TLS Options for the Director

List of sources that should be enabled

Configuration of XtreemFS DIR service

Specifies the listen port for the HTTP service that returns the status page.

Defines if LDAP will be used for user authentication

The director name used by the system administrator

Defines if OpenID Connect will be used for user authentication

Whether to enable the virtual host

The path of a PEM encoded TLS private key

Must be set to a unique identifier, preferably a UUID according to RFC 4122

Whether to enable streaming via TCP.

Path to a git repository

The preview providers that should be explicitly enabled.

If specified, it defines the interface to listen on

Whether to enable Bacula Director Daemon.

Path to the directory Traefik should watch for configuration files.

A systemd service name to use (without .service suffix).

A systemd service name to use (without .service suffix).

Whether to enable this activity check.

A state directory used by NetBird client to store config.json, state.json & resolv.conf.

A state directory used by NetBird client to store config.json, state.json & resolv.conf.

Path to chroot into at runtime as an additional layer of protection.

Job types that this runner will execute.

Netfilter mark and mask for input traffic

Extra configuration for Bacula Director Daemon.

Enable Metrics.

Whether to enable this wake-up check.

Enable bluemap's built-in webserver

Specify the port (a positive integer) on which the Director daemon will listen for Bacula Console connections

Whether to enable the token service as well.

A runtime directory used by NetBird client.

A runtime directory used by NetBird client.

Path to the directory where data will be stored on disk.

DEPRECATED

Specifies the password that must be supplied for a Director.

Whether to enable XtreemFS DIR replication plugin.

The default logging directory

A list of additional plugins to enable if managePlugins is true.

The directory where FileBrowser stores its cache.

Where to store below's logs

Whether to enable proxying of remote media through the instance's proxy.

Whether to enable the bot on startup.

directory to store info about uploads

Enable warp routing

Configuration of XtreemFS DIR replication plugin

Common name attribute of allowed peer certificates

Directories where static files are located.

The minimal peer port to listen to for incoming connections when services.transmission.settings.peer-port-random-on-start is enabled.

Collectors to enable

Log file directories.

Where to store below's data

Collectors to enable

The maximum peer port to listen to for incoming connections when services.transmission.settings.peer-port-random-on-start is enabled.

Collectors to enable or disable

Extra configuration to be passed in Messages directive.

Extra configuration to be passed in Director directive.

Collectors to enable

Verify peer certificate

Whether to wrap the rush binary with a SUID-enabled wrapper

The path specifying a PEM encoded TLS CA certificate(s)

The path where the collected RPKI data is stored.

Whether to enable a faster, persistent implementation of use_nix and use_flake, to replace the builtin one .

The sync mode influences how operations are committed to the disk log before the operation is acknowledged to the caller.

-ASYNC mode the writes to the disk log are buffered in memory by the operating system

The nix-direnv package to use

Directory for storing log files.

Extra lines to append to the sourced direnvrc

Enable automatic transcription of videos.

Specify the directory to store database and album art cache.

Directory for storing user uploads and similar data.

Directories where template files are located.

Direnv configuration

The directory in which Garage will store the data blocks of objects

Directory for storing temporary files.

Artalk working directory

Whether to delete torrents added from the services.transmission.settings.watch-dir.

If enabled, start the Resilio Sync daemon

The full path to the PEM encoded TLS certificate

Enable NVIDIA GPU controls for a device by index

Is the preview URL API enabled? If enabled, you must specify an explicit url_preview_ip_range_blacklist of IPs that the spider is denied from accessing.

Whether to enable nginx or not

The directory in which hickory-dns should look for .zone files, whenever zones aren't specified by absolute path.

Working directory of BIND.

veilid-server will respond to Python and other JSON client requests.

If enabled, checks that Nix can parse the generated nix.conf.

Indicates whether to allow the contents of the dataDir directory to be changed by the user at run-time

This option defines Director resources in Bacula Storage Daemon.

This option defines director resources in Bacula File Daemon.

Directories to be scanned for media files

Directory where HTML and JSON report pages are written.

The subdirectory in which to serve cgit

The data dir for Kubo

List of error types to collect from the event database.

If enabled, use TLS (encryption) over an LDAP (port 389) connection

Paths to shared directories

Directories to search for profiles, separated by , or ;.

List of enabled features in order.

Whether to enable the hiding of direnv logging .

Directory where chrony state is stored.

Only enabled bridges are available for feed production

Path to the static files.

When enabled Grafana will send anonymous usage statistics to stats.grafana.org

vdirsyncer job configurations

Whether to enable support for Linux MD RAID arrays

Whether to automatically use angrr before loading .envrc.

HTTP status used by globalRedirect & forceSSL

TLS Options for the Director in this Configuration.

TLS Options for the Director in this Configuration.

The OAuth2 redirect URL.

Whether to enable nginx or not

The metadata directory, put this on a fast disk (e.g

If enabled, checks the nix.conf parsing for any kind of error

The path of a PEM encoded TLS private key

The path of a PEM encoded TLS private key

The directory to use for Yandex

List of group entries to configure in /etc/nsswitch.conf

The direnv package to use.

This option will set "hbase.rootdir" in hbase-site.xml and determine the directory shared by region servers and into which HBase persists

path to the local directory where all files are stored

Whether to enable angrr direnv integration.

The InspIRCd package to use

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

HTTP status used by globalRedirect and forceSSL

HTTP status used by globalRedirect and forceSSL

HTTP status used by globalRedirect and forceSSL

Whether to synchronise your machine's time using ntpd, as a peer in the NTP network

Directory where downloaded files are stored.

Whether to enable guests to login if auth is enabled.

Whether to enable vdirsyncer.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

HTTP status used by globalRedirect and forceSSL

Whether to enable loading direnv in nix-shell nix shell or nix develop .

List of passwd entries to configure in /etc/nsswitch.conf

Path to bosun's ledis data dir

HTTP status used by globalRedirect & forceSSL

List of enabled features in order.

The filesystem directory to store your table store within.

The filesystem directory to store blocks for the block store.

Rule directories for the reloader to refresh.

Directories containing files to include in the Kerberos configuration.

The path of the Searx server settings.yml file

Default directory to add folders in the web UI.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

HTTP status used by globalRedirect and forceSSL

HTTP status used by globalRedirect and forceSSL

HTTP status used by globalRedirect and forceSSL

HTTP status used by globalRedirect and forceSSL

HTTP status used by globalRedirect and forceSSL

Directory under which Actual runs and saves its data

Location of the state directory of charybdis.

List of configuration directives for this UPS.

Require TLS or TLS-PSK encryption

Require TLS or TLS-PSK encryption

User account to run vdirsyncer as, otherwise as a systemd dynamic user

The vdirsyncer package to use.

If enabled, the agent attempts to install and then load an RDMA kernel driver that matches the version of the firmware on the underlying hardware.

Whether to enable direnv integration

group to run vdirsyncer as

Defines the path to the data directory

Nextcloud's data storage path

The wrapped direnv package.

HTTP status used by globalRedirect & forceSSL

systemd service that is enabled by default

Enable ReGreet, a clean and customizable greeter for greetd

Enables generation of split artifacts from partitions

With this option, you can customize an H2O virtual host which already has sensible defaults for Movim

URL to a PubSubHubbub-compatible hub server

Location where Tomcat stores configuration files, web applications and logfiles

If enabled, produces logs with detailed messages that describes what pam_mysql is doing

Enables GnuPG network certificate management daemon with socket-activation for every user session.

Spark worker work dir.

Where to redirect new users upon registration.

Whether to enable this vdirsyncer job.

Whether to enable nginx or not

The upload limit for files

If "ip" is given, client IP based session affinity is enabled

Cache directory.

Engine statistics such as packet counters, memory use counters and others can be logged in several ways

The path specifying a PEM encoded TLS CA certificate(s)

The path specifying a PEM encoded TLS CA certificate(s)

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

The ollama package to use

HTTP status used by globalRedirect and forceSSL

Whether to enable new users to login if auth is enabled.

The amount of time which can elapse when kexec is being executed before a watchdog hardware device will automatically reboot the system

Whether any uploads are permitted to anonymous users.

Whether to use HTTPS

vdirsyncer pair configurations

If enabled, pam_gnupg will attempt to automatically unlock the user's GPG keys with the login password via gpg-agent

The path to the password for the specified ntfy-sh user

The NATS data directory

User to run under when setuid is not enabled.

If enabled, NixOS will periodically update the database of files used by the locate command.

Whether to enable the Keybase root redirector service, allowing any user to access KBFS files via /keybase, which will show different contents depending on the requester.

The ntfy-sh user to use for authenticating with the ntfy-sh instance

Attribute set of environment variables.

https://github.com/Glimesh/broadcast-box#environment-variables

existing configuration file

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

If enabled (the default), Nix will only download binaries from binary caches if they are cryptographically signed with any of the keys listed in nix.settings.trusted-public-keys

If set, all requests for this host are redirected permanently to the given URL.

If set, all requests for this host are redirected permanently to the given URL.

HTTP status used by globalRedirect and forceSSL

HTTP status used by globalRedirect and forceSSL

HTTP status used by globalRedirect and forceSSL

HTTP status used by globalRedirect and forceSSL

HTTP status used by globalRedirect and forceSSL

HTTP status used by globalRedirect and forceSSL

HTTP status used by globalRedirect and forceSSL

Path of the Neo4j home directory

With safeExit enabled, the daemon will ask the driver to disable the WDT before exiting

The absolute path to the directory which hosts the public-inbox.

The directory or URI where MPD reads music from

Enables the in-database configuration.

https://docs.postgrest.org/en/stable/references/configuration.html#in-database-configuration

Path of the data directory

systemd timer configuration

The data dir for ipfs-cluster.

The redirect method to use.

With this option, you can customize an Nginx virtual host which already has sensible defaults for Movim

Group to run under when setuid is not enabled.

SSL port to bind to

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Whether to enable an additional input method type.

Specifies if TLS should be enabled

Specifies if TLS should be enabled

If set, all requests for this host are redirected permanently to the given URL.

HTTP status used by globalRedirect and forceSSL

IPC directory where file sockets are stored.

vdirsyncer's status path

If enabled, NixOS will set up a kernel that will boot on crash, and leave the user in systemd rescue to be able to save the crashed kernel dump at /proc/vmcore

If enabled systemd-journald will turn on auditing on start-up

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

general configuration

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

HTTP status used by globalRedirect and forceSSL

Whether to enable nginx or not

Path to the TLS key for the web UI

HTTP status used by globalRedirect and forceSSL

XtreemFS home dir for the xtreemfs user.

Configures the user domain, if enabled

If enabled, start the Syncplay server.

SMTP configuration

Directory where certificate and other state is stored.

Common name attribute of allowed peer certificates

Common name attribute of allowed peer certificates

If set, all requests for this host are redirected permanently to the given URL.

Folders which should be shared by Syncthing

Whether to enable the Thanos query node exposing PromQL enabled Query API with data retrieved from multiple store nodes.

If Monitor is set to no, this director will have full access to this Storage daemon

If Monitor is set to no, this director will have full access to this Storage daemon

fangfrisch configuration

Peers/devices which Syncthing should communicate with

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

The kanata package to use. ::: {.note} If danger-enable-cmd is enabled in any of the keyboards, the kanata-with-cmd package should be used. :::

List of public keys used to sign binary caches

Log ERROR level messages only

Whether to automatically update DERP maps on a set frequency.

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

HTTP status used by globalRedirect and forceSSL

If enabled, spacecookie will hide personal information of users like IP addresses from log output.

Iptables filters that if matched will get the packet off of redsocks.

The path to the workdir

Enabled Fcitx5 addons.

Allow the installation and updating of apps from the Nextcloud appstore

If enabled, spacecookie will not print timestamps at the beginning of every log line.

If set, all requests for this host are redirected permanently to the given URL.

If enabled, system metrics will be sent to Linode LongView.

HTTP status used by globalRedirect and forceSSL

Whether git-http-backend should only export repositories that contain a git-daemon-export-ok file

Whether the HTTP service (when enabled) will decode ERIS content at /uri-res/N2R?urn:eris:

Do not persist any stateful znapzend setups

vdirsyncer storage configurations

If true, requests in the form /~user/page.html are rewritten to take the file public_html/page.html from the home directory of the user.

Log DEBUG, INFO, WARN and ERROR messages

Directory to store export.

Enable restrictions on the use of the well-known prefix (64:ff9b::/96) - prevents translation of non-global IPv4 ranges when using the well-known prefix

Extra configuration options that will be added verbatim at the end of the ldap configuration file (ldap.conf(5))

Whether to enable the HTTP/2 protocol

Whether to enable the HTTP/2 protocol

Whether to enable the HTTP/2 protocol

The filesystem directory to store your protected store in.

Prompt for login with an html login mask if enabled, otherwise prompt for basic auth (useful for SSO)

Require email validation before sign up completes.

The username/email in case SMTP auth is enabled.

Path to the TLS certificate for the web UI

Select the enabled input method

Run node as a replica

Whether to enable the HTTP/2 protocol

The root directory for file URLs used with the Cypher LOAD CSV clause

AppArmor mode for dbus.

enabled enables mediation when it's supported in the kernel, disabled always disables AppArmor even with kernel support, and required fails when AppArmor was not found in the kernel.

If enabled, protect SSH logins with Duo Security.

A shell application which will produce an nvd diff of the system closure with and without facter enabled.

When enabled, configures emacsclient to be the default editor using the EDITOR environment variable.

Path of the database plugin directory

Start the daemon automatically using XDG autostart

List of derivations that provide container images

Run yes | vdirsyncer discover prior to vdirsyncer sync

Whether to enable the fail2ban service

A directory that should contain the policy files, used to customize Botan’s behaviour when negotiating the TLS connections with the IRC servers.

If enabled, each virtual host gets its own access.log and error.log, namely suffixed by the hostName of the virtual host.

If enabled, causes a leave action to be sent when closing consul

If enabled, the agent creates a swap file (/swapfile) on the resource disk and adds it to the system swap space

Unix command socket that can be used to pass commands to Suricata

Path to a keyfile used to unlock the backing encrypted device

If enabled, protect logins with Duo Security using PAM support.

Whether to disable send and accept redirects for all network interfaces

Directories containing files to include in the Kerberos configuration.

Changes the Intel Turbo feature status (1 is disabled and 0 is enabled).

Verify peer certificate

Verify peer certificate

If we should send notifications to the desktop

The cache allows tarsnap to identify previously stored data blocks, reducing archival time and bandwidth usage

If set, all requests for this host are redirected permanently to the given URL.

With this option, you can customize an H2O virtual host which already has sensible defaults for Dolibarr

Location of the riemann-base dir

Whether to enable the HTTP/2 protocol

Whether to enable the HTTP/2 protocol

Whether to enable the HTTP/2 protocol

Whether to enable the HTTP/2 protocol

Whether to enable the HTTP/2 protocol

The TLS mode to use

The list of hostnames and/or IP addresses from which the Mailman Web UI will accept requests

Define the client configurations

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Enables the use of the ~/.ssh/authorized_keys file

Key bindings for actkbd

Path to a keyfile used to unlock the backing encrypted device

HTTP status used by globalRedirect and forceSSL

If set, Nix will perform builds in a sandboxed environment that it will set up automatically for each build

A shell application which will produce a nix-diff of the system closure with and without facter enabled.

With this option, you can customize an nginx virtualHost which already has sensible defaults for Matomo

Enable gitolite management under the gitolite user

If an Anonymous keyword is present, then anonymous proxying is enabled

If set, all requests for this host are redirected permanently to the given URL.

List of enabled daemon modules

The hostname at which you wish firefly-iii to be served

If enabled, starts a Minetest Server.

Whether to enable starting the POP3 listener (when Dovecot is enabled).

Enables routing of QUIC packets using eBPF

The fan type, can be hwmon for standard fans,

atasmart to read the temperature via S

If set, all requests for this host are redirected permanently to the given URL.

Whether to periodically upgrade NixOS to the latest version

Whether to enable starting the IMAP listener (when Dovecot is enabled).

Whether to enable starting the LMTP listener (when Dovecot is enabled).

The path to the upperdir

Whether to use TLS.

Controls Link-Local Multicast Name Resolution support (RFC 4795) on the local host

With this option, you can customize an nginx virtual host which already has sensible defaults for Pixelfed

Whether to enable NVIDIA Optimus support using the NVIDIA proprietary driver via PRIME

Whether the LDAP Server is an Active Directory.

pattern of a directory structure locally and on s3

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

The directories from which plugins should be loaded

Run bitbox-bridge.service only when hardware wallet is plugged, also registers the systemd device unit

The list of path(s) to the lowerdir(s)

HTTP status used by globalRedirect and forceSSL

With this option, you can customize an NGINX virtual host which already has sensible defaults for Kanboard

List of filesystem paths to archive.

If set, all requests for this host are redirected permanently to the given URL.

If enabled, the pam_umask module will be loaded.

Path to the postgres socket directory

What interface to use for hardware acceleration

The directory where MPD stores playlists

Port LDAP is accessible on.

Plugin directory paths

Whether to enable compressed feature which adds the options -Lce to the zfs send command

Enables or disables the laptop keyboard's Function (Fn) lock at boot

Specifies the device to use for hardware acceleration.

• cpu: no acceleration just use the CPU
• rocm: supported by modern AMD GPUs
• cuda: supported by modern NVIDIA GPUs
• metal: supported on darwin aarch64 machines

Tabby will try and determine what type of acceleration that is already enabled in your configuration when acceleration = null.

• nixpkgs.config.cudaSupport
• nixpkgs.config.rocmSupport
• if stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64

IFF multiple acceleration methods are found to be enabled or if you haven't set either cudaSupport or rocmSupport you will have to specify the device type manually here otherwise it will default to the first from the list above or to cpu.

Specifies the password that must be supplied for the default Bacula Console to be authorized

Specifies the password that must be supplied for the default Bacula Console to be authorized

On startup, the baseDir directory is populated with various files, subdirectories and symlinks

Whether the nix-channel command and state files are made available on the machine

The directory where old plugin versions and conflicting plugins should be moved

If enabled, starts a Terraria server

Automatic backup of important data to a AWS S3 (or compatible) instance

The directory where uploaded new plugins should be stored.

Sets the send events mode to disabled, enabled, or disabled-on-external-mouse

Sync users.

With this option, you can customize an nginx virtual host which already has sensible defaults for radicle-httpd

If enabled, disables all logging.

User to run the program.

If enabled, the generated nftables rule set will be owned exclusively by firewalld

Whether to enable the HTTP/2 protocol

Only applies if ssl_enable is activated

Only applies if ssl_enable is activated

Only applies if ssl_enable is activated

If set, all requests for this host are redirected (defaults to 301, configurable with redirectCode) to the given hostname.

Root path for LDAP.

HTTP status used by globalRedirect and forceSSL

Additional command-line arguments passed verbatim to udhcpc if boot.initrd.network.enable and boot.initrd.network.udhcpc.enable are enabled.

User directory, relative to root.

With this option, you can customize an nginx virtual host which already has sensible defaults for Dolibarr

Whether to enable nginx virtual host that will serve the javascript application and act as a proxy for the XMPP server

Exclude all non-globally-routable IPs from redsocks

Whether to use STARTTLS.

The directory where the skeleton files are located

If enabled, checks all masters for the last zone version

The upload limit for files

additional groups to add the dynamic user to

Whether to periodically upload logs to QRZ

If enabled, starts the ArchisSteamFarm service

Name of the config adapter to use

If enabled, users are created with systemd-sysusers instead of with the custom update-users-groups.pl script

Whether to periodically update the DOK resource file

This option lists the machines to be used if distributed builds are enabled (see nix.distributedBuilds)

List of services entries to configure in /etc/nsswitch.conf

If enabled the automatic login will only happen in the first tty once per boot

Whether to enable the HTTP/2 protocol

Whether to enable the HTTP/2 protocol

Whether to enable the HTTP/2 protocol

Whether to enable the HTTP/2 protocol

Whether to enable the HTTP/2 protocol

Whether to enable the HTTP/2 protocol

Whether to enable the HTTP/2 protocol

The full path to the PEM encoded TLS certificate

The full path to the PEM encoded TLS certificate

Group directory, relative to root.

Whether or not the whitelist (in whitelist.json) shoud be enabled

If enabled, the generated destination NAT (DNAT) rules will NOT accept traffic that was DNAT'd by other entities, e.g. docker

Options for configuring workers

Whether to sync ldap groups into BitWarden.

The Nginx status page URL

Whether to periodically update the SOTA database

Whether to periodically update the WWFF database

If enabled, this will replace the FAIL_DELAY setting from login.defs

Whether to periodically upload logs to LoTW

Run everything in one thread inside the worker process

Whitelisted players, only has an effect when services.mchprs.declarativeWhitelist is true and the whitelist is enabled via services.mchprs.whitelist.enable

Directory where Akkoma will put uploaded files.

If enabled, the Crossfire game server will be started at boot.

The domain the Bitwarden/Vaultwarden is accessible on.

Whether to enable the Etebase server

LDAP filter for users.

A file containing the secret used to encrypt secrets for OTP tokens

Set to false to remove all feedback links from the UI.

Whether to enable Bitwarden Directory Connector.

Specifies whether the web interface is enabled.

If enabled Rsync will be socket-activated rather than run persistently.

Whether to enable Neovim

The Apache status page URL

Whether to enable Zsh integration .

Options to configure the LDAP connection

Options to configure what gets synced

If enabled, systemd will always respawn dnsmasq even if shut down manually

Whether to allow editing the kernel command-line before boot

Whether to generate SSH host keys

LDAP filter for groups.

When enabled, will automatically register the "brscan4" sane backend and bring configuration files to their expected location.

List of source directories and files to backup

Enabled IBus engines

Path to file that contains LDAP password for user in {option}`ldap.username

Requires libunwind to be available when Suricata is configured and built

Suffix for the email, normally @example.com.

Enable if you are syncing more than 2000 users/groups.

Whether to enable the HTTP/2 protocol

Whether to enable Bash integration .

Whether to enable Fish integration .

Whether the LDAP server paginates search results.

If enabled, virtual users will use the same privileges as local users

List of attribute sets containing configuration for each domain

Forcibly import the ZFS root pool(s) during early boot

Whether to enable this .link unit

Whether to let the nslcd daemon (nss-pam-ldapd) handle the LDAP lookups for NSS and PAM

The sensor type, can be hwmon for standard sensors,

atasmart to read the temperature via S

If enabled, start a Minecraft Server

If true, a system-wide PipeWire service and socket is enabled allowing all users in the "pipewire" group to use it simultaneously

The path to the file with the password in case SMTP auth is enabled.

The user to authenticate as.

The bitwarden-directory-connector-cli package to use.

List of hosts entries to configure in /etc/nsswitch.conf

Whether to enable Whether add CAP_NET_BIND_SERVICE to the tunnel service, this should be enabled if you want to bind port < 1024.

Class that users must have.

The host the LDAP is accessible on.

Enables Uber's USSH PAM (pam-ussh) module

Whether to enable the HTTP/2 protocol

Whether to enable nftables and use nftables based firewall if enabled. nftables is a Linux-based packet filtering framework intended to replace frameworks like iptables

If Notifications are enabled and an expiry date is set, warn 5 days before expiry

Whether to enable the HTTP/2 protocol

Whether to configure nginx as a reverse proxy for Invidious

List of shadow entries to configure in /etc/nsswitch.conf

The option is dictated by the plugin

Whether to enable Xonsh integration .

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Additional listeners to start when Dovecot is enabled.

If enabled, the Nix store in the VM is made writable by layering an overlay filesystem on top of the host's Nix store

Additional plugins dir used to configure nomad.

Whether to propagate the legacy options under services.znc.confOptions.* to the znc config

When enabled, instructs udisks2 to mount removable drives under /media/ directory, instead of the default, ACL-controlled /run/media/$USER/

Whether to periodically update the list of LoTW users

Configuration for ZNC, see https://wiki.znc.in/Configuration for details

Whether to enable the security plugin, plugins.security.ssl.transport.keystore_filepath or plugins.security.ssl.transport.server.pemcert_filepath and plugins.security.ssl.transport.client.pemcert_filepath must be set for this plugin to be enabled.

Enables support for IEEE 802.11n (WiFi 4, HT)

A class that groups will have.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Additional arguments passed to initdb during data dir initialisation.

When enabled, configures VSCode to be the default editor using the EDITOR environment variable.

Whether to configure the postgresql database for part-db

The address Anubis' metrics server listens to

Explicitly install extras provided by matrix-synapse

Whether to enable opening the HTTP server port and, if enabled, the HTTPS redirect server port in the firewall. .

Enables or disables drag lock during tapping behavior

Whether to enable Allow the system to forward packets from easytier

Enable CIS Hardening for RKE2

Dynamic configuration files to write

The hostname at which you wish privatebin to be served

Directory of static files

The interval when to run the connector

Whether to enable the HTTP/2 protocol

When enabled, installs neovim and configures neovim to be the default editor using the EDITOR environment variable.

Path to a list of ini file containing confidential settings such as credentials

Whether to enable NVIDIA Optimus support using the NVIDIA proprietary driver via reverse PRIME

Sets the send events mode to disabled, enabled, or disabled-on-external-mouse

Enable or disable TLS

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Whether to initialise non‐existent secrets with random values

Whether to enable the HTTP/2 protocol

A port to serve DNS entries on when dns-resolver.address is enabled.

A port to serve DNS entries on when dns-resolver.address is enabled.

Add network connectivity support to initrd

Path to the data dir fedimintd will use to store its data

If enabled srun will accept the option "--x11" to allow for X11 forwarding from within an interactive session or a batch job

If enabled, the configured environment will be translated to native fish using babelfish

Automatically enable the apps in services.nextcloud.extraApps every time Nextcloud starts

Whether to periodically upload logs to Clublog

Whether to periodically prune gitlab runner's Docker resources

Name of HTTP request header used for dynamic prefixing of UI links and redirects

Storage quota for the repository

Directory that holds the TSM node's password information.

Bulk PDF import from consume directory

List of sudoers entries to configure in /etc/nsswitch.conf

Ignore the user configures. Warning: When this is enabled, the user config files are totally ignored and the user dict can't be saved and loaded.

Default working directory for server (server-working-dir in rserver.conf).

Allow the service to create and use its own config file inside the dataDir as configured by services.mediatomb.dataDir

Path to the file containing the password for the root user if auth is enabled.

If a user has no email address, combine a username prefix with a suffix value to form an email.

When enabled, the stargazer process will be given CAP_SETGID and CAP_SETUID so that it can run cgi processes as a different user

Whether to periodically update the Clublog SCP database

If a Store doesn't send any data in this specified duration then a Store will be ignored and partial data will be returned if it's enabled. 0 disables timeout

Remove users from bitwarden groups if no longer in the ldap group.

Plugins to enable

If enabled, pam_wallet will attempt to automatically unlock the user's default KDE wallet upon login

Conditions to make outbound packets go through this redsocks instance

The meilisearch package to use

Name of HTTP request header used for dynamic prefixing of UI links and redirects

Define a lower and upper time value (in HH:MM format) which constitute a time window during which reboots are allowed after an upgrade

The DankMaterialShell package to use for the greeter

Whether to open the firewall ports for Reposilite

When enabled, will automatically register the "dsseries" SANE backend

If enabled, a Fontconfig configuration file will be built pointing to a set of default fonts

Whether to enable intra-zone forwarding

The pathname of the IMAP configuration directory.

List of forwarded ports from the external interface to internal destinations by using DNAT

Attribute for a name of group.

Attribute for a users email.

Directory to write the output to.

Whether to run shellcheck on the generated scripts for systemd units

Whether to enable U2F support in the i3lock program

Check redirects for manualHTML.

If GitLab container registry should be enabled by default for projects.

Attribute that lists members in a LDAP group.

Enable billing Cron-Jobs on the local instance

Some servers have invalid or self-signed certificates

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Maximum estimated error threshold for the rtcautotrim command

Whether the service should be reloaded during a NixOS configuration switch if its definition has changed

Environment variables which are read by healthchecks (local)_settings.py

Allow localhost redirects

If enabled, periodically check the journal with journalwatch and report the results by mail.

Whether to enable hardware accelerated graphics drivers

Atomically update the host OS, container images, portable service images or other sources

If inspectHttps is enabled, the time generated HTTPS certificates will be stored in a temporary directory for reuse

Whether to clear the configuration of the interfaces that were set up in the initrd right before stage 2 takes over

Enables middle button emulation

Additional Munin plugins to activate

Whether or not SSL verification should be enabled for outgoing connections to the homeserver.

Environment variables which are read by healthchecks (local)_settings.py

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Directory for storing certificates to be used by Neo4j for TLS connections

Set of paths that should be intercepted and rewritten while checking the ruleset using pkgs.buildPackages.libredirect.

The hostname at which you wish firefly-iii-data-importer to be served

The attribute that contains the users username.

Whether to enable the HTTP/2 protocol

Enables settings required for NetBird's routing features: Network Resources, Network Routes & Exit Nodes

Enable automatic config reload on config change

Whether the service should be reloaded during a NixOS configuration switch if its definition has changed

When IPv6 is enabled with SLAAC, this option controls the use of temporary address (aka privacy extensions) on this interface

Enables or disables drag lock during tapping behavior

In direct boot situations, you may want to influence the initrd to load to use your own customized payload

PostgreSQL package to use

Provides a custom seed for the RANDSTRUCT security option of the Linux kernel

Environment variables to set for the service

Whether to enable render offload support using the NVIDIA proprietary driver via PRIME

Enables MOBIKE on IKEv2 connections

The package that provides the 32-bit driver set

Additional Munin plugins to autoconfigure, using munin-node-configure --suggest

Whether to enable nginx reverse proxy for derper

Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.

When not set to null this option defines the path at which the unbound remote control socket should be created at

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Whether to enable tournament mode

If enabled, pam_gnome_keyring will attempt to automatically unlock the user's default Gnome keyring upon login

Unless enabled, encryption keys can be easily recovered by an attacker with physical access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Attribute that lists a user's creation date.

Attribute set of paths whose content is copied to the extensions subdirectory of the MediaWiki installation and enabled in configuration

If enabled, allow principal names containing (.) dots

Address to access the nginx status page

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Whether to enable the HTTP/2 protocol

Whether to use sign the limine binary with sbctl.

Opens up the erlang distribution port of all enabled components to allow reaching the server cluster from the internet

Path to a file containing the idm admin password for kanidm

Whether to give the container its own private UIDs/GIDs space (user namespacing)

Location of the dir with main.css CSS file

If set to false, run lightdm in greeterless mode

DEPRECATED, use driverOptions

Whether to enable the systemd-networkd-wait-online service.

systemd-networkd-wait-online can timeout and fail if there are no network interfaces available for it to manage

Plugins to add to the environment of MediaGoblin

Command line options for pg_dump

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Database settings will be reset to the value set in this module if this is not enabled

Shared folder list

Set environment path of systemd to include the current system's bin directory

Whether to enable the HTTP/2 protocol

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Enables middle button emulation

Allow clients to create repositories in subdirectories of the specified path

Whether to consider the network online when any interface is online, as opposed to all of them

Whitelisted players, only has an effect when services.minecraft-server.declarative is true and the whitelist is enabled via services.minecraft-server.serverProperties by setting white-list to true

Group under which the postfix exporter shall be run

The path specifying a PEM encoded TLS CA certificate(s)

The path specifying a PEM encoded TLS CA certificate(s)

Whether to invert the icmp block handling

Whether the Mattermost config.json is writeable by Mattermost

Elasticsearch host

Whether to enable the systemd-networkd-wait-online service.

systemd-networkd-wait-online can timeout and fail if there are no network interfaces available for it to manage

Path to a keyfile used to unlock the backing encrypted device

Whether the config should be checked at build time

Additional PHP extensions to use for Nextcloud

Enable running shellcheck on the generated scripts for this unit

Names of backends which are enabled by default but should be disabled

The path of a directory which contains a custom landing page.

Directory below /var/lib to store metrics

Connection string to postgresql in the [rust postgres crate config format](https://docs.rs/postgres/latest/postgres/config/struct

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

HMAC-SHA-256 is used with 128-bit truncation with IPsec

Whether to consider the network online when any interface is online, as opposed to all of them

Logs dropped packets failing the reverse path filter test if the option networking.firewall.checkReversePath is enabled.

The Quickshell package to use for the greeter

Enabled collectors

Additional units shipped with systemd that shall be enabled.

Additional packages to generate completions from, if programs.fish.generateCompletions is enabled.

The Wayland compositor to run the greeter in

Required for some non-Amazon S3 implementations

Whether generation of Diffie-Hellman parameters should be stateful or not

Enables settings required for Tailscale's routing features like subnet routers and exit nodes

Whether all users can write to the consumption dir.

The path to the workdir

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Enable running shellcheck on the generated scripts for this unit

Whether to enable protontricks, a simple wrapper for running Winetricks commands for Proton-enabled games.

Whether to enable automatic client password generation

Whether to make sshd look up authorized keys from SSS

Whether to enable Whether video acceleration (VA-API) should be enabled. .

Whether to enable the Firefox Sync storage service

If enabled, the virtual machine will provide a EFI boot manager. useEFIBoot is ignored if useBootLoader == false.

Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.

Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.

Additional units shipped with systemd that shall be enabled.

Which pinentry package to use

ChronyServerAddress of the chrony server side command port. (Not enabled by default.) Defaults to the local unix socket.

Whether or not SSL verification should be enabled for outgoing connections to the homeserver.

If enabled, when NIX_SSL_CERT_FILE is set on the host, pass the CA certificates from the host to the VM.

The path to the upperdir

When set to false, disables checking for new versions of Grafana from Grafana's GitHub repository

The list of path(s) to the lowerdir(s)

The compression level used when compression is enabled. gzip accepts levels 1 to 9. zstd accepts levels 1 to 19.

The credentials to access the web interface, in case authentication is enabled, in the format username:hash

Whether to enable automatic generation and persistence of keys

If enabled for legacy MBR VMs, the VM image will have a separate boot partition mounted at /boot. useBIOSBoot is ignored if useEFIBoot == true.

Whether to create symlinks to the system generations under /boot

The manual pages to generate caches for if documentation.man.generateCaches is enabled

Path to file that contains Client ID.

Whether to allow other versions of PostgreSQL than the recommended one

Whether the automatically provisioned Elasticsearch instance should be added as a grafana datasource

Enables lxd to use zfs as a storage for containers

The package that provides the system-wide resolvconf command

Install the SPICE USB redirection helper with setuid privileges

Collectors to disable which are enabled by default.

Whether to overwrite Jellyfin's encoding.xml configuration file on each service start

Mount nvidia-docker-1 directories on containers: /usr/local/nvidia/lib and /usr/local/nvidia/lib64.

Collectors to disable which are enabled by default.

Determines whether a process should detect changes to the configuration file since it was last read

Whether to set up and configure an nginx virtual host according to upstream's recommendations

If networking.firewall.logRefusedPackets and this option are enabled, then only log packets specifically directed at this machine, i.e., not broadcasts or multicasts.

Whether this interface should be configured with DHCP

Which codecs to enable for hardware encoding. h264 is always enabled.

Enable per-CPU CHILD_SAs

Collectors to enable or disable

If set, users with enabled Google Authenticator (created ~/.google_authenticator) will be required to provide Google Authenticator token to log in.

Whether to persist metrics to a file

Whether to enable the --fakeroot support of Singularity/Apptainer

By default, all allowed IPs and subnets are comma-separated in the allowed_ips field

Whether to enable IPv6 Privacy Extensions for interfaces not configured explicitly in networking.interfaces._name_.tempAddress

If enabled, causes the following behavior:

• Passes the --ephemeral flag to the runner configuration script
• De-registers and stops the runner with GitHub after it has processed one job
• On stop, systemd wipes the runtime directory (this always happens, even without using the ephemeral option)
• Restarts the service after its successful exit
• On start, wipes the state directory and configures a new runner

You should only enable this option if tokenFile points to a file which contains a personal access token (PAT)

The system-wide memory allocator

Name of the voice model to use

Whether to enable kernel modesetting when using the NVIDIA proprietary driver

Whether to periodically prune Podman resources

Whether to periodically prune Docker resources

Whether to enable Starship's transient prompt feature in fish shells

Collectors to disable which are enabled by default

When enabled dockerd is started on boot

Override the default working directory for the container.

Whether to run QEMU with a graphics window, or in nographic mode

Whether to enable loading the wireless regulatory database at boot.

Type of 9p cache to use when mounting host nix store. "none" provides no caching. "loose" enables Linux's local VFS cache. "fscache" uses Linux's fscache subsystem

If enabled, sets the ATH_USER_REGD kernel config switch to true to disable the enforcement of EEPROM regulatory restrictions for ath drivers

If enabled, copies the NixOS configuration file (usually /etc/nixos/configuration.nix) and symlinks it from the resulting system (getting to /run/current-system/configuration.nix)

If enabled, lowerdir, upperdir and workdir will be prefixed with /sysroot

When enabled, alerts will be tried to dispatch with an error message regarding faulty templating or missing fields to help debugging.

When enabled, alerts are presented in HTML format and include colorized status (FIR|RES), alert start time, and a link to the generator of the alert.

Change the paths where mandoc makewhatis(8)generates the manual page index caches. documentation.man.generateCaches should be enabled to allow cache generation

Path to file that contains Client Secret.

Encrypt swap device with a random key

When using the SLiRP user networking (default), this option allows to forward ports to/from the host/guest.

When enabled, n8n sends notifications of new versions and security updates.

The client TLS security level.

https://www.postfix.org/postconf.5.html#smtp_tls_security_level

List of source directories and files to backup

If this option is enabled, the guest will be isolated, i.e. it will not be able to contact the host and no guest IP packets will be routed over the host to the outside

Whether to use NetworkManager to obtain an IP address and other configuration for all network interfaces that are not manually configured

Enable IPComp compression before encryption

Whether to include the build closure of the whole system in its runtime closure

The name of the connection to mediate this connection through

Configure whether HTTP requests follow HTTP 3xx redirects

Configure whether HTTP requests follow HTTP 3xx redirects

XFRM interface ID set on inbound policies/SA, can be overridden by child config, see there for details

Whether to generate Device Tree-related directives in the extlinux configuration

Whether to enable killing of processes which have an AppArmor profile enabled (in security.apparmor.policies) but are not confined (because AppArmor can only confine new processes)

Configure whether HTTP requests follow HTTP 3xx redirects

Configure whether HTTP requests follow HTTP 3xx redirects

XFRM interface ID set on outbound policies/SA, can be overridden by child config, see there for details

If this attribute is given, SAE-PK will be enabled for this connection

Number of seconds we're willing to wait for a guest to shut down

Whether to assign predictable names to network interfaces

Runs container in ephemeral mode with the empty root filesystem at boot

Configure whether HTTP requests follow HTTP 3xx redirects

Configure whether HTTP requests follow HTTP 3xx redirects

Configure whether HTTP requests follow HTTP 3xx redirects

Configure whether HTTP requests follow HTTP 3xx redirects

Encrypt swap device with a random key

When set to false, disables checking for new versions of installed plugins from https://grafana.com

If enabled, the boot disk of the virtual machine will be formatted and mounted with the default filesystems for testing

Send certificate request payloads to offer trusted root CA certificates to the peer

Configure whether HTTP requests follow HTTP 3xx redirects

Set to true if you want to enable HTTP Strict-Transport-Security (HSTS) response header

XFRM interface ID set on inbound policies/SA

When enabled, the container is automatically started on boot

Configure whether HTTP requests follow HTTP 3xx redirects

Configure whether HTTP requests follow HTTP 3xx redirects

Configure whether HTTP requests follow HTTP 3xx redirects

XFRM interface ID set on outbound policies/SA

Netfilter mark and mask for output traffic

If enabled, continuwuity will send a simple GET request periodically to https://continuwuity.org/.well-known/continuwuity/announcements for any new announcements made.

Authentication to expect from remote

If enabled, lowerdir, upperdir and workdir will be prefixed with /sysroot

Configure whether HTTP requests follow HTTP 3xx redirects

Netfilter mark applied to packets after the inbound IPsec SA processed them

Periodically re-execute the wg utility every this many seconds in order to let WireGuard notice DNS / hostname changes

Configure whether HTTP requests follow HTTP 3xx redirects

Netfilter mark applied to packets after the outbound IPsec SA processed them

Authentication to perform locally.

• The default pubkey uses public key authentication using a private key associated to a usable certificate.
• psk uses pre-shared key authentication.
• The IKEv1 specific xauth is used for XAuth or Hybrid authentication,
• while the IKEv2 specific eap keyword defines EAP authentication.
• For xauth, a specific backend name may be appended, separated by a dash

Additionally enable the recommended set of pairwise ciphers

Configure whether HTTP requests follow HTTP 3xx redirects

Declaratively define NetworkManager profiles

Set to true to enable HSTS preloading option

Set to true to enable HSTS includeSubDomains option

Sets how long a browser should cache HSTS in seconds